Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for August 2, 2007Open-source badgeware "Badgeware" refers to a class of software with licenses requiring that some sort of attribution of its origin be displayed in all copies. An example which has seen much discussion over the last year is SugarCRM, whose license required that every screen carry a 106x23 "Powered by SugarCRM" logo and a copyright notice. This decoration was required for any program derived from the SugarCRM code, even if it was far removed from SugarCRM in its actual functionality. SugarCRM's pushing of this license and describing it as "open source" caused a lot of fuss; many in the community were glad when SugarCRM recently announced that it was dropping its badgeware license in favor of GPLv3.Badgeware licenses are seen widely (though not universally) as not being free. "Free," for the purposes of a discussion like this, means compliant with the Open Source Definition. It is said that badgeware provisions interfere with clause 3, which requires that it be possible to create derived works. Since the attribution functionality cannot be removed, certain kinds of modifications are prohibited by attribution requirements. Provision 6 says that there cannot be any discrimination against any particular field of endeavor; badgeware requirements can prevent code from running in a mode where there is no graphical interface, or where the display is so small (on a phone handset, for example) that the requisite attribution would take up most of the useful space. And term 10 requires that the license be technology-neutral, which is hard to achieve if the license is requiring that attribution be displayed in specific ways. Even so, attribution requirements are not unknown in free software licenses. The OSI-approved Adaptive Public License (APL) has such a requirement. Version 2 of the General Public License puts this requirement on derived works:
If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive
use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there
is no warranty (or else, saying that you provide a warranty) and
that users may redistribute the program under these conditions, and
telling the user how to view a copy of this License. (Exception: if
the Program itself is interactive but does not normally print such
an announcement, your work based on the Program is not required to
print an announcement.)
Early versions of the BSD license also carried the infamous advertising clause. So attribution requirements are not exactly a new thing. The debate on those licenses has certainly not ended; a number of companies have taken the liberty of calling their badgeware licenses "open source" despite the lack of any certification from the Open Source Initiative. In most cases, that certification has not even been requested, perhaps because the companies involved fear that the answer would not be to their liking. An exception has been Socialtext, which submitted its Common Public Attribution License for OSI approval (after several previous rounds) in June. There was a long, inconclusive discussion. The OSI's license committee considered the license in July, but was unable to provide a recommendation. Committee chair Russ Nelson personally recommended approval, though, saying:
The APL was not a widely used license, I suspect because of its
complexity. Let's give attribution requirements another chance in
a simpler license. If such a licensed software does not achieve
the Open Source effect, it will put the issue to rest.
Shortly thereafter, the OSI board took his advice and approved the CPAL as an open-source license. The CPAL (in its final form) is based strongly on the Mozilla Public License, but it adds two terms to the end. One, of course, is the attribution requirement:
...the Original Developer may include in Exhibit B ("Attribution
Information") a requirement that each time an Executable and
Source Code or a Larger Work is launched or initially run (which
includes initiating a session), a prominent display of the Original
Developer's Attribution Information (as defined below) must occur
on the graphic user interface employed by the end user to access
such Covered Code (which may include display on a splash screen),
if any. The size of the graphic image should be consistent with the
size of the other elements of the Attribution Information. If the
access by the end user to the Executable and Source Code does not
create a graphic user interface for access to the Covered Code,
this obligation shall not apply.
There are some limits on the attribution information - the phrase cannot exceed ten words, for example. The attribution need only be displayed at startup time, and not on every screen as some other licenses have required. If there is no graphical interface, there is no requirement to display the attribution information. So it would seem that this is about as gentle as attribution requirements can be expected to be - and it is no worse than was already approved in the APL. One interesting term appears to have not drawn much scrutiny:
You acknowledge that all trademarks, service marks and/or trade
names contained within the Attribution Information distributed with
the Covered Code are the exclusive property of their owners and may
only be used with the permission of their owners, or under
circumstances otherwise permitted by law or as expressly set out in
this License.
Nothing in the license grants any sort of permission to use any trademarks which might be contained in the required attribution information. Since display of the attribution information is required, a denial of the right to use the trademark could potentially shut down any right to use the software at all. So anybody who is considering building on a CPAL-licensed program would be well advised to carefully study the trademark policies which apply to the attribution information. The CPAL also contains a Affero-style requirement that the source be made available to anybody who uses the software. So anybody who builds a web site based on CPAL-licensed code must be prepared to distribute their source even if they are not distributing the software in any other form. The reaction to this approval has not been universally positive. There are many in our community who do not want to see badgeware legitimized as "open source"; they see the CPAL as being a nose in the tent door with a very large camel behind it. On the other hand, Socialtext has done its best to play by the rules and has spent many months trying to craft attribution terms which meet the community's standards. The real test, now, will be to see whether others use this license or build upon CPAL-licensed software. If that does not happen, the CPAL will have little effect regardless of what the OSI thinks of it.
Thunderbird to form its own organization A blog posting by Mitchell Baker, chief lizard wrangler and CEO at Mozilla Corp., set off a firestorm of reaction, as it suggested that it might be best for Thunderbird to split off from Mozilla. The reaction was probably much stronger and louder than Baker expected, so she has followed up with a number of additional posts, clarifying her statements. Though it is rather counter-intuitive, it may actually be for the best, the main developers are backing the plan. It could lead to bigger and better things for the project. Baker posted her thoughts last week, which were picked up by various online news sources and the controversy began. Various conspiracy theories, typically involving Google, were promulgated. The ultimate mission of both Mozilla Foundation (MF) and Mozilla Corp. (MC) were debated, those organizations alternately ridiculed, reviled and defended. In short, it was a typical internet flamefest, with far more heat than light. Baker's original posting was lacking in many of the details that she filled in later, making it far easier for commenters to provide their own explanations. The picture that is emerging actually seems quite positive for Thunderbird development. Essentially, Baker, other Mozilla Foundation board members and the lead developers all recognized that Thunderbird was not getting the attention it deserved - it is overshadowed by Firefox, its higher profile sibling. The MF has been focused on Firefox from the outset and created Mozilla Corp. as the for-profit entity to handle the revenue from the Firefox deal with Google. The vast majority of MC employees are working on Firefox which is not likely to change. The two Mozilla entities want to focus their energy on Firefox - Thunderbird was suffering because of it. Thunderbird has never attracted the following that Firefox has. In terms of users, developers and community members, Thunderbird is probably two orders of magnitude smaller than Firefox. Increasing the size of the Thunderbird community is at least part of what Baker is trying to do. Her original post is titled Email Call to Action and contains some thoughts about coming up with a wider email vision that have mostly been drowned out in the Thunderbird governance debate. Baker outlined three possible scenarios for how to move Thunderbird out from under the current structure and asked for suggestions on others. The first and second options are similar in that they create a new foundation for Thunderbird, either as a subsidiary of MF or as a full-fledged company of its own. Both are considered to have a fairly high overhead, organizationally, and creating a subsidiary foundation still does not really address the problem, as MF will still be dealing with Thunderbird issues. The third option is to spin off the developers into a small, independent, for-profit services and consulting company, while turning Thunderbird into a Mozilla community project, like SeaMonkey. Another, potentially viable, option has emerged from the comments: Thunderbird could move to another organization, the Apache Foundation is often mentioned, where it would be on a more equal footing with that organization's other projects. Based on the thoughts posted by Thunderbird lead developer, Scott MacGregor, it would appear that the independent company option is emerging as the lead contender. It has the advantage of being the simplest to set up and get going, with "start-up" funding being the major question. Based on Baker's posts, it would seem likely that MC would help with funding, at least for a bit, but a revenue model of some kind would have to come along relatively soon. With Thunderbird as a community project, very little would change from an external view. The development would stay on the Mozilla servers, the source code repositories and bug tracking systems would not move. The main difference would be that Thunderbird Corp. (or whatever it ends up being called) would be responsible for making releases of the code, much like the community handles SeaMonkey releases today. This would presumably allow Thunderbird to be released on its own schedule, without any link to the Firefox schedule. A Thunderbird Corp. may very well struggle for revenue. MC has been so successful because of their agreement with Google, making it the default Firefox search engine and homepage. This has brought in tens of millions of dollars in revenue, but it is hard to see how Thunderbird could capitalize on a similar deal. Thunderbird is, at some level, in direct competition with Google's Gmail service, which is what led some to believe Google was behind the "ouster" of Thunderbird from Mozilla. Baker has clearly stated that Google was completely uninvolved in the Thunderbird discussion, but there are still some who believe otherwise. Many vocal commenters on the various postings and stories are looking at this as a hostile act by Mozilla. It appears, however, that this is truly an attempt to recognize that things are not working and to try and find a solution that will work. According to Baker, MacGregor and others, it simply is not possible for two projects as disparate in size as Firefox and Thunderbird to be handled within the same organization; the smaller always gets the short end of the stick, a disproportionate short end. In order for Thunderbird to thrive, it needs to find its own way. It is hard to visualize Mozilla without Thunderbird or vice versa. Thunderbird's adoption rate has definitely been helped by the association with Mozilla (and Firefox). While they may officially be splitting up, that may not affect very much in the minds of the public. SeaMonkey is still associated with Mozilla, though it is run as a community project. Thunderbird will still share lots of code with Firefox - the community affiliation probably will not affect much, Thunderbird and Firefox are likely inextricably linked. The bigger question is whether a new Thunderbird organization can continue to deliver email client innovation that can attract more users and a larger community. The Lightning calendar is something that Thunderbird has needed for a long time. It is often the "yes, but" that is heard when organizations are considering dropping proprietary alternatives in favor of Thunderbird. There are plenty of new and exciting features on the Thunderbird roadmap, it is merely a matter of choosing wisely, getting them implemented and released, while struggling to find a revenue model that works. It is a tall order, but, with a lot of hard work and a bit of luck, it is achievable.
A turning point for open gadgets? The Economist recently ran an article on avoiding international roaming rates associated with cellphone use while traveling. Your editor's recent schedule has made him rather more than usually interested in that subject, so the article seemed worth a read. It seems that there are not a whole lot of truly viable solutions available at the moment; the recommended approach appears to be to get an unlocked GSM phone and buy SIM cards locally - not something one needs an Economist subscription to know about. Happily, the article concludes that "relief" is at hand; it then expends several paragraphs on just what form that relief will take:
Several months before Steve Jobs, Apple's media-savvy boss, gave
the world its first tantalising glimpse of the iPhone, something
remarkably similar in appearance (but wholly different within) was
shown to the Linux software community and other open-source
evangelists. OpenMoko, an initiative aimed at developing all the
technology for a mobile smart phone based on non-proprietary Linux
software, is everything the iPhone could have been but is not.
The article notes that the openness of the platform means that users will be able to install applications without the approval (or knowledge) of their cellular providers. Those applications can include voice over IP tools which can work via a data connection through a local GSM provider, thus shorting out the roaming and long distance charges. But there's a lot more that can be done - things that no cellular provider ever dreamed of. LWN readers will have often heard your editor's contention that truly open gadgets must, sooner or later, take over the market. But that takeover has been discouragingly slow in coming. Manufacturers prefer to keep their products closed and under their control; other forces, including pressures to support DRM schemes and regulatory issues, also come into play here. So, while we have more gadgets to play with than ever before, most of those gadgets cannot be hacked upon and extended to do interesting new things - at least, not without a serious effort on the community's part to crack them open. Awareness of the problems associated with closed devices has grown far more slowly than many of us would like. Most consumers, it seems, are interested in devices that Just Work and have little interest in extending them. So there is little pressure in the market for more open devices, and, thus, little incentive for manufacturers to offer them. The cellular industry may just be the place where this tide begins to turn. In the U.S., at least, this industry works under an exploitive and controlling model. Handsets are usually purchased through the provider, are locked to that provider, and lack any features which said provider worries could damage its revenue model. So even simple and obvious functions, like copying pictures from the handset onto its owner's computer, tend to be blocked. Voice over IP functionality which could be used to evade roaming charges in distant countries is entirely out of the question (though T-Mobile has just launched an interesting plan which enables free calls from WiFi hotspots). The cellular telephone has become an increasingly personal and indispensable tool. It is picking up a number of interesting new capabilities. Almost everybody has one in the richer parts of the world - and, often, in the less-rich parts as well. Phones which carry arbitrary restrictions designed to further somebody else's agenda will get the attention of people who are not ordinarily tuned into software freedom issues. That will be especially true when freer alternatives are out there and their potential becomes clear. So the OpenMoko phone may yet prove to be the revolutionary device that some of its backers have promised. Unlike every other Linux-based cellular phone produced so far, it will be an open system, free for anybody to extend in any number of ways. If this phone lives up to its potential at all, people will see what it can do and start asking why their shiny new handset can't be extended in the same ways. They might just start demanding a higher degree of openness from their vendors and/or providers. If we are lucky, purveyors of closed devices will start finding it harder to compete. Maybe, just maybe, the OpenMoko phone will succeed in teaching people about the value of free devices and, as a result, help bring an end to an era of hardware designed to serve the interests of people other than its owner. [As to whether the OpenMoko will live up to its potential: LWN has ordered one of their early development devices with the idea of writing an article or two about it. Anybody who has been following that situation knows that OpenMoko's fulfillment operation is currently not living up to much of any potential. Stay tuned, hopefully we'll have a device to review sometime soon.]
Page editor: Jonathan Corbet Security Our devices are spilling our secrets Recent news about a certain much-anticipated work of fiction being posted to the internet, in advance of its scheduled release, was not terribly surprising. The method used was, perhaps, a bit crude, and certainly time consuming, but it got the job done. Unbeknownst to the anonymous poster, their camera helpfully provided some extra information that might be used to track them down. Our devices are collecting all kinds of data about our habits and they are increasingly divulging that data in unexpected ways. In the case of the Harry Potter book, the camera serial number was recorded in the Exchangeable image file format (Exif) data of the JPEG files of each page. Based on that information, Canon, the camera's manufacturer, may be able to match the camera to its original purchaser. If the camera has been serviced in the three years since it was released, that would also create an entry matching the serial number to the owner at that time. Neither of those conclusively links a person to the "crime", if it even is a crime, but they could give any investigators a good place to start. It could have been a lot worse - some camera models have GPS capability built-in with Exif fields available to store that information on each shot. Perhaps the photo shoot happened deep enough inside some building that the GPS would not work, but over the hours it took to do that project, it seems quite possible that at least one shot would get tagged. It would be pretty easy to track down where the photos were taken if some were tagged with latitude and longitude coordinates. If it did not bring the police around, it certainly might have brought legions of Potter fans, eager to acquire the book early. GPS data encoded into each photograph that you take, is a useful feature, keeping track of where the photos were taken some years down the road after (human) memory has failed. The other Exif data, much of which is detailed information about camera settings, is probably quite useful to photographers and is much simpler than trying to keep a record of exposure settings as you take pictures. Gathering and storing the data is quite helpful, it is the unexpected disclosure that causes problems. It would be easy to ignore this problem, writing it off to an ignorant user, who should have scrubbed the Exif data before posting, but the problem comes in other guises as well. The US Secret Service evidently wants to be able to track your printer output, presumably as part of their anti-counterfeiting responsibilities, so they have convinced laser printer manufacturers to secretly add the now-famous yellow dots to each color page that is printed. Some of these codes have been cracked by the Electronic Frontier Foundation (EFF) and others, and have been found to contain model and serial numbers along with a timestamp of the print time. It is much harder to blame ignorant users when the device manufacturer actively tries to hide the fact that identifying information is being leaked. Worse yet, it appears that inquiring about this practice and asking how to turn it off can lead to a visit from the Secret Service. There is nothing quite like a visit from a federal agent to stifle dissent. The folks at Seeing Yellow have lots more information, including a plan to overwhelm the agency through sheer numbers of people asking how to turn this "feature" off. Imagine a world where the government required each person to carry a device that: knew its location via GPS, had the ability to take pictures and wireless connectivity. It is a scenario that would be ripe for abuse. In many ways, lots of people already, voluntarily, live in that world as cell phones have all those characteristics. It is not inconceivable that the cell phone manufacturers have already had a visit, from the Department of Homeland Security (DHS) or some other three-letter agency of the government, asking for help in the "War on Terror." The devices are certainly capable of reporting location (possibly with a helpful photo of people in the vicinity) back to the carrier and through them to the DHS. Probably, hopefully, that is not (yet?) happening, but there is no real technical barrier. If we ratchet the paranoia level down a notch, cell phones, in particular smart phones, still pose an enormous target for the criminal world. Subverting phones that have cameras and GPS, to run them under the control of an attacker, makes an incredible surveillance tool. By using the same kinds of techniques that are used to spread viruses and spyware today, it should not be difficult to get targets to willingly perform actions that will lead to the subversion of their phone. From there, the attacker can get all of the call records, photos, calendar items and contacts while directing the phone to transmit its location every minute to the attacker. Not only could this kind of information be used by stalkers, muggers and other criminals, this same capability could be used by lovers or employers to track people, keeping tabs on their movements and contacts. Rather than hire a private investigator, a jealous husband or wife might just borrow the other's phone, surf to a spyware site, and install a tracking program themselves. The opportunities are endless and exceedingly frightening for anyone concerned about privacy in today's world. There are no easy answers on how to protect oneself against these unintentional data leaks. The organizations and individuals interested in collecting the data are doubly interested in concealing the fact that they are doing it, but, worse still, it is difficult for users to detect. If a cell phone is sending a short burst of encrypted information every minute, how would the average user, or even a sophisticated lab, detect and decode that data? If someone had not stumbled upon the yellow dots, we might be printing traceable documents, in blissful ignorance, to this day. What other, similar kinds of tracking are going on that we do not yet know about? Free software can certainly help with this problem, but it is no panacea. Being able to replace the software in a device, with code that can be scrutinized and built before installing, is a good way to know what the device will do. Getting code that is vouched for by a trusted group, also serves to alleviate privacy leakage concerns. That is not the end of the story, unfortunately, as the hardware itself may be the culprit. Laser printer hardware is likely responsible for the identifying information in the output, making it rather difficult to replace. It is extremely difficult to know what the hardware in other devices might be doing behind our backs. The truly paranoid will not be willing to trust any hardware they did not build themselves, perhaps from individual transistors, while trying to figure out how to trust the compiler. For the rest of us, open platforms, like OpenMoko, with free software and hardware, may provide reasons to believe that our data is protected; unless, of course, the device gets stolen or lost - encryption anyone?
New vulnerabilities gpdf: integer overflow
drupal: cross site request forgery
festival: privilege escalation
firefox: multiple vulnerabilities
gdm: denial of service
libvorbis: multiple memory corruption flaws
qt: arbitrary code execution
unrar: integer signedness error
vim: arbitrary code execution
Updated vulnerabilities apache2: information disclosure
apache: multiple vulnerabilities
apache: cross-site scripting
Asterisk: two SIP denial of service vulnerabilities
avahi: denial of service
bind: DNS cache poisoning
bochs: buffer overflow
bugzilla: multiple vulnerabilities
centericq: buffer overflows
clamav: denial of service
cups: denial of service
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
dovecot: directory traversal
emacs21: denial of service
evolution: format string error
evolution-data-server: malicious server arbitrary code execution
pop mail man-in-the-middle attacks
fail2ban: log injection vulnerability
fail2ban: denial of service
file: integer overflow
firebird: buffer overflow
firefox: multiple vulnerabilities
firefox, thunderbird, seamonkey: multiple vulnerabilities
flac123: arbitrary code execution
flash-plugin: input validation flaw
freetype: integer overflows
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||