
LWN.net Weekly Edition for June 14, 2007

An interview with Fedora leader Max Spevack

Now that Fedora 7 has been released, Fedora project leader Max Spevack has a little bit of breathing room. Like nature, LWN abhors a vacuum, so we sent Max a list of questions and a request for answers. We are now happy to present the answers. Without further ado...

LWN: Fedora 7 is out. Congratulations! What do you think is the best single thing about this release, and what do you most wish had been done better?

There are two "single best things" about Fedora 7. :-)

The first is the combination of Fedora Core and Fedora Extras into a single package repository, and the other work that went into place around that.

Before I go on, let's define two things:

@redhat.com == employed by Red Hat

@fedoraproject.org == anyone who is a Fedora contributor, may or may not be employed by Red Hat

Pre-Fedora 7, a package maintainer had to be @redhat.com in order to have commit access to packages that were in Core, but anyone @fedoraproject.org could have commit access to packages that were in Extras. Core and Extras were built on separate build systems. The Core build system was internal to Red Hat, and the Extras build system was completely external. The compose tool that built the install tree and ISO was only able to pull from packages that were in Core.

Fedora 7 has blown all of that up.

The CVS has been combined. There is no more Core or Extras, just a single Fedora repository, which allows us to give commit access (via ACLs) to anyone @fedoraproject.org for ANY package, as appropriate. It allows people who have expertise in specific packages to have more direct access to those packages in Fedora, regardless of whether or not they are @redhat.com.

Similarly, we have rolled out a new build system, called Koji, which operates completely externally from Red Hat. Add to that a new compose tool, called Pungi, which assembles the output of Koji into an actual distribution, and the entire Fedora "toolchain" is now 100% in the community.

The end result of all of that is the second "best thing" about Fedora 7: custom spins.

Pungi, as I have already mentioned, is a command-line compose tool. You feed it a package manifest, it spits out an install tree, or an installable CD/DVD. Similarly, LiveCD Creator is the command-line tool that we use to build our LiveCD, LiveUSB, etc. It's quite similar to pungi -- you feed it a package manifest, it does the rest.

Additionally, two of our most enterprising community members, Jeroen van Meeuwen and Jonathan Steffan, have built a graphical application on top of the Pungi and LiveCD Creator APIs. This tool is called Revisor, and it provides a graphical wizard-like application that allows the user to select various repositories (Fedora or third-party), and to select a package manifest and various build targets (Live, Installable, USB, etc). The backend of the tool does all the work, and the end user can spin a custom version of Fedora without having to understand all of the technical details going on underneath.

Koji, Pungi, LiveCD Creator, and Revisor are all available in the Fedora repositories. Every tool that Fedora uses, from source control to ISO production, is 100% free software.

On the negative side, things got a little bit crazy in the last week or so prior to the release. A few regressions made it in, and while those can be fixed with things like 0-day updates, it's still not a good thing to have. So we'll work to improve that.

Also, the "feature" process around Fedora needs some fixing and managerial oversight. We're working to correct that in Fedora 8 by setting up a small team that is entirely focused on feature tracking, status, etc. Basically we're giving Fedora a bit more project management than it's had in the past.

So what can we expect for Fedora 8?

One of the things that we want to do with Fedora 8 is get the release cycle back on a predictable track. A 6 month cycle, beginning on June 1st, puts the release date smack in the middle of Christmas. Furthermore, the Thanksgiving holiday in the United States is something that needs to be planned around. In short, we were worried that a 6 month cycle for Fedora 8 would very quickly slip out to 7 or 8 months simply due to the holidays that come at the end of the year.

So we're looking to shorten the cycle up, with a Fedora 8 GA tentatively scheduled for October 31st.

http://fedoraproject.org/wiki/Releases/8/Schedule

That doesn't leave us a lot of time. Fortunately, we're looking at a far less ambitious Fedora 8. With so much new stuff in Fedora 7, we'd like to give all of our infrastructure changes a chance to settle in and get some polish, and also give some of the contributors who have been going nonstop on Fedora for the last few months a development cycle that is a bit less stressful.

But that doesn't mean we don't have some things planned. The best thing for people who are interested in Fedora 8 to do is look at our wiki, where we will be tracking potential features over the course of the release cycle. Before you click that link and hold us to it, I will say again that this is early-stage planning right now, and just because something appears on this list today doesn't mean it will be in the final release, or that it will even make it through the culling process in which we decide what is *really* important and what is of secondary importance.

http://fedoraproject.org/wiki/Releases/8/FeatureList

One thing not on that list that I am hoping we can get on there soon is additional improvements to the LiveCD tools -- especially the LiveUSB key, hopefully with encryption well-integrated into it. But that's just me talking as a manager -- the core developers still need to have a chance to weigh in with what they are thinking, and what their time commitments are going to be.

The second feature that I am particularly fond of is one that actually exists independent of any sort of distribution release cycle, and that is the expansion of Revisor from a GUI application to a web application. A web app that allows people to create a custom Fedora spin or a Fedora appliance will be a tremendous achievement for the Fedora Project, and will be the capstone to all of the work that has already been done with Koji, Pungi, LiveCD tools, and Revisor. Do I think this will be ready near Fedora 8? Not necessarily something that is fully production ready, but since we intend to develop it in public, hopefully at least some sort of alpha/beta that is usable.

What can you tell us about the longer-term plan for Fedora? Where do you think the project will be in 2-3 years?

I have to start this answer off with a statement of fact:

Red Hat will continue to be Fedora's biggest sponsor, providing development resources, infrastructure money, bandwidth, community-budget, FUDCons, legal support, etc.

However, I believe that it is ultimately the job of the Fedora Project Leader, whoever that person is, to say "what do I have to do to ensure that the Fedora Project can grow and thrive, *EVEN IF* all Red Hat support were to one day disappear"?

It's a hypothetical question. But the answer is real. And the answer is the critical path of Fedora in a 2-3 year horizon.

16 months ago when I started my time as Fedora Project Leader, the critical path was the fact that Fedora's development infrastructure was split. We've taken the steps necessary to fix that problem. Hopefully now we can start to reap some of the rewards.

Over the next 2-3 years, I hope that we see more and more packages that were "Core" become co-maintained by both Red Hat developers and non-Red Hat developers. The infrastructure for this is now in place -- but the process itself needs to mature in its own time.

I hope that we see the Fedora Project further solidify itself as an upstream base for other distributions, not just things like Red Hat Enterprise Linux and other RHEL-derived distros. We're already seeing some success in this arena, as the One Laptop Per Child project is built on the Fedora base.

Again, we believe that we've created the infrastructure for this in Fedora 7, but it will take a year or two for the results of that to trickle down. Hopefully we'll one day see Fedora hosting the "best of breed" (though I hate buzzwords like that) appliances and spins for all sorts of different use cases.

As always, a major goal of Fedora is to continue to lower the barrier to entry for new contributors. With our technical world in decent order, I think we'll have more time in the coming year for work like this, which should pay dividends 2-3 years down the road. Hopefully Fedora can grow into a project that has a much larger community of "developers" as opposed to "packagers". We're really really good at the latter (and that's a great thing), but I'd like us to continue to improve in the former.

There has been some grumbling from the ranks of (former) Fedora Extras maintainers that the new update process just adds bureaucracy to their job. Has anything been done to make those maintainers happier?

The short answer to this question is that things are a bit rough right now, but folks (the Fedora Engineering Steering Committee, comprised of both RH and non-RH contributors) are actively working on making things better. Time just ran out to have it all done pre-F7.

We are working on both streamlining the updates process through command line submission tools that can be scripted, and also revamping the ACL process to use the new package database that has been built.

In the past, there was a difference between updates for a Core package and an Extras package.

For Extras, you build the package and it was pushed the next time that Extras was pushed out, without any real need for notification to users about what the update was, etc.

For Core packages, you built the package, filled out a template in a web-based updates system, and then went through updates-testing and finally to the updates repo with an announcement and visible change information coming from the yum applet.

The Fedora 7 workflow, right now, feels a lot like that old Fedora Core workflow. However, our new updates infrastructure, Bodhi, is being rolled out, and we believe that will help the situation.

What the updates workflow is GOING to look like is:

  • Build a package, and send information to Bodhi about the update either through a web form, or a command line tool that is integrated with the makefile.

  • Optionally (I'm not quite sure what the criteria around this option are, it's probably up for discussion) send the update to updates-testing with an announcement.

  • Once the developer is happy, send the update to the official updates repo either via the web UI or the command line tool.

  • Bodhi will generate an announcement email and the yum applet will have visible change information, so that when the user gets the pop-up that says "5 new updates are available" the user will be able to know what is being updated and why.

So the biggest change here is that the freedom to update packages that were once in Extras without having to really specify what those changes were has been curtailed. And at the same time the tools are being worked on to make the updates process as easy as possible.

Whatever happened to the proposed developer ranking system? Is that still something the project is considering?

It was an idea that was proposed on some Fedora mailing lists earlier this year. It never really gained much traction beyond that. Maybe someone will resurrect it. Maybe not. Personally I don't think this is a critical-path topic. But that's easy for me to say, because I've already declared myself a level 60 Fedora Ninja.

Red Hat still maintains a fairly firm control over parts of the project; the decision to not consider outside artwork for Fedora 7 is one example. Do you expect that to continue, or will the Fedora project become more independent over time?

Fedora must continue to become more independent over time.

The situation with the Fedora art community and Fedora 7's art was very unfortunate. There are some people (including me) who think that we should allow Fedora's artwork to be created, judged, and used the same way that we do with Fedora's code. There are others who think that artwork is a different beast, and that for it to be done well, it has to happen in a more "closed" environment than other parts of Fedora development.

I am not an artist. But I think Fedora 7's art looks great. I am also not the sort of person who is going to base my decision of what distribution to use on the default theme that is provided by that distribution. That isn't to say that I don't think great artwork is a major selling point -- I just don't think it's enough of a deal breaker to warrant the breaking of the rules that the rest of Fedora plays by.

I believe that Fedora has a tremendously committed and tremendously talented art community. I believe that the Fedora Project has a responsibility to give those artists a place where they can do their work, and see their work put to good use.

Put bluntly -- I would like to see all (not just some, but all) of the artwork in Fedora developed openly, in the same community-oriented way that we try to build the rest of the distribution. If such a decision results in some short-term growing pains, I'm fine with that because I think the long term community that will result from such a commitment will be stronger.

The very technical goals of Fedora 7 required all of my "political capital" so to speak, in order to make happen. I couldn't win an additional fight about the manner in which parts of Fedora's artwork was produced. Was the end result good? Yes. Was the process good? No. Did I sort of have to take it on the chin? Yes.

Will I allow the same thing to happen again for Fedora 8? No. The Fedora 8 artwork will be developed in the community, and whoever the "lead designer" of that artwork is, it will be a requirement that that person conduct their work with the input of Fedora's larger art community, or the final work, no matter how beautiful it might be, will be unacceptable.

The development process at rpm.org has been quiet for a while (though a look at the lists shows that some things are happening). Meanwhile, the other RPM has launched rpm5.org and appears to be headed toward a major release. How do you feel about the state of rpm.org development, and is there any chance of joining this fork sometime in the future?

I have to answer this question from several different angles.

First, from the "RPM.org as a self-contained engineering project that various distros use" angle:

Right now, a maintenance release (4.4.2.1) is being prepared, with a release planned within the next two or so weeks. Its primary goals are bug fixes, and the review/merge of patches from vendors (mainly SUSE and Red Hat).

Once that maintenance release is out, the development cycle of the next major version of RPM will begin.

Speaking with the RPM developers, my understanding is that its focus will be on making the codebase more maintainable, cleaning up and improving the APIs, and getting a proper and predictable development/release process in place. This, we think, will also help to build a more healthy community around RPM, both of developers and testers.

The rpm.org developers have been keeping an eye on what the rpm5.org team is doing. Both trees have some common interest areas and code. The long-term is where the two projects differ.

On rpm5.org (http://rpm5.org/roadmap.php), it says:

"The main RPM development is already focused on the development of the forthcoming RPM 5.0. The primary goals of RPM 5.0 are the additional support for the XML based archiving format XAR (http://code.google.com/p/xar/), an integrated package dependency resolver, further improved portability and extended cross-platform support. The final RPM 5.0 versions are expected to be released in the second half of 2007."

In short, the rpm5.org development plans give RPM a *larger* scope. The rpm.org development team thinks that RPM should have a *smaller* scope. RPM should be a solid, stable foundation of a system. Everything else should be built on top of it. Keep RPM small and extensible by providing good and stable APIs.

Now, from the "Fedora as a distribution built around RPM" perspective:

RPM needs to grow and improve, but we need to make sure it grows in the right direction. And like most things in the world there are different opinions on where RPM should go.

Fedora provides tools like pungi and revisor that allow someone to use a release from rpm5.org and spin up a distribution centered around that. If a group of Fedora users wanted to spin a version of Fedora 7 using an rpm5.org release as a basis of comparison and testing, that would probably be a pretty interesting activity, and I would think that the results of it would be useful to developers working both at rpm.org and rpm5.org. That is the simple reality of the open source software world.

The Fedora Project is committed to using rpm.org's work as its upstream.

Many thanks to Max for taking the time to answer our questions in such detail.


SourceForge: the "Hotel California" of open source projects?

You can check out any time you like, but you can never leave

SourceForge (SF) provides a valuable service to the free and open source software communities, but it is not without its flaws. It is quite common that, as projects mature and gain popularity, they move away from SF for a variety of reasons. Unfortunately, because of a well-intentioned data retention policy at SF, this can lead to projects held hostage by the high regard search engines have for SF.

SF is one of the earliest providers of free hosting for projects, claiming over 100,000 projects with over one million registered users. It provides source code repositories, mailing lists, bug tracking, download space for releases, and has recently added wikis for the projects hosted there. For many small projects it has been an essential part of the infrastructure. It provides a way to draw developers' attention and it is a place for users to get information and releases.

At least partially because of its popularity, SourceForge has its share of problems. Complaints about the tools chosen, user interface, number and type of advertisements, etc. are commonly heard. Perhaps the biggest issue for most projects is the availability of the site. Development grinds to a halt if the SF server goes down; communication disappears without the mailing lists and, because it uses centralized source code management, no code can be checked in or out. SF becomes the single point of failure for the entire project.

If a project gets unhappy enough with SourceForge, they can, of course, just pick up and move elsewhere. There are other project hosting sites available, some geared towards particular kinds of projects. It is likely that other sites suffer many of the same shortcomings as SF, so projects often find their own host, where they can control the tools and advertising policies. They can also mitigate the reliability issues by choosing tools that are less centralized. To their credit, SF does nothing to discourage projects from moving, but they do have a policy regarding what happens to the project's data and, ultimately, to the project's SF entry itself.

A weblog entry by kernel hacker Dave Jones gives his opinion, rather forcefully, about the retention policy. It seems he had tried to have his x86info project removed from SF, but was foiled by the policy. This rubbed him the wrong way:

My biggest beef is that of ownership. I feel I've effectively been forced to fork my own project. As I understand their policies, the terms mention that they won't remove projects that have released code just in case someone wants to fork an earlier version, or see the older history. In my case, I have a complete preservation of history in the git tree imported from the original CVS, along with tarballs of all releases. Should someone wish to fork my project, they'd be far better served by grabbing either of those than the 4 year old code stagnating in the CVS attic at sourceforge.

Search engine ranking plays a big role in his annoyance as well. A page at SF with a particular project name attached to it will be very high or at the top of any search engine results. Anyone looking for the project is likely to end up at the SF site, which will require another hop to get to the active site, if they see the link, as Jones puts it:

So now I'm left with one line of text forwarding to the new site, amongst a sea of commercials for sourceforge's "services".

The policy is for the protection of the code and the project, so that a loose cannon project administrator cannot, in a fit of pique, get the project and all of its files deleted. It also protects against data loss when projects move, but then disappear from their new site. There is certainly nothing wrong with the policy per se, but it has some, probably unintended, side effects.

SF has built up a well deserved reputation as a solid, if a bit annoying, home for projects, and it certainly cannot be faulted for the trust that search engines have in it. There is also nothing wrong with providing a repository for old releases of open source software. It would just be nice if they could provide what Jones calls the "yes, I really know what I'm doing, and I understand your reasons, but please kill this project" option. In some ways like the trademark issue described on this page last week, this adds another decision that a project leader may need to consider in the early stages of a project.


The first LiPS specifications

The Linux Phone Standards Forum is an industry group aimed at standardizing the use of Linux in telephony applications. Its members include some service providers, embedded software companies, chip manufacturers, and so on. There is, interestingly, a distinct lack of representation from handset manufacturers in the group currently. LiPS has recently announced the release of the first set of Linux telephony specifications. This work is far from complete, but it is enough to give an idea of where this group intends to go. For those who would like to look at the whole thing, it can be downloaded as a zip file filled with files in PDF and HTML formats.

One of the first things that one notes is that LiPS is not about free software. The (minimal) software associated with the specification can be distributed under a somewhat BSD-like license, but any necessary patent licenses can only be had under "reasonable and non-discriminatory" (i.e. discriminatory against free software) terms. LiPS is very much about making it easier to create proprietary applications for the phone space.

One set of specifications covers basic user interface tasks - how the arrow keys should work, APIs for text entry, etc. LiPS appears to have settled on GTK+ as its toolkit of choice for this purpose despite the presence of Trolltech in the list of members. There is some evident concern about the size of the GTK+ library, leading to a specification of which widgets are necessary and which can be removed. Specifications covering the customization of the look and feel of the device are planned but not yet present.

Then, there's a set of "enabler" services. Those which are present currently include a discussion of address book services and basic voice call management. There is much more planned in this area, including calendars, messaging, web browsing, data synchronization, video calling, and, inevitably, "DRM".

Other areas which have not been filled in are "application management" and "OS services." Application management covers the launching and control of applications and some API-level things like inter-process communication. The OS services category is a large one; at the lowest levels it will have a set of "requirements on the Linux kernel and drivers" and some sort of database service. On top of that one finds things like network protocols, power management, dealing with SIM cards, etc. One imagines that the specification writers will be busy for a while. Some of the missing documents are planned for later in this year, with the rest completed in 2008.

Most of this is relatively boring stuff for people who are not actually working in this area. It may turn out to be important work for those who would like to see Linux World Domination in the mobile telephone arena, though. If it is to achieve that goal, LiPS will want to broaden its membership; the lack of presence by the companies which are actually shipping Linux-based phones is worrying. The creation of a software stack which is truly free software would be a good addition to the Forum's goals; if a phone is completely proprietary and locked-down, the fact that it is running Linux will not be especially helpful or interesting. If the Forum can become truly inclusive in these ways, perhaps its specifications will be more than just LiPS service.


Page editor: Jake Edge

Security

BadBunny? Only if you invite it in

There has been a lot of press, over the last several weeks, about the "BadBunny" worm, which infects OpenOffice.org (OO.o) files. Most of the buzz seems to be about the multi-platform nature of the worm, which is interesting, but the mainstream technical press seems to miss the fact that, without a number of bad user decisions, the worm would not do anything at all. There was a lot of noise about OO.o macros and security last summer, but the situation is the same as when we last reported about OO.o security: if one is going to use an office suite with a macro language, one must be careful about which macros are run.

The infected file itself is a graphics document file called badbunny.odg which contains macro definitions that can be executed when the file is loaded into OO.o. If the macro is run, it does different things depending on the platform, but attempting to infect either the mIRC or XChat Internet Relay Chat (IRC) clients is the first step. If those clients are run after the infection, BadBunny will try to propagate by offering the document file to other connected users.

As a secondary payload, BadBunny stores and runs a script file that tries to infect other files in the directory where the document file is stored. For reasons unknown, each operating system gets a script written in a different language: for Linux it is Perl, for Mac OS X it is Ruby, and for Windows it is JavaScript. BadBunny also attempts to do a "ping of death" denial of service attack against multiple anti-virus sites.

The worm was first reported by the anti-virus company Sophos back in May and was described as a "proof of concept" that was emailed to their researchers. The name, BadBunny, comes from the names of various files that get installed as well as a pornographic image of a man in a bunny suit that may be displayed. More recently, anti-virus vendor Symantec has reported BadBunny "in the wild", but it is not very widespread.

There are some pretty good reasons this worm has not spread widely. Users are becoming more aware of these kinds of problems and many already know to be "cautious when handling OpenOffice files from unknown sources" as Symantec suggests in their announcement. This is not, of course, an OO.o-specific problem. All files from unknown sources should be treated with care. In order to be affected by BadBunny, users will also have to enable the macros to run. As reported by Malte Timmermann, Sun's OO.o Technical Architect, the worm does not bypass the OO.o security checks and the user will be prompted before the macros are run. One can certainly imagine that there are users who will receive a file of unknown provenance, perhaps by email or over IRC, open it and run its macros, but they are, hopefully, few and far between; this is certainly not the infection vector of an attacker's dreams.

Like it or not, macro languages in office suites are here to stay. They have their uses (and abuses). For the most part, users will not even consider using an office suite that does not offer a scripting language. As Timmermann puts it:

OpenOffice.org has a macro language with access to local resources.
Of course this macro language can be used for performing any kind of task; that's the intention of it!
Users shouldn't run macros from unknown sources, just as they shouldn't run any programs or other scripts from unknown sources.

It could be argued that the OO.o macro language should be simplified in ways that might help cut down the potential for abuse. It is difficult to see how that can be done when the major competitor, at least in the Windows world, has a "full featured" macro language. The balance between security and new features is always tricky, but when trying to compete against an established market leader, sometimes the features have to win.

If you believe that an office suite requires a sophisticated macro language, these kinds of problems cannot be considered security holes in the program; it is doing exactly as the user instructed it to. Individuals or organizations that want to use tools with these capabilities have to be security conscious. In the end, if users are going to blindly click through any kind of warning, any reasonable level of security is impossible. This is true no matter what operating system, web browser or office suite is used.
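The practical defence the article describes is knowing, before anything is opened, whether a document carries macros at all. An OpenDocument file such as the .odg described above is a zip container, and macro code lives in well-known places inside it: StarBasic modules under Basic/ and scripted macros (Python, JavaScript, BeanShell) under Scripts/, both of which are also listed in META-INF/manifest.xml. The following is an added example, not code from the article or from OpenOffice.org, of a small scanner that flags such members in a document before it reaches a user; the sample documents it builds are constructed in memory and are not the real badbunny.odg.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Archive directories where OpenDocument macro code is stored.
MACRO_PREFIXES = ("Basic/", "Scripts/")
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ODG_MIME = "application/vnd.oasis.opendocument.graphics"


def find_macros(odf_bytes):
    """Return the sorted list of archive members that hold macro code.

    Both the zip directory and the manifest are consulted, so a macro
    that is listed in only one of the two is still reported.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(odf_bytes))
    except zipfile.BadZipFile:
        raise ValueError("not an OpenDocument package (not a zip archive)")
    hits = set()
    with zf:
        for name in zf.namelist():
            if name.startswith(MACRO_PREFIXES) and not name.endswith("/"):
                hits.add(name)
        try:
            manifest = zf.read("META-INF/manifest.xml")
        except KeyError:
            return sorted(hits)  # no manifest: fall back to the zip directory
        root = ET.fromstring(manifest)
        for entry in root.iter("{%s}file-entry" % MANIFEST_NS):
            path = entry.get("{%s}full-path" % MANIFEST_NS, "")
            if path.startswith(MACRO_PREFIXES) and not path.endswith("/"):
                hits.add(path)
    return sorted(hits)


def has_macros(odf_bytes):
    """True if the document should trigger the 'macros present' warning."""
    return bool(find_macros(odf_bytes))


def build_sample(macro_paths=()):
    """Build a constructed, minimal ODF drawing for testing the scanner.

    Every path in macro_paths is written into the archive and listed in the
    manifest. With no paths, the result is a macro-free document.
    """
    entries = [
        '<manifest:file-entry manifest:full-path="/" manifest:media-type="%s"/>' % ODG_MIME,
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>',
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Real ODF writers store "mimetype" first and uncompressed; the
        # scanner does not depend on that, so plain writestr is enough here.
        zf.writestr("mimetype", ODG_MIME)
        zf.writestr("content.xml", "<office:document-content/>")
        for path in macro_paths:
            zf.writestr(path, "' constructed placeholder macro body\n")
            entries.append(
                '<manifest:file-entry manifest:full-path="%s" manifest:media-type="text/xml"/>' % path
            )
        manifest = (
            '<manifest:manifest xmlns:manifest="%s">%s</manifest:manifest>'
            % (MANIFEST_NS, "".join(entries))
        )
        zf.writestr("META-INF/manifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample()
    suspicious = build_sample(("Basic/Standard/Module1.xml", "Scripts/python/payload.py"))
    print("clean document macros:", find_macros(clean))
    print("suspicious document macros:", find_macros(suspicious))
```

Run on a real file with `has_macros(open(path, "rb").read())`. A hit does not mean the document is malicious, only that the "run macros?" prompt the article mentions will appear; a mail gateway or download hook can use that to quarantine or strip such attachments from untrusted senders instead of relying on the user to click the right button.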


New vulnerabilities

kdebase: information leak

Package(s): kdebase    CVE #(s): CVE-2007-2022
Created: June 13, 2007    Updated: September 19, 2007
Description: A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser. NOTE: CVE number may be incorrect, see CVE entry
Alerts:
rPath rPSA-2007-0190-1 2007-09-18
Mandriva MDKSA-2007:138 2007-07-03
Red Hat RHSA-2007:0494-01 2007-06-13


kernel: several vulnerabilities

Package(s): kernel    CVE #(s): CVE-2007-1353 CVE-2007-2451 CVE-2007-2453
Created: June 11, 2007    Updated: March 6, 2008
Description: Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353)

The GEODE-AES driver did not correctly initialize its encryption key. Any data encrypted using this type of device would be easily compromised. (CVE-2007-2451)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453)

Alerts:
Debian DSA-1504 2008-02-22
Debian DSA-1503-2 2008-03-06
Debian DSA-1503 2008-02-22
Red Hat RHSA-2007:0488-01 2007-06-25
Debian DSA-1356-1 2007-08-15
SuSE SUSE-SA:2007:051 2007-09-06
Mandriva MDKSA-2007:216 2007-11-13
Mandriva MDKSA-2007:171 2007-08-28
Red Hat RHSA-2007:0671-01 2007-08-16
Red Hat RHSA-2007:0673-01 2007-08-08
Red Hat RHSA-2007:0672-01 2007-08-08
Ubuntu USN-489-1 2007-07-19
Ubuntu USN-486-1 2007-07-17
Fedora FEDORA-2007-600 2007-06-25
Fedora FEDORA-2007-599 2007-06-21
SuSE SUSE-SA:2007:035 2007-06-14
Red Hat RHSA-2007:0376-01 2007-06-14
Fedora FEDORA-2007-0409 2007-06-13
Ubuntu USN-470-1 2007-06-08


kernel: several vulnerabilities

Package(s): kernel    CVE #(s): CVE-2006-5823 CVE-2006-6054 CVE-2007-1592
Created: June 12, 2007    Updated: March 21, 2011
Description: A flaw in the cramfs file system allows invalid compressed data to cause memory corruption (CVE-2006-5823)

A flaw in the ext2 file system allows an invalid inode size to cause a denial of service (system hang) (CVE-2006-6054)

A flaw in IPV6 flow label handling allows a local user to cause a denial of service (crash) (CVE-2007-1592)

Alerts:
Mandriva MDVSA-2011:051 2011-03-18
Debian DSA-1503-2 2008-03-06
Debian DSA-1504 2008-02-22
Debian DSA-1503 2008-02-22
Red Hat RHSA-2007:0673-01 2007-08-08
Red Hat RHSA-2007:0672-01 2007-08-08
SuSE SUSE-SA:2007:035 2007-06-14
Red Hat RHSA-2007:0347-01 2007-05-16
SuSE SUSE-SA:2007:043 2007-07-09
Debian DSA-1304-1 2007-06-16
rPath rPSA-2007-0124-1 2007-06-14
Red Hat RHSA-2007:0436-01 2007-06-11

Comments (none posted)

madwifi-ng: multiple vulnerabilities

Package(s):madwifi-ng CVE #(s):CVE-2007-2830 CVE-2007-2829 CVE-2007-2831
Created:June 12, 2007 Updated:June 29, 2007
Description: Md Sohail Ahmad from AirTight Networks has discovered a division by zero in the ath_beacon_config() function (CVE-2007-2830). The vendor has corrected an input validation error in the ieee80211_ioctl_getwmmparams() and ieee80211_ioctl_setwmmparams() functions (CVE-2007-2831), and an input sanitization error when parsing nested 802.3 Ethernet frame lengths (CVE-2007-2829).
Alerts:
Ubuntu USN-479-1 2007-06-28
Mandriva MDKSA-2007:132 2007-06-21
Gentoo 200706-04 2007-06-11

Comments (1 posted)

mecab: buffer overflow

Package(s):mecab CVE #(s):
Created:June 12, 2007 Updated:June 13, 2007
Description: MeCab 0.96 fixes several bugs and security issues.
Alerts:
Fedora FEDORA-2007-0379 2007-06-11
Fedora FEDORA-2007-0368 2007-06-11
Fedora FEDORA-2007-0367 2007-06-11
Fedora FEDORA-2007-0366 2007-06-11

Comments (none posted)

OpenOffice.org: arbitrary code execution

Package(s):openoffice.org CVE #(s):CVE-2007-0245
Created:June 13, 2007 Updated:June 12, 2008
Description: A specially crafted RTF file could cause the filter to overwrite data on the heap, which may lead to the execution of arbitrary code.
Alerts:
Fedora FEDORA-2008-5239 2008-06-11
Fedora FEDORA-2008-4104 2008-05-17
rPath rPSA-2007-0160-1 2007-08-14
Ubuntu USN-482-1 2007-07-10
Mandriva MDKSA-2007:144 2007-07-10
Gentoo 200707-02 2007-07-02
SuSE SUSE-SA:2007:037 2007-06-28
Fedora FEDORA-2007-606 2007-06-25
Fedora FEDORA-2007-0410 2007-06-13
Fedora FEDORA-2007-572 2007-06-12
Red Hat RHSA-2007:0406-01 2007-06-13
Debian DSA-1307-1 2007-06-12

Comments (none posted)

pam: privilege escalation

Package(s):pam CVE #(s):CVE-2007-1716
Created:June 12, 2007 Updated:November 15, 2007
Description: A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to an unauthorized user.
Alerts:
Red Hat RHSA-2007:0737-02 2007-11-15
Red Hat RHSA-2007:0555-04 2007-11-07
Fedora FEDORA-2007-546 2007-06-11
Red Hat RHSA-2007:0465-01 2007-06-11

Comments (none posted)

spamassassin: local denial of service

Package(s):spamassassin CVE #(s):CVE-2007-2873
Created:June 13, 2007 Updated:June 15, 2007
Description: The effect of the exploit is to allow overwriting of arbitrary files that are accessible by the spamd process (running as root), with data that is not under the control of the attacker.
Alerts:
Mandriva MDKSA-2007:125 2007-06-14
rPath rPSA-2007-0119-1 2007-06-13
Fedora FEDORA-2007-582 2007-06-12
Fedora FEDORA-2007-584 2007-06-12
Red Hat RHSA-2007:0492-01 2007-06-13
Fedora FEDORA-2007-0390 2007-06-12

Comments (none posted)

wordpress: SQL injection

Package(s):wordpress CVE #(s):
Created:June 8, 2007 Updated:June 13, 2007
Description: A lack of proper input filtering in wp_suggestCategories() of the WordPress XML-RPC API will allow SQL injection.
Alerts:
OpenPKG OpenPKG-SA-2007.021 2007-06-08

Comments (none posted)

Updated vulnerabilities

acroread: multiple vulnerabilities

Package(s):acroread CVE #(s):CVE-2006-5857 CVE-2007-0045 CVE-2007-0046
Created:January 11, 2007 Updated:October 26, 2009
Description: Adobe's Acrobat Reader has the following vulnerabilities:

The Adobe Reader plugin has a cross-site scripting vulnerability that can be triggered by processing malformed URLs. Arbitrary JavaScript can be served by a malicious web server, leading to a cross-site scripting attack.

Maliciously crafted PDF files can be used to trigger two vulnerabilities; if an attacker can trick a user into viewing the files, arbitrary code can be executed with the user's privileges.

Alerts:
SuSE SUSE-SA:2009:049 2009-10-26
Gentoo 200910-03 2009-10-25
Red Hat RHSA-2007:0021-01 2007-01-22
Gentoo 200701-16 2007-01-22
SuSE SUSE-SA:2007:011 2007-01-22
Red Hat RHSA-2007:0017-01 2007-01-11

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2006-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

Asterisk: two SIP denial of service vulnerabilities

Package(s):Asterisk CVE #(s):CVE-2007-1561 CVE-2007-1594
Created:April 3, 2007 Updated:August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code.
Alerts:
Debian DSA-1358-1 2007-08-26
SuSE SUSE-SA:2007:034 2007-06-06
Gentoo 200704-01 2007-04-02

Comments (none posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2007-2241
Created:May 10, 2007 Updated:June 8, 2007
Description: ISC BIND 9.4.0 is vulnerable to a denial of service attack. If recursion is enabled a remote attacker can use a special sequence of queries to cause the daemon to exit.
Alerts:
Fedora FEDORA-2007-0300 2007-06-08
OpenPKG OpenPKG-SA-2007.014 2007-05-18
Mandriva MDKSA-2007:100 2007-05-09

Comments (1 posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-2650
Created:June 5, 2007 Updated:July 20, 2007
Description: A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file.
Alerts:
Fedora FEDORA-2007-1154 2007-07-19
Debian DSA-1320-1 2007-06-23
Gentoo 200706-05 2007-06-15
Trustix TSLSA-2007-0020 2007-06-08
SuSE SUSE-SA:2007:033 2007-06-06
Mandriva MDKSA-2007:115 2007-06-04

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
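The cron bug is the classic unchecked privilege drop: if setuid() fails (for instance because the target user is at its process limit), the child keeps running as root and then executes the user's command. Below is an added example of the check done properly, written for this page rather than taken from Vixie cron or any distribution's patch; the function name and its verification step are this example's own.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The vulnerable shape, for contrast (the pattern, not cron's code):
 *
 *     setgid(gid);
 *     setuid(uid);
 *     execve(shell, argv, envp);     // still root if setuid() failed
 *
 * drop_privileges() does the same job but treats every step as fallible
 * and, for a non-root target, verifies that root cannot be regained.
 * Returns 0 on success, -1 with errno set on failure; the caller must
 * then refuse to run the job rather than carry on. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared by root; a non-root caller
     * cannot change them at all and must not fail on that account. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: once the uid is unprivileged, setgid() is refused. */
    if (setgid(gid) != 0)
        return -1;

    /* The call cron did not check. When it fails the process keeps its
     * previous (root) uid, which is the whole vulnerability. */
    if (setuid(uid) != 0)
        return -1;

    /* Belt and braces: a non-root target must be unable to climb back. */
    if (uid != 0) {
        if (getuid() != uid || geteuid() != uid) {
            errno = EACCES;
            return -1;
        }
        if (setuid(0) == 0) {
            errno = EACCES;
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop [uid [gid]]; defaults to the caller's own ids. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s; refusing to continue\n",
                strerror(errno));
        return 1;
    }
    printf("now running as uid %u gid %u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Order matters: groups, then gid, then uid, because each step is only permitted while the process still holds the privilege the next one needs. The final `setuid(0)` probe is cheap and catches the case where a saved-set-user-ID or retained capability would let the job climb back to root.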
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2006-4262
Created:October 2, 2006 Updated:June 16, 2009
Description: Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code.
Alerts:
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200610-08 2006-10-20
Debian DSA-1186-1 2006-09-30

Comments (none posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang by a client "partially negotiating" an SSL connection. In this state, cups would not accept other connections, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2008-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

elinks: code execution

Package(s):elinks CVE #(s):CVE-2007-2027
Created:May 7, 2007 Updated:October 30, 2009
Description: Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges.
Alerts:
Red Hat RHSA-2009:1471-01 2009-10-01
CentOS CESA-2009:1471 2009-10-06
CentOS CESA-2009:1471 2009-10-30
Gentoo 200706-03 2007-06-06
Ubuntu USN-457-1 2007-05-07

Comments (none posted)

elinks: arbitrary file access

Package(s):elinks CVE #(s):CVE-2006-5925
Created:November 16, 2006 Updated:October 22, 2009
Description: The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions.
Alerts:
Ubuntu USN-851-1 2009-10-21
Gentoo 200701-27 2007-01-30
OpenPKG OpenPKG-SA-2006.043 2006-12-26
Debian DSA-1240-1 2006-12-21
Gentoo 200612-16 2006-12-14
Debian DSA-1228-1 2006-12-05
Debian DSA-1226-1 2006-12-03
Fedora FEDORA-2006-1278 2006-11-21
Fedora FEDORA-2006-1277 2006-11-21
Mandriva MDKSA-2006:216 2006-11-20
Red Hat RHSA-2006:0742-01 2006-11-15

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

pop mail man-in-the-middle attacks

Package(s):evolution thunderbird mutt fetchmail CVE #(s):CVE-2007-1558
Created:May 8, 2007 Updated:July 3, 2009
Description: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail.
Alerts:
CentOS CESA-2009:1140 2009-07-02
Red Hat RHSA-2009:1140-02 2009-07-02
Fedora FEDORA-2007-1447 2007-08-06
rPath rPSA-2007-0127-1 2007-06-19
Foresight FLEA-2007-0026-1 2007-06-18
rPath rPSA-2007-0122-1 2007-06-14
Red Hat RHSA-2007:0385-01 2007-06-07
rPath rPSA-2007-0114-1 2007-06-04
Mandriva MDKSA-2007:113 2007-06-04
Red Hat RHSA-2007:0386-01 2007-06-04
Fedora FEDORA-2007-0001 2007-06-01
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-550 2007-05-31
Fedora FEDORA-2007-551 2007-05-31
Red Hat RHSA-2007:0401-01 2007-05-30
Fedora FEDORA-2007-539 2007-05-30
Fedora FEDORA-2007-540 2007-05-30
Red Hat RHSA-2007:0344-01 2007-05-30
Mandriva MDKSA-2007:107 2007-05-19
Mandriva MDKSA-2007:105 2007-05-17
Red Hat RHSA-2007:0353-01 2007-05-17
Fedora FEDORA-2007-484 2007-05-07
Fedora FEDORA-2007-485 2007-05-07

Comments (none posted)

fail2ban: denial of service

Package(s):fail2ban CVE #(s):CVE-2006-6302
Created:February 16, 2007 Updated:July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse the sshd log file, which allows remote attackers to add arbitrary hosts to /etc/hosts.deny, causing a denial of service, by getting arbitrary IP addresses written into the sshd log, as demonstrated by logging in over ssh with a login name containing certain strings together with an IP address.
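The underlying problem is that sshd writes the attempted user name into the log unescaped, so an attacker controls part of the line that a ban rule parses. An added example of the parsing difference, written for this page rather than taken from fail2ban (neither regular expression below is fail2ban's own, and the sample log lines are constructed): the naive pattern captures the first "from <address>" it finds, the hardened one anchors on the end of the line so the address is always the one sshd appended.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Extract the host from an sshd "Invalid user" line using `pattern`, an
 * ERE whose first group is the address. Returns 1 and fills `out` on a
 * match, 0 otherwise. */
int extract_host(const char *pattern, const char *line, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[2];
    int rc = 0;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return 0;
    if (regexec(&re, line, 2, m, 0) == 0 && m[1].rm_so >= 0) {
        size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (len < outsz) {
            memcpy(out, line + m[1].rm_so, len);
            out[len] = '\0';
            rc = 1;
        }
    }
    regfree(&re);
    return rc;
}

/* Naive: takes the first "from <ip>" after the user name, so a user name
 * that itself contains "from <ip>" decides what gets banned. */
const char *NAIVE_RE = "Invalid user [^ ]+ from ([0-9.]+)";

/* Hardened: greedy .* plus an end anchor mean the captured address is the
 * LAST one on the line, i.e. the one sshd appended, whatever the user
 * name holds. The optional " port N" suffix covers newer sshd formats. */
const char *ANCHORED_RE = "Invalid user .* from ([0-9.]+)( port [0-9]+)?$";

/* Constructed sample lines (not real log data). In the second one the
 * attacker at 203.0.113.7 logged in with the user name
 * "root from 198.51.100.9", hoping to get 198.51.100.9 banned. */
static const char *SAMPLE_LINES[] = {
    "Jun 12 10:00:01 mail sshd[2311]: Invalid user admin from 203.0.113.7",
    "Jun 12 10:00:02 mail sshd[2312]: Invalid user root from 198.51.100.9 from 203.0.113.7",
    "Jun 12 10:00:03 mail sshd[2313]: Invalid user guest from 203.0.113.7 port 40122",
};

/* Host picked from SAMPLE_LINES[i] by `pattern`, or "" if no match. */
const char *host_for(const char *pattern, int i)
{
    static char host[64];
    host[0] = '\0';
    extract_host(pattern, SAMPLE_LINES[i], host, sizeof host);
    return host;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("line %d: naive=%-14s anchored=%s\n", i,
               host_for(NAIVE_RE, i), host_for(ANCHORED_RE, i));
    return 0;
}
```

The general rule for any log-driven blocker: parse from the fields the daemon appends, not from the fields an unauthenticated client supplies, and anchor the expression so attacker-controlled text cannot satisfy it early. Whitelisting addresses that must never be banned is the second line of defence when the parser is fooled anyway.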
Alerts:
Gentoo 200702-05 2007-02-16

Comments (3 posted)

file: integer overflow

Package(s):file CVE #(s):CVE-2007-2799
Created:June 1, 2007 Updated:October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1 GB) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200710-19 2007-10-18
Debian DSA-1343-2 2007-09-25
Debian DSA-1343-1 2007-07-31
SuSE SUSE-SA:2007:040 2007-07-04
Fedora FEDORA-2007-0836 2007-07-03
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Ubuntu USN-439-2 2007-06-11
Mandriva MDKSA-2007:114 2007-06-05
Gentoo 200705-25 2007-05-31

Comments (3 posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla seamonkey thunderbird CVE #(s):CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created:June 4, 2007 Updated:August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-469-2 2007-08-29
SuSE SUSE-SA:2007:036 2007-06-27
Mandriva MDKSA-2007:131 2007-06-20
Gentoo 200706-06 2007-06-19
Foresight FLEA-2007-0027-1 2007-06-20
Fedora FEDORA-2007-0544 2007-06-18
Mandriva MDKSA-2007:126-1 2007-06-16
Mandriva MDKSA-2007:126 2007-06-15
Slackware SSA:2007-165-01 2007-06-15
Debian DSA-1308-1 2007-06-14
Mandriva MDKSA-2007:120 2007-06-12
Mandriva MDKSA-2007:119 2007-06-12
Debian DSA-1305-1 2007-06-13
Debian DSA-1306-1 2007-06-12
Debian DSA-1300-1 2007-06-07
Ubuntu USN-469-1 2007-06-05
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-468-1 2007-06-01

Comments (3 posted)

freetype: arbitrary code execution

Package(s):freetype CVE #(s):CVE-2007-2754
Created:May 24, 2007 Updated:June 1, 2010
Description: The Freetype font rendering library versions 2.3.4 and below has an integer sign error. Remote attackers may be able to create a specially crafted TrueType Font file with a negative n_points value that will cause an integer overflow and heap-based buffer overflow, allowing the execution of arbitrary code.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Debian DSA-1334 2007-07-18
SuSE SUSE-SA:2007:041 2007-07-04
Fedora FEDORA-2007-561 2007-06-18
Mandriva MDKSA-2007:121 2007-06-13
Foresight FLEA-2007-0025-1 2007-06-13
Red Hat RHSA-2007:0403-01 2007-06-11
Debian DSA-1302-1 2007-06-10
Fedora FEDORA-2007-0033 2007-06-01
Ubuntu USN-466-1 2007-05-30
Gentoo 200705-22 2007-05-30
Trustix TSLSA-2007-0019 2007-05-25
rPath rPSA-2007-0108-1 2007-05-23
Foresight FLEA-2007-0020-1 2007-05-21
OpenPKG OpenPKG-SA-2007.018 2007-05-24

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
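The fastjar entry and the earlier dovecot one (CVE-2007-2231, a ".." in a mailbox name) are the same bug class: a name supplied by the other side is joined onto a base directory without checking that it stays inside it. An added example of the check, written for this page and not taken from fastjar or Dovecot; the function names are this example's own, and it assumes POSIX path semantics, where only '/' separates components.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true if `name` is safe to join under a base directory (an
 * extraction root, a mailbox root): it is non-empty, relative, and has
 * no ".." and no empty component. "." components are tolerated because
 * they never leave the tree; a trailing '/' (a directory entry, as in
 * "META-INF/") is tolerated too. On POSIX a backslash is an ordinary
 * character; a tool that also runs on Windows must treat '\\' as a
 * separator here as well. */
bool is_safe_relative_path(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/')               /* absolute: escapes the root outright */
        return false;

    const char *p = name;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)                 /* "a//b" */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;             /* ".." component: traversal */
        if (!slash)
            break;
        p = slash + 1;
    }
    return true;
}

/* Join a validated name under base into out. Returns false if the name
 * is rejected or the result would not fit. */
bool join_under_base(const char *base, const char *name, char *out, size_t outsz)
{
    if (!is_safe_relative_path(name))
        return false;
    int n = snprintf(out, outsz, "%s/%s", base, name);
    return n > 0 && (size_t)n < outsz;
}

/* Convenience wrapper with a static buffer, for quick checks. */
const char *join_or_null(const char *base, const char *name)
{
    static char buf[4096];
    return join_under_base(base, name, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed member names, the kind a crafted jar or a crafted
     * mailbox name could carry. */
    const char *names[] = {
        "META-INF/MANIFEST.MF", "lib/", "a/./b",
        "../etc/passwd", "/etc/passwd", "a/b/../../../x", "a//b", "..",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *joined = join_or_null("/tmp/extract", names[i]);
        printf("%-20s -> %s\n", names[i], joined ? joined : "REJECTED");
    }
    return 0;
}
```

Validating the name is necessary but not sufficient for an archive extractor: an earlier member can create a symlink pointing outside the tree and a later member can then be written through it. Extracting with O_NOFOLLOW-style opens, or refusing to follow symlinks that the archive itself created, closes that second route.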
Alerts:
Mandriva MDVSA-2008:066 2008-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s):gd CVE #(s):CVE-2007-0455
Created:February 7, 2007 Updated:November 18, 2009
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Debian DSA-1936-1 2009-11-17
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2007-02-06
Mandriva MDKSA-2007:036 2007-02-06
Mandriva MDKSA-2007:035 2007-02-06

Comments (2 posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

gimp: arbitrary code execution

Package(s):gimp CVE #(s):CVE-2007-2356
Created:May 1, 2007 Updated:June 11, 2007
Description: From this Secunia advisory: "Marsu has discovered a vulnerability in Gimp, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the "set_color_table()" function in plug-ins/common/sunras.c. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted .RAS file."
Alerts:
Debian DSA-1301-1 2007-06-09
Ubuntu USN-467-1 2007-05-31
Mandriva MDKSA-2007:108 2007-05-22
Red Hat RHSA-2007:0343-01 2007-05-21
SuSE SUSE-SR:2007:011 2007-05-16
Gentoo 200705-08 2007-05-07
rPath rPSA-2007-0090-1 2007-05-03
Foresight FLEA-2007-0015-1 2007-04-30

Comments (3 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:January 20, 2010
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Debian DSA-1974-1 2010-01-20
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

horde-kronolith: local file inclusion

Package(s):horde-kronolith CVE #(s):CVE-2006-6175
Created:January 17, 2007 Updated:March 7, 2008
Description: Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user).
Alerts:
Gentoo 200701-11 2007-01-16

Comments (none posted)

ImageMagick: integer overflows

Package(s):imagemagick CVE #(s):CVE-2007-1797
Created:April 4, 2007 Updated:August 11, 2009
Description: Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
Alerts:
Debian DSA-1858-1 2009-08-10
Red Hat RHSA-2008:0165-01 2008-04-16
Red Hat RHSA-2008:0145-01 2008-04-16
Fedora FEDORA-2007-1340 2007-07-30
Mandriva MDKSA-2007:147 2007-07-20
Ubuntu USN-481-1 2007-07-10
Gentoo 200705-13 2007-05-10
Fedora FEDORA-2007-414 2007-04-17
Fedora FEDORA-2007-413 2007-04-05
rPath rPSA-2007-0064-1 2007-04-04

Comments (none posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2007-1841
Created:April 10, 2007 Updated:August 28, 2007
Description: A flaw was discovered in the IPSec key exchange server "racoon". Remote attackers could send a specially crafted packet and disrupt established IPSec tunnels, leading to a denial of service.
Alerts:
Fedora FEDORA-2007-665 2007-08-27
Debian DSA-1299-1 2007-06-07
Red Hat RHSA-2007:0342-01 2007-05-17
Gentoo 200705-09 2007-05-08
SuSE SUSE-SR:2007:008 2007-04-27
Mandriva MDKSA-2007:084 2007-04-16
Ubuntu USN-450-1 2007-04-09

Comments (none posted)

jasper: denial of service

Package(s):jasper CVE #(s):CVE-2007-2721
Created:June 1, 2007 Updated:April 19, 2010
Description: The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files.
Alerts:
Debian DSA-2036-1 2010-04-17
Mandriva MDVSA-2009:142-1 2009-12-03
Mandriva MDVSA-2009:164 2009-07-28
Mandriva MDVSA-2009:142 2009-06-26
CentOS CESA-2009:0012 2009-02-11
Red Hat RHSA-2009:0012-01 2009-02-11
Mandriva MDKSA-2007:209 2007-11-05
Mandriva MDKSA-2007:208 2007-11-05
Ubuntu USN-501-2 2007-10-22
Ubuntu USN-501-1 2007-08-20
Mandriva MDKSA-2007:129 2007-06-19
Fedora FEDORA-2007-0001 2007-06-01

Comments (none posted)

java: multiple vulnerabilities

Package(s):java CVE #(s):CVE-2006-4339 CVE-2006-4790 CVE-2006-6731 CVE-2006-6736 CVE-2006-6737 CVE-2006-6745
Created:January 18, 2007 Updated:June 4, 2010
Description: Java has multiple vulnerabilities, including: an RSA signature verification flaw in the handling of PKCS #1 padding with small public exponents (CVE-2006-4339), two vulnerabilities which allow untrusted applets to access data in other applets, vulnerabilities that involve applets gaining privileges due to serialization bugs in the JRE, and buffer overflows in the Java image handling routines that can give attackers read/write/execute capabilities for local files.
Alerts:
Pardus 2010-67 2010-06-04
Gentoo 200705-20 2007-05-26
Red Hat RHSA-2007:0073-01 2007-02-09
Red Hat RHSA-2007:0072-01 2007-02-08
Red Hat RHSA-2007:0062-02 2007-02-07
Gentoo 200701-15 2007-01-22
SuSE SUSE-SA:2007:010 2007-01-18

Comments (1 posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / KWrite, as shipped with KDE 3.2.x up to and including 3.4.0, create a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kdelibs: cross-site scripting

Package(s):kdelibs konqueror CVE #(s):CVE-2007-0537
Created:February 5, 2007 Updated:August 13, 2007
Description: Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478.
Alerts:
Mandriva MDKSA-2007:157 2007-08-10
Gentoo 200703-10 2007-03-10
rPath rPSA-2007-0052-1 2007-03-07
Ubuntu USN-420-1 2007-02-06
Mandriva MDKSA-2007:031 2007-02-02

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-1357
Created:April 16, 2007 Updated:November 14, 2007
Description: The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Ubuntu USN-464-1 2007-05-23
SuSE SUSE-SA:2007:030 2007-05-10
SuSE SUSE-SA:2007:029 2007-05-03
rPath rPSA-2007-0071-1 2007-04-16
Fedora FEDORA-2007-432 2007-04-13
Fedora FEDORA-2007-433 2007-04-13

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2007-0005 CVE-2007-1000
Created:March 15, 2007 Updated:November 14, 2007
Description: The Linux kernel has a boundary error problem with the Omnikey CardMan 4040 driver read and write functions. This can be used to cause a buffer overflow and possible execution of arbitrary code with kernel privileges.

The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference. Local users can use this to crash the kernel or to disclose kernel memory.

Alerts:
Fedora FEDORA-2007-599 2007-06-21
Ubuntu USN-489-1 2007-07-19
Ubuntu USN-486-1 2007-07-17
Debian DSA-1286-1 2007-05-02
Red Hat RHSA-2007:0169-01 2007-04-30
Mandriva MDKSA-2007:078 2007-04-04
Fedora FEDORA-2007-336 2007-03-14
Fedora FEDORA-2007-335 2007-03-14

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-0007 CVE-2007-0006
Created:February 15, 2007 Updated:November 14, 2007
Description: Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash.
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Red Hat RHSA-2007:0099-02 2007-03-14
rPath rPSA-2007-0050-1 2007-03-06
Red Hat RHSA-2007:0085-01 2007-02-27
Mandriva MDKSA-2007:047 2007-02-21
Fedora FEDORA-2007-226 2007-02-13
Fedora FEDORA-2007-225 2007-02-13

Comments (1 posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:January 5, 2009
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-1861 CVE-2007-2242
Created:May 1, 2007 Updated:February 8, 2008
Description: The netlink protocol has an infinite recursion bug that allows users to cause a kernel crash. Also, the IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Alerts:
SuSE SUSE-SA:2008:006 2008-02-07
Ubuntu USN-508-1 2007-08-31
Mandriva MDKSA-2007:171 2007-08-28
Ubuntu USN-489-1 2007-07-19
Ubuntu USN-486-1 2007-07-17
SuSE SUSE-SA:2007:051 2007-09-06
Mandriva MDKSA-2007:216 2007-11-13
Red Hat RHSA-2007:0347-01 2007-05-16
Debian DSA-1289-1 2007-05-13
Foresight FLEA-2007-0016-1 2007-05-08
rPath rPSA-2007-0084-1 2007-05-01
Fedora FEDORA-2007-483 2007-05-01
Fedora FEDORA-2007-482 2007-05-01

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-0772
Created:February 23, 2007 Updated:November 14, 2007
Description: The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Ubuntu USN-451-1 2007-04-10
SuSE SUSE-SA:2007:021 2007-03-16
Mandriva MDKSA-2007:060 2006-03-09
Fedora FEDORA-2007-291 2007-03-02
Fedora FEDORA-2007-277 2007-03-02
SuSE SUSE-SA:2007:018 2007-02-27
rPath rPSA-2007-0036-1 2007-02-23

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-5749 CVE-2006-4814 CVE-2006-6106
Created:January 5, 2007 Updated:January 8, 2009
Description: A security issue has been reported in the Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c, as the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function.

The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.

Another vulnerability has been reported in the Linux kernel, caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain kernel data structures.

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
Red Hat RHSA-2009:0001-01 2009-01-08
CentOS CESA-2008:0211 2008-05-07
Red Hat RHSA-2008:0211-01 2008-05-07
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06
SuSE SUSE-SA:2007:035 2007-06-14
SuSE SUSE-SA:2007:053 2007-10-12
Ubuntu USN-416-2 2007-03-01
Ubuntu USN-416-1 2007-02-01
rPath rPSA-2007-0031-1 2007-02-09
Mandriva MDKSA-2007:040 2007-02-07
Red Hat RHSA-2007:0014-01 2007-01-30
Mandriva MDKSA-2007:025 2007-01-23
Fedora FEDORA-2007-058 2007-01-18
Mandriva MDKSA-2007:012 2006-01-12
Trustix TSLSA-2007-0002 2007-01-05

Comments (none posted)

krb5: uninitialized pointers

Package(s):krb5 CVE #(s):CVE-2006-6143 CVE-2006-3084
Created:January 10, 2007 Updated:July 7, 2010
Description: The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
Gentoo 200701-21 2007-01-24
Ubuntu USN-408-1 2007-01-15
rPath rPSA-2007-0006-1 2007-01-11
Mandriva MDKSA-2007:008 2006-01-10
SuSE SUSE-SA:2007:004 2007-01-10
OpenPKG OpenPKG-SA-2007.006 2007-01-10
Fedora FEDORA-2007-033 2007-01-09
Fedora FEDORA-2007-034 2007-01-09

Comments (1 posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some Kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-09-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

krb5: multiple vulnerabilities

Package(s):krb5 CVE #(s):CVE-2007-0956 CVE-2007-0957 CVE-2007-1216
Created:April 3, 2007 Updated:March 24, 2008
Description: A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001

Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. MIT krb5 Security Advisory 2007-002

A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. MIT krb5 Security Advisory 2007-003

Alerts:
Mandriva MDKSA-2007:077-1 2007-04-10
Foresight FLEA-2007-0008-1 2007-04-05
SuSE SUSE-SA:2007:025 2007-04-05
Mandriva MDKSA-2007:077 2006-04-04
rPath rPSA-2007-0063-1 2007-04-04
Ubuntu USN-449-1 2007-04-04
Gentoo 200704-02 2007-04-03
Fedora FEDORA-2007-409 2007-04-03
Fedora FEDORA-2007-408 2007-04-03
Debian DSA-1276-1 2007-04-03
Red Hat RHSA-2007:0095-01 2007-04-03

Comments (none posted)

ktorrent: incorrect validation

Package(s):ktorrent CVE #(s):CVE-2007-1384 CVE-2007-1385 CVE-2007-1799
Created:March 13, 2007 Updated:October 24, 2007
Description: Bryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent by torrent peers. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges.
Alerts:
Debian DSA-1373-2 2007-10-23
Debian DSA-1373-1 2007-09-11
Ubuntu USN-436-2 2007-05-18
Mandriva MDKSA-2007:095 2007-05-01
Gentoo 200705-01 2007-05-01
Slackware SSA:2007-093-02 2007-04-04
Ubuntu USN-436-1 2007-03-12

Comments (1 posted)

lftp: shell command execution

Package(s):lftp CVE #(s):CVE-2007-2348
Created:May 4, 2007 Updated:September 16, 2009
Description: mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.
Alerts:
CentOS CESA-2009:1278 2009-09-15
Red Hat RHSA-2009:1278-02 2009-09-02
rPath rPSA-2007-0085-1 2007-05-03

Comments (none posted)

lha: temporary file vulnerability

Package(s):lha CVE #(s):CVE-2007-2030
Created:June 6, 2007 Updated:June 6, 2007
Description: The lha utility creates temporary files in an insecure manner, enabling symlink race attacks.
Alerts:
Mandriva MDKSA-2007:117 2007-06-05

Comments (1 posted)

libexif: integer overflow

Package(s):libexif CVE #(s):CVE-2007-2645
Created:June 1, 2007 Updated:February 11, 2008
Description: Integer overflow in the exif_data_load_data_entry function in exif-data.c in libexif before 0.6.14 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data, involving the (1) doff or (2) s variable.
Alerts:
Debian DSA-1487-1 2008-02-08
Slackware SSA:2007-164-01 2007-06-14
Fedora FEDORA-2007-0414 2007-06-13
Fedora FEDORA-2007-548 2007-06-11
Ubuntu USN-471-1 2007-06-11
Mandriva MDKSA-2007:118 2007-06-08
Gentoo 200706-01 2007-06-05
rPath rPSA-2007-0115-1 2007-06-04
Foresight FLEA-2007-0024-1 2007-06-04
Fedora FEDORA-2007-0001 2007-06-01

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others (e.g. SPARC) it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgtop2: buffer overflow

Package(s):libgtop2 CVE #(s):CVE-2007-0235
Created:January 15, 2007 Updated:August 9, 2007
Description: The /proc parsing routines in libgtop are vulnerable to a buffer overflow. If an attacker can run a process in a specially crafted long path then trick a user into running gnome-system-monitor, arbitrary code can be executed with the user's privileges.
Alerts:
Fedora FEDORA-2007-657 2007-08-02
Red Hat RHSA-2007:0765-01 2007-08-07
Debian DSA-1255-1 2007-01-31
rPath rPSA-2007-0014-1 2007-01-23
Gentoo 200701-17 2007-01-23
Mandriva MDKSA-2007:023 2007-01-18
Ubuntu USN-407-1 2007-01-15

Comments (none posted)

libmodplug: boundary errors

Package(s):libmodplug CVE #(s):CVE-2006-4192
Created:December 11, 2006 Updated:May 4, 2011
Description: Luigi Auriemma has reported various boundary errors in load_it.cpp and a boundary error in the "CSoundFile::ReadSample()" function in sndfile.cpp. A remote attacker can entice a user to read crafted modules or ITP files, which may trigger a buffer overflow resulting in the execution of arbitrary code with the privileges of the user running the application.
Alerts:
CentOS CESA-2011:0477 2011-05-04
Red Hat RHSA-2011:0477-01 2011-05-02
Ubuntu USN-521-1 2007-09-27
Mandriva MDKSA-2007:001 2007-01-02
Gentoo 200612-04 2006-12-10

Comments (none posted)

libpng: denial of service

Package(s):libpng CVE #(s):CVE-2007-2445
Created:May 17, 2007 Updated:March 23, 2009
Description: Libpng can be crashed when processing malformed PNG files. It may also be possible to exploit this vulnerability to execute arbitrary code.
Alerts:
Debian DSA-1750-1 2009-03-22
Debian DSA-1613-1 2008-07-22
Fedora FEDORA-2008-3979 2008-05-28
Ubuntu USN-472-1 2007-06-11
Mandriva MDKSA-2007:116 2007-06-05
Gentoo 200705-24 2007-05-31
Fedora FEDORA-2007-0001 2007-06-01
Fedora FEDORA-2007-529 2007-05-24
Fedora FEDORA-2007-528 2007-05-24
Red Hat RHSA-2007:0356-01 2007-05-17
OpenPKG OpenPKG-SA-2007.013 2007-05-18
Foresight FLEA-2007-0018-1 2007-05-17
Slackware SSA:2007-136-01 2007-05-17
rPath rPSA-2007-0102-1 2007-05-16

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200812-15 2008-12-14
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
CentOS CESA-2008:0848 2008-08-30
Red Hat RHSA-2008:0848-01 2008-08-28
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

lighttpd: denial of service

Package(s):lighttpd CVE #(s):CVE-2007-1869 CVE-2007-1870
Created:April 18, 2007 Updated:June 11, 2007
Description: lighttpd 1.4.12 and 1.4.13 allow remote attackers to cause a denial of service (CPU and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption. (CVE-2007-1869)

lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference. (CVE-2007-1870)

Alerts:
Debian DSA-1303-1 2007-06-10
Gentoo 200705-07 2007-05-07
Foresight FLEA-2007-0011-1 2007-04-20
SuSE SUSE-SR:2007:007 2007-04-20
rPath rPSA-2007-0072-1 2007-04-18

Comments (none posted)

lookup-el: insecure temporary file

Package(s):lookup-el CVE #(s):CVE-2007-0237
Created:March 19, 2007 Updated:December 10, 2007
Description: Tatsuya Kinoshita discovered that Lookup, a search interface to electronic dictionaries on emacsen, creates a temporary file in an insecure fashion when the ndeb-binary feature is used, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.
Alerts:
Gentoo 200712-07 2007-12-09
Debian DSA-1269-1 2007-03-18

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

madwifi: denial of service

Package(s):madwifi CVE #(s):
Created:May 25, 2007 Updated:June 6, 2007
Description: From this Secunia advisory: "Some vulnerabilities have been reported in MadWifi, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service)."
Alerts:
Foresight FLEA-2007-0021-2 2007-05-24
Foresight FLEA-2007-0021-1 2007-05-24

Comments (none posted)

mod_jk: proxy bypass

Package(s):mod_jk CVE #(s):CVE-2007-1860
Created:May 30, 2007 Updated:March 7, 2008
Description: From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content."
Alerts:
SuSE SUSE-SR:2008:005 2008-03-06
Gentoo 200708-15 2007-08-19
Debian DSA-1312-1 2007-06-18
Red Hat RHSA-2007:0380-01 2007-05-30
Red Hat RHSA-2007:0379-01 2007-05-30

Comments (none posted)

mod_perl: denial of service

Package(s):mod_perl CVE #(s):CVE-2007-1349
Created:April 12, 2007 Updated:July 18, 2007
Description: Apache mod_perl versions 1.30 and below have a vulnerability in PerlRun.pm and RegistryCooker.pm. PATH_INFO is not properly escaped before use in a regular expression, allowing remote attackers to cause a denial of service via a specially crafted URI.
Alerts:
Ubuntu USN-488-1 2007-07-17
Red Hat RHSA-2007:0396-02 2007-06-20
Red Hat RHSA-2007:0486-01 2007-06-18
Red Hat RHSA-2007:0395-01 2007-06-14
Fedora FEDORA-2007-577 2007-06-11
Fedora FEDORA-2007-576 2007-06-11
Fedora FEDORA-2007-0316 2007-06-09
OpenPKG OpenPKG-SA-2007.011 2007-05-18
Gentoo 200705-04 2007-05-02
Mandriva MDKSA-2007:083 2007-04-11

Comments (1 posted)

moin: arbitrary JavaScript execution

Package(s):moin CVE #(s):CVE-2007-2423
Created:May 8, 2007 Updated:March 10, 2008
Description: A flaw was discovered in MoinMoin's error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.
Alerts:
Debian DSA-1514-1 2008-03-09
Ubuntu USN-458-1 2007-05-07

Comments (none posted)

mplayer: buffer overflow

Package(s):mplayer CVE #(s):CVE-2007-1246
Created:March 8, 2007 Updated:April 1, 2008
Description: MPlayer versions up to 1.0rc1 have a buffer overflow in the DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c. User-assisted remote attackers can use this to trigger the buffer overflow and possibly execute arbitrary code.
Alerts:
Debian DSA-1536-1 2008-03-31
Gentoo 200705-21 2007-05-30
Foresight FLEA-2007-0013-1 2007-04-23
Slackware SSA:2007-109-02 2007-04-20
Gentoo 200704-09 2007-04-14
Ubuntu USN-433-1 2007-03-09
Mandriva MDKSA-2007:057 2007-03-08
Mandriva MDKSA-2007:055 2007-03-08

Comments (none posted)

mydns: buffer overflows

Package(s):mydns CVE #(s):CVE-2007-2362
Created:May 23, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in MyDNS allow remote attackers to cause a denial of service (daemon crash) and possibly execution of arbitrary code.
Alerts:
Debian DSA-1434-1 2007-12-16
Debian-Testing DTSA-36-1 2007-05-22

Comments (none posted)

mysql: denial of service

Package(s):mysql CVE #(s):CVE-2007-1420
Created:March 22, 2007 Updated:May 21, 2008
Description: MySQL subselect queries using "ORDER BY" can be used by an attacker with access to a MySQL instance in order to create an intermittent denial of service.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Mandriva MDKSA-2007:139 2007-07-04
rPath rPSA-2007-0107-1 2007-05-23
Gentoo 200705-11 2007-05-08
Ubuntu USN-440-1 2007-03-21

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Red Hat RHSA-2007:0430-01 2007-06-11
Red Hat RHSA-2007:0310-02 2007-05-01
Trustix TSLSA-2006-0055 2006-10-06
rPath rPSA-2006-0176-1 2006-09-29
Mandriva MDKSA-2006:171 2006-09-28

Comments (none posted)

OpenSSH: denial of service

Package(s):openssh CVE #(s):CVE-2006-4925 CVE-2006-5052
Created:October 6, 2006 Updated:November 15, 2007
Description: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.

An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."

Alerts:
Red Hat RHSA-2007:0703-02 2007-11-15
Red Hat RHSA-2007:0540-04 2007-11-07
Fedora FEDORA-2007-394 2007-04-03
Gentoo 200611-06 2006-11-13
SuSE SUSE-SA:2006:062 2006-10-20
rPath rPSA-2006-0185-1 2006-10-05

Comments (none posted)

openssh: remote denial of service

Package(s):openssh CVE #(s):CVE-2006-4924 CVE-2006-5051
Created:September 27, 2006 Updated:September 17, 2008
Description: OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service, an unsafe signal handler, and, on portable OpenSSH, a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
Alerts:
Debian DSA-1638-1 2008-09-16
Debian DSA-1212-1 2006-11-15
Fedora FEDORA-2006-1011 2006-10-03
Debian DSA-1189-1 2006-10-04
Mandriva MDKSA-2006:179 2006-10-03
Ubuntu USN-355-1 2006-10-02
OpenPKG OpenPKG-SA-2006.022 2006-10-01
Slackware SSA:2006-272-02 2006-09-29
Red Hat RHSA-2006:0698-01 2006-09-28
Red Hat RHSA-2006:0697-01 2006-09-28
Gentoo 200609-17:02 2006-09-27
rPath rPSA-2006-0174-1 2006-09-27
Gentoo 200609-17 2006-09-27

Comments (none posted)

otrs2: code injection

Package(s):otrs2 CVE #(s):CVE-2007-2524
Created:May 30, 2007 Updated:June 8, 2007
Description: The otrs2 ticket request system fails to properly sanitize input data, allowing the injection of arbitrary code.
Alerts:
Debian DSA-1298-1 2007-05-28

Comments (3 posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2007-1001 CVE-2007-1285 CVE-2007-1718 CVE-2007-1583
Created:April 16, 2007 Updated:December 4, 2007
Description: A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285)

A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583)

A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718)

A heap based buffer overflow flaw was discovered in PHP's gd extension. A script that could be forced to process WBMP images from an untrusted source could result in arbitrary code execution. (CVE-2007-1001)

Alerts:
Ubuntu USN-549-2 2007-12-03
Ubuntu USN-549-1 2007-11-29
OpenPKG OpenPKG-SA-2007.019 2007-05-28
Fedora FEDORA-2007-526 2007-05-24
SuSE SUSE-SA:2007:032 2007-05-23
Slackware SSA:2007-127-01 2007-05-08
Debian DSA-1283-1 2007-04-29
Ubuntu USN-455-1 2007-04-27
Debian DSA-1282-1 2007-04-26
Red Hat RHSA-2007:0153-01 2007-04-20
Mandriva MDKSA-2007:090 2007-04-18
Mandriva MDKSA-2007:089 2007-04-18
Mandriva MDKSA-2007:088 2007-04-18
Mandriva MDKSA-2007:087 2007-04-18
Fedora FEDORA-2007-455 2007-04-18
rPath rPSA-2007-0073-1 2007-04-18
Fedora FEDORA-2007-415 2007-04-17
Red Hat RHSA-2007:0155-01 2007-04-16
Red Hat RHSA-2007:0154-01 2007-04-16
Red Hat RHSA-2007:0162-01 2007-04-16

Comments (none posted)

php: several vulnerabilities

Package(s):php CVE #(s):CVE-2006-4481 CVE-2006-4484 CVE-2006-4485
Created:September 8, 2006 Updated:June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).

A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).

The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

Alerts:
SuSE SUSE-SR:2008:013 2008-06-13
Mandriva MDVSA-2008:077 2008-03-26
SuSE SUSE-SR:2008:005 2008-03-06
Red Hat RHSA-2008:0146-01 2008-02-28
Fedora FEDORA-2008-1643 2008-02-13
Foresight FLEA-2008-0007-1 2008-02-11
Fedora FEDORA-2008-1122 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:038 2008-02-07
rPath rPSA-2008-0046-1 2008-02-06
Gentoo 200802-01 2008-02-06
rPath rPSA-2006-0182-1 2006-10-05
SuSE SUSE-SA:2006:052 2006-09-21
Red Hat RHSA-2006:0669-01 2006-09-21
Mandriva MDKSA-2006:162 2006-09-07

Comments (1 posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2007-2872 CVE-2007-2756
Created:June 1, 2007 Updated:January 29, 2008
Description: According to the vendor's release announcement, multiple security enhancements and fixes were included in version 5.2.3 of the PHP programming language.
Alerts:
SuSE SUSE-SA:2008:004 2008-01-29
Ubuntu USN-549-2 2007-12-03
Red Hat RHSA-2007:0891-01 2007-10-25
Ubuntu USN-549-1 2007-11-29
Red Hat RHSA-2007:0888-01 2007-10-23
Gentoo 200710-02 2007-10-07
Red Hat RHSA-2007:0889-01 2007-09-26
Fedora FEDORA-2007-709 2007-09-24
Mandriva MDKSA-2007:187 2007-09-21
Red Hat RHSA-2007:0890-02 2007-09-20
Fedora FEDORA-2007-2215 2007-09-18
rPath rPSA-2007-0188-1 2007-09-17
Slackware SSA:2007-255-03 2007-09-13
rPath rPSA-2007-0117-1 2007-06-07
Slackware SSA:2007-152-01 2007-06-04
OpenPKG OpenPKG-SA-2007.020 2007-06-01

Comments (none posted)

php: buffer overflows

Package(s):php CVE #(s):CVE-2006-5465
Created:November 3, 2006 Updated:January 18, 2010
Description: The Hardened-PHP Project discovered buffer overflows in the internal routines behind PHP's htmlentities() and htmlspecialchars() functions. Of course, the whole purpose of these functions is to be fed user input. (The overflow can only occur when UTF-8 is used.)
Alerts:
Mandriva MDVSA-2010:007 2010-01-15
SuSE SUSE-SA:2006:067 2006-11-15
rPath rPSA-2006-0205-1 2006-11-09
Red Hat RHSA-2006:0731-01 2006-11-10
Red Hat RHSA-2006:0730-01 2006-11-06
Debian DSA-1206-1 2006-11-06
Fedora FEDORA-2006-1169 2006-11-06
Fedora FEDORA-2006-1168 2006-11-06
Slackware SSA:2006-307-01 2006-11-06
OpenPKG OpenPKG-SA-2006.028 2006-11-06
Ubuntu USN-375-1 2006-11-02
Mandriva MDKSA-2006:196 2006-11-02

Comments (none posted)

php: several vulnerabilities

Package(s):php CVE #(s):CVE-2007-1864 CVE-2007-2509 CVE-2007-2510
Created:May 8, 2007 Updated:July 18, 2007
Description: A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509)

A buffer overflow flaw was found in the PHP 'soap' extension, regarding the handling of an HTTP redirect response when using the SOAP client provided by this extension with an untrusted SOAP server. No mechanism to trigger this flaw remotely is known. (CVE-2007-2510)

Alerts:
Ubuntu USN-485-1 2007-07-17
SuSE SUSE-SA:2007:044 2007-07-12
Debian DSA-1331-1 2007-07-07
Debian DSA-1330-1 2007-07-07
Gentoo 200705-19 2007-05-26
Debian-Testing DTSA-39-1 2007-05-28
Debian-Testing DTSA-40-1 2007-05-28
Ubuntu USN-462-1 2007-05-22
Debian DSA-1296-1 2007-05-21
Debian DSA-1295-1 2007-05-19
Fedora FEDORA-2007-503 2007-05-14
Mandriva MDKSA-2007:103 2007-05-10
Mandriva MDKSA-2007:102 2007-05-10
Red Hat RHSA-2007:0355-01 2007-05-10
Red Hat RHSA-2007:0349-01 2007-05-09
Red Hat RHSA-2007:0348-01 2007-05-08

Comments (none posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

php-pear: directory traversal

Package(s):php-pear CVE #(s):CVE-2007-2519
Created:June 5, 2007 Updated:June 6, 2007
Description: Directory traversal vulnerability in the installer in PEAR 1.0 through 1.5.3 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the (1) install-as attribute in the file element in package.xml 1.0 or the (2) as attribute in the install element in package.xml 2.0. NOTE: it could be argued that this does not cross privilege boundaries in typical installations, since the code being installed could perform the same actions.
Alerts:
Mandriva MDKSA-2007:110 2007-06-04

Comments (none posted)

phpwiki: remote code execution

Package(s):phpwiki CVE #(s):CVE-2007-2024 CVE-2007-2025
Created:May 17, 2007 Updated:September 12, 2007
Description: The phpwiki Upload page does not properly check the extension of a file. This can be used by a remote attacker to upload a specially crafted PHP file and execute arbitrary PHP code with the privileges of the PhpWiki user.
Alerts:
Debian DSA-1371-1 2007-09-11
Gentoo 200705-16 2007-05-17

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
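
To make the multi-byte trick concrete, here is an added example in Python; it is not code from the LWN entry or from PostgreSQL, and the attacker bytes, the choice of encodings and the small literal scanner are constructed for the example. It models a server that decodes the client's bytes in its configured encoding and then looks for a quote that ends the string literal early, and runs the same attacker input through backslash escaping and through quote doubling on a single-byte and a multi-byte server:

```python
# Added example (not code from the LWN entry or from PostgreSQL): models how a
# multi-byte client encoding defeats backslash escaping of quotes, and why
# rejecting invalid multi-byte input and escaping quotes by doubling close the
# hole. All inputs are constructed for this example.

# 0xBF is a lead byte in GBK; any byte in 0x40-0xFE (including 0x5C, the
# backslash) is accepted as its trailing byte, but 0x27 (the quote) is not.
ATTACKER_INPUT = b"\xbf' OR 1=1 --"


def backslash_escape(raw: bytes) -> bytes:
    """The old, unsafe technique: prefix backslashes and quotes with a backslash."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def double_quote_escape(raw: bytes) -> bytes:
    """The SQL-standard technique: write '' for every quote."""
    return raw.replace(b"'", b"''")


def literal_outcome(escaped: bytes, server_encoding: str, backslash_escapes: bool) -> str:
    """Decode the escaped bytes as a server using `server_encoding` would, then
    scan the characters for a quote that ends the string literal early.

    Returns 'INJECTION' (a bare quote terminated the literal), 'SAFE' (every
    quote was escaped) or 'REJECTED' (the bytes are not valid in the encoding,
    which is what a fixed server does with invalid multi-byte input)."""
    try:
        text = escaped.decode(server_encoding)
    except UnicodeDecodeError:
        return "REJECTED"
    i = 0
    while i < len(text):
        ch = text[i]
        if backslash_escapes and ch == "\\":
            i += 2                      # the backslash consumes the next character
            continue
        if ch == "'":
            if not backslash_escapes and text[i + 1:i + 2] == "'":
                i += 2                  # '' is one literal quote
                continue
            return "INJECTION"          # bare quote: the rest is SQL, not data
        i += 1
    return "SAFE"


def compare(raw: bytes) -> dict:
    """Run the attacker bytes through both escaping schemes on a single-byte
    (LATIN1) server and on a multi-byte (GBK) server."""
    return {
        ("backslash", "latin-1"): literal_outcome(backslash_escape(raw), "latin-1", True),
        ("backslash", "gbk"): literal_outcome(backslash_escape(raw), "gbk", True),
        ("doubling", "latin-1"): literal_outcome(double_quote_escape(raw), "latin-1", False),
        ("doubling", "gbk"): literal_outcome(double_quote_escape(raw), "gbk", False),
    }


if __name__ == "__main__":
    for (scheme, enc), outcome in compare(ATTACKER_INPUT).items():
        print(f"{scheme:>9} escaping on a {enc:>7} server: {outcome}")
```

On the GBK server the inserted backslash is swallowed as the trailing byte of the 0xBF character and the quote that follows is bare, so the literal ends early; on the LATIN1 server the same bytes are harmless. Doubling the quote never produces a trailing byte (0x27 is not one in GBK, SJIS or Big5), and a server that validates its input rejects the 0xBF 0x27 sequence outright. Parameterized queries sidestep the whole problem, since the data never passes through the SQL lexer at all.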
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

postgresql: privilege escalation

Package(s):postgresql CVE #(s):CVE-2007-2138
Created:April 24, 2007 Updated:June 18, 2007
Description: PostgreSQL 8.2 and all back versions are vulnerable to a privilege escalation exploit in SECURITY DEFINER functions.
Alerts:
Debian DSA-1311-1 2007-06-17
Debian DSA-1309-1 2007-06-16
Fedora FEDORA-2007-0174 2007-06-03
Fedora FEDORA-2007-565 2007-06-06
Fedora FEDORA-2007-566 2007-06-06
Gentoo 200705-12 2007-05-10
Red Hat RHSA-2007:0336-01 2007-05-08
Red Hat RHSA-2007:0337-01 2007-05-03
Ubuntu USN-454-1 2007-04-26
Trustix TSLSA-2007-0015 2007-04-27
Mandriva MDKSA-2007:094 2007-04-25
rPath rPSA-2007-0081-1 2007-04-24

Comments (none posted)

pptpd: denial of service

Package(s):pptpd CVE #(s):CVE-2007-0244
Created:May 9, 2007 Updated:September 3, 2007
Description: The PoPToP server daemon contains a bug which allows an attacker to tear down a connection through a malformed GRE packet.
Alerts:
Debian DSA-1288-2 2007-09-02
Ubuntu USN-459-2 2007-05-21
Gentoo 200705-18 2007-05-20
Ubuntu USN-459-1 2007-05-14
SuSE SUSE-SR:2007:010 2007-05-11
Debian DSA-1288-1 2007-05-08

Comments (none posted)

pulseaudio: denial of service

Package(s):pulseaudio CVE #(s):CVE-2007-1804
Created:May 30, 2007 Updated:March 10, 2008
Description: The pulseaudio network code suffers from a denial of service vulnerability exploitable by an unauthenticated attacker.
Alerts:
Mandriva MDVSA-2008:065 2008-03-09
Ubuntu USN-465-1 2007-05-25

Comments (none posted)

python: information disclosure

Package(s):python CVE #(s):CVE-2007-2052
Created:May 9, 2007 Updated:July 30, 2009
Description: Python 2.4 and 2.5 contain a bug in PyLocale_strxfrm() which could enable an attacker to read portions of unrelated memory.
Alerts:
CentOS CESA-2009:1176 2009-07-29
Red Hat RHSA-2009:1176-01 2009-07-27
Debian DSA-1620-1 2008-07-27
Debian DSA-1551-1 2008-04-19
Ubuntu USN-585-1 2008-03-11
Red Hat RHSA-2007:1076-02 2007-12-10
Red Hat RHSA-2007:1077-01 2007-12-10
Foresight FLEA-2007-0019-1 2007-05-21
rPath rPSA-2007-0104-1 2007-05-17
Mandriva MDKSA-2007:099 2007-05-08

Comments (none posted)

qemu: multiple vulnerabilities

Package(s):qemu CVE #(s):CVE-2007-1320 CVE-2007-1321 CVE-2007-1322 CVE-2007-1323 CVE-2007-1366
Created:May 1, 2007 Updated:January 19, 2009
Description: Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service.
Alerts:
Fedora FEDORA-2008-11705 2008-12-24
Fedora FEDORA-2008-10000 2008-11-22
Fedora FEDORA-2008-9556 2008-11-12
SuSE SUSE-SR:2009:002 2009-01-19
Mandriva MDVSA-2008:162 2008-08-07
Fedora FEDORA-2008-4386 2008-05-28
Fedora FEDORA-2008-4604 2008-05-28
Fedora FEDORA-2007-713 2007-10-08
Debian DSA-1384-1 2007-10-05
Fedora FEDORA-2007-2270 2007-10-03
Red Hat RHSA-2007:0323-01 2007-10-02
Debian-Testing DTSA-38-1 2007-05-26
Debian DSA-1284-1 2007-05-01

Comments (none posted)

qt: "/../" injection

Package(s):qt CVE #(s):CVE-2007-0242
Created:April 4, 2007 Updated:September 13, 2007
Description: Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not reject overlong sequences, which can cause "/../" injection or (in the case of konqueror) a "<script>" tag injection.
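
As an added example (not code from Qt, KDE or the LWN entry), the following Python models the decoder difference behind this bug. `decode_utf8` is a minimal UTF-8 decoder whose overlong-sequence check can be switched off to mimic the lenient decoder described above; `EVIL_PATH` and the byte-level "/../" filter are constructed for the example to show why a check run on the raw bytes before decoding is beaten by a decoder that accepts non-shortest forms:

```python
# Added example (not code from Qt or the LWN entry): a UTF-8 decoder with and
# without the overlong check, and a path filter that looks for "/../" in the
# raw bytes before decoding, which is the order of operations the bug exploits.

# "/../" spelled with two-byte overlong forms: 0xC0 0xAF is '/', 0xC0 0xAE is '.'
OVERLONG_DOTDOT = b"\xc0\xaf\xc0\xae\xc0\xae\xc0\xaf"
EVIL_PATH = b"/www" + OVERLONG_DOTDOT + b"etc/passwd"   # constructed for this example


def decode_utf8(data: bytes, reject_overlong: bool) -> str:
    """Minimal UTF-8 decoder. With reject_overlong=False it accepts
    non-shortest encodings, as the lenient qt3 decoder did."""
    minimum = (0, 0, 0x80, 0x800, 0x10000)   # smallest code point per sequence length
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            cp, n = lead, 1
        elif 0xC0 <= lead <= 0xDF:
            cp, n = lead & 0x1F, 2
        elif 0xE0 <= lead <= 0xEF:
            cp, n = lead & 0x0F, 3
        elif 0xF0 <= lead <= 0xF7:
            cp, n = lead & 0x07, 4
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02x} at offset {i}")
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, n):
            cont = data[i + j]
            if cont & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte at offset {i + j}")
            cp = (cp << 6) | (cont & 0x3F)
        if reject_overlong and cp < minimum[n]:
            raise ValueError(f"overlong {n}-byte sequence at offset {i}")
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"code point out of range at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)


def lenient_decode(data: bytes) -> str:
    return decode_utf8(data, reject_overlong=False)


def strict_decode(data: bytes) -> str:
    return decode_utf8(data, reject_overlong=True)


def serve(raw_path: bytes, decoder) -> str:
    """Filter on the raw bytes, then decode. Returns 'TRAVERSAL' when the
    decoded path escapes the directory, 'REJECTED' when the byte filter or
    the decoder refused the input, and 'OK' otherwise."""
    if b"/../" in raw_path:
        return "REJECTED"
    try:
        path = decoder(raw_path)
    except ValueError:
        return "REJECTED"
    return "TRAVERSAL" if "/../" in path else "OK"


if __name__ == "__main__":
    print("lenient decoder:", serve(EVIL_PATH, lenient_decode), "->", lenient_decode(EVIL_PATH))
    print("strict decoder: ", serve(EVIL_PATH, strict_decode))
```

The same lenient decoding turns 0xC0 0xBC into "<", which is the konqueror "<script>" tag injection the entry mentions. The general rule is to decode first and validate the decoded form, and to treat any non-shortest sequence as an error rather than as the character it spells.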
Alerts:
CentOS CESA-2011:1324 2011-09-22
Scientific Linux SL-qt4-20110921 2011-09-21
Red Hat RHSA-2011:1324-01 2011-09-21
Red Hat RHSA-2007:0883-01 2007-09-13
Debian DSA-1292-1 2007-05-15
SuSE SUSE-SR:2007:006 2007-04-13
Ubuntu USN-452-1 2007-04-11
Mandriva MDKSA-2007:075-1 2007-04-10
rPath rPSA-2007-0066-1 2007-04-04
Slackware SSA:2007-093-03 2007-04-04
Mandriva MDKSA-2007:075 2007-04-03
Mandriva MDKSA-2007:076 2007-04-03
Mandriva MDKSA-2007:074 2007-04-03

Comments (2 posted)

quagga: denial of service

Package(s):quagga CVE #(s):CVE-2007-1995
Created:May 2, 2007 Updated:July 3, 2007
Description: A malicious peer can cause the quagga routing daemon to crash by sending a properly crafted BGP packet.
Alerts:
Fedora FEDORA-2007-0838 2007-07-03
Fedora FEDORA-2007-525 2007-06-06
Red Hat RHSA-2007:0389-01 2007-05-30
Ubuntu USN-461-1 2007-05-17
OpenPKG OpenPKG-SA-2007.015 2007-05-18
Debian DSA-1293-1 2007-05-17
Mandriva MDKSA-2007:096 2007-05-02
Gentoo 200705-05 2007-05-02

Comments (none posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

rpm: arbitrary code execution

Package(s):rpm CVE #(s):CVE-2006-5466
Created:November 6, 2006 Updated:August 28, 2007
Description: An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Fedora FEDORA-2007-668 2007-08-27
Gentoo 200611-08 2006-11-13
Mandriva MDKSA-2006:200 2006-11-07
Ubuntu USN-378-1 2006-11-04

Comments (none posted)

Mozilla: multiple vulnerabilities

Package(s):seamonkey firefox thunderbird CVE #(s):CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 CVE-2007-0981 CVE-2007-0995 CVE-2007-0996
Created:February 26, 2007 Updated:July 23, 2007
Description: Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in SeaMonkey crashing or executing arbitrary code as the user running SeaMonkey. (CVE-2007-0775, CVE-2007-0777)

Several cross-site scripting (XSS) flaws were found in the way SeaMonkey processed certain malformed web pages. A malicious web page could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way SeaMonkey cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way SeaMonkey displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779)

Two flaws were found in the way SeaMonkey displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running SeaMonkey. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way SeaMonkey handled the "location.hostname" value during certain browser domain checks. This flaw could allow a malicious web site to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981)

Alerts:
Debian DSA-1336-1 2007-07-22
Slackware SSA:2007-085-01 2007-03-26
Gentoo 200703-22 2007-03-20
SuSE SUSE-SA:2007:022 2007-03-20
Gentoo 200703-18 2007-03-18
Red Hat RHSA-2007:0108-02 2007-03-14
Red Hat RHSA-2007:0097-02 2007-03-14
Gentoo 200703-08 2007-03-09
Slackware SSA:2007-066-03 2007-03-08
Slackware SSA:2007-066-04 2007-03-08
Slackware SSA:2007-066-05 2007-03-08
Ubuntu USN-431-1 2007-03-07
Mandriva MDKSA-2007:052 2007-03-06
SuSE SUSE-SA:2007:019 2007-03-06
Fedora FEDORA-2007-309 2007-03-05
Fedora FEDORA-2007-308 2007-03-05
rPath rPSA-2007-0040-3 2007-02-26
Gentoo 200703-05 2007-03-03
Gentoo 200703-04 2007-03-02
Mandriva MDKSA-2007:050-1 2007-03-02
Red Hat RHSA-2007:0078-01 2007-03-02
Ubuntu USN-428-2 2007-03-02
Mandriva MDKSA-2007:050 2007-02-28
Ubuntu USN-428-1 2007-02-26
Fedora FEDORA-2007-293 2007-02-27
Fedora FEDORA-2007-279 2007-02-26
Fedora FEDORA-2007-289 2007-02-26
Fedora FEDORA-2007-281 2007-02-26
Fedora FEDORA-2007-278 2007-02-26
rPath rPSA-2007-0040-1 2007-02-26
Red Hat RHSA-2007:0079-01 2007-02-23
Red Hat RHSA-2007:0077-01 2007-02-23

Comments (1 posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

snort: remote arbitrary code execution

Package(s):snort CVE #(s):CVE-2006-5276
Created:March 2, 2007 Updated:September 7, 2007
Description: The Snort intrusion detection system is vulnerable to a buffer overflow in the DCE/RPC preprocessor code. Remote attackers can send specially crafted fragmented SMB or DCE/RPC packets which can be used to allow the remote execution of arbitrary code.
Alerts:
Fedora FEDORA-2007-2060 2007-09-07
Gentoo 200703-01:02 2007-02-23
Gentoo 200703-01 2007-02-23

Comments (1 posted)

squirrelmail: missing input sanitizing

Package(s):squirrelmail CVE #(s):CVE-2007-1262
Created:May 14, 2007 Updated:June 15, 2007
Description: It was discovered that the webmail package Squirrelmail performs insufficient sanitizing inside the HTML filter, which allows the injection of arbitrary web script code during the display of HTML email messages.
Alerts:
rPath rPSA-2007-0123-1 2007-06-14
Mandriva MDKSA-2007:106 2007-05-19
Red Hat RHSA-2007:0358-01 2007-05-17
Fedora FEDORA-2007-505 2007-05-14
Debian DSA-1290-1 2007-05-13

Comments (none posted)

Sun JDK/JRE: multiple vulnerabilities

Package(s):Sun JDK/JRE CVE #(s):CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created:June 1, 2007 Updated:April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200804-20 2008-04-17
Red Hat RHSA-2007:1086-01 2007-12-12
Red Hat RHSA-2007:0817-01 2007-08-06
SuSE SUSE-SA:2007:045 2007-07-18
Gentoo 200706-08 2007-06-26
Gentoo 200705-23 2007-05-31

Comments (none posted)

tcpdump: denial of service

Package(s):tcpdump CVE #(s):CVE-2007-1218
Created:March 5, 2007 Updated:November 15, 2007
Description: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
Alerts:
Red Hat RHSA-2007:0387-02 2007-11-15
Mandriva MDKSA-2007:155 2007-08-09
Debian DSA-1272-1 2007-03-22
Fedora FEDORA-2007-348 2007-03-15
Fedora FEDORA-2007-347 2007-03-15
Mandriva MDKSA-2007:056 2007-03-08
Ubuntu USN-429-1 2007-03-06
rPath rPSA-2007-0048-1 2007-03-03

Comments (none posted)

tetex: buffer overflow

Package(s):tetex CVE #(s):CVE-2007-0650
Created:May 8, 2007 Updated:May 13, 2008
Description: A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function.
Alerts:
Gentoo 200805-13 2008-05-12
Gentoo 200709-17 2007-09-27
Mandriva MDKSA-2007:109 2007-05-23
rPath rPSA-2007-0092-1 2007-05-07

Comments (1 posted)

tomcat: directory traversal

Package(s):tomcat CVE #(s):CVE-2007-0450
Created:May 2, 2007 Updated:February 27, 2008
Description: Versions of tomcat prior to 5.5.22 do not properly filter filename separator characters, enabling information disclosure attacks.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Mandriva MDKSA-2007:241 2007-12-10
Red Hat RHSA-2007:0360-01 2007-05-24
Red Hat RHSA-2007:0328-01 2007-05-24
Fedora FEDORA-2007-514 2007-05-21
Red Hat RHSA-2007:0326-01 2007-05-21
Red Hat RHSA-2007:0327-01 2007-05-14
Gentoo 200705-03 2007-05-01

Comments (none posted)

util-linux: access restriction bypass

Package(s):util-linux CVE #(s):CVE-2006-7108
Created:May 2, 2007 Updated:June 15, 2007
Description: From the Red Hat advisory: a flaw was found in the way the login process handled logins which did not require authentication. Certain processes which conduct their own authentication could allow a remote user to bypass intended access policies which would normally be enforced by the login process.
Alerts:
rPath rPSA-2007-0126-1 2007-06-15
Mandriva MDKSA-2007:111 2007-06-04
Red Hat RHSA-2007:0235-02 2007-05-01

Comments (none posted)

vixie-cron: weak permissions may cause errors

Package(s):vixie-cron CVE #(s):CVE-2007-1856
Created:April 17, 2007 Updated:December 4, 2007
Description: During an internal audit, Raphael Marichez of the Gentoo Linux Security Team found that Vixie Cron has weak permissions set on Gentoo, allowing a local user to create hard links to system and user cron files, while an st_nlink check in database.c will generate a superfluous error.
Alerts:
Mandriva MDKSA-2007:234 2007-12-03
Red Hat RHSA-2007:0345-01 2007-05-17
Gentoo 200704-11 2007-04-16

Comments (1 posted)

wordpress: another pile of vulnerabilities

Package(s):wordpress CVE #(s):CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897
Created:May 2, 2007 Updated:July 6, 2007
Description: Wordpress suffers from another set of vulnerabilities including a couple of cross-site scripting problems, an access restrictions bypass issue, and an SQL injection vulnerability.
Alerts:
Fedora FEDORA-2007-0894 2007-07-05
Debian DSA-1285-1 2007-05-01

Comments (none posted)

wpa_supplicant: buffer overflow

Package(s):wpa_supplicant networkmanager CVE #(s):
Created:June 5, 2007 Updated:June 6, 2007
Description: A buffer overflow flaw was found in the debugging code of Fedora's version of wpa_supplicant. This can be triggered by those using NetworkManager. It is recommended that users of wpa_supplicant or NetworkManager update to this package (and the accompanying NetworkManager packages) which removes the affected debug code.
Alerts:
Fedora FEDORA-2007-0186 2007-06-04
Fedora FEDORA-2007-0185 2007-06-04

Comments (none posted)

XFree86 X.org: integer overflows

Package(s):xfree86 x.org CVE #(s):CVE-2007-1003 CVE-2007-1667 CVE-2007-1351 CVE-2007-1352
Created:April 3, 2007 Updated:August 11, 2009
Description: iDefense reported an integer overflow flaw in the XFree86 XC-MISC extension. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. (CVE-2007-1003)

iDefense reported two integer overflows in the way X.org handled various font files. A malicious local user could exploit these issues to potentially execute arbitrary code with the privileges of the X.org server. (CVE-2007-1351, CVE-2007-1352)

An integer overflow flaw was found in the XFree86 XGetPixel() function. Improper use of this function could cause an application calling it to function improperly, possibly leading to a crash or arbitrary code execution. (CVE-2007-1667)

Alerts:
Debian DSA-1858-1 2009-08-10
SuSE SUSE-SR:2008:008 2008-04-04
Debian DSA-1454-1 2008-01-07
Debian DSA-1294-1 2007-05-17
Gentoo 200705-10 2007-05-08
Gentoo 200705-06 2007-05-05
Gentoo 200705-02 2007-05-01
Ubuntu USN-453-2 2007-04-26
SuSE SUSE-SA:2007:027 2007-04-20
Slackware SSA:2007-109-01 2007-04-20
Ubuntu USN-453-1 2007-04-18
Red Hat RHSA-2007:0157-01 2007-04-16
Red Hat RHSA-2007:0150-01 2007-04-16
Mandriva MDKSA-2007:079-1 2007-04-11
Mandriva MDKSA-2007:080-1 2007-04-10
Mandriva MDKSA-2007:081-1 2007-04-10
Fedora FEDORA-2007-427 2007-04-10
Fedora FEDORA-2007-426 2007-04-10
Fedora FEDORA-2007-425 2007-04-10
Fedora FEDORA-2007-424 2007-04-10
Fedora FEDORA-2007-423 2007-04-09
Fedora FEDORA-2007-422 2007-04-09
Foresight FLEA-2007-0009-1 2007-04-05
Mandriva MDKSA-2007:080 2007-04-04
Mandriva MDKSA-2007:081 2007-04-04
Mandriva MDKSA-2007:079 2007-04-04
rPath rPSA-2007-0065-1 2007-04-04
Ubuntu USN-448-1 2007-04-03
Red Hat RHSA-2007:0132-01 2007-04-03
Red Hat RHSA-2007:0127-01 2007-04-03
Red Hat RHSA-2007:0126-01 2007-04-03
Red Hat RHSA-2007:0125-01 2007-04-03

Comments (none posted)

xine: format string vulnerabilities

Package(s):xine CVE #(s):CVE-2007-0017
Created:January 23, 2007 Updated:August 10, 2007
Description: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Alerts:
Mandriva MDKSA-2007:154 2007-08-09
Debian DSA-1252-1 2007-01-27
Mandriva MDKSA-2007:027 2007-01-26
Gentoo 200701-24 2007-01-26
SuSE SUSE-SA:2007:013 2007-01-23

Comments (none posted)

xine-lib: arbitrary code execution

Package(s):xine-lib CVE #(s):CVE-2007-1387
Created:March 13, 2007 Updated:April 1, 2008
Description: Moritz Jodeit discovered that the DirectShow loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user's privileges.
Alerts:
Debian DSA-1536-1 2008-03-31
Mandriva MDKSA-2007:062 2007-03-13
Mandriva MDKSA-2007:061 2007-03-13
Ubuntu USN-435-1 2007-03-12

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

xinit: race condition

Package(s):xinit CVE #(s):CVE-2006-5214
Created:October 17, 2006 Updated:August 9, 2007
Description: A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked.
Alerts:
Fedora FEDORA-2007-659 2007-08-08
Fedora FEDORA-2007-1409 2007-08-02
Ubuntu USN-364-1 2006-10-16

Comments (1 posted)

xmms: BMP handling vulnerability

Package(s):xmms CVE #(s):CVE-2007-0653 CVE-2007-0654
Created:March 28, 2007 Updated:July 26, 2011
Description: xmms suffers from vulnerabilities in its handling of BMP images. Should a hostile image be included in an xmms skin, it could lead to code execution on the user's system.
Alerts:
Fedora FEDORA-2011-9421 2011-07-16
Fedora FEDORA-2011-9413 2011-07-16
Debian DSA-1277-1 2007-04-04
Mandriva MDKSA-2007:071 2007-03-29
Ubuntu USN-445-1 2007-03-27

Comments (none posted)

xscreensaver: password check bypass

Package(s):xscreensaver CVE #(s):CVE-2007-1859
Created:May 2, 2007 Updated:June 13, 2007
Description: On a system which uses a remote directory service for passwords, a local attacker can crash xscreensaver by disrupting network connectivity, thus bypassing the password check and gaining access to the system.
Alerts:
Ubuntu USN-474-1 2007-06-12
Gentoo 200705-14 2007-05-13
SuSE SUSE-SR:2007:009 2007-05-04
rPath rPSA-2007-0088-1 2007-05-03
Mandriva MDKSA-2007:097 2007-05-02
Red Hat RHSA-2007:0322-01 2007-05-02

Comments (none posted)

zziplib: buffer overflow

Package(s):zziplib CVE #(s):CVE-2007-1614
Created:April 4, 2007 Updated:September 5, 2007
Description: dmcox discovered a boundary error in the zzip_open_shared_io() function from zzip/file.c. A remote attacker could entice a user to run a zziplib function with an overly long string as an argument which would trigger the buffer overflow and may lead to the execution of arbitrary code.
Alerts:
Debian-Testing DTSA-56-1 2007-09-04
Mandriva MDKSA-2007:093 2007-04-23
Gentoo 200704-05 2007-04-03

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.22-rc4. Patches continue to flow into the mainline repository; they are mostly fixes, but the ZERO_SIZE_PTR patch for the SLUB allocator has also gone in.

The current -mm tree is 2.6.22-rc4-mm2. Recent changes to -mm are almost all fixes aimed at stabilizing this tree somewhat.

The current stable 2.6 kernel is 2.6.21.5, released on June 11 with a rather long list of fixes. 2.6.21.4 was released on June 8 with a set of security fixes: "The /dev/[u]random fix is especially important for machines with no entropy source (e.g. keyboard, mice, or disk drives) and no realtime clock since successive boots could generate same output from RNG. The cpuset bug is a possible information leak when reading from /dev/cpuset/tasks (assuming cpusets support is compiled in and the cpuset fs mounted on /dev/cpuset). The SCTP bug is remotely triggerable when using SCTP conntrack."

For older kernels: 2.6.20.13 was released on June 8 with the same security fixes; it was followed by 2.6.20.14 (June 11), which contained a large assortment of patches.

2.4.34.5 was released on June 6 with a small set of fixes. The 2.4.35 process continues with 2.4.35-pre5, also released on the 6th.

Comments (none posted)

Kernel development news

Quotes of the week

The overall quality of 2.6.21 is pretty horrific. It saw the introduction of a lot of new code fundamental to the operation of the kernel (the tickless stuff for eg), massive updates to areas such as ACPI, and just to mix things up, we switched from a known-crap-but-tried-and-tested IDE system to a-bleeding-edge-but-hopefully-with-signs-of-promise libata based system. Lots of changes == lots of fallout the first time it goes into a production OS.
-- Dave Jones

What I am objecting to is this idea that many kernel developers seem to have, that if there is some aspect of the kernel/user API that becomes a bit inconvenient for the kernel to implement, then we can put the blame on the applications that rely on that aspect, call them names such as "legacy", "abuser", "conceptually buggy", "broken", etc., and ultimately justify breaking the ABI -- since it's only those applications that we have demonised that will be affected, after all.
-- Paul Mackerras

/* I'm told there are only two stories in the world worth telling: love
 * and hate.  So there used to be a love scene here like this:
 *
 *  Launcher:	We could make beautiful I/O together, you and I.
 *  Guest:	My, that's a big disk!
 *
 * Unfortunately, it was just too raunchy for our otherwise-gentle tale.
 */
-- Rusty Russell gets into literate programming

Linus on GPLv3 and ZFS

For the curious, here's a recent posting from Linus Torvalds on Sun's motivations and GPLv3. "So to Sun, a GPLv3-only release would actually let them look good, and still keep Linux from taking their interesting parts, and would allow them to take at least parts of Linux without giving anything back (ahh, the joys of license fragmentation). Of course, they know that. And yes, maybe ZFS is worthwhile enough that I'm willing to go to the effort of trying to relicense the kernel. But quite frankly, I can almost guarantee that Sun won't release ZFS under the GPLv3 even if they release other parts. Because if they did, they'd lose the patent protection."

R500 initial driver release

Support for ATI R500 graphics chipsets has been one of the biggest missing pieces from the Linux free driver collection. That has just changed with the release of an early driver for R500 chipsets written from reverse-engineered specs. The driver only does 2D for now, but 3D support is in the works. Unsurprisingly, the development team would like help in getting this driver ready for production use. This release is an important step forward; congratulations are due to the developers who have brought this work this far.

Who wrote - and approved - 2.6.22

The 2.6.22 kernel is getting closer to its final state with its official release likely to happen near the end of this month. Patches are still being added to the mainline repository, but things have stabilized enough that it makes sense to take a look at where the code came from this time around. Accordingly, your editor has fixed up his scripts and cranked through the changesets added in this kernel development cycle.

As of this writing, just over 6,000 changesets have been accepted for 2.6.22. Those patches were contributed by 885 different developers, added 494,000 lines, and deleted 241,000 other lines (without counting renames, which would otherwise increase both numbers by about 60,000 lines). That makes 2.6.22 a large change relative to its immediate predecessors:

Release       Developers  Changesets  Lines added  Lines removed
2.6.20               741        4983      286,000        160,000
2.6.21               842        5349      343,000        199,000
2.6.22-rc4+          885        6093      494,000        241,000

Here are the top contributors of those changes:

Most active 2.6.22 developers

By changesets
David S. Miller               175   3.0%
Kristian Høgsberg             109   1.9%
Stephen Hemminger              86   1.5%
Arnaldo Carvalho de Melo       82   1.4%
Andrew Morton                  79   1.3%
Stefan Richter                 79   1.3%
Christoph Lameter              77   1.3%
Patrick McHardy                76   1.3%
Jean Delvare                   75   1.3%
Dmitry Torokhov                70   1.2%
Stephen Rothwell               68   1.2%
Paul Mundt                     66   1.1%
David Brownell                 65   1.1%
Jeff Dike                      63   1.1%
Alan Cox                       60   1.0%
Andi Kleen                     59   1.0%
Antonino Daplas                58   1.0%
Adrian Bunk                    58   1.0%
Tejun Heo                      57   1.0%
Russell King                   57   1.0%

By changed lines
Bryan Wu                    77594  12.9%
David Howells               23310   3.9%
Marcelo Tosatti             22351   3.7%
Patrick McHardy             21746   3.6%
Jiri Benc                   18328   3.0%
Hans Verkuil                13683   2.3%
David S. Miller             13595   2.3%
Roland Dreier               12247   2.0%
Artem B. Bityutskiy         12065   2.0%
Kristian Høgsberg           11153   1.9%
Robert P. J. Day             7554   1.3%
Christoph Lameter            7378   1.2%
Andrew Victor                6638   1.1%
Mike Frysinger               6313   1.0%
David Brownell               6033   1.0%
Michael Chan                 5851   1.0%
Andi Kleen                   5431   0.9%
David Gibson                 5321   0.9%
Nobuhiro Iwamatsu            5296   0.9%
Mark Fasheh                  4921   0.8%

Bryan Wu makes it to the top of the list of contributors (by lines changed) by virtue of being the person to contribute support for the Blackfin architecture. David Howells contributed the AF_RXRPC and AFS filesystem work; Marcelo Tosatti wrote the OLPC "Libertas" wireless driver, and Jiri Benc's name appears on the mac80211 stack.

When broken down by employer, the (approximate, as always) numbers come out like this:

Most active 2.6.22 employers

By changesets
(Unknown)                    1766  30.2%
Red Hat                       720  12.3%
IBM                           601  10.3%
Novell                        411   7.0%
(None)                        245   4.2%
Intel                         203   3.5%
Oracle                        127   2.2%
(Consultant)                  119   2.0%
Linux Foundation              116   2.0%
Google                        111   1.9%
SGI                            93   1.6%
Nokia                          83   1.4%
Freescale                      80   1.4%
Astaro                         76   1.3%
XenSource                      56   1.0%
MontaVista                     56   1.0%
Qumranet                       55   0.9%
HP                             53   0.9%
QLogic                         52   0.9%
Analog Devices                 49   0.8%

By lines changed
(Unknown)                  130164  21.6%
Red Hat                    104627  17.4%
Analog Devices              84561  14.0%
Novell                      41366   6.9%
IBM                         33629   5.6%
Astaro                      22065   3.7%
(None)                      20097   3.3%
(Consultant)                15403   2.6%
Linutronix                  13585   2.3%
Intel                       12288   2.0%
Cisco                       12280   2.0%
Oracle                      10482   1.7%
Freescale                   10116   1.7%
SGI                          8639   1.4%
Nokia                        7328   1.2%
SANPeople                    7045   1.2%
Broadcom                     5952   1.0%
MontaVista                   5810   1.0%
Linux Foundation             5746   1.0%
Atmel                        5220   0.9%

One thing which jumps out here is that the amount of code contributed by developers known to be working on their own time has dropped; 2.6.22 will be one of the most corporate kernels yet.

Looking at the developers who put Signed-off-by lines onto patches yields some interesting results. If one tabulates all 12,678 signoffs in 2.6.22, the results look like this:

Developers with the most signoffs (total 12678)
Andrew Morton                1415  11.2%
Linus Torvalds               1299  10.2%
David S. Miller               814   6.4%
Paul Mackerras                381   3.0%
Jeff Garzik                   344   2.7%
Andi Kleen                    252   2.0%
Greg Kroah-Hartman            236   1.9%
Mauro Carvalho Chehab         236   1.9%
Stefan Richter                210   1.7%
Russell King                  189   1.5%
James Bottomley               176   1.4%
Jaroslav Kysela               145   1.1%
Takashi Iwai                  131   1.0%
Len Brown                     126   1.0%
Kristian Høgsberg             126   1.0%
Patrick McHardy               117   0.9%
Jean Delvare                  110   0.9%
Roland Dreier                 109   0.9%
Antonino Daplas               106   0.8%
Dmitry Torokhov               105   0.8%

All authors must sign off on their code. Additionally, any maintainer who passes a patch up toward the mainline adds a signoff indicating that he or she believes the code is legitimate and suitable for inclusion. If one excludes signoffs by the author of each patch, the remaining 7,000 signoffs are (almost) all by people through whom the code has passed (a few of them are by additional authors of the patch). Those adding non-author signoffs can thus be thought of as the gatekeepers through whom each patch must pass. Non-author signoffs break down like this:

Non-author signoffs (total 7028)
Andrew Morton                1336  19.0%
Linus Torvalds               1279  18.2%
David S. Miller               640   9.1%
Paul Mackerras                371   5.3%
Jeff Garzik                   322   4.6%
Greg Kroah-Hartman            222   3.2%
Mauro Carvalho Chehab         216   3.1%
Andi Kleen                    193   2.7%
James Bottomley               163   2.3%
Jaroslav Kysela               142   2.0%
Russell King                  132   1.9%
Stefan Richter                131   1.9%
Len Brown                     115   1.6%
John W. Linville               85   1.2%
Roland Dreier                  85   1.2%
Takashi Iwai                   79   1.1%
Martin Schwidefsky             54   0.8%
David Woodhouse                53   0.8%
Ralf Baechle                   48   0.7%
Antonino Daplas                48   0.7%

In summary, 80% of the patches merged into the mainline kernel passed through the twenty developers listed above. One can take another step, and look at the number of non-author signoffs by employer:

Non-author signoffs by employer
Google                       1338  19.0%
Linux Foundation             1281  18.2%
Red Hat                      1246  17.7%
Novell                        700  10.0%
(Unknown)                     660   9.4%
IBM                           553   7.9%
(None)                        293   4.2%
Intel                         193   2.7%
SteelEye                      163   2.3%
Cisco                          85   1.2%
MIPS Technologies              48   0.7%
Nokia                          42   0.6%
Astaro                         41   0.6%
Analog Devices                 35   0.5%
QLogic                         35   0.5%
Cendio                         32   0.5%
SGI                            28   0.4%
NetApp                         28   0.4%
(Consultant)                   23   0.3%
Oracle                         22   0.3%

The bottom line: while Linux kernel development is a highly distributed activity, the work of several hundred developers is channeled through a surprisingly small number of individuals, and an even smaller number of companies on its way into the mainline.
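The tabulation behind these tables can be reproduced with a short script; the one below is an added example, not LWN's own scripts (which are not on this page). It reads `git log --numstat`-style text, counts changesets and changed lines per author, separates each patch's mandatory author signoff from the gatekeeper signoffs that follow it, and maps signers to employers by e-mail domain; the log excerpt, names and domain map are constructed, and "lines changed" is taken as added plus removed.

```python
"""Tabulate changeset authors, signoffs and employers from a git log."""
import re
from collections import Counter

# Constructed sample log in `git log --numstat` style (two changesets); the
# names, addresses and domains are made up for this example.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Alice Example <alice@example-corp.com>

    net: constructed example change

    Signed-off-by: Alice Example <alice@example-corp.com>
    Signed-off-by: Dave Maintainer <dave@example-corp.com>
    Signed-off-by: Top Merger <top@example.org>

10      2       net/foo.c
3       0       net/bar.c

commit 2222222222222222222222222222222222222222
Author: Bob Hobbyist <bob@example.net>

    fs: another constructed change

    Signed-off-by: Bob Hobbyist <bob@example.net>
    Signed-off-by: Top Merger <top@example.org>

7       7       fs/baz.c
"""

# Constructed e-mail-domain to employer map; as the article says, such a
# mapping is approximate.  Unmapped domains are reported as "(Unknown)".
EMPLOYER_BY_DOMAIN = {
    "example-corp.com": "Example Corp",
    "example.org": "Example Foundation",
}

AUTHOR_RE = re.compile(r"^Author:\s*(.+?)\s*<([^>]+)>", re.M)
SIGNOFF_RE = re.compile(r"^\s*Signed-off-by:\s*(.+?)\s*<([^>]+)>", re.M)
NUMSTAT_RE = re.compile(r"^(\d+)\s+(\d+)\s+\S", re.M)  # "added removed path", tabs or spaces


def employer_of(email):
    """Map an e-mail address to an employer by its domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    return EMPLOYER_BY_DOMAIN.get(domain, "(Unknown)")


def parse_commits(log_text):
    """Yield (author, author_email, [(signer, signer_email), ...], added, removed)."""
    for chunk in re.split(r"^commit [0-9a-f]{40}$", log_text, flags=re.M):
        m = AUTHOR_RE.search(chunk)
        if not m:
            continue  # text before the first commit header
        stats = NUMSTAT_RE.findall(chunk)
        added = sum(int(a) for a, _ in stats)
        removed = sum(int(r) for _, r in stats)
        yield m.group(1), m.group(2), SIGNOFF_RE.findall(chunk), added, removed


def tabulate(log_text):
    """Build the counters behind the article's tables."""
    keys = ("changesets", "lines", "signoffs", "nonauthor", "nonauthor_employer")
    t = {k: Counter() for k in keys}
    for name, email, signoffs, added, removed in parse_commits(log_text):
        t["changesets"][name] += 1
        t["lines"][name] += added + removed  # lines changed = added + removed (assumption)
        for s_name, s_email in signoffs:
            t["signoffs"][s_name] += 1
            # The author's own signoff is mandatory; every other signoff marks a
            # gatekeeper the patch passed through on its way to the mainline.
            if s_email.lower() != email.lower():
                t["nonauthor"][s_name] += 1
                t["nonauthor_employer"][employer_of(s_email)] += 1
    return t


def report(counter, top=20):
    """Render a counter as 'name  count  percent' rows, like the article's tables."""
    total = sum(counter.values())
    return "\n".join(f"{name:<24}{n:>6}{100.0 * n / total:6.1f}%"
                     for name, n in counter.most_common(top))


if __name__ == "__main__":
    t = tabulate(SAMPLE_LOG)
    print("Non-author signoffs (total %d)" % sum(t["nonauthor"].values()))
    print(report(t["nonauthor"]))
    print("\nNon-author signoffs by employer")
    print(report(t["nonauthor_employer"]))
```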

More fun with file descriptors

In last week's episode, the kernel developers were considering the addition of a couple of flags to the open() system call; these flags would allow applications to select previously unavailable features like the non-sequential file descriptor range or immediate close-on-exec behavior. The problem that comes up quickly is that open() is just one of many system calls which creates file descriptors; most of the others do not have a parameter which allows an application to pass a set of accompanying flags. So it is not possible to request, for example, the non-sequential behavior when obtaining a file descriptor with socket(), pipe(), epoll_create(), timerfd(), signalfd(), accept(), and so on.

In the second version of the non-sequential file descriptor patch, Davide Libenzi attempted to address part of the problem by adding a socket2() system call with an added "flags" parameter. That was enough to frighten a number of developers; nobody really wants to see a big expansion of the system call list resulting from the addition of variations on all the file-descriptor-creating calls. Another approach, it seems, is required, but finding that approach is not entirely easy.

One possibility is to simply ignore the problem; not everybody is sold on the need for non-sequential file descriptors or immediate close-on-exec behavior. There are enough people who see a problem here to motivate some sort of solution, though. Ulrich Drepper, the glibc maintainer, has seen enough applications to conclude that the issue is real.

An alternative, suggested by Alan Cox, is to create a process state flag which controls the use of these features. So a call like:

    prctl(PR_SPARSEFD, 1);

would turn on non-sequential file descriptor allocation for all system calls made by the calling process. The problem here is that the lowest-available-descriptor behavior is a documented part of the POSIX binary interface. A process could waive that guarantee for itself, but it will always be hard to know that all libraries used by that process are safe in the absence of that behavior. One library might want to use non-sequential file descriptors, but that library cannot safely turn them on for the whole process without risking the creation of difficult bugs in obscure situations. It has been suggested that linker tricks could be used to avoid bringing in older libraries, but Ulrich feels that people would respond by simply recompiling the older libraries and the potential bugs would remain.

Linus came into the discussion with a statement that neither adding a bunch of new system calls nor the global flag was acceptable. Instead, he came up with a completely different idea: create a mechanism which allows a single system call to be invoked with a specific set of flags. His proposed interface is:

    int syscall_indirect(unsigned long flags, sigset_t sigmask,
                         int syscall, unsigned long args[6]);

The result would be a call to the given system call with the requested arguments. For the duration of the call, the given flags would be in effect, and signals in sigmask would be blocked. Even before adding any flags, this mechanism could be used to implement the series of system calls (pselect(), for example) which exist only to apply a signal mask to an earlier version of the call. Then the non-sequential file descriptor and close-on-exec behavior could be requested via the flags argument. Beyond that, flags could be added to control the handling of symbolic links, and various other things. Matt Mackall suggested that the "syslet" mechanism could be implemented as a "run this call asynchronously" flag.

This approach is not without its potential problems. There are worries that the flags bits could be quickly exhausted, once again making it hard to add options to existing system calls. Linus suggests overloading the flag bits as a way of making them last longer. That approach risks problems if application developers attempt to apply the wrong flags for a given system call - there would be no automatic way of catching such errors - but it is unlikely that applications would be calling syscall_indirect() themselves, so this risk is relatively small. It is appropriate to worry about whether any conceivable, sensible behavior modification is covered by this interface, or whether it needs a different set of parameters. And one might well wonder whether, some years from now, a large percentage of system calls will be made via syscall_indirect().

This new system call suffers from one other shortcoming as well: there is currently no working implementation. That will likely change at some point, leading to a wider discussion of the proposed interface. If it still seems like a good idea, we might just have a way of adding new behavior to old functions without an explosion in the number of system calls. Sometimes, perhaps, it really is true that problems in computer science are best solved through the addition of another level of indirection.

KHB: Real-world disk failure rates: surprises, surprises, and more surprises

June 12, 2007

This article was contributed by Valerie Henson

At this year's USENIX File Systems and Storage Technology Conference, we were treated to two papers studying failure rates in disk populations numbering over 100,000. These kinds of data sets are hard to get - first you have to have 100,000 disks, then you have to record failure-related data faithfully for years on end, and then you have to release the data in a form that doesn't get anyone sued. The storage community has salivated after this kind of real-world data for years, and now we have not one, but two (!) long-term studies of disk failure rates. The conference hall was packed during these two presentations. When the talks were done, we stumbled out into the hallway, dazed and excited by the many surprising results. Heat is negatively correlated with failure! Failures show short AND long-term correlation! SMART errors do mean the drive is more likely to fail, but a third of drives die with no warning at all! The size of the data sets, the quality of analysis, and the non-intuitive results win these two papers a place on the Kernel Hacker's Bookshelf.

The first paper (and winner of Best Paper), was Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?, by Bianca Schroeder and Garth Gibson. They reviewed failure data from a collection of 100,000 disks, over a period of up to 5 years. The disks were part of a variety of HPC clusters and an Internet service provider. Disk failure was defined as the disk being replaced. The date of replacement was also used as the date of the failure, since determining exactly when a disk failed was not possible.

Their first major result was that the real-world annualized failure rate (average percentage of disks failing per year) was much higher than the manufacturer's estimate - an average of 3% vs. the estimated 0.5 - 0.9%. Disk manufacturers obviously can't test disks for a year before shipping them, so they stress test disks in high-temperature, high-vibration, high-workload environments, and use data from previous models to estimate MTTF. Only one set of disks had a real-world failure rate less than the estimated failure rate, and one set of disks had a 13.5% annualized failure rate!

More surprisingly, they found no correlation between failure rate and disk type - SCSI, SATA, or Fibre Channel. The most reliable disk set was composed of only SATA drives, which are commonly regarded as less reliable than SCSI or Fibre Channel.

In another surprise, they debunked the "bathtub model" of disk failure rates. In this theory, disks experience a higher "infant mortality" initial rate of failure, then settle down for a few years of low failure rate, and then begin to wear out and fail. The graph of the probability vs. time looks like a bathtub, flat in the middle and sloping up at the ends. Instead, the real-world failure rate began low and steadily increased over the years. Disks don't have a sweet spot of low failure rate.

Failures within a batch of disks were strongly correlated over both short and long time periods. If a disk had failed in a batch, then there was a significant probability of a second failure up to at least 2 years later. If one disk in your batch has just gone, you are more likely to have another disk failure in the same batch. Scary news for RAID arrays with disks from the same batch. A recent paper in the 2006 Storage Security and Survivability Workshop, Using Device Diversity to Protect Data against Batch-Correlated Disk Failures, by Jehan-François Pâris and Darrell D. E. Long, calculated the increase in RAID reliability from mixing batches of disks. Using more than one kind of disk increases costs, but with the combination of data from these two papers, RAID users can calculate the value of the extra reliability and make the most economical decision.

The second paper, Failure Trends in a Large Disk Drive Population, by Eduardo Pinheiro, Wolf-Dietrich Weber and Luiz André Barroso, reports on disk failure rates at Google. They used a Google tool for recording system health parameters and many other staples of Google software (Mapreduce, Bigtable, etc.) to collect and analyze the data. They focused on SMART statistics - the built-in disk drive monitoring in many modern disk drives, which records statistics about scan errors and blocks relocated.

The first result agrees with the first paper: the annualized failure rate was much higher than estimated, between 1.7% and 8.6%. They next looked for correlation between failure rate and drive utilization (as estimated by the amount of data read or written to the drive). They found a much weaker correlation between higher utilization and failure rate than expected, with low utilization disks often having higher failure rates than medium utilization disks, and, in the case of the 3-year-old vintage of disks, higher than the high utilization group.

Now for the most surprising result. In Google's population of cheap ATA disks, high temperature was negatively correlated with failure! In the authors' words:

In fact, there is a clear trend showing that lower temperatures are associated with higher failure rates. Only at very high temperatures is there a slight reversal of this trend.

This correlation held true over a temperature range of 17-55 C. Only in the 3-year-old disk population was there a correlation between high temperatures and failure rates. My completely unsupported and untested hypothesis is that drive manufacturers stress test their drives in high temperature environments to simulate longer wear. Perhaps they have unwittingly designed drives that work better in their high-temperature test environment at the expense of a more typical low-temperature field environment.

Finally, they looked at the SMART data gathered from the drives. Overall, any kind of SMART error correlated strongly with disk failure. A scan error occurs when the disk checks data in the background, reading the entire disk. Within 8 months of the first scan error, about 30% of drives would fail completely. A reallocation error occurs when a block can't be written, and the block is reassigned to another location on disk. A reallocation error resulted in about 15% of affected drives failing within 8 months. On the other hand, 36% of the drives that failed had no warning whatsoever, either from SMART errors or from exceptionally high temperatures.

For Google's purposes, the predictive power of SMART is of limited utility. Replacing every disk that had a SMART error would, about 70% of the time, replace a good disk that would have run for years to come. For Google, this isn't cost-effective, since all their data is replicated several times. But for an individual user for whom losing their disk is a disaster, replacing the disk at the first sign of a SMART error makes eminent sense. I have personally had two laptop drives start spitting SMART errors in time to get my data off the disk before it died completely.
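As an added example (not code from the paper or from LWN), here is that "replace at the first SMART error" policy applied to the attribute table printed by `smartctl -A`: it flags any drive reporting reallocated sectors or pending/uncorrectable sectors, the public attributes closest to the paper's reallocation and scan errors, and also honors the firmware's own value-below-threshold verdict. The output for the two drives is constructed; attribute IDs 5, 196, 197, 198 and 194 are the conventional ATA ones.

```python
"""Triage drives by the SMART precursors the Google study tied to failure."""
import re

# Conventional ATA SMART attribute IDs for the two error classes the paper
# singles out: sectors that had to be relocated, and sectors the drive could
# not read (the nearest public counterpart of its internal "scan errors").
PRECURSOR_ATTRIBUTES = {
    5: "Reallocated_Sector_Ct",
    196: "Reallocated_Event_Count",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
}

# Constructed `smartctl -A` output for two drives: one clean, one that has
# started relocating sectors and has unreadable sectors pending.
SAMPLE_CLEAN = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       123456789
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
194 Temperature_Celsius     0x0022   038   045   000    Old_age   Always       -       38 (Min/Max 20/45)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

SAMPLE_AILING = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   091   091   010    Pre-fail  Always       -       212
194 Temperature_Celsius     0x0022   041   052   000    Old_age   Always       -       41 (Min/Max 19/52)
196 Reallocated_Event_Count 0x0032   091   091   000    Old_age   Always       -       212
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       16
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

# One attribute row: id, name, flag, value, worst, thresh, type, updated,
# when_failed, then the raw value (only its first token is kept).
ATTR_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_attributes(text):
    """Return {attribute_id: fields} for every attribute row in the output."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # header and informational lines
        raw_token = m.group(10)
        attrs[int(m.group(1))] = {
            "name": m.group(2),
            "value": int(m.group(4)),
            "thresh": int(m.group(6)),
            "when_failed": m.group(9),
            "raw": int(raw_token) if raw_token.isdigit() else None,
        }
    return attrs


def triage(text):
    """Apply a 'replace at the first SMART precursor' policy to one drive."""
    attrs = parse_attributes(text)
    reasons = []
    for attr_id, name in PRECURSOR_ATTRIBUTES.items():
        a = attrs.get(attr_id)
        if a and a["raw"]:  # any non-zero count is treated as a warning
            reasons.append(f"{name} raw={a['raw']}")
    for a in attrs.values():
        # The firmware's own verdict: already failed, or normalized value at
        # or below its threshold (a threshold of 0 means "informational").
        if a["when_failed"] != "-":
            reasons.append(f"{a['name']} when_failed={a['when_failed']}")
        elif a["thresh"] and a["value"] <= a["thresh"]:
            reasons.append(f"{a['name']} value={a['value']} thresh={a['thresh']}")
    temp = attrs.get(194, {}).get("raw")  # reported only; the paper found it a poor signal
    return {"replace": bool(reasons), "reasons": reasons, "temperature_c": temp}


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("ailing", SAMPLE_AILING)):
        verdict = triage(text)
        print(label, "replace" if verdict["replace"] else "keep",
              f"{verdict['temperature_c']} C", "; ".join(verdict["reasons"]))
```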

Overall, these are two exciting papers with long-awaited real-world failure data on large disk populations. We should expect to see more publications analyzing these data sets in the years to come.

Valerie Henson is a Linux file systems consultant specializing in file system check and repair.

Page editor: Jonathan Corbet

Distributions

News and Editorials

A new APT for Debian Sid

APT is also known as the Advanced Packaging Tool. Wikipedia describes APT as a package management front-end, but then notes:

There is no single "apt" program as such; APT is a C++ library of functions (known as libapt) which are used by front-end programs for dealing with packages, such as apt-get and apt-cache. They are commonly used in examples due to their simplicity and ubiquity; apt-get and apt-cache are of "important" priority in all current Debian releases, and are therefore installed in a default Debian installation. Several other front-ends to APT exist, which provide more advanced installation functions and more intuitive interfaces.

APT is both a front-end for dpkg and the underpinning for more advanced front-end tools like Synaptic and aptitude. APT is often described as one of the best things about Debian.

A new version of APT was uploaded to Sid (Debian's unstable branch) last weekend. Version 0.7.2 is a big merge of the version in debian/experimental and the version in Ubuntu. It's an ABI breaker, meaning that until all the packages depending on libapt are rebuilt, Sid will be very unstable. By now, though, Sid should be settling back down.

The new APT contains translated package descriptions, support for the new dpkg "Breaks" field, apt-https support (based on libcurl), automatic removal of unused dependencies (moved into libapt), automatic installation of Recommends (as aptitude already does), and support for unattended installation of security upgrades.

Michael Vogt notes that the automatic removal of unused dependencies is a long-standing feature request for synaptic, so having it integrated into libapt will be of great benefit there and for other apt front-ends.

The automatic installation of recommended packages is currently off by default, although that will change at some point in the future. Joey Hess notes several places where the Debian installer will have to change to support this feature, and there are likely other places within Debian where changes will need to be made. It would be nice to see this properly implemented and integrated throughout Lenny.

Apt development has been moved to the bazaar-ng (bzr) revision control system; the APT Development Wiki Page is the best place to track that development.

New Releases

Ubuntu Tribe 1 released

Ubuntu Gutsy Gibbon Tribe 1 has been released. "Tribe 1 is the first in a series of milestone CD images that will be released throughout the Gutsy development cycle. The Tribe images are known to be reasonably free of showstopper CD build or installer bugs, while representing a very recent snapshot of Gutsy."

Distribution News

Fedora Board Elections

Max Spevack reports: "We are due for our first round of Fedora Board elections. There have been some threads recently on fedora-advisory-board that have been working to clarify what the Board's role should be as it goes into its next term." Three of the nine seats are open for election in this iteration; the process is similar to other Fedora elections, and anyone who is a Fedora contributor (regardless of where they are employed) may run and vote.

New mailing list and forum for 64 Studio users

The 64 Studio distribution has a new forum and a new mailing list for user questions and general discussion.

End of Fedora Legacy mirror at Iowa State

The Fedora Legacy mirror at Iowa State will be shutting down on July 1, 2007. "Max Spevack announced last month that Fedora Core 5's end of life would be June 29th. That gives us a good milestone for removing our Fedora Legacy mirror. Traffic was high for two months after the announcement of Fedora Legacy's demise but has dwindled since April. So, beginning July 1, 2007, Iowa State will no longer offer a mirror of Fedora Legacy. Grab what you would like between now and then." The ATrpms.net mirror will also be shutting down soon.

New High-Performance Linux Distro for Security and Monitoring

nPulse Networks has announced it will release a new Linux distribution in August. Catapulta borrows from Debian and Ubuntu and is designed for network monitoring and security applications. From this summary page: "A key to the project was the substantial tuning required to common Linux distributions to achieve high packet throughput. nPulse eventually built its own custom distribution, named "Catapulta" which it is now placing in the public domain for general usage, and in the expectation of drawing on-going contributions from a user community to continue to enhance the distro."

New Distributions

Granular Linux

Granular Linux aims to be an easy-to-use desktop distribution for both new and experienced Linux users. It's based on PCLinuxOS and features easy switching between the KDE and XFCE desktop environments. Granular 0.90 is available as a test release. See the announcement for details.

Karoshi

Karoshi is a server operating system designed for schools. Karoshi is based on PCLinuxOS and it provides a simple graphical interface that allows easy installation, setup and maintenance of your network. The latest version is 5.1.3 (announcement).

linuX-gamers.net live DVD

linuX-gamers.net has announced the first public release (v0.9) of a live DVD for gamers. The DVD contains Nexuiz, Warsow, Glest, Torcs and much more.

Distribution Newsletters

Fedora Weekly News Issue 91

The Fedora Weekly News for June 9, 2007 looks at Cooperative Bug Isolation for Fedora 7, OLPC: Mesh Networking Overview in Red Hat Magazine, Fedora for ARM and cross compilation, Innovation in virtualization management tools, Fedora 7 reviews, Community Control And Documentation Of New Workflows, Fedora On ARM Architecture Opens Up Cross-Compilation Discussion, A World Of Hurt: Making F7 Install CD Set From DVD Using FC6 Pungi, Splitting Terminfo Out Of The ncurses RPM, Eliminating Unwanted RPM Dependencies And Statically-linked Binaries, F7 Images For Mass Production, Exploding Trees and SCM, Why Emacs Is Not Installed By Default, Metalink: A New Way Of Distributing Fedora ISOs?, Quick Notes On Update Image Installer And F8 Desiderata, and several other topics.

Ubuntu Weekly News: Issue #44

The Ubuntu Weekly News for June 9, 2007 covers the release of Gutsy Tribe 1, newly approved MOTU Lionel Porcheron, upcoming Ubuntu Hug Day, the new Launchpad release, an interview with Mark Shuttleworth, an Ubucon held by the Colorado LoCo at Google offices, and much much more.

DistroWatch Weekly, Issue 206

The DistroWatch Weekly for June 11, 2007 is out. "This week marks the start of a slower season on the distribution release calendar; all major new versions are now out and many users have been enjoying their newly updated Linux desktops. But is there still anything exciting going on the distro scene? You bet! This week's DistroWatch Weekly asks the readers to comment on their "distro hopping" habits, reports about Linux Format's annual distribution mega-test, links to an open source software article in The Economist, and reports about the new linuX-gamers live DVD. Finally, don't miss your chance to suggest new packages to be tracked after the upcoming DistroWatch's package database update later this month."

Newsletters and articles of interest

HP's LinuxCOE turns 4.0, enables DIY Linux distros (Linux-Watch)

Linux-Watch looks at LinuxCOE 4.0, which was announced last May. "If you want to give LinuxCOE a try, you can use it to install a Linux system by visiting the Instalinux website. For the source code and documentation visit the LinuxCOE site."

Pepper, Ubuntu Linux developers make plans to shrink (NetworkWorld.com)

NetworkWorld.com looks at another contender for Intel's Mobile Internet Device platform, Pepper Linux. "Pepper Linux, which runs on the slick Pepper Pad Internet browsing appliance, will be ported to Intel's MID platform, with the software being available this fall to equipment makers."

Taking OpenSolaris for a spin (Linux-Watch)

Linux-Watch takes a look at Open Solaris. "If you're like most Linux users, you've heard of OpenSolaris, but I'm willing to bet you've never tried it. One reason, as former Debian co-founder and now Sun Chief Operating Platforms Officer Ian Murdock explained, is that OpenSolaris doesn't come as a packaged operating system like Linux does."

Installing Xen On CentOS 5.0 (i386)

HowtoForge has a tutorial on installing Xen on CentOS 5.0 (i386). "Xen lets you create guest operating systems (*nix operating systems like Linux and FreeBSD), so called "virtual machines" or domUs, under a host operating system (dom0). Using Xen you can separate your applications into different virtual machines that are totally independent from each other (e.g. a virtual machine for a mail server, a virtual machine for a high-traffic web site, another virtual machine that serves your customers' web sites, a virtual machine for DNS, etc.), but still use the same hardware. This saves money, and what is even more important, it's more secure. If the virtual machine of your DNS server gets hacked, it has no effect on your other virtual machines. Plus, you can move virtual machines from one Xen server to the next one."

Distribution reviews

Alternative GUIs: SymphonyOS (TuxMachines)

TuxMachines takes a look at Symphony OS. "The SymphonyOS desktop (named "mezzo") seems to be a marriage of the fvwm window manager with Mozilla's scriptable layout engine, Gecko. On the desktop, there are areas with links in them (known as "desklets" and "launchers"). When clicked, the links can bring up Web pages or programs. In the four corners of the desktop, there are hotspots that bring up what are referred to as "menus," which are actually full-page views of four specific functional areas: Computer (settings); Files; Programs; and Trash. In the top center of the main page, there's a hotspot containing the clock, that also works as the way to refresh the desktop after the desktop background image has been changed through SymphonyOS' Desktop Manager."

Granular Linux - What Am I Missing? (TuxMachines)

TuxMachines reviews Granular Linux. "Granular Linux is a Linux distribution based on PCLinuxOS and features the XFCE4 and KDE desktops. It appears to have been in development since about the beginning of 2007 and has had one previous release. The developers of Granular have recently released a test of their upcoming .90 and I thought I'd see what it offered."

Page editor: Rebecca Sobol

Development

Collections in the XMMS2 music player

June 13, 2007

This article was contributed by Sébastien Cevey

The number of music players on Linux has been steadily increasing lately, but while these projects have been getting more and more polished, we have yet to see revolutionary improvements in terms of user experience. Indeed, the trend has been to borrow as many features as possible from other projects, rather than questioning the reasons behind their design.

This article describes XMMS2's attempt to address long-standing limitations of music players, through its new support for Collections.

Design Rationale

I have been concerned with the state of music players for a long time. Two years ago, I wrote a Manifesto for a Better Music Player. Although my ideas have evolved since then, the general conclusions of that article still hold.

One important argument I made is that the design of a music player should focus on the users' needs, rather than on a list of well-known features. All the traditional features (playlist, media library, cover browsing, etc) and hacks (play queue, random mode, etc) stem from the needs users have for:

  • playing music non-linearly
  • searching for specific media
  • browsing their media library
  • organizing their music

Non-linear playback was first introduced in a crude form as the "random mode", directly inspired from legacy CD players. iTunes later popularized its "Party Shuffle" mode, which solved the unpredictability of playback by maintaining a queue of randomly selected songs. What we are still waiting for, though, is a smarter mode that would also take into account beat, artist similarity, or other semantic information.

Music players that are based on a media library typically provide a search feature. Unfortunately, the power of the search function is often hindered by annoyingly complex forms used to choose the fields to query. Few developers seem to have noticed the success of Google's search interface: minimalistic, but enriched by rating heuristics and a rich syntax for advanced users.

The other axis required by our ever-growing music libraries is browsing. Media library browsing is always present in some form, although mostly simplistic and uninspired. When they are not cloning iTunes genre/artist/album filters or the browsing of cover art, most music players simply present the users with the list of all their media in a plain multi-column layout. Easy to implement, but hard on the eyes for the users. Interestingly, Foobar2000 (freeware) is the only popular player to allow a rich customization of the layout, which greatly improves readability.

The lack of features that help users organize their media library contributes to the difficulty of addressing the two previous issues. In the physical world, users can arrange their CDs spatially in their own personal way (by artist, date of release, mood, etc), set a couple of albums aside for playing at a party, or highlight their latest acquisitions on a shelf. This lets them build a cognitive map of the location of items. On computer-based music players, however, they are barely provided with the possibility to create playlists, possibly dynamic, but seldom integrated well enough to be used powerfully. Even bare files have richer organizational possibilities, using directories!

The reason behind these limitations is not that they are inherently unsolvable. The truth is that a lot of effort is required to implement new approaches in any of these fields. Experimentation, either conceptual or in terms of interface, is expensive.

The Collections Concept

The goal of Collections is to address this problem by creating a common abstraction layer. Search, browsing and organization all share one property: they act on subsets of the media library. Computers are especially good at handling sets, but music players haven't really exploited that fact yet.

A collection is defined as a subset of the media library. This set of media (songs) can be dynamic, for instance "All media by Kraftwerk released prior to 1980" or "All media added to the media library last week, except those by Justin Timberlake". A static set, for instance hand-picked media selected for parties, is just a special case of dynamic sets.

Note that a collection is not merely what some players call a "Smart Playlist" (or "Dynamic Playlist"). A "Smart Playlist" is only used to play an arbitrary list of media, while a collection is a generic representation of a set of media. For instance, this includes the results of a search, a filtered view of the media library, the list of tracks from a given album, etc.

Because a collection is an abstract representation, it can be used ubiquitously throughout all the features of the music player: browsing, searching in the media library or the playlist, enqueuing, jumping, etc. A collection can also be saved on the server, thus allowing the users to organize their music and reuse their selection in homogeneous and flexible ways.

Collections for the XMMS2 player

The XMMS2 project turned out to be the perfect ground to implement collections. Unlike its popular predecessor XMMS, XMMS2 hasn't gathered much attention yet. However, it features all that you would expect from a recent music player: a media library, support for many audio formats and multiple platforms (Linux, *BSD, OS X, Windows, etc), bindings for many languages (C, C++, Ruby, Python, Perl, Java), and a friendly community open to innovation.

In addition, the player was designed according to a client-server architecture, so that the server is responsible for all the boring work (audio decoding, media library management, tag extraction, etc), while any flavor of user interface can be implemented as a client connected to the server, possibly across the network.

Collections have been implemented in XMMS2 as a student project during the Google Summer of Code 2006, and finally merged into the stable tree on May 20, 2007 as part of the DrJekyll release.

Support for collections was implemented on the server as a layer above the media library, and playlists are exposed to the clients through a collections API. This API allows clients to save collections on the server, query the media library, enqueue the content of a collection, etc. Thus, although the user interface depends on the client, the server and the clients all share the same abstract representation.

Clients are also freed from the need to generate complex SQL queries themselves; instead, they can easily build a (DBMS-agnostic) collection and the tedious query is performed by the server. In addition, a parser is provided to generate a collection from a string with an enriched search syntax.

Collections make it essentially trivial to browse and search the media library. Moreover, advanced features are either natively available or very easy to implement: iTunes-like Party Shuffle, recursive filtering (e.g. search inside the playlist), display Top 10 or never played songs, changing the equalizer settings if the playing song is in a particular collection (e.g. "Jazz Vinyl rips"), etc.

Implementation

Strictly speaking, collections are implemented as a directed acyclic graph (DAG), each node of which is a collection operator. In fact, because the structure is recursive, each node of the graph corresponds to a collection. This model was chosen to emphasize the aggregated nature of users' music collections.

Collection operators come in four different flavors:

  • set operators
  • filter operators
  • list operators
  • reference operator

The set operators take an arbitrary number of operands and return the collection obtained by applying the corresponding set operation to them. For instance, "any music by The Beatles or any music by The Rolling Stones". Available set operators: union, intersection, complement.

The filter operators enforce conditions on properties of the media; the resulting collection only contains the media that match the filtering attributes. For instance, "all the songs with 'stairway' in their title". Available filter operators: equals, match (partial matching of strings using wildcards), larger/smaller (for numbers), has (checks whether a property is present).

The list operators are a bit special. The basic list operator (called "idlist") does not accept any operands; instead, it simply generates the collection corresponding to the custom list of media it contains. Because list operators store static, ordered lists of media, they are used as playlists in XMMS2. Available list operators: list, queue (pop songs once they have been played), Party Shuffle (takes an operand, used to randomly feed the list with new entries).

The reference operator is simply used to refer to the content of a saved collection or playlist. For instance, "all the songs released in 2007 in the Foo playlist". A reference operator is also used to refer to the whole media library (all media).

Now, let's illustrate all this with a sample collection structure:

[Collection Diagram]

The nodes represent collection operators, while edges simply connect operands to operators.

Here, "All Media" is a reference to the whole media library, and we use a Match operator to only keep media for which the artist has a name starting with "A" (1). We then take the union (3) of this and the content of the "Rock 90's" saved collection (2). The result is passed as an operand to a Party Shuffle operator (4), which we save under the name "Interesting" (5).

When the user plays the "Interesting" playlist, songs are popped from the list as soon as they are finished, and new songs matching the operand collection (3) are automatically enqueued, so that the list always contains at least 20 items. This is specified by the "size" attribute of the Party Shuffle. Of course, the user can also edit the playlist and add tracks to it manually.

This is only one example of collections among many. As you can see, the modular structure of collections allows virtually unlimited possibilities. As such, they have been tightly integrated both on the server and in the client API.

On the server, a dedicated module is responsible for handling collection features. When a collection is queried, it serializes the structure into an SQL query, runs it in the media library and returns the matching media, either as a list of media ids or hashes containing the requested media properties. When a collection is saved on the server, it is added to the collection DAG and kept in memory while the server is running. On shutdown, the whole DAG is serialized into the database. Note that playlists are nothing but collections, albeit restricted to list operators and saved into a dedicated namespace.
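As an added example (not XMMS2's own code), the following Python models the operator flavours described above (reference, filter, set and list operators, plus the Party Shuffle refill step) and the server-side step of serializing a collection DAG into one SQL query, then runs the diagram's DAG against a small in-memory library. The media schema, the six songs and the definition of the "Rock 90's" saved collection are assumptions made for this example; the point it adds is that because only the server builds SQL, every client-supplied value can be bound as a parameter and every filter field checked against a whitelist.

```python
"""Toy model of XMMS2-style collections compiled to SQL. Added example, not
XMMS2's code; schema, songs and the "Rock 90's" collection are constructed."""
import random
import sqlite3
from dataclasses import dataclass, field

# Constructed media library: (id, artist, title, year, genre)
SONGS = [
    (1, "Aphex Twin", "Xtal", 1992, "Electronic"),
    (2, "Autechre", "Eutow", 1995, "Electronic"),
    (3, "Kraftwerk", "Autobahn", 1974, "Electronic"),
    (4, "Nirvana", "Lithium", 1991, "Rock"),
    (5, "Pearl Jam", "Alive", 1991, "Rock"),
    (6, "Led Zeppelin", "Stairway to Heaven", 1971, "Rock"),
]
# Whitelist of filterable properties: no client-chosen name reaches the SQL text.
FIELDS = {"artist": "artist", "title": "title", "year": "year", "genre": "genre"}
COMPARE = {"equals": "=", "larger": ">", "smaller": "<"}
SETOPS = {"union": "UNION", "intersection": "INTERSECT", "complement": "EXCEPT"}

@dataclass
class Coll:
    """One DAG node: an operator, its operand collections and attributes."""
    op: str
    operands: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)
    ids: list = field(default_factory=list)  # static media ids (idlist only)

ALL_MEDIA = Coll("reference", attrs={"name": "All Media"})

def glob_to_like(pattern):
    """Translate the match operator's * and ? wildcards into a LIKE pattern."""
    table = {"*": "%", "?": "_", "%": r"\%", "_": r"\_", "\\": r"\\"}
    return "".join(table.get(ch, ch) for ch in pattern)

def compile_coll(node, saved, params):
    """Serialize `node` into an SQL fragment yielding media ids; `saved` maps
    saved-collection names to DAGs, `params` receives values in placeholder order."""
    op = node.op
    if op == "reference":  # a saved collection, or the whole media library
        if node.attrs["name"] == "All Media":
            return "SELECT id FROM media"
        return compile_coll(saved[node.attrs["name"]], saved, params)
    if op in COMPARE or op in ("match", "has"):
        src = node.operands[0] if node.operands else ALL_MEDIA  # default: whole library
        base = compile_coll(src, saved, params)
        col = FIELDS[node.attrs["field"]]  # KeyError for unknown fields
        if op == "has":
            cond = f"{col} IS NOT NULL"
        elif op == "match":
            params.append(glob_to_like(node.attrs["value"]))
            cond = f"{col} LIKE ? ESCAPE '\\'"
        else:
            params.append(node.attrs["value"])
            cond = f"{col} {COMPARE[op]} ?"
        return f"SELECT id FROM media WHERE id IN ({base}) AND {cond}"
    if op in SETOPS:  # complement: everything not in its single operand
        parts = [ALL_MEDIA] + node.operands[:1] if op == "complement" else node.operands
        subs = [f"SELECT id FROM ({compile_coll(o, saved, params)})" for o in parts]
        return f" {SETOPS[op]} ".join(subs)
    if op == "idlist":  # static list; as a set, its order is not preserved
        if not node.ids:
            return "SELECT id FROM media WHERE 0"
        params.extend(node.ids)
        return f"SELECT id FROM media WHERE id IN ({', '.join('?' * len(node.ids))})"
    raise ValueError(f"unknown operator {op!r}")

def query(node, saved, conn):
    """Run a collection against the library and return its media ids, sorted."""
    params = []
    sql = compile_coll(node, saved, params)
    return sorted(row[0] for row in conn.execute(sql, params))

def party_shuffle_fill(playlist, operand, saved, conn, size, seed=None):
    """Party Shuffle refill: top the list up to `size` with random unqueued media."""
    playlist = list(playlist)
    pool = [i for i in query(operand, saved, conn) if i not in playlist]
    random.Random(seed).shuffle(pool)
    while len(playlist) < size and pool:
        playlist.append(pool.pop())
    return playlist

def open_library():
    """Load the constructed songs into an in-memory SQLite media library."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (id INTEGER PRIMARY KEY, artist TEXT,"
                 " title TEXT, year INTEGER, genre TEXT)")
    conn.executemany("INSERT INTO media VALUES (?, ?, ?, ?, ?)", SONGS)
    return conn

def build_example():
    """The diagram's DAG: Match artist 'A*' (1), saved 'Rock 90's' (2), Union (3)."""
    saved = {"Rock 90's": Coll("intersection", [
        Coll("equals", attrs={"field": "genre", "value": "Rock"}),
        Coll("larger", attrs={"field": "year", "value": 1989}),
        Coll("smaller", attrs={"field": "year", "value": 2000})])}
    artists_a = Coll("match", [ALL_MEDIA], {"field": "artist", "value": "A*"})
    return saved, Coll("union", [artists_a, Coll("reference", attrs={"name": "Rock 90's"})])
```

`query(build_example()[1], ...)` is the operand (3) the Party Shuffle draws from; `party_shuffle_fill` is the refill that keeps the "Interesting" list at its configured size.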

In the client API, collections introduced many important changes. First, executing raw SQL queries has been deprecated; all queries are now to be performed using collections. Collection data structures can be built either using a set of dedicated functions, or by calling the collection parser on a string given by the user. Finally, many XMMS2 methods have been extended to support collections (e.g. to enqueue media) and new methods allow clients to query, save and retrieve collections from the server.

If you want to learn more about the concept of collections, please have a look at the collections concept page on the XMMS2 wiki. For more details about the implementation, check the collections design page and the API documentation.

Adoption and future directions

Several XMMS2 clients have started offering features based on collections, including Abraca (GTK2 client) and gntxmms2 (console client). Other clients have ported search and browsing to the collections API: Esperanza (Qt4 client), gxmms2 (GTK2 client) and the official command-line interface.

Hopefully, client developers will start exploring new directions now that collections are in the main release. The XMMS2 CLI client has already been scheduled for a full rewrite.

Several improvements are also expected to address current limitations of the collections implementation. One limitation is that all collections are treated equally as media sets; if a filter is applied to a playlist, the order and duplicated items will be lost. A smarter internal distinction between lists and sets inside the DAG is in the works. An ordering collection operator could then be introduced to transform a set into an ordered list, as well as an operator to select subsequences of such lists, similar to the SQL LIMIT operation. They could be used to create a collection containing the "list of the 20 most recently added media". The SQL query generator could also be further optimized, unless we decide to replace the database backend completely.

Collections have just made it into the official XMMS2 distribution, but people already use them through features like search, Party Shuffle or groups of songs saved in the media library. They are a powerful toy for developing new features in the clients and hopefully helping users organize and use their music library.

It's an exciting time to come up with fresh ideas in the XMMS2 world, and I hope the rest of the developers in the music player community will take the time to reflect on and discuss all these questions earnestly!

Comments (18 posted)

System Applications

Database Software

PostgreSQL Weekly News

The June 10, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Agile Database Refactoring with Hibernate (O'Reilly)

Gilad Buzi, Kelley Glenn and Jonathan Novich discuss the process of changing data models on O'Reilly. "In this article, we will show readers how to upgrade their faulty schemas and data models without affecting existing applications or processes. By using the latest technology from Hibernate (version 3.0 and up)--along with a combination of database views, stored procedures, and standard design patterns--application developers and data architects can repair a faulty data model, one piece at a time."

Comments (none posted)

Device Drivers

LIRC 0.8.2 announced

Version 0.8.2 of LIRC, the Linux Infrared Remote Control interface, is out with support for more IR remotes and other changes.

Comments (none posted)

Mail Software

Apache SpamAssassin 3.1.9 released

Version 3.1.9 of Apache SpamAssassin has been announced. "This is a maintenance and security release of the 3.1.x branch. It is highly recommended that people upgrade to this version from 3.0.x or 3.1.x."

Full Story (comments: none)

Apache SpamAssassin 3.2.1 released

Version 3.2.1 of Apache SpamAssassin has been announced. "This is a maintenance and security release of the 3.2.x branch. It is highly recommended that people upgrade to this version from 3.2.0."

Full Story (comments: none)

Mailfromd 4.1 announced

Stable version 4.1 of Mailfromd is out. "Mailfromd is a general-purpose mail filtering daemon for Sendmail and Postfix. It is able to filter both incoming and outgoing messages using criteria of arbitrary complexity, supplied by the administrator in the form of a script file. The program interfaces with Sendmail using Milter protocol. Mailfromd provides the following basic features: flexible programming language for writing filter scripts, sender address verification, SPF, DNSBL, greylisting and whitelisting, controlling mail sending rate."

Comments (none posted)

Networking Tools

PacketViz 0.5.0 released

Version 0.5.0 of PacketViz, a Java-based network graphing tool, has been released. "PacketViz is a general packet or interaction graphing tool that can be used in a variety of applications including: Cache coherency "protocol flow diagrams", Networking packet diagrams and Dynamic software interaction diagrams".

Comments (none posted)

Miscellaneous

announcing Allmydata-Tahoe v0.3

Version 0.3 of Allmydata-Tahoe is out. "We are pleased to announce the release of version 0.3.0 of Allmydata-Tahoe, a secure, decentralized storage grid under a free-software licence. This is the follow-up to v0.2 which was released May 2, 2007"

Full Story (comments: 1)

Desktop Applications

Audio Applications

AlsaPlayer 0.99.80-rc1 and FftScope 1.0.5 announced

Version 0.99.80-rc1 of AlsaPlayer and version 1.0.5 of FftScope have been announced. "The main added feature in those 2 packages is a new GTK2 interface."

Full Story (comments: none)

AudioMove 1.15 released

Version 1.15 of AudioMove is available. "AudioMove is a simple, easy to use GUI-based batch audio file copy-and-conversion program. You just tell it what files to convert, what format to convert them to, and where to put the output files, and it does it."

Comments (none posted)

Jokosher 0.9 arrives

Version 0.9 of Jokosher has been released. "Jokosher is a simple yet powerful multi-track studio. With it you can create and record music, podcasts and more, all from an integrated simple environment."

Comments (none posted)

Traverso 0.40.0 Released

Version 0.40.0 of Traverso is out with a number of new capabilities. "Traverso is a cross platform multitrack audio recording and editing suite with a clean and innovative interface targeted for home and professional use."

Full Story (comments: none)

Desktop Environments

GARNOME 2.19.3 announced

Version 2.19.3 of GARNOME, the bleeding-edge GNOME distribution, is out. "We are particularly proud of all the hacking and smoke-testing that has been going on during the past couple days. New tarballs have been built and tested by various GARNOMEies as fast as we could update SVN. Once again, this early testing revealed a number of serious issues with some of the GNOME applications, a bunch of bug reports were filed, resulting in new, fixed tarballs being rolled as quickly as possible -- before the official release deadline. Our contribution to make even unstable development releases a somewhat sane place to live. Thank you, #garnome!"

Full Story (comments: none)

GNOME 2.19.3 released

Version 2.19.3 of the GNOME desktop environment has been announced. "This is our third development release on our road towards GNOME 2.20.0, which will be released in September 2007. New features are still arriving, so your mission is simple : Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Commit-Digest (KDE.News)

The June 10, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Umbrello gets a code generator for the D programming language. Further work in Plasma. Initial work to allow the Dolphin file view component to be embedded into Konqueror. More work in the KOrganizer Calendar and KRDC Summer of Code projects, with the start of the Icon Cache, TextTool Plugins in KOffice and Kopete Messenger update projects. Start of a Solid interface in Amarok, with breakthroughs in support for the Jamendo music service. KDevelop begins to be ported to the KDevPlatform structure..."

Comments (none posted)

HIG Hunting Season: Icons (KDE.News)

KDE.News looks at getting icons ready for KDE 4. "The great work of the Oxygen icon artists is a much discussed and anticipated part of KDE 4. The new icons now follow the freedesktop.org naming specification which makes it easier to share icons between applications of several desktop environments. In the HIG hunt this week, we will check that this work lives up to its full potential by looking for missing icons and wrong uses. Read on for more details."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

GUI Packages

What's coming in GTK+ 2.12

Matthias Clasen has sent out a series of emails describing changes coming to GTK+ 2.12. "I thought it might be a good idea to anticipate the release announcement for GTK+ 2.12 by writing a series of mails about some of the new features that will appear in the next stable release. I hope that this inspires some people to play with the new stuff, so that we can - find api holes and problems before they get frozen in the stable release - get some feedback on the quality (or lack thereof) of the api docs - inspire people to write examples or gtk-demo additions that show new stuff".

Full Story (comments: none)

Multimedia

Sofa 0.2.2 released

Version 0.2.2 of the Sofa Media Center, an audio and video media player for GNOME, has been announced: "Another bug fix release, this one should correct all compilations error users have been having. It contains some clean ups in the code but with no new features. Still, it should be more stable."

Comments (none posted)

Music Applications

Csound 5.06 released

Version 5.06 of Csound, a computer music system, is out. "As part of our continuing plans Csound 5.06 was release on Wednesday 6 June 2007. Apart from the usual bug fixes and bug introductions there are a number of new opcodes, and a significant progress in merging CsoundAV functionality into the Sourceforge tree."

Full Story (comments: none)

Office Suites

KOffice 1.6.3 released (KDE.News)

KDE.News has announced the release of the KOffice 1.6.3 office suite. "The KOffice team today released the third minor release of the 1.6 series. As the development focus has shifted to the next major release, this new version was aimed at polishing and fixing bugs. With this new version, three new languages are added to the list of translations: Bulgarian, Low Saxon and Nepali."

Comments (none posted)

OpenOffice.org release 2.2.1

Release 2.2.1 of the OpenOffice.org office suite is out. "This is a minor bug fix release - full details of the changes may be found in the Release Notes".

Full Story (comments: none)

Science

Kalkulon 3.0.0 released

Stable version 3.0.0 of Kalkulon has been announced. "Kalkulon is a platform-independent scientific expression calculator. It has a C-like expression syntax and its own small programming language. The GUI version is written for Qt 4.2 (or later) and supports nice syntax coloring even for single digits in larger numbers. The console version supports the readline library."

Comments (none posted)

Video Applications

Gnash 0.8.0 released

Gnash 0.8.0 is out; this one has been designated the third alpha Gnash release. Improvements include support for YouTube videos, a number of virtual machine upgrades, a simple Flash debugger, and more. "Gnash supports the majority of Flash opcodes up to SWF version 7, and a wide sampling of ActionScript classes for SWF version 8.5. All the core ones are implemented, and many of the newer ones work, but may be missing some of their methods."

Full Story (comments: 1)

Miscellaneous

Soothsayer revision 56 released

Revision 56 of Soothsayer has been announced. "Soothsayer is an intelligent predictive text entry platform. Soothsayer exploits redundant information embedded in natural languages to generate predictions. Soothsayer's modular and pluggable architecture allows its language model to be extended and customized to utilize statistical, syntactic, and semantic information sources."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The June 12, 2007 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

Perl

Better Code Through Destruction (O'Reilly)

Igor Gariev discusses Perl garbage collection on O'Reilly. "Larry Wall said that Perl makes easy things easy and hard things possible. Perl is good both for writing a two-line script that saves the world at the last minute (well, at least it saves you and your project) and for robust projects. However, good Perl programming techniques can be quite different between small and complex applications. Consider, for example, Perl's garbage collector. It frees a programmer from memory management issues most of the time...until the programmer creates circular references."

Comments (none posted)

Python

Python-URL! - weekly Python news and links

The June 11, 2007 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Shells

Hotwire 0.556 released

Stable version 0.556 of Hotwire is available. "Hotwire is intended to replace the interactive command execution portion of a typical Unix shell. It includes much of the functionality found in the combination of a terminal emulator, a shell, and core utilities like ls and grep. Most of the commands are named the same, and do basically the same thing. Where it makes sense, Hotwire improves the commands to have better defaults and makes things nicer by using the mouse, and so on."

Comments (none posted)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The June 12, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

XML

XQuery, the Server Language (O'Reilly)

Kurt Cagle looks at XQuery on O'Reilly. "In February 2007, the XQuery specification became a formal W3C Recommendation, after nearly six years of development. As a language, XQuery can best be thought of as a way to turn the integrated language used to retrieve sets of nodes from an XML document, XPath, into a standalone language. To do so, XQuery adds a number of features--command and control structures (such as for expressions), the ability to create intermediate date variables (the let keyword), conditional handling (if/then/else), and the like to the XPath 2.0 language. Perhaps more significantly, however, XQuery also adds the ability to create modules consisting of collections of XQuery functions, and provides a way to subscribe to external functions within their own respective namespaces."

Comments (none posted)

Libraries

Cairo release 1.4.8 now available

Version 1.4.8 of the Cairo 2D graphics library is out. "This release includes a thread-safe surface-cache for solid patterns which significantly improves text rendering with the xlib backend. Also, dozens of error paths in cairo have been fixed thanks to extensive fault-injection testing by Chris Wilson."

Full Story (comments: none)

CLAM 1.1 released

Version 1.1 of CLAM, a C++ library for audio and music, is out. "After a very intense development months since the last 1.0 release, the CLAM crew is glad to announce that CLAM 1.1 is ready to download. It comes with many new features and code clean up. Most important improvements are found in the Visual Prototyping front: new 3D-looking widgets, new data viewers and control surface; and a simplified way to bind controls between the user interface and the processing network."

Full Story (comments: none)

Miscellaneous

GNU tar 1.17 released

Version 1.17 of GNU tar is out with several bug fixes and a new feature. See the release announcement for details.

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Jonathan Schwartz replies to Linus regarding ZFS and GPLv3

Sun's Jonathan Schwartz has replied to the Linus posting we highlighted yesterday. "Did the Linux community hurt Sun? No, not a bit. It was the companies that leveraged their work. I draw a very sharp distinction - even if our competition is conveniently reckless. They like to paint the battle as Sun vs. the community, and it's not. Companies compete, communities simply fracture."

Comments (15 posted)

Bringing free software down to earth (Economist)

The Economist has run an article about Mark Shuttleworth and Ubuntu. "But Mr Shuttleworth is most excited about free software's potential to open up the third dimension in the display and navigation of information. 'In the space station there was no sensation of up or down,' he recalls. 'Yet if it was even slightly obvious which direction Earth was, everyone would point their feet in that direction. Our brain cannot reconfigure itself in a rational way. So we should exploit the irrationality to be productive.'"

Comments (1 posted)

Linux phone standards group to publish specifications (Ars Technica)

Ars Technica covers an announcement from the Linux Phone Standards Forum (LiPS). "LiPS aims to create a cohesive assortment of application programming interfaces (APIs) for mobile Linux development in order to increase interoperability between various Linux-based mobile platforms and simplify third-party mobile Linux application development. The first set of specifications, which will soon be available from the LiPS web site, describe systems for contact management, user interface services, and voice call handling. The rest of the LiPS 1.0 specification elements, which relate to functionality like messaging, presence, and calendaring, will be released before the end of the year."

Comments (none posted)

Trade Shows and Conferences

File system, power and instrumentation: Can Linux close its technical gaps? (LinuxWorld)

Don Marti provides a nice overview of the state of the Linux Kernel in advance of the Linux Foundation's Collaboration Summit June 13-15. He quotes extensively from Andrew Morton and Linus Torvalds about parts of the kernel which need improvement. "In an e-mail message, project founder Linus Torvalds says he agrees that the file system and power management need to work. The latter, he says, is part of a bigger problem with device drivers that basically work but don't implement advanced features. But, Torvalds says, the simple instrumentation Linux already has is enough to deal with real-world performance issues."

Comments (2 posted)

Companies

New Firm Eager to Slap Patents on Security Patches (eWeek)

eWeek has posted an article about Intellectual Weapons, a company with an innovative new business model. "Take heart, underappreciated, unremunerated vassals, for a new firm is offering to work with you on a vulnerability patch that they will then patent and go to court to defend. You'll split the profits with the firm, Intellectual Weapons, if they manage to sell the patch to the vendor. The firm may also try to patent any adaptations to an intrusion detection system or any other third-party software aimed at dealing with the vulnerability, so rest assured, there are many parties from which to potentially squeeze payoff."

Comments (16 posted)

Xandros CEO doesn't agree that Linux is patent violator (LinuxWorld)

Xandros CEO Andreas Typaldos discusses their Microsoft deal in this article at LinuxWorld. "'We did not discuss patents [with Microsoft] and we don't think Linux violates any patents and we were not asked about it,' Typaldos said. 'It is a non-issue for us.'"

Comments (8 posted)

What the Microsoft/Xandros deal means for Linux (Linux-Watch)

Linux-Watch has quotes from various people regarding the MS/Xandros deal. "Now that the deal is in place, the question is, "What to make of it?" We do know that the partnership has not drawn even a tenth of the criticism that the Novell/Microsoft patent partnership drew. Nonetheless, some other Linux vendors have little good to say about the new Xandros partnership."

Comments (2 posted)

Linux Adoption

FNB switches 12000 desktops to Linux (Tectonic)

Tectonic covers a large scale Linux deployment in South Africa. "Following recent reports of a South African bank eyeing out Linux, Novell South Africa today issued a statement in which it said it had reached an agreement with First National Bank of South Africa to standardise the bank's 12 000 desktops in its 680 retail branches on Novell's Linux product. With 12 000 desktops switching to Linux this is very likely the most significant Linux and open source implementation in South Africa to date."

Comments (none posted)

Legal

Peer to Patent Project Begins June 15 (Groklaw)

Groklaw has a reminder about the Peer to Patent project starting next week. "It's historic, in that it's never been tried before, letting the public provide the USPTO examiners with a helping hand. The goal is to find ways to block stupid patents at the applications input level, so they don't get approved, issue, and subsequently hurt people and companies. I think of it as bug spray to kill off stupid patents before they can multiply."

Comments (2 posted)

Interviews

Interview with Brian Aker (LinuxWorld)

LinuxWorld interviews MySQL architect Brian Aker on a wide range of issues, from storage engines to open source economics. "In our view today, BitKeeper is still the strongest player and much stronger than actually three contenders right now which are Bazaar-NG, Mercurial and Git. And Git's only recent. And they're not quite there just yet. And it's interesting to see who can outinnovate who first. Can Larry and BitKeeper out keep outinnovating the open source guys, or will the open source guys pass him up. And it's interesting to watch. But I think it's making all the different products in that market better in the end, because they all have to compete with one another."

Comments (3 posted)

A temporary network on a budget (LinuxWorld)

LinuxWorld talks with Stu Sheldon, the Tech Committee chair for the Southern California Linux Expo (SCALE). "With SCALE, the design criteria are simple: provide stable and balanced Internet access for both exhibitors and guests. That sounds easy, doesn't it? Oh, one other thing -- I needed to make it so I could pick the entire network up and rearrange it every year. This has been my task since the very first SCALE. I officially took over the Tech Committee chair position shortly after SCALE 1, and now host and maintain the three SCALE public servers year-round in my colocation facility in Thousand Oaks, Calif."

Comments (none posted)

Resources

full circle magazine - #1 released!

Ubuntu has a new community-produced magazine whose 42-page first issue was created with Scribus, OpenOffice.org and GIMP. Click below for the announcement, which includes the table of contents.

Full Story (comments: 9)

Anatomy of the Linux kernel (IBM developerWorks)

IBM developerWorks covers kernel history and architecture. "Over time, the Linux kernel has become efficient in terms of both memory and CPU usage, as well as extremely stable. But the most interesting aspect of Linux, given its size and complexity, is its portability. Linux can be compiled to run on a huge number of processors and platforms with different architectural constraints and needs. One example is the ability for Linux to run on a processor with a memory management unit (MMU), as well as those that provide no MMU. The uClinux port of the Linux kernel provides for non-MMU support."

Comments (none posted)

OpenWRT 101 (O'ReillyNet)

O'ReillyNet looks at choosing, building, installing and using Linux-based firmware for wireless routers. "There are currently three major active branches of the OpenWRT platform: OpenWRT, FreeWRT, and DD-WRT. OpenWRT is the original code base, which focuses on a minimal embedded Linux platform with a number of modules to add various functionalities. FreeWRT is a direct outgrowth of OpenWRT and focuses on providing an advanced platform for experienced developers. DD-WRT started with Sveasoft Alchemy but switched over to a WRT kernel to make use of commodity access points from companies like Linksys and Netgear as opposed to high-end APs."

Comments (16 posted)

A guide to using PDFs on GNU/Linux (Linux Journal)

Linux Journal surveys PDF support. "Although GNU/Linux has long supported postscript format, full support for the related PDF file format has been longer in arriving. Today, however, PDF support is finally starting to equal what is available on other operating systems. Whether you are printing, editing, or viewing PDF files, you now have the choice of a variety of applications on both the command line and the desktops."

Comments (16 posted)

Turn Vim into a bash IDE (Linux.com)

Linux.com covers the Bash Support plugin for Vim. "The Bash Support plugin works in the Vim GUI (gVim) and text mode Vim. It's a little easier to use in the GUI, and Bash Support doesn't implement most of its menu functions in Vim's text mode, so you might want to stick with gVim when scripting."

Comments (1 posted)

Reviews

Kazehakase brings innovation to the browser (Linux.com)

Linux.com examines a browser that is not Gecko-based and which offers some interesting innovations. "This gradual introduction of complexity seems ideal for learning Kazehakase without being overwhelmed the way some users are by the full set of choices in most mainstream browsers. For new or basic users, it also eliminates a clutter of choices in which they have no interest. Even Kazehakase's Expert level UI is less busy than Firefox's, but it nicely highlights the browser's innovations."

Comments (4 posted)

Nixstaller and the inconvenience of do-it-yourself (Linux.com)

Linux.com looks at Nixstaller. "Nixstaller 0.2.2 is a command-line tool for creating graphical installers for archived files on Unix-like systems. If that sounds paradoxical, it is. Although Nixstaller is easy enough to learn that you can produce your first installer within half an hour of installing it, much of the process is sufficiently painstaking that it cries out for the automation usually associated with a graphical interface."

Comments (none posted)

Desktop publishing with OpenOffice.org (Linux.com)

Linux.com takes a look at using Draw and Writer from OpenOffice.org for desktop publishing tasks. "So why are the desktop publishing capabilities of OpenOffice.org not better known? I believe that it is mostly a matter of people seeing what they expect to see. When hearing of a program called Writer, most people naturally assume that it is just another word processor. In the same way, Draw is automatically assumed to be another graphics program. It takes time and experience to know just how far Writer and Draw can stretch, and apparently the six years or so in which OpenOffice.org has been available isn't enough for more than a handful of users to know their full potential."

Comments (2 posted)

Revisor utility creates custom install images for Fedora (Linux.com)

Linux.com reviews Revisor. "With Revisor running as the front end in Fedora 7, and the image building tools running in the background, it is now easy to build an install image exactly the way you want it. Using Revisor, you can choose exactly what software to include -- for example, you could build an image that installed only Xfce, and omitted GNOME and KDE. You could build a minimal install for an old machine, or for one with multiple distros and versions on which you wanted to save space. For security purposes, you could build an install in which you handpick each package. Or you could specify a custom repository or build custom images that fit on different-sized USB drives. An image built with Revisor may also be a less cumbersome way to do duplicate installs than using Kickstart. The possibilities are wide open."

Comments (none posted)

Ubuntu's mobile and embedded project advances (Linux-Watch)

Linux-Watch takes a look at the updated Ubuntu Mobile and Embedded (UME) project's architecture roadmap. "Following two months of planning, Canonical Ltd. has updated the Ubuntu Mobile and Embedded (UME) project's architecture roadmap. UME aims to create a version of the popular Ubuntu desktop Linux OS tailored to the requirements of Intel-based "mobile Internet devices" (MIDs), expected in 2008."

Comments (none posted)

WengoPhone 2.1 gives Linux users a solid softphone (Linux.com)

Linux.com looks at the WengoPhone. "The OpenWengo project recently released version 2.1 of its WengoPhone VoIP softphone. It's a big step forward for Linux users. Wengo -- the commercial PSTN-routing SIP provider that is the open source project's parent company -- focused on its Windows builds and essentially skipped over Linux during the 2.0 release cycle. OpenWengo's Linux developers were never satisfied with the stability of the 2.0-series release candidates, so they never incremented the Linux version number to 2.0."

Comments (2 posted)

Miscellaneous

LinuxChix coordinator resigns amidst controversy (Linux.com)

Linux.com reports that Mary Gardiner has resigned as LinuxChix coordinator. "Gardiner told Linux.com that she did not feel pressured into a resignation, but that it was the best thing for her and for the group. She said she will be stepping back from an active volunteer role but will remain a member. 'My involvement for the foreseeable future will be limited to handover help as needed and continued activity in AussieChix. I haven't ruled out more active involvement again sometime in the future.'"

Comments (11 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Mandriva signs the AFUL petition

Mandriva has announced that it has signed the AFUL petition against the sale of bundled software. "Nowadays, when you buy a new computer, several pieces of software are already pre-installed, be it the operating system, antivirus software or burning software. It is almost impossible for consumers to know the selling price, contracts and conditions of use of these applications and, if they wish to, to refuse to purchase them. On average, the price of this software constitutes between 10% and 25% of the purchase price of the computer - that is to say from 100 to 300 Euro. Although the French Consumer Code forbids tied sale of goods (the computer hardware) and services (software licenses), the situation continues and deprives consumers of real freedom of choice."

Full Story (comments: 1)

Commercial announcements

Fluffy Spider Technologies partners with Technical Solutions

Fluffy Spider Technologies (FST) and Technical Solutions (Techsol) have announced an international joint research, development, and marketing alliance. "The FST and Techsol alliance enables developers of products such as smart phones, TV set-top boxes, point-of-service terminals, in-car systems and building automation devices to outsource innovative hardware design and manufacture, with further cost reductions, and benefit from the embedded software platform that allows them to dramatically enhance the user experience."

Full Story (comments: none)

Gaia Flash Framework released

Steven Sacks has announced the release of the Gaia Flash Framework. "Technology author Steven Sacks today announced the free public release of his Gaia Flash Framework(R). Gaia is an open-source framework that provides powerful solutions for building Flash websites to designers and developers of all skill levels. Gaia dramatically reduces development time and is the first tool to feature a scaffolding engine for Flash."

Comments (none posted)

Intuit's QuickBooks Enterprise Solutions Embraces Linux

The press release is thin on technical details and there is no mention of client-side Linux support, but Intuit is, perhaps for the first time, actually admitting that Linux shops exist. It appears they are offering a way to store the database for their mid-range QuickBooks on Linux servers. "The offering will enable the tens of thousands of growing companies that are passionate about using open source environments to take advantage of Intuit's award-winning mid-market system while maintaining the increased security, manageability and lower total cost of ownership of Linux. The decision to extend the offering beyond Windows, made at the QuickBooks Enterprise Solutions User Conference, is part of Intuit's effort to continue to meet the needs of more complex businesses."

Comments (4 posted)

Another day another Microsoft patent deal

Microsoft has announced that it has signed a patent agreement with LG Electronics. "The specific financial terms of the agreement are confidential, but the parties are disclosing that Microsoft will be making a net balancing payment to LGE and MicroConnect for patents related to operating systems and computer systems. LGE will be making ongoing payments to Microsoft for the value of Microsoft patents as they relate to Linux-based embedded devices that LGE produces."

Comments (34 posted)

Microsoft hires a Director of Linux Interoperability

As announced on Microsoft's 'PORT 25' weblog, Tom Hanrahan, formerly the Director of Engineering for the Linux Foundation, has joined the company. His title is most likely new to Microsoft org charts. "Tom will join as the Director of Linux Interoperability, and will head our Linux/Windows interoperability work, including leadership of the Microsoft/Novell Interoperability Lab. This development lab will undertake much of the engineering work involved in the multi-year technical partnership. Among other things, Tom has much to teach us on 'developing in the open' -- how to work in a transparent way with a broad engineering community."

Comments (39 posted)

OpenLogic Partners with Aegif

OpenLogic, Inc. has announced a partnership with Aegif. "Aegif employs experienced consultants who offer strategic advice and solutions on content and document management -- and has a wide variety of clients including the largest companies in Japan. As a part of today's agreement, Aegif will use OpenLogic to provide and support the open source software needed to run major open source ECM products, as well as other open source packages. The underlying software stacks needed to run ECM open source products in Japan are often different than in the U.S. and require localized support."

Comments (none posted)

PrismTech uses Gumstix for Software Defined Radio

PrismTech has announced a Software Defined Radio solution that uses the Gumstix miniature computer. "PrismTech, an acknowledged leader in the provision of high performance middleware and tools, today announced the availability of its Spectra(TM) Operating Environment (OE) on the Gumstix(TM) family of small form factor computers. This technology breakthrough delivers the first complete COTS Software Communications Architecture (SCA) software defined radio (SDR) solution on the world's smallest full-function computer, offering significant cost, size, weight and power (SWaP) benefits for SDR developers."

Full Story (comments: none)

Qt Jambi 4.3 released

Version 4.3 of Qt Jambi, a dual-licensed rich-client Java development framework, has been announced by Trolltech. "With an intuitive, easy to learn API and integrated development tools for User Interface (UI) design and internationalization, Qt Jambi enables rapid development of advanced rich-client applications."

Comments (none posted)

Zenoss Releases New Version of Open Source IT Management Product

Zenoss Inc. has released the next major version of Zenoss Core, version 2.0. "The new version of Zenoss Core, an integrated IT management software solution, allows IT administrators to track the configuration and health of their entire IT environment. Zenoss Core is the first commercial open source IT management solution to include a configuration management database (CMDB), and adds several other features that deliver on the company's mission of simplifying enterprise IT management."

Full Story (comments: none)

New Books

Ubuntu for Non-Geeks, 2nd Ed, New from No Starch

No Starch Press has published the book Ubuntu for Non-Geeks, 2nd Edition by Rickford Grant.

Full Story (comments: none)

Resources

Comparing ODF and OOXML

Sam Hiser has put up a detailed comparison of the OpenDocument and Microsoft OOXML document formats. "ODF is the only format unencumbered by intellectual property rights (IPR) restrictions on its use in other software, as certified by the Software Freedom Law Center. Conversely, many elements designed into the OOXML formats but left undefined in the OOXML specification require behaviors upon document files that only Microsoft Office applications can provide. This makes data inaccessible and breaks work group productivity whenever alternative software is used."

Comments (32 posted)

Calls for Presentations

StorageSS deadline extended to June 15

The 3rd International Workshop on Storage Security and Survivability (StorageSS) paper submission deadline has been extended to June 15.

Full Story (comments: none)

Upcoming Events

aKademy keynote speakers announced (KDE.News)

KDE.News has announced the keynote speakers for aKademy 2007. "The opening talk will be from Lars Knoll of Trolltech who will tell us about their plans for Qt 4.4 and their relationship with KDE. Mark Shuttleworth of Canonical will be talking on the 10 Challenges to Open Source. On Sunday, Dan Kohn of The Linux Foundation will talk on the state of Linux Standardisation on the Desktop. Continuing the week the Edu and Schools Day will be opened by Sulamita Garcia with a talk on Intel's Classmate PC."

Comments (none posted)

CIFS Engineering Workshop in Mountain View, California

A CIFS Engineering Workshop will be held in Mountain View, California on September 26-28, 2007. "This event is intended for engineers working on any CIFS products and services, not just products based on the Samba codebase. We welcome engineers from any implementers of the CIFS and SMB2 protocols, or from people shipping products based on these protocols, or people with a deep interest in advancing the standardization of these protocols."

Full Story (comments: none)

Invitation to EBU Seminar

A European Broadcasting Union international training seminar will take place in Geneva, Switzerland on October 1-2, 2007. "Want to learn if Free and Open Source Software provides relevant alternatives for your TV & Radio production and delivery platforms? This seminar is designed for you. The seminar will be your guide through the specifics of FOSS and address key issues such as licensing, costs & support."

Full Story (comments: none)

Registration is Open - Flash Memory Summit 2007

Online registration is open for the second annual Flash Memory Summit taking place in Santa Clara, California, August 7 - 9, 2007.

Comments (none posted)

Events: June 21, 2007 to August 20, 2007

The following event listing is taken from the LWN.net Calendar.

Date(s) | Event | Location
June 17 - June 23 | Debian Developer Conference | Edinburgh, Scotland
June 17 - June 22 | 2007 USENIX Annual Technical Conference | Santa Clara, USA
June 20 - June 22 | IT Underground | Dublin, Ireland
June 23 | Mozilla Developer Day | Paris, France
June 25 - June 27 | SOA World Conference and Expo 2007 | New York, NY, USA
June 27 - June 30 | 2007 Linux Symposium | Ottawa, Canada
June 27 - June 29 | Summer School of Sound | Lancaster, UK
June 29 | NLUUG event theme innovation Enschede | Enschede, the Netherlands
June 30 - July 7 | Akademy 2007 | Glasgow, Scotland
July 2 - July 6 | Learning Programming with PHP | Redditch, Worcestershire, UK
July 6 | II WHYFLOSS CONFERENCE MADRID | Madrid, Spain
July 7 | Italian PostgreSQL Day | Prato, Tuscany, Italy
July 7 - July 8 | LugRadio Live 2007 | Wolverhampton, United Kingdom
July 9 - July 11 | EuroPython 2007 | Vilnius, Lithuania
July 9 - July 13 | PostgreSQL 8.2 Bootcamp at the Big Nerd Ranch | Atlanta, USA
July 10 - July 11 | The Linux Foundation Japan Symposium | Tokyo, Japan
July 12 - July 13 | IV GUADEC-ES | Granada, Spain
July 12 - July 13 | DIMVA 2007 | Lucerne, Switzerland
July 14 | UK Gentoo Meeting 2007 | London, UK
July 15 - July 21 | GNOME Users' And Developers' European Conference | Birmingham, England
July 18 - July 20 | GCC and GNU Toolchain Developers' Summit | Ottawa, Canada
July 22 - July 24 | Ubuntu Live | Portland, OR, USA
July 23 - July 27 | O'Reilly Open Source Convention | Portland, OR, USA
July 23 - July 27 | Asterisk Bootcamp with Jared Smith at Big Nerd Ranch | Atlanta, USA
July 23 - July 25 | Open Group Enterprise Architecture Practitioners Conference | Austin, TX, USA
July 24 - July 27 | Ninth course on the Exim mail transfer agent | Cambridge, UK
July 28 - August 2 | Black Hat USA 2007 | Las Vegas, NV, USA
July 30 - August 3 | Ruby on Rails Bootcamp at the Big Nerd Ranch | Atlanta, USA
August 3 - August 5 | Wikimania 2007 (Annual Wikimedia conference) | Taipei, Taiwan
August 3 - August 5 | DefCon 15 | Las Vegas, NV, USA
August 4 - August 7 | LinuxWorld Conference & Expo | San Francisco, CA, USA
August 6 - August 10 | 16th USENIX Security Symposium | Boston, MA, USA
August 6 - August 9 | LinuxWorld Conference and Expo | San Francisco, CA, USA
August 7 - August 9 | Flash Memory Summit 2007 | Santa Clara, CA, USA
August 7 - August 11 | 7as Jornadas Regionales de Software Libre | Córdoba, Argentina
August 8 - August 12 | Chaos Communication Camp | Finow airport, Germany
August 10 | August Penguin 2007 | Tel Aviv, Israel
August 11 | Picn*x XVI - The Linux 16th Anniversary Picnic | Sunnyvale, CA, USA
August 11 - August 15 | Virtual FudCon8 | Online, IRC
August 14 - August 18 | Scientific Tools for Python | Pasadena, CA, USA
August 19 | Open Source Health Informatics Working Group | Brisbane, Australia

If your event does not appear here, please tell us about it.

Web sites

GNOME Blogs upgraded to WordPress MU

The GNOME Blogs site has been moved to WordPress MU, and numerous site improvements have been added.

Full Story (comments: none)

Page editor: Forrest Cook

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds