Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 21, 2007The Linux Foundation collaboration summit The first Linux Foundation Collaboration Summit was held June 13 to 16 on Google's campus in Mountain View, California. This event could be thought of as the coming-out party for the Linux Foundation, the organization which resulted from the merger of the Open Source Development Labs and the Free Standards Group. Your editor was able to join this group, moderate a panel of kernel developers, and present his "kernel report" talk to an interested subset of attendees. This event has been well covered by many others, so your editor will focus on his particular impressions. Some other reports worth reading include:
Your editor has been to a lot of Linux-oriented events over the years. The collaboration summit was nearly unique, however, in the variety of people who attended. It was certainly not a developer's conference, but quite a few free software developers were to be found there. It is not a business conference along the lines of OSBC, but plenty of executive-type business people were in the room. Throw in a certain amount of media (on the first day), a handful of lawyers, high-profile users from Fortune 500 companies, and some PR people and you get a cross-section of the Linux ecosystem from developers of low-level code through to the people trying to make that code work in serious business settings. It is rare that people from the wider community get together and talk in this sort of setting. The stated purpose of the event was to promote collaboration across this wider community. The first step toward collaboration is understanding; the summit was almost certainly successful in helping members of the community understand each other better. For example, the kernel panel was a useful exercise in communicating the developers' thoughts to their user community. But a comment your editor heard more than once was that the most interesting part of the panel was just seeing how those developers interact with each other. Users, vendors, lawyers, and more were all able to discuss the ups and downs of Linux from their point of view. The bottom line is that things are going great, but they could be made to go quite a bit better yet. Ubuntu founder Mark Shuttleworth was the keynote speaker for the first day of the summit. His talk covered a number of topics, but the core point, perhaps, was this: while we have many tools which promote collaboration within projects, we lack tools to help with collaboration between projects. Wouldn't it be nice to have one distributed bug tracking system and a comprehensive, distributed source management system? Maybe the kernel developers and the enterprise distribution vendors could get together and designate an occasional kernel development cycle as being targeted toward enterprise release - and, thus, put together with a larger emphasis on stability. In general, there is a great deal of friction within the system; removing that friction will be an important part of our future success. Some themes were heard many times. There is a lot of interest in GPLv3 and the impact it will have on the industry. The message from the summit was that little will happen in a hurry, and that the best thing to do is to sit and watch. Everybody wants better power management and better device driver coverage. There is real stress between the enterprise customers' desires for stability, security fixes, and new features. Freedom matters: it is fun to hear a manager from Motorola talk about how using Linux makes it possible for the company to create interesting new products that couldn't have been done on "somebody else's stack." And, some press headlines notwithstanding, large proprietary software vendors were absent from the room - both physically and from the discussions which were held. This was not a meeting intended to design a "counterattack"; it was a way for the larger free software community to promote cooperation and understanding within itself. Finally, the summit was clearly intended to help the Linux Foundation figure out what role it should really be playing. This organization is still relatively new; it has a short period of time to prove that it will be worth the fees that its members pay into it. The Foundation is settling into three basic roles: promoting the development of Linux, protecting Linux from threats, and working to standardize the platform. There appeared to be wide agreement that, by organizing events like this summit, the Foundation is off to a good start.
Test driving Firefox 3 The Firefox 3.0 (FF3) development team has been busy, releasing a steady stream of alphas over the last six months, in preparation for a final release late this year. The latest release is Alpha 5, which seems like a good time to check in on the project and see what changes have been made. The project, codenamed Gran Paradiso, maintains an extensive set of documents on its planning center wiki. These documents are worth a look for anyone interested in what features are planned, but also provide insight into the planning process itself.
Much of the new functionality is under the covers in the Gecko 1.9 rendering engine. A specific goal of the engine development team was to pass the Acid2 browser test and they have succeeded in doing that. Switching the engine to use the Cairo 2D graphics library will provide support for SVG, PostScript, PDF and other formats. Performance enhancements and a more native look, especially for the Mac, are also on tap for FF3. The biggest new feature for users has not yet appeared in the browser. Places is a feature meant to unify bookmarks, history and RSS feeds, while providing a means to tag them to help organize them. In order to do that, FF3 is storing the Places information in an SQLite database. This database will also be available to Firefox Add-ons which can then offer other ways to view and organize them. Using SQLite for bookmarks has been enabled for Alpha 5, with numerous warnings about making a backup of your bookmarks file before running it. Tagging, history and RSS feeds are still awaiting a UI before their storage in the SQLite database is enabled.
Security is another area where the developers are putting in significant effort. Providing users with feedback, about the security of a site, without overwhelming them with warnings and popups, is a difficult problem, but some interesting ideas are emerging. With fairly simple UI changes, user confusion can be reduced. Modifying the location bar to remove the "favicon" (which some malicious sites set to the lock icon) and to highlight just the domain portion of the URL can go a long way towards helping users determine what sites they are visiting. Mozilla is also working with Google to generate a list of sites delivering malicious content and FF3 will block access to those sites. One worrisome development is the removal of the "same domain" restriction on XMLHttpRequest (XHR) calls. XHR is the workhorse of the AJAX style of browser interaction and web designers have long chafed under the restriction that JavaScript could only "call home". The World Wide Web Consortium (W3C) has some proposals on lifting that restriction by using "access control" lists and the FF3 team plans to implement them. The current restrictions have served us well, at least from a security perspective; hopefully this change has been well thought out. Another big addition, still in the "coming soon" category, is the addition of more offline capabilities to the browser. Being able to run web applications when not connected to the internet is one of the main goals. In order to do that, the history of pages will have to include the state of the Document Object Model (DOM) and the execution state of JavaScript embedded in the page. With a big enough browser cache, this would allow enough context to re-browse pages from weeks ago, even when offline. Overall, FF3 looks like an exciting release with a wide variety of new features. The current alpha does not really provide even an approximation of the full feature set, but it is still worth a look. At roughly the halfway point in FF3 development, great strides have been made with more to come.
Long-term support and backport risk One of the main selling points touted by many Linux-oriented vendors is stability. Once a customer buys a subscription for an "enterprise" Linux or embedded systems product, the vendor will fix bugs in the software but otherwise keep it stable. The value for customers is that they can put these supported distributions into important parts of their operations (or products) secure in the knowledge that their supplier will provide updates which keep the system bug-free and secure without breaking things. This business model predates Linux by many years, but, as the success of certain companies shows, there is still demand for this sort of service.So it is interesting that, at the recently-concluded Linux Foundation Collaboration Summit, numerous people were heard expressing concerns about this model. Grumbles were voiced in the official panels and over beer in the evening; they came from representatives of the relevant vendors, their customers, and from not-so-innocent bystanders. The "freeze and support" model has its merits, but there appears to be a growing group of people who are wondering if it is the best way to support a fast-moving system like Linux. The problem is that there is a great deal of stress between the "completely stable" ideal and the desire for new features and hardware support. That leads to the distribution of some interesting kernels. Consider, for example, Red Hat Enterprise Linux 4, which was released in February, 2005, with a stabilized 2.6.9 kernel. RHEL4 systems are still running a 2.6.9 kernel, but it has seen a few changes:
The end result is that, while running uname -r on a RHEL4 system will yield "2.6.9", what Red Hat is shipping is a far cry from the original 2.6.9 kernel, and, more to the point, it is far removed from the kernel shipped with RHEL4 when it first became available. This enterprise kernel is not quite as stable as one might have thought. Greg Kroah-Hartman recently posted an article on this topic which makes it clear that Red Hat is not alone in backporting features into its stable kernels:
An example of how this works can be seen in the latest Novell
SLES10 Service Pack 1 release. Originally the SLES10 kernel was
based on the 2.6.16 kernel release with a number of bugfixes added
to it. At the time of the Service Pack 1 release, it was still
based on the 2.6.16 kernel version, but the SCSI core, libata core,
and all SATA drivers were backported from the 2.6.20 kernel.org
kernel release to be included in this 2.6.16 based kernel
package. This changed a number of ABI issues for any external SCSI
or storage driver that they would need to be aware of when
producing an updated version of their driver for the Service Pack 1
release.
Similar things have been known to happen in the embedded world. In every case, the distributors are responding to two conflicting wishes expressed by their customers: those customers want stability, but they also want useful new features and support for new hardware. This conflict forces distributors to walk a fine line, carefully backporting just enough new stuff to keep their customers happy without breaking things. The word from the summit is that this balancing act does not always work. There were stories of production systems falling over after updates were applied - to the point that some high-end users are starting to reconsider their use of Linux in some situations. It is hard to see how this problem can be fixed: the backporting of code is an inherently risky operation. No matter how well the backported code has been tested, it has not been tested in the older environment into which it has been transplanted. This code may depend on other, seemingly unrelated fixes which were merged at other times; all of those fixes must be picked up to do the backport properly. It is also not the same code which is found in current kernels; distributor-private changes will have to be made to get the backported code to work with the older kernel. Backporting code can only serve to destabilize it, often in obscure ways which do not come to light until some important customer attempts to put it into production. All of this argues against the backporting of code into the stabilized kernels used in long-term-support distributions. But customer demand for features, and (especially) hardware support will not go away. In fact, it is likely to get worse. Quoting Greg again:
For machines that must work with new hardware all the time (laptops
and some desktops), the 12-18 month cycle before adding new device
support makes them pretty much impossible to use at
times. (i.e. people want you to support the latest toy they just
bought from the store.) This makes things like "enterprise" kernels
that are directed toward desktops quite uncomfortable to use after
even a single year has passed.
So, if one goes on the assumption that the Plan For World Domination includes moving Linux out of the server room onto a wider variety of systems, the pressure for additional hardware support in "stabilized" kernels can only grow. What is to be done? Greg offers three approaches, the first two of which are business as usual and the elimination of backports. The disadvantages of the first option should have been made clear by now; going to a "bug fixes only" mode has its appeal, but the resulting kernels will look old and obsolete in a very short time. Greg's third option is one which your editor heard advocated by several people at the Collaboration summit: the long-term-support distributions would simply move to a current kernel every time they do a major update. Such a change would have obvious advantages: all of the new features and new drivers would come automatically, with no need for backporting. Distributors could focus more on stabilizing the mainline, knowing that those fixes would get to their customers quickly. Many more bug fixes would get into kernel updates in general; no distributor can possibly hope to backport even a significant percentage of the fixes which get into the mainline. The attempt to graft an old support model better suited to proprietary systems would end, and long-term support Linux customers would get something that looks more like Linux. Of course, there may be some disadvantages as well. Dave Jones has expressed some discomfort with this idea:
The big problem with this scenario is that it ignores the fact that
kernel.org kernels are on the whole significantly less stable these
days than they used to be. With the unified development/stable
model, we introduce a lot of half-baked untested code into the
trees, and this typically doesn't get stabilised until after a
distro rebases to that kernel for their next release, and uncovers
all the nasty problems with it whilst it's in beta. As well as
pulling 'all bugfixes and security updates', a rebase pulls in all
sorts of unknown new problems.
As Dave also notes, some mainline kernel releases are better than others; the current 2.6.21 kernel would probably not be welcomed in many stable environments. So any plan which involved upgrading to current kernels would have to give some thought to the problem of ensuring that those kernels are suitably stable. Some of the key ideas to achieve that goal may already be in place. There was talk at the summit of getting the long-term support vendors to coordinate their release schedules to be able to take advantage of an occasional extra-stable kernel release cycle. It has often been suggested that the kernel could go to an even/odd cycle model, where even-numbered releases are done with stability as the primary goal. Such a cycle could work well for distributors; an odd release could be used in beta distribution releases, with the idea of fixing the resulting bugs for the following even release. The final distribution release (or update) would then use the resulting stable kernel. There is opposition to the even/odd idea, but that could change if the benefits become clear enough. Both Greg and Dave consider the effects such a change would have on the providers of binary-only modules. Greg thinks that staying closer to the upstream would make life easier by reducing the number of kernel variants that these vendors have to support. Dave, instead, thinks that binary-only modules would break more often, and "This kind of breakage in an update isn't acceptable for the people paying for those expensive support contracts." If the latter position proves true, it can be seen as an illustration of the costs imposed on the process by proprietary modules. Dave concludes with the thought that the status quo will not change anytime soon. Certainly distribution vendors would have to spend a lot of time thinking and talking with their customers before making such a fundamental change in how their products are maintained. But the pressures for change would appear to be strong, and customers may well conclude that they would be better off staying closer to the mainline. Linux and free software have forced many fundamental changes in how the industry operates; we may yet have a better solution to the long-term support problem as well.
Page editor: Jonathan Corbet Security Red Hat and IBM get certified Red Hat and IBM recently announced that Red Hat Enterprise Linux 5 (RHEL5) has earned the highest level of security certification achievable by commercial off-the-shelf operating systems. The certification is applicable when RHEL5 is running on IBM hardware, but all of the software is freely available, which may reduce the worries of customers regardless of which hardware they are considering running Linux on. The Fedora and CentOS distributions will immediately benefit, because they use the same software and SELinux policies, but other distributions can use the information as well. The certification that RHEL5 achieved comes from one of the most acronym-dense regions of the internet, which is, perhaps, unsurprising for a partnership between industry and the US government. Here is how the press release puts it:
[RHEL5] has been approved by the National Information Assurance Partnership for
Common Criteria Evaluation & Validation Scheme [NIAP-CCEVS] at Evaluation Assurance Level 4 (EAL4+) for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC).
The NIAP is overseen by the US National Security Agency (NSA) and exists to create and administer certification programs like CCEVS. The various protection profiles list the security requirements that need to be met to be certified. CAPP is concerned mostly with standard UNIX-style users and permissions, with some audit requirements thrown in. LSPP and RBAC are concerned with the security capabilities provided by SELinux along with auditing requirements. The profiles document the behavior that is expected while the testing verifies that the system does indeed behave that way. These kinds of certifications are nice, in a checkbox kind of way. There are many organizations that cannot or will not buy products that are not certified for a particular level and protection profile. Windows Server has been certified at EAL4, so filling in this checkbox for Linux may well remove a barrier to Linux adoption in some places. Obtaining certification at this level is great deal of work; Red Hat and IBM are to be commended for spending the time and money to get to this point. That being said, what does an EAL4+ mean for the security of servers that run RHEL5? As we said in late 2003, when (pre-Novell) SuSE teamed up with IBM to get an EAL2+ certification, the answer is, unfortunately, not much. It would seem that EAL4+ is a big step up from EAL2+, which it is, but not in the kinds of protections it provides. The EAL level is completely driven by how much testing and documentation go into the certification; how much "assurance" there is that the profile is met. The same profile (CAPP) was used in both. In addition, the protection profiles are limited to:
a level of protection, which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well-funded attackers to breach system security.
This puts most, if not all, interesting security threats outside of the scope of the testing. Adding two additional protection profiles, as was done this time, is certainly significant, but they still operate under the "no hostiles" caveat. Kernel hacker James Morris comments on the certification:
A lot of people thought it would be outright impossible to get an open source OS certified at this level. Not only were they wrong, but we've done it in a way which makes it part of the mainline kernel, upstream userland, and integrated into standard distributions. It is not some out-dated, incompatible and outrageously expensive fork of the OS, as has historically been the case with trusted OSes. "Military-strength" security is just now just another feature you get as standard in Linux, and it receives the same testing and community benefits as the rest of the OS.
Evidently, "military strength" security is only able to resist its own users making mistakes rather than a concerted effort by an enemy, but this is still a marvelous accomplishment. Perhaps the most unfortunate part of this certification process is that it is likely to vastly underestimate the abilities of an SELinux equipped system. It would be very interesting to see what kind of protection profile could actually be accommodated by RHEL5; it is likely to be much stronger than any we have seen from CCEVS. But, given that customers are typically interested in the checkbox much more than security, we will probably never know.
New vulnerabilities apache2: information disclosure
evolution-data-server: malicious server arbitrary code execution
gd: denial of service
iscsi-initiator-utils: denial of service
libexif: integer overflow
libphp-phpmailer: command execution
mplayer: buffer overflow
phpPgAdmin: cross-site scripting
phprojekt: multiple vulnerabilities
Updated vulnerabilities apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
bugzilla: multiple vulnerabilities
clamav: denial of service
cups: denial of service
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
evolution: format string error
pop mail man-in-the-middle attacks
fail2ban: denial of service
file: integer overflow
firefox: multiple vulnerabilities
freetype: arbitrary code execution
freetype: integer overflows
gcc: file overwrite vulnerability
gd: buffer overflow
horde-kronolith: local file inclusion
ImageMagick: integer overflows
imlib2: arbitrary code execution
ipsec-tools: denial of service
jasper: denial of service
kdebase: information leak
kdelibs: cross-site scripting
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Firefox 3.0 Main Window]](/images/ff3/fullwindow-sm.png)
![[Firefox 3.0 Page Info]](/images/ff3/pageinfo-sm.png)