LWN.net Weekly Edition for June 20, 2002

Disney goes for Linux

HP issued, on June 18, a press release proclaiming that Disney had chosen HP's Linux-based systems "as components in its next-generation digital animation production pipeline." It looks like another big win for Linux, and the press has generally portrayed it that way. And it is true: Linux continues to grow in popularity as people and companies come to understand its advantages.

LWN has generally applauded Linux's commercial successes - more users will, in the end, mean more developers and more and better free software. And that could prove to be true in this case as well. But we should not lose track of another, important point: Disney is one of the prime movers behind the CBDTPA - a law which would make Linux illegal.

Disney thinks that free operating systems (or free computers in general) are a threat to its business, and thus something to be outlawed. Free DVD players are not to be allowed. Oppressive digital rights management systems will put an end to any sort of fair use of copyrighted materials. The people can not be trusted with control over their own systems. Meanwhile, back at Disney: "Walt Disney Feature Animation will employ HP's Linux infrastructure to give artists more powerful tools to translate their artistry into animation while achieving significant cost reductions".

Supplying Linux to Disney thus looks like aiding the enemy - how much of those "significant cost reductions" will be applied to maintaining the company's private Senators in Washington? But consider this scenario: by the time a new, son-of-CBDTPA starts to look like it might pass, much of Disney's operation could be based on, and dependent on, free software. What fun it would be to attend the meeting where CEO Michael Eisner is made aware of what capabilities would be lost - and how much it would cost - if the company's free software had to be replaced with proprietary code carrying the Big Brother Stamp of Approval.

So Linux's infiltration into Disney could well be something to be encouraged. With luck, freedom slipping in from below could end up subverting the repressive plans of the leadership. One can always hope...

Comments (7 posted)

The Apache vulnerability, full disclosure, and monocultures

The advisory from Internet Security Systems (ISS) came out on June 17: the Apache server has a remotely-exploitable vulnerability in its "chunk handling" code, which is used for handling uploads of unknown size. The alert describes the problem, notes that the Apache project has been alerted, and includes a patch.

It all looks like a fairly normal response to security problems in the free software community, until you look a little more closely. It turns out that the Apache group was already aware of the problem and was working on a fix. The Computer Emergency Response Team (CERT) also was already involved. It also turns out that the ISS patch does not completely fix the problem. ISS, in its hurry to publicise the vulnerability, had not checked with either CERT or the Apache Software Foundation.

Full disclosure of security vulnerabilities is (usually) seen as a good thing in the free software community. Freedom, with regard to software, includes the freedom to know about (and fix) problems. And, of course, full disclosure is a powerful tool for forcing a software maintainer to release a fix - most of the time. As a general rule, nobody is more secure when the crackers are the only ones to know about security problems.

The other side of full disclosure, however, is that, when done too soon, it can leave millions of users open to a vulnerability while no fix is available. Such is the case this time around. Sites running Apache on Windows are most vulnerable to the chunk handling vulnerability; such sites are probably running a binary distribution of Apache, many do not even have a compiler available, and thus they will be poorly served by a source patch.

Full disclosure is a powerful tool which should be used with care. The disclosure of a security vulnerability should never be a surprise to those who must clean up the mess. Those who find security problems should always work with the package maintainer and give that maintainer time to make a fix available. Only in cases of serious stalling or neglect should a disclosure go out before the maintainer is ready.

This is a lesson that the free software community will probably have to relearn every so often. Free software has the potential to be far more secure; its open nature lets any interested party inspect the code for problems. But much of that advantage is lost when vulnerabilities are handled in an immature manner. If you or your company find a security vulnerability, surely you can wait a few days to claim your credit.

This vulnerability raises another concern as well. Much has been said about the dominance of Windows systems on the net; the resulting "monoculture" is highly vulnerable to security problems. Apache's share of the total web server population is such that it could be considered a monoculture as well. Apache has obtained that share through consistent high quality and a strong security record. No package is completely invulnerable, however, and Apache problems, when they do turn up, place much of the net at risk. For the security of the net as a whole, it would be nice if there were another free web server with something resembling Apache's stature and market share.

For details on the chunk handling vulnerability, see the LWN vulnerability entry, the advisory from the Apache Software Foundation or the CERT advisory. Initial indications were that this problem was not remotely exploitable on Linux systems, but that claim is now known to be false. If you are running an Apache server, you want to upgrade as soon as possible.

Comments (6 posted)

MobiliX wins its trademark dispute

Back in January we covered the trials and tribulations of MobiliX, a site dedicated to Linux and BSD on mobile systems. Lawyers representing Les Editions Albert René challenged the MobiliX name, saying that it could be confused with the cartoon character Obélix, who is more concerned with mobile menhirs. Not everybody agreed with this claim, of course; despite the obvious resemblance between Tux the penguin and Obélix, they still are difficult to confuse.

It turns out the German court disagreed with that claim as well, and has turned down the claims by Les Editions Albert René. MobiliX is thus free to use the name without fear of further trademark trouble. Congratulations are due to MobiliX leader Werner Heuser, who decided to stand up to the lawyers and defend his name. See the MobiliX trademark page for the full history of this dispute.

Comments (none posted)

European Digital Rights launches

European Digital Rights is a new, international civil rights organization formed by ten European organizations. "European Digital Rights (EDRi) is an association in which existing European privacy and freedoms organisations work together in raising awareness of policy makers and the public about the upcoming threats to our privacy and freedoms". See the announcement for details.

Comments (none posted)

The Ottawa Linux Symposium

Next week is the Ottawa Linux Symposium, happening June 26 to 29. The schedule is full of seriously technical talks from many prominent Linux developers; it looks to be an interesting event. For those who are unable to attend this (sold out) conference, the full proceedings have been placed online as a single, huge, 630-page PDF file; it has been mirrored by LWN and on William Stearns's site.

Immediately preceeding OLS is the second Kernel Summit. Topics to be discussed there include the Linux Security Module patch, virtual memory, asynchronous I/O, cleaning up the module mechanism, "carrier grade Linux," 2.6 goals, the block I/O subsystem, cleaning up the SCSI layer, and more. It looks to be an interesting event, to say the least.

LWN editor Jonathan Corbet will be taking a break from the smell of wood smoke and the drone of slurry bombers (which are regular Colorado features, these days) to attend both events; he will report back when time and connectivity allow.

Comments (none posted)