Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for December 20, 2007Insufficiently free? Watching an extended flame war between Richard Stallman and Theo de Raadt is an interesting experience. The realization that one can sit back and watch without having to really care about the result brings a sense of profound tranquility and relief. Along the way, one gets to learn things like how mean Theo can be, or that Richard does not use a web browser. It all seems like good fun. Even so, when the discussion reaches levels like this:
Richard, your pants are full of hypocritical poo.
it becomes impossible not to wonder if one hasn't wandered into an elementary school yard by mistake. Most observers would probably conclude that Mr. Stallman has chosen to express himself with less childish terms than Mr. de Raadt. Still, this conversation came about as a result of a statement made by Mr. Stallman, one which upset the OpenBSD community greatly. It is worthwhile to look at where the disagreement was. In particular, Richard Stallman started the discussion by saying that he cannot "recommend" OpenBSD because the "ports" system they use facilitates the installation of certain non-free packages. His reasoning comes down to this:
Since I consider non-free software to be unethical and antisocial,
I think it would be wrong for me to recommend it to others.
Therefore, if a collection of software contains (or suggests
installation of) some non-free program, I do not recommend it. The
systems I recommend are therefore those that do not contain (or
suggest installation of) non-free software.
There are all kinds of things which can be said about the OpenBSD community, but statements that they lack a proper appreciation for freedom are not among them. This community's view of what makes a system truly free differs from that of the Free Software Foundation, but what they produce is undeniably free software. It is, arguably, one of the most free systems available, with careful attention paid to the licensing of even things like firmware blobs which are not part of the system itself. So folks in the OpenBSD community resent this sort of claim, even if they profess to care little about the opinions of the person making it. Of course, it's not only OpenBSD which fails to pass Mr. Stallman's test. The list of recommended distributions from the GNU web site has grown recently; it now contains gNewSense, Ututo, Dynebolic, Musix, BLAG, and GNUstep. True statistics are hard to come by, of course, but your editor would be most surprised if the combined installed base of these distributions added up to a full 1% of the Linux systems in use. Most of us, in other words, are using systems which Mr. Stallman is unable to recommend. Many of us will be using distributions like Fedora or Debian which are strongly committed to the creation of free systems. The developers behind these distributions have gone to considerable trouble to be sure that everything which is part of their system is truly free software, even when, as has happened at times, the result has been trouble for users. These distributors have clearly advanced the cause of free software greatly through their efforts over many years. One might well wonder just why Mr. Stallman cannot bring himself to recommend the result of this work. The OpenBSD developers, though, have been asking a different question: why is the GNU project happy to enable its software to be installed on non-free systems? That is where the charges of hypocrisy come from. Mr. Stallman answered both questions together. It seems that, in his view, there is little risk of leading users astray by letting them install programs like Emacs on proprietary systems:
People already know about non-free systems such as Windows, so it
is unlikely that the mention of them in a free package will tell
them about a system and they will then switch to it. Also,
switching operating systems is a big deal. People are unlikely to
switch to a non-free operating system merely because a free program
runs on it.
Thus, the risk of leading people to use a non-free system by making a free program run on it is small. It would appear, however, that proprietary applications carry a much higher degree of risk:
By contrast, many non-free applications are not well known, and
installing one is much easier--it does not require changing
everything else you do. Thus, even telling people about a non-free
application could very well lead them to install it.
It is not all that hard to see, embodied within a statement like this, a somewhat condescending view of computer users, who have to be "led" to install the right software. It is a position which disallows the recommendation of completely-free operating systems which most of us use. It places a sort of ideological purity above the vast amounts of work which have gone into the creation of a variety of free systems available for all to run. It is, in other words, an unreasonable position - as can be seen by the fact that almost no free software users actually follow Mr. Stallman's advice when they choose their systems. Before condemning this unreasonable position, though, it's worth a quick review of the famous George Bernard Shaw quote:
The reasonable man adapts himself to the world; the unreasonable
man persists in trying to adapt the world to himself. Therefore,
all progress depends on the unreasonable man.
There is no doubt that we have benefited from Mr. Stallman's lengthy, sometimes unreasonable campaign. Certainly he has no doubt on that score, saying "Free operating systems exist today because of the campaign which I started in 1983." But it's worthwhile to remember that free operating systems also exist because thousands of others have put in hard work for many years. It seems appropriate to wonder whether telling those people that their work still is not free enough really helps the cause of free software. On the other hand, one need not wonder about the value of responding to a "refusal to recommend" with an extensive attack which ventures into pure character assassination. Vitriolic flaming helps nobody's cause. One may not agree with Mr. Stallman's position in this discussion, but one thing should be said: he kept his cool, remained respectful and stayed on-topic when others lost it completely. That is the way to promote free software.
Ruby on Rails releases 2.0 
Rails (aka Ruby on Rails or RoR) is a framework for building web applications. It has gotten a lot of attention – some would say hype – over the past few years as easy to use and learn, while allowing the creation of complex database-backed web services. In the year since Rails 1.2, the team has not been idle, with their work culminating in the release of Rails 2.0 this month. RoR is based around the idea of using the model-view-controller (MVC) pattern to cleanly separate the user interface from the application logic and data storage. All of the Ruby code written or generated for a Rails application is organized into a directory hierarchy based on what part of the MVC they implement. All of the parts of the application know how to find the others because of this convention, which is in keeping with the two principles that guided the development of RoR. Fundamentally, RoR is built around two principles. The first is "convention over configuration", which is the idea that only things that deviate from standard practices need to be specified via configuration. One can get surprisingly far by sticking with these standard practices. The other principle is "don't repeat yourself", which means that there is a single place to go to specify something about the application; other places that need it or things derived from it, retrieve it from the canonical place. This is most evident in the specification of database table and column names; they are described in the model and other parts of the application retrieve them as required. The principles are interrelated, of course, and are two of the innovations that RoR has popularized for web application frameworks. Many previous attempts required a huge amount of configuration information to be specified, often nearly identically in multiple places. Simplifying this configuration headache was explicitly a goal for Rails. It can take a bit of time to come to grips with the conventions used, but once that is done it is straightforward to use the framework. Generating code to handle simple modifications to the database data, known as scaffolding, is another technique popularized by RoR. From the specification of the data model, Rails will generate an interface to create, read, update, and delete data in that model. It can also generate "migrations" which contain the SQL necessary to create or modify the database tables to reflect changes in the model. Migrations can be used in both a forward and backward direction to keep the database in sync with the state of the application as changes are made. Rails itself is broken up into multiple components implementing each piece of the MVC architecture: ActiveRecord for the model, ActionPack for the view and controller, along with a number of lesser players. It provides extensive test harness facilities that allow testing of the web application without using a browser or network at all. RoR is a comprehensive solution, with a large number of very vocal supporters. The new release provides a number of new features, some performance enhancements, as well as the requisite bug fixes. The bulk of the changes in 2.0 are in the controllers. The first is better support for "representational state transfer" (REST) style web application APIs, which were introduced in Rails 1.2. Better support for multiple different views based on application criteria were also added, allowing the interface to change based on the device accessing it, for example. Security enhancements were made as well, with code being added to help protect against cross-site scripting and cross-site request forgery attacks. These two web application flaws are becoming rather popular to exploit, so any assistance a web framework can give is welcome. The default session objects have changed to be cookie-based, rather than stored in a file or the database. This allows snooping of the session data, but the data is hashed to prevent forgery. Performance and scalability have been the traditional knocks against Rails, and though there were some enhancements, especially to ActiveRecord, that should provide some boost, it is not clear how well Rails handles huge sites. It is something the Rails team is aware of, so, over time, those kinds of problems should be solved. RoR is a very capable framework and the 2.0 release looks very good. The Rails community should find much of use.
Looking back at 2007 Consistent with our usual practice, LWN will not be publishing a Weekly Edition during the last full week of the year. This is thus the last such for 2007; the next weekly will be published on January 3, 2008. Also consistent with usual practice, you editor will look back on the year which is about to end, with an emphasis on evaluating how his predictions made at the beginning of the year came out. There is amusement to be had in exposing the flaws in one's crystal ball, but there is also value in seeing how one's view of the world has changed over the course of the year.Your editor bravely predicted that GPLv3 would be finalized and adopted by the FSF; sure enough, that happened right on schedule. Your editor also admitted to having "no clue" of how the FSF would respond to the criticism of the anti-DRM provisions of GPLv3. Certainly it would have been hard to predict the addition of the "user product" language and associated exemptions. So far, the impact of GPLv3 has been relatively small, but use of this license will surely grow over time. Another prediction said that somebody would be sued for the distribution of proprietary kernel modules. That did not happen - at least, not in a way that the public (or your editor) heard about it. What your editor did not foresee was the burst of energy coming from the Software Freedom Law Center on behalf of the BusyBox developers. Thus far, GPL enforcement activities continue to focus on the relatively clear-cut cases. They also continue to have a very high success rate. Still, going after a company like Verizon is an ambitious move; it will be interesting to see how that one settles out. The end of SCO was predicted. Your editor thought it might happen in March, when new dispositive motions would once again be entertained by Judge Kimball. Instead, the clear end of SCO happened in August when the court ruled that Novell still owned the Unix source and that SCO owed Novell a chunk of money. Like a fish thrown on the shore, SCO will continue to flop around for a while, but there can be little doubt about its ultimate fate. The prediction that there would be serious talk of patent reform did not really come through. There were a couple of U.S. court decisions in 2007 which, arguably, raised the bar slightly for patent trolls. In general, though, the software patent situation remains unchanged - and as dangerous as ever. There were a couple of predictions about closed hardware, together saying, essentially, that the situation would get better but that the problem would not go away. Things clearly got better when AMD decided to open up information about ATI's video hardware and assist with the creation of free drivers for that hardware. The progress toward a viable Atheros wireless chipset driver for Linux is also a happy development. The situation has improved, and will continue to do so. [PULL QUOTE: Your editor predicted a serious war on bloat as people got tired of running out of memory. Wishful thinking, it seems, is alive and well. END QUOTE] Your editor predicted a serious war on bloat as people got tired of running out of memory. Wishful thinking, it seems, is alive and well. In practice, people just bought more memory; even the OLPC project decided it had to increase the amount of memory in its XO system. Your editor will not be repeating this prediction for 2008. "Fedora will come into its own as a free, community-oriented distribution" has, beyond any doubt, come true. The Fedora 7 release brought community developers in from the margins, and Fedora 8 solidified the new process. The bulk of the packages in Fedora are now maintained by community developers. Red Hat's controlling hand, while still clearly present, is weaker than before. Fedora leader Max Spevack has presided over a crucial transformation of this important project; he will be moving on to other challenges early in 2008, but will be leaving behind a distribution in far better shape than the one he inherited a few years ago. Predicting Debian releases is a dangerous business, but, in this case, Debian Etch was close enough to make it a relatively safe proposition. Your editor had also suggested (facetiously) that the Debian developers would subsequently go back to arguing about firmware in the kernel; that quite clearly did not happen. The prediction that free software would play a larger role in online gaming was, for the most part, wishful thinking again. The release of the Second Life client code was a step in the right direction, but not much happened after that. Your editor still hopes that free software will be at the core of the games of the future, or he may never see his children again. The Microsoft/Novell deal, predicted your editor, would blow over with relatively few consequences. In many ways that was true. One could argue that the whole "235 patents" routine would have come out anyway - we heard similar claims before Novell signed this deal. Your editor failed to guess that a whole stream of companies (Samsung, Xandros, LG Electronics, Linspire, Turbolinux) would follow Novell into similar agreements, though. Your editor suggested that the "open source" term would suffer as a result of companies trying to retain higher levels of control over "open source" code. Certainly the OSI's approval of the CPAL "badgeware" license will not have helped in this regard. On the other hand, SugarCRM decided to just go with the GPLv3 in favor of its attribution-required license. As a whole, "open source" means almost what it meant one year ago. Contrary to prediction, there have not been OLPC systems distributed to millions of children - though thousands should start getting them soon. We are still waiting to see what impact the OLPC project will really have - on free software, and on the world as a whole. Stay tuned. Finally, the growth of desktop Linux was predicted, though your editor refrained from saying that 2007 would be the year of the Linux desktop. Clearly, progress has been made in that direction - we now have major vendors like Dell selling desktop systems, Wal-Mart's desktop offering sold out in days, and the number of pocket-sized "desktops" running Linux continues to grow. Perhaps the biggest thing which your editor missed entirely was the fight over Microsoft's proposed OOXML standard. This issue came to light in January of this year, though it had been simmering for a little while before - the ECMA TC45 committee was already considering this proposal in the middle of 2006. The fight over the fast-tracking of OOXML and the ensuing questions on just how the community should work with the standards practice will continue to echo into 2008. Overall, your editor feels like the predictions went reasonably well. Too well, perhaps; next year's predictions may need to be a little more adventurous. Those predictions will be posted in the January 3 edition. In the mean time, your editor wishes for a great holiday season and new year for everybody in the community; we have accomplished much over the last year and have many things to celebrate.
Page editor: Jonathan Corbet Security The backdooring of SquirrelMail SquirrelMail advertises itself as "webmail for nuts." It is a PHP-based package which is in wide use; most distributions include a SquirrelMail package. Security problems in SquirrelMail are certainly not unheard-of; even so, the announcement that the source distribution for version 1.4.12 had been compromised raised some eyebrows. Initially the project downplayed the problem:
Further investigations show that the modifications to the code
should have little to no impact at this time. Modifications seemed
to be based around a PHP global variable which we cannot track
down. The changes made will most likely generate an error, rather
than a compromise of a system in the event the code does get
executed.
It only took one day, though, before Uwe Schindler pointed out that, in fact, the changes made to the source opened a remote-execution back door into deployed SquirrelMail systems. Somewhere along the way, the project discovered that the 1.4.11 release had also been tampered with. The SquirrelMail developers released version 1.4.13 to close the vulnerabilities. There have not been any public reports of systems being compromised by way of this vulnerability. Additionally, it would appear that all of the distributors which shipped the affected versions got their version of the code prior to the attack. So the episode would appear to have ended reasonably well - as far as we know. There are some lessons that one can take from this attack, though. The downplaying of the problem initially was a potentially fatal mistake. If somebody has been tampering with the sources, there is no excuse not to go into red-alert mode immediately, even if the developers involved do not understand the attack. When a project has been compromised at such a fundamental level, one must assume the worst. The compromise was discovered after a user noticed that the tarballs on the download site did not match the posted MD5 checksums. Your editor suspects that very few of us actually verify checksums in the packages they take from the net. Doing so more often would be a good exercise in software hygiene for all of us. That said, the project got lucky this time around. A smarter attacker would have replaced the checksums after adding the back door, making the changes harder to detect. Longer-term, the increasing doubts about the security of MD5 suggest that relying on it to detect changes to tarballs might not be entirely safe. Far better to use public-key signatures; they should have a longer shelf life, and, if the keys are managed properly, they are impossible to replace. It seems that the project has posted GPG signatures for 1.4.13, though the Wayback Machine suggests that this is a recent practice. Your editor was unable to find the public key needed to verify the signatures. The modifications to the tarballs were done using a compromised developer's account. The specific changes made were not put into the SquirrelMail source repository. The project has said nothing, though, about what has been done to ensure that no other changes were made there. Some sort of statement from the project along these lines would be most reassuring to SquirrelMail's users. Perhaps the most encouraging conclusion, though, is this: there have been several attempts to compromise source distributions over the years. Many of them have succeeded in getting bad code into high-profile packages. But none of these attacks - so far as we know - have escaped detection for any significant period of time, and none of them have led to any sort of wide-scale exploit. As a whole, we would appear to be reasonably resistant to this kind of attack, even when the front-line defenses fail. With luck, and continued vigilance, that trend will continue. Both will be required, though: there is no doubt that the attackers will keep trying.
Security news 'You've Got Cross-Site Scripting' (Dark Reading) Dark Reading reports on a new email alert service for cross-site scripting bugs. "So XSSed.com, a site dedicated to archiving publicly disclosed XSS bugs, is now offering a free email alert service that notifies you as soon as an XSS vulnerability affecting your Website gets indexed to its archive. XSSed claims to have the industry's largest XSS archive, with over 17,000 disclosed vulnerabilities as of this posting."
New vulnerabilities clamav: integer overflow and off-by-one
cups: multiple vulnerabilities
flash-plugin: lots of problems
IRC Services: denial of service
kdebase: denial of service
kernel: denial of service
libexif: integer overflow
libexif: denial of service
libgd2: buffer overflow
mysql: privilege escalation
portage: information disclosure
squid: denial of service
wpa_supplicant: stack-based buffer overflow
Xfce: buffer overflows
Updated vulnerabilities apache2: information disclosure
apache: multiple vulnerabilities
apache: cross-site scripting
apache2: denial of service
httpd: denial of service, cross-site scripting
asterisk: possible SQL injection
autofs: insecure default configuration
cacti: SQL injection vulnerability
cacti: denial of service
cairo: integer overflow
centericq: buffer overflows
clamav: denial of service
clamav: multiple vulnerabilities
cups: denial of service
debian-goodies: privilege escalation
Django: denial of service
dovecot: privilege escalation
dovecot: directory traversal
e2fsprogs: integer overflows
eggdrop: stack-based buffer overflow
emacs: buffer overflow
emacs: command execution via local variables
emul-linux-x86-qtlibs: arbitrary code execution
evolution: format string error
firebird: arbitrary code execution
firebird: buffer overflow
firefox: multiple vulnerabilities
firefox: multiple vulnerabilities
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||