LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for July 12, 2007A green light for free-software defined radio?Playing around with radio-frequency transmission and reception used to be restricted to those of us with hardware skills. That has been changing for some years, though, as processors get faster and software techniques advance; now, many radio transmitters and receivers are built with simple (but flexible) hardware. The hard work of generating the signal to be transmitted is done in software. Some wireless network adapters work that way now, as do a number of other devices. There is a well-advanced project - GNU Radio - which enables experimenters to do amazing things with software defined radio (SDR) systems.A potential problem with such devices is that users could, perhaps, modify the software and cause the radio to operate in ways which are not compliant with local spectrum-use regulations. Regulatory agencies tend to frown on such use - and on manufacturers which make it easy for their devices to be used in non-compliant ways. Fear of this sort of tampering is one of the excuses given by wireless adapter vendors for not releasing free drivers for their devices. It has also been an occasional concern for Linux distributors who include free drivers. In general, the combination of SDR and free software has long been the cause of worry and fear, and that has slowed progress on that front. The Software Freedom Law Center has made an attempt to address that fear by doing an analysis of the U.S. Federal Communications Commission's regulations with regard to the use of free software in software-defined radio systems. The resulting white paper is a bit of a challenging reading experience (it may be clearer than the FCC regulations, but it still reads like legalese), but it is probably worthwhile for anybody who is concerned about the interaction of SDR and free software. The white paper starts by looking at the scope of the FCC's regulations with regard to SDR systems. It is noted that many such systems (a wireless router, for example) contain full Linux distributions within them. Almost the entire distribution, however, is unrelated to the device's radio functionality and, thus, is not subject to FCC regulation. Any device software which does not interact directly with the radio is unregulated and can be free software. Next, the SFLC points out that, by its reading, the FCC's regulations only apply to device manufacturers. They do not, in particular, apply to independent software developers. This conclusion is important: it says that distributors who ship free drivers for SDR devices are not bound by the FCC's rules unless those drivers directly operate the radio in non-compliant ways. The down side is that manufacturers of software-defined radio devices really cannot provide free drivers if those drivers could be modified to enable non-compliant operation. The FCC expects that the security measures within these devices will be implemented in a way which resists casual tampering, and it has been clear on its worries that implementing those measures in free software will not yield a sufficiently robust solution. So, if the hardware can be easily programmed to do non-compliant things, it looks like the FCC expects the driver which programs the device to be a non-modifiable binary blob. The SFLC notes that the door is not entirely closed, and that a vendor which can demonstrate sufficient robustness with a fully free-software implementation could still get certification. But it would not be easy. The white paper concludes this way:
The SDR rules promulgated by the FCC represent a positive
development for FOSS developers working in the wireless space. The
rules allow FOSS developers not affiliated with device
manufacturers to continue work on their software without
restriction. They allow SDR manufacturers to employ FOSS for most
of the functionality of their devices, and they leave open the
possibility that a device using a purely FOSS-based software
platform could also pass FCC certification if it managed to
demonstrate the soundness of its security strategy.
It may be a positive development, but only to an extent; as long as the FCC is saying that SDR devices must contain binary blobs to be certified in the U.S., we will not have complete control over our devices. One should note that this document only discusses U.S. regulations. The FCC is certainly a prominent regulator, and its decisions have worldwide impact, but it is not the only regulatory body out there. Every country has its own rules, and some of them have regulatory agencies which are rather more nervous than the FCC; people who have studied the issue often note that Japan can be a very bad place to play loose with spectrum regulations. So, while a partially-green light from the FCC may be somewhat comforting, it's really only a small piece of the larger problem. Spectrum use and regulation is an important issue; it will have an increasing impact on our ability to communicate freely as time goes by. Improving software techniques promise to open up the spectrum in interesting ways, making it possible for more bits to be carried in ways which are difficult to intercept or interfere with. It has been argued that, as a result of improving technology, the need (and justification) for heavy-handed regulation is fading, at least over broad parts of the spectrum. The success of WiFi shows what can happen when even a small bit of spectrum is freed; imagine what could happen if the full innovative power of the free software community could be unleashed on flexible, software-defined radio systems. That is why any progress toward openness on the SDR front is a good thing, even if it remains far from what we really want.
Pointy-haired kernel hackers?Don Marti attended Greg Kroah-Hartman's Linux Symposium talk on the kernel development process; he wrote an informative article (titled Linux contributor base broadens) about it. The article states:
In the latest kernel release, the most active 30 developers
authored only 30% of the changes, while two years ago, the top 20
developers did 80% of the changes, he said. Kroah-Hartman himself
is now doing more code reviewing than coding. "That's all I do, is
read patches these days," he said.
An important part of this is that Greg presented this change as a good thing. The kernel has a far broader developer base than it once did, with patches for any given release coming from almost 1000 different people. We have a growing development community which is healthy and robust. Seeing what the mainstream media makes of things can be great fun sometimes. This time around, ComputerWorld UK picked up Don's article, running the same text but giving it a new title: Are top Linux developers losing the will to code? Slashdot picked it up under that title, then Wired chimed in with Core Linux Developers Stuck In Middle Management Mode, complete with a picture of a necktie-wearing employee wielding a stapler and a telephone. The prize must go to the Jem Report's The coders and the talkers, though; this article breaks new ground completely:
Linus' [sic] job is leaning more towards spokesman than
programmer. He's been a relatively effective manager up until now,
but I think that effectiveness will begin to erode rapidly with
time. The further you get away from the actual work, the less you
are able to accurately judge the appropriateness of other people's
work. You need to stay in the game -- you need to keep your skills
in condition. If you don't, you might understand the theory pretty
well, but you'll get further and further away from being in touch
with its application. Linus has become more of a talker and less of
a coder.
It seems we have trouble here. While we weren't looking, the Linux kernel drifted into a Dilbertesque realm and is now controlled by people who don't actually create software anymore. World Domination, it would seem, is now in grave doubt. Or perhaps all of this is just silly nonsense, an extreme extrapolation taken from a couple of sentences spoken at a Linux developer conference. If one wanted to investigate this subject further, a good starting place might be the 2.6.22 changelog; there one can see just how many patches our pointy-haired top-level maintainers have contributed over the latest development cycle. Here's a subset:
One could add more names to the list, but the end result would be about the same: the top-level kernel maintainers are not among the most prolific contributors (except maybe for David Miller - but, then, he's an exception in many regards), but neither are they absent from the game. They are still hacking on the code and cranking out the patches. From some of the articles that have been posted, one might think that subsystem maintainers spend the rest of their time attending meetings and writing weekly reports. What they are actually doing is working with patches - lots of patches - and with developers. A subsystem maintainer must review code, decide whether it is appropriate for the kernel, and, if not, give the developer guidance on how to make it better. Incoming patch streams must be merged together, and decisions must be made on which ones are ready for any given development cycle. It is a task which requires the maintainers to keep their hands deep in the code. Subsystem maintainers who do not touch the code, and who do not maintain a deep understanding of how the kernel works are not likely to remain maintainers for very long. So the broadening of the kernel development community - and the associated need for more work by subsystem maintainers - is not really costing us our best developers. They are not "losing the will to code." The things that cost us developers are elsewhere: a somewhat adversarial process which turns off some people, general burnout, or getting a job which takes their attention away from contributing to the community. All very normal stuff. In the Linux kernel community we may have our share of Dogberts, but we need not lose much sleep over the threat of pointy-haired subsystem maintainers bringing the process to a halt. Instead, they have helped the kernel development process to scale to a level beyond that of almost any other software development project anywhere; that is a good thing, not a sign of trouble.
An interview with Matt AsayMatt Asay (pronounced "ay-see") studied law at Stanford University - Larry Lessig was one of his professors - before he joined Lineo, a pioneering embedded Linux company. He later moved to Novell, and then to his current employer, Alfresco, which produces open source enterprise content management software. He also founded the Open Source Business Conference, and writes an influential blog called The Open Road. Glyn Moody talked to him about why he became a GPL believer and how to create a billion-dollar revenue open source company. How did your work with Larry Lessig come about?
I had what started off as a summer internship at Lineo, and I loved it
almost from day one. It turned into a full-time job which I continued doing
for the last two years of law school. [Larry Lessig] was teaching a class
"open sources", and I thought: "Well, I work for an open source
company; surely I'm qualified to take the class."
In that paper [pdf],
there's this mea culpa, where you effectively say: "Well, actually
I've decided that I was wrong about the GPL." What made you change your
mind?
I read his book [Code and Other Laws of Cyberspace] and thought it was fantastic, and ended up in this class with him, where I found out that he was much more persuasive in the book than he was in the class. In the class, all of these grand-sounding things about freedom and whatnot, and how good it was for the industry, didn't sound as good to me when I was trying to make a living selling the stuff: Lineo went through the first year of being just phenomenally successful, to the second year of collapsing. At the time, what I was hearing was: "This open source software is great. Everybody loves it." And the "everybody loves it" was true, but that didn't translate into people paying for it, at least in my experience. And so I had a fundamental disagreement with him that open source had a long future ahead of it. When you can only rely on the developers to scratch their itches, and their itches may not be the itch of these big companies that buy software, how could open source have any sort of a future ahead of it? And so we just battled constantly. But that turned into a grudging respect on my part. I wanted to write my third-year paper on open source licensing. He agreed to be my adviser for it - which sounds better on paper than it was in reality, because he was traveling like a madman and so I never actually got to see him.
I recognized that my experience at Lineo was maybe atypical for the
industry. I hadn't encountered enterprise software yet. I just didn't know
that that would be a different beast, but it turns out it is. In the
embedded world, developers rule. Developers are happy to sustain themselves
and to support themselves. In the enterprise world, for whatever reason,
they'd rather save time, and spend some money. In the embedded world, they
were happy to save money and spend time on the code. I think it was
watching Red Hat more than anything else: Red Hat slowly proved that you
can make money in open source.
How did you come to work for Novell?
While I was still working at Lineo, I contacted somebody that I had had to
lay off, and said: "Will you come back? We need you back." And he said:
"No, I won't, but will you come work for me at Novell?" I was just coming
up on graduation, and [it] says something about how rocky the last few
months at Lineo were that Novell actually looked like a stable place to
land.
While you were at Novell, you set up the Open Source Business Conference
(OSBC) in July 2003: what you were trying to achieve with that?
My initial job at Novell was trying to get hardware and software companies to support Netware, which you can imagine was a somewhat thankless task. It was about that time that I said: "The one thing that I know is interesting is open source." That's where I had just come from. So I went to our potential partners, saying: "Well, Netware is not very interesting, but Novell and Linux are." At the time, a lot of Novell's applications or infrastructure ran on Linux, such as eDirectory. So that became my story, going around talking about how they should support Novell's Linux story, even though Novell, aside from running some of its applications on Linux, didn't really have one. I was probably one of three people in the company that had any understanding of open source, and any desire to do anything there. Fortunately, one of those three was Chris Stone, the vice chairman. In December 2002, when the Linux Business Office was formed, he asked me if I would be part of that. It was designed as a group to advise him and push the company toward open source. The unfortunate thing is that there were a lot of people that had been there for ten, fifteen years. There were people who just dug in their heels and said, "No, our software is better and our technology is better. Surely they'll realize that Microsoft technology stinks." They just didn't get it.
OSBC was born out of the frustration that I had with both Novell and Lineo,
and played out in class with Lessig: how do you make money on this stuff
that everybody thinks is so great? If it's so great, surely somebody would
pay money for it, and if we could get people to pay money for it, there
would be a lot more of it.
Did you decide to leave Novell or to join Alfresco?
I was coming back from LinuxWorld or something, I was sitting with a friend, complaining to him about this great open source stuff that nobody knows how to make any money on. I said: "You know, I should do a conference on this, get all the smart people together." And he said: "Well, do it." So I contacted the two people in open source that I knew had money - Jason Matusow at Microsoft and Dan Frye at IBM. They both committed $30,000 to it. So, yeah: the interesting little fact with the Open Source Business Conference is that the first person to give money to it was Microsoft.
I decided to leave Novell about a year before I left Novell. I was still
fulfilling my Novell duties, but thinking strategically in a vacuum. I
started talking with a range of different open source companies; over the
course of a year, I think I must have met every single open source company
on the planet.
Why Alfresco?
The one thing that I didn't have at any of the companies that I'd been with
was real mentorship on the business side. I felt like I knew the open
source side reasonably well, but in terms of how to grow a company, I
didn't really have that. So here was a company founded by the founder of
Documentum, took it from zero to a billion dollars, and the former CEO of
Business Objects who'd taken it from, I think, 50 million to 500 million
[dollars]. Clearly, here was something I could learn from them.
So how did they come to launch an open source company, not knowing anything
about open source?
When I first contacted them, I was coming over to speak at LinuxWorld UK and I thought: "Who are the open source companies in the UK? Well, I'll contact Alfresco. They look really interesting." But I thought that I wouldn't be at all interesting to them. They were these guys with this great pedigree. Clearly, they didn't need any help. On their side, they were thinking: "We don't know anything about open source; we're an open source company. Clearly, we need a lot of help." And here's this guy that seems to know something about open source, contacting them out of the blue. I only found out later that they were really excited to get involved with me. From my side, I was thinking: "Well, I really don't have that much to offer, but hopefully they'll take me on out of charity." It was a good match.
Funny you should ask that: most of the open source companies that are out
there are launched by people who don't know anything about open source, and
it shows. I think the best open source companies have been those that were
launched by developers first. So, arguably, that's JBoss, Red Hat, MySQL,
where the community came before the company. The company was an
afterthought.
What was the licensing model when you first joined?
In Alfresco's case, we're pioneering somewhat, because the company definitely came before the community. I think that's a really difficult thing to do. I think it's hard to fake community, but I also think it's really important [to have one]. How these guys got started, is they had actually started another company and it failed. When they tried to explain to me what the product was, I can't understand it, and they can't really explain it, so that's one reason it failed. The other thing was it just became evident to them that it was really hard to go in there and plop a million-dollar proposition on these companies. They decided: "Look. How can we distribute our products in such a way that people can get easy access to it, and they don't have to pay these insane amounts of money?" They perceived from their efforts that this enterprise sales model, and the enterprise pricing model, was broken. It wasn't going to work very much anymore. And they said: "Oh, it's open source!" Maybe a year after that, they said: "Why don't we start an open source content management company?" because that's what John Newton, one of the founders, knew really well. But this time, we'll do Documentum part two, and this time we'll give the product away for free. And it sounded like a great proposition, except for the free part, and that's what we've been figuring out ever since.
It was a Sugar[CRM] model, so 70
percent of the code was open source under the [Mozilla Public License], and
30 percent was proprietary. But that is a terrible model on a range of
scores. One that was continuously coming up was: we just developed this
new feature; should it be open source or should it be proprietary? We were
constantly having to struggle with this.
Looking ahead, what does Alfresco aspire to become in the long term?
So we moved to a model where it was 100 percent open source - but it was not really open source, because my definition of open source is that it has to be under an OSI-approved license, and this was Mozilla Public License plus Attribution, which had a contentious time out in the market. Attribution said you had to have a "Powered by Alfresco" logo on every screen with a little subtext that said: "This software will burst into flames at any second. Run screaming from the room when you see it. Or you can pay us and then everything will be alright." Again, that worked for a little bit, but there started to be this fervor around "Attribution isn't real open source". I hadn't really thought about it up to that point. Internally, the same thing came around: why are we doing this? We thought it was open source, but now we're hearing from at least a vocal part of the open source developing community that this won't fly. So we scrapped that in June of last year, 2006. Part of my job was going out and talking with customers, finding out why they were buying us and whether or not they would continue to pay money for the value we were providing if they weren't forced to. In the process of doing that we discovered some interesting things. A lot of companies were coming to us directly and saying: "We just want to pay you." They were sidestepping the step of using the free product and then being forced into, for whatever reason, our proprietary plug-ins or enhancements or whatnot. A lot of them had an internal policy that they wouldn't use software unless they had a support contract. We were fortunate: most of our customers were big companies. I think that made it a little bit easier for us to make the decision to go GPL, which we eventually made last year, because our customers were the kinds that would pay for support. I think it might be a more difficult decision for some of our peers. I know for us, the plus side of it is that our press mentions went up, our leads went up, our sales are up 140 percent, our average sales price is up - everything has gone up since we went GPL. Part of that may be that we're just becoming better known as a company, so the brand is selling it, but I credit a lot of it to the GPL. We are more developer-friendly. More developers that work at big companies or other companies are downloading us and trying us out. They can trust the code before they trust the company, because at the end of the day, they own the code. They don't have to come back to us.
Well, I think Red Hat's going to beat us to it, but my personal goal is to
be the first pure-play, open source software company to be a billion
dollars in annual revenues - just prove that you can do it by giving the
software away for free.
Are we going to see open source dominating software within ten years, say?
In terms of product ambition, we would like to see content management used by everybody on the planet. It depends on how broadly you define content management, and that's one of the things that we're working on. Today, it's a roughly three billion dollar market, but within any enterprise, only five percent of the people in the enterprise actually use a content management system. So we're trying to bring down the cost and [improve] the ease of use so that it's as easy to use a content management system as it is to send an email, as it is to search and Google, as it is to blog.
I think that every software company on the planet, within the next year,
will be doing significant open source software within their walls,
including Microsoft. In fact, Microsoft has actually been an early adopter
because they perceive the threat more acutely than most.
What were your first thoughts when you heard about the Microsoft-Novell deal?
I believe that within ten years most of the software will be delivered in open source-esque fashion, either as software as a service, or directly through open source. The general trend, I think, is that software will become a service over the next ten years. That's not to say that there won't be heavy outposts of traditional software. [But] just look around at the start-ups that are being funded: it's very hard to get a traditional proprietary software company funded right now.
I was extremely disappointed because if there's any company that didn't
need to do that, it was actually Novell. Because Novell has patents that
go to the heart of both Microsoft's Windows Server business and its Office
business. Novell was under absolutely no threat of ever being sued by
Microsoft, period.
Are there any threats that you see facing open source as it grows in the future?
The reason they did it is to try to club Red Hat. Novell thinks it has an interest in destroying Red Hat; really what Novell needs is for Red Hat to continue to be successful and for Novell to learn how to be successful with Linux. I just remember thinking: Here's Novell. It's best chance of surviving in the future is to move toward more of an open source model, and it's just basically told the very community that could feed it that it didn't want it. It was cutting itself off from its future. I think it's done itself irreparable harm now. I just think Novell will have a very hard time ever gaining credibility again as an open source vendor.
I worry that diluted forms of open source will come to be viewed as
acceptable, and that's why I think the OSI is so important. When I look
around at my peers, they're arguing for an expanded definition of what open
source means - they want this Attribution [variant] to be accepted, they
want various different licensing models to be accepted as open source.
It sounds like you've become quite religious about it.
I do worry that if we bastardize the concept of open source to make it lowest common denominator business-friendly, then we lose the power of open source. Because the greatest threat to Microsoft and to these proprietary software companies is not a weak form of open source, but it's the full, pure open source. Frankly, it's GPL'd open source.
I've come 180 degrees on it, and I am a little bit religious on it, because
ultimately, coming back to the point I was arguing against Larry Lessig in
law school, I think freedom does matter. What's odd is that it actually
matters as much to the vendor as it does to the customer.
Glyn Moody writes about open source at opendotdotdot.
For the long-term success of open source vendors, they need to realize that freedom is in their interest, too. When you throw away all the safety nets, the proprietary crutches, it forces you to do business in a way that's overwhelmingly positive for customers. And if you can do that, then you'll be successful.
Security Security research: buy low, sell high?Security researchers have a hard job, with vendors often ignoring their research or, worse yet, slapping them with a lawsuit or criminal charges for finding bugs. Even when vendors take them seriously, it is difficult to turn good research into something you can eat, or pay the rent with. Finding and reporting vulnerabilities is often a "loss leader" for a security company or researcher; it is hoped that the credit they get will translate into sales of their products or services. A new vulnerability auction site seeks to change that, by directly turning vulnerabilities into cash. A Swiss company, WabiSabiLabi, runs the MarketPlace auction site to "enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," according to the press release announcement. WabiSabiLabi is also in the business of providing security consulting which may be connected, as they claim to provide information on "known and unknown" vulnerabilities. Though there is no mention of cost for providing the auction service, early warning of zero-day vulnerabilities could be part of what the company charges researchers. The model for the MarketPlace site is eBay, with several types of sales available, including traditional and dutch auctions. There is also the "Buy now!" option and, something specific to MarketPlace, the "Buy exclusively" option which, if offered and then used by a bidder, does not allow the vulnerability to be auctioned again. WabiSabiLabi serves as an intermediary in the transaction, in some ways like an escrow service; they test and vouch for the vulnerability while protecting the identities of the sellers and bidders. At first blush, this would seem a perfect way for a criminal organization to pick up vulnerabilities to use to further their aims, but WabiSabiLabi claims to scrutinize both buyers and sellers, before allowing them to use the site. The registration page warns that one will be required to fax an id card and telephone number before being granted access to the site, but one would hope their vetting process is more stringent than that. For buyers in particular, the bar should be set quite high, if undisclosed vulnerabilities are changing hands. So far, there are four vulnerabilities listed on the site, two of which have bids. The first is a Linux kernel information disclosure that allows processes to read arbitrary kernel memory in 2.6 kernels up through 2.6.20.1, also known as CVE-2007-1000. The second is a SquirrelMail remote command execution bug. At press time, the current high bid for the kernel bug is €600, while the SquirrelMail vulnerability is at €700 (and can be bought outright, but not exclusively, for €2650). It is not entirely clear why anyone would bid for the kernel bug, one that has a CVE entry and has been fixed in the mainline for four months. Perhaps the novelty is enough or some buyer has money to burn. On the other hand, up until a BugTraq posting on 11 July, the SquirrelMail vulnerability looked like the kind that would draw some interest. It would appear, though, that even enough information to describe the bug for the auction, was enough for someone to figure it out. Do the bidders get to withdraw their bids under that circumstance? What, exactly, the bidders get is also in question. If the sellers want to be able to sell multiple times, presumably they do not want buyers disclosing the vulnerability, which could easily run counter to the aims of potential buyers (governments or Mozilla for example). It also might be rather hard to enforce. Perhaps there are security companies who want to protect their customers immediately from a zero-day, but it would be rather unethical for them not to work with the vendor to get the bug fixed. Clearly, the entities most interested in buying vulnerabilities, and keeping them secret for the long term, are the malicious ones. Tipping Point, iDefense and others already offer bounties to security researchers who have discovered flaws. For WabiSabiLabi and MarketPlace sellers, the best hope is that those companies all start bidding against each other on the site. A few, high profile, undisclosed vulnerabilities selling for thousands of dollars, is probably all it will take to propel the site to success. If that does not occur, one hopes that WabiSabiLabi will not fall into dealing with criminals, even though the return is likely to be much better. Security researchers should be rewarded, rather than punished, for their work, but it remains to be seen if this particular idea will help accomplish that goal.
Brief items An update on Yoggie GPL complianceNearly a month and a half has gone by since we looked at the Yoggie Pico laptop firewall. At the time, we promised an update on a request for information about the availability of source code for Linux and other GPL software. Unfortunately, after several email exchanges with the firm that does PR for Yoggie, the code is still unavailable. A release of code was promised for the end of June, but did not materialize. A further query, early this week, produced the following information: Yoggie has sent me a link to forward on to you that
shows the start of their open source license compliance. http://www.yoggie.com/Partners
They have also asked me to communicate the fact that they are working hard
to publishing all the relevant info asap and have their legal team and IT
staff dealing with it in tandem.
Hopefully, they really mean it this time.
New vulnerabilities dar: weak cryptography
gfax: insecure temporary files
kernel: signal handling flaw on PPC
vlc: several vulnerabilities
Updated vulnerabilities acroread: multiple vulnerabilities
apache2: information disclosure
apache: multiple vulnerabilities
apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
avahi: denial of service
bugzilla: multiple vulnerabilities
clamav: denial of service
cpio: arbitrary code execution
vixie-cron: privilege escalation
cscope: buffer overflows
cscope: buffer overflows
cups: denial of service
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
elinks: code execution
elinks: arbitrary file access
emacs21: denial of service
evolution: format string error
evolution-data-server: malicious server arbitrary code execution
pop mail man-in-the-middle attacks
fail2ban: log injection vulnerability
fail2ban: denial of service
file: integer overflow
firebird: buffer overflow
firefox: multiple vulnerabilities
freetype: arbitrary code execution
freetype: integer overflows
gcc: file overwrite vulnerability
gd: buffer overflow
gd: denial of service
gedit: format string vulnerability
gimp: multiple vulnerabilities
glibc: integer overflow
grip: buffer overflow
gzip: multiple vulnerabilities
HelixPlayer: arbitrary code execution
horde-kronolith: local file inclusion
ImageMagick: integer overflows
imlib2: arbitrary code execution
ipsec-tools: denial of service
jasper: denial of service
java: multiple vulnerabilities
kdebase: information leak
kdelibs: kate backup file permission leak
kdelibs: cross-site scripting
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service
kernel: denial of service by memory consumption
kernel: denial of service
kernel: several vulnerabilities
kernel: several vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
krb5: multiple vulnerabilities
krb5: uninitialized pointers
krb5: local privilege escalation
krb5: multiple vulnerabilities
ktorrent: incorrect validation
lftp: shell command execution
libexif: integer overflow
libgtop2: buffer overflow
libmodplug: boundary errors
libphp-phpmailer: command execution
libpng: denial of service
libpng: buffer overflow
libpng: heap based buffer overflow
libtiff: buffer overflow
libxml2 - arbitrary code execution
libxml2: multiple buffer overflows
lookup-el: insecure temporary file
lynx: arbitrary command execution
mod_jk: proxy bypass
mod_perl: denial of service
moin: arbitrary JavaScript execution
mplayer: buffer overflow
mplayer: buffer overflow
mydns: buffer overflows
mysql: denial of service
mysql: format string bug
MySQL: privilege violations
MySQL: logging bypass
nbd: arbitrary code execution
ncompress: buffer underflow
OpenOffice.org: arbitrary code execution
OpenSSH: denial of service
openssh: remote denial of service
pam: privilege escalation
perl-Net-DNS: predictable id sequence
php: multiple vulnerabilities
php: several vulnerabilities
php: multiple vulnerabilities
php: buffer overflows
php: several vulnerabilities
phpbb2: missing input sanitizing
phpbb2: multiple vulnerabilities
phpPgAdmin: cross-site scripting
phpwiki: remote code execution
pptpd: denial of service
proftpd: authentication bypass
pulseaudio: denial of service
python: information disclosure
qemu: multiple vulnerabilities
qt: "/../" injection
quake: buffer overflow
rpm: arbitrary code execution
Mozilla: multiple vulnerabilities
slocate: information disclosure
snort: remote arbitrary code execution
Sun JDK/JRE: multiple vulnerabilities
tcpdump: denial of service
tetex: buffer overflow
tomcat: directory traversal
vixie-cron: weak permissions may cause errors
webmin: cross-site scripting
wireshark: multiple vulnerabilities
wordpress: another pile of vulnerabilities
XFree86 X.org: integer overflows
xfsdump: insecure temp dir
xine: format string vulnerabilities
xine-lib: arbitrary code execution
xine-lib: buffer overflow
xinit: race condition
xmms: BMP handling vulnerability
zziplib: buffer overflow
Page editor: Jake Edge Kernel development Brief items Kernel release statusThe current 2.6 kernel is 2.6.22.1. Linus announced the release of the 2.6.22 kernel on July 8. For those just tuning in: much has happened in this development cycle, including the addition of the mac80211 (formerly "Devicescape") wireless networking stack, the eventfd system calls, some new TCP congestion control algorithms, a rewritten CFQ I/O scheduler, a new IEEE1394 ("Firewire") stack, support for the Blackfin architecture, the long-awaited IVTV TV tuner driver, and much more. See the KernelNewbies 2.6.22 page for vast amounts of detail, the long-format changelog for even more detail, or the short-form changelog for a (relatively) concise listing of patches in this release.The 2.6.22.1 update, released on July 10, adds an SCTP security fix which had somehow managed not to get into 2.6.22. The 2.6.23 merge window has opened, and some 500 patches have found their way into the mainline git repository (as of this writing). For older kernels: the 2.6.20.15 and 2.6.21.6 stable updates were released on July 6; each contains a single fix for a security problem in the netfilter H323 connection tracking code.
Kernel development news Quote of the week
We all know swap prefetch has been tested out the wazoo since Moses
was a little boy, is compile-time and runtime selectable, and gives
an important and quantifiable performance increase to desktop
systems. Save a Redhat employee some time reinventing the wheel
and just merge it. This wheel already has dope 21" rims...
-- Matthew
Hawkins
The 2.6.23 merge window opensLinus opened the 2.6.23 merge window with a bang: the first thing merged was the CFS CPU scheduler. The group scheduling feature is not available, however, since it depends on the generic process containers patch, and would appear that containers will have to wait another cycle.Other patches merged so far include an IDE update, the rtl8187 wireless network driver (the first driver to use the mac80211 stack), support for the Yukon EX (88e8071) network adapter chipset, Xbox 360 gamepad support, a big rework of the splice() code which replaces sendfile() and adds an internal vmsplice_to_user() feature, an LZ01X compression implementation, and the removal of a number of ancient CDROM drivers. The 2.6.23 process has barely begun, expect a great deal of work to be merged yet. Andrew Morton's 2.6.23 merge plan is useful reading for those who would like to know what else may go in; among other things, it looks like this kernel will include fallocate(), lguest, and the on-demand readahead patches. Bear in mind that much of what goes into 2.6.23 will not get there by way of Andrew, so this is far from a complete list of what this kernel will contain.
An API for virtual I/O: virtioLinux has an abundance of virtualization choices, each with its own way of dealing with I/O. A recent set of kernel patches, submitted to the kernel-virtualization mailing list by Rusty Russell, would allow different virtualization implementations to share drivers by using a virtual I/O interface called virtio. There have been several public iterations of the interface with the latest, draft IV, narrowing in on what appears to be an acceptable solution, at least with the virtualization folks. There are always questions about adding yet another layer into the kernel, but the advantages for virtio are numerous. Russell outlines several in one of his posts to the kernel-virtualization list. There is some amount of urgency in devising a solution because several of the virtualization projects are either working on or reworking their virtual I/O. If an established mechanism, that already provides working block and network drivers existed, those projects, as well as any newcomers, would be likely to use it. Another key element is to try and prevent a major proliferation of kernel drivers each handling slightly different virtual block I/O. Trying to tune and maintain those drivers could become a major headache, so virtio separates the guest Linux side of the driver from the code that is specific to the hypervisor implementation. Each group of developers can maintain the code on their side of the API without changing the other, unless, of course, the virtio API itself needs to change. It is likely that some kind of virtual I/O will be adopted, as the kernel developers are likely to be unwilling to merge new drivers for each different virtualization mechanism that comes along; some commonality is required. The basic abstraction used by virtio is a "buffer", which consists of a struct scatterlist array. The array contains "out" entries describing data destined for the underlying hypervisor driver, as well as "in" entries for that driver to store data to return to the guest driver. The order is fixed (out followed by in) and a count of each is part of the buffer description, which allows the hypervisor driver to determine what it has. This buffer abstraction encapsulates everything needed to communicate data to be written to or read from the hypervisor driver and, eventually, the underlying device. A guest driver, that uses the virtio interface, hands off buffers to the hypervisor driver and awaits their completion. At its core, the virtio API is a set of functions that are provided by the hypervisor driver to be used by the guest:
struct virtqueue_ops {
int (*add_buf)(struct virtqueue *vq,
struct scatterlist sg[],
unsigned int out_num,
unsigned int in_num,
void *data);
void (*sync)(struct virtqueue *vq);
void *(*get_buf)(struct virtqueue *vq, unsigned int *len);
int (*detach_buf)(struct virtqueue *vq, void *data);
bool (*restart)(struct virtqueue *vq);
};
This operations vector is initialized by the hypervisor and passed to the
guest driver using a probe() function. The guest then
sets up its data structures and registers with its kernel as a block
or network device driver.
The basic operation uses add_buf() to register one or more buffers with the hypervisor driver. That driver is kicked via the sync() call to start processing the buffers. Each struct virtqueue has a callback associated with it which will be called when some buffers have completed. The guest then calls the get_buf() function to retrieve completed buffers. To support polling, which is used by network drivers, get_buf() can be called at any time, returning NULL if none have completed. The guest driver can disable further callbacks, at any time, by returning zero from the callback. The restart() routine is then used to re-enable them. Finally, the detach_buf() call is used during shutdown to cancel the operation indicated by the buffer and to retrieve it from the hypervisor driver. As part of his patches, Russell has working example block and network drivers using the virtio interface. Each uses the virtio API differently, and the requirements of each kind of device has pushed the evolution of the interface into its current form. He has also posted an example of a driver implementing virtio for his lguest hypervisor. The block driver uses a protocol that the buffer always has at least one out and in element. The first element passes the sector and type (read or write) information to the hypervisor driver and the first in element receives the status of the request. For a write, there are additional out elements, whereas for a read, there are additional in elements. When the I/O completes, the callback is invoked and the get_buf() calls return the completed buffers. The network driver uses separate virtqueues for sending and receiving packets which allows it to avoid any locking between the two. Each side only uses half of the scatterlist, out for sending and in for receiving. One of the major differences from "draft III" is combining the two types of buffers; previously there were "inbufs" and "outbufs" and the operations vector had calls for each type. By noticing that they could be combined while still supporting single direction buffers, Russell has halved the number of operations that need to be implemented. Currently, a hypervisor that wants to provide virtio devices to its guests must arrange to call the virtblock_probe() or virtnet_probe() functions. Any device discovery must be handled by the hypervisor and the guest driver is linked to the hypervisor driver at compile time. Dynamic, mix and match, hypervisor/guest combinations are not yet available, but will be down the road; proposals are already being floated on the kernel-virtualization list. In a blog posting, Russell describes the tension between performance and abstraction:
The danger is to come up with an abstraction so far removed from what's
actually happening that performance sucks, there's more glue code than
actual driver code and there are seemingly arbitrary correctness
requirements. But being efficient for both network and block devices is
also quite a trick.
It remains to be seen if the performance can live up to the needs of the various virtualization projects. If it does, and the interface is abstract enough to handle the kinds of virtual devices required, we should see some kind of push to get it included in the kernel sometime soon.
Video4Linux2 part 6b: Streaming I/O
With the read() and write() methods, each video frame is copied between user and kernel space as part of the I/O operation. When streaming I/O is being used, instead, this copying does not happen; instead, the application and the driver exchange pointers to buffers. These buffers will be mapped into the application's address space, making it possible to perform zero-copy frame I/O. There are two different types of streaming I/O buffers:
Note that drivers are not required to support streaming I/O, and, if they do support streaming, they do not have to handle both buffer types. A driver which is more flexible will support more applications; in practice, it seems that most applications are written to use memory-mapped buffers. It is not possible to use both types of buffer simultaneously. We will now delve into the numerous grungy details involved in supporting streaming I/O. Any Video4Linux2 driver writer will need to understand this API; it is worth noting, however, that there is a higher-level API which can help in the writing of streaming drivers. That layer (called video-buf) can make life easier when the underlying device can support scatter/gather I/O. The video-buf API will be discussed in a future installment. Drivers which support streaming I/O should inform the application of that fact by setting the V4L2_CAP_STREAMING flag in their vidioc_querycap() method. Note that there is no way to describe which buffer types are supported; that comes later.
The v4l2_buffer structureWhen streaming I/O is active, frames are passed between the application and the driver in the form of struct v4l2_buffer. This structure is a complicated beast which will take a while to describe. A good starting point is to note that there are three fundamental states that a buffer can be in:
These states, and the operations which cause transitions between them, come together as shown in the diagram below:
The actual v4l2_buffer structure looks like this:
struct v4l2_buffer
{
__u32 index;
enum v4l2_buf_type type;
__u32 bytesused;
__u32 flags;
enum v4l2_field field;
struct timeval timestamp;
struct v4l2_timecode timecode;
__u32 sequence;
/* memory location */
enum v4l2_memory memory;
union {
__u32 offset;
unsigned long userptr;
} m;
__u32 length;
__u32 input;
__u32 reserved;
};
The index field is a sequence number identifying the buffer; it is only used with memory-mapped buffers. Like other objects which can be enumerated in the V4L2 interface, memory-mapped buffers start with index 0 and go up sequentially from there. The type field describes the type of the buffer, usually V4L2_BUF_TYPE_VIDEO_CAPTURE or V4L2_BUF_TYPE_VIDEO_OUTPUT. The size of the buffer is given by length, which is in bytes. The size of the image data contained within the buffer is found in bytesused; obviously bytesused <= length. For capture devices, the driver will set bytesused; for output devices the application must set this field. field describes which field of an image is stored in the buffer; fields were discussed in part 5a of this series. The timestamp field, for input devices, tells when the frame was captured. For output devices, the driver should not send the frame out before the time found in this field; a timestamp of zero means "as soon as possible." The driver will set timestamp to the time that the first byte of the frame was transferred to the device - or as close to that time as it can get. timecode can be used to hold a timecode value, useful for video editing applications; see this table for details on timecodes. The driver maintains a incrementing count of frames passing through the device; it stores the current sequence number in sequence as each frame is transferred. For input devices, the application can watch this field to detect dropped frames. memory tells whether the buffer is memory-mapped or user-space. For memory-mapped buffers, m.offset describes where the buffer is to be found. The specification describes it as "the offset of the buffer from the start of the device memory," but the truth of the matter is that it is simply a magic cookie that the application can pass to mmap() to specify which buffer is being mapped. For user-space buffers, instead, m.userptr is the user-space address of the buffer. The input field can be used to quickly switch between inputs on a capture device - assuming the device supports quick switching between frames. The reserved field should be set to zero. Finally, there are several flags defined:
Buffer setupOnce a streaming application has performed its basic setup, it will turn to the task of organizing its I/O buffers. The first step is to establish a set of buffers with the VIDIOC_REQBUFS ioctl(), which is turned by V4L2 into a call to the driver's vidioc_reqbufs() method:
int (*vidioc_reqbufs) (struct file *file, void *private_data,
struct v4l2_requestbuffers *req);
Everything of interest will be in the v4l2_requestbuffers structure, which looks like this:
struct v4l2_requestbuffers
{
__u32 count;
enum v4l2_buf_type type;
enum v4l2_memory memory;
__u32 reserved[2];
};
The type field describes the type of I/O to be done; it will usually be either V4L2_BUF_TYPE_VIDEO_CAPTURE for a video acquisition device or V4L2_BUF_TYPE_VIDEO_OUTPUT for an output device. There are other types, but they are beyond the scope of this article. If the application wants to use memory-mapped buffers, it will set memory to V4L2_MEMORY_MMAP and count to the number of buffers it wants to use. If the driver does not support memory-mapped buffers, it should return -EINVAL. Otherwise, it should allocate the requested buffers internally and return zero. On return, the application will expect the buffers to exist, so any part of the task which could fail (memory allocation, for example) should be done at this stage. Note that the driver is not required to allocate exactly the requested number of buffers. In many cases there is a minimum number of buffers which makes sense; if the application requests fewer than the minimum, it may actually get more buffers than it asked for. In your editor's experience, for example, the mplayer application will request two buffers, which makes it susceptible to overruns (and thus lost frames) if things slow down in user space. By enforcing a higher minimum buffer count (adjustable with a module parameter), the cafe_ccic driver is able to make the streaming I/O path a little more robust. The count field should be set to the number of buffers actually allocated before the method returns. Setting count to zero is a way for the application to request that all existing buffers be released. In this case, the driver must stop any DMA operations before freeing the buffers or terrible things could happen. It is also not possible to free buffers if they are current mapped into user space. If, instead, user-space buffers are to be used, the only fields which matter are the buffer type and a value of V4L2_MEMORY_USERPTR in the memory field. The application need not specify the number of buffers that it intends to use; since the allocation will be happening in user space, the driver need not care. If the driver supports user-space buffers, it need only note that the application will be using this feature and return zero; otherwise the usual -EINVAL return is called for. The VIDIOC_REQBUFS command is the only way for an application to discover which types of streaming I/O buffer are supported by a given driver.
Mapping buffers into user spaceIf user-space buffers are being used, the driver will not see any more buffer-related calls until the application starts putting buffers on the incoming queue. Memory-mapped buffers require more setup, though. The application will typically step through each allocated buffer and map it into its address space. The first stop is the VIDIOC_QUERYBUF command, which becomes a call to the driver's vidioc_querybuf() method:
int (*vidioc_querybuf)(struct file *file, void *private_data,
struct v4l2_buffer *buf);
On entry to this method, the only fields of buf which will be set are type (which should be checked against the type specified when the buffers were allocated) and index, which identifies the specific buffer. The driver should make sure that index makes sense and fill in the rest of the fields in buf. Typically drivers store an array of v4l2_buffer structures internally, so the core of a vidioc_querybuf() method is just a structure assignment. The only way for an application to access memory-mapped buffers is to map them into their address space, so a vidioc_querybuf() call will typically be followed by a call to the driver's mmap() method - this method, remember, is stored in the fops field of the video_device structure associated with this device. How the driver handles mmap() will depend on just how the buffers are set up in the kernel. If the buffer can be mapped up front with remap_pfn_range() or remap_vmalloc_range(), that should be done at this time. For buffers in kernel space, pages can also be mapped individually at page-fault time by setting up a nopage() method in the usual way. A good discussion of handling mmap() can be found in Linux Device Drivers for those who need it. When mmap() is called, the VMA structure passed in should have the address of one of your buffers in the vm_pgoff field - right-shifted by PAGE_SHIFT, of course. It should, in particular, be the offset value that your driver returned in response to a VIDIOC_QUERYBUF call. Please iterate through your list of buffers and be sure that the incoming address matches one of them; video drivers should not be a means by which hostile programs can map arbitrary regions of memory. The offset value you provide can be almost anything, incidentally. Some drivers just return (index<<PAGE_SHIFT), meaning that the incoming vm_pgoff field should just be the buffer index. The one thing you should not do is store the actual kernel-space address of the buffer in offset; leaking kernel addresses into user space is never a good idea. When user space maps a buffer, the driver should set the V4L2_BUF_FLAG_MAPPED flag in the associated v4l2_buffer structure. It must also set up open() and close() VMA operations so that it can track the number of processes which have the buffer mapped. As long as this buffer remains mapped somewhere, it cannot be released back to the kernel. If the mapping count of one or more buffers drops to zero, the driver should also stop any in-progress I/O, as there will be no process which can make use of it.
Streaming I/OSo far we have looked at a lot of setup without the transfer of a single frame. We're getting closer, but there is one more step which must happen first. When the application obtains buffers with VIDIOC_REQBUFS, those buffers are all in the user-space state; if they are user-space buffers, they do not really even exist yet. Before the application can start streaming I/O, it must put at least one buffer into the driver's incoming queue; for an output device, of course, those buffers should also be filled with valid frame data. To enqueue a buffer, the application will issue a VIDIOC_QBUF ioctl(), which the V4L2 maps into a call to the driver's vidioc_qbuf() method:
int (*vidioc_qbuf) (struct file *file, void *private_data,
struct v4l2_buffer *buf);
For memory-mapped buffers, once again, only the type and index fields of buf are valid. The driver can just perform the obvious checks (type and index make sense, the buffer is not already on one of the driver's queues, the buffer is mapped, etc.), put the buffer on its incoming queue (setting the V4L2_BUF_FLAG_QUEUED flag), and return. User-space buffers can be more complicated at this point, because the driver will have never seen this buffer before. When using this method, applications are allowed to pass a different address every time they enqueue a buffer, so the driver can do no setup ahead of time. If your driver is bouncing frames through a kernel-space buffer, it need only make a note of the user-space address provided by the application. If you are trying to DMA the data directly into user-space, however, life is significantly more challenging. To ship data directly into user space, the driver must first fault in all of the pages of the buffer and lock them into place; get_user_pages() is the tool to use for this job. Note that this function can perform significant amounts of memory allocation and disk I/O - it could block for a long time. You will need to take care to ensure that important driver functions do not stall while get_user_pages(), which can block for long enough for many video frames to go by, does its thing. Then there is the matter of telling the device to transfer image data to (or from) the user-space buffer. This buffer will not be contiguous in physical memory - it will, instead, be broken up into a large number of separate 4096-byte pages (on most architectures). Clearly, the device will have to be able to do scatter/gather DMA operations. If the device transfers full video frames at once, it will need to accept a scatterlist which holds a great many pages; a VGA-resolution image in a 16-bit format requires 150 pages. As the image size grows, so will the size of the scatterlist. The V4L2 specification says:
If required by the hardware the driver swaps memory pages within
physical memory to create a continuous area of memory. This happens
transparently to the application in the virtual memory subsystem of
the kernel.
Your editor, however, is unwilling to recommend that driver writers attempt this kind of deep virtual memory trickery. A more promising approach could be to require user-space buffers to be located in hugetlb pages, but no drivers do that now. If your device transfers images in smaller pieces (a USB camera, for example), direct DMA to user space may be easier to set up. In any case, when faced with the challenges of supporting direct I/O to user-space buffers, the driver writer should (1) be sure that it is worth the trouble, given that applications tend to expect to use memory-mapped buffers anyway, and (2) make use of the video-buf layer, which can handle some of the pain for you. Once streaming I/O starts, the driver will grab buffers from its incoming queue, have the device perform the requested transfer, then move the buffer to the outgoing queue. The buffer flags should be adjusted accordingly when this transition happens; fields like the sequence number and time stamp should also be filled in at this time. Eventually the application will want to claim buffers in the outgoing queue, returning them to the user-space state. That is the job of VIDIOC_DQBUF, which becomes a call to:
int (*vidioc_dqbuf) (struct file *file, void *private_data,
struct v4l2_buffer *buf);
Here, the driver will remove the first buffer from the outgoing queue, storing the relevant information in *buf. Normally, if the outgoing queue is empty, this call should block until a buffer becomes available. V4L2 drivers are expected to handle non-blocking I/O, though, so if the video device has been opened with O_NONBLOCK, the driver should return -EAGAIN in the empty-queue case. Needless to say, this requirement also implies that the driver must support poll() for streaming I/O. The only remaining step is to actually tell the device to start performing streaming I/O. The Video4Linux2 driver methods for this task are:
int (*vidioc_streamon) (struct file *file, void *private_data,
enum v4l2_buf_type type);
int (*vidioc_streamoff)(struct file *file, void *private_data,
enum v4l2_buf_type type);
The call to vidioc_streamon() should start the device after checking that type makes sense. The driver can, if need be, require that a certain number of buffers be in the incoming queue before streaming can be started. When the application is done it should generate a call to vidioc_streamoff(), which must stop the device. The driver should also remove all buffers from both the incoming and outgoing queues, leaving them all in the user-space state. Of course, the driver must be prepared for the application to simply close the device without stopping streaming first.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jake Edge Distributions News and Editorials Looking forward to Mandriva 2008Mandriva 2008 is scheduled for a September release. The team is planning on a Cooker Snapshot (alpha release) followed by two betas and two release candidates before the final release on September 27, 2007.This page provides a run down of the biggest new versions and features that will be coming with Mandriva Linux 2008. Under the hood there's a 2.6.22 "tickless" kernel, ALSA 1.0.14 and built in support for the Hauppauge PVR series cards. The desktop is powered by X.org 7.3, featuring the new XrandR 1.2 framework. It also has GCC 4.2, with a complementary build of 4.3 available as an option in the /main repository. On the desktop you can take your pick of GNOME 2.20, KDE 3.5.7 (with a KDE 4 preview)or XFCE 4.4.1. The GNOME release includes Ekiga 3.0 and support for fillable forms in Evince (PDF reader). The KDE 4 preview has the Nepomuk semantic desktop system. Compiz Fusion, the re-merge between the Compiz and Beryl 3D desktop technologies, will be available as well. Among the improvements to interoperability and standards compliance is a complete migration to the XDG menu standard. Mandriva Linux 2008 will adopt the Fedora initialization system for udev, and move to a more distribution independent system for detecting and configuring hardware. A new configuration and management tool will replace several separate applications used to configure and manage network connections. WPA-EAP ('WPA Enterprise') authentication and security framework will be implemented in both the new network configuration tool. A hybrid suspend mode will be implemented for Mandriva Linux 2008, in which the system state will be saved to both memory and disk, allowing a quick resume from memory or a safe resume from disk. Contributing to Mandriva has never been easier. Volunteer maintainers have almost the same access to update and improve packages as Mandriva staff. Only a few of the most vital packages, such as the kernel, retain restrictions. There are plenty of ways to help out, including the package rebuild project which aims to refresh the package base by rebuilding and updating almost every package in the supported /main repository. Take a look at the technical specifications to see where else you might wish to help out.
New Releases First release candidate for 64 Studio 2.0 - "Safe as Milk"64 Studio 2.0-rc1 has been released. "Safe as Milk" was taken from the second track on Strictly Personal, the second album by Captain Beefheart & His Magic Band. The final 2.0 release is expected by the end of the month.
CentOS 5 i386 Live CDThe CentOS Development team has announced the availability of the CentOS 5 i386 Live CD. This CD is based on CentOS-5.0 i386 distribution with live CD technology from the ADIOS Live CD Project. This CD can be used as a workstation or a rescue disk.
Distribution News Debian Menu transitionBill Allombert looks at the Debian Menu transition. "With the upload of menu 2.1.35, the transition to implement the new menu hierarchy discussed in bug #361418 officialy start. The menu is now in transitional mode until packages are fixed. Menu sections translations will be updated in subsequent releases."
Debian release team releases hold on unstableMarc 'HE' Brockschmidt covers the news from the Debian release team. "Since my last mail, we have been able to fix up the missing odds and ends and have finally pushed a big chunk of packages to testing. This resolves most of the outstanding library transitions, so you can go back to doing whatever you want in unstable. Thank you all for helping by not uploading unneeded stuff for the past few days."
Debian looking for new FTP assistantsDPL Sam Hocevar has announced a search for new FTP assistants. "Though I have already received a few offers to help, most of them were from people already very deeply committed to other tasks in Debian, which kind of defeats the idea of having fresh blood in the teams. Which is not to say that their help is not being considered or appreciated, but rather that I *also* would like to see more "new" people."
The "new" Fedora BoardThe Fedora Board elections are over. Current board members Seth Vidal, Bill Nottingham, Chris Blizzard, and Matt Domsch will remain on the board for another term. New board members include Karsten Wade, Dennis Gilmore, Christopher Aillon, Jef Spaleta and Steve Dickson.
Fedora Kadischi reached End Of LifeKadischi, a program used to create custom Fedora spins, is no longer supported. The revisor project is the successor to kadischi.
Please Read: Need help in replacing music in Fedora packageTom Callaway has a problem with one of his Fedora packages (rocksndiamonds). It includes copyrighted music without permission from the copyright holder. So he is looking for some replacement music that can be used under a Creative Commons type license. Otherwise this game will have to be pulled from the Fedora archives.
Gentoo Council 2007/2008 NominationsA web page has been set up to track the nominations for Gentoo Council.
Distribution Newsletters Fedora Weekly News Issue 95The Fedora Weekly News for July 7 2007 covers the New Infrastructure Ticketing System, a Reminder -- Vote in the Fedora Board election, Fedora Core 5 Retirement (EOL), Fedora Planet articles Red Hat High, Fedora Free Media Program and The Tone of Fedora, Fedora Reviews and much more.
Ubuntu Weekly News: Issue #47The Ubuntu Weekly Newsletter for July 7, 2007 features two weeks of news packed into one issue, including a look at the second alpha of Gutsy Gibbon 7.10, some new members and LoCo teams, an ambitious set of features announced for the next Launchpad milestones, and the security updates and bug stats you all have learned to love.
DistroWatch Weekly, Issue 210The DistroWatch Weekly for July 9, 2007 is out. "The all-new Slackware Linux 12.0 should have been the major story of the week, but it was the release of Elive 1.0 that stole some of Slackware's thunder; we will take a quick look at the Enlightenment-powered desktop distribution, link to an interesting interview with the project's founder, and explain why DistroWatch provides direct download links to the Elive CD images. In other news, Fedora's Max Spevack talks about the future and vision of the popular distribution, Kubuntu's Jonathan Ridell explains why KDE 4 will not be the default desktop in Gutsy Gibbon, and Mandriva's Adam Williamson introduces NEPOMUK, a new social semantic desktop technology for KDE. All this and more in this week's issue of DistroWatch Weekly."
Distribution meetings 3 Debian developer meetings in Extremadura 2007The Spanish region of Extremadura will sponsor Debian Work Meetings in the same way they did last year. "Projects that want to use this great opportunity should create a wiki page with goals for the meeting and a list of attending people..."
Newsletters and articles of interest Enlighten your desktop with Elive (Packt Publishing)Mayank Sharma interviews Samuel Baggen, creator of the Elive distribution. "On its website, Elive claims to be more than a simple Linux distro, rather a work of art. I might be a little biased but that's probably true. One look at Elive's graceful and charming environment and you are sold. And unlike today's 3D visualization, Elive can run efficiently on older systems as well with a gamut of desktop applications. Its got detailed documentation Wiki and an active forum to answer questions."
A face-to-face conversation with Max Spevack of Fedora (Technetra)Alolita Sharma and Robert Adkins talk with Max Spevack. "We had the opportunity to sit down face-to-face with Max Spevack, chairman of the Fedora project, at the Red Hat Summit in San Diego to talk about all things Fedora -- the merger of Fedora Core and Extras, Fedora 7, and the road ahead. Here are Max's responses to our questions."
Burning Debian packages and repositories to disc with APTonCD and apt-mirror (Linux.com)Linux.com takes a look at the APTonCD utility. "Have you ever wished you had access to your Linux distribution's online package repositories when you didn't have access to the Internet, or when your access was slow and unreliable? The recently released APTonCD utility allows users of Debian-based distributions to create backup CDs and DVDs of as many Debian packages as they can download. Used in conjunction with the apt-mirror utility, APTonCD can back up an entire package repository, spanning several CDs or DVDs."
Using Compiz, Beryl, And Metisse On A Mandriva 2007 Spring Desktop (HowtoForge)HowtoForge provides a tutorial on using Compiz, Beryl, and Metisse on a Mandriva 2007 Spring (Mandriva 2007.1) desktop. Your system must have a 3D-capable graphics card.
Distribution reviews Venerable Slackware 12 gets a sporty new wardrobe (Linux.com)Linux.com has a review of Slackware 12.0. "Slackware Linux is the oldest surviving Linux distribution, and still one of the most popular. Last week's release of version 12.0 is a milestone for the Slackware team, as it marks Slackware's first use of a default 2.6.x kernel. Other new components include KDE 3.5.7, Xfce 4.4.1, Xorg 7.2.0, and GCC 4.1.2. Slackware is now nearing the bleeding edge without sacrificing stability, making this truly an exciting release."
As Specialized A Linux Distro As You're Likely to Find (InformationWeek)InformationWeek takes a quick look at Hikarunix. "You want proof there's a Linux distribution for absolutely every possible application? Here's one for you: Hikarunix, a distro dedicated to Go players and based on the ever-versatile Damn Small Linux (DSL)."
Page editor: Rebecca Sobol Development The Synfig 2D Animation packageSynfig is a 2D vector animation film production system that runs under Linux, MacOS X and Windows. The Synfig project overview and history explains:
Synfig is a powerful, industrial-strength vector-based 2D animation software package, designed from the ground-up for producing feature-film quality animation with fewer people and resources. While there are many other programs currently on the market to aid with the efficient production of 2D animation, we are currently unaware of any other software that can do what our software can.
![[Synfig]](/images/ns/synfig.png)
One of the major and unique design goals of Synfig was to automate the tweening process, which involves smoothing out the coarse transitions from one image to the next. Synfig started off as a commercial application. Primary developer Robert Quattlebaum's company Voria Studios, LLC released the software as open-source under the GNU GPL in early 2006. A January, 2006 OSNews interview with Quattlebaum covers the reasons behind this decision in more detail. Synfig version 0.61.06 was recently announced: "It is the result of more than a year of contributions by the free software community. It has far fewer bugs, several usability enhancements, a set of new Tango-styled icons and other improvements." A Linux screenshot shows the application's user interface. A few short animation clips are available on the Synfig gallery, they can be viewed with the MPlayer utility. Additional demos have been posted on YouTube. The quality of the demos shows that the software is indeed able to produce useful animation. Synfig is available for download in source and package form here. There are a number of tutorials available for learning to use Synfig. The project is currently looking for assistance in the areas of C++ programming, art and documentation. Interested people should take part in the July 28, 2007 IRC meeting.
System Applications Database Software Firebird 2.1 beta 1 releasedVersion 2.1 beta 1 of the Firebird DBMS has been announced. "This is the first Beta build of the Firebird version 2.1 series. It is for FIELD TESTING ONLY and should not be put into production systems."
MySQL 5.1.20-beta has been releasedVersion 5.1.20-beta of the MySQL DBMS is out. "This release includes a security fix for Bug#25578 and Bug#23667: CREATE TABLE LIKE did not require any privileges on the source table."
PostgreSQL Weekly NewsThe July 8, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Embedded Systems BusyBox 1.6.1 releasedStable version 1.6.1 of BusyBox, a collection of command line utilities for embedded systems, is out. "This is a bugfix-only release, with fixes to echo, hush, and wget."
Interoperability Samba Adopts GPLv3 for Future ReleasesJeremy Allison has announced that future releases of Samba will be licensed under the GPLv3. "To allow people to distinguish which Samba version is released with the new GPLv3 license, we are updating our next version release number. The next planned version release was to be 3.0.26, this will now be renumbered so the GPLv3 version release will be 3.2.0."
Web Site Development Django status update: July 8For the latest news on Django, a Python-based web platform, see the July 8, 2007 edition of the Django status update.
Zope 3.4.0b1 releasedVersion 3.4.0b1 of the Zope web development platform is out. "This release is the first beta release for Zope 3.4.0. It was preceeded by an alpha release in April. Since the beta we finished repackaging of eggs, added three new features and fixed more than 12 bugs, please see the change log for details. Zope 3.4 introduces support for binary large objects in the ZODB, provides a new postprocessing hook for publishing results and makes all Zope packages available as Python eggs."
Desktop Applications Audio Applications Aqualung 0.9beta8 releasedVersion 0.9beta8 of Aqualung, a music player, is out. "This release is the latest in a series of beta releases on our way to the future stable release of Aqualung 1.0, which is anticipated to be released at the end of this year. The current release adds support for internet radio and tabbed playlists, also containing several smaller improvements and important bugfixes."
Ardour: progress with MIDIMIDI support is being added to Ardour, a multi-track audio workstation. "The screenshot below shows some of the progress being made in the trunk branch of Ardour toward MIDI recording, playback and editing. Congratulations and thanks to Dave Robillard, for his rapid work on the core of this as well as the code restructuring it has required, and to Google for funding Dave this summer."
Traverso 0.41.0 releasedVersion 0.41.0 of Traverso is out with several new capabilities and some bug fixes. "Traverso is a cross platform multitrack audio recording and editing suite with a clean and innovative interface targeted for home and professional use."
Data Visualization PLplot 5.7.3 releasedVersion 5.7.1 of PLplot, a library of functions for making scientific plots, is out. The release notes state: "This is a routine development release of PLplot. It represents the ongoing efforts of the community to improve the PLplot plotting package. Development releases in the 5.7.x series will be available every few months. The next stable release will be 5.8.0."
Desktop Environments GARNOME 2.18.3 releasedVersion 2.18.3 of GARNOME, the bleeding-edge GNOME distribution, is out. "This release incorporates the GNOME 2.18.3 Desktop and Developer Platform, fine-tuned and updated with love by the GARNOME Team. This is the forth (and last) release of the current stable GNOME branch, ironing out yet-more bugs, hopefully adding yet-more stability, and ships with the latest and greatest stable releases. As usual it includes updates and fixes after the official GNOME freeze, together with a host of third-party GNOME packages, Bindings and the Mono(tm) Platform."
GARNOME 2.19.5 releasedVersion 2.19.5 of GARNOME, the bleeding-edge GNOME distribution, is out. "This is the fifth release in the unstable cycle, with more features, more fixes and yet more madness added. Also icons. Indeed, icons. ;-) It is for anyone who wants to get his hands dirty on the development branch, or who'd like to get a peek at future features."
GNOME 2.18.3 releasedVersion 2.18.3 of the GNOME desktop has been released. "This is the final release in a series of point releases for the stable 2.18 branch. Come and see all the bug fixing, all the new translations and all the updated documentation brought to you by the wonderful team of GNOME contributors! While development is underway on the GNOME 2.19/2.20 road, work on the stable branch continued to make it even more solid."
GNOME 2.19.4 releasedVersion 2.19.4 of the GNOME desktop has been released. "This is our fourth development release on our road towards GNOME 2.20.0, which will be released in September 2007. New features are still arriving, so your mission is simple : Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."
GNOME 2.19.5 releasedA new development release of GNOME is available. "This is our fifth development release on our road towards GNOME 2.20.0, which will be released in September 2007. New features are still arriving, so your mission is simple : Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."
Sawfish Window Manager maintainer resignsMatt Foster sends us word that John Harper has resigned as the maintainer of the Sawfish window manager, according to this email thread.
GNOME String and UI Change announcement periodThe GNOME string change & UI change announcement period has been announced. "This means two things: + all string changes must be announced to gnome-i18n and gnome-doc-list + all user interface changes must be announced to gnome-doc-list".
GNOME Software AnnouncementsThe following new GNOME software has been announced this week:
KDE 4.0 Alpha 2 released (KDE.News)KDE.News has announced the release of KDE 4.0 Alpha 2. "This release comes straight out of Glasgow, the largest city in Scotland where aKademy is currently taking place. Hundreds of KDE hackers are working like crazy to hunt down bugs, complete features for KDE 4.0 and sit together developing and finishing new and exciting applications for the new major version of the leading Free Desktop. The most exciting new development is currently going on in Plasma, KDE 4's new shell for the desktop."
KDE Commit-Digest (KDE.News)The July 8, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Akademy 2007 draws to a close. Dolphin embedded as the file management view in Konqueror. Plasma continues to mature, with new data engines for Tasks and Bluetooth, and EBN and Task Manager Plasmoids making an introduction. Further progress in Javascript bindings through QtScript; import of Kimono (C#) classes. More basic functionality added to Kollagame, a game development IDE..."
KDE Software AnnouncementsThe following new KDE software has been announced this week:
Xorg Software AnnouncementsThe following new Xorg software has been announced this week:
Electronics gEDA/gaf development snapshot 1.1.0-20070705 releasedDevelopment snapshot 1.1.0-20070705 released of gEDA/gaf, a collection of electronic CAD tools, has been announced. "This release had a lot of changes, bug fixes, and new features. Many thanks to everybody involved."
Encryption Software GnuPG 2.0.5 releasedVersion 2.0.5 of GnuPG, an encryption utility, has been announced. "This is maintenance release with a few bug fixes and support for building for W32 platforms."
Games FreedroidRPG 0.10.2 releasedVersion 0.10.2 of the game FreedroidRPG is out. "This new version, mostly unchanged from the -rc4, focuses on making the development for the game easier, exported some hardcoded data into files, made the map editor a bit more usable and other major and minor tweaks."
Mail Clients Claws Mail 2.10.0 releasedRelease 2.10.0 of Claws Mail, an email client, has been announced. Changes include a long list of new features and bug fixes.
Music Applications Qsynth 0.3.0 (unstable-qt4) releasedVersion 0.3.0 of Qsynth is available. "Qsynth 0.3.0 is now out for you to try and guess what? This marks the point of no return to the aging Qt3 framework. Yes, Qt4 migration was complete."
Languages and Tools C gnucflow 1.2 is outStable version 1.2 of gnucflow has been announced. "'GNU cflow' analyzes a collection of C source files and prints a graph charting control flow within the program. It can produce both direct and inverted flowgraphs for C sources, or optionally generate a cross-reference listing. It implements either POSIX or GNU (extended) output formats. Input files can optionally be preprocessed before analyzing. The package also provides an Emacs major mode, so users can examine the produced flowcharts in Emacs."
C++ GCC newsThe latest news from the Gnu Compiler Collection includes: "C interoperability support (ISO Bind C) has been added to the Fortran compiler. The code was contributed by Christopher D. Rickett of Los Alamos National Lab. Experimental support for the upcoming ISO C++0x standard been added."
Caml Caml Weekly NewsThe July 10, 2007 edition of the Caml Weekly News is out with new Caml language articles.
Eiffel sather 1.2.3 releasedStable version 1.2.3 of sather, a language that is derived from Eiffel, has been announced. Sather is: "An object-oriented language with garbage collection, statically-checked strong typing, multiple inheritance, separate implementations and type inheritance, parameterized classes, dynamic dispatch, iteration abstraction, higher-order routines and iters, exception handling assertions, preconditions, postconditions, and class invariants. Code can be compiled into C code and can link with C object files."
Tcl/Tk Tcl-URL! - weekly Tcl news and linksThe July 10, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Libraries GLPK 4.19 releasedStable version 4.19 of GLPK has been announced. "GLPK (GNU Linear Programming Kit) is intended for solving large scale linear programming problems by means of the revised simplex method. It is a set of routines written in the ANSI C programming language and organized in the form of a library."
Miscellaneous GLOBAL 5.6 releasedVersion 5.6 of GLOBAL, a source code tagging system, is out. The release notes say: "From this version, the license was changed to GNU GPL3. Additionally, a big bug (memory leak) since 5.4.* was fixed."
Page editor: Forrest Cook Linux in the news Recommended Reading Dell's Linux desktop line keeps expanding (DesktopLinux)DesktopLinux reports that Dell is expanding its consumer Linux line. "When Dell first announced that it would be releasing Ubuntu Linux-powered consumer desktops and laptops, some people saw it as more of a stunt than a serious business move. They were wrong. Dell has already expanded its consumer Linux line, and now it has announced that it will soon be offering Ubuntu Linux systems outside of the United States and for new businesses."
Did ya know? It's Fair Use Day: July 11, 2007 (ars technica)ars technica reminds us that today is the day to celebrate our right to fairly use copyrighted material, no matter what the holders might wish you to believe. "'It is important the people are aware of what they can legally do with regards to copyrighted material,' said Pirate Party US spokesman Andrew Norton. 'Very often people believe that a use of copyrighted material that would normally fall into fair use is an infringement of copyright. It is a belief that copyright holders seek to enforce, either through frivolous litigation, intimidation, or legal and political maneuvering to legally restrict what can be considered fair use. This is especially true when it comes to critical reviews, or parodies.'"
Trade Shows and Conferences aKademy 2007: The Second Day (KDE.News)KDE.News covers aKademy. "aKademy 2007 continues! Sunday, the second day of the conference, brought more talks covering a wide diversity of topics. Read on for the Sunday aKademy 2007 Report. Sunday was very busy and interesting, and we regret that we were not able to attend and cover all talks. Yet, we reported some of the most interesting. Luckily, you will be able to find sheets and videos of the talks on the aKademy 2007 website."
aKademy 2007: KDE e.V. Meeting (KDE.News)KDE.News covers the KDE e.V. meeting at aKademy. "Officially, KDE is represented by the KDE e.V. which is located in Germany. The meeting started with general housekeeping tasks, followed by reports from the e.V. departments and the working groups. With the departure of Eva Brucherseifer, our long-standing president of the KDE e.V. for the past 5 years, the assembly elected a new board member. KDE e.V. would like to take this oportunity to thank Eva again for all the great work she performed during this time of great change within the KDE community and technological landscape, and we are pleased to hear that she will continue to contribute to KDE. The new elected board member is Klaas Freitag. After internal private discussion within the board, it was decided that Aaron Seigo will assume the presidency of the KDE e.V. board."
More aKademy 2007 (KDE.News)KDE.News continues its aKademy 2007 coverage with Education Day, Summer of Code and Tuesday Hack-a-thon.
Member of Scottish Parliament Patrick Harvie Talks to KDE (KDE.News)KDE.News covers the final talk at aKademy by Patrick Harvie, a Member of the Scottish Parliament for the Green Party. "While not a technical wizard like most of the other talks of the day, Patrick was able to describe to us the attitudes to free software from the Government he is elected to keep an eye on, and how the work of KDE developers applies to more than just software."
Akademy Awards 2007 (KDE.News)KDE.News covers the aKademy Awards. "At the second day of aKademy 2007, the contributors conference closed with the aKademy Awards Ceremony. Two of last years winners, Boudewijn Rempt and Laurent Montel awarded no less than four awards to Sebastian Trueg, Mathias Kretz, Danny Allen and Kenny Duffus."
Ottawa Linux Symposium 2007 Day 4 (excess.org)Ian Ward finishes his OLS coverage with a look at Extreme High Performance Computing or Why Microkernels suck (by Christoph H. Lameter), Cleaning Up The Linux Desktop Audio Mess (by Lennart Poettering) and The Price of Safety: Evaluating IOMMU Performance (by Muli Ben-Yehuda).
Linux robots descend on Atlanta (LinuxDevices)LinuxDevices has a report from Robocup. "Linux-powered robots are flocking to Atlanta this week to compete in the Robocup scientific competition. The eleventh annual event has attracted at least two Linux-based designs aiming to replace Sony's Aibo as the de facto hardware platform for standard Robocup league play."
Companies Lenovo quietly selling Linux-compatible laptops (DesktopLinux.com)DesktopLinux.com looks at the latest Linux laptop offerings from Lenovo. "Lenovo seems to have a love/hate relationship with Linux. Last year, it began offering its high-end T60p ThinkPad laptop with SLED 10 (SUSE Linux Enterprise Desktop). This year, the company is releasing its newest high-end laptop, the T61p ThinkPad, and once more, while it runs desktop Linux, the company isn't overly eager to let the world know about it. Be that as it may, Lenovo released the ThinkPad T61p, on July 10 and will start to ship it to customers later in July."
Interviews Interview with FSFE President Georg Greve by Sean Daly (Groklaw)Groklaw has an interview with Georg Greve, President of the Free Software Foundation Europe. "Sean Daly had the opportunity to meet up in Brussles (sic) with George Greve, President of the Free Software Foundation Europe, on July 2nd, and naturally he wanted to ask him about GPLv3. He also got Greve's views on what's wrong with Open XML, some news about the complaint ECIS, the European Committee For Interoperable Systems, has lodged with the European Commission, this time in the area of office and internet interoperability, how the FSFE's Freedom Task Force has been working out, and much more."
Resources A sysadmin toolbox for Web site maintenance (Linux.com)Linux.com looks at running a home web server. "I run a small but fairly active Web site from a home server, as was commonly done back in the early days of the World Wide Web. What started as a learning project soon grew to be my primary hobby. It takes a bit of knowledge of Linux systems, various open sourced applications, and how the Internet works to start a Web site from scratch. Here are some of the applications and tools that help me stay on top of things."
Reviews Gaming In Ubuntu Feisty Fawn (Techy Stuff)Techy Stuff reviews games (with screenshots) for Feisty Fawn. "It is true that you can't run to Walmart and buy a Linux version of the newest games; Yet there are plenty of games that are worth playing in Linux. Although there are thousands of Linux games, these are the best."
A brief hands-on with the Intel classmate PC (ars technica)ars technica takes a look at the Intel classmate PC. "The unit I looked at was powered by a specialized version of Mandriva 2007, with customizations aimed at school-aged children. It was packed with several free, open-source productivity programs such as OpenOffice.org, and included a number of customizations to make the KDE-powered interface easier to use for those with limited computer experience. Support for open-source software for these systems will reduce the price, but there are other advantages as well. Schools and governments will be able to modify the Classmate PC software to meet their needs."
Siag Office is far from pathetic (Linux.com)Linux.com reviews Siag Office. ""Siag, it sucks less!" This is the slogan for Siag Office. This and the self-effacing name for the Siag Office Word Processor, Pathetic Writer, might leave you thinking that this office suite is a mere plaything, a university student's cobbled-together programming assignment. But don't be fooled by first impressions. Siag Office is a lightweight suite of applications which might be just the right set of office tools for you, especially if you have older hardware."
Page editor: Forrest Cook Announcements Commercial announcements Alfresco Community Contribution Model 2.1 announcedAlfresco Software, Inc. has announced the release of the Alfresco 2.1 Community Contribution Model. "Contributions from the Alfresco Community to Alfresco 2.1 include wiki space, blog space and calendars, as well as multi-lingual document and translation management to assist in managing the document translation process and collections of translated material (for details of the latter project, please visit http://www.eionet.europa.eu/EIONET_Services/LongLiveCIRCABC)."
Canonical releases Storm as open sourceCanonical Ltd has announced the release of Storm, a generic open source object relational mapper (ORM) for Python. Storm is designed to support communication with multiple databases simultaneously. The Storm project welcomes participation. Its website includes a tutorial, and links to allow developers to download, report bugs and join the mailing list. Storm is licensed under the LGPL.
IBM pledges free access to patents for standardsIBM announced today that they are simplifying access to their patent portfolio as it applies to open standards. "IBM's commitment not only applies to the distributors, developers or manufacturers that are implementing the specifications involved, but also extends to their users or customers. It is valid as long as adopters are not suing any party -- not just IBM -- over necessary patented technology needed to implement the standards."
Intel and Novell Become Patrons of KDE (KDE.News)KDE.News reports that Intel and Novell have become corporate patrons of KDE. "Intel and Novell have both become corporate Patrons of KDE. Their exceptional financial commitment to the KDE e.V. helps the project with community events, infrastructure and developer meetings."
Mandriva adds a semantic layer to the KDE 4 desktopMandriva has put out a press release (click below) about what we can expect from the NEPOMUK-KDE project. "NEPOMUK-KDE introduces semantic capabilities to the upcoming release of the K Desktop Environment (KDE 4), providing an interoperable framework that can be harnessed by all KDE applications to allow annotating and interlinking any and all desktop objects."
Mandriva advances into Korea, the IT hub of AsiaMandriva has announced the opening of Mandriva Korea. "Mandriva, the global Linux distributor, selected MetaNav to become its official local representative in this fast growing technological environment in Asia. Mandriva and MetaNav reached an agreement to work together and co-develop open source products and services closely adapted to the East Asian market."
Microsoft's proclamation on GPLv3Microsoft has put out a statement claiming that, despite what others have said, it is not and will not be bound by any version of the GPL. But then one wonders why they say: "At this point in time, in order to avoid any doubt or legal debate on this issue, Microsoft has decided that the Novell support certificates that we distribute to customers will not entitle the recipient to receive from Novell, or any other party, any subscription for support and updates relating to any code licensed under GPLv3."
OpenLogic Enterprise 4.6 announcedOpenLogic, Inc. has announced the release of OpenLogic Enterprise 4.6. "... the newest release of its enterprise platform designed to help companies quickly and easily manage the use of open source software across the enterprise. OpenLogic Enterprise 4.6 contains many additions to the OpenLogic Certified Library, has a fast new automated installation process, and offers more enterprise control for updating security patches and versions of open source software."
New Books Forbidden LEGO - New from No StarchNo Starch Press has published the book Forbidden LEGO by Ulrik Pilegaard and Mike Dooley.
Contests and Awards Help choose the 2007 SourceForge.net Community Choice Award winners (Linux.com)Linux.com reports that the SourceForge.net community has selected the nominees, you can vote for the projects you think represent "the cream of the crop on SourceForge.net." Voting is open until July 20 and winners will be announced at OSCON the following week.
Education and Certification rPath Launches Certified Software Appliance Architect CurriculumrPath has announced it is launching a Certified Software Appliance Architect training curriculum, which will give participants the skills needed to build, deploy and maintain software appliances. The curriculum will employ a hands-on, lab-driven approach and focus on application packaging, software appliance design, image construction, lifecycle management, and virtualization technologies.
Upcoming Events Open Solutions Alliance to Congregate at OSCON Interoperability Hack-a-ThonThe Open Solutions Alliance (OSA) has announced it is hosting the first in its series of Interoperability Hack-a-Thons at O'Reilly Open Source Convention (OSCON) in Portland, Ore., July 23 - 27, 2007.
Events: July 19, 2007 to September 17, 2007The following event listing is taken from the LWN.net Calendar.
If your event does not appear here, please tell us about it. Web sites Announcing hardware4linux.infoThe hardware4linux.info site has been launched. "This is a new web site about hardware for Linux. The site allows to browse systems and components to find the ones that work or don't work with Linux. It works in a collaborative way: users install an LSB package to collect their hardware and system configuration, upload the collected data to the site and then rate their hardware components on the site."
Medwiki, the medical wiki (LinuxMedNews)LinuxMedNews has an announcement for the new Medwiki site. "What happens when a fan of Free Software and wikies wish to motivate your girlfriend to her Medicine studies? You could think in many things but possibly not to create a multilanguage wiki about Medicine and human health to her, but was exactly that what I did, and I couldn't choose a best gift."
Audio and Video programs Video of GPLv3 release now availableThe Free Software Foundation has made videos of Richard Stallman's GPLv3 release announcement available. "You can watch Stallman give an overview of the major changes in the license, and his reflections on the drafting process. The video is Ogg Theora, and is about fifteen minutes long."
Page editor: Forrest Cook
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Buffer states]](/images/ns/kernel/v4l2_buffers.png)