LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for June 28, 2007Defending "open source"The term "open source" has been controversial since its inception. It was coined initially in response to two problems - the alternative "free software" is simultaneously too vague and too precise. Too vague in that it is forever forcing certain members of the community to say "not free as in beer"; the real value of free software is not that you can get it without paying. Too precise in that some of those trying to sell free software into corporate environments would rather not bring along "politics" and the image of the more intransigent members of the free software foundation. So "open source" was supposed to capture the benefits of access to the source code without scaring the managers.One might well argue that it has been somewhat successful in that goal - but not after some ups and downs. Richard Stallman almost immediately criticized the term, and hasn't stopped since. Near the end of 1998 there was a dispute between Software in the Public Interest and the Open Source Initiative over who owned the "open source" trademark. This disagreement became moot in June, 1999, when the OSI abandoned its attempt to register the trademark in the U.S. Plans were announced to create a separate "OSI Certified" mark, but one would search in vain for a way to use that mark now; the OSI never completed its attempt to register that term either. Despite the lack of any sort of certification or enforcement body, the "open source" term has done nicely over the years. People generally seem to know what it means, and, certainly, our community has only grown stronger over that time. Recently, however, certain companies have started testing to see just how far they can push the term. The use of "badgeware" licenses was a warning shot (covered here last November); most of those licenses are not considered to be truly open source. More recently, Centric CRM has made it clear that it intends to play by different rules:
We truly believe in our product, team and product strategy. We have
never misled or mis-communicated the license that our software is
based on. Our current license is not OSI-approved, nor have we ever
claimed it is. But it is open source.
This "open source" license contains these terms:
You may use, copy, modify, and make derivative works from the code
for internal use only. You may not redistribute the code, and you
may not sublicense copies or derivatives of the code, either as
software or as a service.
Clearly, this language does not correspond with the idea most LWN readers will have of "open source." There is no freedom to fork - or even to share your improvements. By making this use of the term "open source," Centric CRM is clearly stating that the Open Source Initiative has no say over what the term means. OSI president Michael Tiemann disagrees, and has stated his intent to start defending the term:
Open Source has grown up. Now it is time for us to stand up. I
believe that when we do, the vendors who ignore our norms will
suddenly recognize that they really do need to make a choice: to
label their software correctly and honestly, or to license it with
an OSI-approved license that matches their open source label.
The sad truth is that Centric CRM may have calculated correctly. OSI holds no trademarks which can be used to discourage unwanted uses of the "open source" term. In fact, the OSI has accomplished discouragingly little over the past several years. Nothing has been done to make the OSI a more community-oriented operation; the OSI board of directors elects itself and answers to nobody. About the only visible activities at the OSI are a multi-year process to try to reduce the number of approved licenses and the occasional approval of a new license. The OSI has not "gone wrong" - it has not started approving licenses that the community would disagree with. But it is widely seen as dormant and irrelevant to anything of interest that the community is doing. This is the organization whose president would now like to rally the community to the defense of the "open source" term. Certainly Mr. Tiemann's cause would be easier if the OSI had paid more attention to the community all along. Perhaps defending "open source" is the way by which the OSI can win back some respect. It is a task which needs to be done; either abuse of the term needs to be curbed, or, as Don Marti suggests, it's time for a new one. It is possible to argue that anybody who is taken in by a phony "open source" license deserves all that ensues; relying upon any piece of software without understanding the license is a known recipe for trouble. But if "open source" becomes associated with non-free licenses, it will no longer be a term which we will want associated with our software. If "open source" inherently cannot be defended, either legally or through community pressure, it is time we found that out and moved on. Aggressively defending "open source" is the right thing for the OSI to do at this time; it will be most interesting to see if the OSI is up to the task.
Major Mono hackathon produces MoonlightThe Mono project has just caught its breath from a major hacking effort to produce a demo version of Moonlight, a free software implementation of Silverlight, which has been called Microsoft's answer to Adobe's Flash. In a three week blur of 12-16 hour days, the team made far more progress than they expected and produced a working version of a plug-in for Mozilla-based browsers. A free software implementation, of a media plug-in for free browsers, is definitely a step in the right direction, though there could be problems lurking down the road. Microsoft calls Silverlight "a cross-browser, cross-platform plug-in for delivering the next generation of Microsoft .NET-based media experiences and rich interactive applications for the Web." While it, surprisingly, is cross-browser, supporting Firefox on both Windows and MacOSX, the definition of cross-platform leaves something to be desired, at least for Linux users. That is where Moonlight comes in, implementing the Silverlight platform for Linux. Silverlight essentially provides a relatively lightweight subset of the .NET platform and packages it, along with media player capabilities, as a browser plug-in. Since the Mono project has already implemented a large portion of .NET for Linux, it was the obvious place for the Moonlight project. Though, as Moonlight hacker Chris Toshok points out: "You don't need mono to use moonlight." The language used to program Moonlight is Extensible Application Markup Language (XAML) which is an XML-based language, developed by Microsoft, for describing user interfaces. It shares the graphics model and some of the characteristics of the W3C standard, Scalable Vector Graphics (SVG), but does so in an incompatible fashion The hackathon came about because Miguel de Icaza, Mono project lead, was invited to the ReMix conference in Paris, to show the "progress" that had been made with Moonlight. ReMix is a reprise of the Mix conference, which was held in Las Vegas in April and was where Microsoft announced Silverlight. By the time de Icaza had received the invitation, roughly a month had gone by since the announcement, but there had been little or no progress made on Moonlight. This caused de Icaza to put out a call for volunteers, to the Mono team, in order to put a demo together in the three weeks left before the show. A huge chunk of development work ensued, detailed in a post to de Icaza's blog.
It seems likely that we will start seeing Silverlight content at websites in the relatively near future and it is extremely useful to have a free implementation. Presumably, Moonlight will be able to be built for 64-bit and/or less popular architectures, which will make it much more widely available than Flash. The Flash plug-in is closed source, only distributed for a limited subset of Linux architectures. On the flip side, we will also, no doubt, see all sorts of "native" add-ons called from Silverlight content that will lock out Linux users. Reliance on proprietary, patented, DRM-ridden codecs would seem likely, which will complicate or severely limit Linux use. XAML is a language or format that is controlled by Microsoft; they can change it on a whim, providing little or no notice or documentation. In addition, our old friend the software patent may rear its ugly head. It is not difficult to imagine ways that Microsoft might interfere with Moonlight or Mono, if they perceive them to pose a threat at any point. In order to remain free, at least in the "rich media" world, the free and open source software community must take a lead in designing, implementing and popularizing fully free alternatives to Flash and Silverlight. Plug-ins for all major browsers and operating systems with freely available codecs need to be included as part of the project. It's an incredibly tall order, but it is difficult to see significant strides in Linux desktop acceptance, at least for home use, without a solution for web page videos and the like. Relying on proprietary software companies to take the lead, as we have with Flash and now Silverlight, is not likely to take us in a direction we want to go.
Counting vulnerabilitiesRecently, Jeff Jones posted a survey comparing the number of vulnerabilities found in the first 90 days of Microsoft Vista deployments against those of a number of other operating systems. It may not come as a surprise that Mr. Jones, who is a Microsoft employee, found that Vista was significantly more secure than the alternatives. There has been no shortage of such surveys over the years, and it may be tempting to write this one off as another bit of random FUD. Still, it's good to have an answer to such things.Mr. Jones found that five Vista vulnerabilities were disclosed in its first 90 days, exactly one of which was fixed by Microsoft. When he looked at Red Hat Enterprise Linux 4WS, the story was a little different: in the first 90 days of RHEL4, Red Hat fixed 181 vulnerabilities and left another 85 without patches. 129 of those vulnerabilities had been disclosed prior to the RHEL4 release. The result is a nice little bar chart showing that RHEL4 was two orders of magnitude worse than Windows Vista for security performance in the first 90 days. Scary stuff. The numbers posted can be checked, and they are not far out of line. Red Hat published a table showing that a default install of RHEL4 WS suffered from 274 vulnerabilities in its first year of existence. That's a lot of security holes, even after accounting for the fact that a full 52 of them were in Ethereal (now Wireshark). One could argue that the first 90 days is exactly the period of time one would want to look at if one's goal were to produce the most lopsided result. Before Vista's release, few people had the opportunity to look at it; there was not much outside probing for security holes going on. Vista was initially only available in its business edition, reducing both the scope of the system's functionality and the number of copies distributed. Every component of RHEL4, instead, had been publicly available for months before the system's release. There were no real surprises in RHEL4. The relatively long freeze time involved in the creation of an "enterprise" distribution makes the problem worse; while the world is busily finding (and fixing) security problems in free software, the packages for the upcoming RHEL release are just sitting there waiting to be decreed sufficiently stable. So of course there will be a big pile of RHEL vulnerabilities on the first day of release, and of course Vista will not have the same kind of pile. Red Hat's response to this situation can be clearly seen on the RHEL4 security updates page. On the day of release, Red Hat put out 27 advisories, many of which fixed more than one vulnerability. For example, the postgreSQL update addresses five different CVE numbers, some of which were clearly worth fixing. First-day fixes also updated php, krb5, cups, KDE, thunderbird, Python, Perl, mailman, and more. Many of these were important fixes, though none of them were deemed "critical" by Red Hat; the first critical updates happened a few weeks later, when bugs in Firefox, HelixPlayer, and Mozilla were fixed. One could well ask: why does Red Hat not fold these updates into the initial release? If they are good enough to issue on release day, they should be good enough to go directly into the distribution. There are certainly logistics issues here; mirrors would have to be updated and so on. But it's not like the old days when there were thousands of boxed sets to be manufactured. Red Hat could probably find a way to get the first-day updates into the distribution itself. The benefits, however, would be entirely in the area of public relations. The number of deployed RHEL4 systems in the first day (or the first 90 days) will be sufficiently close to zero that the amount of actual exposure caused by the existence of those vulnerabilities is negligible. In his report, Mr. Jones goes to some trouble to try to filter out some packages which are not available on Windows as a way of heading off criticism that he is not comparing equal systems. But they are still not equal, of course, and never can be. Any default RHEL installation will certainly include Python, for example, and will suffer from Python's vulnerabilities, even if that installation never actually uses Python in a way which makes those vulnerabilities exploitable. Many RHEL4 systems will have installed the vulnerable versions of cvs, xloadimage, mysql, telnet, mailman, gaim, postfix, alsa-lib, vim, gpdf, enscript, Perl, etc.; these are all packages which are missing from a Vista install. The vulnerabilities in these packages are also not exploitable in much (probably a large majority) of RHEL deployments. How many companies deploy RHEL for the purpose of running HelixPlayer, busybox, or elinks? Then, there's the silly ones. It might be embarrassing that the initial RHEL4 release included a bug with a 1999 CVE number. This vulnerability was in cpio, which neglected to create archive files with the user's umask taken into account. As a result, cpio archives created with the -O option have world read and write permissions granted. This is a bug worth fixing, but it would be amazing if anybody, anywhere, were to actually be affected by this bug. Even so, the cpio vulnerability counts in the total. Perhaps more to the point, how many vulnerabilities like the cpio hole will ever be disclosed in Vista? No security researcher is likely to bother disclosing a bug like that. If that sort of problem is fixed at all, it will be a quiet part of some service pack update with no public announcement. By so aggressively going after and fixing this kind of security problem, we are causing the number of disclosed vulnerabilities to grow in a way that most proprietary software companies would try to avoid. Finding and fixing these problems remains the right thing to do, though, regardless of who is counting the resulting advisories. It is also worth pointing out that some of the disclosed vulnerabilities are mitigated by Red Hat's use of exec-shield and SELinux. Red Hat still fixes the bug because it's the right thing to do, but, for some of these vulnerabilities, exploitation is difficult or impossible even without the fix. The most important points, though, are these: (1) despite the seemingly large number of vulnerabilities, the number of systems actually compromised still seems to be quite low, and (2) this number of vulnerabilities is still far too high, regardless of what any other operating system is doing. It is encouraging that the number of remotely exploitable vulnerabilities is small, but the fact that we are arguably not getting any better at not putting security holes into our code in the first place is discouraging. There is still much to be done in the areas of careful coding, pre-release security auditing, and security-related development tools. Regardless of what one thinks of the methodology of this report, the security bugs that were counted are real; every one of them is a reminder that we can be doing better.
Security Scanning for PHP vulnerabilities with PixyPixy is a source code scanner for PHP 4 that tries to detect two major types of web application vulnerabilities. Cross-site scripting (XSS) and SQL injection are two of the most commonly reported security problems in web applications; any help in detecting and fixing them is welcome. In addition, for those who want to try before they install, the project offers a web interface to upload PHP code for XSS checking. Pixy is a java program written by folks at the Secure Systems Lab at the Vienna University of Technology. It is roughly a year old, with at least one vulnerability report attributed to it. The project homepage has extensive documentation that will get the impatient going quickly but also satisfy the curiosity of those interested in the guts of the tool. Once you get past the "quick start", the Pixy documentation guides you through the concept of "tainted" values, which underly both XSS and SQL injection vulnerabilities. The basic idea is that unfiltered input can enter the program in various ways, which is considered to be a tainted value. In order to determine if the tainted value is used in a way that could be exploited, you must follow the data through assignments and function calls. If the data is then used in a way that could cause an XSS (via echo() for example), Pixy will flag it. Similarly, if it is used in a mysql_query(), a possible SQL injection will be flagged. Using htmlentities() on data that is eventually output, will remove the taint on that data for the purposes of XSS analysis. Using addslashes() on arguments to SQL queries, changes their status to "weakly tainted", which means they are not a problem when used inside single quotes in the query, but are still dangerous when just interpolated into the string. The program produces two kinds of output, a textual report that lists the line numbers as well as output that can be used with graphviz. The graphical output shows a dependency graph describing the flow from the taint source to the dangerous use. Pixy is geared towards the most common usage of PHP and currently only analyzes PHP 4. If a program uses its own, specialized filtering that is even more cautious than the PHP built-ins, Pixy will not see that filtering and will still consider the data to be tainted. In addition, checking for SQL injection in any database other than MySQL seems to be lacking. There are endless arguments about the PHP language and whether its constructs and practices foster secure programs, but it is clear that many, if not most, PHP projects have had security problems along the way. Removing XSS and SQL injection problems would take care of a significant fraction of the problems reported daily on BugTraq. Anyone working with PHP code, especially when using MySQL via the mysql_query() call, should seriously consider running Pixy while giving a careful look at anything suspicious that it reports.
Brief items Windows Vista - 6 Month Vulnerability ReportJeff Jones has updated his report on security in Windows Vista vs. Linux and MacOSX for a 6 month period. LWN analyzes the original 90 day report in this week's issue (subscribers only). He has changed his methodology somewhat, this time around, to try and address some concerns expressed over the original report. "The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process). If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own ..."
New vulnerabilities apache: multiple vulnerabilities
denyhosts: denial of service
ekg: several vulnerabilities
emacs21: denial of service
fail2ban: log injection vulnerability
HelixPlayer: arbitrary code execution
krb5: multiple vulnerabilities
maradns: memory leaks
perl-Net-DNS: predictable id sequence
proftpd: authentication bypass
redhat-cluster-suite: arbitrary code execution
tinymux: buffer overflow
webmin: cross-site scripting
xfsdump: insecure temp dir
Updated vulnerabilities acroread: multiple vulnerabilities
apache2: information disclosure
apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
bugzilla: multiple vulnerabilities
clamav: denial of service
cpio: arbitrary code execution
vixie-cron: privilege escalation
cscope: buffer overflows
cscope: buffer overflows
cups: denial of service
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
elinks: code execution
elinks: arbitrary file access
evolution: format string error
evolution-data-server: malicious server arbitrary code execution
pop mail man-in-the-middle attacks
fail2ban: denial of service
file: integer overflow
firefox: multiple vulnerabilities
freetype: arbitrary code execution
freetype: integer overflows
gcc: file overwrite vulnerability
gd: buffer overflow
gd: denial of service
gedit: format string vulnerability
grip: buffer overflow
gzip: multiple vulnerabilities
horde-kronolith: local file inclusion
ImageMagick: integer overflows
imlib2: arbitrary code execution
ipsec-tools: denial of service
iscsi-initiator-utils: denial of service
jasper: denial of service
java: multiple vulnerabilities
kdebase: information leak
kdelibs: kate backup file permission leak
kdelibs: cross-site scripting
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service
kernel: denial of service by memory consumption
kernel: denial of service
kernel: several vulnerabilities
kernel: several vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
krb5: uninitialized pointers
krb5: local privilege escalation
krb5: multiple vulnerabilities
ktorrent: incorrect validation
lftp: shell command execution
libexif: integer overflow
libexif: integer overflow
libgadu: memory alignment bug
libgtop2: buffer overflow
libmodplug: boundary errors
libphp-phpmailer: command execution
libpng: denial of service
libpng: buffer overflow
libpng: heap based buffer overflow
libtiff: buffer overflow
libxml2 - arbitrary code execution
libxml2: multiple buffer overflows
lookup-el: insecure temporary file
lynx: arbitrary command execution
madwifi-ng: multiple vulnerabilities
mod_jk: proxy bypass
mod_perl: denial of service
moin: arbitrary JavaScript execution
mplayer: buffer overflow
mplayer: buffer overflow
mydns: buffer overflows
mysql: denial of service
mysql: format string bug
MySQL: privilege violations
MySQL: logging bypass
nbd: arbitrary code execution
ncompress: buffer underflow
OpenOffice.org: arbitrary code execution
OpenSSH: denial of service
openssh: remote denial of service
pam: privilege escalation
php: multiple vulnerabilities
php: several vulnerabilities
php: multiple vulnerabilities
php: buffer overflows
php: several vulnerabilities
phpbb2: missing input sanitizing
phpbb2: multiple vulnerabilities
phpPgAdmin: cross-site scripting
phprojekt: multiple vulnerabilities
phpwiki: remote code execution
pptpd: denial of service
pulseaudio: denial of service
python: information disclosure
qemu: multiple vulnerabilities
qt: "/../" injection
quagga: denial of service
quake: buffer overflow
rpm: arbitrary code execution
Mozilla: multiple vulnerabilities
slocate: information disclosure
snort: remote arbitrary code execution
Sun JDK/JRE: multiple vulnerabilities
tcpdump: denial of service
tetex: buffer overflow
tomcat: directory traversal
vixie-cron: weak permissions may cause errors
wordpress: another pile of vulnerabilities
XFree86 X.org: integer overflows
xine: format string vulnerabilities
xine-lib: arbitrary code execution
xine-lib: buffer overflow
xinit: race condition
xmms: BMP handling vulnerability
zziplib: buffer overflow
Page editor: Jake Edge Kernel development Brief items Kernel release statusThe current 2.6 prepatch is 2.6.22-rc6, released by Linus on June 24. "I'm happy to say that things seem to have calmed down after -rc5, and that most of this really is just bugfixes and regression fixing in particular." This kernel development cycle would appear to be getting closer to its conclusion; the list of known regressions is getting short. As always, the long-format changelog has lots of details.About 30 patches have been merged into the mainline git repository since the 2.6.22-rc6 release; they are fixes, mostly in the architecture-specific and USB code. There have been no -mm releases over the last week, and no releases of any stable kernel trees.
Kernel development news Quotes of the week
Quite frankly, I personally am considering removing
"checkpatch.pl". That thing is just a nazi dream. That hard-coded
80-character limit etc is just bad taste.
-- Linus Torvalds
The problem IMO is that we are seeing less and less patch review
but it needs to be more and more. Andrew is one of a handful of
people who are reviewing lots of patches. It shouldn't be his
wheelbarrow to have to push around all the time. So if a little
automation can help Andrew, that's a good thing. Until people
revolt, that is.
-- Randy Dunlap
Eliminating taskletsTasklets are a deferred-execution method used within the kernel; they were added in the 2.3 development series as a way for interrupt handlers to schedule work to be done in the very near future. Essentially, a tasklet is a function to be called (with a data pointer) in a software interrupt as soon as the kernel is able to do so. In practice, a tasklet which is scheduled will (probably) be executed when the kernel either (1) finishes running an interrupt handler, or (2) returns to user space. Since tasklets run in software interrupt mode, they must be atomic - no sleeping, references to user space, etc. So the work that can be done in tasklets is limited, but they are still heavily used within the kernel.There is another problem with tasklets: since they run as software interrupts, they have a higher priority than any process on the system. Tasklets can, thus, create unbounded latencies - something which the low-latency developers have been long working to eliminate. Some efforts have been made to mitigate this problem; if the kernel has a hard time keeping up with software interrupts it will eventually dump them into the ksoftirqd process and let them fight it out in the scheduler. Specific tasklets which have been shown to create latency problems - the RCU callback handler, for example - have been made to behave better. And the realtime tree pushes all software interrupt handling into separate processes which can be scheduled (and preempted) like anything else. Recently, Steven Rostedt came up with a different approach: why not just get rid of tasklets altogether? Since the development of tasklets, the kernel has acquired other, more flexible ways of deferring work; in particular, workqueues function much like tasklets, but without many of the disadvantages of tasklets. Since workqueues use dedicated worker processes, they can be preempted and do not present the same latency problems as tasklets; as a bonus, they provide a process context which allows work functions to sleep if need be. Workqueues, argues Steven, are sufficiently capable that there is no need for tasklets anymore. So Steven's patch cleans up the interface in a few ways, and turns the RCU tasklet into a separate software interrupt outside of the tasklet mechanism. Then the tasklet code is torn out and replaced with a wrapper interface which conceals a workqueue underneath. The end result is a tasklet-free kernel without the need to rewrite all of the code which uses tasklets. There is little opposition to the idea of eliminating tasklets, though it is clear that quite a bit of performance testing will be required before such a change could go into the mainline kernel. But almost nobody likes the wrapper interface; it is just the sort of compatibility glue that the "no stable internal API" policy tries to avoid. So there is a lot of pressure to dump the wrapper and simply convert all tasklet users directly to workqueues. Needless to say, this is a rather larger job; it's not surprising that somebody might be tempted to try to avoid it. In any case, the current patch is good for testing; if the replacement of tasklets will cause trouble, this patch should turn it up before anybody has gone to the trouble of converting all the tasklet users. Another question needs to be answered here, though: does the conversion of tasklets to workqueues lead to a better interrupt handling path, or should wider changes be considered? Rather than doing a context switch into a workqueue process, the system might get better performance by simply running the interrupt handler as a thread as well. As it happens, the realtime tree has long done exactly that: all (OK, almost all) interrupt handlers run in their own threads. The realtime developers have plans to merge this work within the next few kernel cycles. Under the current plans, threaded interrupt handlers would probably be a configuration-time option. But if developers knew that interrupt handlers would run in process context, they could simply do the necessary processing in the handler and do away with deferred work mechanisms altogether. This approach might not work in every driver - for some devices, it might risk adding unacceptable interrupt response latency - but, in many cases, it has the potential to simplify and streamline the situation considerably. The code would not just be simpler - it might just perform better as well. Either way, the removal of tasklets would appear to be in the works. As a step in that direction, Ingo Molnar is looking for potential performance problems:
So how about the following, different approach: anyone who has a
tasklet in any performance-sensitive codepath, please yell
now. We'll also do a proactive search for such places. We can
convert those places to softirqs, or move them back into hardirq
context. Once this is done - and i doubt it will go beyond 1-2
places - we can just mass-convert the other 110 places to the lame
but compatible solution of doing them in a global thread context.
This is a fairly clear call to action for anybody who is concerned about the possible performance impact of this change on any particular part of the kernel. If you think some code needs faster deferred work response than a workqueue-based mechanism can provide, now is not the time to defer the work of responding to this request.
Linux security non-modules and AppArmorLong-time LWN readers will know that the Linux security module (LSM) API is controversial at best. To many, it has failed in its purpose, which is enabling the development of competing approaches to hardened Linux system; the only significant in-tree security module remains SELinux. Meanwhile, the LSM interface is easily abused; since it allows the insertion of hooks into almost any system operation of interest, it can be used by other modules to provide non-security functionality. The LSM symbols are mostly exported GPL-only, but it is still possible for binary-only modules to abuse the LSM operations - and, apparently, some have done so.SELinux hacker James Morris has been pondering this issue recently; he has also noticed that the in-tree security modules (SELinux and the small module implementing capabilities) cannot be unloaded. So, he asked, why implement a modular interface at all? He has posted a patch which turns LSM into a static API with no exported symbols. With this patch applied, any needed security "modules" must be built into the kernel; there is no longer any way to add them at run time. There have been a few complaints, but, from your editor's point of view, it does not seem like anybody has come up with a compelling reason why it must be possible to unload security modules. Instead, it has been pointed out that maintaining a coherent security state in the presence of unloadable modules is nearly impossible. So this patch would appear to have reasonably good chances of being applied. The only question, perhaps, is whether the developers feel the need to provide an extended warning period for developers and users of out-of-tree security modules. One such module is AppArmor - the GPL-licensed security mechanism distributed by Novell. AppArmor has remained out of the tree for a long time while its developers have tried to address the various comments which have been posted over the years. A new AppArmor patch has been posted; many things have been fixed, but one of the core points remains: AppArmor still uses a pathname-based mechanism for its policy enforcement. This approach sits poorly with developers - especially those in the SELinux camp - who think that pathnames are an inherently insecure method. In their view, the only truly secure way to control access to objects is to put labels on the objects themselves. It seemed that this dispute had been resolved at the 2006 kernel summit, where it was determined that the use of pathnames was not enough to keep AppArmor out of the kernel. That has not stopped people from complaining, though, and those complaints redoubled when another pathname-based approach (TOMOYO Linux) was posted recently. If AppArmor does get into the mainline, it will have to be over the objections of developers who feel that is providing false security to its users. Andrew Morton appears to want to resolve this issue and get it off the mailing lists; he sees two alternatives:
a) set aside the technical issues and grudgingly merge this stuff
as a service to Suse and to their users (both of which entities are
very important to us) and leave it all as an object lesson in
how-not-to-develop-kernel-features. [...]
b) leave it out and require that Suse wear the permanent cost and quality impact of maintaining it out-of-tree. It will still be an object lesson in how-not-to-develop-kernel-features. It seems that Andrew would rather not be in the position of delivering object lessons on how not to develop kernel code by whatever means; he concludes with this request:
Sigh. Please don't put us in this position again. Get stuff
upstream before shipping it to customers, OK? It ain't rocket
science.
At the 2006 summit, Linus took a clear position that the use of pathnames for security policies seemed reasonable to him. Given that, along with the fact that AppArmor is being widely distributed, and it seems that, sooner or later, this module should find a home in the mainline - even if it is no longer in modular form.
A summary of 2.6.22 internal API changesThe 2.6.22 development cycle is slowly heading toward its conclusion, meaning that it should be safe to try to list the significant internal API changes made this time around. They include:
The LWN 2.6 API changes page is an ongoing list of API changes in the 2.6 development series.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Networking
Architecture-specific
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet Distributions News and Editorials Debian Maintainers GR ProposalAnthony Town posted a proposed general resolution to the Debian-vote list, Debian Maintainers GR Proposal. It's about having a second keyring for Debian maintainers who don't want to be full fledged Debian Developers. This second keyring would provided limited upload ability to unstable or experimental.Anthony's proposal is in seven parts:
The proposal got a few seconds, but attracted quite a bit of debate. Bastian Venthur wondered why not just improve the new maintainer process: "So, why such a complicated GR introducing second class DDs? Just grant a few more rights to our NMs and try to improve the NM process in the long run and everybody will be happy." Raphël Hertzog pointed to previous discussions, "In short, this DM status is complementary to NM. It's not working around any deficiency in the NM process." Joey Schulze raised the concern, "I fear that the DM thingy is just invented to get more people [to] maintain packages in Debian without becoming properly involved, eventually not giving the same care a normal DDviaNM would give and thus Debian ending up with a universe of broken packages. That's most certainly not what I would like Debian to become in the future." Anthony pointed out:
The NM process is designed to create new Debian Developers -- particularly
with the ability to participate fully in the project, NMUing, hijacking
packages, voting, raising and seconding GRs, following -private, creating
new .debian.net services, accounts on dozens of machines, become a DPL
delegate, run for DPL, represent Debian, do transverse activities across
the distribution, etc....
People should be able to contribute at the level they feel comfortable with; if that increases over time, that's great; if it stays constant or decreases, we shouldn't try to force them to do more than they want, or refuse to accept what they're willing to do. That doesn't mean lowering our standards of what we distribute, just being willing to accept packages that are able to be maintained to our standards more efficiently than we currently do. In another post he added:
The NM process is about making new DDs -- who participate fully in
the project, and understand and agree with its goals. Not every useful
contributor to Debian actually wants that status -- Matthew Garrett's one
example of a former DD who'd like to contribute to Debian without being
a DD, and this is a way of making that more effective. Likewise there are
plenty of people who'd like to make a small contribution to Debian without
having to obtain the level of knowledge and experience we expect of
DDs.
The debate continues and so far little seems to be resolved. We can expect a somewhat re-worded proposal to go out though, which may well receive the required number of seconds to get it to a vote.
New Releases BLAG 70k alphaBLAG Linux and GNU has released an alpha test image of BLAG 70k. "This 70k series is updated to use Fedora 7 as a base and kernel 2.6.21. It's in pretty good shape already, but has a few things to smooth out."
Mandriva releases Corporate Desktop 4.0Mandriva has announced the release of Corporate Desktop 4.0. "Ergonomically designed, secure, comprehensive, easy to use and to administer: by consulting its corporate clients and building on its own expertise in the desktop area, Mandriva developed Corporate Desktop 4.0, a distribution that can be installed in less than 15 minutes and extensively customized thanks to a new post-installation tool."
Slackware 12.0 RC 2The June 26, 2007 Slackware current changelog entry proclaims the second release candidate for Slackware 12.0. "This might as well be called 12.0 RC2 so that we're not accused on skimping on release candidates. ;-) Still going through various reports, and (especially) looking into getting the php.ini defaults reasonable (as well as figuring out which features can be safely built as extensions). But, we're getting there."
WhiteBox Enterprise Linux 4 Respin2 now availableWhite Box Enterprise Linux 4 Respin 2 is available. "This covers Update5 from upstream plus a few errata released since. The recent OO.o and OO.o2 updates ARE included."
Distribution News Looking for new release assistantsThe Debian project is looking for new release assistants to help with Lenny. Interested Debian developers will need to be able to dedicate a chunk of time each week to this task, QA experience and an understanding of C, /bin/sh scripting, Perl, Python, Debian packaging, policy, the developers reference, and similar things.
Announcing Novell Hack WeekNovell is running a special internal event this week called Hack Week. "During Hack Week, our entire Linux engineering team -- hundreds of people -- will be working on whatever Linux or open source projects interest them. Everyone will work alone or in teams, on existing open source projects or new ideas of their own. No one will tell them what or what not to do -- it's a free week for free hacking, driven by individual passion." The Idea Pool web site is where hackers are publicizing their projects and it's open to the public.
IBM and atsec achieve independent certification of Red Hat Enterprise Linux 5 at Common Criteria EAL4+ under NIAP schemeatsec information security has announced that the U.S. National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) has certified Red Hat Enterprise Linux 5 as conformant to EAL4+ and the following Protection Profiles: Controlled Access Protection Profile (CAPP), Role Based Access Control (RBAC) Protection Profile and Labeled Security Protection Profile (LSPP). The operating system is certified on several IBM server platforms. The evaluation work was performed by atsec information security corporation, and the effort was sponsored by IBM.
Main frozen for Tribe-2The Ubuntu Tribe 2 CD is expected on June 28, 2008.
Distribution Newsletters Fedora Weekly News Issue 93The Fedora Weekly News for June 23, 2007 covers FESCo elections, Fedora Remixed (a YouTube Video), Custom Kernels in Fedora, Fedora Board Elections, FUDCon F8 Update and much more.
Ubuntu Weekly News: Issue #46The June 23rd issue of Ubuntu Weekly News is out. Topics covered include Dell's live thread about Ubuntu, Jordan Mantha joining the Ubuntu Core Team, planned features for Gutsy, the release of Launchpad 1.1.6 and much more.
DistroWatch Weekly, Issue 208The DistroWatch Weekly for June 26, 2007 is out. "A Linux distribution is not just a CD image we download from the Internet; for many of us the social part of a project, such as any interactive communication channels, are equally important. In this week's feature story, Mark South examines how one or two poisonous individuals can spoil the experience for many other users. In the news section, we take a look at the importance of the various language-specific distributions on the market, examine the new features in Ubuntu 7.10, introduce a new YaST module for creating custom live CDs, and link to a story featuring the PCLinuxOS Control Center. Finally, don't miss the excellent article written by Linux Weekly News on the subject of backporting newer software and patches into a stable distribution."
Newsletters and articles of interest Roll your own Linux distro (IT Wire)IT Wire looks at creating a customized distribution using ROCK Linux or Linux From Scratch. "The first thing to do is away from the keyboard. First you must consider what you wish to achieve. What will be the aim of your distro? Possible reasons are to optimise for, or to target, a particular CPU. Alternatively, you may wish to create a highly specialised system for specific purposes. You should also consider the default programs you would like to supply. For instance, is your preferred command-line interpreter the bash shell? Or do you prefer csh? Will you opt for sendmail for e-mail management, or do you prefer exim? Are you a vi or a pico person? One advantage of a customised Linux distribution is that it can work exactly how you want. If your aim is to provide a distro for many people to use then you will want to be flexible with your choices."
Two new alternatives for the enterprise desktop (Linux.com)Linux.com takes a look at Mandriva Corporate Desktop 4.0 and White Box Enterprise Linux 4 Respin 2. "Today enterprise users have two new choices in desktop distributions. Mandriva Corporate Desktop 4.0 is an all-new version of Mandriva's enterprise workstation, while White Box Enterprise Linux 4 Respin 2 incorporates the recent OpenOffice.org and OpenOffice.org 2 updates."
The Perfect Server - Fedora 7 (HowtoForge)HowtoForge sets up a server with Fedora 7. "This is a detailed description about how to set up a Fedora 7 server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of Fedora 7, but should apply to the 64-bit version with very little modifications as well."
Distribution reviews New AntiX distro makes older hardware usable (Linux.com)Susan Linton reviews AntiX. "I've been a fan of SimplyMEPIS for years. The distribution was one of the early pioneers in the field of user-friendly Linux development, and to this day offers a system that usually "just works." Earlier this month the MEPIS site announced a community variation for older computers based on SimplyMEPIS. AntiX is an installable live CD that features a modern kernel, recent X server, and lighter applications for use on computers with as little as 64MB RAM. I tried it, and liked what I found."
OpenSUSE 10.3 Alpha 5 report (TuxMachines)TuxMachines.org takes a look at OpenSUSE 10.3 Alpha 5. "Alpha 5 in the OpenSUSE 10.3 developmental cycle was released several days ago and with it came a few surprises. As opposed to big changes in the installed system itself, the big news this release was the 1 CD install offerings. In KDE and GNOME flavors, this release brought the single ~700MB install cdrom. I found them to be complete enough to get a stable desktop system. Not much development will be possible without further package installation, but downloading and installing the required and other desired packages through yast might be preferrable to downloading the usual 5 or 6 cds or the huge dvd."
Page editor: Rebecca Sobol Development Using Irssi to communicate within free software projects
Due to the nature of Free Software projects, unorthodox means of communication are needed. For many projects it is not possible for a developer to just walk into the next office and discuss matters. Developers are often spread over the entire globe like grains of sand. Communication via Mailing ListsWhile the official communication channels often refer to public mailing lists that are archived on the web, members of many projects also enjoy real-time chats as well. Both means share their unique set of advantages and complement each other. One advantage of mailing lists is their asynchronous nature, which means that there's no problem for Europeans, North Americans and Japanese to discuss the same topic, no matter in which timezone each member lives. Since there is no immediate need for members of a discussion to be awake during the same time it will often last a few days at least. Another reason for preferring public mailing lists as main communication channel is the archiving function. The discussion and its outcome are automatically archived on the Internet. They can be re-read later and referred to. The archive also demonstrates development progress and documents design decisions and their origin. It helps interested people understand how the project evolves and gives users many ideas when problem solutions are discussed. Thanks to a large number of commonly used search engines, such discussions are indexed quickly and are found by using proper search keywords. Real-time Chat SystemsEven though mailing lists have advantages, chat systems are quite useful as well. If you want to check out something quickly with other developers, opening an online chat and talking to those present is a lot faster than waiting for mailing list responses. It's like opening the next office door and asking your colleague, except that they might live thousands of kilometers away. A real-time chat is similar to a small chat in the office. Even though the general topic may be work, from time to time there will also be a personal component, especially when its members have become acquainted with each other. This also helps bonding developers to a healthier community. IRC NetworksSeveral networks provide Internet Relay Chat (IRC). In the early days of Linux development, a new network was quickly established as the Linux network. In recent times, many projects run their main IRC channels on either Freenode or OFTC. Both networks have been founded to provide services for Free Software projects in particular, and even buddy up these days. Many developers stay logged in during the entire work day even though they may be working on jobs other than their favorite open-source project. This way, they stay in touch with their colleagues and can seek help from like-minded people for their other job when needed. Several IRC clients are available, some provide a graphical interface, some are text-based. However, many developers prefer one client: Irssi. It is a terminal-based client that can be run under the X window system or on a text-based console. Irssi Windows and ScriptsOne important feature of Irssi is that unlike the older client ircII, every channel (i.e. chat room) and every conversation is virtually moved into its own window. Conversations don't clutter the main screen and it becomes easier to keep track of different conversations at the same time. This feature enables asynchronous use as well, since you don't lose the context when your colleague responds on the following day. When activity is recognized in a channel, its window number is highlighted in the status line so that you notice ongoing conversations. Windows can be rearranged with the /window move n command so that the most important ones get lower numbers. It is possible to jump directly to a window with Alt-[1..0] (and Alt-q ... Alt-o for windows 11 to 19). Another advantage Irssi provides over many other clients is the Perl interface that is used to improve the client and adapt it to a user's special needs. It is possible to load and unload scripts manually with the /load command. Scripts are automatically loaded during startup when they are copied or linked to in the directory ~/.irssi/scripts/autorun. Many user-contributed scripts for Irssi are available on the web::irssi::scripts page. The Debian distribution also provides a large number of scripts in the irssi-scripts package. Long Topic NamesA special feature of the IRC networks mentioned above is support for
topic names that are longer than 80 characters. The topic for a channel
usually contains a short description of what is going on in the channel,
i.e. the scope of the channel it is associated with. Irssi displays
this on the top of the window. The information can also be displayed
with the Longer channel topics have been implemented for a reason. They are no longer used only to carry a description of the channel's scope, they also serve as a pin board onto which the most recent and important news or problems are announced. For developers it may be important to read the topic. However, a problem arises when somebody changes the topic, there is no easy way to recognize the difference when it is more than 300 characters long and you don't have the old version stored somewhere. Note that the client only displays the first line of the topic and this depends on the width of your terminal. For text files the differences are easily visualized, so why not for long topic lines as well? The solution is the script topic-diff.pl. When it is loaded each topic change is accompanied with a list of items that have been added or removed. The script has been developed with a focus on development channels where the pipe symbol is treated as a delimiter of topic components. It will split the topic into components and report changes in them. If a component has only been moved within the topic, no difference is reported, of course. By using a combination of mailing lists and realtime chat systems, it has become quite easy to stay in touch with project colleagues and watch development and discussions without losing sanity.
System Applications Database Software PostgreSQL Weekly NewsThe June 24, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
pgsnmpd 1.0 beta 1 announcedVersion 1.0 beta 1 of pgsnmpd has been announced. Pgsnmpd is: "the SNMP(Simple Network Management Protocol) agent for PostgreSQL. It reports the health state of PostgreSQL with original MIB (Management Information Base)."
Interoperability Samba 3.0.25b availableVersion 3.0.25b of Samba has been released. "This is the third production release of the Samba 3.0.25 code base and is the version that servers should be run for for all current bug fixes."
Networking Tools Release of iptables 1.3.8Version 1.3.8 of iptables has been announced. "This release contains lots of accumulated bugfixes, manpage updates, and support for IPv6-MH, TCPMSS and port randomization for NAT."
Printing pkpgcounter 2.17 releasedVersion 2.17 of pkpgcounter has been announced, it features several bug fixes. "pkpgcounter is a generic Page Description Language parser which can either count the number of pages or compute the percent of ink coverage needed to print various types of documents."
Security privbind 1.1 releasedVersion 1.1 of privbind has been announced. "Privbind is a small tool allowing secure running of unprivileged programs, but allowing them to bind to privileged (<1024) TCP/UDP ports. Privbind has a secure design, with no SUID executables and no daemons."
Desktop Applications Audio Applications Amarok 1.4.6 releasedVersion 1.4.6 of the Amarok music player is out with an assortment of new features and bug fixes.
Business Applications The first release of BotsThe first release of Bots has been announced. "Bots EDI-connects your company with your trading partners. EDI is the exchange of electronic business data between companies. Bots takes care of all the needed communications, translations, protocols and standards."
Desktop Environments GARNOME 2.19.4 releasedVersion 2.19.4 of GARNOME, the bleeding-edge GNOME distribution, is out. "This release includes all of GNOME 2.19.4 plus a bunch of updates that were released after the GNOME freeze date."
The GNOME Journal, June EditionThe June 2007 edition of the GNOME Journal has been announced: "It features an article about GStreamer audio effects, an interview with Ken VanDine about GNOME 2.18 Live Media releases, an introduction to Accerciser, and a summary of GNOME.conf.au 2007."
GNOME Software AnnouncementsThe following new GNOME software has been announced this week:
KDE e.V. Quarterly Report 2007 Q1 (KDE.News)KDE.News has announced the availability of the 1Q 2007 KDE e.V. Quarterly Report [PDF]. "Topics covered include the KDE PIM Meeting at Osnabrück in January 2007, progress on the Copyright Assignment (Fiduciary Licence Agreement) and reports from the Marketing Working Group, Human Computer Interaction Working Group, and Sysadmin Team."
KDE Commit-Digest for 24th June 2007 (KDE.News)The June 24, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Introductions of a Dictionary, Photoframe, and Facebook Plasmoids, and a Weather and Solid DataEngine in Plasma. Usability improvements and optimisations in KListView, used for icon views in Konqueror and Dolphin. The start of a shared, common location for vocabulary files across KDE-Edu applications, with initial implementation in Kanagram. Support for application-specific caches in the Icon Cache implementation, and further progress in the KOrganizer Theming and KRDC Summer of Code projects..."
KDE Software AnnouncementsThe following new KDE software has been announced this week:
Xorg Software AnnouncementsThe following new Xorg software has been announced this week:
Simdock 1.1 announcedStable version 1.1 of Simdock has been announced. "SimDock is a fast and customizable dockbar. It allows the user to launch applications showing some eye-candy animation. It is written in c++ and wxWidgets and fits well in Gnome but works on most desktop environments.It does not require Compiz or 3D acceleration."
Electronics Electric 8.05 announcedOpenCollector.org has announced the release of version 8.05 of the Electric VLSI Design System. Changes include: "Various bug-fixes, routing improvements, and improved LEF/DEF import".
Games Plunger 0.1.0 releasedThe WorldForge game project has announced the release of version 0.1.0 of Plunger. "Plunger is a 3D mesh converter. It currently imports Collada, OgreXML and Sears object format and exports Collada, OgreXML, Sears object format, MD3 and a text summary about the model."
Imaging Applications Gimmage 0.2.2 releasedStable version 0.2.2 of Gimmage is available, it features bug fixes and code cleanups. "Gimmage is a small gtk image viewer, perfect for command line usage as it accepts directories and image filenames as arguments. It also has a filechooser integrated into the main UI, making accessing images and directories a snap."
Medical Applications Freemed-YiRC Beta0.99 released (LinuxMedNews)LinuxMedNews has announced the Beta 0.99 release of Freemed-YiRC. "Freemed-YiRC is a software project which aims to provide a product capable of providing Child Caring Agencies/Youth in Residential Care (YiRC) agencies with a fully functional internal case management/information system."
Miscellaneous NLTK-Lite 0.8 beta releasedVersion 0.8 of NLTK-Lite, a suite of open source Python modules, data sets and tutorials supporting research and development in natural language processing, has been announced. "This version is substantially revised and expanded from version 0.7. The code now includes improved interfaces to chunkers, grammars, frequency distributions, full integration with WordNet 3.0 and implementations of WordNet similarity measures, the Lancaster Stemmer, simpler conventions for importing modules, and simpler installation. "
Languages and Tools Assembly Language libdisassemble 2.0 releasedVersion 2.0 of LIBDISASSEMBLE, a Python-based opcode disassembly library for x86 processors, is out. "This version aims to provide a complete disassembly of IA32 instruction set. Future versions will include the addition of IA64/32 instruction set."
Caml Caml Weekly NewsThe June 26, 2007 edition of the Caml Weekly News is out with new Caml language articles.
Java OpenXava 2.1.5 released (SourceForge)Version 2.1.5 of OpenXava is available. "OpenXava is a framework to develop Java Enterprise/J2EE applications rapidly and easily. It's based in business component concept. Feature rich and flexible since it's used for years to create business applications with Java."
Python Python-URL! - weekly Python news and linksThe June 25, 2007 edition of the Python-URL! is online with a new collection of Python article links.
IDEs Anjuta DevStudio 2.2.0 (stable) -- Hurricane -- released!Anjuta 2.2.0 (Hurricane) is the first stable release of the 2.x series. Anjuta 2.2.0 is a GNOME IDE that integrates seamlessly with your favorite development tools. "It features a number of advanced programming facilities that include project management, application wizards, an on-board interactive debugger, integrated glade UI designer, integrated devhelp API help, integrated valgrind memory profiler, integrated gprof performance profiler, class generator, powerful source editor, source browsing and many more."
Eclipse Europa coming soonEclipse Europa will be released on June 29. "Eclipse Europa is the annual release of Eclipse projects. Like last years Callisto release, the Europa release is a coordinate release of different Eclipse project teams. This year, the annual release includes 21 projects. By releasing these projects at the same time, the goal is to eliminate uncertainty about version compatibility and make it easier to incorporate multiple projects into your environment."
Libraries Release libnetfilter_conntrack 0.0.80Release 0.0.80 of libnetfilter_conntrack, a userspace library that provides an API to the in-kernel connection tracking state table, is out with bug fixes.
ANN: Urwid 0.9.8.1 - Console UI LibraryVersion 0.9.8.1 of Urwid, a console-based user interface library, is out. "This is a maintenance release that fixes a number of bugs that have been found in 0.9.8."
Version Control Mercurial 0.9.4 releasedVersion 0.9.4 of Mercurial, a source control management system, is out with a number of new features. Click below for details.
Page editor: Forrest Cook Linux in the news Recommended Reading Welcome to Open Source 2.0 (Linux Journal)Linux Journal looks at "open source". "There is no doubt that 3 February 1998 was a historic day. For it was then, at a meeting in Mountain View, that a small group led by Eric Raymond came up with the term "open source" as an alternative to the description "free software". The question is, will history count 21 June 2007 as another such pivotal moment -- the day that Open Source 2.0 was born?"
Bad, Bad Reasons Not to Buy Open-Source Software (eWeek)Steven J. Vaughan-Nichols presents a rebuttal to an eWeek article that steered people away from open-source software. "1) Microsoft is the safe choice Safe? Safe!? Come on. Microsoft's products are infamous for not being safe. Vista was supposed to be soooo much more secure than earlier versions of Windows. I said that was nonsense when Vista was first coming out. And what do we now see? Why, this month alone, we see that there are four flaws. Three of the flaws could let information slip out if users visit malicious pages using IE, and with the fourth vulnerability, all you have to do is view a malicious e-mail with Windows Mail, and ta-da, you've just been hijacked. I hope you enjoy your PC being part of a botnet."
Trade Shows and Conferences DebConf 7 positions Debian for the future (Linux.com)Linux.com covers DebConf 7. "At last week's DebConf 7 Debian Conference in Edinburgh, Scotland, nearly 400 attendees had a chance to meet and socialise after years of working together online. They attended more than 100 talks and events, ranging from an update by the current and former Debian Project Leaders to a group trip to the Isle of Bute, off the opposite coast of the country."
Video of Talk by Ivan Krstic, OLPC's Chief Security Architect (Groklaw)Groklaw covers a talk by Ivan Krstic. "You have got to see this. It's the keynote talk by Ivan Krstic, OLPC's Chief Security Architect, at the Massachusetts Technology Leadership Council's Open Source Summit this week. Thanks to the wonderful Dan Bricklin, we can watch the talk too. From this talk, I finally understand fully what the project is for. It's not to design a cheaper laptop. It's to create a a new way to educate. The laptop is a surrogate brain, so if a kid is curious he or she can get on the laptop and find out the answer. Is that not how children naturally learn? They have questions and they ask for answers."
Linux Foundation Works on Green Credentials (idm.net.au)idm.net.au covers the launch of the Green Linux initiative. "The Linux Foundation is aiming to push the open source operating systems green credentials harder, resolving to develop new ways in which to improve the systems power management capabilities. The Green Linux initiative was born during last weeks Linux Foundation Collaboration Summit at Googles Silicon Valley campus, an event attended by 230 open source developers and representatives from companies such as IBM, Sun, AMD, Red Hat, Dell and Novell."
Report from MTLC's 2nd Annual Open Source Summit in Boston (Groklaw)Groklaw has a report on the Second Annual Open Source Summit in Boston. "Dan Bricklin has all of the panel discussions and talks from last week's Second Annual Open Source Summit in Boston online now. So if you didn't get to attend in person, you can listen for yourselves. A Groklaw member, Jim Olsen, who attended the summit has written up a report for us. He describes what each panel or talk was about, so you will know which you want to listen to."
Companies mixi.jp Delivers Massive Scale-Out with MySQLMySQL AB presents a case study of the mixi.jp web site. "MySQL AB, developer of the world's most popular open source database, today concluded its "Twelve Days of Scale-Out" educational initiative by presenting a case study on mixi.jp, the third-most popular Web site in Japan. Each day from June 11-22, the MySQL Web site has been highlighting how many of the world's fastest-growing companies are using the MySQL database to cost-effectively scale-out their successful online businesses."
Sun to donate Cluster code to OpenSolaris community (LinuxWorld)LinuxWorld looks at Sun's most recent donation of code, the Open High Availability Cluster, which is available under the CDDL. "The first donation, due out this week, is focused on application modules or agents that allow open-source or commercial applications to become highly available in a clustered environment. Sun will make the code available for 24 of the high-availability agents it offers with its commercially available Solaris Cluster software. Among the agents are modules for Sun's Solaris Containers virtualization technology, BEA Systems Inc.'s WebLogic application server and the open-source PostgreSQL database."
Linux Adoption San Diego rolls out laptops with Linux (eSchool News)eSchool News reports on a plan by the San Diego Unified School District to put Linux-based laptops into the hands of students. "Always-On is split into three phases, and SDUSD is in the middle of the first phase, which began in March. The project's goal is to give students access to laptop computers with software tools and resources to help prepare them to learn, live, and work in the 21st century. Toward that end, the district is using Novell's SUSE Linux Enterprise Desktop as the standard platform for the initiative."
Interviews Ubuntu's Mark Shuttleworth: Prepare for the Shared Software Tidal Wave (TechNewsWorld)TechNewsWorld has an interview with Mark Shuttleworth. ""I was poor. I was desperate. I wanted to be on this bandwagon of this Internet thing, and I wanted to find a business that wouldn't require large amounts of bandwidth or large amounts of capital. The key was Linux. It was Linux that let me connect to the Net so I could start soaking up this knowledge," said Mark Shuttleworth, founder of Ubuntu Linux."
Resources Hybrids Combine GNU Classpath and OpenJDK (InfoQ)InfoQ looks at GNU Classpath/Sun Java hybrids. "The first GNU Classpath/Sun Java hybrids have begun to appear. The hybrids combine GNU Classpath with Java code that Sun has recently released under the GPL either to improve an existing project or to further the goal of having a completely Free JDK. First IKVM made a snapshot available, thus allowing parts of the OpenJDK class libraries to be used on Mono and .NET. Then the CACAO team released a new version that allows Sun's phoneME to be used as core libraries. Finally, Red Hat launched IcedTea to allow the OpenJDK to be built using only Free Software and to provide stubs and replacements from GNU Classpath for the remaining binary plugs in the OpenJDK." You can also follow the discussions at Planet Classpath and get the video of the State of the Coffee Cup at DebConf 2007, posted here. (Thanks to Mark Wielaard)
In Praise of Pic (O'Reilly)Philipp K. Janert, Ph.D. looks at Pic on O'Reilly. "With all the elaborate 3D graphics packages out there today, it's easy to forget that sometimes all you want to do is draw a nice 2D diagram. Philipp Janert takes us on a stroll down memory lane with pic, a command-line based tool that can prove very useful."
Reviews Flock 0.9 lands gracefully (NewsForge)Joe 'Zonker' Brockmeier reviews version 0.9 of the Flock browser on Linux.com. "The Flock project has been building a "social Web browser" since 2005. The upcoming Flock 0.9 release adds new blogging features, integrates media streams into the browser, and includes an overhaul of the Flock bookmark system. It's not perfect yet, but Flock 0.9 is a big leap forward."
KDE's Plasma is heating up (Linux.com)Linux.com looks at KDE's Plasma project. "KDE launched Plasma in 2005 to revitalize the desktop interface, which the project said had remained "essentially the same" as it was in 1984. The initiative sought to renovate the KDE desktop codebase for the upcoming KDE 4 release, as well as to make innovations to KDE 3's conservative interface. Key goals included marrying the Kicker desktop panel, KDesktop root window, and SuperKaramba widget manager into a single Plasma interface; providing a framework to make widgets easier to write; making the unified components more consistent both visually and in terms of usability; and making the desktop a more organic workflow environment."
Rumors of new Gnash functionality exaggerated (Linux.com)Linux.com reviews Gnash. "A free Flash viewer is one of the last major gaps in GNU/Linux desktop functionality, so last week's news that Gnash, the free Flash player, had reached the stage where it could play YouTube and Lulu.tv videos seemed too good to be true. Unfortunately, it was."
Miscellaneous What's new with Ruby (Linux Journal)Pat Eyler looks at some events in the Ruby universe. "Wow! There have been big events in the Ruby universe recently. I'll be writing about several of them over the next couple of weeks, but today I want to touch on one that gets pretty deeply into Ruby."
Page editor: Forrest Cook Announcements Non-Commercial announcements Bandit Project's Cross-Platform Card Selector Gives Users Control of Their Internet IdentitiesThe Bandit project announces availability of their digital identity management software. "DigitalMe allows for a user-centric identity model, where users, not Web sites, control how sensitive identity information is presented. This offers greater security, since users provide only the digital card with the specific information necessary to complete a transaction, and storage of sensitive information is limited to authorizing sites. DigitalMe works by allowing users to manage multiple digital identity cards to control identity data, including name, postal address, e-mail address and credit card information. The cards are either obtained from third-party companies or created by the user. When the user visits an information card-compatible Web site and performs a transaction, such as purchasing an item, a list of digital cards is presented. The user selects the relevant card and credentials are sent to an authorizing third-party site, for example the credit card company, which verifies that the user has the necessary funds to perform the purchase. Authorization is securely sent back to the original site through the user's system, and the transaction is completed."
EFF: Dangerous Ruling Forces Search Engine to Log UsersThe Electronic Frontier Foundation (EFF) and Center for Democracy and Technology (CDT) are urging a California court to overturn a ruling that would require an Internet search engine to create and store logs of its users' activities as part of electronic discovery obligations in a civil lawsuit.
Tiemann: time to start enforcing "open source"Michael Tiemann, the leader of the Open Source Initiative, has come to the conclusion that it is time to start coming down on companies which falsely use the "open source" label. "We should never put the customer in a position where they cannot trust the term open source to mean anything because some company and their investors would rather make a quick buck than an honest one, or because they believe more strongly in their own story than the story we've been creating together for the past twenty years. We are better than that. We have been successful over the past twenty years because we have been better than that. We have built a well-deserved reputation, and we shouldn't allow others to trade the reputation we earned for a few pieces of silver."
Commercial announcements Eclipse Ships Largest-Ever Release of Leading Open Source Software Development PlatformThe annual coordinated release of the Eclipse Integrated Development Environment (IDE) was announced today. "Innovations in the Europa release include new runtime technology for creating server applications, developer tools for service-oriented architecture (SOA), tools for improving team collaboration and support for users of the popular Ruby programming language."
Mandriva UK Limited is launchedMandriva has announced the launch of Mandriva UK Limited. "Mandriva UK Limited (United Kingdom) was launched on May 23rd 2007 as the sole UK partner for Mandriva S.A, offering Mandriva Linux operating systems. Our target areas are corporate applications and solutions to individuals, educational institutions, public and private organizations, ISVs and OEMs all over the United Kingdom."
NVIDIA Tesla GPU launchedNVIDIA Corporation has announced the launch of the Tesla line of graphical processing units. "Computing on NVIDIA Tesla is now available to any software developer through the world's only C-language development environment for the GPU. NVIDIA(R) CUDA(TM) is a complete software development solution that includes a C-compiler for the GPU, debugger/profiler, dedicated driver, and standard libraries. CUDA simplifies parallel computing on the GPU by using the standard C language to create programs that process large quantities of data in parallel. Programs written with CUDA and run on Tesla are able to process thousands of threads simultaneously, providing high computational throughput to enable the GPU to quickly solve complex, computational problems. The NVIDIA CUDA development environment is currently supported on the Linux and Microsoft(R) Windows(R) XP operating systems."
Solutions4ebiz announces the Envoy 1U network routerSolutions4ebiz has announced a new rack-mounted Linux router platform with T1/E1 network capabilities. "Solutions4ebiz, the exclusive Midwest distributor and online retailer for ImageStream Internet Solutions (ImageStream), announced today the availability of a new business router, the Envoy 1U. The Envoy 1U, based on ImageStream's original Envoy router design, adds rackmount capability, support for more ports per chassis, and additional power options."
SourceKibitzer offers free Bio Service for Java developersSourceKibitzer has announced SourceKibitzer Bio. "SourceKibitzer OU, the Web's most advanced resource for Java developers working on open-source software (OSS), today announced SourceKibitzer Bio, a free, web-based service to enhance the benefits that Java developers realize for contributing to the open source software community."
TechTracker Media unveils new open-source marketing channelTechTracker Media has announced the Enterprise Open Source Channel. "TechTracker Media(TM), the leading IT vertical ad network, today announced the launch of their new "Enterprise Open Source Channel" - the industry's first vertical marketing channel devoted entirely to open source."
Untangle brings the open source movement to small business network securityUntangle has launched the Untangle Gateway Platform a commercial-grade open source solution for blocking spam, spyware, viruses, adware and unwanted content on the network. " Built around more than 30 best-of-breed, open source projects - including SpamAssassin, ClamAV, and Snort - the Untangle Gateway Platform provides the convenience, features and stability of the Appliance Vendors at a fraction of the cost and hassle. The complete system can be downloaded, installed, and configured in less than one hour." The Untangle Gateway Platform is available as a free download on SourceForge under the GPL v2 license.
Xandros to provide enhanced interoperability between standardized XML document formatsXandros has announced an effort to produce open-source translators for documents stored in the Ecma Office Open XML and Open Document Formats. "Xandros, the leading provider of intuitive Linux solutions and cross platform interoperability tools, today announced it will join Microsoft and other companies to build and ship open source translators between documents stored in Ecma Office Open XML and Open Document Formats. The translators, being developed through the Open XML/ODF Translator project, will be made available to Xandros users via the Xandros Networks update facility. Every Xandros product that includes OpenOffice.org will be equipped with the translators."
New Books Adding Ajax--New from O'ReillyO'Reilly has published the book Adding Ajax by Shelley Powers.
Education and Certification LPI announces new training partnersThe Linux Professional Institute has announced new training partners in Africa, Europe and Latin America. "This includes the first LPI training partners in France, Greece, the Ivory Coast, Peru, and Tanzania."
Calls for Presentations Audio Mostly 2007 call for papersA call for papers has gone out for Audio Mostly 2007. The event will take place on September 27-28, 2007 in Ilmenau, Germany, submissions are due by August 24.
ELC-Europe 2007 Call for PresentationsA Call for Presentations has gone out for ELC-Europe 2007. "The CE Linux Forum would like to invite you to make a presentation at our upcoming Embedded Linux Conference - Europe. The conference will be held November 2 and 3 in Linz, Austria, in conjunction with the 9th Real Time Linux Workshop." Submissions are due by August 11, 2007.
Ohio LinuxFest call for papers deadline is nearly hereThe call for presentations deadline for Ohio LinuxFest 2007 is approaching rapidly. The last date for presentation submissions is July 15, 2007. Ohio LinuxFest 2007 will be held Friday, September 28 through Sunday, September 30 at the Greater Columbus Convention Center.
Upcoming Events Akademy 2007 sponsors announced (KDE.News)KDE.News has announced the sponsors for the 2007 Akademy conference. "This Friday will see KDE contributors and our friends arriving from around the world to take part in the KDE World Summit in Glasgow. It costs a lot of money to host a conference of this size, but as in previous years our industry partners have stepped up and made it possible through generous sponsorship."
Events: July 5, 2007 to September 3, 2007The following event listing is taken from the LWN.net Calendar.
If your event does not appear here, please tell us about it.
Page editor: Forrest Cook
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Moonlight version of the Silverlight demo]](/images/Silverlight-airlines-demo-sm.png)
