By Jonathan Corbet
July 31, 2007
"Badgeware" refers to a class of software with licenses requiring that some
sort of attribution of its origin be displayed in all copies. An example
which has seen much discussion over the last year is SugarCRM, whose
license required that every screen carry a 106x23 "Powered by SugarCRM"
logo and a copyright notice. This decoration was required for any program
derived from the SugarCRM code, even if it was far removed from SugarCRM in
its actual functionality. SugarCRM's pushing of this license and
describing it as "open source" caused a lot of fuss; many in the community
were glad when SugarCRM recently
announced
that it was dropping its badgeware license in favor of GPLv3.
Badgeware licenses are seen widely (though not universally) as not being
free. "Free," for the purposes of a discussion like this, means compliant
with the Open Source
Definition. Badgeware provisions are said to conflict with
clause 3, which requires that it be possible to create derived works:
since the attribution functionality cannot be removed, certain kinds of
modifications are effectively prohibited. Provision 6 says that there
cannot be any discrimination against any particular field of endeavor;
badgeware requirements can prevent code from running in a mode where there
is no graphical interface, or where the display is so small (on a phone
handset, for example) that the requisite attribution would take up most of
the useful space. And term 10 requires that the license be
technology-neutral, which is hard to achieve if the license is requiring
that attribution be displayed in specific ways.
Even so, attribution requirements are not unknown in free software
licenses. The OSI-approved Adaptive Public
License (APL) has such a requirement. Version 2 of the General Public
License puts this requirement on derived works:
If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive
use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there
is no warranty (or else, saying that you provide a warranty) and
that users may redistribute the program under these conditions, and
telling the user how to view a copy of this License. (Exception: if
the Program itself is interactive but does not normally print such
an announcement, your work based on the Program is not required to
print an announcement.)
Early versions of the BSD license also carried the infamous advertising
clause. So attribution requirements are not exactly a new thing. The
debate on those licenses has certainly not ended; a number of companies
have taken the liberty of calling their badgeware licenses "open source"
despite the lack of any certification from the Open Source Initiative. In
most cases, that certification has not even been requested, perhaps because
the companies involved fear that the answer would not be to their liking.
An exception has been Socialtext, which submitted its Common
Public Attribution License for OSI approval (after several previous
rounds) in June. There was a long, inconclusive discussion.
The OSI's license committee considered the license in July, but
was unable to provide a recommendation.
Committee chair Russ Nelson personally recommended approval, though,
saying:
The APL was not a widely used license, I suspect because of its
complexity. Let's give attribution requirements another chance in
a simpler license. If such a licensed software does not achieve
the Open Source effect, it will put the issue to rest.
Shortly thereafter, the OSI board took his advice and approved the CPAL as an open-source license.
The CPAL (in its final
form) is based strongly on the Mozilla Public License, but it adds two
terms to the end. One, of course, is the attribution requirement:
...the Original Developer may include in Exhibit B ("Attribution
Information") a requirement that each time an Executable and
Source Code or a Larger Work is launched or initially run (which
includes initiating a session), a prominent display of the Original
Developer's Attribution Information (as defined below) must occur
on the graphic user interface employed by the end user to access
such Covered Code (which may include display on a splash screen),
if any. The size of the graphic image should be consistent with the
size of the other elements of the Attribution Information. If the
access by the end user to the Executable and Source Code does not
create a graphic user interface for access to the Covered Code,
this obligation shall not apply.
There are some limits on the attribution information - the phrase cannot
exceed ten words, for example. The attribution need only be displayed at
startup time, and not on every screen as some other licenses have
required. If there is no graphical interface, there is no requirement to
display the attribution information. So it would seem that this is about
as gentle as attribution requirements can be expected to be - and it is no
worse than was already approved in the APL.
One interesting term appears to have not drawn much scrutiny:
You acknowledge that all trademarks, service marks and/or trade
names contained within the Attribution Information distributed with
the Covered Code are the exclusive property of their owners and may
only be used with the permission of their owners, or under
circumstances otherwise permitted by law or as expressly set out in
this License.
Nothing in the license grants any sort of permission to use any trademarks
which might be contained in the required attribution information. Since
display of the attribution information is required, a denial of the right
to use the trademark could potentially shut down any right to use the software at all.
So anybody who is considering building on a CPAL-licensed program would be
well advised to carefully study the trademark policies which apply to the
attribution information.
The CPAL also contains an Affero-style requirement that the source be made
available to anybody who uses the software. So anybody who builds a
web site based on CPAL-licensed code must be prepared to distribute their
source even if they are not distributing the software in any other form.
The reaction to this approval has not been universally positive. There are
many in our community who do not want to see badgeware legitimized as "open
source"; they see the CPAL as being a nose in the tent door with a very
large camel behind it. On the other hand, Socialtext has done its best to
play by the rules and has spent many months trying to craft attribution
terms which meet the community's standards. The real test, now, will be to
see whether others use this license or build upon CPAL-licensed software.
If that does not happen, the CPAL will have little effect regardless of
what the OSI thinks of it.
Comments (5 posted)
By Jake Edge
August 1, 2007
A blog posting by Mitchell Baker, chief lizard wrangler and CEO at Mozilla
Corp., set off a firestorm of reaction, as it suggested that it might be best
for Thunderbird to split off from Mozilla. The reaction was probably much
stronger and louder than Baker expected, so she has followed up with a
number of additional posts, clarifying her statements. Though it is rather
counter-intuitive, the split may actually be for the best; the main
developers are backing the plan, and it could lead to bigger and better
things for the project.
Baker posted her thoughts last week, which were picked up by various online
news sources and the controversy began. Various conspiracy theories,
typically involving Google, were promulgated. The ultimate missions of both
the Mozilla Foundation (MF) and Mozilla Corp. (MC) were debated, and those
organizations were alternately ridiculed, reviled
and defended. In short, it was a typical internet flamefest, with far more
heat than light. Baker's original posting was lacking in many of the
details that she filled in later, making it far easier for commenters
to provide their own explanations. The picture that is emerging actually
seems quite positive for Thunderbird development.
Essentially, Baker, other Mozilla Foundation board members and the
lead developers all recognized that Thunderbird was not getting the
attention it deserved - it is overshadowed by Firefox, its higher profile
sibling. The MF has been focused on Firefox from the outset and
created Mozilla Corp. as the for-profit entity to handle the revenue
from the Firefox deal with Google. The vast majority of MC employees
are working on Firefox which is not likely to change. The two Mozilla
entities want to focus their energy on Firefox - Thunderbird was
suffering because of it.
Thunderbird has never attracted the following that Firefox has. In terms
of users, developers and community members, Thunderbird is probably two
orders of magnitude smaller than Firefox. Increasing the size of the
Thunderbird community is at least part of what Baker is trying to do. Her
original post is titled Email Call to Action and contains some
thoughts about coming up with a wider email vision that have mostly been drowned out in
the Thunderbird governance debate.
Baker outlined three possible scenarios for how to move Thunderbird out
from under the current structure and asked for suggestions on others. The
first and second options are similar in that they create a new foundation
for Thunderbird, either as a subsidiary of MF or as a full-fledged company
of its own. Both are considered to have a fairly high overhead,
organizationally, and creating a subsidiary foundation still does not
really address the problem, as MF will still be dealing with
Thunderbird issues. The third option is to spin off the
developers into a small, independent, for-profit services and consulting
company, while turning Thunderbird into a Mozilla community project, like SeaMonkey. Another,
potentially viable, option has emerged from the comments: Thunderbird could
move to another organization, the Apache Foundation is often mentioned,
where it would be on a more equal footing with that organization's other
projects.
Based on the thoughts
posted by Thunderbird lead developer, Scott MacGregor, it would appear that
the independent company option is emerging as the lead contender. It has
the advantage of being the simplest to set up and get going, with
"start-up" funding
being the major question. Based on Baker's posts, it would seem likely
that MC would help with funding, at least for a bit, but a revenue model of
some kind would have to come along relatively soon.
With Thunderbird as a community project, very little would change from an
external view. The development would stay on the Mozilla servers, the
source code repositories and bug tracking systems would not move. The main
difference would be that Thunderbird Corp. (or whatever it ends up being
called) would be responsible for making releases of the code, much like the
community handles SeaMonkey releases today. This would presumably allow
Thunderbird to be released on its own schedule, without any link to the
Firefox schedule.
A Thunderbird Corp. may very well struggle for revenue. MC has been so
successful because of their agreement with Google, making it the default
Firefox search engine and homepage. This has brought in tens of millions
of dollars in revenue, but it is hard to see how Thunderbird could
capitalize on a similar deal. Thunderbird is, at some level, in direct
competition with Google's Gmail service, which is what led some to believe
Google was behind the "ouster" of Thunderbird from Mozilla. Baker has clearly
stated that Google was completely uninvolved in the Thunderbird
discussion, but there are still some who believe otherwise.
Many vocal commenters on the various postings and stories are looking at
this as a hostile act by Mozilla. It appears, however, that this is truly an
attempt to recognize that things are not working and to try and find a
solution that will work. According to Baker, MacGregor and others, it
simply is not possible for two projects as disparate in size as Firefox and
Thunderbird to be handled within the same organization; the smaller always
gets the short end of the stick, a disproportionate short end. In order
for Thunderbird to thrive, it needs to find its own way.
It is hard to visualize Mozilla without Thunderbird or vice versa.
Thunderbird's adoption rate has definitely been helped by the association
with Mozilla (and Firefox). While they may officially be splitting up,
that may not affect very much in the minds of the public. SeaMonkey is
still associated with Mozilla, though it is run as a community project.
Thunderbird will still share lots of code with Firefox, so the change in
community affiliation probably will not affect much; Thunderbird and Firefox
are likely inextricably linked.
The bigger question is whether a new Thunderbird organization can
continue to deliver email client innovation that can attract more users and
a larger community. The Lightning
calendar is something that Thunderbird has needed for a long time. It is
often the "yes, but" that is heard when organizations are considering
dropping proprietary alternatives in favor of Thunderbird. There are
plenty of new and exciting features on the Thunderbird
roadmap; it is merely a matter of choosing wisely and getting them
implemented and released, while struggling to find a revenue model that
works. It is a tall order, but, with a lot of hard work and a bit of luck,
it is achievable.
Comments (2 posted)
By Jonathan Corbet
July 31, 2007
The Economist recently ran
an
article on avoiding international roaming rates associated with
cellphone use while traveling. Your editor's recent schedule has made him
rather more than usually interested in that subject, so the article seemed
worth a read. It seems that there are not a whole lot of truly viable
solutions available at the moment; the recommended approach appears to be
to get an unlocked GSM phone and buy SIM cards locally - not something one
needs an Economist subscription to know about. Happily, the article
concludes that "relief" is at hand; it then expends several paragraphs on
just what form that relief will take:
Several months before Steve Jobs, Apple's media-savvy boss, gave
the world its first tantalising glimpse of the iPhone, something
remarkably similar in appearance (but wholly different within) was
shown to the Linux software community and other open-source
evangelists. OpenMoko, an initiative aimed at developing all the
technology for a mobile smart phone based on non-proprietary Linux
software, is everything the iPhone could have been but is not.
The article notes that the openness of the platform means that users will
be able to install applications without the approval (or knowledge) of
their cellular providers. Those applications can include voice over IP
tools which can work via a data connection through a local GSM provider,
thus shorting out the roaming and long distance charges. But there's a lot
more that can be done - things that no cellular provider ever dreamed of.
LWN readers will have often heard your editor's contention that truly open
gadgets must, sooner or later, take over the market. But that takeover has
been discouragingly slow in coming. Manufacturers prefer to keep their
products closed and under their control; other forces, including pressures
to support DRM schemes and regulatory issues, also come into play here.
So, while we have more gadgets to play with than ever before, most of those
gadgets cannot be hacked upon and extended to do interesting new things -
at least, not without a serious effort on the community's part to crack
them open.
Awareness of the problems associated with closed devices has grown far more
slowly than many of us would like. Most consumers, it seems, are
interested in devices that Just Work and have little interest in extending
them. So there is little pressure in the market for more open devices,
and, thus, little incentive for manufacturers to offer them.
The cellular industry may just be the place where this tide begins to
turn. In the U.S., at least, this industry works under an exploitive and
controlling model. Handsets are usually purchased through the provider,
are locked to that provider, and lack any features which said provider
worries could damage its revenue model. So even simple and obvious
functions, like copying pictures from the handset onto its owner's
computer, tend to be blocked. Voice over IP functionality which could be
used to evade roaming charges in distant countries is entirely out of the
question (though T-Mobile has just launched an interesting plan which
enables free calls from WiFi hotspots).
The cellular telephone has become an increasingly personal and
indispensable tool. It is picking up a number of interesting new
capabilities. Almost everybody has one in the richer parts of the world -
and, often, in the less-rich parts as well. Phones which carry arbitrary
restrictions designed to further somebody else's agenda will get the
attention of people who are not ordinarily tuned into software freedom
issues. That will be especially true when freer alternatives are out there
and their potential becomes clear.
So the OpenMoko phone may yet prove to be the revolutionary device that
some of its backers have promised. Unlike every other Linux-based cellular
phone produced so far, it will be an open system, free for anybody to
extend in any number of ways. If this phone lives up to its potential at
all, people will see what it can do and start asking why their shiny new
handset can't be extended in the same ways. They might just start
demanding a higher degree of openness from their vendors and/or providers.
If we are lucky, purveyors of closed devices will start finding it harder
to compete. Maybe, just maybe, the OpenMoko phone will succeed in teaching
people about the value of free devices and, as a result, help bring an end
to an era of hardware designed to serve the interests of people other than
its owner.
[As to whether the OpenMoko will live up to its potential: LWN has ordered
one of their early development devices with the idea of writing an article
or two about it. Anybody who has been following that situation knows that
OpenMoko's fulfillment operation is currently not living up to much
of any potential. Stay tuned, hopefully we'll have a device to review
sometime soon.]
Comments (26 posted)
Page editor: Jonathan Corbet
Security
By Jake Edge
August 1, 2007
Recent news about
a certain much-anticipated work of fiction being posted to the internet, in
advance of its scheduled release, was not terribly surprising. The method
used was, perhaps, a bit crude, and certainly time consuming, but it got
the job done. Unbeknownst to the anonymous poster, their camera helpfully
provided some extra
information that might be used to track them down. Our devices are
collecting all kinds of data about our habits and they are increasingly
divulging that data in unexpected ways.
In the case of the Harry Potter book, the camera serial number was recorded
in the Exchangeable image file format
(Exif) data of the JPEG files of each page. Based on that information,
Canon, the camera's manufacturer, may be able to match the camera to its
original purchaser. If the camera has been serviced in the three years
since it was released, that would also create an entry matching the serial
number to the owner at that time. Neither of those conclusively links a
person to the "crime", if it even is a crime, but they could give any
investigators a good place to start.
It could have been a lot worse - some camera models have GPS capability
built-in with Exif fields available to store that information on each shot.
Perhaps the photo shoot happened deep enough inside some building that the
GPS would not work, but over the hours it took to do that project, it seems
quite possible that at least one shot would get tagged. It would be pretty
easy to track down where the photos were taken if some were tagged
with latitude and longitude coordinates. If it did not bring the police
around, it certainly might have brought legions of Potter fans, eager to
acquire the book early.
GPS data encoded into each photograph that you take is a useful
feature, keeping track of where the photos were taken some years down the
road after (human) memory has failed. The other Exif data, much of which
is detailed information about camera settings, is probably quite useful to
photographers and is much simpler than trying to keep a record of
exposure settings as you take pictures. Gathering and storing the data
is quite helpful; it is the unexpected disclosure that causes problems.
It would be easy to ignore this problem, writing it off to an ignorant
user, who should have scrubbed the Exif data before posting,
but the problem comes in other guises as well.
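What "scrubbing the Exif data" actually involves is worth seeing in code. The following is an added example, not code from the article or from any camera vendor: it builds a constructed JPEG skeleton (no real image data) whose Exif APP1 segment carries a Make string, a body serial number and a GPS latitude, walks the TIFF IFDs to find the identifying fields, and then rewrites the file without the Exif segment while keeping every other marker segment. The tag numbers are the standard ones from the Exif specification; note that the BodySerialNumber tag (0xA431) used for the sample was standardized later than 2007, and cameras of that era usually kept the serial in the proprietary MakerNote blob, which this parser does not decode.

```python
import struct

# Standard Exif/TIFF tag numbers and field types (from the Exif specification).
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
TAG_MAKE, TAG_EXIF_IFD, TAG_GPS_IFD = 0x010F, 0x8769, 0x8825
TAG_BODY_SERIAL = 0xA431            # BodySerialNumber; assumption for the sample,
                                    # older cameras put the serial in MakerNote
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002
SENSITIVE = {TAG_BODY_SERIAL: "camera serial number", TAG_GPS_LAT: "GPS latitude"}

def _ifd_size(n):
    return 2 + 12 * n + 4

def _build_ifd(entries, data, data_base):
    """Encode one little-endian IFD. entries: (tag, type, count, value_bytes);
    values longer than 4 bytes are appended to `data` and referenced by offset."""
    out = struct.pack("<H", len(entries))
    for tag, typ, count, val in entries:
        if len(val) <= 4:
            out += struct.pack("<HHI", tag, typ, count) + val.ljust(4, b"\0")
        else:
            out += struct.pack("<HHII", tag, typ, count, data_base + len(data))
            data += val
    return out + struct.pack("<I", 0)        # no next IFD

def build_sample_jpeg():
    """Constructed sample (no image data): SOI, Exif APP1 with Make, serial
    number and GPS latitude, a COM segment, EOI."""
    exif_off = 8 + _ifd_size(3)
    gps_off = exif_off + _ifd_size(1)
    data_base = gps_off + _ifd_size(2)
    data = bytearray()
    lat = struct.pack("<6I", 40, 1, 26, 1, 0, 1)   # 40 deg 26' 0" as three rationals
    ifd0 = _build_ifd([(TAG_MAKE, ASCII, 6, b"Canon\0"),
                       (TAG_EXIF_IFD, LONG, 1, struct.pack("<I", exif_off)),
                       (TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_off))], data, data_base)
    exif = _build_ifd([(TAG_BODY_SERIAL, ASCII, 11, b"1234567890\0")], data, data_base)
    gps = _build_ifd([(TAG_GPS_LAT_REF, ASCII, 2, b"N\0"),
                      (TAG_GPS_LAT, RATIONAL, 3, lat)], data, data_base)
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + exif + gps + bytes(data)
    com = b"constructed sample"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9")

def iter_segments(jpeg):
    """Yield (marker, payload) for each JPEG marker segment; SOS/EOI end the walk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI / SOS: rest of file follows
            yield marker, jpeg[pos + 2:]
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def parse_exif(app1):
    """Walk IFD0 and the Exif/GPS sub-IFDs of an APP1 payload; return {tag: value}."""
    if not app1.startswith(b"Exif\0\0"):
        return {}
    tiff = app1[6:]
    end = {b"II": "<", b"MM": ">"}[tiff[:2]]
    tags = {}

    def read_ifd(off):
        n = struct.unpack(end + "H", tiff[off:off + 2])[0]
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            if size <= 4:                          # value stored inline
                raw = tiff[e + 8:e + 8 + size]
            else:                                  # value stored at an offset
                voff = struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
                raw = tiff[voff:voff + size]
            if typ == ASCII:
                val = raw.rstrip(b"\0").decode("ascii", "replace")
            elif typ in (SHORT, LONG):
                val = struct.unpack(end + ("H" if typ == SHORT else "I") * count, raw)
            elif typ == RATIONAL:
                nums = struct.unpack(end + "I" * (2 * count), raw)
                val = tuple(nums[j] / (nums[j + 1] or 1) for j in range(0, len(nums), 2))
            else:
                val = raw
            tags[tag] = val
            if tag in (TAG_EXIF_IFD, TAG_GPS_IFD):
                read_ifd(val[0])

    read_ifd(struct.unpack(end + "I", tiff[4:8])[0])
    return tags

def exif_tags(jpeg):
    tags = {}
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1:
            tags.update(parse_exif(payload))
    return tags

def gps_to_decimal(tags):
    """Degrees/minutes/seconds rationals to a signed decimal latitude."""
    if TAG_GPS_LAT not in tags:
        return None
    d, m, s = tags[TAG_GPS_LAT]
    dec = d + m / 60 + s / 3600
    return -dec if tags.get(TAG_GPS_LAT_REF) == "S" else dec

def find_sensitive(jpeg):
    tags = exif_tags(jpeg)
    return [desc for tag, desc in SENSITIVE.items() if tag in tags]

def strip_exif(jpeg):
    """Rewrite the file without its Exif APP1 segment(s); all other segments kept."""
    out = b"\xff\xd8"
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            continue
        out += bytes([0xFF, marker])
        if marker not in (0xD9, 0xDA):
            out += struct.pack(">H", len(payload) + 2)
        out += payload
    return out
```

The stripper removes the whole Exif segment rather than editing individual tags, because MakerNote data and embedded thumbnails (a second IFD the parser above does not follow) can carry the same identifying information in vendor-specific layouts; a tool that only blanks the tags it knows about leaves the rest behind.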
The US Secret Service evidently wants to be
able to track your printer output, presumably as part of their
anti-counterfeiting responsibilities, so they have convinced laser printer
manufacturers to secretly add the now-famous yellow dots
to each color page that is printed. Some of these codes have been cracked
by the Electronic Frontier Foundation (EFF) and others, and have been found
to contain model and serial numbers along with a timestamp of the print time.
It is much harder to blame ignorant users when the device manufacturer
actively tries to hide the fact that identifying information is being
leaked. Worse yet, it appears that inquiring about this practice
and asking how to turn it off
can lead to a visit from the Secret Service. There is nothing quite like a
visit from a federal agent to stifle dissent. The folks at Seeing Yellow have lots more
information, including a plan to overwhelm the agency through sheer numbers
of people asking how to turn this "feature" off.
Imagine a world where the government required each person to carry a
device that knew its location via GPS, could take pictures and had
wireless connectivity. It is a scenario that would be ripe for abuse. In many
ways, lots of people already, voluntarily, live in that world as cell phones
have all those characteristics. It is not inconceivable that the cell phone
manufacturers have already had a visit, from the Department of Homeland
Security (DHS) or some other three-letter agency of the government, asking
for help in the "War on Terror." The devices are certainly capable of
reporting location (possibly with a helpful photo of people in the vicinity)
back to the carrier and through them to the DHS. Probably, hopefully, that
is not (yet?) happening, but there is no real technical barrier.
If we ratchet the paranoia level down a notch, cell phones, in
particular smart phones, still pose an enormous target for the criminal
world. Subverting phones that have cameras and GPS, to run them under the
control of an attacker, makes an incredible surveillance tool. By using
the same kinds of techniques that are used to spread viruses and spyware
today, it should not be difficult to get targets to willingly perform
actions that will lead to the subversion of their phone. From
there, the attacker can get all of the call records, photos, calendar items
and contacts while directing the phone to transmit its location every
minute to the attacker.
Not only could this kind of information be used by stalkers, muggers and other
criminals, this same capability could be used by lovers or employers to
track people, keeping tabs on their movements and contacts. Rather than
hire a private investigator, a jealous husband or wife might just borrow
the other's phone, surf to a spyware site, and install a tracking program
themselves. The opportunities are endless and exceedingly frightening for
anyone concerned about privacy in today's world.
There are no easy answers on how to protect oneself against these
unintentional data leaks. The organizations and individuals interested in
collecting the data are doubly interested in concealing the fact that they
are doing it, but, worse still, it is difficult for users to detect. If a
cell phone is sending a short burst of encrypted information every minute,
how would the average user, or even a sophisticated lab, detect and decode
that data? If someone had not stumbled upon the yellow dots, we might be
printing traceable documents, in blissful ignorance, to this day. What
other, similar kinds of tracking are going on that we do not yet know about?
Free software can certainly help with this problem, but it is no
panacea. Being able to replace the software in a device, with code that
can be scrutinized and built before installing, is a good way to know what
the device will do. Getting code that is vouched for by a trusted group,
also serves to alleviate privacy leakage concerns. That is not the end of
the story, unfortunately, as the hardware itself may be the culprit. Laser
printer hardware is likely responsible for the identifying
information in the output, making it rather difficult to replace. It is
extremely difficult to know what the hardware in other devices might be
doing behind our backs.
The truly paranoid will not be willing to trust any hardware they did not
build themselves, perhaps from individual transistors, while trying to
figure out how to trust
the compiler. For the rest of us, open platforms, like OpenMoko, with free software and
hardware, may provide reasons to believe that our data is protected;
unless, of course, the device gets stolen or lost - encryption anyone?
Comments (10 posted)
New vulnerabilities
gpdf: integer overflow
| Package(s): | cups poppler xpdf |
| CVE #(s): | CVE-2007-3387 |
| Created: | July 31, 2007 |
| Updated: | November 28, 2007 |
| Description: | The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more. |
| Alerts: | |
Comments (1 posted)
drupal: cross site request forgery
| Package(s): | drupal |
| CVE #(s): | |
| Created: | July 27, 2007 |
| Updated: | August 1, 2007 |
| Description: | From DRUPAL-SA-2007-017: "Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged user to visit certain URLs while the victim is logged-in to the targeted site." |
| Alerts: | |
Comments (2 posted)
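The two mistakes named in that advisory, acting on a bare GET and skipping the form token, are easy to see side by side. The following is an added example and not Drupal's code: a constructed in-memory "site" with a vulnerable delete handler that fires on any request carrying the victim's session cookie, next to a hardened one that requires POST and a token derived from a per-session secret and bound to the specific action (the equivalent of what a forms API token is for). The `Site` class, its handlers and the simulated attacker page are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

class Site:
    """Constructed stand-in for a web application (assumption, not Drupal's API)."""

    def __init__(self):
        self.content = {1: "front page", 2: "news item"}
        self.sessions = {}                     # session id -> per-session secret

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_bytes(32)
        return sid

    # Vulnerable pattern: the delete happens on a bare GET with nothing but the
    # session cookie as "authorization".  Any page the victim visits can trigger
    # it with something like <img src="http://site/node/1/delete">.
    def vulnerable_delete(self, method, params, sid):
        if sid not in self.sessions:
            return 403
        self.content.pop(int(params["id"]), None)
        return 200

    # Hardened pattern: state changes require POST plus a token that only the
    # legitimate form (served to this session) can contain.  Binding the token
    # to the action keeps a token for one form from being replayed on another.
    def csrf_token(self, sid, action):
        return hmac.new(self.sessions[sid], action.encode(), hashlib.sha256).hexdigest()

    def hardened_delete(self, method, params, sid):
        if sid not in self.sessions:
            return 403
        if method != "POST":
            return 405
        expected = self.csrf_token(sid, "delete:" + str(params.get("id", "")))
        if not hmac.compare_digest(expected, str(params.get("token", ""))):
            return 403
        self.content.pop(int(params["id"]), None)
        return 200

def cross_site_attack(site, handler, victim_sid):
    """Simulate an attacker page the logged-in victim visits: the browser attaches
    the victim's session cookie, but the attacker never sees the victim's token.
    Returns (status of forged GET, status of forged POST, item 1 still present)."""
    get = handler("GET", {"id": "1"}, victim_sid)
    post = handler("POST", {"id": "1", "token": "guess"}, victim_sid)
    return get, post, 1 in site.content
```

Run against `Site.vulnerable_delete` the forged GET succeeds and the content is gone; against `Site.hardened_delete` the GET is refused outright and the forged POST fails the token check, while a user who submits the real form (with the token the server issued for that session and action) still gets through.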
festival: privilege escalation
| Package(s): | festival |
| CVE #(s): | |
| Created: | July 26, 2007 |
| Updated: | August 1, 2007 |
| Description: | The festival text-to-speech converter has a privilege escalation vulnerability. The festival daemon runs with root privileges, so a local attacker can connect to the daemon and execute arbitrary commands as root. |
| Alerts: | |
Comments (1 posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2007-3844, CVE-2007-3845 |
| Created: | August 1, 2007 |
| Updated: | February 20, 2008 |
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) |
| Alerts: | |
Comments (none posted)
gdm: denial of service
| Package(s): | gdm |
| CVE #(s): | CVE-2007-3381 |
| Created: | August 1, 2007 |
| Updated: | September 20, 2007 |
| Description: | JLANTHEA reported a denial of service flaw in the way that gdm listens on its Unix domain socket. Any local user can crash the locally running X session. |
| Alerts: | |
Comments (none posted)
libvorbis: multiple memory corruption flaws
| Package(s): | libvorbis |
| CVE #(s): | CVE-2007-3106, CVE-2007-4029 |
| Created: | July 27, 2007 |
| Updated: | January 22, 2008 |
| Description: | This iSEC Partners security advisory has details on multiple memory corruption flaws in libvorbis. |
| Alerts: | |
Comments (none posted)
qt: arbitrary code execution
| Package(s): | qt |
| CVE #(s): | CVE-2007-3388 |
| Created: | August 1, 2007 |
| Updated: | December 10, 2007 |
| Description: | Format string bugs were found in several Qt warning messages. Applications using Qt for processing certain data types could trigger them if the data caused Qt to print warnings. The bugs potentially allow execution of arbitrary code via specially crafted files (CVE-2007-3388). |
| Alerts: | |
Comments (none posted)
unrar: integer signedness error
| Package(s): | unrar |
| CVE #(s): | CVE-2007-3726 |
| Created: | July 31, 2007 |
| Updated: | August 1, 2007 |
| Description: | Integer signedness error in the SET_VALUE function in rarvm.cpp in unrar 3.70 beta 3, as used in products including WinRAR and RAR for OS X, allows user-assisted remote attackers to cause a denial of service (crash) via a crafted RAR archive that causes a negative signed number to be cast to a large unsigned number. |
| Alerts: | |
Comments (1 posted)
vim: arbitrary code execution
| Package(s): | vim |
| CVE #(s): | CVE-2007-2953 |
| Created: | July 30, 2007 |
| Updated: | November 27, 2008 |
| Description: | vim is vulnerable to a user-assisted attack in which vim may execute arbitrary code when helptags is run on data that has been maliciously crafted. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
| CVE #(s): | CVE-2006-5857, CVE-2007-0045, CVE-2007-0046 |
| Created: | January 11, 2007 |
| Updated: | October 26, 2009 |
| Description: | Adobe's Acrobat Reader has the following vulnerabilities. The Adobe Reader plugin has a cross-site scripting vulnerability that can be triggered by processing malformed URLs; arbitrary JavaScript can be served by a malicious web server, leading to a cross-site scripting attack. Maliciously crafted PDF files can be used to trigger two further vulnerabilities; if an attacker can trick a user into viewing the files, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
Comments (1 posted)
apache2: information disclosure
| Package(s): | apache |
| CVE #(s): | CVE-2007-1862 |
| Created: | June 20, 2007 |
| Updated: | February 18, 2008 |
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." |
| Alerts: | |
Comments (2 posted)
apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2007-3304, CVE-2006-5752 |
| Created: | June 27, 2007 |
| Updated: | February 18, 2008 |
| Description: | The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304) A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) |
| Alerts: | |
Comments (1 posted)
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
Comments (none posted)
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
| CVE #(s): | CVE-2007-1561, CVE-2007-1594 |
| Created: | April 3, 2007 |
| Updated: | August 27, 2007 |
| Description: |
The Madynes research team at INRIA has discovered that Asterisk contains a
null pointer dereferencing error in the SIP channel when handling INVITE
messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to
properly handle SIP responses with return code 0. A remote attacker could
cause an Asterisk server listening for SIP messages to crash by sending a
specially crafted SIP message or answering with a 0 return code. |
Comments (none posted)
avahi: denial of service
| Package(s): | avahi |
| CVE #(s): | CVE-2007-3372 |
| Created: | June 28, 2007 |
| Updated: | December 23, 2008 |
| Description: |
Avahi is vulnerable to a local denial of service that can be caused by
making an erroneous call to the assert() function. |
Comments (none posted)
bind: DNS cache poisoning
| Package(s): | bind |
| CVE #(s): | CVE-2007-2926 |
| Created: | July 24, 2007 |
| Updated: | August 20, 2007 |
| Description: |
A flaw was found in the way BIND generates outbound DNS query ids. If an
attacker is able to acquire a finite set of query IDs, it becomes possible
to accurately predict future query IDs. Future query ID prediction may
allow an attacker to conduct a DNS cache poisoning attack, which can result
in the DNS server returning incorrect client query data. |
Comments (none posted)
bochs: buffer overflow
| Package(s): | bochs |
| CVE #(s): | CVE-2007-2893 |
| Created: | July 20, 2007 |
| Updated: | November 19, 2007 |
| Description: |
A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in
iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users
of the guest operating system to write to arbitrary memory locations and
gain privileges on the host operating system via vectors that cause TXCNT
register values to exceed the device memory size, aka "RX Frame heap
overflow." |
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 |
| Created: | November 10, 2006 |
| Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
Comments (none posted)
centericq: buffer overflows
| Package(s): | centericq |
| CVE #(s): | CVE-2007-3713 |
| Created: | July 20, 2007 |
| Updated: | December 17, 2007 |
| Description: |
Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow
remote attackers to execute arbitrary code via unspecified vectors. NOTE:
the provenance of this information is unknown; the details are obtained
solely from third party information. NOTE: this might overlap
CVE-2007-0160. |
Comments (none posted)
clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | CVE-2007-3725 |
| Created: | July 24, 2007 |
| Updated: | February 27, 2008 |
| Description: |
A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via a specially crafted RAR archive. |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | June 1, 2009 |
| Description: |
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
Comments (1 posted)
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2006-4262 |
| Created: | October 2, 2006 |
| Updated: | June 16, 2009 |
| Description: |
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code. |
Comments (none posted)
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2004-2541 |
| Created: | May 22, 2006 |
| Updated: | June 19, 2009 |
| Description: |
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target. |
Comments (1 posted)
cups: denial of service
| Package(s): | cups |
| CVE #(s): | CVE-2007-0720 |
| Created: | March 26, 2007 |
| Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service. |
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a denial of service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a denial of service even if the attacker is
not able to authenticate. |
Comments (none posted)
dovecot: directory traversal
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-2231 |
| Created: | May 8, 2007 |
| Updated: | May 21, 2008 |
| Description: |
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name. |
Comments (none posted)
elinks: code execution
| Package(s): | elinks |
| CVE #(s): | CVE-2007-2027 |
| Created: | May 7, 2007 |
| Updated: | October 30, 2009 |
| Description: |
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges. |
Comments (none posted)
elinks: arbitrary file access
| Package(s): | elinks |
| CVE #(s): | CVE-2006-5925 |
| Created: | November 16, 2006 |
| Updated: | October 22, 2009 |
| Description: |
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions. |
Comments (none posted)
emacs21: denial of service
| Package(s): | emacs21 |
| CVE #(s): | CVE-2007-2833 |
| Created: | June 21, 2007 |
| Updated: | August 29, 2007 |
| Description: |
The emacs21 editor has a denial of service vulnerability.
emacs21 can be made to crash by viewing "certain types of images". |
Comments (none posted)
evolution: format string error
| Package(s): | evolution |
| CVE #(s): | CVE-2007-1002 |
| Created: | March 27, 2007 |
| Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
Comments (1 posted)
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server |
| CVE #(s): | CVE-2007-3257 |
| Created: | June 18, 2007 |
| Updated: | November 7, 2007 |
| Description: |
From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code
(camel-imap-folder.c) is converted from a string using strtol. This allows
for negative values. The imap_rescan uses this value as an int. It checks
for !seq and seq>summary.length. It doesn't check for seq <
0. Although seq is used as the index of an array." |
Comments (1 posted)
pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail |
| CVE #(s): | CVE-2007-1558 |
| Created: | May 8, 2007 |
| Updated: | July 3, 2009 |
| Description: |
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail. |
Comments (none posted)
fail2ban: log injection vulnerability
| Package(s): | fail2ban |
| CVE #(s): | |
| Created: | June 22, 2007 |
| Updated: | July 30, 2007 |
| Description: |
fail2ban 0.8 is susceptible to a log injection vulnerability. See this
ossec.net entry for more information. |
Comments (none posted)
fail2ban: denial of service
| Package(s): | fail2ban |
| CVE #(s): | CVE-2006-6302 |
| Created: | February 16, 2007 |
| Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd log files, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
Comments (3 posted)
file: integer overflow
| Package(s): | file |
| CVE #(s): | CVE-2007-2799 |
| Created: | June 1, 2007 |
| Updated: | October 19, 2007 |
| Description: |
Colin Percival from FreeBSD reported that the previous fix for the
file_printf() buffer overflow introduced a new integer overflow. A remote
attacker could entice a user to run the file program on an overly large
file (more than 1Gb) that would trigger an integer overflow on 32-bit
systems, possibly leading to the execution of arbitrary code with the
rights of the user running file. |
Comments (3 posted)
firebird: buffer overflow
| Package(s): | firebird |
| CVE #(s): | CVE-2007-3181 |
| Created: | July 2, 2007 |
| Updated: | March 27, 2008 |
| Description: |
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user. |
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird |
| CVE #(s): | CVE-2007-1362, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871 |
| Created: | June 4, 2007 |
| Updated: | August 29, 2007 |
| Description: |
Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user
into opening a malicious web page, an attacker could cause a persistent
denial of service. (CVE-2007-2869)
Nicolas Derouet discovered flaws in cookie handling. By tricking a user
into opening a malicious web page, an attacker could force the browser to
consume large quantities of disk or memory while processing long cookie
paths. (CVE-2007-1362)
A flaw was discovered in the same-origin policy handling of the
addEventListener JavaScript method. A malicious web site could exploit
this to modify the contents, or steal confidential data (such as
passwords), of other web pages. (CVE-2007-2870)
Chris Thomas discovered a flaw in XUL popups. A malicious web site
could exploit this to spoof or obscure portions of the browser UI,
such as the location bar. (CVE-2007-2871) |
Comments (3 posted)
firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
| CVE #(s): | CVE-2007-3738, CVE-2007-3656, CVE-2007-3670, CVE-2007-3285, CVE-2007-3737, CVE-2007-3089, CVE-2007-3736, CVE-2007-3734, CVE-2007-3735 |
| Created: | July 18, 2007 |
| Updated: | May 12, 2008 |
| Description: |
shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents. It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL Protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
showed evidence of memory corruption under certain circumstances and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) |
Comments (none posted)
flac123: arbitrary code execution
| Package(s): | flac123 |
| CVE #(s): | CVE-2007-3507 |
| Created: | July 13, 2007 |
| Updated: | October 22, 2007 |
| Description: |
A stack-based buffer overflow in the local__vcentry_parse_value function in
vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows
user-assisted remote attackers to execute arbitrary code via a large
comment value_length. |
Comments (none posted)
flash-plugin: input validation flaw
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2007-3456 |
| Created: | July 12, 2007 |
| Updated: | August 10, 2007 |
| Description: |
The Firefox flash-plugin module has an input validation flaw
involving the display of certain content. If a user can be tricked
into opening a specially crafted Adobe Flash file, it may be possible
to execute arbitrary code. |
Comments (none posted)
freetype: arbitrary code execution
| Package(s): | freetype |
| CVE #(s): | CVE-2007-2754 |
| Created: | May 24, 2007 |
| Updated: | June 1, 2010 |
| Description: |
The Freetype font rendering library versions 2.3.4 and below
has an integer sign error. Remote attackers may be able to
create a specially crafted TrueType Font file with a negative
n_points value that will cause an integer overflow and heap-based
buffer overflow, allowing the execution of arbitrary code. |
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | June 1, 2010 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
| CVE #(s): | CVE-2007-0455 |
| Created: | February 7, 2007 |
| Updated: | November 18, 2009 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
Comments (2 posted)
gd: denial of service
| Package(s): | gd |
| CVE #(s): | CVE-2007-2756 |
| Created: | June 14, 2007 |
| Updated: | February 28, 2008 |
| Description: |
Libgd2 has a denial of service vulnerability involving the incorrect
validation of PNG callback results. If an application that is linked
against libgd2 is used to process a specially-crafted PNG file,
a denial of service involving CPU resource consumption can be
caused. |
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
Comments (1 posted)
gimp: multiple vulnerabilities
| Package(s): | gimp |
| CVE #(s): | CVE-2007-2949 |
| Created: | June 28, 2007 |
| Updated: | February 27, 2008 |
| Description: |
The gimp image editor has several vulnerabilities, including
a problem where it can open PSD files with excessive dimensions
and a possible stack overflow in the Sunras loader. |
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | January 20, 2010 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
Comments (1 posted)
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer |
| CVE #(s): | CVE-2007-3410 |
| Created: | June 27, 2007 |
| Updated: | September 17, 2007 |
| Description: |
A buffer overflow flaw was found in the way HelixPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. It was possible
for a malformed SMIL file to execute arbitrary code with the permissions of
the user running HelixPlayer. (CVE-2007-3410) |
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
| CVE #(s): | CVE-2006-6175 |
| Created: | January 17, 2007 |
| Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
Comments (none posted)
ImageMagick: integer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2007-1797 |
| Created: | April 4, 2007 |
| Updated: | August 11, 2009 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
Comments (none posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2007-1841 |
| Created: | April 10, 2007 |
| Updated: | August 28, 2007 |
| Description: |
A flaw was discovered in the IPSec key exchange server "racoon". Remote
attackers could send a specially crafted packet and disrupt established
IPSec tunnels, leading to a denial of service. |
Comments (none posted)
jasper: denial of service
| Package(s): | jasper |
| CVE #(s): | CVE-2007-2721 |
| Created: | June 1, 2007 |
| Updated: | April 19, 2010 |
| Description: |
The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote
user-assisted attackers to cause a denial of service (crash) and possibly
corrupt the heap via malformed image files. |
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
| CVE #(s): | CVE-2006-4339, CVE-2006-4790, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2006-6745 |
| Created: | January 18, 2007 |
| Updated: | June 4, 2010 |
| Description: |
Java has multiple vulnerabilities, including:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE, and buffer overflows in the Java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
Comments (1 posted)
kdebase: information leak
| Package(s): | kdebase |
| CVE #(s): | CVE-2007-2022 |
| Created: | June 13, 2007 |
| Updated: | September 19, 2007 |
| Description: |
A problem with the interaction between the Flash Player and the Konqueror
web browser was found. The problem could lead to key presses leaking to the
Flash Player applet instead of the browser.
NOTE: CVE number may be incorrect, see CVE entry |
Comments (1 posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
Comments (1 posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqueror |
| CVE #(s): | CVE-2007-0537 |
| Created: | February 5, 2007 |
| Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-1357 |
| Created: | April 16, 2007 |
| Updated: | November 14, 2007 |
| Description: |
The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before
2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of
service (crash) via an AppleTalk frame that is shorter than the specified
length, which triggers a BUG_ON call when an attempt is made to perform a
checksum. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-3642 |
| Created: | July 23, 2007 |
| Updated: | November 14, 2007 |
| Description: |
The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c in the
Linux kernel before 2.6.22 allows remote attackers to cause a denial of
service (crash) via an encoded, out-of-range index value for a choice
field, which triggers a NULL pointer dereference. |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2007-0005, CVE-2007-1000 |
| Created: | March 15, 2007 |
| Updated: | November 14, 2007 |
| Description: |
The Linux kernel has a boundary error problem with the
Omnikey CardMan 4040 driver read and write functions. This can be used
to cause a buffer overflow and possible execution of arbitrary code with
kernel privileges.
The ipv6_getsockopt_sticky function in
net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference.
Local users can use this to crash the kernel or to disclose kernel
memory. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-0007, CVE-2007-0006 |
| Created: | February 15, 2007 |
| Updated: | November 14, 2007 |
| Description: |
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash. |
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | January 5, 2009 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-1861, CVE-2007-2242 |
| Created: | May 1, 2007 |
| Updated: | February 8, 2008 |
| Description: |
The netlink protocol has an infinite recursion bug that allows users to
cause a kernel crash. Also the IPv6 protocol allows remote attackers to
cause a denial of service via crafted IPv6 type 0 route headers
(IPV6_RTHDR_TYPE_0) that create network amplification between two routers. |
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-0772 |
| Created: | February 23, 2007 |
| Updated: | November 14, 2007 |
| Description: |
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial
of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free
of an incorrect pointer. |
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2007-1353, CVE-2007-2451, CVE-2007-2453 |
| Created: | June 11, 2007 |
| Updated: | March 6, 2008 |
| Description: |
Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
kernel memory contents via an uninitialized stack buffer. A local attacker
could exploit this flaw to view sensitive kernel information.
(CVE-2007-1353)
The GEODE-AES driver did not correctly initialize its encryption key.
Any data encrypted using this type of device would be easily compromised.
(CVE-2007-2451)
The random number generator was hashing a subset of the available
entropy, leading to slightly less random numbers. Additionally, systems
without an entropy source would be seeded with the same inputs at boot
time, leading to a repeatable series of random numbers. (CVE-2007-2453) |
Comments (none posted)
kernel: signal handling flaw on PPC
| Package(s): | kernel |
| CVE #(s): | CVE-2007-3107 |
| Created: | July 10, 2007 |
| Updated: | February 4, 2008 |
| Description: |
A flaw in the signal handling on PowerPC-based systems allowed a
local user to cause a denial of service (floating point corruption). |
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5823
CVE-2006-6054
CVE-2007-1592
|
| Created: | June 12, 2007 |
Updated: | March 21, 2011 |
| Description: |
A flaw in the cramfs file system allows invalid compressed data to cause
memory corruption (CVE-2006-5823).
A flaw in the ext2 file system allows an invalid inode size to cause a
denial of service (system hang) (CVE-2006-6054).
A flaw in IPv6 flow label handling allows a local user to cause a denial of
service (crash) (CVE-2007-1592). |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause a system crash (denial of service) and, if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | January 8, 2009 |
| Description: |
A security issue has been reported in the Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c: the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in the Linux kernel, caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
kernel data structures. |
| Alerts: |
|
Comments (none posted)
krb5: multiple vulnerabilities
| Package(s): | krb5 |
CVE #(s): | CVE-2007-2442
CVE-2007-2443
CVE-2007-2798
|
| Created: | June 27, 2007 |
Updated: | March 24, 2008 |
| Description: |
David Coffey discovered an uninitialized pointer free flaw in the
RPC library used by kadmind. A remote unauthenticated attacker who
could access kadmind could trigger the flaw causing kadmind to crash
or possibly execute arbitrary code (CVE-2007-2442).
David Coffey also discovered an overflow flaw in the same RPC library.
A remote unauthenticated attacker who could access kadmind could
trigger the flaw causing kadmind to crash or possibly execute arbitrary
code (CVE-2007-2443).
Finally, a stack buffer overflow vulnerability was found in kadmind
that allowed an unauthenticated user able to access kadmind the
ability to trigger the vulnerability and possibly execute arbitrary
code (CVE-2007-2798). |
| Alerts: |
|
Comments (none posted)
krb5: uninitialized pointers
| Package(s): | krb5 |
CVE #(s): | CVE-2006-6143
CVE-2006-3084
|
| Created: | January 10, 2007 |
Updated: | July 7, 2010 |
| Description: |
The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details. |
| Alerts: |
|
Comments (1 posted)
krb5: local privilege escalation
| Package(s): | krb5 |
CVE #(s): | CVE-2006-3083
|
| Created: | August 9, 2006 |
Updated: | July 7, 2010 |
| Description: |
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: |
|
Comments (none posted)
krb5: multiple vulnerabilities
| Package(s): | krb5 |
CVE #(s): | CVE-2007-0956
CVE-2007-0957
CVE-2007-1216
|
| Created: | April 3, 2007 |
Updated: | March 24, 2008 |
| Description: |
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. (MIT krb5
Security Advisory 2007-001)
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. (MIT krb5 Security Advisory 2007-002)
A double-free flaw was found in the GSSAPI library used by the kadmin
server daemon. (MIT krb5 Security Advisory 2007-003) |
| Alerts: |
|
Comments (none posted)
ktorrent: incorrect validation
| Package(s): | ktorrent |
CVE #(s): | CVE-2007-1384
CVE-2007-1385
CVE-2007-1799
|
| Created: | March 13, 2007 |
Updated: | October 24, 2007 |
| Description: |
Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges. |
| Alerts: |
|
Comments (1 posted)
lftp: shell command execution
| Package(s): | lftp |
CVE #(s): | CVE-2007-2348
|
| Created: | May 4, 2007 |
Updated: | September 16, 2009 |
| Description: |
mirror --script in lftp before 3.5.9 does not properly quote shell
metacharacters, which might allow remote user-assisted attackers to execute
shell commands via a malicious script. NOTE: it is not clear whether this
issue crosses security boundaries, since the script already supports
commands such as "get" which could overwrite executable files. |
| Alerts: |
|
Comments (none posted)
libexif: integer overflow
| Package(s): | libexif |
CVE #(s): | CVE-2007-2645
|
| Created: | June 1, 2007 |
Updated: | February 11, 2008 |
| Description: |
Integer overflow in the exif_data_load_data_entry function in exif-data.c
in libexif before 0.6.14 allows user-assisted remote attackers to cause a
denial of service (crash) or possibly execute arbitrary code via crafted
EXIF data, involving the (1) doff or (2) s variable. |
| Alerts: |
|
Comments (none posted)
libgtop2: buffer overflow
| Package(s): | libgtop2 |
CVE #(s): | CVE-2007-0235
|
| Created: | January 15, 2007 |
Updated: | August 9, 2007 |
| Description: |
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (none posted)
libmodplug: boundary errors
| Package(s): | libmodplug |
CVE #(s): | CVE-2006-4192
|
| Created: | December 11, 2006 |
Updated: | May 4, 2011 |
| Description: |
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
| Alerts: |
|
Comments (none posted)
libphp-phpmailer: command execution
| Package(s): | libphp-phpmailer |
CVE #(s): | CVE-2007-3215
|
| Created: | June 20, 2007 |
Updated: | June 25, 2009 |
| Description: |
libphp-phpmailer does not do sufficient input validation, enabling shell command injection attacks. |
| Alerts: |
|
Comments (none posted)
libpng: denial of service
| Package(s): | libpng |
CVE #(s): | CVE-2007-2445
|
| Created: | May 17, 2007 |
Updated: | March 23, 2009 |
| Description: |
Libpng can be crashed when processing malformed PNG files.
It may also be possible to exploit this vulnerability to execute arbitrary
code. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | December 15, 2008 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
lighttpd: denial of service
| Package(s): | lighttpd |
CVE #(s): | CVE-2007-3946
CVE-2007-3947
CVE-2007-3948
CVE-2007-3949
CVE-2007-3950
|
| Created: | July 19, 2007 |
Updated: | July 15, 2008 |
| Description: |
The lighttpd web server has multiple vulnerabilities, including
circumvention of remote access-control settings by sending
malformed requests. These can also be used to crash the server
and cause a denial of service. |
| Alerts: |
|
Comments (none posted)
lookup-el: insecure temporary file
| Package(s): | lookup-el |
CVE #(s): | CVE-2007-0237
|
| Created: | March 19, 2007 |
Updated: | December 10, 2007 |
| Description: |
Tatsuya Kinoshita discovered that Lookup, a search interface to electronic
dictionaries on emacsen, creates a temporary file in an insecure fashion
when the ndeb-binary feature is used, which allows a local attacker to
craft a symlink attack to overwrite arbitrary files. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mod_jk: proxy bypass
| Package(s): | mod_jk |
CVE #(s): | CVE-2007-1860
|
| Created: | May 30, 2007 |
Updated: | March 7, 2008 |
| Description: |
From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside
Apache httpd and forwarded the encoded URL to Tomcat, which itself did a
second decoding. If Tomcat was used behind mod_jk and configured to only
proxy some contexts, an attacker could construct a carefully crafted HTTP
request to work around the context restriction and potentially access
non-proxied content." |
| Alerts: |
|
Comments (none posted)
moin: arbitrary JavaScript execution
| Package(s): | moin |
CVE #(s): | CVE-2007-2423
|
| Created: | May 8, 2007 |
Updated: | March 10, 2008 |
| Description: |
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted. |
| Alerts: |
|
Comments (none posted)
mplayer: buffer overflow
| Package(s): | mplayer |
CVE #(s): | CVE-2007-1246
|
| Created: | March 8, 2007 |
Updated: | April 1, 2008 |
| Description: |
MPlayer versions up to 1.0rc1 have a buffer overflow in the
loader/dmo/DMO_VideoDecoder.c DMO_VideoDecoder_Open function.
User-assisted remote attackers can use this to trigger the overflow
and possibly execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
mplayer: buffer overflow
| Package(s): | mplayer |
CVE #(s): | CVE-2007-2948
|
| Created: | June 20, 2007 |
Updated: | July 25, 2007 |
| Description: |
The CDDB code in mplayer suffers from "insufficient boundary checks," leaving it exposed to buffer overruns. |
| Alerts: |
|
Comments (none posted)
mydns: buffer overflows
| Package(s): | mydns |
CVE #(s): | CVE-2007-2362
|
| Created: | May 23, 2007 |
Updated: | December 17, 2007 |
| Description: |
Multiple buffer overflows in MyDNS allow remote attackers to cause a denial of
service (daemon crash) and possibly execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
mysql: denial of service
| Package(s): | mysql |
CVE #(s): | CVE-2007-1420
|
| Created: | March 22, 2007 |
Updated: | May 21, 2008 |
| Description: |
MySQL subselect queries using "ORDER BY" can be used by an attacker with
access to a MySQL instance in order to create an intermittent denial
of service. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
mysql: multiple vulnerabilities
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | February 21, 2012 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause
a .bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
nginx: cross site scripting
| Package(s): | nginx |
CVE #(s): | |
| Created: | July 20, 2007 |
Updated: | September 14, 2009 |
| Description: |
Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
proxy server written by Igor Sysoev. The "msie_refresh" directive could
allow cross site scripting. |
| Alerts: |
|
Comments (none posted)
nvclock: insecure tmp file usage
| Package(s): | nvclock |
CVE #(s): | CVE-2007-3531
|
| Created: | July 25, 2007 |
Updated: | July 25, 2007 |
| Description: |
A local attacker could create a specially crafted temporary file in
/tmp to execute arbitrary code with the privileges of the user running
NVClock. |
| Alerts: |
|
Comments (1 posted)
OpenOffice.org: arbitrary code execution
| Package(s): | openoffice.org |
CVE #(s): | CVE-2007-0245
|
| Created: | June 13, 2007 |
Updated: | June 12, 2008 |
| Description: |
A specially crafted RTF file could cause the
filter to overwrite data on the heap, which may lead to the execution
of arbitrary code. |
| Alerts: |
|
Comments (none posted)
OpenSSH: denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4925
CVE-2006-5052
|
| Created: | October 6, 2006 |
Updated: | November 15, 2007 |
| Description: |
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of
service (crash) by sending an invalid protocol sequence with
USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
An unspecified vulnerability in portable OpenSSH before 4.4, when running
on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort." |
| Alerts: |
|
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4924
CVE-2006-5051
|
| Created: | September 27, 2006 |
Updated: | September 17, 2008 |
| Description: |
OpenSSH 4.4 fixes several security issues, including a pre-authentication
denial of service, an unsafe signal handler and, in portable OpenSSH, a
GSSAPI authentication abort that could be used to determine the validity
of usernames on some platforms. |
| Alerts: |
|
Comments (none posted)
pam: privilege escalation
| Package(s): | pam |
CVE #(s): | CVE-2007-1716
|
| Created: | June 12, 2007 |
Updated: | November 15, 2007 |
| Description: |
A flaw was found in the way pam_console set console device permissions. It
was possible for various console devices to retain ownership of the console
user after logging out, possibly leaking information to an unauthorized
user. |
| Alerts: |
|
Comments (none posted)
perl-Net-DNS: predictable id sequence
| Package(s): | perl-Net-DNS |
CVE #(s): | CVE-2007-3377
|
| Created: | June 26, 2007 |
Updated: | March 12, 2008 |
| Description: |
Net::DNS before 0.60 uses an id sequence that is predictable and the same
in all child processes. |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2007-1001
CVE-2007-1285
CVE-2007-1718
CVE-2007-1583
|
| Created: | April 16, 2007 |
Updated: | December 4, 2007 |
| Description: |
A denial of service flaw was found in the way PHP processed a deeply nested
array. A remote attacker could cause the PHP interpreter to crash by
submitting an input variable with a deeply nested array. (CVE-2007-1285)
A flaw was found in the way the mbstring extension set global variables. A
script which used the mb_parse_str() function to set global variables could
be forced to enable the register_globals configuration option, possibly
resulting in global variable injection. (CVE-2007-1583)
A flaw was discovered in the way PHP's mail() function processed header
data. If a script sent mail using a Subject header containing a string from
an untrusted source, a remote attacker could send bulk e-mail to unintended
recipients. (CVE-2007-1718)
A heap based buffer overflow flaw was discovered in PHP's gd extension. A
script that could be forced to process WBMP images from an untrusted source
could result in arbitrary code execution. (CVE-2007-1001) |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2007-2872
CVE-2007-2756
|
| Created: | June 1, 2007 |
Updated: | January 29, 2008 |
| Description: |
According to a vendor release announcement, multiple security
enhancements and fixes were included in version 5.2.3 of the PHP
programming language. |
| Alerts: |
|
Comments (none posted)
php: buffer overflows
| Package(s): | php |
CVE #(s): | CVE-2006-5465
|
| Created: | November 3, 2006 |
Updated: | January 18, 2010 |
| Description: |
The Hardened-PHP Project discovered buffer overflows in the PHP
project's internal htmlentities/htmlspecialchars routines. Of course,
the whole purpose of these functions is to be fed user input. (The
overflow can only occur when UTF-8 is used.) |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web-based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpPgAdmin: cross-site scripting
| Package(s): | phppgadmin |
CVE #(s): | CVE-2007-2865
CVE-2007-5728
|
| Created: | June 18, 2007 |
Updated: | January 21, 2009 |
| Description: |
A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin
4.1.1 allows remote attackers to inject arbitrary web script or HTML via
the server parameter. |
| Alerts: |
|
Comments (none posted)
phpwiki: remote code execution
| Package(s): | phpwiki |
CVE #(s): | CVE-2007-2024
CVE-2007-2025
|
| Created: | May 17, 2007 |
Updated: | September 12, 2007 |
| Description: |
The phpwiki Upload page does not properly check the extension of a file.
This can be used by a remote attacker to upload a specially crafted PHP file
and execute arbitrary PHP code with the privileges of the PhpWiki user. |
| Alerts: |
|
Comments (none posted)
pptpd: denial of service
| Package(s): | pptpd |
CVE #(s): | CVE-2007-0244
|
| Created: | May 9, 2007 |
Updated: | September 3, 2007 |
| Description: |
The PoPToP server daemon contains a bug which allows an attacker to tear down a connection through a malformed GRE packet. |
| Alerts: |
|
Comments (none posted)
proftpd: authentication bypass
| Package(s): | proftpd |
CVE #(s): | CVE-2007-2165
|
| Created: | June 21, 2007 |
Updated: | November 5, 2007 |
| Description: |
The ProFTPD Auth API has an authentication bypass vulnerability.
When multiple simultaneous authentication modules are configured,
the ProFTPD module that checks authentication is not necessarily
the same module that retrieves authentication data. This can be
used by remote attackers to bypass the authentication system. |
| Alerts: |
|
Comments (none posted)
pulseaudio: denial of service
| Package(s): | pulseaudio |
CVE #(s): | CVE-2007-1804
|
| Created: | May 30, 2007 |
Updated: | March 10, 2008 |
| Description: |
The pulseaudio network code suffers from a denial of service vulnerability exploitable by an unauthenticated attacker. |
| Alerts: |
|
Comments (none posted)
python: information disclosure
| Package(s): | python |
CVE #(s): | CVE-2007-2052
|
| Created: | May 9, 2007 |
Updated: | July 30, 2009 |
| Description: |
Python 2.4 and 2.5 contain a bug in PyLocale_strxfrm() which could enable an attacker to read portions of unrelated memory. |
| Alerts: |
|
Comments (none posted)
qemu: multiple vulnerabilities
Comments (none posted)
qt: "/../" injection
| Package(s): | qt |
CVE #(s): | CVE-2007-0242
|
| Created: | April 4, 2007 |
Updated: | September 13, 2007 |
| Description: |
Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not
reject overlong sequences, which can cause "/../" injection or (in the case
of konqueror) a "<script>" tag injection. |
| Alerts: |
|
Comments (2 posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
redhat-cluster-suite: denial of service
| Package(s): | redhat-cluster-suite |
CVE #(s): | CVE-2007-3380
|
| Created: | July 19, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Red Hat Cluster Suite's cluster manager is vulnerable to a
remote attack. Attackers can connect to the DLM port and block
subsequent DLM operations, resulting in a denial of service. |
| Alerts: |
|
Comments (1 posted)
rpm: arbitrary code execution
| Package(s): | rpm |
CVE #(s): | CVE-2006-5466
|
| Created: | November 6, 2006 |
Updated: | August 28, 2007 |
| Description: |
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
snort: remote arbitrary code execution
| Package(s): | snort |
CVE #(s): | CVE-2006-5276
|
| Created: | March 2, 2007 |
Updated: | September 7, 2007 |
| Description: |
The Snort intrusion detection system is vulnerable to a buffer overflow
in the DCE/RPC preprocessor code. Remote attackers can send
specially crafted fragmented SMB or DCE/RPC packets which can be used
to allow the remote execution of arbitrary code. |
| Alerts: |
|
Comments (1 posted)
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE |
CVE #(s): | CVE-2007-2435
CVE-2007-2788
CVE-2007-2789
|
| Created: | June 1, 2007 |
Updated: | April 18, 2008 |
| Description: |
An unspecified vulnerability involving an "incorrect use of system
classes" was reported by the Fujitsu security team. Additionally, Chris
Evans from the Google Security Team reported an integer overflow
resulting in a buffer overflow in the ICC parser used with JPG or BMP
files, and an incorrect open() call to /dev/tty when processing certain
BMP files. |
| Alerts: |
|
Comments (none posted)
tcpdump: integer overflow
| Package(s): | tcpdump |
CVE #(s): | CVE-2007-3798
|
| Created: | July 20, 2007 |
Updated: | November 15, 2007 |
| Description: |
An integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6
and earlier allows remote attackers to execute arbitrary code via crafted
TLVs in a BGP packet, related to an unchecked return value. |
| Alerts: |
|
Comments (none posted)
tcpdump: denial of service
| Package(s): | tcpdump |
CVE #(s): | CVE-2007-1218
|
| Created: | March 5, 2007 |
Updated: | November 15, 2007 |
| Description: |
Off-by-one buffer overflow in the parse_elements function in the 802.11
printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote
attackers to cause a denial of service (crash) via a crafted 802.11
frame. NOTE: this was originally referred to as heap-based, but it might be
stack-based. |
| Alerts: |
|
Comments (none posted)
tetex: buffer overflow
| Package(s): | tetex |
CVE #(s): | CVE-2007-0650
|
| Created: | May 8, 2007 |
Updated: | May 13, 2008 |
| Description: |
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function. |
| Alerts: |
|
Comments (1 posted)
tomcat: directory traversal
| Package(s): | tomcat |
CVE #(s): | CVE-2007-0450
|
| Created: | May 2, 2007 |
Updated: | February 27, 2008 |
| Description: |
Versions of tomcat prior to 5.5.22 do not properly filter filename separator characters, enabling information disclosure attacks. |
| Alerts: |
|
Comments (none posted)
tomcat: cross-site scripting
| Package(s): | tomcat |
CVE #(s): | CVE-2007-2449
CVE-2007-2450
|
| Created: | July 17, 2007 |
Updated: | February 17, 2009 |
| Description: |
Some JSPs within the 'examples' web application did not escape user
provided data. If the JSP examples were accessible, this flaw could allow a
remote attacker to perform cross-site scripting attacks (CVE-2007-2449).
Note: it is recommended the 'examples' web application not be installed on
a production system.
The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web
application, an attacker could perform a cross-site scripting attack
(CVE-2007-2450). |
| Alerts: |
|
Comments (1 posted)
vixie-cron: weak permissions may cause errors
Package(s): vixie-cron
CVE #(s): CVE-2007-1856
Created: April 17, 2007
Updated: December 4, 2007
Description: During an internal audit, Raphael Marichez of the Gentoo Linux Security
Team found that Vixie Cron has weak permissions set on Gentoo, allowing
a local user to create hard links to system and users' cron files,
while an st_nlink check in database.c will generate a superfluous error.
vlc: several vulnerabilities
Package(s): vlc
CVE #(s): CVE-2007-3316, CVE-2007-3467, CVE-2007-3468
Created: July 10, 2007
Updated: March 10, 2008
Description: Several remote vulnerabilities have been discovered in the VideoLAN
multimedia player and streamer, which may lead to the execution of
arbitrary code.
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2007-3390, CVE-2007-3392, CVE-2007-3393
Created: June 28, 2007
Updated: February 27, 2008
Description: The wireshark network traffic analyzer has three vulnerabilities
that can be used to cause a denial of service: off-by-one overflows in
the iSeries dissector, flaws in the MMS and SSL dissectors that can cause
an infinite loop, and an off-by-one overflow in the DHCP/BOOTP dissector.
XFree86 X.org: integer overflows
Package(s): xfree86 x.org
CVE #(s): CVE-2007-1003, CVE-2007-1351, CVE-2007-1352, CVE-2007-1667
Created: April 3, 2007
Updated: August 11, 2009
Description: iDefense reported an integer overflow flaw in the XFree86 XC-MISC
extension. A malicious authorized client could exploit this issue to cause
a denial of service (crash) or potentially execute arbitrary code with root
privileges on the XFree86 server. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled various
font files. A malicious local user could exploit these issues to
potentially execute arbitrary code with the privileges of the X.org server.
(CVE-2007-1351, CVE-2007-1352)
An integer overflow flaw was found in the XFree86 XGetPixel() function.
Improper use of this function could cause an application calling it to
function improperly, possibly leading to a crash or arbitrary code
execution. (CVE-2007-1667)
xfsdump: insecure temp dir
Package(s): xfsdump
CVE #(s): CVE-2007-2654
Created: June 22, 2007
Updated: September 21, 2007
Description: xfs_fsr in xfsdump creates a .fsr temporary directory with insecure
permissions, which allows local users to read or overwrite arbitrary files
on xfs filesystems.
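The xfsdump entry is an instance of a pattern worth seeing side by side. The C program below is an added example, not xfsdump's own code: it creates a work directory the insecure way (fixed name, mode 0777, an already existing directory silently reused) and the hardened way (mkdtemp(), mode 0700, refusing to reuse anything), then applies the ownership, mode and symlink check a reviewer would want before trusting either. The .fsr name comes from the advisory; the base path, the helper names and the umask are assumptions made for the demonstration.

```c
/* Added example, not xfsdump's own code: the insecure work-directory pattern
 * described above next to a hardened one. The ".fsr" name comes from the
 * advisory; the base path, helper names and umask are assumptions. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure: predictable name, permissive mode, and a directory (or symlink)
 * another local user planted under that name is silently reused. */
int make_workdir_insecure(const char *base, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/.fsr", base) >= (int)outlen)
        return -1;
    if (mkdir(out, 0777) != 0 && errno != EEXIST)
        return -1;                  /* EEXIST accepted: the trap is sprung */
    return 0;
}

/* Hardened: mkdtemp() picks an unpredictable suffix, creates with mode 0700
 * and fails rather than reusing something that is already there. */
int make_workdir_secure(const char *base, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/.fsr.XXXXXX", base) >= (int)outlen)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* The check to make before trusting a work directory: a real directory
 * (lstat, so a planted symlink fails), owned by us, no group/other bits. */
int workdir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    return (st.st_mode & 0777) == 0700;
}

/* Files inside it: O_EXCL|O_NOFOLLOW turns a pre-planted file or symlink into
 * an error instead of something we write through. Removed again afterwards. */
int create_private_file(const char *dir, const char *name)
{
    char path[512];
    int fd;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return unlink(path);
}

/* Try both under a typical umask and report which passes the check: bit 0 for
 * the insecure directory, bit 1 for the secure one. Expected result: 2. */
int compare_workdirs(const char *base)
{
    char bad[512], good[512];
    int result = 0;
    umask(022);
    if (make_workdir_insecure(base, bad, sizeof bad) == 0) {
        result |= workdir_is_private(bad) ? 1 : 0;
        rmdir(bad);
    }
    if (make_workdir_secure(base, good, sizeof good) == 0) {
        result |= (workdir_is_private(good) &&
                   create_private_file(good, "fsr.tmp") == 0) ? 2 : 0;
        rmdir(good);
    }
    return result;
}

int main(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    printf("privacy check result: %d (expected 2)\n", compare_workdirs(base));
    return 0;
}
```

Run it as an unprivileged user: the fixed-name directory fails the check under any umask looser than 077, and a symlink another user has planted as .fsr fails the lstat/S_ISDIR test instead of being followed into.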
xine: format string vulnerabilities
Package(s): xine
CVE #(s): CVE-2007-0017
Created: January 23, 2007
Updated: August 10, 2007
Description: Multiple format string vulnerabilities in (1) the cdio_log_handler function
in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and
the (2) cdio_log_handler and (3) vcd_log_handler functions in
modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in
VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to
execute arbitrary code via format string specifiers in an invalid URI, as
demonstrated by a udp://-- URI in an M3U file.
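The CVE above is the classic log-handler mistake: a string that came from the input file is handed to a printf-style logging routine in the format position. The C program below is an added example, not VLC's or xine's code. It shows the vulnerable form next to the hardened one, plus a small triage helper that counts conversion directives in suspect input. log_printf() stands in for a library's variadic logger; its name, the handler names and the sample udp:// URI are assumptions. The vulnerable handler is only exercised with "%%", whose behaviour is defined and which is enough to prove that the input is being interpreted as a format rather than logged.

```c
/* Added example, not VLC's or xine's code: the log-handler mistake behind the
 * CVE above, next to the hardened form. log_printf() stands in for a
 * library's variadic logging routine; its name, the handler names and the
 * sample URI are assumptions made for this demonstration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The logging primitive: printf-style, as most loggers are. */
static void log_printf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the message (an attacker-chosen URI from a playlist) is passed
 * as the format, so "%x", "%s" and "%n" in it are interpreted, not logged. */
void log_handler_vulnerable(const char *message, char *out, size_t outlen)
{
    log_printf(out, outlen, message);
}

/* Hardened: the format is a constant; the message is only ever data. */
void log_handler_safe(const char *message, char *out, size_t outlen)
{
    log_printf(out, outlen, "%s", message);
}

/* Triage helper for suspect input or logs: count conversion directives,
 * treating "%%" as a literal percent sign rather than a directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Run both handlers on a constructed playlist entry. Only "%%" is fed to the
 * vulnerable handler: its behaviour is defined and it is enough to show the
 * input is being interpreted as a format. Returns 1 if the outputs differ. */
int demo(char *vuln_out, char *safe_out, size_t outlen)
{
    const char *uri = "udp://--%%";                 /* constructed, after the M3U case */
    log_handler_vulnerable(uri, vuln_out, outlen);  /* -> "udp://--%"  */
    log_handler_safe(uri, safe_out, outlen);        /* -> "udp://--%%" */
    return strcmp(vuln_out, safe_out) != 0;
}

int main(void)
{
    char a[64], b[64];
    printf("handlers differ: %d\n", demo(a, b, sizeof a));
    printf("directives in \"udp://--%%x%%x%%n\": %d\n",
           count_format_directives("udp://--%x%x%n"));
    return 0;
}
```

The fix is the same wherever the pattern appears: the untrusted string goes in as an argument to a constant "%s" format. Compilers flag the direct case with -Wformat-security, but not a call through a wrapper like log_printf(), which is why the grep-style directive count is still useful during review.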
xine-lib: arbitrary code execution
Package(s): xine-lib
CVE #(s): CVE-2007-1387
Created: March 13, 2007
Updated: April 1, 2008
Description: Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.
xine-lib: buffer overflow
Package(s): xine-lib
CVE #(s): CVE-2006-1664
Created: April 27, 2006
Updated: February 27, 2008
Description: xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
xinit: race condition
Package(s): xinit
CVE #(s): CVE-2006-5214
Created: October 17, 2006
Updated: August 9, 2007
Description: A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked.
xmms: BMP handling vulnerability
Package(s): xmms
CVE #(s): CVE-2007-0653, CVE-2007-0654
Created: March 28, 2007
Updated: July 26, 2011
Description: xmms suffers from vulnerabilities in its handling of BMP images. Should a
hostile image be included in an xmms skin, it could lead to code execution
on the user's system.
X.org: temp file vulnerability
Package(s): X.org
CVE #(s): CVE-2007-3103
Created: July 12, 2007
Updated: July 2, 2009
Description: The X.Org X11 xfs font server has a temp file vulnerability in the
startup script. A local user can modify the permissions of the script
in order to elevate their local privileges.
zziplib: buffer overflow
Package(s): zziplib
CVE #(s): CVE-2007-1614
Created: April 4, 2007
Updated: September 5, 2007
Description: dmcox discovered a boundary error in the zzip_open_shared_io() function
in zzip/file.c. A remote attacker could entice a user to run a zziplib
function with an overly long string as an argument, which would trigger the
buffer overflow and may lead to the execution of arbitrary code.
Page editor: Jake Edge
Kernel development
Brief items
The current 2.6 prepatch remains 2.6.23-rc1, no prepatches have been
released over the last week. Well over 500 changesets have been merged
into the mainline git repository since -rc1, though, and the -rc2 release
is overdue. The changes are mostly fixes, but there is also the addition
of the "literate" Lguest documentation, a mechanism where kernel-space code
can request notification when it is about to be preempted from the CPU, new
configuration options for software suspend and hibernation, the removal of
support for SuperH sh73180 and 7300 CPUs, AMD Geode LX framebuffer support,
the removal of the arm26 port, and a TCP congestion control API change
(pkts_acked() gets the round-trip time in microseconds now).
The current -mm tree is 2.6.23-rc1-mm2. Recent changes
to -mm include support for multiple netconsole targets, a Sonics Silicon
backplane subsystem, and a bunch of reiser4 fixes.
For older kernels: 2.6.16.53 was released on
July 25 with about a dozen fixes. 2.4.35 was released on
July 26 with a number of backported drivers and fixes.
Kernel development news
The tty layer is one of the very few pieces of kernel code that
scares the hell out of me.
--
Ingo Molnar
I wish people would focus less on who wrote the actual code that
got merged in the end, and more on the problem that got
solved.... People who care about the desktop should be happy that
the scheduler improved a lot due to the competition where the two
new schedulers were hair-close in most aspects.
--
Arjan van de Ven
This spec says that systems which can not automatically go into
suspend within 15 minutes of idle can _not_ earn a sticker. No
sticker, no client computer sales to governments. If Linux can't
get STR [suspend-to-RAM] working, broadly deployed, and enabled by default, then
our plans for world domination are going to take a significant
hit.
--
Len Brown
Rafael Wysocki, the current maintainer of the suspend and hibernation code
in the kernel, has put together a lengthy document describing the current
state of the art. "this document is intended as an
introductory presentation of the current (ie. as in the 2.6.23-rc1 kernel)
design of the suspend (ie. suspend-to-RAM and standby) and hibernation code,
the status of it, known problems with it and the future development
plans." It's a long read but interesting for those who are
interested in this subsystem.
By Jonathan Corbet
July 31, 2007
"Containers" is the term normally applied to a lightweight virtualization
approach where all guest systems run on the host system's kernel (as
opposed to running their own kernel on a special virtual machine). The
container technique tends to be more efficient at run time, but it poses
challenges of its own; since every container runs on the same kernel, a
whole series of internal barriers must be created to give each container
the illusion of having a machine to itself. The addition of these barriers
to the Linux kernel has been a multi-year process as the various projects
working in this area work out a set of interfaces that works for everybody.
An important part of a complete container implementation is resource
control; it is hard to maintain the fiction of a separate machine for each
container if one of those containers is hogging the entire system.
Extensive resource management patches have received a chilly reception in the past,
but a properly done implementation based on the process containers framework
might just make it in. The CFS
group scheduling patch can be seen as one type of container-based
resource management. But there is far more than just the CPU to worry
about.
One of the most contended resources on many systems is core memory. A
container which grows without bound and forces other containers out to swap
will lead to widespread grumbling on the linux-kernel list. In an effort
to avoid this unfortunate occurrence, Balbir Singh and Pavel Emelianov have
been working on a container-based
memory controller implementation. This patch is now in its fourth
iteration.
The patch starts with a simple "resource counter" abstraction which is
meant to be used with containers. It will work with any resource which can
be described with simple, integer values for the maximum allowed and
current usage. Methods are provided to enable hooking these counters into
container objects and allowing them to be queried and set from user space.
These counters are pressed into service to monitor the memory use by each
container. Memory use can be thought of as the current resident set: the
number of resident pages which processes within the container have mapped
into their virtual address spaces. Unlike some previous patches, though,
the current memory controller also tries to track page cache usage. So a
program which is very small, but which brings a lot of data from the
filesystem into the page cache, will be seen as using a lot of memory.
To track per-container page usage, the memory controller must hook into the
low-level page cache and reclaim code. It must also have a place to store
information about which container each page is charged to. To that end, a
new structure is created:
struct meta_page {
struct list_head lru;
struct page *page;
struct mem_container *mem_container;
atomic_t ref_cnt;
};
Global memory management is handled by way of two least-recently-used (LRU)
lists, the hope being that the pages which have been unused for the longest
are the safest ones to evict when memory gets tight. Once containers are
added to the mix, though, global management is not enough. So the
meta_page structure allows each page to be put onto a separate,
container-specific LRU list. When a process within a container brings in a
page and causes the container to bump up against its memory limit, the
kernel must, if it is to enforce that limit, push some of the container's
other pages out. When that situation arises, the container-specific LRU
list is traversed to find reclaimable pages belonging to the container
without having to pass over unrelated memory.
The page structure in the global memory map gains a pointer to the
associated meta_page structure. There is also a new page flag
allocated for locking that structure. There is no meta_page
structure for kernel-specific pages, but one is created for every
user-space or page cache page - even for processes which have not
explicitly been assigned to a container (those processes are implicitly
placed in a default, global container). There is, thus, a significant
cost associated with the memory controller - the addition of five pointers
(one in struct page, four in struct meta_page) and one
atomic_t for every active page in the system can only hurt.
With this mechanism in place, the kernel is able to implement basic memory
usage control for containers. One little issue remains: what happens when
the kernel is unable to force a container's memory usage below its limit?
In that case, the dreaded out-of-memory killer comes into play; there is a
special version of the OOM killer which restricts its predations to a
single container. So, in this situation, some process will die, but other
containers should be unaffected.
One interesting aspect of the problem which appears not to have been completely
addressed is pages which are used by processes in more than one container.
Many shared libraries will fall into this category, but much page cache
usage could as well. The current code charges a page to the
first container which makes use of it. Should the page be chosen to be
evicted, it will be unmapped from all containers; if a different container
then faults the page in, that container will be charged for it going
forward. So, over time, the reclaim mechanism
may well cause the charging of shared pages to be spread across the
containers on the system - or to accumulate in a single, unlimited
container, should one exist.
Determining whether real problems could result from this mechanism will
require extensive testing with a variety of workloads, and, one suspects,
that effort has barely begun.
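To make the charging and reclaim path described earlier, and the shared-page charging behaviour just discussed, concrete, here is an added user-space model in C. It is not the patch's code: the names mirror the article's meta_page and mem_container, but the structures, the one-page-at-a-time reclaim and the scenario (two containers limited to two pages each, four pages, one of them shared) are simplifications chosen for the demonstration.

```c
/* Added example, not the memory controller patch's code: a user-space model
 * of per-container charging, container-local LRU reclaim and the "first user
 * is charged" handling of shared pages described in the article. Names follow
 * the article; the structures, the one-page-at-a-time reclaim and the scenario
 * are simplifications chosen for this demonstration. */
#include <stddef.h>

struct mem_container;

struct meta_page {                    /* one per user-space or page-cache page */
    struct meta_page *prev, *next;    /* container-local LRU link */
    struct mem_container *owner;      /* container charged for the page */
    int ref_cnt, page_id;             /* faults that mapped it while charged; id */
};

struct mem_container {
    long limit, usage;                /* the resource counter: maximum and current */
    struct meta_page lru;             /* list sentinel; lru.next is least recently used */
    int last_evicted;                 /* page pushed out by the last fault, or -1 */
};

static void lru_del(struct meta_page *mp)
{
    mp->prev->next = mp->next; mp->next->prev = mp->prev; mp->next = mp->prev = mp;
}

static void lru_add_tail(struct mem_container *c, struct meta_page *mp)
{
    mp->prev = c->lru.prev; mp->next = &c->lru; c->lru.prev->next = mp; c->lru.prev = mp;
}

void container_init(struct mem_container *c, long limit)
{
    c->limit = limit; c->usage = 0; c->last_evicted = -1;
    c->lru.prev = c->lru.next = &c->lru; c->lru.owner = NULL; c->lru.page_id = -1;
}

void page_init(struct meta_page *mp, int id)
{
    mp->prev = mp->next = mp; mp->owner = NULL; mp->ref_cnt = 0; mp->page_id = id;
}

/* Resource-counter charge: one unit, only while usage is under the limit. */
static int res_counter_charge(struct mem_container *c)
{
    if (c->usage >= c->limit) return -1;
    c->usage++;
    return 0;
}

/* Reclaim from this container only: take the least recently used page off its
 * own LRU list and uncharge it; other containers' pages are never considered. */
static int container_reclaim_one(struct mem_container *c)
{
    struct meta_page *victim = c->lru.next;
    if (victim == &c->lru) return -1; /* nothing reclaimable: container-local OOM */
    lru_del(victim);
    victim->owner = NULL; victim->ref_cnt = 0; c->usage--;
    c->last_evicted = victim->page_id;
    return 0;
}

/* A process in container c faults in page mp. Returns -1 when the page cannot
 * be charged even after reclaiming from c (where the OOM killer would run). */
int container_fault_page(struct mem_container *c, struct meta_page *mp)
{
    c->last_evicted = -1;
    if (mp->owner) {                  /* already charged to whoever used it first */
        mp->ref_cnt++;
        lru_del(mp); lru_add_tail(mp->owner, mp);   /* recently used: back of owner's list */
        return 0;
    }
    if (res_counter_charge(c) < 0 &&
        (container_reclaim_one(c) < 0 || res_counter_charge(c) < 0))
        return -1;
    mp->owner = c; mp->ref_cnt = 1;
    lru_add_tail(c, mp);
    return 0;
}

/* Results of the scenario: what A evicted, who is charged for what. */
struct scenario_result {
    long a_usage, b_usage;
    int first_evicted, second_evicted, shared_refs, p0_charged_to_b;
};

/* Two containers limited to two pages each, four pages, one of them shared. */
struct scenario_result run_scenario(void)
{
    struct mem_container a, b;
    struct meta_page p[4];
    struct scenario_result r;
    container_init(&a, 2); container_init(&b, 2);
    for (int i = 0; i < 4; i++) page_init(&p[i], i);
    container_fault_page(&a, &p[0]);
    container_fault_page(&a, &p[1]);
    container_fault_page(&a, &p[2]);  /* A is full: its oldest page, p0, goes */
    r.first_evicted = a.last_evicted;
    container_fault_page(&b, &p[1]);  /* shared with A; B is not charged */
    container_fault_page(&b, &p[0]);  /* p0 was evicted, so B pays for it now */
    container_fault_page(&a, &p[3]);  /* A reclaims from its own LRU again: p2 */
    r.second_evicted = a.last_evicted;
    r.a_usage = a.usage; r.b_usage = b.usage;
    r.shared_refs = p[1].ref_cnt;
    r.p0_charged_to_b = (p[0].owner == &b);
    return r;
}
```

In the scenario, container A fills up and reclaims from its own LRU list only; the page it evicts is later faulted by B and charged to B, while the page both containers map stays charged to A, the first user. That is the migration of charges across containers the article warns about, and the model also shows the container-local OOM case: container_reclaim_one() fails when the container's own list is empty.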
For now we have a memory controller framework which appears to be capable
of doing the core job, which is a good start. It is clearly applicable to
the general container problem, but might just prove useful in other
situations as well. A system administrator might not want to implement
full-blown containers, but might be interested in, for example, keeping
filesystem-intensive background jobs (updatedb, backups, etc.)
within certain memory bounds. Users could put a boundary around, say,
OpenOffice.org to keep it from pushing everything else of interest out of
memory. There would seem to be enough value here to justify the inclusion
of this patch - though a bit of work may be required first.
By Jonathan Corbet
August 1, 2007
High-performance networking is continually faced with a challenge: local
networking technologies are getting faster more quickly than processor and
memory speeds. So every time that the venerable Ethernet technology
provides another speed increment, networking developers must find ways to
enable the rest of the system to keep up - even on fast contemporary
hardware.
One recurring idea is to push more of the work into the
networking hardware itself. TCP offload engines have been around since the
days when systems were having trouble keeping up with 10Mb Ethernet, but
that technology has always been limited in its acceptance; see this 2005 LWN article for some
discussion of why. But some more restrained hardware assist techniques
have been more successful; for example, TCP segmentation offload (TSO), where
network adapters turn a stream of data into packets for transmission, is
well supported under Linux.
Use of TSO can boost networking performance considerably. When one is
dealing with thousands of packets every second, even a slight per-packet
assist will add up. TSO reduces the amount of work needed to build headers
and checksum the data, and it cuts down on the number of times that the
driver must program operations into the network adapter. There is,
however, no analogous assistance for incoming data. So, if you have two
identical Linux servers with one sending a high-bandwidth stream to the
other, the receiving side may be barely keeping up with the load while the
transmitting side barely breaks a sweat.
Proposals for assistance for packet reception often go under the name
"large receive offload" (LRO); the idea was first proposed for Linux in this
OLS 2005 talk [PDF]. The initial LRO implementation used hardware
features found in Neterion adapters; it never made it into the mainline and
little has been heard from that direction since. The LRO idea has recently
returned, though, in the form of this patch by Jan-Bernd
Themann. Interestingly, the new LRO code does not require any hardware
assistance at all.
With Jan-Bernd's patch, a driver must, to support LRO, fill in an LRO
manager structure which looks like this:
#include <linux/inet_lro.h>
struct net_lro_mgr {
struct net_device *dev;
struct net_lro_stats stats;
unsigned long features;
u32 ip_summed; /* Options to be set in generated SKB in page mode */
int max_desc; /* Max number of LRO descriptors */
int max_aggr; /* Max number of LRO packets to be aggregated */
struct net_lro_desc *lro_arr; /* Array of LRO descriptors */
/*
* Optimized driver functions
*
* get_skb_header: returns tcp and ip header for packet in SKB
*/
int (*get_skb_header)(struct sk_buff *skb, void **ip_hdr,
void **tcpudp_hdr, u64 *hdr_flags, void *priv);
/*
* get_frag_header: returns mac, tcp and ip header for packet in SKB
*
* @hdr_flags: Indicate what kind of LRO has to be done
* (IPv4/IPv6/TCP/UDP)
*/
int (*get_frag_header)(struct skb_frag_struct *frag, void **mac_hdr,
void **ip_hdr, void **tcpudp_hdr, u64 *hdr_flags,
void *priv);
};
In this structure, dev is the network interface for which LRO is
to be implemented; stats contains some statistics which can be
queried to see how well LRO is working. The features field
controls how the LRO code should feed packets into the networking stack; it
has two flags defined currently:
- LRO_F_NAPI says that the driver is NAPI compliant, and that, in
particular, packets should be passed upward with
netif_receive_skb().
- LRO_F_EXTRACT_VLAN_ID is for drivers with VLAN support. This
article won't go further into VLAN support for the simple reason that
your editor does not understand it.
Checksum information for the final packets should go into
ip_summed. The maximum number of "LRO descriptors" should be
stored in max_desc. Each descriptor describes one TCP stream, so
the maximum limits the number of streams for which LRO can be done
simultaneously. Increasing the maximum requires more memory and will slow
things a bit, since packets are matched to streams by way of a linear
search. max_aggr is the maximum number of incoming packets which
will be aggregated into a single, larger packet. The lro_arr
array contains the descriptors for tracking streams; the driver should
provide it with enough memory for at least max_desc structures or
very unpleasant things are likely to happen.
Finally, there are the get_skb_header() and
get_frag_header() methods. Their job is to locate the IP and TCP
headers in a packet as quickly as possible. Typically a driver will only
provide one of the two functions, depending on how it feeds packets into
the LRO aggregation code.
A driver which receives packets in fully-completed sk_buff
structures would normally pass them up directly to the network stack with
netif_rx() or netif_receive_skb(). If LRO is being done,
instead, the packets should be handed to:
void lro_receive_skb(struct net_lro_mgr *lro_mgr,
struct sk_buff *skb,
void *priv);
This function will attempt to identify an LRO descriptor for the given
packet, creating one if need be. Then it will try to join that packet with
any others in the stream, making one large, fragmented packet. In the
process, it will call the driver's get_skb_header() method,
passing through the pointer given as priv. If the packet cannot
be aggregated with others (it may not be a TCP packet, for example, or it
could have TCP options which require it to be processed separately) it will
be passed directly to the network stack. Either way, the driver can
consider it delivered and move on to its next task.
Some drivers receive packets directly into memory represented by
page structures, constructing the full sk_buff structure
after reception. For such drivers, the interface is:
void lro_receive_frags(struct net_lro_mgr *lro_mgr,
struct skb_frag_struct *frags,
int len, int true_size,
void *priv, __wsum sum);
The LRO code will build the necessary sk_buff structure, perhaps
aggregating fragments from several packets, and (sooner or later) feed the
results to the network stack. It will call the driver's
get_frag_header() method to locate the headers in the first
element of the frags array; that method should also ensure that
the packet is an IPv4 TCP packet and set LRO_IPV4 and
LRO_TCP in the flags argument if so.
Combined packets will be pushed up into the network stack whenever
max_aggr individual packets have been merged into them. Delaying
data for too long while waiting for additional packets is not a good idea,
though; occasionally packets should be sent on even if they are not as
large as they could be. The function for this job is:
void lro_flush_all(struct net_lro_mgr *lro_mgr);
It will cause all packets to be sent on. A logical place for such a call
might be at the end of a NAPI driver's poll() method. An
individual stream can be flushed with:
void lro_flush_pkt(struct net_lro_mgr *lro_mgr,
struct iphdr *iph,
struct tcphdr *tcph);
This call will locate the stream associated with the given IP and TCP
headers and send its accumulated data onward. It will not add any
data associated with the given headers; the packet associated with those
headers should have already been added with one of the receive functions if
need be.
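The interface above is easier to follow with the aggregation logic in front of you. The C program below is an added user-space model, not the patch's code: it keeps the patch's descriptor-per-stream design with a linear 4-tuple search, aggregates in-order segments up to max_aggr, passes non-TCP packets and segments carrying TCP options straight through (after flushing anything pending for the same stream, so data stays in order), and flushes everything at the end of a simulated poll() call. The packet and descriptor fields, the constructed traffic and the "delivery" records standing in for netif_receive_skb() are assumptions.

```c
/* Added example, not the patch's code: a user-space model of the LRO manager
 * described above. The per-stream descriptor table and its linear search
 * follow the patch; packet and descriptor fields, the "delivery" records that
 * stand in for netif_receive_skb() and the traffic are simplifications. */
#include <stddef.h>
#include <stdint.h>

#define MAX_DESC 4                 /* stand-in for net_lro_mgr.max_desc */
#define MAX_DELIVERED 32

struct pkt {                       /* what get_skb_header() would hand us */
    uint32_t saddr, daddr, seq; uint16_t sport, dport;
    int is_tcp, has_options, payload_len;
};

struct lro_desc {                  /* one in-progress aggregation = one TCP stream */
    int active, pkt_aggr_cnt, payload_len;
    uint32_t saddr, daddr, next_seq;   /* next_seq: what the next segment must carry */
    uint16_t sport, dport;
};

struct delivered { int payload_len, pkt_aggr_cnt; };

struct lro_mgr {
    int max_desc, max_aggr, n_out, stats_aggregated, stats_no_desc;
    struct lro_desc desc[MAX_DESC];
    struct delivered out[MAX_DELIVERED];   /* what went up the stack, in order */
};

void lro_init(struct lro_mgr *m, int max_desc, int max_aggr)
{
    *m = (struct lro_mgr){ .max_desc = max_desc, .max_aggr = max_aggr };
}

static void deliver(struct lro_mgr *m, int len, int cnt)
{
    if (m->n_out < MAX_DELIVERED) m->out[m->n_out++] = (struct delivered){ len, cnt };
}

static void flush_desc(struct lro_mgr *m, struct lro_desc *d)
{
    if (d->active) deliver(m, d->payload_len, d->pkt_aggr_cnt);
    d->active = 0;
}

/* Match a packet to its stream by 4-tuple with a linear scan (which is why a
 * large max_desc costs time); also report a free slot for a new stream. */
static struct lro_desc *find_desc(struct lro_mgr *m, const struct pkt *p, int *slot)
{
    *slot = -1;
    for (int i = 0; i < m->max_desc; i++) {
        struct lro_desc *d = &m->desc[i];
        if (!d->active) { if (*slot < 0) *slot = i; continue; }
        if (d->saddr == p->saddr && d->daddr == p->daddr &&
            d->sport == p->sport && d->dport == p->dport)
            return d;
    }
    return NULL;
}

/* The lro_receive_skb() role: aggregate when possible, else pass through. */
void lro_receive(struct lro_mgr *m, const struct pkt *p)
{
    int slot = -1;
    struct lro_desc *d = p->is_tcp ? find_desc(m, p, &slot) : NULL;
    if (!p->is_tcp || p->has_options || p->payload_len == 0) {
        if (d) flush_desc(m, d);       /* keep the stream's data in order */
        deliver(m, p->payload_len, 1); /* not aggregatable: straight up */
        return;
    }
    if (d && p->seq != d->next_seq)
        flush_desc(m, d);              /* sequence gap: deliver, then start afresh */
    if (!d) {                          /* new stream, if a descriptor is free */
        if (slot < 0) { m->stats_no_desc++; deliver(m, p->payload_len, 1); return; }
        d = &m->desc[slot];
    }
    if (!d->active)
        *d = (struct lro_desc){ .active = 1, .saddr = p->saddr, .daddr = p->daddr,
                                .sport = p->sport, .dport = p->dport };
    d->pkt_aggr_cnt++;
    d->payload_len += p->payload_len;
    d->next_seq = p->seq + p->payload_len;
    m->stats_aggregated++;
    if (d->pkt_aggr_cnt >= m->max_aggr) /* max_aggr reached: hand it up now */
        flush_desc(m, d);
}

/* lro_flush_all(): what a NAPI poll() would call before returning. */
void lro_flush_all(struct lro_mgr *m)
{
    for (int i = 0; i < m->max_desc; i++) flush_desc(m, &m->desc[i]);
}

struct lro_result { int n_out, first_len, first_cnt, last_len, last_cnt, aggregated; };

/* Constructed traffic: five in-order segments of one stream, a UDP datagram,
 * a segment carrying TCP options, then two more segments left for the flush. */
struct lro_result run_lro_demo(void)
{
    struct lro_mgr m;
    struct pkt seg = { .saddr = 0x0a000001, .daddr = 0x0a000002, .seq = 1000,
                       .sport = 40000, .dport = 80, .is_tcp = 1, .payload_len = 1448 };
    struct pkt udp = { .payload_len = 512 };
    lro_init(&m, MAX_DESC, 4);
    for (int i = 0; i < 5; i++) { lro_receive(&m, &seg); seg.seq += seg.payload_len; }
    lro_receive(&m, &udp);             /* passes through; fifth segment still pending */
    seg.has_options = 1; seg.payload_len = 100;
    lro_receive(&m, &seg);             /* flushes the pending segment, then itself */
    seg.seq += 100; seg.has_options = 0; seg.payload_len = 1448;
    for (int i = 0; i < 2; i++) { lro_receive(&m, &seg); seg.seq += seg.payload_len; }
    lro_flush_all(&m);                 /* end of poll(): push the remaining two */
    return (struct lro_result){ m.n_out, m.out[0].payload_len, m.out[0].pkt_aggr_cnt,
                                m.out[m.n_out - 1].payload_len,
                                m.out[m.n_out - 1].pkt_aggr_cnt, m.stats_aggregated };
}
```

With max_aggr set to 4, the first four segments go up as one 5792-byte packet; the fifth waits in its descriptor and is pushed out ahead of the options-carrying segment, so the receiver sees the stream in order; the last two are only delivered by the flush at the end of the poll, which is the latency cost the article mentions.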
That is, for all practical purposes, the entire interface. One might well
wonder how this code can improve performance, given that it is just
aggregating packets which have already been received in the usual way by
the driver. The answer is that it is reducing the number of packets that
the network stack has to work with, cutting the per-packet overhead at
higher levels in the stack. A clever driver can, using the struct
page approach, also reduce the number of memory allocations required
for each packet, which can be a big win. So LRO appears to be worth
having, and current plans call for it to be merged in 2.6.24.
By Jonathan Corbet
July 31, 2007
The arch directory in the kernel source tree contains all of the
architecture-specific code. There is a lot of code there, despite years of
work by the development community to make things generic whenever
possible. There are currently 26 different top-level architectures
supported by Linux, many of which contain a number of sub-architectures.
Two of those top-level architectures are i386 (the original Linux architecture)
and x86_64, which is the
64-bit big brother to i386. There is quite a bit of commonality between
those two architectures, and some efforts have been made to share code
between them whenever possible. Even so, the source trees for the two
architectures remain distinct from each other.
In the view of some developers, at least, the separation of the two
architecture trees is a problem. A bug fix which must be applied to one
often is applicable to the other, but it's not clear that all fixes are
being made in both places. New features, too, must be added twice. It is
relatively easy to break one architecture while working on the other.
Developers working on architecture-specific projects - virtualization is
mentioned often - end up having to do a lot of work to keep up with two
strongly related trees. In response to this kind of pressure, the 32-bit
and 64-bit PowerPC architectures were merged into a single architecture
tree in 2.6.15, and the general consensus seems to be that it was a good
move. But no such merger has happened for the x86 variants.
That may be about to change, though: Thomas Gleixner and Ingo Molnar
recently posted a patch to merge the two
architectures with a request for comments. This patch is huge: it
weighs in at over 9MB and touches 1764 files. It is so tied to the current
state of the kernel tree that it can only be reasonably applied to one
specific commit point in the git repository. This is not the patch which
is meant to be applied, though; its purpose is to show what the final
result would look like. If and when the time comes to actually merge this
patch, it will be done differently:
As a next step we plan to generate a gradual, fully bisectable,
fully working switchover from the current code to the fully
populated arch/x86 tree. It will result in about 1000-2000 commits.
That is a little intimidating as well. Knowing this, the developers of
this patch have gone out of their way to make it possible to apply the
change with a high level of confidence. So there will be no code changes
associated with the merger: it will be possible to build the exact same
kernel image from the source tree before and after the change.
The patch creates a new architecture called x86 and moves
everything from the two existing architectures over. In the small number
of cases where each architecture has an identical copy of the same file,
only a single file is created in the new tree. More often, though, the two
architectures have a file by the same name in the same place, but their
contents differ. In such cases, both files are moved into the new tree
with a _32 or _64 suffix, depending on where it came
from. So, for example, both architectures contain
kernel/ioport.c; the new x86 architecture has
ioport_32.c and ioport_64.c. Some simple trickery is
then employed to ensure that the correct files for the target architecture
are built.
In many (if not most) cases, there is a great deal of common code in the
two files, and that common code is left there. The idea at this stage of
the game is to get the two architecture trees together without affecting
the resulting kernel; that is probably the only way that such a big change
would ever be accepted. Once things have been merged, the opportunities
for eliminating duplicated code between individual files will become more
apparent - the files will usually be right next to each other. One
imagines that an army of code janitors would swoop in to do this work, much
of which would be relatively straightforward. Once it's done, we would
have a shiny new, merged architecture with duplicated code squeezed out,
and everybody would be happy.
Or maybe not. Andi Kleen has expressed his
opposition to this change:
I think it's a bad idea because it means we can never get rid of
any old junk. IMNSHO arch/x86_64 is significantly cleaner and
simpler in many ways than arch/i386 and I would like to preserve
that. Also in general arch/x86_64 is much easier to hack than
arch/i386 because it's easier to regression test and in general has
to care about much less junk. And I don't know of any way to ever
fix that for i386 besides splitting the old stuff off completely.
Andi, by virtue of being the maintainer of the i386 and x86_64
architectures, has a relatively strong voice in this discussion. His core
argument - that splitting the architectures allows lots of legacy issues to
be confined to the i386 tree - reflects a common practice in kernel code
management. Code which only supports relatively new hardware tends to be a
lot cleaner than code which handles older devices as well, but removal of
support for hardware which is still in use is frowned upon. So, instead, a
new subsystem is created for the newer stuff, with the idea that the legacy
code can be supported separately until it withers away. A classic example
is the way that serial ATA support was implemented within its own subsystem
instead of being an addition to the IDE code. Andi, along with a few
others, argues that x86-family processor support should be handled in the
same way.
Most of the participants in the early discussion would appear to disagree
with Andi, though. Unlike legacy IDE devices, it is argued, the 32-bit
architecture is not going to disappear anytime soon. The number of quirks
which are truly unique to the i386 architecture is seen as being relatively
small. Linus argues that it's easier to
carry forward legacy code when it's part of a shared tree than when it's
shoved off into a corner. Judging from the conversation which followed the
initial posting, there is a near-consensus that the unified tree is the
right way to go.
There were a couple of suggestions that the patch could go directly into
2.6.23, but it is probably just as well that things did not happen that
way. 2.6.23 has a lot of new stuff already, and this patch is new.
Allowing a cycle for the work to age can only be helpful. Besides, we have
not yet seen a repository with those 1000 or so separate commits in it.
More to the point, though: the real
discussion on the merger has not yet happened. To rework two architectures
into one over the objections of the maintainer would be an extraordinary
step verging on a hostile takeover of the code. Maintainers do not have
absolute veto power over patches, but overriding a maintainer on a patch
this big is not something which is done lightly. So the developers of the
unified x86 architecture patch have one big challenge remaining: they have
solved the technical issues nicely, and they have convinced much of the
development community that this change should be made. But it would be in
the best interests of everybody involved if they could find a way to
convince the maintainer of the code they are working with as well.
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Kernel building
Memory management
Networking
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
By Rebecca Sobol
August 1, 2007
The second call for votes has gone out on
the General Resolution (GR) on the concept of Debian Maintainers (DM).
This was first covered in LWN
here. The
current vote is on a modified version of the original proposal. The debate
continues though, and it seems likely that "Choice 2: Further discussion"
will win this vote, which ends August 4. Here are some
quotes from some of the discussion on debian-vote. And for the
uninitiated, other common acronyms include DD (Debian Developer) and NM
(New Maintainer).
Christoph Berg began this thread with:
I haven't said anything in the DM threads yet because I still don't
know which actual problem the introduction of DMs is trying to solve.
IMHO the current process with sponsors reviewing and uploading
packages has proven to work nicely, i.e. the amount of broken packages
uploaded is not too high. Most of the perceived problems with this
process stem from the fact that most of the packages offered on
debian-mentors or #debian-mentors are initially crap and need lots of
review cycles. Once people produce good packages asking the last
sponsor for another upload should work. (And at that point NM will be
a breeze.)
Nacho Barrientos Arias:
IMHO DMs is something Debian needs, a bunch of people stuck at NM is
perfectly able to upload high quality packages themselves but
otherwise I completely agree with the paragraph above. DMs is a small
patch, not a solution.
Martin Schulze replied:
With your rationale, NMs who maintain packages well and are sufficiently
clueful should be granted upload rights even before finishing NM, instead
of the invention of a second class of maintainers.
Kalle Kivimaa:
You do realize that the DM proposal solves other problems than just
the "it takes forever for a qualified NM to get upload rights", too?
Since not everyone does know what other problems might be solved by this,
Raphael Hertzog posted a refresher:
- Not everybody wants to be DD. [1]
- Not everybody deserves to be DD. [2]
- Everybody who is able to properly maintain a package according to our
rules should have the possibility to maintain that package.
This is still not convincing to Josselin
Mouette among others:
If someone doesn't want to be a DD because the NM process is broken, we
should fix the NM process. If someone doesn't want to be a DD because of
laziness or whatever other excuse, I think the current rules are
perfect.
It is to others, including Steve Langasek:
The question was,
"will this allow us to integrate the contributions of non-DDs more
effectively, with less overhead and without a reduction in quality, for the
betterment of Debian?"
I believe the answer to this question is "yes", and I don't feel any
particular need to belabour the reasons why I think this is the case as it's
my impression that they've already been adequately covered in the list
discussion. I would only like to point out that it seems to me that many of
those speaking out against the DM proposal are doing so on the basis of
different questions.
This thread continues on for some time. Some oppose the GR because they
feel that it is an attempt to address a broken new maintainer (NM) process
(and not a very good attempt at that). Some don't believe that Debian needs
the introduction of "second class citizens". A few developers support the
proposal.
There is another thread on the discussion that starts with this post by Joerg Jaspert:
The short text of this post is _I am against the_
_proposal as it is right now and think it does more harm than good_
and so I did vote for Further Discussion. See below for a bit more about
my reasoning, or just skip if you are already bored. :)
For those who have read this far, Anthony's new proposal is a Constitutional amendment to reduce the length of
DPL election process.
Comments (1 posted)
New Releases
64 Studio is a GNU/Linux distribution made for digital content creation,
including audio, video, graphics and publishing tools. It comes in both
AMD64/Intel64 and 32-bit flavors. The stable 2.0 Debian 'etch' based
release
has been
announced.
Comments (none posted)
Linux From Scratch has announced the first release candidate for LFS 6.3.
"This being a test release, we would appreciate you taking the time
to try it out and report any bugs you find in it to the LFS development
team."
Full Story (comments: none)
The Linux From Scratch LiveCD team has announced a new 64bit-only
CD. "It is a minimal CD, meaning that it contains no X Windows System
and dependent software nor any source packages. The LFS book that is
included is based on the current development x86_64 branch. Be advised
that as of now that book contains no instructions for building a boot
loader, and some of the textual information may need adjusting. However, it
will produce a working base system."
Full Story (comments: none)
Lunar Linux has announced the
first beta release of a new series of lunar-linux installer ISO's.
"Our new ISO's will be as easy to install as 1.6.1, but pack an extra
punch: This series of ISO's preinstalls a basic Xfce4-4.4.1 desktop with
XOrg-7.2, together with firefox, thunderbird, pidgin, audacious, gimp and a
few other basic desktop utilities."
Full Story (comments: none)
The Opie Project has announced the immediate availability of version 1.2.3
of the Open Palmtop Integrated Environment, a comprehensive user
environment and application suite for portable devices running Linux.
"Like most Linux software, Opie is able to run on a wide variety of
platforms. Opie has direct hardware support for Hewlett Packard iPAQ,
Sharp Zaurus, Yopy, Siemens SIMpad devices, and now also various Palm
handhelds. Opie is provided in several Linux distributions including
Familiar."
Full Story (comments: none)
Red Hat has announced the availability of a beta release of 5.1 with
kernel-2.6.18-36.el5 for the Red Hat Enterprise Linux 5 family of
products. "Red Hat Enterprise Linux 5.1 is still in development and
therefore the contents of the media kit, the implemented features, and the
supported configurations are subject to change before the release of the
final product. The supplied beta packages and CD images are intended for
testing purposes only."
Full Story (comments: none)
Distribution News
The Debian release team has an update for the Lenny release. You can see
the current
release
goals, which are not yet set in stone. The testing transition should
be smoothed out by now, but this update has some news about more thrashing
soon to come.
Full Story (comments: none)
What's a Fedora release cycle without schedule slips? The word has duly
gone out that Fedora 8 Test 1 will be delayed by one week to
August 7. "This gives us time to consume the kernel build and generate a release
candidate tree early tomorrow, and spend all day, and all of Thursday
beating on it for real blocker issues. Friday morning is our Go/No Go
point. If all things are Go, we'll be handing it off to mirrors and
giving them the weekend and Monday to sync up the release. If we're No
Go, we will determine then a new release date."
Full Story (comments: none)
The Fedora Weekly News is starting a new column called Ask Fedora.
"Send your questions to askfedora@fedoraproject.org and Fedora news
team will bring you answers from the right places to selected number of
questions every week as part of our weekly news report."
Full Story (comments: none)
Extra Packages for Enterprise Linux (EPEL) is brought to you by a community
of package maintainers working from inside of Fedora. If you are looking
for extra packages for a Fedora based Enterprise Linux system (such as Red
Hat Enterprise Linux or CentOS) the EPEL repository may have just what you
are looking for.
Full Story (comments: none)
Panu Matilainen has started looking forward to the next major release of
RPM, on the fedora-devel mailing list. "Not everybody is on
rpm-maint list and we'd like to hear the wishes of (Fedora)
developers/packagers too. So: what have you always wanted to do with rpm,
but wasn't able to? Or the other way around: what you always wished rpm
would do for you? What always annoyed you out of your mind?"
Full Story (comments: none)
John Poelstra presents a recap of the latest Fedora Board Meeting, held
July 24, 2007. Topics discussed include Freeze for F8 Test1, Virtual
FUDCon Update, Update on Feature Process and Targeted Audience Discussion.
Full Story (comments: none)
The opensuse-kernel mailing list has been created for the discussion of
openSUSE kernel development (Factory et al) and the kernels in the
buildservice.
Full Story (comments: none)
New Distributions
Poky 3.0 is out; read about it on the project web page. "Poky is an
embedded Linux build system, distribution and developer environment which
builds upon OpenEmbedded technologies. Poky's focus is purely on building
stable optimised GNOME Embedded type platforms (X11/Matchbox/GTK+) together
with a streamlined system layer and cross development environment."
Features in 3.0 include an early version of the "Sato" smartphone
framework, an improved build system, Nokia N800 support, and more. Some
Sato screenshots can be found on this page.
Comments (none posted)
Distribution Newsletters
The Fedora Weekly News for July 27, 2007 looks at Extra Packages for
Enterprise Linux (EPEL), 3000 Fedora 7 Installations, FESCo Election
Results, the launch of a special section called 'Ask Fedora' where you can
ask questions to Fedora Project, and development news covering RPM Roadmap,
Fedora Sound System, Desktop Menus, Licensing and several other topics.
Full Story (comments: none)
The
Foresight
Linux Newsletter for July 2007 covers Foresight Linux 1.3.2 released,
Linux World Expo, Foresight Linux logo, and several other topics.
Comments (none posted)
The
Gentoo
Weekly Newsletter for July 23, 2007 looks at new guides for Gentoo,
including the Gentoo Realtime Guide and the Compilation Optimization
Guide. Gentoo artwork is looking for volunteers, the Alpha project has a
status update, and much more in this edition.
Comments (none posted)
The Ubuntu Weekly Newsletter for July 27, 2007 covers Canonical seeking
help with training courses, last call for Software Freedom Day
registrations, a call to arms for US LoCo teams, new Drag & Drop
Gnome tabs, new Launchpad features, and much much more.
Full Story (comments: none)
The DistroWatch Weekly for July 30, 2007 is out. "The beginning of August is
traditionally a month when many Linux distributions launch new development
drives and outline some of the planned features for their upcoming
releases. And indeed, if all goes according to the plan, we should see the
first test release of Fedora 8 and the first beta release of Mandriva Linux
2008 later this week. Before that happens, we'll bring you the highlights
of the past week, including updates on Debian "Lenny", the launch of the
OpenBSD Foundation, an initiative to provide extra packages for Red Hat and
Red Hat-derived distributions, and a coverage of the Ubuntu Live
conference. Finally, don't miss our brief article featuring the Linux User
Group of New Caledonia, complete with a few thoughts on the availability of
bandwidth in remote parts of our planet."
Comments (none posted)
Newsletters and articles of interest
Ars Technica covers Mark Shuttleworth's keynote presentation at the Ubuntu
Live conference. "Shuttleworth started by explaining the distribution's role within
the open-source ecosystem. According to Shuttleworth, the Ubuntu project is
a "nexus of collaboration" and an "interface point" which facilitates
interaction between individual contributors, upstream projects, and
third-party vendors. Ubuntu is building stronger ties with industry, said
Shuttleworth, because the commercial ecosystem is critical to the future of
the project. Hardware and software certification is a big part of those
plans, and Shuttleworth also wants the Ubuntu project to work closely with
third-party developers and other vendors to help align them with the Ubuntu
release cycle."
Comments (none posted)
Distribution reviews
Linux.com reviews GeeXBox. "GeeXBoX, a small media center Linux live CD distribution,
can run from any small device, such as a USB disk or a wallet CD-R, and can
play both disk-based media like DVDs and online media like Icecast
streams. The project has been in development for several years and has just
released version 1.1. I fed it every kind of media file I could lay my
hands on -- Ogg, MP3, MP4, AVI, DVDs, VCDs, and their ripped versions --
and it played them all without a hiccup. But what makes GeeXBoX a fantastic
distribution is its ease of use and malleability."
Comments (none posted)
Page editor: Rebecca Sobol
Development
August 1, 2007
This article was contributed by Paul McKenney
Validating Parallel Algorithms
Parallel algorithms can be hard to write, and even harder to debug.
Testing, though essential, is insufficient, as fatal race conditions
can have extremely low probabilities of occurrence.
Proofs of correctness can be valuable, but in the end are just as
prone to human error as is the original algorithm.
It would be very helpful to have a tool that could somehow locate
all race conditions.
Such a tool in fact exists in the form of the language Promela
and its compiler Spin.
What are Promela and Spin?
Promela is a language designed to help verify protocols, but which
can also be used to verify small parallel algorithms.
You recode your algorithm and correctness constraints in the C-like
language Promela, and then use Spin to translate it into a C program
that you can compile and run.
The resulting program conducts a full state-space search of your
algorithm, either verifying or finding counter-examples for
assertions that you can include in your Promela program.
This full-state search can be extremely powerful, but can also be
a two-edged sword.
If your algorithm is too complex or your Promela implementation is
careless, there might be more states than fit in memory.
Furthermore, even given sufficient memory, the state-space search might
well run for longer than the expected lifetime of the universe.
Therefore, use this tool for compact but complex parallel algorithms.
Attempts to naively apply it to even moderate-scale algorithms (let alone
the full Linux kernel) will end badly.
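As an added illustration of the workflow just described (this is not code from McKenney's article), here is a small Promela model of a lost-update race: two processes perform a non-atomic increment of a shared counter, and an assertion states the expected final value. Spin's exhaustive search finds the interleaving that violates the assertion; building the model with -DFIXED wraps the increment in an atomic block, and the same search then reports no errors.

```promela
/* Added example, not from the original article: a lost-update race.
 * Two processes each increment a shared counter with a non-atomic
 * read-modify-write. The expected final value is 2, but one interleaving
 * loses an update. Spin's full state-space search finds it every time,
 * whereas a stress test might run for a long time without hitting it.
 *
 * Racy model (reports "assertion violated"):
 *   spin -a race.pml && gcc -o pan pan.c && ./pan
 * Replay the failing interleaving step by step:
 *   spin -t -p race.pml
 * Corrected model (reports no errors):
 *   spin -DFIXED -a race.pml && gcc -o pan pan.c && ./pan
 */
byte counter = 0;   /* shared variable under test */
byte finished = 0;  /* number of incrementers that have completed */

active [2] proctype Incrementer() {
    byte tmp;
#ifdef FIXED
    /* Corrected version: the read-modify-write is indivisible. */
    atomic {
        tmp = counter;
        tmp = tmp + 1;
        counter = tmp;
    }
#else
    /* Racy version: the other process may run between the read and the
     * write, so both read 0 and both write 1. */
    tmp = counter;
    tmp = tmp + 1;
    counter = tmp;
#endif
    finished++;
}

/* Waits until both incrementers are done, then checks the invariant.
 * In Promela an expression statement blocks until it is true, so this
 * process cannot proceed until finished == 2 holds. */
active proctype Checker() {
    (finished == 2);
    assert(counter == 2);
}
```

Because the search is exhaustive, a clean run of the corrected model is a proof that no interleaving violates the assertion, not merely evidence that none was observed.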
Promela and Spin may be downloaded from
here.
The above site also gives links to Gerard Holzmann's excellent
book on Promela and Spin, as well as online references starting
here.
The remainder of this article describes how to use Promela to debug
parallel algorithms, starting with simple examples and progressing to
more complex uses.
[Editor's note: the remainder of this article is long. Interested
readers are encouraged to read the full article on its own
page.]
Comments (6 posted)
System Applications
Clusters and Grids
Version 2.1.2 of Linux-HA, a cluster control system, is out.
"This release has been extensively tested and is considered stable. At
this time, there are no known regressions from previous stable releases,
or the Novell SLES10 SP1 release. It fixes the annoying installation
problems that were observed in 2.1.1, and also fixes a small number of
other bugs as well."
Full Story (comments: none)
Database Software
The July 29, 2007 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Filesystem Utilities
Stable version 0.6 of Grsync has been announced.
"Grsync is a GUI for rsync, the command line directory synchronization tool. While it can work with remote hosts, its focus is to synchronize local directories."
Comments (none posted)
Libraries
Version 0.0.30 of libnfnetlink is out with new capabilities and bug fixes.
"libnfnetlink is the low-level library for netfilter related
kernel/userspace communication. It provides a generic messaging
infrastructure for in-kernel netfilter subsystems (such as
nfnetlink_log, nfnetlink_queue, nfnetlink_conntrack) and their
respective users and/or management tools in userspace."
Full Story (comments: none)
Networking Tools
Version 0.9.5 of conntrack-tools, a netfilter firewall configuration
utility, is out with new features, some code rework and bug fixes.
Full Story (comments: none)
Version 0.0.81 of libnetfilter_conntrack has been released.
"libnetfilter_conntrack is a userspace library providing a programming
interface (API) to the in-kernel connection tracking state table.
This release includes minor changes and bugfixes."
Full Story (comments: none)
Printing
Version 1.3rc2 of CUPS, the Common Unix Printing System, has been announced.
"This is an updated release candidate that fixes a scheduler crash and two other non-critical bugs."
Comments (none posted)
Web Site Development
The July 30, 2007 edition of the
Django weekly roundup covers the latest developments on the Django web
platform.
Comments (none posted)
Version 1.4.16 of lighttpd, a lightweight web server, is out.
"We all could use some refreshment in this hot summer. So how about a fresh and shiny new lighttpd release? Sadly the main reasons are again a few security fixes. (Bad developers, bad!) But we broke it, we fix it. On the other hand we squeezed in a new cool feature as well. The E-Tag generation is now configurable. So if your files are on a NFS cluster you can now e.g. disable the inode number usage for the E-Tag."
Comments (none posted)
Version 3.3.4 of
mnoGoSearch,
a web site search engine, is out with better support for huge documents
and other new features. See the
change log for more information.
Comments (none posted)
Web Services
Deepak Vohra uses PHP to write web services in an O'Reilly article.
"As Software as a Service becomes more of a trend in the industry, Web
Services are gaining in importance. When most people think of Web Services,
they think of Java or .NET, but as Deepak Vohra shows in this article, it's
simple enough to implement them in PHP."
Comments (none posted)
Miscellaneous
Stable version B.02.11 of Hardware Lister (lshw) has been announced.
"lshw can report exact memory configuration, firmware version, mainboard configuration, CPU version and speed, cache configuration, bus speed, etc. on DMI-capable x86 or EFI (IA-64) systems and on some PowerPC machines (PowerMac G4 is known to work).
Information can be output in plain text, XML or HTML."
Comments (none posted)
Desktop Applications
Accessibility
Stable version 0.8.1 of MouseClick has been announced.
"MouseClick is an ergonomic software intended to help those suffering from some form of RSI (Repetitive Strain Injury) or other computer related illnesses who cannot click the mouse or other pointing devices. Whenever the mouse pauses briefly, MouseClick sends a click; the amount of time it waits before it clicks is adjustable. In drag mode, it clicks down and then pauses before it clicks up; if you move the mouse while it is down, MouseClick will wait until you are done before clicking up."
Comments (none posted)
Audio Applications
Version 2.0.4 of Ardour, a multi-track audio editor, is out.
"Squeaking in just before the end of July, the Ardour project brings you release 2.0.4 (tarball, DMG to follow), another mix of important bug fixes with some great new features." See the
release notes for more information.
Comments (none posted)
Version 1.2.0 of FLAC, the Free Lossless Audio Codec, is out.
"New in this release are small speed improvements, and some new options and bug fixes. Also the decoder has been updated to pave the way for some format improvements, so if your software supports FLAC be sure to check it out."
Comments (none posted)
Desktop Environments
Stable version 0.1.5 of the Frugal Windowing Environment has been announced.
"Frugal Windowing Environment is a user-space client-server windowing environment that uses the framebuffer. It is the next logical development of FBUI."
Comments (none posted)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Comments (none posted)
Desktop Publishing
Version 1.4.5.1 of the LyX typesetter is available.
"This is expected
to be the last release in the 1.4.x stable branch. Besides the
obligatory bug fixes, its main feature is the ability to read files
created by LyX 1.5.0 (this feature requires python 2.3.4 or later).
The only change over release 1.4.5 is the addition to the distribution
of one file necessary to read and write lyx 1.5 files."
Full Story (comments: none)
Version 1.5.0 of the LyX typesetter has been released.
"Since the announcement of release candidate 2, we have fixed bugs and
we have updated the documentation.
Following the ad hoc tradition of 1.5.0 pre-releases, called
respectively Ruby (alpha), Towny (beta) and Quinta ("farm" in
Portuguese for the release candidates) this release starts the Vintage
selection that is (will be) the 1.5 series."
Full Story (comments: none)
Electronics
Version 3.0.4 of GNU Radio, a software-defined radio transmitter system,
has been announced. "This is a bug fix release, back-porting all applicable
bug fixes on the development trunk into the stable release branch."
Full Story (comments: none)
Version 0.9.33 of gSpiceUI, a GUI frontend to the spice electronic simulation
language, is out. See the
change log for a list of new features and bug fixes.
Comments (none posted)
Version 0.8.5 of
Icarus Verilog,
an electronic simulation language compiler, is out. See the
change log document for more information on this release.
Comments (none posted)
Financial Applications
The company once known as OpenMFG, now called xTuple, has
announced the release of PostBooks, a Qt-based accounting package seemingly aimed at winning over QuickBooks users. It is available under the CPAL license, which just got its "open source" seal of approval from the OSI.
Comments (5 posted)
Interoperability
Version 0.9.42 of Wine has been announced. Changes include:
- Support for activation contexts and side-by-side assemblies.
- Many more gdiplus functions.
- More messaging support in crypt32.dll.
- Many HTTP protocol handling fixes.
- Lots of bug fixes.
Comments (none posted)
Mail Clients
MozillaZine reports that management of the Mozilla Thunderbird mail client
will be separated from the Mozilla Firefox browser.
"On her weblog, Mozilla Corporation CEO Mitchell Baker has announced that Mozilla Thunderbird is to move to a "new, separate organizational setting" as the Mozilla Foundation continues to focus ever more closely on Mozilla Firefox.
While the Mozilla Foundation supports a number of projects, its taxable subsidiary the Mozilla Corporation is responsible for only Firefox and Thunderbird. However, it has become increasingly clear that Firefox is the priority."
Comments (21 posted)
Office Applications
Version 4.4.0 of HylaFAX, a FAX modem control program, has been announced.
"The 4.4 branch of HylaFAX has been in development for the past 4 months. This
release includes many improvements over the 4.3 branch of HylaFAX and as such,
is a recommended upgrade."
Comments (none posted)
Office Suites
The July, 2007 edition of the OpenOffice.org Newsletter
is out with the latest OO.o office suite articles and events.
Full Story (comments: none)
Digital Photography
Version 0.12 of UFRaw, a utility that can read and manipulate raw images
from digital cameras, is out.
"UFRaw-0.12 was just released with many new features including full
color management, cropping, rotating, scrolling, noise reduction, two
new interpolations, a cinepaint plug-in, 21 new cameras and more."
Full Story (comments: none)
Web Browsers
Firefox 2.0.0.6 is out - this is yet another security update. The worst
of the fixed vulnerabilities involves passing unescaped URIs to
external programs. "If you are still running Firefox 1.5.0.x, you are highly encouraged
to upgrade to the Firefox 2 series as Mozilla ceased supporting
Firefox 1.5.0.x in May 2007."
Full Story (comments: none)
Languages and Tools
Caml
The July 31, 2007 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Java
Version 1.2 of IcedTea has been announced; testers are needed.
"The IcedTea project provides a harness to build the source code from
OpenJDK using Free Software build tools and provides replacements
libraries for the binary plugs with code from the GNU Classpath
project."
Full Story (comments: none)
Version 1.0.4 of
Restlet, a Lightweight REST framework
for Java, is out with lots of bug fixes and a few new features. See the
changes
document for details.
Comments (none posted)
Python
Guido van Rossum has published the Python 3000 FAQ:
"Some questions that people often ask about Python 3000 (and answers)."
Comments (none posted)
The July 30, 2007 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The August 1, 2007 edition of the Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Ben Martin discusses libferris in an O'Reilly XML.com article.
"By bringing together an XQuery engine and a virtual filesystem you can use a familiar query language to access relational databases, Berkeley db4 databases, kernel filesystems, and network files as well as XML. libferris, at its core, is a virtual filesystem allowing many different data sources to be exposed through a filesystem interface. These include the expected things like file://, http://, ftp:// as well as not so expected things like databases, XML files, and even applications like emacs, Evolution, XWindow, and Firefox."
Comments (none posted)
Miscellaneous
Version 5.9.2 of AutoGen, a tool designed to simplify the creation and maintenance of programs that contain large amounts of repetitious text,
has been
announced.
It adds several new capabilities and some bug fixes.
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Here's an Ars Technica article about a complaint filed by the Computer & Communications Industry Association - a group which includes Google, Microsoft, and Red Hat, among others. "The CCIA's complaint fingers the NFL, Major League Baseball, NBC Universal, Morgan Creek, DreamWorks, Harcourt Inc., and Penguin Group (USA) for deceptive trade practices, accusing them of systematically misrepresenting the rights of consumers to use copyrighted material. 'These warnings that we have been seeing for decades are false,' CCIA spokesperson Jake Ward told Ars Technica in a Monday interview. 'They are a misrepresentation of the law and a violation of consumers' rights.'"
Comments (none posted)
Joe 'Zonker' Brockmeier wonders if we need an open hardware license.
"Nokia researcher Jamey Hicks recently proposed an
Open Source Hardware License (OSHL) for approval by the Open Source
Initiative (OSI). Is there a need for a hardware-specific license? If so,
what makes hardware different from software?"
Comments (16 posted)
Linux-Watch looks at five Linux companies that aren't around anymore.
"A recent story
entitled, "Dearly Departed: Companies and Products That Didn't Deserve to
Die" didn't cover Linux or open-source companies. That got me to
thinking. So here, without further adieu, is my list of five Linux
companies that died before their time."
Comments (14 posted)
Trade Shows and Conferences
Wired covers the O'Reilly Open Source Convention.
"After years of being relegated to server racks and the desktops of ultrageeks, Linux is finally making some headway as a viable alternative to Windows on the consumer desktop.
That's the optimistic message delivered by a newly energized contingent of Linux proponents. By employing the same consumer-friendly marketing techniques practiced by Microsoft, and by taking advantage of the rising popularity of web-based applications, Linux vendors are getting ready for what they say will be a wave of consumer interest in the free operating system.
"This is the next great battle, and this is where Linux has never really been before -- Linux as a consumer product," says Gerry Carr, marketing manager of Canonical, one of many Linux distribution makers attending the ninth annual O'Reilly Open Source Convention taking place here this week."
Comments (8 posted)
LinuxWorld covers an announcement by Microsoft at OSCON regarding their
shared source license being submitted to the OSI for approval.
"'I welcome this move by Microsoft,' Asay wrote. 'It continues to impress me as being one of the few big companies that truly understands open source, even if I don't always like how it works with the open-source community.'"
Comments (14 posted)
Companies
TechRepublic has declared Microsoft the victor over Linux in China and looks at how that came to be.
"However, Red Flag Linux has turned out to be little more than a key bargaining chip in a high stakes game of commerce between the Chinese government and the world's largest software maker. Thanks to some major concessions on source code and a precipitous price drop, the Chinese government has now thoroughly embraced Windows and Office. And thanks to a major about-face in the way that it deals with piracy, Microsoft has also won over the Chinese people."
Comments (44 posted)
Linux Adoption
ITBusiness.ca profiles a law office in Vancouver which switched to Linux.
"Whitelaw's
rollout took one weekend and users were able to adapt to Linux using only a
one-page instructional handout, says [IT manager Richard] Giroux. He adds that the change to
Linux has reduced desktop maintenance by 20 per cent, 'and that's a
conservative number.'"
Comments (2 posted)
Legal
Groklaw looks into the creation of the Common Public Attribution License.
"Ross Mayfield of SocialText submitted a license, the Common Public
Attribution License (CPAL), which was just approved by
OSI as an Open Source license. It is being spun
by some as a "victory" for the logo-on-every-page crowd, but it's not that
simple. I'd describe it as a compromise in that the license is a very limited
arrangement to make sure authors do get some acknowledgement if others do,
and the language comes from an OSI-approved attribution license already in
existence."
Comments (none posted)
Interviews
Joe 'Zonker' Brockmeier talks with Fedora's Max Spevack about some recently
released statistics. "The Fedora Project offered a peek under its kimono recently with
details about Fedora 7 adoption and other statistics. Fedora 7 has snagged
more than 300,000 users since its release at the end of May. While that
sounds pretty good, Fedora Core 6 managed to attract more than 400,000 in
roughly the same amount of time after its release. We asked Max Spevack,
the Fedora project leader, whether the numbers are telling the full
story."
Comments (none posted)
Resources
HowtoForge describes how to make Linux and an iPod play nicely together.
"It covers how you can
upload MP3 files from your desktop to your iPod, download MP3 files from
your iPod to your desktop, and how you can delete files on the
iPod. Normally, Apple's iTunes software is needed to manage an iPod, but
iTunes is not available for Linux. Fortunately, there are Linux
alternatives such as Amarok that can handle the task." HowtoForge
also covers doing this using Rhythmbox.
Comments (none posted)
Here is part 2 of Dave Phillips' Linux Journal series on troubleshooting Linux audio.
"In my last installment of this series I introduced a variety of GUI-based
tools that can help you discover more about your system to help identify
potentially troublesome components. This week we'll look at some of the
command-line utilities that do similar work. In fact, some of these utilities
are the engines underneath the more attractive GUI tools, and there may be
good reasons to employ the engines directly instead of relying upon their
graphic incarnations."
Comments (none posted)
Reviews
Dark Reading takes a peek at a la Mobile, a Linux startup with a
locked-down version of the OS for mobile phones. "Among the security
features in the Linux mobile phone OS are a secure boot loader, which uses
a digital signature to verify the kernel at startup; data encryption on all
data on the device; application sandboxing, which puts unsigned apps in a
separate sandbox; and a secure firmware update, which digitally signs and
verifies the 'bootloader' before firmware gets updated."
Comments (27 posted)
Bruce Byfield takes a look at ingimp. "Since May, ingimp, a modified version of the
GIMP, has collected daily logs on what users do with the program in the
hope of improving its usability. The richness of this data is
unprecedented, yet improving the GIMP is only a sideshow for the
project. What ingimp is really designed to do, according to the project's
leader, is develop the software and practices to put free and open source
software (FOSS) usability testing on a professional footing "without
placing an undue burden on either the developers or users.""
Comments (none posted)
LinuxWorld's Don Marti takes
a look at powertop. "In other words, some of the software on a Linux system is like the person who turns the lights on when he comes in the room, then leaves them on when leaving a minute later. PowerTOP points the finger at programs that wake up the system."
Comments (none posted)
LinuxDevices looks at a Debian Linux-based, in-vehicle computer intended
for emergency first responders. "The device's embedded operating system is based on a
customized Debian ARM version 2.6 Linux kernel, according to
Thorcom. Production units run with a minimal set of OS packages, as
required for system operation. "Special versions of the VR2000 are
available with integral hard disk drives and full Debian Linux installation
for software developers.""
Comments (none posted)
Groklaw has a review of a reader's experience getting a Dell with Ubuntu installed.
"First, sound. The sound card was automatically found by the operating system, and ready to go for basic things, like mpegs and pre-recorded CD's. I know it can do CD audio, because I put on 'The Sorcerer's Apprentice' on Monday night, and it rained in the Valley of the Sun on Tuesday Night (for reference, see Walt Disney's 'Fantasia', the Mickey Mouse sequence). Midi (which is electronically produced sound, with no actual basis in reality) was a different story. There are a number of ways to get Midi to work, and some of them require a great deal of effort and knowledge. I cheated. I downloaded a program called Automatix which, in turn, downloaded the programs and codecs that I would need for a great deal of multi-media experience."
Comments (19 posted)
Joe Barr looks at zzuf in a Linux.com article. "Fuzz testing, which uses random input to test software for bugs, has been the biggest thing to happen in IT security in quite a while. Now you can quickly and easily direct your own fuzz testing ops, thanks to a cool little program called zzuf.
We can thank stupid users for the fuzz testing craze -- users who enter dates where dollar amounts are supposed to go, or digits where their names belong, or a ZIP code where a Social Security number is expected"
Comments (none posted)
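What zzuf does is simple to state: take the program's normal input, flip a fraction of its bits chosen by a seeded random generator, and watch for a crash; because the seed selects the flips, any crash can be replayed. The Go program below is an added example, not zzuf's own code, showing that loop end to end. The length-prefixed record format, the deliberately trusting parser, the hardened parser beside it, and the bit-flip ratio are all constructed here. It goes a little beyond the article by running the same seeds against the hardened parser, which is how a fix is confirmed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
)

// The input format is constructed for this example: a sequence of
// [2-byte big-endian length][length bytes of payload] records.
func buildCorpus() []byte {
	var buf []byte
	for _, p := range []string{"hello", "fuz", "records"} {
		buf = append(buf, byte(len(p)>>8), byte(len(p)))
		buf = append(buf, p...)
	}
	return buf
}

// parseNaive trusts the length field the way many real parsers do. A
// mutated length that points past the end of the input makes the slice
// expression panic here; the equivalent C code would read out of bounds.
func parseNaive(data []byte) [][]byte {
	var out [][]byte
	off := 0
	for off < len(data) {
		n := int(binary.BigEndian.Uint16(data[off:])) // panics with <2 bytes left
		off += 2
		out = append(out, data[off:off+n]) // panics when n overruns the input
		off += n
	}
	return out
}

// parseChecked is the hardened version: every length is validated
// against the bytes actually present and the parser fails closed.
func parseChecked(data []byte) ([][]byte, error) {
	var out [][]byte
	off := 0
	for off < len(data) {
		if len(data)-off < 2 {
			return nil, errors.New("truncated length field")
		}
		n := int(binary.BigEndian.Uint16(data[off:]))
		off += 2
		if n > len(data)-off {
			return nil, errors.New("record length exceeds input")
		}
		out = append(out, data[off:off+n])
		off += n
	}
	return out, nil
}

// mutate flips each bit of the input independently with probability ratio,
// driven by a PRNG seeded with seed. As with zzuf's seed and ratio options,
// (seed, ratio) is all that is needed to regenerate a crashing input.
func mutate(input []byte, seed int64, ratio float64) []byte {
	rng := rand.New(rand.NewSource(seed))
	out := append([]byte(nil), input...)
	for i := range out {
		for b := 0; b < 8; b++ {
			if rng.Float64() < ratio {
				out[i] ^= 1 << b
			}
		}
	}
	return out
}

// runCatching executes target on input and turns a panic (the Go analogue
// of the crash signal zzuf watches for) into a non-nil value.
func runCatching(target func([]byte), input []byte) (crash interface{}) {
	defer func() { crash = recover() }()
	target(input)
	return nil
}

// Crash records the seed that reproduces one crashing input.
type Crash struct {
	Seed int64
	Err  interface{}
}

// fuzz feeds rounds mutated variants of corpus to target and returns the
// seeds that crashed it. A clean parse error is not a crash: a parser that
// rejects bad input and says so is doing its job.
func fuzz(target func([]byte), corpus []byte, rounds int, ratio float64) []Crash {
	var crashes []Crash
	for seed := int64(1); seed <= int64(rounds); seed++ {
		if err := runCatching(target, mutate(corpus, seed, ratio)); err != nil {
			crashes = append(crashes, Crash{Seed: seed, Err: err})
		}
	}
	return crashes
}

func main() {
	corpus := buildCorpus()
	targets := map[string]func([]byte){
		"naive":   func(b []byte) { parseNaive(b) },
		"checked": func(b []byte) { parseChecked(b) },
	}
	for name, target := range targets {
		crashes := fuzz(target, corpus, 200, 0.01)
		fmt.Printf("%-8s %d crashes in 200 rounds\n", name, len(crashes))
		if len(crashes) > 0 {
			fmt.Printf("  reproduce with seed %d: %v\n", crashes[0].Seed, crashes[0].Err)
		}
	}
}
```

Only the six length bytes of the 21-byte corpus are ever interpreted by the parser, so the naive version crashes in roughly a third of the rounds at a 1% flip ratio, while the checked version turns every one of those same inputs into an error return. That asymmetry is the whole value of a zzuf-style run: it separates "rejects garbage" from "falls over on garbage" without anyone having to hand-craft the garbage.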
Miscellaneous
Linux.com reports on the Software in the Public Interest elections. "Bdale Garbee was re-elected as president of the board, while Joerg Jaspert was elected vice president and Luk Claes secretary. These positions will be officially voted on by the board on August 1. However, since only one board member has stood for the offices of president and vice president, the only actual vote should be for secretary, with a runoff between Claes and Neil McGovern, the current secretary (who did not have to stand for re-election this year)."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Software Freedom Law Center has announced that it has investigated the
provenance of the OpenHAL code - part of the ongoing project to create a
free Linux driver for Atheros-based wireless adapters - and pronounced it
clean. "After performing the audit, SFLC concluded that OpenHAL does not
infringe copyrights held by Atheros. As a result, OpenHAL development can
now continue safely, unencumbered by legal uncertainty so long as the
OpenHAL developers continue their work in isolation from Atheros'
proprietary code." This is the second time the SFLC has looked into this
code; last November they gave a clean bill of health to the OpenBSD ar5k
driver upon which OpenHAL is based.
Comments (5 posted)
The Free Software Foundation Europe is offering its help to companies who
wish to adhere to free software licenses. "The terms of the GNU GPL
licence have been confirmed as binding once again, with a German court
ruling that Skype was failing to uphold its obligations as a
distributor. FSFE wants to help other vendors understand their GNU GPL
obligations.
Harald Welte of gpl-violations.org took Skype to court in Munich,
Germany, regarding misuse of GNU GPL code he wrote for the Netfilter
component of the Linux kernel. This is the first time a non-German
company has been convicted for GNU GPL licence violations, though the
gpl-violations.org project has reached numerous out of court
settlements with various vendors in the past."
Full Story (comments: none)
The Liberty Alliance has announced some new IGF milestones. "Liberty
Alliance, the global identity consortium working to build a more trusted
Internet for consumers, governments and businesses worldwide, today
announced two key milestones for the Identity Governance Framework
(IGF). Today, industry leaders submitted IGF to openLiberty.org for open
source development of IGF implementations. Liberty Alliance also announced
the ratification of market requirements documentation (MRD) for IGF and
the commencement of technical specification work."
Comments (none posted)
The OpenBSD Foundation has announced its existence. "The OpenBSD
Foundation has been formed for the purpose of supporting the OpenBSD
project, and related projects such as OpenSSH, OpenBGPD, OpenNTPD, and
OpenCVS. In particular it will act as a single point of contact for
persons and organizations requiring a legal entity to deal with when they
wish to support OpenBSD in any way." More information can be found on the
foundation's web site.
Full Story (comments: none)
Commercial announcements
Alfresco Software, Inc. has announced that it has become an Open Invention
Network licensee. "Alfresco is one of the first Open Invention Network
startup licensees, joining a growing number of leading information
technology firms that are dedicated to maintaining the health, vitality
and collaborative power of Linux.
Open Invention Network (OIN) is an intellectual property company that
was formed in 2005 to promote Linux by using patents to create a
collaborative environment. Open Invention Network promotes a positive,
fertile ecosystem for Linux, which in turn drives innovation and choice in
the global marketplace."
Comments (none posted)
Concurrent has announced version 4.1 of its commercial NightStar LX
debugging and analysis tools for Linux. "NightStar is a powerful,
integrated tool set for developing and tuning
time-critical 32-bit and 64-bit applications. The tools reduce test
time, increase productivity and lower development costs. New features
introduced in version 4.1 include the Qt graphical user interface (GUI)
for improved use on multi-core environments and an application
illumination feature allowing programmers to automatically trace
application function calls along with programmer customization and
examine the values of parameters passed and returned."
Full Story (comments: none)
Enea has announced the release of its LINX for Linux product as open
source. "LINX(TM) for Linux delivers transparent, reliable,
high-performance interprocess communication services for complex
distributed systems that employ multiple operating systems.
LINX for Linux provides a system-wide, high-performance IPC solution
that eliminates the need to use multiple IPC services in the same system."
Comments (none posted)
ITema, Inc. has announced the GPL release of the KiweeCommerce e-commerce
module for the MODx content management system. "KiweeCommerce includes
extensive product configuration and options
management tools, tax and discount rate tables, and support for PayPal,
Google Checkout, and Authorize.Net payment gateways. The module is tightly
integrated into MODx, and allows business owners to easily maintain their
own product catalogs. Administrators may configure and manage KiweeCommerce
through intuitive menus in the MODx CMS Manager."
Comments (none posted)
Keithley Instruments, Inc. has announced its third quarter 2007 fiscal
results. Buried within the report we find: "In July, we announced a
migration to the Linux Operating System for our S600 Series Parametric
Test Systems. This new capability provides a more stable operating system
and provides for a longer service life which ultimately reduces our
customers' overall cost of test."
Comments (none posted)
Linspire, Inc. has announced its joining of the Interop Vendor
Alliance. "Linspire, Inc., developer of the
Linspire commercial and Freespire community desktop Linux operating
systems, today announced its membership in the Interop Vendor Alliance with
Microsoft, Novell, Red Hat and other industry leaders. The Interop Vendor
Alliance community of software and hardware vendors was established to
connect people, data and diverse systems through better interoperability."
Comments (none posted)
rPath has announced its one millionth software appliance download. Sources
of the one million downloads of rPath-based appliances include rBuilder
Online, as well as partner sites such as VMware's Virtual Appliance
Marketplace (VAM). Reflecting the explosive growth in virtualization use,
over 50% of the downloads were in virtual appliance format.
Full Story (comments: none)
Contests and Awards
LinuxMedNews has announced the nomination phase of the Linux Medical News
Freedom Award. "Nominations are officially open for the 6th annual Linux
Medical News Freedom Award to be presented at the November 10th-14th AMIA
Fall conference at the Sheraton Chicago Hotel and Towers, Chicago,
Illinois, USA. Deadline for entries is August 24th, 2007. This is NOT an
officially sponsored award or event of AMIA. This award is co-sponsored by
the IMIA Open Source Working Group. Free and open source software isn't
'magic pixie dust'. There are people making significant personal
sacrifices as well as doing difficult work to make medicine's free
software future a reality. This award is intended to honor the individual
or project who has accomplished the most towards the goal of improving
medical education and practice through free/open source medical
software."
Comments (none posted)
The fifth PyWeek Python Game Challenge has been announced. The online
event starts on August 3, 2007.
Comments (none posted)
SourceForge has announced the winners of its second annual SourceForge.net
Community Choice Awards. "Among the many winners, two projects won twice;
7-Zip for Best Project and Best Technical Design; Firebird for Best
Project for the Enterprise and Best User Support. Instead of a standard
awards ceremony, the party celebrated each winning project in a distinct
and unique way. For three projects, a donation was made in the name of the
winning project to a charity of their choice. For another project, the
crowd was supplied with a special drink entitled "The Bar Coder" to toast
the winner in style."
Full Story (comments: none)
According to this press release from Splunk Inc., the last Friday in July
is System Administrator Appreciation Day. So thanks to all you SysAdmins
out there. Splunk and others have launched the "Is Your SysAdmin A Rock
Star?" contest. The deadline for nominations is October 12, 2007.
Comments (none posted)
Surveys
Pieter Palmers is running a survey on Linux firewire audio usage.
"
With this I'm hoping to gather some data that can help us in convincing
the firewire device manufacturers that we are of some significance to
their sales (I'm actually wondering if we are...). So I would like to
ask everyone on these lists that has/considers/considered purchasing a
firewire audio device if they would be so kind as to answer the
following questionnaire."
Full Story (comments: none)
Event Reports
The proceedings from the 2007 GCC Summit (PDF) are now available. It's
interesting reading for anybody who is curious about where the GCC and GDB
developers are going.
Comments (10 posted)
Upcoming Events
Michael Sheetz will speak at AIU in Weston, Florida on August 7. "Computer
hacking is a major concern for businesses and
individuals alike, resulting in millions of dollars in annual revenue
and personal losses. "How to Protect Yourself from Cybercrime" is the
topic of Michael Sheetz, author and assistant professor of criminal
justice at American InterContinental University (AIU), who will speak on
Tuesday, August 7, at 6 p.m. at the AIU campus, 2250 N. Commerce
Parkway, Weston. The event is free and open to the public."
Full Story (comments: none)
LinuxMedNews has announced the 2007 business meeting of the IMIA Open
Source Working Group. "The 2007 business meeting of the IMIA Open Source
Working Group will take place as follows:
Sunday, 19 August 2007, from 5:30 - 7:30pm
Venue: Room P3, Brisbane Convention Centre, Australia (in conjunction with medinfo2007)".
Comments (none posted)
RailsConf Europe will take place on September 17-19, 2007 in Berlin,
Germany. Several new speakers have recently been added.
Full Story (comments: none)
The Sun Grid Engine Workshop 2007 will be held in Regensburg, Germany on
September 10-12, 2007. "The Grid Engine technology from Sun Microsystems is a well established policy-based workload management software which is designed to run compute resource intensive applications and services for financial, business, engineering and research organizations in even the largest grids. The Sun Grid Engine software is the commercial version of the open source Grid Engine project.
The workshop offers a venue for exchanging experiences among users, discussing needs with their peers and getting in direct touch with the developers to give feedback and to receive an update on the most recent and coming enhancements."
Comments (none posted)
Events: August 9, 2007 to October 8, 2007
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
| August 6 - August 10 | 16th USENIX Security Symposium | Boston, MA, USA |
| August 6 - August 9 | LinuxWorld Conference and Expo | San Francisco, CA, USA |
| August 7 - August 9 | Flash Memory Summit 2007 | Santa Clara, CA, USA |
| August 7 - August 11 | 7as Jornadas Regionales de Software Libre | Córdoba, Argentina |
| August 8 - August 12 | Chaos Communication Camp | Finow airport, Germany |
| August 10 | August Penguin 2007 | Tel Aviv, Israel |
| August 11 | Picn*x XVI - The Linux 16th Anniversary Picnic | Sunnyvale, CA, USA |
| August 11 - August 15 | Virtual FudCon8 | Online, IRC |
| August 14 - August 18 | Scientific Tools for Python | Pasadena, CA, USA |
| August 19 | Open Source Health Informatics Working Group | Brisbane, Australia |
| August 20 - August 24 | PHP Training at the Big Nerd Ranch | Atlanta, USA |
| August 20 - August 25 | DallasCon 2007-cancelled | Dallas, Texas, USA |
| August 22 - August 25 | Python 3000 Sprint | Mountain View and Chicago, USA |
| August 24 - August 26 | Summercon 2007 | Atlanta, GA, USA |
| August 25 - August 26 | FrOSCon 2007 | Sankt Augustin (near Bonn), Germany |
| August 27 - September 1 | International Computer Music Conference 2007 | Copenhagen, Denmark |
| August 28 - August 29 | XCon2007 | Beijing, China |
| August 29 - August 31 | KVM Forum 2007 | Tucson, AZ, United States |
| September 1 | ENOS 2007 | Caldas da Rainha, Leiria, Portugal |
| September 2 - September 4 | LinuxConf Europe 2007 | Cambridge, England |
| September 3 - September 6 | HITBSecConf2007 | Kuala Lumpur, Malaysia |
| September 5 - September 7 | RAID 2007 | Gold Coast, QL, Australia |
| September 5 - September 6 | 2007 Linux Kernel Developers Summit | Cambridge, UK |
| September 5 - September 7 | Office 2.0 Conference | San Francisco, CA, USA |
| September 6 - September 8 | Intelligent Data Acquisition and Advanced Computing Systems | Dortmund, Germany |
| September 7 - September 8 | LinuxWorld China 2007 | Beijing, China |
| September 7 - September 8 | LinuxChix Brasil | Asa Sul, Brazil |
| September 8 - September 12 | GITEX Technology Week | Dubai, United Arab Emirates |
| September 8 - September 9 | PyCon UK 2007 | Birmingham, UK |
| September 10 - September 14 | Django Bootcamp with Juan Pablo Claude | Atlanta, GA, USA |
| September 10 - September 12 | X Developers' Summit | Cambridge, UK |
| September 10 - September 12 | Sun Grid Engine Workshop 2007 | Regensburg, Germany |
| September 11 - September 12 | 3rd International Conference on IT-Incident Management and IT-Forensics | Stuttgart, Germany |
| September 11 - September 14 | 5th Netfilter Workshop | Karlsruhe, Germany |
| September 11 - September 13 | VMworld 2007 | San Francisco, CA, USA |
| September 14 - September 15 | EuroBSDCon 2007 | Copenhagen, Denmark |
| September 14 | Django Sprint | online |
| September 15 - September 16 | Texas Python Unconference | Houston, TX, USA |
| September 15 | Software Freedom Day | The Internet, Worldwide |
| September 17 - September 19 | RailsConf Europe 2007 | Berlin, Germany |
| September 17 | Bruce Perens to speak in Berkeley, September 17 | Berkeley, CA, USA |
| September 18 - September 21 | Embedded Systems Conference | Boston, MA, USA |
| September 18 - September 20 | High Performance Embedded Computing Workshop | Lexington, MA, USA |
| September 19 - September 21 | OpenOffice.org Conference 2007 | Barcelona, Spain |
| September 19 - September 21 | Gartner Open Source Summit | Las Vegas, NV, USA |
| September 22 - September 25 | Cell Hack-a-thon II | Austin, TX, USA |
| September 24 - September 27 | 14th Annual Tcl/Tk Conference | New Orleans, USA |
| September 24 - September 25 | Power Architecture Developer Conference | Austin, TX, USA |
| September 24 - September 27 | Free and Open Source Software for Geospatial 2007 | Victoria, BC, Canada |
| September 27 - September 28 | Audio Mostly 2007 | Ilmenau, Germany |
| September 28 - September 30 | Ohio LinuxFest 2007 | Columbus, USA |
| September 28 - September 29 | Freed.in | Delhi, India |
| September 28 | IRC discussion on AGPLv3 and GPLv3 | online, world |
| September 30 - October 3 | Gelato ICE: Itanium® Conference & Expo | Biopolis, Singapore, Singapore |
| October 2 - October 3 | Openmind 2007 | Tampere, Finland |
| October 3 - October 5 | Apache Cocoon Get Together | Rome, Italy |
| October 6 - October 7 | Wineconf 2007 | Zurich, Switzerland |
| October 6 - October 8 | GNOME Boston Summit | Boston, MA, USA |
| October 7 - October 9 | Graphing Social Patterns | San Jose, CA, USA |
If your event does not appear here, please tell us about it.
Audio and Video programs
KDE.News has announced a new Novell audio program. "The current edition
of Novell Open Audio podcast features an interview with
KDE core developer Will Stephenson. He discusses what is coming in KDE 4,
Novell's commitment to KDE and the changes he has been working on recently."
Comments (none posted)
Page editor: Forrest Cook