LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for July 26, 2007Fedora's mid-life crisisThe conversation started innocuously enough - or maybe it didn't. Rahul Sundaram's question was this: given recent decisions in the U.S. Supreme Court, might Fedora actually be able to point at repositories containing codecs which are said to infringe upon U.S. software patents? And, more to the point, regardless of what Red Hat's legal department says, does Fedora want to do such a thing? Fedora leader Max Spevack responded that, to answer this question, "the Fedora Board needs to reaffirm its larger strategy about Multimedia." There was some digression on how firmware does (or does not) differ from proprietary codecs. Then Mike McGrath broadened the scope further with a quick question:
What is our target market supposed to be?
The following is a quote from Bill Nottingham's response, but his message is worth reading in its entirety:
We don't have one! Seriously, I have yet to see anything that shows
that we have a coherent market, a plan for attack, or *anything*
along those lines.
So, we muddle along. Since no one has a plan or a target market, we implement whatever features the developers happen to think of, or random features vaguely relating to future enterprise development. Or we just incorporate the latest upstream.... Right now we don't have any overriding set of goals. So we never really say 'no, that isn't what we want Fedora to do' to anything that fits our simple 'uses open source, isn't completely targeted to obsolete things' mantra, and we attempt to do all of these things... which means we'll probably fail at all of them. This message clearly resonated among the Fedora developers, none of whom stood up to say that he or she had a clear idea of who the target market is. Fedora hackers are looking over at Ubuntu, which has adopted a focused view of what it is trying to do and which has had significant success as a result. The Fedora project is seen as lacking that focus; it's not sure of what it's trying to do. As the distribution matures, its community is starting to ask itself some hard questions about where it is trying to go. It's a sort of free software project mid-life crisis. Initially, Fedora's mission was seen - at least by outsiders - as serving as a proving ground for software destined to go into Red Hat Enterprise Linux and as a way to keep the venerable Red Hat Linux product around. So the target market will have been Red Hat itself, along with the Red Hat Linux users that Red Hat believed - almost certainly correctly - were an important part of making its enterprise offerings successful. There was no painful introspection in those days; Fedora mostly did what Red Hat wanted done - integrating Xen, for example - with the result that users began to despair of it ever being a truly community-oriented distribution. The situation has since changed considerably. Red Hat still holds considerable sway over what Fedora does by virtue of paying a large number of engineers to work on it. But the distribution has become much more open and more driven by what its community wants it to be - should the community decide what that is. There is a certain interest in turning Fedora into a polished desktop distribution. Doing so would require making some hard decisions: focusing on a single desktop, for example. It would require some sort of solution to the patent-encumbered codec problem. The support period - recently lengthened to just over one year - would probably have to be made longer yet. Much work would have to be done to make the various components of the distribution work together better; the tug-of-war between the two ways of configuring network interfaces (system-config-network and NetworkManager) was mentioned a few times. Maybe, instead, Fedora wants to be a solid base upon which others can create finished distributions, much like the role Debian plays for Ubuntu. There is a certain amount of pride over the project's revisor tool which makes it easy to create derivative versions of Fedora. If this tool worked well with external repositories, others could take on the work (and legal risk, if any) of creating and distributing versions of Fedora with complete codec support, binary-only drivers, or any of the other things which are not consistent with Fedora's philosophy. Aside from the fact that Fedora is still seen (by its developers) as needing more "polish" to serve in this role, there is an interesting set of trademark issues which comes into play once a derivative distribution has something other than Fedora packages in it. Fedora's trademark policy is already seen as an impediment by people making derived distributions (such as Dell's firmware updates live CD). It will be even harder for people trying to take Fedora into entirely new territory. The issues can be resolved by simply removing all references to the Fedora name, but there are advantages on both sides if derived distributions can claim to be based on Fedora. There has been some talk on how the policies could be changed, but anything concrete will happen some time from now, if ever. Alternatively, Fedora could be a distribution for developers who want something close to the leading edge and who are less concerned with "polish." It's a legitimate audience, but it is also limited in size. A number of other scenarios have been presented, but what is really required is for people to make the decisions and to get the work done to implement those decisions. It seems that Fedora is currently short of decision makers. Jesse Keating expressed it this way:
We seem to have a lot of sous chefs which are busy doing what they
know, but no executive chefs with a grand vision of what will be on
tomorrow's menus.
Anybody who aspires to be an executive chef can, if they actually try to make significant changes, expect a fair amount of resistance from elsewhere in the community. But perhaps the time has come for somebody who looks forward to that sort of challenge. The Fedora project has a solid base to build on and an increasingly open community process to help it get to where it wants to be. With the right focus on an interesting set of goals, Fedora could surprise the world. This distribution should have no trouble proving that it's not over the hill yet.
An "online desktop" for GNOME?An "online desktop" is not exactly a new idea, as X-based thin clients have been around for twenty years or more, but combining the desktop and the web is an idea that is gaining some momentum, at least in the GNOME community. The online-desktop project is an attempt to define a mashup of Linux, GNOME and web applications into something completely new. It is an ambitious goal, which will be met with a fair amount of skepticism, likely by all of the communities being mashed. In a keynote at the recent GUADEC 2007 conference, Bryan Clark and Havoc Pennington laid out a vision (slides in PDF format) of the online-desktop (OD) with the following top-level description:
The perfect window to the
Internet: integrated with all your favorite online apps, secure and
virus-free, simple to set up and zero-maintenance thereafter.
Many people are or will be using online applications almost exclusively, with the operating system just providing a platform to run the browser, at least according to Pennington and Clark. The OD would seamlessly connect the browser-based applications with any native programs that remain, storing data locally and remotely. This would allow users to access their data, including settings and preferences, from any internet connected device. A user would be able to jump between multiple computers and mobile devices, finding their entire desktop environment and data available on each. A new disk and fresh install would no longer require a tedious reconfiguration of preferences and restoration of backups, a user would simply log in to the 'service' and pick them all up. This network-centric view of computer usage is not particularly new either - Sun's "the network is the computer" initiative is a famous (or infamous) example. The keynote points to plans for the next version of Windows, which will be more closely integrated with Microsoft's internet services, as an indicator that the OD direction is the right one. In order for Microsoft to play its usual lock-in game, it would need to provide most or all of the kinds of web applications that people already use. OD proposes to integrate with the existing applications, presenting a single view that incorporates them and facilitates sharing between them, without the lock-in. The requisite demo during the keynote was of Big Board, a GNOME Python application, that prototypes portions of the OD, using the Mugshot project. A high-level implementation plan was also presented:
SEARCH AND DESTROY everything that leaves my data stranded
on a single computer.
INTEGRATE the best web applications with the desktop.
RETHINK the user experience to take advantage of live
connections to friends on the net.
CHANGE THE DEFAULTS so naïve users taking no special action
will create collaborative, backed-up, online data rather than local
files.
By its very nature, OD has a very distributed architecture. It is meant to talk to various servers to store data using the services (Flickr, Picasa, Gmail, etc.) that the user is already using. But there will also be data that needs to be stored, for instance preferences and configuration information, for which a service will need to be created. This service is envisioned to be decentralized, with at least some of the servers run by the community. Like many parts of the project, it is still in the planning stages. The project is young, with thoughts and discussion starting to pop up on the GNOME desktop-devel mailing list in April. Since the conference, things have started to heat up, the website has moved from within Mugshot to its own site, some mockups have been created and there has been a bit of a discussion about an acronym. An obvious choice, using the first letters of GNOME Online Desktop leaves something to be desired, so current candidates seem to be GOLD (OnLine Desktop) or GOOD (Open Online Desktop). Others would rather see it referred to as GNOME Online without an acronym; we stayed out of it and used OD. Another piece that is in the planning stages is an API for desktop applications to be able to share HTTP state and cache information. With multiple programs talking to some of the same websites, cookies, at least, will need to be shared between them. Sharing data that has been cached from websites, between the browser and other programs that use it, would be useful to reduce traffic as well. Mixing and matching different web application APIs and storing lots of personal data on remote servers will require careful thought about security. There is some mention of "strong cryptography" being used, but the concerns mentioned so far seem mostly concerned about handling (and losing) private keys. Overall, the security issue seems to be a low priority. A post to Pennington's blog seems to miss the point, comparing the OD security issues to that of online banking. Banks only store the information they have, not the sum total of all data one might have on their computer. In order to fulfill the "secure and virus-free" portion of the goal statement, a lot more thinking and effort will have to be focused there. Folks typically carry more powerful computers, with more storage, in their pockets today, than were even available to home users twenty years ago. That trend seems to be continuing, at least for now, so there should be ways to carry our own data with us. Desktops that were set up to handle external, plugged-in storage devices and easily switch to an environment stored there would remove the need to store that data on an internet server, except, perhaps, for backups. This might be a simpler alternative that removes some of the concern about loss of data control. There are lots of opportunities to share and collaborate using web applications, for pictures, text, video, music, etc. But there is also lots of data folks may not want to share. Financial information, email, contracts and work-related documents are just a few of the things that people very well might want to keep private, naïve or no. It will be very difficult to set up an environment that turns all data, by default, into "collaborative, backed-up, online data", without sometimes exposing sensitive data. Using the word processing tool to type a blog entry and a love letter should not automatically expose both to the world. An interesting, related development is an attempt to define what a "free" or "open" web service is. If a user's personal data is to be stored somewhere other than the local disk, potentially multiple places, it must be clear what rights the user has to that data. The responsibilities of the service must be clearly defined as well. Luis Villa has some thoughts about the framework in which an Open Service Definition might come about. The framework consists of sets of goals, preconditions and rights, each of which can be thought of as a "sliding scale". He goes into some detail enumerating each of the sets and discussing various settings that could be made on the scales and the impacts that has on freedom and openness, for both users and providers. By using OD as a test case while discussing various settings with interested parties, Villa hopes to come out with a set of definitions and licenses that, in many ways, parallel the Free Software and Open Source definitions. It is an issue that is much larger than the OD project and one that bears watching. The biggest question, perhaps, is whether this is the "right" direction for GNOME and for desktops in general. Is personal computing finally headed toward a completely network-centric existence? If so, are HTTP, HTML, Javascript, AJAX, and the like up to the task? One is reminded of the wisdom of the Magic 8-ball: Answer hazy, ask again later. One advantage that free software has over some of its competitors is its diversity; we are certain to see other implementations of an online desktop (Pyro for example) as well as desktops that resist the close integration to the web. Free software will truly give users the ability to choose the one that works for them; users of proprietary systems may not be so lucky.
Where have the universities gone?When Greg Kroah-Hartman talked about the provenance of Linux kernel code at the Ottawa Linux Symposium, one member of the audience asked about whether contributions from universities were tracked. The answer is that universities were handled like any other source and tracked accordingly. If code is contributed by somebody who works for the university (a faculty member, in other words), the university is credited as having supported the work. Contributions from students tend to be treated as "hobbyist" work, but there are few significant contributors who fall into this category. There is, in fact, very little code coming from the university environment in general. Your editor was able to find exactly five files in the 2.6.23-rc1 kernel tree which contain a 2007 copyright credited to a University.It was not always that way; universities used to be heavily involved in the creation and distribution of free software (though it did not originally carry that name). The BSD Unix distribution - the first to support virtual memory and drive VAXen worldwide - came from the University of California at Berkeley. Linux became the master's thesis for one Linus Torvalds. The X Consortium grew out of a project at MIT - it was part of Project Athena, which was the source of much interesting work. The GNU project has its roots at MIT as well. Alan Cox did much of his crucial early Linux work while at Swansea University. Ted Ts'o, another important early contributor, was based at MIT. Looking further back, graybeards among us will remember the influential WATFOR Fortran compiler from the University of Waterloo. Much interesting work (and code) came from the Andrew project at Carnegie Mellon University. Two of your editors got their start at the University of Colorado working with a project called Toolpack, creating Fortran developer tools; their names can be found in this old report [PDF]. The list goes on at some length. Over the years, we have all been the beneficiaries of a great deal of creativity (and code) to come out of the university environment. While there are still interesting projects happening at universities, the flow of code has nearly stopped. This seems strange; one need not dig too far into the curriculum at most computer science departments to find operating systems classes using Linux as a teaching tool, but these same computer science departments are, as a whole, not contributing back changes to that tool. This is a large and rather unremarked-upon change in how free software works; it would be interesting to understand what force is driving this change. Your editor has spent a few weeks querying contacts in the academic world, but the amount of useful information coming back is surprisingly small. An "I don't know" answer from a computer science department chair was not expected. So, rather than provide definitive answers, your editor will have to engage in some definitive handwaving. One obvious change is that the amount of code coming from the corporate environment has grown from nearly zero to something huge. As the proprietary software idea took over the industry, the idea that a company would give away its code came to look similar to the notion of opening up its bank account to all comers. At the same time, individuals rarely had the resources to develop and contribute code themselves, and the supporting community was not there. So universities were about the only real source for freely-circulated software. Thanks to the culture of openness in academia, passing that code around (and improving it) seemed like a natural thing to do. Unfortunately, that code of openness has suffered somewhat in more recent times. In many parts of the world, universities are able to privatize and commercialize interesting work, even if that work was funded by public money. University researchers have strong incentives to put their energy (and their code) into startup companies instead of contributing that code back to the community. Look, for example, at the story of the Stanford Checker, which was initially built on gcc. Rather than contribute that code, the developers created a private company (Coverity) to commercialize it. The community has certainly benefited from Coverity's work, but we still do not have a static analysis tool with anything near the power of the erstwhile "Stanford Checker." The same commercial forces almost certainly have the effect of drawing effective developers out of the university environment. Talented students who might once have gone on for advanced degrees or continued to work within the university are likely to have plenty of more lucrative options elsewhere. This will be especially true for those who have demonstrated that they can create useful, production-quality code. So, perhaps, it is not surprising that many of the most productive free software developers are no longer found at universities. Another disincentive for university contributors is that few free software projects are interested in prototypical or overly experimental code. A potential kernel contribution must be rock-solid, well-benchmarked, with well-defined needs and users. A university project may explore an interesting idea far enough to generate the required publications, but the resulting code is likely to be far from ready for mainline inclusion. It may well be that, for many university researchers, there is no real reason to make the effort to get their code merged, even if the work would be useful in a more practical environment. Funding agencies and tenure committees do not normally consider community contributions when making their decisions. Code contributed to the community also requires ongoing maintenance, something which many university environments are not well prepared to support. Graduate students move on to other challenges, and faculty go on to the next project. It is hard to write a successful grant application for maintenance work. So interesting code has a real chance of simply being dropped once the research objectives have been achieved - or the funding has run out. So there are a number of reasons for the reduction in university participation in the development process. That participation has certainly not fallen to zero. We can thank the University of Michigan for much of our NFSv4 code. A lot of USB work has come out of the Rowland Institute at Harvard. Much of the early eCryptfs work happened at Stony Brook University. The University of Waikato has contributed to the DCCP protocol implementation. The Helsinki University of Technology works with the IPv6 code, as have the University of Tokyo and Keio University. These are just a few recent contributions to the kernel; clearly, the scope of university contributions to the community goes far beyond that. But these contributions are buried by the code coming from other sources. For better or for worse, the period when universities were the source of a large portion of our free software code base would appear to have passed. But that period left us with a strong foundation on which to build the systems we have today.
Security Cache poisoning vulnerability found in BINDDomain Name System (DNS) cache poisoning has been a problem, on and off, for years. There has been a kind of an arms race with security researchers periodically finding problems in DNS server implementations and the vendors racing to fix them. Amit Klein of Trusteer recently released a vulnerability report for the Berkeley Internet Name Daemon (BIND) showing a rather reliable means to poison the cache of a nameserver that runs it. The consequences of this poisoning can be quite severe, invisibly rerouting traffic bound for a given host to one under an attacker's control. We will dispense with the usual overview of DNS, it was briefly described in an April LWN article - the vulnerability executive summary and Wikipedia article have useful descriptions as well. There are essentially two types of DNS servers: those that directly reply to queries about a particular zone (zone servers) and those that cache query results (caching servers). An internet service provider or company will typically set up a few caching DNS servers that actually talk to the zone servers, and configure all client machines to make their DNS requests to the caching servers. Once an entry has been entered into the cache of those servers, it will not be requested again until the time-to-live (TTL) of the entry expires. If an attacker can get an incorrect entry put into the cache, especially one with a very long TTL, he can redirect traffic to servers under his control. This is the "poison" in the cache. DNS uses User Datagram Protocol (UDP), which is stateless rather than connection-oriented. This allows attackers to send "answers" to DNS queries that they never received. They can forge the IP address of the nameserver that would be queried; if the bogus response is received before the real response, it will be used and the real one dropped. Several steps are taken to make it more difficult for an attacker to forge a response, but one of those countermeasures was not correctly implemented in BIND, leading to this most recent vulnerability. The DNS protocol contains a 16-bit transaction ID field that must be matched between the query and the response in order to be considered valid. Early DNS implementations just incremented those transaction IDs for each new query, making it trivial for an attacker's program to predict which was coming next. The obvious fix is to randomize the transaction IDs, which is exactly what BIND did, unfortunately not quite as randomly as they might have hoped. Random number generation (RNG) is one of those things that seems like it should be blindingly simple, but turns out to be incredibly difficult to do correctly. For things like games or simulations, it is relatively straightforward to create an RNG with reasonable properties, but for security and cryptography, it is much more difficult. One of the key properties that a crypto-strength RNG must have is unpredictability. One way to look at that is to determine how much RNG output an attacker must see before they can make informed guesses about the next "random" number. This is where the BIND algorithm was found to be lacking. By studying the code used to generate the transaction IDs, Klein noticed that if the transaction ID was even (least significant bit was zero), there were only ten possible values that could be generated as the next transaction ID. Other techniques had been able to reduce the search space to around 5000 possibilities, but forging and sending that many bogus DNS responses before the real reply reaches the recipient is not a very reliable poisoning technique. With only ten responses to send, it is quite possible to get the bogus response there first, especially if the real DNS server is busy and responds a little slowly. If an attacker (at attacker.com) wanted to poison the cache entry of financial-site.com for the users at randomisp.com, they would need to lure a user of randomisp.com's caching DNS server to visit attacker.com. When the DNS server at randomisp.com queries the attacker.com DNS server, that server looks at the transaction ID, if it is odd, it sends back a redirection to itself (using a DNS feature called CNAME chaining). If the transaction ID is even, it quickly calculates the ten possible values for the next transaction ID and starts sending responses for financial-site.com using those IDs. In addition, it redirects the query to financial-site.com. If that site is not in the cache, or its cache entry has expired, randomisp.com's DNS server will make a query, probably using one of the ten transaction IDs (unless an intervening query has gone out), to financial-site.com. It is very likely that one of the bogus responses will be picked up and the attacker now controls the mapping of financial-site.com to an IP address, for all users of randomisp.com. Normally, the invitation to visit attacker.com would go out as spam or by some other means that tricks users into going places that they probably should not. No particular ISP is targeted, the poisoning is used as part of a pharming attack. Pharming is typically used to get credentials, usernames and passwords, for financial and other sites by spoofing a well-known website on an attacker's server. Because of the cache poisoning, the user could use a bookmark or even type in the financial-site.com address, but still end up at the attacker's site. The website graphics and login process are duplicated there which causes the user (or his browser's password manager) to type in the credentials and hit submit. The full report makes for quite an interesting read. Klein describes several other means of attack and weaknesses in the BIND RNG, including ways to completely recover the internal state of the RNG. Internet Systems Consortium (ISC), the maintainers of BIND have released an updated version, with a new RNG, though there was very little description of the problem or the fix in their advisory. The problem has been assigned CVE-2007-2926 but, as of this writing, that is just a placeholder. This is quite a serious vulnerability and should be rather embarrassing to the folks at ISC. The problems with transaction IDs and the need for their unpredictability have been known for many years. It is not at all beyond the realm of possibility that the analysis done by Klein, was done by the attacker community some time ago, and has been used already. Widespread usage would likely have been detected, but if used judiciously, it could have been exploited for quite some time. Another technique that could help avoid these kinds of attacks would be to randomize (crypto-strength RNG, of course) the source UDP port on each query. BIND currently chooses a single random UDP source port at startup time and uses that throughout its life. If an attacker could not predict the port to send a bogus response to, it almost would not matter that they could predict what response to send.
Brief items Samsung fixes its printer driversOne week ago we reported that Samsung's printer driver installation script compromised the security of the systems it was run on by turning a few small applications (like OpenOffice.org) into setuid root executables. We have just heard from Samsung that this problem has been fixed. A quick look at the new installer confirms that the calls making those applications setuid have been commented out, though the structure to do that work remains in place.
Wesabe's automatic banking Firefox extensionWesabe has announced the availability of an open source Firefox extension to help with online banking. "Setting up Wesabe accounts for banks that provide automatic data downloads, including American Express, Chase and USAA, only takes seconds -- members simply need to enter their username and password. The extension auto-records a login and download, and then plays it back as frequently as the member wants updated data. The extension works equally as well for banks that don't provide automatic downloads -- members use the extension to 'record' an actual download session from their bank Web site, a process that typically takes between one and two minutes." One can only hope that this source gets audited well; it would be an optimal trojan horse platform, and is sure to be a cracker target as well.
New vulnerabilities bind: DNS cache poisoning
bochs: buffer overflow
centericq: buffer overflows
clamav: denial of service
kernel: denial of service
lighttpd: denial of service
nginx: cross site scripting
nvclock: insecure tmp file usage
redhat-cluster-suite: denial of service
tcpdump: integer overflow
Updated vulnerabilities acroread: multiple vulnerabilities
apache2: information disclosure
apache: multiple vulnerabilities
apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
avahi: denial of service
bugzilla: multiple vulnerabilities
clamav: denial of service
cpio: arbitrary code execution
vixie-cron: privilege escalation
cscope: buffer overflows
cscope: buffer overflows
cups: denial of service
curl: insufficient verification methods
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
elinks: code execution
elinks: arbitrary file access
emacs21: denial of service
evolution: format string error
evolution-data-server: malicious server arbitrary code execution
pop mail man-in-the-middle attacks
fail2ban: log injection vulnerability
fail2ban: denial of service
file: integer overflow
firebird: buffer overflow
firefox: multiple vulnerabilities
firefox, thunderbird, seamonkey: multiple vulnerabilities
flac123: arbitrary code execution
flash-plugin: input validation flaw
freetype: arbitrary code execution
freetype: integer overflows
gcc: file overwrite vulnerability
gd: buffer overflow
gd: denial of service
gedit: format string vulnerability
gimp: multiple vulnerabilities
grip: buffer overflow
gzip: multiple vulnerabilities
HelixPlayer: arbitrary code execution
horde-kronolith: local file inclusion
ImageMagick: integer overflows
imlib2: arbitrary code execution
ipsec-tools: denial of service
jasper: denial of service
java: multiple vulnerabilities
kdebase: information leak
kdelibs: kate backup file permission leak
kdelibs: cross-site scripting
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: denial of service
kernel: denial of service by memory consumption
kernel: denial of service
kernel: several vulnerabilities
kernel: signal handling flaw on PPC
kernel: several vulnerabilities
kernel: denial of service
kernel: denial of service
kernel: multiple vulnerabilities
krb5: multiple vulnerabilities
krb5: uninitialized pointers
krb5: local privilege escalation
krb5: multiple vulnerabilities
ktorrent: incorrect validation
LedgerSMB: authentication bypass
lftp: shell command execution
libexif: integer overflow
libgtop2: buffer overflow
libmodplug: boundary errors
libphp-phpmailer: command execution
libpng: denial of service
libpng: buffer overflow
libpng: heap based buffer overflow
libtiff: buffer overflow
libxml2 - arbitrary code execution
libxml2: multiple buffer overflows
lookup-el: insecure temporary file
lynx: arbitrary command execution
mod_jk: proxy bypass
mod_perl: denial of service
moin: arbitrary JavaScript execution
mplayer: buffer overflow
mplayer: buffer overflow
mydns: buffer overflows
mysql: denial of service
mysql: format string bug
MySQL: privilege violations
mysql: multiple vulnerabilities
MySQL: logging bypass
nbd: arbitrary code execution
ncompress: buffer underflow
OpenOffice.org: arbitrary code execution
OpenSSH: denial of service
openssh: remote denial of service
pam: privilege escalation
perl-Net-DNS: predictable id sequence
php: multiple vulnerabilities
php: several vulnerabilities
php: multiple vulnerabilities
php: buffer overflows
php: several vulnerabilities
phpbb2: missing input sanitizing
phpbb2: multiple vulnerabilities
phpPgAdmin: cross-site scripting
phpwiki: remote code execution
pptpd: denial of service
proftpd: authentication bypass
pulseaudio: denial of service
python: information disclosure
qemu: multiple vulnerabilities
qt: "/../" injection
quake: buffer overflow
rpm: arbitrary code execution
Mozilla: multiple vulnerabilities
slocate: information disclosure
snort: remote arbitrary code execution
Sun JDK/JRE: multiple vulnerabilities
tcpdump: denial of service
tetex: buffer overflow
tomcat: directory traversal
tomcat: cross-site scripting
vixie-cron: weak permissions may cause errors
vlc: several vulnerabilities
wireshark: multiple vulnerabilities
XFree86 X.org: integer overflows
xfsdump: insecure temp dir
xine: format string vulnerabilities
xine-lib: arbitrary code execution
xine-lib: buffer overflow
xinit: race condition
xmms: BMP handling vulnerability
xnview: buffer overflow
X.org: temp file vulnerability
zziplib: buffer overflow
Page editor: Jake Edge Kernel development Brief items Kernel release statusThe current 2.6 prepatch is 2.6.23-rc1, released by Linus on July 22. The 2.6.23 merge window is now closed. See the article below for features merged since last week; for a complete view of what's in 2.6.23-rc1 see the short-form changelog or the full changelog if you have a lot of time.Something over 100 patches have gone into the mainline repository since -rc1 as of this writing. They are mostly fixes, but there was also a patch removing the request_queue_t typedef - though it was later restored with a "deprecated" tag. The current -mm tree is 2.6.23-rc1-mm1. This tree has slimmed considerably as patches flowed into the mainline; other changes include a set of IDE updates, the USB device authorization patches, the Linux security non-modules patch, a new file capabilities patch, some new ext4 features, and process-ID namespaces. For older kernels: 2.6.16.53-rc1 was released on July 23 - the first 2.6.16 update in a while. 2.4.34.6 was released on July 22 with a couple of fixes. 2.4.35-rc1 is also out with a larger set of fixes; the final 2.4.35 release should happen shortly.
Kernel development news Quotes of the week
Stupid bugs only appear endearing in retrospect.
-- Linus Torvalds
In Linux we reject _lots_ of code, and that's the only way to
create a quality kernel. It's a bit like evolutionary selection:
breathtakingly wasteful and incredibly efficient at the same time.
-- Ingo Molnar
Apologies to those of you looking for selections from the ill-advised run of limericks recently posted on linux-kernel; interested readers can find most of them in this thread.
The 2.6.23 stragglersLinus has closed the 2.6.23 merge window. Before that happened, however, a few more patches slipped through:
Changes visible to kernel developers include:
Since the merge window is now closed, that should be the end of new features for this development cycle. There could be an exception or two, though: a few developers appear to have missed the window and are hoping to slip in a few post -rc1 changes.
SDIO support comingThe Secure Digital Input/Output specification enables the creation of SD cards which handle tasks beyond the simple storage of bits, which is what SD has traditionally been used for. The SD Association SDIO page shows some cute pictures with SDIO network adapters, cameras, GPS receivers, fingerprint recognizers, and a strangely disturbing image of a scanner glued directly to an SD card. As small gadgets with SD slots become more prevalent, one can imagine a number of uses for peripherals which can be attached to those slots. Since many of those gadgets run Linux, it would be nice to have proper support for SDIO devices in the mainline kernel. Unfortunately, like much of the SD Association's work, SDIO has been a realm of proprietary specifications and implementations.That would appear to be about to change, however: Pierre Ossman has sent out an announcement of interest:
I am happy to announce that SDIO support will soon be a standard
feature in Linux. No more proprietary stacks with all the troubles
(legal and technical) that go with them.
The new SDIO stack, written by Pierre and Nicolas Pitre, is in a fairly complete state with all the sorts of bus-level support that driver writers have come to expect. There is one driver (for GPS interfaces) available now; it is expected that others will show up shortly. If all goes well, expect the new SDIO stack to be ready for 2.6.24.
fault()Back in October, 2006, LWN covered the proposed fault() method for virtual memory areas. This API change was put forward as part of a fix for an obscure (but real) race condition within the kernel. Such a fix would seem important, but, even so, it took the better part of a year for fault() to make it into the mainline. Now that the patch has been merged for 2.6.23, it is worth taking a look at the API which was adopted.A virtual memory area (VMA) in the kernel represents a piece of a process's virtual address space. Each VMA is mapped in its own way; most VMAs are mapped to files on the disk, but there are also anonymous VMAs (mapped to swap space, for all practical purposes), device memory mappings, and more. Each VMA must provide a handler for situations where a specific page in that VMA is not resident in main memory; the handler must rectify the situation or let the kernel know that it cannot be done. In most cases, the nopfn() or older (but more heavily used) nopage() methods fill that bill. They are called with the offset of the missing page within the VMA and are expected to return a pointer to the page structure for the missing page. For more complicated cases, nonlinear VMAs in particular, the populate() method is invoked instead. The existence of three functions to perform the same task suggests that requirements have changed over time and that a cleanup is overdue. When none of those interfaces are able to be extended to prevent a race condition, the pressure for a new approach can only get stronger. That new approach, as created by Nick Piggin, is the fault() method, which should, eventually, replace all three of the others. The prototype for fault() is:
int (*fault)(struct vm_area_struct *vma, struct vm_fault *vmf);
Most of the information of interest can be found in the new vm_fault structure, which looks like this:
struct vm_fault {
unsigned int flags;
pgoff_t pgoff;
void __user *virtual_address;
struct page *page;
};
The fault() method should, like its predecessors, arrange for the missing page to exist and return its address to the kernel. The interface used is rather more flexible, though. The offset of the missing page can be found in the pgoff field. Fault handlers can also find the corresponding user-space address in virtual_address, but anybody who is tempted to use that field should be prepared to justify that use to a crowd of skeptical kernel developers. Most handlers should not care where the page lives in user space, and use of virtual_address will make it impossible to support nonlinear VMAs. So, if at all possible, virtual_address should be ignored. If your code only uses pgoff, it should also set the VM_CAN_NONLINEAR flag in the VMA's vm_flags field to let the kernel know that it is playing by the rules. The flags field has two possible flags:
After fault() has done its work, it should store a pointer to the page structure for the faulted-in page in the page field - but see below for an exception. The return value from fault() is a set of flags which can indicate a number of things:
All callers of the populate() VMA operation have been changed, and that method no longer exists. There is an entry in the feature removal schedule for nopage() indicating that it will go away "as soon as possible." The kernel still has a number of nopage() implementations, though, so getting rid of it may take a little while yet. Longer-term plans call for the removal of nopfn() as well, though no date has been set for this change. Certainly any new code which implements mmap() should be written to handle faults with fault() rather than one of the older functions.
Still waiting for swap prefetchIt has been almost two years since LWN covered the swap prefetch patch. This work, done by Con Kolivas, is based on the idea that if a system is idle, and it has pushed user data out to swap, perhaps it should spend a little time speculatively fetching that swapped data back into any free memory that might be sitting around. Then, when some application wants that memory in the future, it will already be available and the time-consuming process of fetching it from disk can be avoided.The classic use case for this feature is a desktop system which runs memory-intensive daemons (updatedb, say, or a backup process) during the night. Those daemons may shove a lot of useful data to swap, where it will languish until the system's user arrives, coffee in hand, the next morning. Said user's coffee may well grow cold by the time the various open applications have managed to fault in enough memory to function again. Swap prefetch is intended to allow users to enjoy their computers and hot coffee at the same time. There is a vocal set of users out there who will attest that swap prefetch has made their systems work better. Even so, the swap prefetch patch has languished in the -mm tree for almost all of those two years with no path to the mainline in sight. Con has given up on the patch (and on kernel development in general):
The window for 2.6.23 has now closed and your position on this is
clear. I've been supporting this code in -mm for 21 months since
16-Oct-2005 without any obvious decision for this code forwards or
backwards.
I am no longer part of your operating system's kernel's world; thus I cannot support this code any longer. Unless someone takes over the code base for swap prefetch you have to assume it is now unmaintained and should delete it. It is an unfortunate thing when a talented and well-meaning developer runs afoul of the kernel development process and walks away. We cannot afford to lose such people. So it is worth the trouble to try to understand what went wrong. Problem #1 is that Con chose to work in some of the trickiest parts of the kernel. Swap prefetch is a memory management patch, and those patches always have a long and difficult path into the kernel. It's not just Con who has run into this: Nick Piggin's lockless pagecache patches have been knocking on the door for just as long. The LWN article on Wu Fengguang's adaptive readahead patches appeared at about the same time as the swap prefetch article - and that was after your editor had stared at them for weeks trying to work up the courage to write something. Those patches were only merged earlier this month, and, even then, only after many of the features were stripped out. Memory management is not an area for programmers looking for instant gratification. There is a reason for this. Device drivers either work or they do not, but the virtual memory subsystem behaves a little differently for every workload which is put to it. Tweaking the heuristics which drive memory management is a difficult process; a change which makes one workload run better can, unpredictably, destroy performance somewhere else. And that "somewhere else" might not surface until some large financial institution somewhere tries to deploy a new kernel release. The core kernel maintainers have seen this sort of thing happen often enough to become quite conservative with memory management changes. Without convincing evidence that the change makes things better (or at least does no harm) in all situations, it will be hard to get a significant change merged. In a recent interview Con stated:
Then along came swap prefetch. I spent a long time maintaining and
improving it. It was merged into the -mm kernel 18 months ago and
I've been supporting it since. Andrew [Morton] to this day remains
unconvinced it helps and that it 'might' have negative consequences
elsewhere. No bug report or performance complaint has been
forthcoming in the last 9 months. I even wrote a benchmark that
showed how it worked, which managed to quantify it!
The problem is that, as any developer knows, "no bug reports" is not the same as "no bugs." What is needed in a situation like this is not just testimonials from happy desktop users; there also needs to be some sort of sense that the patch has been tried out in a wide variety of situations. The relatively self-selecting nature of Con's testing community (more on this shortly) makes that wider testing harder to achieve. A patch like swap prefetch will require a certain amount of support from the other developers working in memory management before it can be merged. These developers have, as a whole, not quite been ready to jump onto the prefetch bandwagon. A concern which has been raised a few times is that the morning swap-in problem may well be a sign of a larger issue within the virtual memory subsystem, and that prefetch mostly serves as a way of papering over that problem. And it fails to even paper things completely, since it brings back some pages from swap, but doesn't (and really can't) address file-backed pages which will also have been pushed out. The conclusion that this reasoning leads to is that it would be better to find and fix the real problem rather than hiding it behind prefetch. The way to address this concern is to try to get a better handle on what workloads are having problems so that the root cause can be addressed. That's why Andrew Morton says:
To attack the second question we could start out with bug reports:
system A with workload B produces result C. I think result C is
wrong for <reasons> and would prefer to see result D.
and why Nick Piggin complains:
Not talking about swap prefetch itself, but everytime I have asked
anyone to instrument or produce some workload where swap prefetch
helps, they never do.
Fair enough if swap prefetch helps them, but I also want to look at why that is the case and try to improve page reclaim in some of these situations (for example standard overnight cron jobs shouldn't need swap prefetch on a 1 or 2GB system, I would hope). There have been a few attempts to characterize workloads which are improved by swap prefetch, but the descriptions tend toward the vague and hard to reproduce. This is not an easy situation to write a simple benchmark for (though Con has tried), so demonstrating the problem is a hard thing to do. Still, if the prefetch proponents are serious about wanting this code in the mainline, they will need to find ways to better communicate information about the problems solved by prefetch to the development community. Communications with the community have been an occasional problem with Con's patches. Almost uniquely among kernel developers, Con chose to do most of his work on his own mailing list. That has resulted in a self-selected community of users which is nearly uniformly supportive of Con's work, but which, in general, is not participating much in the development of that work. It is rare to see patches posted to the ck-list which were not written by Con himself. The result was the formation of a sort of cheerleading squad which would occasionally spill over onto linux-kernel demanding the merging of Con's patches. This sort of one-way communication was not particularly helpful for anybody involved. It failed to convince developers outside of ck-list, and it failed to make the patches better. This dynamic became actively harmful when ck-list members (and Con) continued to push for inclusion of patches in the face of real problems. This behavior came to the fore after Con posted the RSDL scheduler. RSDL restarted the whole CPU scheduling discussion and ended up leading to some good work. But some users were reporting real regressions with RSDL and were being told that those regressions were to be expected and would not be fixed. This behavior soured Linus on RSDL and set the stage for Ingo Molnar's CFS scheduler. Some (not all) people are convinced that Con's scheduler was the better design, but refusal to engage with negative feedback doomed the whole exercise. Some of Con's ideas made it into the mainline, but his code did not. The swap prefetch patches appear to lack any obvious problems; nobody is reporting that prefetch makes things worse. But the ck-list members pushing for its inclusion (often with Con's encouragement) have not been providing the sort of information that the kernel developers want to see. Even so, while a consensus in favor of merging this patch has not formed, there are some important developers who support its inclusion. They include Ingo Molnar and David Miller, who says:
There is a point at which it might be wise to just step back and
let the river run it's course and see what happens. Initially,
it's good to play games of "what if", but after several months it's
not a productive thing and slows down progress for no good reason.
If a better mechanism gets implemented, great! We'll can easily replace the swap prefetch stuff at such time. But until then swap prefetch is what we have and it's sat long enough in -mm with no major problems to merge it. So swap prefetch may yet make it into the mainline - that discussion is not, yet, done. If we are especially lucky, Con will find a way to get back into kernel development, where his talents and user focus are very much in need. But this sort of situation will certainly come up again. Getting major changes into the core kernel is not an easy thing to do, and, arguably, that is how it should be. If the process must make mistakes, they should probably happen on the side of being conservative, even if the occasional result is the exclusion of patches that end up being helpful.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Memory management
Networking
Architecture-specific
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet Distributions News and Editorials Skolelinux/Debian-Edu and LinExThe Skolelinux project got its start in Norway in 2001. At that time the initial goals included using a Debian-based distribution with applications localized in two Norwegian dialects, Bokmål and Nynorsk, and in the Northern Sami language. The solution was envisioned as a server with thin clients, well documented and easy to use. Any teacher, even those without computer experience, should be able to install the system and have it ready for students without much effort.Skolelinux has been on the LWN Distribution list since before pre release 41 was announced (November 2, 2003). That was about the time that the Skolelinux project and the Debian-Edu project decided that one big project was better than two little projects. The merger of the two mailing lists was completed in early 2004. Skipping forward to the present, Skolelinux/Debian-Edu 3.0 has been released. It is based on Debian 4.0 "etch" and therefore compatible with LSB 3.1, using kernel 2.6.18 and KDE 3.5.5. This new release has full support for networked thin clients, diskless clients, workstations and laptops. There are more than 80 instructional applications, translated to more than 50 languages. Skolelinux receives support from regional and national projects in Germany, Spain, France, Greece and Norway. The next milestone for Skolelinux will be to merge the Debian based gnuLinEx distribution, which is used by more than 250,000 students and public employees in the region of Extremadura in Spain. According to the road map, the merger will start with the educational installations of LinEx in primary and secondary schools. LinEx has many other installations in health care, government and small business that will not be affected, at least in the early stages. There are some differences between LinEx and Debian-Edu that will need to addressed during the merger. For example, LinEx does not currently support thin and diskless clients, or use web-based system administration. Also LinEx uses GNOME and Skolelinux KDE, so GNOME will need to be integrated into the final product. Ideally all the required packages would be in the Debian repository, but there are licensing issues with packages that use Squeak, Flash or Java and LinEx contains some Spanish documentation, tutorials and training courses that have restrictive licenses. There are other LinEx specific packages could go into the Debian repository, they just aren't there now. Currently there are different packages in LinEx and Debian-Edu that do the same task, so one may be chosen over the other. There are hurdles to overcome, but one of the largest may be that of producing a system that is familiar and comfortable for the users of both LinEx and Skolelinux, and by users I mean the teachers and administrators. The students will adapt.
New Releases Announcing openSUSE 10.3 Alpha6The sixth alpha release of openSUSE 10.3 is out. "AJ used to write here, that he's glad to announce. I can't say I am - I am relieved I can announce openSUSE 10.3 Alpha6 to you. I didn't have a chance to put too much testing into more than the i586 DVD5 and the KDE CD. But I didn't want to wait any longer either. So I'm left with hoping the best."
Gutsy Gibbon Tribe 3 releasedThe Gutsy Gibbon Tribe 3 CD images are available for Ubuntu, Kubuntu, Edubuntu and Xubuntu. "Pre-releases of Gutsy are *not* encouraged for anyone needing a stable system or anyone who is not comfortable running into occasional, or even frequent breakage. They are, however, recommended for Ubuntu developers and those who want to help in testing, reporting, and fixing bugs."
Canonical's Launchpad 1.1.7 release notesLaunchpad is a suite of development tools used in the creation of Ubuntu and related distributions. Version 1.1.7 is out with bug fixes and new features. Click below for the release notes.
easyfedora 0.2Easyfedora is a KDE application which will help you install more software and drivers on your Fedora system, quickly and easily. Version 0.2 was released under a proprietary license.
Distribution News Retiring Debian's sparc32 portLast May we reported that Debian was thinking about dropping sparc32 support from Lenny. Since then no one has stepped up to maintain the port so it will be dropped. Newer sparc64 hardware will be supported.
First call for votes: GR: Accept the concept of Debian MaintainersOn June 28, 2007 we took a look at a proposal for creating Debian Maintainers. A modified version of this proposal is now up for a vote.
[Debian Installer] Experimental support for Serial ATA RAID (dmraid)The Debian Installer team has announced that daily built images of Debian Installer (for Lenny) now include experimental support for installing Debian on systems configured with Serial ATA RAID, as supported in Linux by using the dmraid utility. These images need lots of testing and are currently available only for i386 and amd64.
[RFH] Debian Listmaster team needs more manpowerThe current Debian listmaster team needs a bit more manpower, so they are currently looking for 2-4 Debian Developers who would be willing to help out with listmastering. Click below for the job requirements.
Fedora Engineering Steering Committee (FESCo) Election ResultsThe FESCo election is over, and the members for the 2007/2008 FESCo are (in alphabetical order): Christopher Aillon, Josh Boyer, Tom Callaway, Kevin Fenzi, Dennis Gilmore, Christian Iseli, Jeremy Katz, Jesse Keating, Bill Nottingham, Brian Pepple, Jason Tibbitts, Warren Togami and David Woodhouse.
news.opensuse.org goes liveThe openSUSE News site has been launched. "We are happy to announce our new news.opensuse.org website. This news portal will provide the latest openSUSE news. We will continue to send important announcements to the opensuse-announce mailing list, but they should also be added to this site as well."
openSUSE 10.2 PromoDVDsPromotional DVDs of openSUSE 10.2 are available to those who will spread them around, particularly to openSUSE/Linux beginners. Click below to find how to get some.
Distribution Newsletters Fedora Weekly News Issue 97The Fedora Weekly News for July 21, 2007 looks at the availability of fedorapeople.org, Smolt, Open Invitation, plus news from Planet Fedora, proposed Fedora 8 features, plans for tickless kernel for x86_64 architecture in Fedora 8, and several other topics.
Ubuntu Weekly News: Issue #49The Ubuntu Weekly Newsletter for July 21, 2007 covers the release of Gutsy Tribe 3, Canonical's launch of training courses, the first Ubuntu conference in Germany, a State of the Union Summary of the Ubuntu US Lo``Co Teams, the release of Launchpad 1.1.7, a new ATI driver in Gutsy, and much much more.
DistroWatch Weekly, Issue 212The DistroWatch Weekly for July 23, 2007 covers Sabayon Linux 1.0 "Business Edition", Puppy Linux 2.17, Gentoo Foundation, Debian tidbits, openSUSE News & Coolo, Linus Interview, and Too Many Distros?
Newsletters and articles of interest DSL answers user requests with 4.0 alpha (Linux.com)Linux.com looks at the alpha release of Damn Small Linux (DSL) 4.0. "[DSL developer Robert] Shingledecker urged would-be testers to read the new Getting Started document. "There are many changes in icons, file manager, accessing menu and mydsl," he pointed out. He said he placed a minimal number of icons on the desktop so users could choose which applications they wanted. As DSL has four different installation methods -- LiveCD, Frugal, Hybrid, and Traditional -- Shingledecker asked that those posting bugs in the forum be sure to note which method they're using."
New PC-BSD 1.4 beta includes enhanced desktop eye candy (Linux.com)Linux.com looks at the release of PC-BSD 1.4 beta. "The new PC-BSD 1.4 beta, released last week, offers 3-D desktop support via Beryl as well as late-model components such as KDE 3.5.7, FreeBSD 6.2, Xorg 7.2, a selection of fresh GUI tools and utilities, and a variety of optional components, as detailed in the full release notes."
Puppy 2.17 released (Linux.com)Linux.com takes a quick look at Puppy Linux 2.17. "If you need a compact, streamlined distro capable of running on an aging machine, take a look at Puppy Linux 2.17, a fresh release containing a number of new features, including seriously upgraded printing capabilities and enhanced modem detection and configuration."
Distribution reviews Ubuntu Studio supports serious audio, adds little for video and graphics (Linux.com)Linux.com reviews Ubuntu Studio. "The long and the short of it is that if you are a musician or audio enthusiast, Ubuntu Studio is a big win: you get a stable, tested, preconfigured source for the high-end audio components you need to do serious recording and editing, and you get it built upon one of today's most popular, well-supported mainstream distros. The millions of vanilla Ubuntu users on 32-bit Intel machines can add the Ubuntu Studio goodness with a simple cut-and-paste APT repository addition (instructions are at ubuntustudio.org) -- a far nicer alternative than installing a separate distro."
openSUSE 10.3 Alpha 6 Report (TuxMachines)TuxMachines reviews openSUSE 10.3 Alpha 6. "openSUSE 10.3 Alpha 6 appeared yesterday, the same day as the unveiling of the new openSUSE News portal. And that right after the big announcement that Andreas was handing over the reins of project manager to Coolo. I kinda expected Alpha 6 to be delayed by that latter news. It wasn't and it was a doozy too. The DVD deltaiso was over a one gig in size, so I was expecting some significant changes and improvements this time."
eyeOS: A genuine Web OS (Linux.com)Linux.com covers a web-based OS called eyeOS. "Unlike most Web desktops that require you to create an account and rely on their service, eyeOS offers you two options. The hosted version of eyeOS allows you to create a free account and use the system without getting your hands dirty installing, configuring, and maintaining it. The major drawback of using the hosted solution is that you can't log in as root, which means that you won't be able to install additional applications, among other things. Alternatively, you can install eyeOS on your own server, which gives you complete control over the system."
Page editor: Rebecca Sobol Development Store data on paper with Twibright OptarTwibright Optar is a new and unique software project by Karel 'Clock' Kulhavý, developer of the Ronja optical network link project. Here's the project description: ![[Optar]](/images/ns/optar.png){kind=small}
Optar stands for OPTical ARchiver. It's a codec for encoding data on paper. Optar fits 200kB on an A4 page, then you print it with a laser printer. If you want to read the recording, scan it with a scanner and feed into the decoder program. A practical level of reliability is ensured using forward error correction code (FEC). Automated processing of page batches facilitates storage of files larger than 200kB.
One may wonder why, in this high tech world, would you want to use paper as a data archive medium. Paper tape and 80 column punch cards went out of style in the early 1980s. Optar is probably not for those who are intent on running a paperless office. Here are some unique benefits and features of Optar:
Usage of Optar is fairly straightforward, the optar command encodes data into a series of .pgm files. Those can easily be converted to PostScript with the convert command from the ImageMagick suite, then printed to most laser printers. Conversion from paper back to data involves scanning the pages with SANE or other scanner software, saving as .png files, then feeding those to unoptar, which outputs the original data. While functional, Optar is still in an early stage of development. Some desirable options would be the ability to select output paper sizes such as US letter and legal on the command line, and choose the encoding density. The documentation is currently limited to a README file, there are plans to make man pages for the two Optar commands. The code is without a version number at this point, presumably because there is only one version that has been released. Optar has been released under the Gnu GPL, the source code is available for download here. The code is written in C and builds with the standard make and make install commands.
System Applications Clusters and Grids Release 2.1.1 of Linux-HA is now availableVersion 2.1.1 of Linux-HA, a cluster control system, is out. "This release has been extensively tested by many people and is considered stable. At this time, there are no known regressions from the previous stable release 2.0.8, or the Novell SLES10 SP1 release."
Database Software PostgreSQL Weekly NewsThe July 22, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
SQLite 3.4.1 releasedVersion 3.4.1 of SQLite, a lightweight DBMS, is available. "This release fixes a bug in VACUUM that can lead to database corruption. The bug was introduced in version 3.3.14. Upgrading is recommended for all users. Also included are a slew of other more routine enhancements and bug fixes."
Mail Software Apache SpamAssassin 3.2.2 is availableVersion 3.2.2 of the Apache SpamAssassin mail filter is out. "3.2.2 is a minor bug-fix release."
Networking Tools Tramp 2.1.10 releasedStable version 2.1.10 of Tramp has been announced. "Tramp stands for 'Transparent Remote (file) Access, Multiple Protocol'. It provides remote file editing, similar to Ange-FTP and EFS. The difference is that Ange-FTP uses FTP to transfer files between the local and the remote host, whereas Tramp uses a combination of 'rsh' and 'rcp' or other work-alike programs, such as 'ssh'/'scp'."
Package Management Announcing RPM 4.4.2.1Version 4.4.2.1 of the RPM Package Management system has been released. "The time since 4.4.2 has been quite leng[th]y, and so is the number of fixes included in this release. Also various cleanups have been done, such as removing most (if not yet all) Red Hat-specific items and hacks from the sources to signify the fact that rpm.org is not tied to any single vendor."
Printing PyKota 1.26 releasedVersion 1.26 of the PyKota printer quota system has been announced. "Several new configuration directives were introduced to increase the software's versatility. You can now control the ordering in the output of the data dumper, either from the command line or when it's used as a CGI script. The 'grey vs color' pseudo colorspace is now supported in ink accounting mode. Several minor improvements or bug fixes were done all over the place."
Security RSBAC 1.3.5 releasedVersion 1.3.5 of Rule Set Based Access Control (RSBAC), an access control system for the Linux kernel, is out with a number of bug fixes and build improvements.
Web Site Development Django status update: July 22The July 22, 2007 edition of the Django status update covers the latest news from the Django Python-based web framework. "Database migration is the hot topic this past week. Also, Django-based photo galleries, undo in Django, the first Satchmo-based online store, and more can be found inside."
Midgard 1.8.4 releasedStable version 1.8.4 of the Midgard web content management system has been announced. "Midgard 1.8.4 release includes major bugfixes".
Introducing OpenSearch (O'Reilly)Uche Ogbuji introduces OpenSearch on O'Reilly's XML.com. "Uche Ogbuji's Agile Web column returns with an introduction to OpenSearch, an Atom-friendly format for describing and discovering search engines and query endpoints on the Web in a RESTful way."
Desktop Applications Audio Applications QjackCtl 0.3.1a crash-fix releasedRelease 0.3.1a of QjackCtl, a GUI control panel for the JACK Audio Connection Kit, is out. "This is an emergency crash-fix release and everyone is [i]nvited to ditch yesterdays one."
Data Visualization openPlaG 1.01 releasedVersion 1.01 of openPlaG is out with the new ability to load and save graph settings. "openPlaG is an online function graph plotter, written in PHP. It can compute and plot a very high amount of functions, including many probability functions and is fairly good configurable."
Desktop Environments GNOME Software AnnouncementsThe following new GNOME software has been announced this week:
KDE Commit-Digest (KDE.News)The July 22, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Plasma progress, with new Plasmoids: Browser, Notes, 3D Earth Model, Twitter, Desktop, and Tiger (scripting example), and the development of a mouse cursor data engine. Bug fixing spree in TagLib, K3b, and the Kopete Cryptography plugin. Support for encrypted storage devices in Solid, with better integration of device support in Amarok. Further integration of Plasma in Amarok. Work on making Konsole follow KDE settings more strictly. Much work on revamping Ark for KDE 4..."
Quickies: KDE e.V. Presidential Address, KHTML and WebKit, Qt4 Book, KDE4 on Mac Visuals (KDE.News)A new KDE Quickies article has been published. "A number of KDE related news stories are floating about the interweb today, so here's a quick round-up. Aaron Seigo writes his KDE e.V. Presidential Address on his blog in an effort to force the e.V. to be more transparent about their activities. Over at Ars Technica, I have an article talking about the future of KHTML and WebKit: you'll be happy to know that this seems to no longer be a real problem. Daniel Molkentin has published a new book on coding for Qt 4.x which is now available for ordering at qt4-book.com..."
KDE 4 snapshots for amd64 07.07.22-01Release 07.07.22-01 of the KDE 4 snapshots for the amd64 platform has been announced. "Now kwin works, it is not necessary to start another window manager before."
KDE Software AnnouncementsThe following new KDE software has been announced this week:
Xorg Software AnnouncementsThe following new Xorg software has been announced this week:
Streaming Media Ezstream 0.4.1 releasedStable version 0.4.1 of Ezstream has been announced. "Ezstream is a command line source client for the Icecast media streaming server. It can stream Ogg Vorbis and MP3 audio, as well as Ogg Theora video, either "as-is"; without reencoding (which uses very little CPU time) or it can use external decoders and encoders to convert virtually any media format into one of the supported streaming formats."
Web Browsers Mozilla Thunderbird 2.0.0.5 and SeaMonkey 1.1.3 Released (MozillaZine)MozillaZine reports on the release of Thunderbird 2.0.0.5 and SeaMonkey 1.1.3. These releases fix several security vulnerabilities.
Miscellaneous Diet Tracker 1.5 is outVersion 1.5 of Diet Tracker has been released. "Diet Tracker is a set of Perl codes to help you keep track of your diet progress. It uses a MySQL database to store and display your daily weight variations and calorie intake as you progress in your diet."
Languages and Tools C GCC 4.2.1 releasedVersion 4.2.1 of GCC, the Gnu Compiler Collection, is out. "GCC 4.2.1 is a bug-fix release, containing fixes for regressions in GCC 4.2.0 relative to previous GCC releases." This will also be the last release of GCC under the GPLv2 license.
Caml Caml Weekly NewsThe July 24, 2007 edition of the Caml Weekly News is out with new Caml language articles.
Haskell Introduction to Haskell, Part 2: Pure Functions (O'ReillyNet)O'Reilly is running part two of an introductory series on Haskell. "In the second of three parts, Adam Turoff continues his introduction to Haskell, a language that can take some getting used to. In this installment, he looks at Pure Functions, which is to say functions with no side effects."
Python Python-URL! - weekly Python news and linksThe July 23, 2007 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk Tcl-URL! - weekly Tcl news and linksThe July 25, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Libraries FXT 2007.07.23 releasedStable version 2007.07.23 of FXT has been announced. "FXT' is a C++ library containing code for various fast orthogonal transforms and related algorithms for real, complex, n-dim fourier transforms, hartley transform, 1dim and 2dim, number theoretic transforms, walsh, haar, and wavelet transforms, convolution, correlation and power spectrum, mass-storage FFTs and convolution, fast multiplication routines, sine and cosine transforms, and z-transform."
Page editor: Forrest Cook Linux in the news Recommended Reading Seeing yellow over color printer tracking devices (Linux Journal)Linux Journal covers the Seeing Yellow campaign. "A series of encodings on printouts from color laser printers to discourage counterfeiting? At first, the idea sounds like the urban legend from a couple of decades ago that claimed you could hear Satanic messages when you play vinyl records backwards. Yet the evidence from the Electronic Frontier Foundation is that the encodings are embedded in color printers from all major manufacturers. Moreover, the issues raised by the practice have caused Free Software Foundation director Benjamin Mako Hill and other members of the Computing Culture group at the MIT Media Lab to begin the Seeing Yellow campaign to stop the practice."
Game over for OpenDocument? (LinuxWorld)Here's a LinuxWorld article on the failure of the OpenDocument format to take over. "The truth is, the big ODF application vendors left governments with no other choice but to go with OOXML as the only way to migrate existing systems to XML. They hoped to capitalize on ill will against Microsoft and legislation forcing rip-out-and-replace migrations. But as the Massachusetts situation, the state legislation situation, and the situation in Denmark shows, government IT establishments are beginning to rebel against the foolhardy and expensive rip-out-and-replace strategy."
Companies BBC to hear open source concerns (BBC News)The BBC News looks at requests to make the BBC's on demand TV service work on all computer operating systems. "The BBC Trust has offered to meet with open source advocates who argue that the corporation has a duty to make the download service platform agnostic. When the BBC iPlayer, as it is known, launches on 27 July it will only work with PCs running Microsoft Windows XP." (Thanks to Mark Tall)
Xandros buys Linux e-mail vendor Scalix (LinuxWorld)LinuxWorld reports on the acquisition of Scalix by Xandros. "Linux desktop and server vendor Xandros Wednesday acquired Scalix, which develops an open-source e-mail, calendar and groupware platform. Xandros, which develops a Linux desktop, server and set of management tools called BridgeWays, said the acquisition would help it build toward its goal of developing a complete Linux stack, including desktop, small and midsize business and advanced enterprise servers, cross-platform management tools, and IT infrastructure applications."
Linux Adoption UK Greens connect to free software (Linux.com)Linux.com investigates a push toward open-source software by environmental groups in the UK. "For average hackers in their cubicles, the relation between environmental and free software issues may seem remote but the Green Party of England and Wales (GPEW) is working to connect the dots. Since adopting a motion in favor of free and open source software (FOSS) in 2005, party members have not only spoken frequently in favor of FOSS, but also on related issues, such as software patents and lockdown technologies in Vista. The reasoning behind these efforts might surprise, as much as gratify, the average hacker. For now, they also leave the GPEW scrambling to live up to its own ideas."
Legal What Linspire Agreed To (Groklaw)Groklaw examines the Microsoft/Linspire patent covenant. "If I am a businessman, and I'm thinking about getting a patent promise not to sue from Microsoft, because I think like that, wouldn't that last bit kill the deal? Business applications are not covered. So accounting, payroll, HR, project management, sales management, financial forecasting and reporting, supply chain management, "unified communications" -- none of that is covered."
Interviews Interview with Con Kolivas (APC)APC interviews (ex-)kernel developer Con Kolivas. "If there is any one big problem with kernel development and Linux it is the complete disconnection of the development process from normal users. You know, the ones who constitute 99.9% of the Linux user base."
Reviews GMF: Beyond the Wizards (O'ReillyNet)O'ReillyNet looks at the Eclipse Graphical Modeling Framework. "In today's development environment, users expect to be able to visualize data, configuration, and even the processes of a system. For this reason, they use tools to communicate requirements visually with stakeholders and subject matter experts. Think for a moment about UML, it takes a very complex set of data and represents it visually to simplify the communication of software requirements and design. Likewise, there are potential visual tools for describing workflows, data mining, server management, and many other business processes. These tools are able to boost productivity and reduce cost, which is obviously a win-win situation."
Canonical launches Web-based systems management for Ubuntu (Linux-Watch)Linux-Watch takes a look at Ubuntu's Landscape. "Landscape will be available to Canonical's support subscribers. Landscape provides a key tool for the growing number of businesses that want to take advantage of the ease of use of Ubuntu and have previously seen system administration or support as a hurdle. This is Canonical's first native Ubuntu system deployment and management tool."
Navicore on the N800: Taking Linux to the streets! (Linux.com)Linux.com takes a look at using GPS mapping and navigation on the N800 Internet Tablet. "Navicore is Nokia's GPS mapping and navigation program for the N800 Internet Tablet. The kit comes with a Bluetooth GPS receiver, car-mounting hardware, and a memory card containing the Navicore Personal software and map collection. If you have an N800, it's a great travel aid."
OLPC's XO laptop (BBC News)BBC News looks inside the OLPC XO laptops. "The One Laptop Per Child project is one step closer to releasing the completed machine to millions of schoolchildren in the developing world. But what makes the computer so unique?" (Thanks to Bevis R W King)
Pleasant Diversions At Studio Dave (Linux Journal)Dave Phillips looks at the LiVES video editor for Linux, and Reaper, a native Windows audio/MIDI sequencer running under Wine. "I've written about Reaper in previous articles, but recently I've had a special occasion to get into the program more deeply. I've inherited a gifted student who wants to learn how to use the computer as a tool for music composition. He's a very talented guitarist, he's already written more than a dozen songs, and he has no-one around him at his age who can play at his level. He's 12 years old."
Latest Mozilla Sunbird is a well-connected calendar (Linux.com)Linux.com reviews Sunbird. "Mozilla's Sunbird calendaring application lives perpetually in the shadow of its siblings Firefox and Thunderbird, garnering just a fraction of the developer effort and publicity lavished on the browser and email client. Nevertheless, it is slowing maturing into a reliable tool worthy of the Mozilla brand."
Pyro delivers Web apps to the Linux desktop (DesktopLinux)DesktopLinux looks at the alpha release of the Pyro Desktop. "The Pyro project has launched its "Pyro Desktop," a new Linux application with the lofty goal of "true integration between the Web and modern desktop computing." Pyro offers an interesting new approach to deploying Web-based applications on the Linux desktop, reminiscent of Opera's and Vista's widgets."
Mozilla begets WebRunner, a site-specific browser (Linux.com)Linux.com takes a look at WebRunner. "Nowadays, people are turning to Web-based applications as replacements for desktop applications. Web-based office suites, mail clients, multimedia apps, and general productivity tools are all extremely useful now, but standard Web browsers aren't always the best option for running applications. To provide a more suitable tool for Web-based apps, Mozilla Platform Evangelist Mark Finkle has been working on WebRunner, a site-specific browser (SSB) that's designed to work exclusively with one application at a time. It's not finished yet, but it's already showing promise."
Miscellaneous Next major PC company to go Linux will be HP (Linux-Watch)Linux-Watch predicts that HP will be entering the desktop Linux systems market. "What I expect to hear at LinuxWorld is that HP will be offering two Linux desktop SKUs. One will feature Novell's SLED 10 SP 1 for business users. The other will be for home owners and use Ubuntu 7.04."
Inside One Laptop per Child: Episode 04 (Red Hat Magazine)Red Hat Magazine has another entry in its video series about the OLPC project. "Episode 04 takes us on location in Porto Alegre, Brazil. Where the first batches of XOs have been delivered and deployed. Meet the teachers using the laptops in the classroom. Where besides doing daily assignments on the machines, some students have already learned programing." It's a six-minute Ogg Theora file.
Page editor: Forrest Cook Announcements Non-Commercial announcements Akaza Research awarded NIH grant (LinuxMedNews)LinuxMedNews reports on the winning of an NIH grant by Akaza Research. "Akaza Research, LLC announced today that it has been awarded a two-year Phase II SBIR grant from the National Institutes of Health to continue development of the open source clinical trials data capture system, OpenClinica. The objectives of the project include further development of the OpenClinica open source community, addition of new features, such as calendaring, coding, and adverse events to the core OpenClinica platform, and implementation of data exchange capabilities."
Marcus Rex to be CTO at the Linux FoundationThe Linux Foundation has announced that long-time SUSE manager Marcus Rex will be the group's new chief technology officer. It's a one-year position, after which Mr. Rex will go back to Novell. "As CTO, Rex will lead all technical initiatives for the Linux Foundation, including oversight of the Linux Standard Base and other workgroups such as Open Printing. He will also be the primary technical interface to LF members and the LF's Technical Advisory Board who represent the kernel community."
The all-new Linux Fund Visa Card launches todayA new Linux Fund Visa Card has been announced. "The Linux Fund began in 1999. Since then, the organization has handed out over one-half million dollars in grants to Free and Open Source Software (F/OSS) projects like Blender, FreeGeek and the WikiMedia Foundation. "We don't represent a wealthy patron or a long-dead industrialist," says Mandel. "Our donations come from engineers, managers, and ordinary working geeks who use The Linux Fund Visa in the course of everyday living. "The way it works is actually quite cool, Just by using The Linux Fund Visa card, ordinary geeks can participate in serious philanthropy, at no out-of-pocket cost to themselves. Each time a cardholder uses their card, a donation is made to The Linux Fund by the card issuer, U.S. Bank."
SugarCRM goes to GPLv3SugarCRM has announced that the upcoming 5.0 release of its "community edition" CRM software will carry the GPLv3 license. This is a big improvement over the current license which contains badgeware provisions and was never accepted as open source. "Sugar Community Edition 5.0 is expected to be released in September, and introduces innovative platform features, new CRM functionality and community development tools."
Commercial announcements Entrust contributes essential PKI technology component to open-source communityEntrust, Inc. has announced the release of its public key infrastructure technology to the open-source community. "To support that goal, the layered security expert is contributing public key infrastructure (PKI) technology to the open-source community through Sun Microsystems, Inc. and the Mozilla Foundation. Specifically, Entrust will supply its certificate revocation list distribution points (CRL-DP) patent 5,699,431 to Sun under a royalty-free license for incorporation of that capability into the Mozilla open-source libraries."
Ingres Joins the Eclipse FoundationIngres Corporation has announced that it has become a member of the Eclipse Foundation. "According to Emma McGrattan, Ingres senior vice president of engineering, "Ingres has a large application development community using a variety of application development languages across a host of operating system platforms. Eclipse encompasses the diverse needs of Ingres developers by providing an Integrated Development Environment (IDE), a rich and robust development and debugging platform for building the most sophisticated enterprise applications.""
ITema releases enterprise service bus for PHP developersITema, Inc. has announced the release its Blackbird PHP enterprise service bus software under the GPL. "Blackbird allows PHP developers to rapidly develop loosely coupled software applications, allowing them to leverage PHP's development speed and ease of use for application integration tasks. It also integrates easily with Apache ServiceMix by sharing a common message queue server, Apache ActiveMQ. This allows developers to mix PHP and Java components with minimal effort."
OpenLogic introduces new development and production support packagesOpenLogic has announced two new open-source support development and production support packages. "OpenLogic, Inc., a provider of enterprise open source software solutions encompassing hundreds of open source packages, today announced the availability of two cost-effective support packages for enterprises using open source software. These new packages are designed to cover the full spectrum of open source support needs, from development and QA to staging and production."
Passport Software releases PBS Manufacturing Series for LinuxPassport Software, Inc. has announced the release of PBS Manufacturing Series Version 11.5 for LINUX. ""For companies who have chosen Linux for their operating system, software solution choices have been slim. PBS Manufacturing changes that", says Ian Creswell, Passport's Manufacturing Product Manager. "For Linux users, PBS Manufacturing combined with Passport Business Solutions offers a complete, fully integrated business solution that brings the sophisticated tools of bigger ERP systems to the small to mid-size company for better control of their manufacturing, make-to-order, or job shop operations" continues Creswell."
Xandros acquires ScalixXandros has announced the acquisition of Scalix. "Today Xandros, the leading provider of intuitive end-to-end Linux solutions and cross platform management tools, announced the acquisition of Scalix, the premier award-winning Linux e-mail, calendaring and messaging company."
New Books Artist's Guide to GIMP Effects -- New from No Starch PressNo Starch Press has published the book Artist's Guide to GIMP Effects: GIMP for photography, special effects, and design by Michael J. Hammel.
Contests and Awards The 2007 Best of SugarCRM awards programSugarCRM Inc. has announced the first annual Best of SugarCRM Award program, which recognizes best-in-class SugarCRM implementations. "SugarCRM is now accepting nominations for the award through Monday, August 6, 2007. Finalists will be publicly announced on Wednesday, August 8, 2007 at the LinuxWorld Expo in San Francisco. The awards ceremony dinner will be held in conjunction with the CRM Acceleration Summit in New York City on Monday, August 20, 2007."
Surveys Study shows enterprises evaluate on Windows, deploy on LinuxAlfresco Software, Inc. has announced its global survey of trends in the use of open source software in the enterprise. "The Alfresco open source barometer survey, conducted April through June 2007 using opt-in data provided by 10,000 of the 15,000 Alfresco community members, showed that Windows is increasingly a popular evaluation platform for open source software but most enterprises use Linux when they go into production. The survey also asked users about their preferences in operating systems, application servers, databases, browsers, and portals to capture the latest information in how companies today evaluate and deploy open source and legacy proprietary software stacks in the enterprise."
Event Reports Mandriva and Intel Showcase classmate PC at aKademyMandriva and Intel demonstrated the classmate PC at the aKademy conference. "Intel's Latin America Linux Strategic Program Manager Sulamita Garcia and Mandriva's KDE developer Helio de Castro were participating at aKademy 2007, KDE's annual meeting of the KDE community, demonstrating the flexibility and the specialized educational interface of Mandriva Linux on the Intel-powered classmate PC in the "Edu and School" presentation sessions."
PgDay Portland, A huge success!The Portland, Oregon PgDay event was a success. "On July 22nd, PostgreSQL.Org held a single day conference in Portland Oregon preceding OSCON 2007. This conference, although short notice was a huge success. We had solid attendance from new and old community members.Notable talks for me was Theo Schlossnagle's talk on Solaris and PostgreSQL. It was enlightening to see where PostgreSQL is lacking, (places I didn't realize) and how Theo has worked around the problems to provide a quite decent set of tools for Solaris and PostgreSQL."
Upcoming Events Red Hat To Showcase Open Source Enterprise Solutions At GITEX 2007Red Hat has announced that it will be attending the 27th Gulf Information Technology Exhibition (GITEX). At the event, Red Hat will present its latest Red Hat Enterprise Linux 5 operating system and JBoss Enterprise Application Platform to its Middle Eastern partners and to potential customers.
Software Freedom Day 2007Software Freedom Day 2007 has been announced. "September 15th marks Software Freedom Day, the world's largest celebration and outreach effort about why transparent and sustainable technologies like Free & Open Source Software are so important. Community groups in more than 80 countries organise local activities and programs on Software Freedom Day to educate the wider public about free software: what it is, how it works and its relationship to human rights and sustainability. We already have over 140 teams around the world registered: join them in spreading the word!"
Events: August 2, 2007 to October 1, 2007The following event listing is taken from the LWN.net Calendar.
If your event does not appear here, please tell us about it. Web sites Introducing beautifulcode.oreillynet.comO'Reilly has announced the launch of the beautifulcode.oreillynet.com web site. "The new, easy-to-use site gives the public the opportunity to discuss the book's projects and to contribute information about other projects that illustrate coding artistry. The site is designed to build community among new and experienced innovative programmers and designers who are inventing and creating elegant coding solutions now and in the future."
Staging Site for Firefox Support Knowledge Base Ready (MozillaZine)MozillaZine reports on the launch of the Firefox Support knowledge base. "Chris Ilias writes: "The staging site for the new Firefox Support knowledge base is now up and running, and were looking for people to help contribute content. We have an initial list of articles we would like created for the alpha version, so feel free to create an account, assign yourself to an article, and create it. Our primary goal, right now, is core content."
TechBase Hits 1,000,000 (KDE.News)KDE.News reports that the TechBase site has reached a milestone. "KDE's new technical documentation library, TechBase, hit an important milestone today when it served up its one millionth page. In step with the KDE 4.0 development cycle, TechBase is rapidly maturing into a central hub for high-level technical information related to KDE and the Free software desktop."
Audio and Video programs ELCOT's success story on OSS migration on youtube.comKrishna Pagadala reports on the availability of a YouTube video on the migration to OSS by India's ELCOT. "After a year of experimentation and implementation, ELCOT made a corporate video on how it migrated to linux, notably suse linux which had stolen the hearts of all ELCOT's officials."
Page editor: Forrest Cook
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||