HP issued, on June 18, a press release
proclaiming that Disney had chosen HP's Linux-based
systems "as components in its next-generation digital animation production
pipeline." It looks like another big win for Linux, and the press has
generally portrayed it that way. And it is true: Linux continues to grow
in popularity as people and companies come to understand its advantages.
LWN has generally applauded Linux's commercial successes - more users will,
in the end, mean more developers and more and better free software. And that
could prove to be true in this case as well. But we should not lose track
of another, important point: Disney is one of the prime movers behind the
CBDTPA - a law which would make Linux illegal.
Disney thinks that free operating systems (or free computers in general)
are a threat to its business, and thus something to be outlawed. Free DVD
players are not to be allowed. Oppressive digital rights management
systems will put an end to any sort of fair use of copyrighted materials.
The people cannot be trusted with control over their own systems.
Meanwhile, back at Disney: "Walt Disney Feature Animation will employ HP's Linux
infrastructure to give artists more powerful tools to translate their
artistry into animation while achieving significant cost reductions."
Supplying Linux to Disney thus looks like aiding the enemy - how much of
those "significant cost reductions" will be applied to maintaining the
company's private Senators in Washington? But consider this scenario: by
the time a new, son-of-CBDTPA starts to look like it might pass, much of
Disney's operation could be based on, and dependent on, free software.
What fun it would be to attend the meeting where CEO Michael Eisner is made
aware of what capabilities would be lost - and how much it would cost - if
the company's free software had to be replaced with proprietary code
carrying the Big Brother Stamp of Approval.
So Linux's infiltration into Disney could well be something to be encouraged.
With luck, freedom slipping in from below could end up subverting the
repressive plans of the leadership. One can always hope...
Comments (7 posted)
The advisory from Internet Security Systems
(ISS) came out on June 17: the Apache server has a remotely-exploitable
vulnerability in its "chunk handling" code, which is used for handling
uploads of unknown size. The alert describes the problem, notes that the
Apache project has been alerted, and includes a patch.
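The "chunk handling" the advisory refers to is HTTP/1.1 chunked transfer encoding: a body sent as a series of hex-length-prefixed pieces, ending with a zero-length chunk. Below is an added example, not code from Apache, ISS or the advisory, of a decoder written the defensive way: the chunk size stays unsigned, is refused if it would wrap, and is checked against both the input actually present and the room left in the caller's buffer before any copy happens. The sample bodies are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Decode an HTTP/1.1 chunked body from in[0..in_len) into out (capacity
 * out_cap). Returns the decoded length, or -1 if the input is malformed,
 * a chunk claims more data than is present, or the output would overflow. */
long decode_chunked(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t chunk = 0; int digits = 0;
        /* chunk-size is hex; keep it unsigned and refuse values that would
         * wrap, so a hostile size can never become "negative" or small */
        while (pos < in_len && isxdigit(in[pos])) {
            int v = isdigit(in[pos]) ? in[pos] - '0'
                                     : tolower(in[pos]) - 'a' + 10;
            if (chunk > (SIZE_MAX >> 4)) return -1;
            chunk = chunk * 16 + v;
            pos++; digits++;
        }
        if (digits == 0) return -1;
        while (pos < in_len && in[pos] != '\r') pos++;   /* skip extension */
        if (pos + 2 > in_len || in[pos + 1] != '\n') return -1;
        pos += 2;
        if (chunk == 0) return (long)written;  /* last-chunk; trailers ignored */
        /* the two bounds checks that matter: input actually present, and
         * room left in the caller's buffer */
        if (chunk > in_len - pos || chunk > out_cap - written) return -1;
        memcpy(out + written, in + pos, chunk);
        written += chunk; pos += chunk;
        if (pos + 2 > in_len || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}
/* Constructed samples (not from the advisory): a valid body, and one whose
 * chunk-size claims far more data than the request contains. */
static const char SAMPLE[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
static const char OVERSIZED[] = "ffffffff\r\nabc\r\n0\r\n\r\n";
static unsigned char OUT[32];
long run_sample(const char *body, size_t cap)
{
    return decode_chunked((const unsigned char *)body, strlen(body), OUT, cap);
}
int sample_decodes_to_wikipedia(void)
{
    return run_sample(SAMPLE, sizeof OUT) == 9 && memcmp(OUT, "Wikipedia", 9) == 0;
}
```

A decoder that trusts the declared chunk size, or that converts it to a signed integer before comparing, loses exactly the checks shown here; an over-large or wrapped size then drives the copy past the buffer.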
It all looks like a fairly normal response to security problems in the free
software community, until you look a little more closely. It turns out
that the Apache group was already aware of the problem and was working on a
fix. The Computer Emergency Response Team (CERT) also was already
involved. It also turns out that the ISS patch does not completely fix the
problem. ISS, in its hurry to publicise the vulnerability, had not checked
with either CERT or the Apache Software Foundation.
Full disclosure of security vulnerabilities is (usually) seen as a good
thing in the free software community. Freedom, with regard to software,
includes the freedom to know about (and fix) problems. And, of course, full
disclosure is a powerful tool for forcing a software maintainer to release
a fix - most of the time. As a general rule, nobody is more secure when
the crackers are the only ones to know about security problems.
The other side of full disclosure, however, is that, when done too soon,
it can leave millions
of users open to a vulnerability while no fix is available. Such is the
case this time around. Sites running Apache on Windows are most vulnerable
to the chunk handling vulnerability; such sites are probably running a
binary distribution of Apache, many do not even have a compiler available,
and thus they will be poorly served by a source patch.
Full disclosure is a powerful tool which should be used with care. The
disclosure of a security vulnerability should never be a surprise to those
who must clean up the mess. Those who find security problems should
always work with the package maintainer and give that maintainer
time to make a fix available. Only in cases of serious stalling or neglect
should a disclosure go out before the maintainer is ready.
This is a lesson that the free software community will probably have to
relearn every so often. Free software has the potential to be far more
secure; its open nature lets any interested party inspect the code for
problems. But much of that advantage is lost when vulnerabilities are
handled in an immature manner. If you or your company find a security
vulnerability, surely you can wait a few days to claim your credit.
This vulnerability raises another concern as well. Much has been said
about the dominance of Windows systems on the net; the resulting
"monoculture" is highly vulnerable to security problems. Apache's
share of the total web server population is such that it could be
considered a monoculture as well. Apache has obtained that share through
consistent high quality and a strong security record. No package is
completely invulnerable, however, and Apache problems, when they do turn
up, place much of the net at risk. For the security of the net as a whole,
it would be nice if there were another free web server with something
resembling Apache's stature and market share.
For details on the chunk handling vulnerability, see the LWN vulnerability entry, the advisory from the Apache Software
Foundation or the CERT advisory. Initial
indications were that this problem was not remotely exploitable on Linux
systems, but that claim is now known to be false. If you are running an
Apache server, you want to upgrade as soon as possible.
Comments (6 posted)
Back in January
we covered the
trials and tribulations of MobiliX, a
site dedicated to Linux and BSD on mobile systems. Lawyers representing
Les Editions Albert René challenged the MobiliX name, saying that it could
be confused with the cartoon character Obélix, who is more concerned with
mobile menhirs. Not everybody agreed with this claim, of course; despite
the obvious resemblance between Tux the penguin and Obélix, they still are
difficult to confuse.
It turns out the German court disagreed with that claim as well, and has
turned down the claims by Les Editions Albert René. MobiliX is thus free
to use the name without fear of further trademark trouble. Congratulations
are due to MobiliX leader Werner Heuser, who decided to stand up to the
lawyers and defend his name. See the MobiliX trademark
page for the full history of this dispute.
Comments (none posted)
European Digital Rights is a new, international civil rights organization
formed by ten European organizations. "European Digital Rights
(EDRi) is an association in which existing European privacy and freedoms
organisations work together in raising awareness of policy makers and the
public about the upcoming threats to our privacy and freedoms."
Comments (none posted)
Next week is the Ottawa Linux
Symposium, happening June 26 to 29. The schedule is full
of seriously technical talks from many prominent Linux developers; it looks
to be an interesting event. For those who are unable to attend this (sold
out) conference, the full proceedings have been placed online as a single,
huge, 630-page PDF file
; it has been mirrored by
and on William
Immediately preceding OLS is the second Kernel Summit. Topics to be
discussed there include the Linux Security Module patch, virtual memory,
asynchronous I/O, cleaning up the module mechanism, "carrier grade Linux,"
2.6 goals, the block I/O subsystem, cleaning up the SCSI layer, and more.
It looks to be an interesting event, to say the least.
LWN editor Jonathan Corbet will be taking a break from the smell of wood
smoke and the drone of slurry bombers (which are regular Colorado features,
these days) to attend both events; he will report back when time and
Comments (none posted)
Page editor: Jonathan Corbet
Inside this week's LWN.net Weekly Edition
- Security: IBM's 802.11 security tool; Mozilla 1.0 DoS vulnerability; Apache vulnerability
- Kernel: Asynchronous I/O; symlinks, select, and the kernel stack; rmap for 2.5
- Distributions: Slackware 8.1, the new Debian security mechanism.
- Development: SCE 1.5, Koha 1.2.0, Sentinel 1.2.4b, Midgard 1.4.3,
SashXB 1.0, Twisted 0.18.0, WaveSurfer 1.4.1, GNOME 2.0 Desktop rc1,
Boson 0.6, distcc 0.4, Sun JDK 1.4.0_01, OpenMCL 0.12.
- Commerce: Wal-Mart sells Lindows PCs, Red Hat 1Q results,
Fujitsu NetCOBOL for Linux, Companies debut at LinuxWorld
- Press: Linux in Government, The Open Studios Initiative, US Patents,
Red Hat and HP, Sun's Linux server, Linux in animation.
- Announcements: KDE report from LinuxTag, YAPC lightning talks schedule,
SciPy 2002, PHP 2002 conference.
- Letters: PostgreSQL; Lindows and the GPL