LWN.net Weekly Edition for April 10, 2003
Linux best practices for suits
Pronouncements from the Gartner Group have long been a good source of amusement (and anger) in the free software community. Gartner has often looked down on free software, claiming that it is not suitable for business use. Over the years, however, Gartner's position has softened. Their latest proclamation takes a different tack altogether. Now, rather than avoiding Linux, companies are advised to set up proper policies and "best practices." Some of their suggestions actually make some sense.
So what approach does Gartner suggest for the suits in the corner office? The highlights are:
- Create formal guidelines describing the company's policy toward
free software. The sort of company that Gartner presumes to advise
will have such policies for every other aspect of its information
technology operation. The creation of more rules with regard to free
software is just the way these companies can be expected to operate.
- Rather than applying blanket policies to free software in general,
companies should look at individual applications to see whether they
make sense or not. Such advice may seem obvious, but some people need
to be told these things.
- If the company is going to depend on a free application (and
especially if the application needs an enhancement or two), somebody
should be given the role of working with that application's
development community. The company also needs to keep in mind that it
does not control the project or its release schedules.
- Gartner advises against making modifications to free software in
general. The expectation, of course, is that the company has a
support contract with somebody, and tweaking the software can render
it unsupportable. Gartner makes an exception, however, for cases when
the company has the requisite expertise and is willing to feed its
changes back to the development community.
- Care should be taken with regard to licensing, and especially in
mixing GPL-licensed code with the company's own proprietary code. As
Gartner notes, the resulting combination can only be distributed if
the proprietary code, too, is made available under the GPL. Since
this advice is aimed at big companies, Gartner recommends the
formation of the inevitable "code licensing and definition committee"
to oversee licensing policy and compliance. Some may see Gartner's
caution as more "GPL FUD," but the SCO lawsuit shows how careful
companies really have to be in this area.
- Pay attention to standards and certification. Distributions should
be certified by the Free Standards Group, and applications should be
certified by the distribution vendor.
- Make sure your staff is properly trained in corporate policy and working with the free software community. Gartner recommends having employees get LPI or SAIR certification (interestingly, they do not mention Red Hat's RHCE).
Perhaps the most significant point in all the above is that Gartner is advising companies to learn how to work with the free software development community. Free software is not just another shrink-wrapped product you buy from a store shelf or cologne-soaked salesman. It is the product of an active community which must be dealt with in its own way. Companies that work well with the development community will have a far better experience with that community's software. That is good advice.
The RIAA strikes back
The next stage of the copyright wars has begun: the RIAA has filed suit against four university students alleging massive copyright infringement and asking for tens of millions of dollars in damages. That's the sort of action that can make a serious dent in an undergraduate student's beer budget. But these cases have a wider significance which merits a look.
The four complaints (which can be found over here) share the same basic form and, indeed, much of the same language. The first claim is that the defendants are directly making copyrighted materials available on the net for copying. This act looks like a fairly straightforward copyright violation, so the RIAA - if it can prove its case - probably has a legitimate complaint there. Copyright is the law of the land, and it's important (the GPL relies on copyright law). If you directly violate copyrights, you should not be too surprised if the owners of those copyrights decide they want to have a talk with you.
But the RIAA does not (yet) go after every student who makes a few MP3 files available. These defendants were chosen because, in each case, they published an index of files available on a campus network. Through this act, according to the RIAA:
In all four cases, the actual distribution of files in this "emporium of music piracy" was performed by others. The defendants just created an index to enable others to find those files. In at least one case, the index included all publicly-available files, not just music files. The defendants, in other words, are being sued for creating a search engine.
This is the point where the RIAA has crossed the line. Rather than go after people who are actually violating copyrights, they are launching million-dollar lawsuits to shut down indexing services. Once again, linking becomes a crime. This is a direct attack on basic freedoms: it is no longer possible to make an index of files available on a network, since some of them might just be copyrighted. No cost is too high, it seems, to save the recording industry from the modern world.
The cost is too high, however. The free software community (and much of the rest of the world) depends on freedom of information flow to function. Every time we are told that we cannot make links, or create an index, or release a bit of scary code our freedoms are reduced and our community functions a little less well. You don't have to be a music trader to feel threatened by that.
(See also: Joseph Barillari's analysis of the complaint against Dan Peng).
Five years of Mozilla
[This article was contributed by Joe 'Zonker' Brockmeier]
It's hard to believe that it's been five years since Netscape released the source code for what was supposed to be Netscape Communicator 5.0 under the Netscape Public License (NPL), and less than a year since Mozilla 1.0 went "gold." In that time, Microsoft has managed to dominate the browser market, Netscape got swallowed up by AOL and the Mozilla project has tackled milestone after milestone to deliver an Open Source browser, though perhaps not as quickly as many would have liked.
More than 200,000 bug reports later, the Mozilla project has put out an excellent browser and a codebase that's being used in a wide array of Open Source and commercial applications. Perhaps even more important than the code itself, Netscape's decision to plunge into Open Source helped to bring the Open Source debate further out into the, well, open. The decision to pursue Open Source was made when relatively few people had heard about this thing called Linux.
You could say that Mozilla is more than the sum of its parts, especially when you consider all that's been done with those parts. Mozilla's Gecko, which replaced the original Netscape layout engine, is being used in the proprietary Netscape offering, AOL's Mac OS X client, a native Mac OS X browser called Camino, the popular Galeon browser and several other projects. It's also being used in products like ActiveState's Komodo, an IDE for Perl, PHP, Python and other popular Open Source languages.
The project has also designed a cross-platform installer (XPInstall), a Document Object Model (DOM) Inspector, and several development tools that are now being used on projects wholly unrelated to Web browsers. The Bugzilla bug tracking system is used by quite a few Open Source projects (and possibly by a few commercial companies behind closed doors). Bonsai and Tinderbox are also by-products of the Mozilla effort that are being widely used elsewhere.
Mozilla's wealth of features has also attracted some criticism. Some feel that Mozilla, with its huge array of options, is too slow and bloated. Apple's decision to use KHTML rather than Gecko in the Safari browser didn't go unnoticed, either. In the article "Browser Innovation, Gecko and the Mozilla Project," Mozilla's Chief Lizard Wrangler, Mitchell Baker, writes:
Judging by the project's recently-updated development roadmap, the Mozilla folks have taken the criticism seriously. The new mission for Mozilla might be summed up as "do less, but better" and a move away from the "swiss army knife" approach. The new development roadmap calls for a switch from the current browser component to the standalone (soon to be renamed) Phoenix browser and an increased focus on the Minotaur mail component. It also calls for a move away from the 1.0 branch to the 1.4 branch when 1.4 becomes stable.
More importantly, though less visible to the majority of Mozilla's users, is the change in the development model. The current model is being replaced by a meritocracy where a few project "drivers" will be responsible for particular components of the project. From the roadmap:
The end goal, according to the new roadmap, is to produce a simpler browser with the potential to have advanced functionality through optional toolkit applications. Kind of an a la carte browser, if you will, where additional components can be added easily but are not required. This should be a big win for proponents of a scaled-down browser.
Mozilla 1.4 alpha was released on April 1st (no, really), and the final 1.4 release is likely around the end of May or beginning of June. The ideal release date for 1.4 is given as May 21, but we all know about ideal release dates. The alpha for 1.4 actually seems very stable, and faster than previous versions of Mozilla, at least based on my experience over the past week or so.
If the project sticks to the proposed roadmap, the next five years look very good for Mozilla.
Security
Brief items
Samba gets hit again
Samba is, by the standards of the field, an old free software project with a good security record. So a number of observers were surprised when the second remotely exploitable hole turned up within a single month. The problem is, of course, yet another buffer overrun; see the vulnerability entry below for the details and update information.
It looks like we're dealing with yet another in a long series of mundane security holes. There are a couple of aspects to this one that make it interesting, however:
- The bug has apparently been there for some eight years. Despite
numerous security audits and constant maintenance, this vulnerability
managed to lurk undetected for a long time. The code looked
(to a casual inspection) like it should be correct - it used a bounded
string copy function. A deeper look was necessary to determine that
the bound was wrong. The relatively subtle nature of the bug, along
with the fact that the relevant code "just works" and hadn't needed
much attention for some time, helped this bug to escape detection.
It is also true, however, that finding these vulnerabilities is just hard. Even after a serious audit, you can never be sure that no problems remain.
- This bug was apparently being actively exploited before its discovery by the "white hats." Free software tends to generate a lot of security updates, but relatively little damage results from all those vulnerabilities. The reason for that, of course, is that problems tend to be found by people who will fix them, rather than those who will exploit them. There will always be exceptions, though, and this bug is one of them. It also didn't help, of course, that Digital Defense posted its advisory - and working exploit code - before the Samba team was able to react to the problem.
In the end, the conclusions are the same: apply updates quickly, and do not expose network services to the Internet if you can avoid it.
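The first point above, a bounded copy whose bound does not match the destination, shown as an added C example; it is not Samba's code, and the record layout, sizes and function names are constructed for illustration. The name field and its neighbouring data share one array so that the overwrite is well-defined C and can be counted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: a 16-byte name field inside a 64-byte record. */
enum { FIELD_SIZE = 16, RECORD_SIZE = 64, GUARD = 0x5A };

/* Bytes [0,16) are the name field; bytes [16,64) stand in for whatever
 * the program keeps next to it. */
struct record {
    char bytes[RECORD_SIZE];
};

/* Constructed sample input: 40 characters, longer than the field. */
static const char LONG_INPUT[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

static void record_init(struct record *r)
{
    memset(r->bytes, 0, FIELD_SIZE);
    memset(r->bytes + FIELD_SIZE, GUARD, RECORD_SIZE - FIELD_SIZE);
}

/* How many bytes beyond the name field no longer hold the guard value. */
static size_t record_damage(const struct record *r)
{
    size_t i, damaged = 0;

    for (i = FIELD_SIZE; i < RECORD_SIZE; i++)
        if ((unsigned char)r->bytes[i] != GUARD)
            damaged++;
    return damaged;
}

/* strlcpy-style copy: writes at most `bound` bytes, always NUL-terminates,
 * and returns strlen(src) so the caller can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t bound)
{
    size_t len = strlen(src);

    if (bound > 0) {
        size_t n = len < bound - 1 ? len : bound - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Reads as safe in review: the copy is bounded. But the bound is the size
 * of the whole record (the largest input), not of the 16-byte field. */
static void set_name_wrong_bound(struct record *r, const char *input)
{
    bounded_copy(r->bytes, input, RECORD_SIZE);
}

/* Corrected: the bound is the destination's capacity, and input that does
 * not fit is rejected instead of being silently truncated. */
static int set_name_checked(struct record *r, const char *input)
{
    if (strlen(input) >= FIELD_SIZE)
        return -1;
    bounded_copy(r->bytes, input, FIELD_SIZE);
    return 0;
}

/* Apply one setter to a fresh record and report the damage it caused. */
static size_t damage_after(int use_checked, const char *input)
{
    struct record r;

    record_init(&r);
    if (use_checked)
        (void)set_name_checked(&r, input);
    else
        set_name_wrong_bound(&r, input);
    return record_damage(&r);
}

int main(void)
{
    /* Ordinary input fits, so the wrong bound "just works" for years. */
    printf("wrong bound, short input: %zu bytes damaged\n",
           damage_after(0, "fileserver"));
    printf("wrong bound, long input:  %zu bytes damaged\n",
           damage_after(0, LONG_INPUT));
    printf("checked,     long input:  %zu bytes damaged\n",
           damage_after(1, LONG_INPUT));
    return 0;
}
```

The audit question is the one the article describes: for every bounded copy, compare the bound with the size of the destination rather than accepting that a bound is present.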
New vulnerabilities
apache 2.x: denial of service
Package(s): apache
CVE #(s): CAN-2003-0132
Created: April 9, 2003
Updated: May 1, 2003
Description: Apache 2.0.x versions up to and including 2.0.44 have a denial of service vulnerability; Apache 2.0.45 fixes the problem.
EOG: vulnerability in Eye of GNOME
Package(s): EOG
CVE #(s): CAN-2003-0165
Created: April 3, 2003
Updated: April 16, 2003
Description: A vulnerability was found in EOG version 2.2.0 and earlier. A carefully crafted filename passed to the program could lead to the execution of arbitrary code. An attacker could exploit this because various packages (Mutt, for example) make use of EOG for image viewing.
metrics: insecure temporary file creation
Package(s): metrics
CVE #(s): CAN-2003-0202
Created: April 7, 2003
Updated: April 8, 2003
Description: Paul Szabo and Matt Zimmerman discovered two similar problems in metrics, a tool for software metrics. Two scripts in this package, "halstead" and "gather_stats", open temporary files without taking appropriate security precautions. "halstead" is installed as a user program, while "gather_stats" is only used in an auxiliary script included in the source code. These vulnerabilities could allow a local attacker to overwrite files owned by the user running the scripts, including root.
mgetty spool permission
Package(s): mgetty
CVE #(s): CAN-2002-1391 CAN-2002-1392
Created: April 8, 2003
Updated: May 13, 2003
Description: mgetty is a getty replacement for use with data and fax modems.
mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Unpatched versions of mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long. Additionally, the faxspool script supplied with versions of mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable.
moxftp: buffer overflow
Package(s): xftp moxftp
CVE #(s): CAN-2003-0203
Created: April 8, 2003
Updated: April 8, 2003
Description: Knud Erik Højgaard discovered a vulnerability in moxftp (and xftp respectively), an Athena X interface to FTP. Insufficient bounds checking could lead to execution of arbitrary code, provided by a malicious FTP server. Erik Tews fixed this vulnerability.
samba: remotely-exploitable buffer overrun
Package(s): samba
CVE #(s): CAN-2003-0201 CAN-2003-0196
Created: April 7, 2003
Updated: May 2, 2003
Description: Digital Defense Inc. has sent out an advisory describing another remotely-exploitable buffer overrun in the Samba server; all versions through 2.2.8 or 2.0.10 (or Samba-TNG 0.3.2) are vulnerable. The Samba team has released Samba 2.2.8a with a fix for the problem; there is also a patch available for the 2.0 series. An exploit is said to be circulating already, so applying patches quickly would be a good idea.
Resources
Linux Advisory Watch
The April 4 Linux Advisory Watch newsletter from LinuxSecurity.com is available.
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current development kernel is 2.5.67, which was released by Linus on April 7. This big patch includes more IDE work, a big x86-64 merge, more preparation for an enlarged dev_t type, a bunch of PCMCIA work, a new SCSI debug module, some IPSec patches, some driver model work, and many other fixes and updates. See the long-format changelog for the details.
Linus's BitKeeper repository contains the first steps in a process of marking user-space pointers with a new __user attribute. This attribute is meant to be used by static code checkers to find places where these pointers are being dereferenced directly. There is also a small change to the semantics of msync(MS_ASYNC) (it no longer actually starts any I/O), some reverse-mapping VM speedups, a new requirement that gcc version 2.95 (or later) be used to compile the kernel, a big pile of small fixes from Alan Cox, an NFSv4 update, a big IA-64 update, and a number of other fixes.
The current prepatch from Alan Cox is 2.5.67-ac1; the most significant change here is the inclusion of Bartlomiej Zolnierkiewicz's new taskfile IDE I/O implementation (covered briefly here last week). "Handle with care, no naked flames, do not inhale...."
The current stable kernel is 2.4.20. Marcelo released the seventh 2.4.21 prepatch on April 4; it is, he says, hopefully the last prepatch in the 2.4.21 series (before the release candidates start). This prepatch includes e1000 and e100 updates, another large set of fixes from the -ac tree, a bluetooth update, some ext3 fixes, and a number of other tweaks.
Kernel development news
The ongoing device number debate
There have been no new patches toward an expanded dev_t type for a week or two. The discussion goes on, however. Things do seem to be heading toward a conclusion as it becomes clear that the real issue is the scope of the changes to be made for 2.5.
The expansion of dev_t is uncontroversial; the only real point of discussion there is how big it should be. That will be Linus's call; he hinted a while back that he was changing his mind and preferred a 64-bit value (32 bits each for the major and minor number) over 32 bits with a 12:20 split. In more recent times he has been silent.
The real disagreement has to do with the form of the expanded dev_t patches, which implement something that looks very much like the old, static device number space. Some developers (well, one at least: Roman Zippel) complain that the patch should "go all the way" and create a fully dynamic number space. He cites numerous quotes from Chairman Linus, who favors a dynamic device numbering scheme, to support his point. (Linus, again, has been silent in the current discussion).
Unless he comes up with some impressive patches quickly, Roman looks likely to lose this argument. The focus of the work at the moment is to relieve an immediate, pressing problem: the lack of available device numbers. The problem is especially acute for SCSI disk drives, where the number of possible disks is too small, and they have been restricted to 16 partitions. A simple fix for this problem will make the people most concerned with dev_t expansion happy for now.
The bigger problem - the management of an entirely dynamic device number space - is still characterized by a paucity of working solutions. One approach (devfs) works, but it is a solution that is disliked by many. The most viable competing approach at the moment looks like the hotplug mechanism, which allows the kernel developers to push the entire problem into user space. Some promising work is being done in that area, but it is unlikely that even those closest to this work would claim that it will be ready for production deployment in the near future. There is also the little matter of the 2.5 feature freeze to worry about.
So a fully dynamic device number space looks like a 2.7 development. Few people contest the idea that a dynamic number space is, in the long run, a better way of doing things. But few people are ready to make that jump for 2.6.
SET_MODULE_OWNER
One would think that it wouldn't be worth arguing over... The macro in question is defined as:
#define SET_MODULE_OWNER(dev) ((dev)->owner = THIS_MODULE)
Rusty Russell had marked that macro as "deprecated" during the course of his module work. There was, he thought, no real reason to keep it around. Others disagreed, though, and Zwane Mwaikambo recently submitted (and Linus accepted) a little patch to un-deprecate the macro. Why do people care, when it's just as easy to set the owner field of the structure in question directly?
The real reason, it seems, is that the macro helps in writing device drivers which work over a wide range of kernels. Various structures (including file_operations and net_device) lacked an owner field in the 2.2 kernel. If a driver uses SET_MODULE_OWNER, it is easy to make that driver compile under 2.2 with a suitable compatibility macro. If the driver sets the owner field directly, the only way to make it work with older kernels is with #ifdef, which is strongly discouraged in kernel code. SET_MODULE_OWNER thus takes the form of a simple accessor function which helps code work regardless of what actually happens inside a particular structure.
The final solution was to leave the macro un-deprecated, but with a comment from Jeff Garzik:
Supporting SELinux
Stephen Smalley has a mission: he would like to get the NSA's Security-Enhanced Linux (SELinux) patches merged into the 2.5 kernel. In theory this task should not be all that hard: the whole point of the Linux Security Module patches is to make it possible to plug in new security regimes at will. At the moment, however, things don't actually work that well. Thus a couple of new patches which have been sent out for comments.
The first patch is relatively straightforward. Files in SELinux have "security labels" which provide fine-grained control over which processes can access them. SELinux needs a mechanism to set and read those labels. So the extended attributes patch just provides an easy mechanism for the manipulation of security labels on files in an ext3 filesystem. Eventually, says Stephen, it will be necessary to add this interface to most filesystems - including the virtual ones. For example, a suitably patched version of OpenSSH can set labels on pseudo terminals if /dev/pts supports them.
The second patch is a little trickier. SELinux also attaches attributes to processes, and it needs an interface by which those attributes can be manipulated from user space. At one point, this interface was provided by the general-purpose sys_security() system call that was part of the LSM patch. sys_security() did not sit well with a number of kernel developers, however, and it was removed in 2.5.50. General-purpose "multiplexor" system call interfaces are very much out of favor; they make it almost impossible to understand the actual interface exported by the kernel.
So SELinux has to figure out a way to manage process attributes without sys_security(). Their options would be (1) to add a new, special-purpose system call, or (2) to find some other, trickier way of doing it. They opted for the latter.
With the process attributes patch, each /proc entry corresponding to a process would have a new attr subdirectory, containing three files. attr/current could be read to obtain the current security attributes for a process, but (in SELinux, at least), could not be written. A process can write its own attr/exec file, which is a place to store process attributes for the future. The next time that the process performs an exec() call to run a new image, the attributes stored in attr/exec will be applied. Needless to say, the currently loaded security module gets veto power over which attributes can be written to that file. Finally, attr/fscreate contains attributes which will be applied to the next file created by the process. Storing file attributes there avoids race conditions where a program wearing a black hat attempts to access a file in the time between its creation and when security attributes are applied.
Kernel developers do not like multiplexor interfaces, but it is probably worth discussing whether system interfaces based on magic /proc files are better. One could say that, with /proc, at least the interface is visible. For now, at least, that discussion is not happening; there have been, as of this writing, no public comments posted in the day since the patches went out.
Driver porting
Driver porting: DMA changes
This article is part of the LWN Porting Drivers to 2.6 series.
The most evident change is the creation of the new generic DMA layer. Most driver programmers will be aware of the pci_* DMA support functions; SPARC programmers may have also encountered the analogous set of sbus_* functions. Starting with 2.5.53, a new set of generic DMA functions was added which is intended to provide a DMA support API that is not specific to any particular bus. The new functions look much like the old ones; changing from one API to the other is a fairly automatic job.
The discussion below will note changes in the DMA API without looking at every new dma_* function. See our DMA API quick reference page for a concise summary of the mapping from the old PCI interface to the new generic functions.
Allocating DMA regions
The new and old DMA APIs both distinguish between "consistent" (or "coherent") and "streaming" memory. Consistent memory is guaranteed to look the same to the processor and to DMA-capable devices, without problems caused by caching; it is most often used for long-lasting, bidirectional I/O buffers. Streaming memory may have cache effects, and is generally used for a single transfer.
The PCI functions for allocating consistent memory are unchanged from 2.4:
void *pci_alloc_consistent(struct pci_dev *dev, size_t size,
                           dma_addr_t *dma_handle);
void pci_free_consistent(struct pci_dev *dev, size_t size,
                         void *cpu_addr, dma_addr_t dma_handle);
The generic version is a little different, adopting the term "coherent" for this type of memory, and adding an allocation flag:
void *dma_alloc_coherent(struct device *dev, size_t size,
                         dma_addr_t *dma_handle, int flag);
void dma_free_coherent(struct device *dev, size_t size,
                       void *cpu_addr, dma_addr_t dma_handle);
Here the added flag argument is the usual memory allocation flag. pci_alloc_consistent() is deemed to have an implicit GFP_ATOMIC flag.
For single-buffer streaming allocations, the PCI interface is, once again, unchanged, and the generic DMA interface is isomorphic to the PCI version. There is now an enumerated type for describing the direction of the mapping:
enum dma_data_direction {
    DMA_BIDIRECTIONAL = 0,
    DMA_TO_DEVICE = 1,
    DMA_FROM_DEVICE = 2,
    DMA_NONE = 3,
};
The actual mapping and unmapping functions are:
dma_addr_t dma_map_single(struct device *dev, void *addr, size_t size,
                          enum dma_data_direction direction);
void dma_unmap_single(struct device *dev, dma_addr_t dma_addr, size_t size,
                      enum dma_data_direction direction);
dma_addr_t dma_map_page(struct device *dev, struct page *page,
                        unsigned long offset, size_t size,
                        enum dma_data_direction direction);
void dma_unmap_page(struct device *dev, dma_addr_t dma_addr, size_t size,
                    enum dma_data_direction direction);
As is the case with the PCI versions of these functions, use of the offset and size parameters is discouraged unless you really know what you are doing.
There has been one significant change in the creation of scatter/gather streaming DMA mappings. The 2.4 version of struct scatterlist used a char * pointer (called address) for the buffer to be mapped, with a struct page pointer that would be used only for high memory addresses. In 2.6, the address pointer is gone, and all scatterlists must be built using struct page pointers.
The generic versions of the scatter/gather functions are:
int dma_map_sg(struct device *dev, struct scatterlist *sg, int nents,
               enum dma_data_direction direction);
void dma_unmap_sg(struct device *dev, struct scatterlist *sg, int nhwentries,
                  enum dma_data_direction direction);
Noncoherent DMA mappings
The generic DMA layer in 2.6 includes a set of functions for the creation of explicitly noncoherent mappings. Very few drivers will need to use this interface; it is mostly intended for code that must work on older platforms that are unable to create coherent mappings. Note that there are no PCI equivalents for these functions; you must use the generic variants.
A noncoherent mapping is created with:
void *dma_alloc_noncoherent(struct device *dev, size_t size, dma_addr_t *dma_handle, int flag);
This function behaves identically to dma_alloc_coherent(), except that the returned mapping might not be in coherent memory. Drivers using this memory must be careful to follow the ownership rules and call the appropriate dma_sync_* functions when needed. An additional function:
void dma_sync_single_range(struct device *dev, dma_addr_t dma_handle, unsigned long offset, size_t size, enum dma_data_direction direction);
will synchronize only a portion of a (larger) noncoherent mapping.
When your driver is done with the mapping, it should be returned to the system with:
void dma_free_noncoherent(struct device *dev, size_t size, void *cpu_addr, dma_addr_t dma_handle);
Double address cycle addressing
The PCI bus is capable of a "double address cycle" (DAC) mode of operation. DAC enables the use of 64-bit DMA addresses, greatly expanding the range of memory which is reachable on systems without I/O memory mapping units. DAC is also expensive, however, and is not properly supported by all devices and buses. So the DMA support routines will normally go out of their way to avoid creating mappings that require DAC - even when the driver has set an address mask that would allow it.
There are occasions where DAC is useful, however. In particular, very large DMA mappings may not be possible in the normal, single-cycle address range. For these rare cases, the PCI layer (but not the generic DMA layer) provides a special set of functions. Note that the DAC functions can be very expensive to use; they should generally be avoided unless absolutely necessary. These functions aren't strictly a 2.6 feature; they were also added to 2.4.13.
A DAC-capable driver must begin by setting a separate address mask:
int pci_dac_set_dma_mask(struct pci_dev *dev, u64 mask);
The mask describes the address range that your device can support. If the function returns non-zero, DAC addressing cannot be used and should not be attempted.
A DAC mapping is created with:
dma64_addr_t pci_dac_page_to_dma(struct pci_dev *dev, struct page *page, unsigned long offset, int direction);
There are a few things to note about DAC mappings. They can only be created using struct page pointers and offsets; DAC mappings, by their nature, will be in high memory and thus will not have kernel virtual addresses. DAC mappings are a straight address translation requiring no external resources, so there is no need to explicitly unmap them after use. Finally, all DAC mappings are inconsistent (noncoherent) mappings, so explicit synchronization is needed to ensure that the device and CPU see the same memory. For a DAC mapping, use:
void pci_dac_dma_sync_single(struct pci_dev *dev, dma64_addr_t dma_addr, size_t len, int direction);
Some other details
On many architectures, no resources are consumed by DMA mappings, and thus there is no real need to unmap them. The various unmap functions are set up as no-ops on those architectures, but some programmers evidently dislike the need to remember DMA mapping addresses and lengths unnecessarily. So 2.6 (and 2.4 as of 2.4.18) has a fairly elaborate bit of preprocessor abuse which can be used to save a couple words of memory. See Documentation/DMA-mapping.txt in the source tree if this appeals to you.
The "PCI pool" interface is definitely not a 2.5-specific feature, since it first appeared in 2.4.4. That is new enough, however, that some references (i.e. Linux Device Drivers, Second Edition) do not cover it. The PCI pool interface enables the use of very small DMA buffers. In the past, such buffers would often be kept in device-specific structures. Some users ran into trouble, however, when the DMA buffer shared a cache line with other members of the same structure. The PCI pool interface was created to help move tiny DMA buffers into their own space and avoid this sort of memory corruption. Again, see DMA-mapping.txt for the details.
Page editor: Jonathan Corbet
Distributions
News and Editorials
Source Based Distributions, Part 2
[This article was contributed by Ladislav Bodnar]
Last week we looked at general advantages and disadvantages of source-based Linux distributions and how they compare to the more widely used binary ones. This week we will take a brief tour of these projects and outline their differences and target audiences.
Gentoo Linux is by far the most popular source-based Linux distribution. It was started in 1999 by Daniel Robbins, formerly a Stampede Linux and FreeBSD developer who wrote most of "portage", Gentoo's package management system and core component. It is no coincidence that a similar component called "ports" had already existed in various BSD flavors.
Gentoo Linux 1.0 was released in April 2002. Portage was an instant hit, because it enabled software installation with a single command, which downloaded the source code of a given package, then configured, compiled and installed it on the user's machine. While the initial system installation was long and tedious, Gentoo's excellent documentation eased the pain considerably. Many Gentoo users found the experience of easy installation of the latest available software gratifying - in sharp contrast to the frustration with some of the software package management tools used by binary distributions.
Sorcerer is an independent compile-all-from-source effort started in 2001 by Kyle Sallee. The many unique ideas quickly attracted other developers; unfortunately the developer community split in March 2002, creating not one, but three different branches based on Sorcerer (the other two are now called Lunar Linux and Source Mage GNU/Linux). While the development of the three branches is increasingly independent, they share a common background in "sorcery".
Sorcery is a functional equivalent of Gentoo's portage, except that it is written in pure bash, rather than Python. In fact, the two package managers provide very similar functionality, only differing in implementation and terminology. As an example, installing a new software package is referred to as "cast spell" in Sorcerer's terminology and "emerge ebuild" in Gentoo's speak, but both accomplish exactly the same task. That's not to say that there aren't any fundamental differences. Some users who have tried both distributions report that sorcery is technically better implemented than portage and that creating "spells" is easier than creating "ebuilds". On the other hand, Gentoo excels in providing clear documentation and a wealth of related resources and has a large and helpful user community.
ROCK Linux is another independent distribution started by Clifford Wolf and a group of European developers in 1998. The first stable version, ROCK Linux 1.2.0, was released in August 1999.
ROCK Linux takes a different, but no less interesting approach to building a complete distribution from source. While both Gentoo and Sorcerer provide bootable ISO images to install the base system, with ROCK Linux the initial download is a small, about 1 MB set of task-oriented bash scripts. The user then executes the appropriate scripts - one launches a menu driven system configuration panel, another downloads the required software and yet another compiles the source code. Once the build process completes (the time needed depends on the type of system being built, which can be fine tuned), another script creates a bootable CD image for installation and deployment.
One obvious advantage of ROCK Linux is that the long build process is done in the background, so your system is available for normal daily tasks and not tied up as with Gentoo or Sorcerer (unless you build your Gentoo or Sorcerer system in a chroot-ed environment, but this is not well documented and best left to experts). On the other hand, ROCK Linux tends to be less "cutting edge" and generally provides a smaller package selection than either Gentoo or Sorcerer. Also, building ROCK Linux requires a pre-existing Linux installation as a base.
Linux From Scratch, or LFS for short, is the last on this list of established source-based distributions. The project was started by Gerard Beekmans in late 1999.
LFS differs from the other projects mentioned here in that it is not a "distribution" in the true sense of the word, but rather a book describing how to build one from scratch. An existing Linux installation is an essential requirement. While the project can indeed serve as a basis for a full-blown and functional distribution, LFS's main purpose is educational. Building up a basic Linux system is a great way to learn all there is about Linux internals, the essential GNU software, as well as other critical considerations, such as security or file system layout. The distribution's web site provides active mailing lists and the book has been translated to many languages.
Opinions about the merits of source-based distributions vary a great deal, but there is no denying that they can be great fun while providing an unparalleled learning experience. Give them a try and see for yourself.
Distribution News
Debian GNU/Linux
The Debian Weekly News for April 8, 2003 is out. It looks at the April Fool's pranks in last week's issue (and which news was real); Bdale Garbee reports on the most recent board meeting of Software in the Public Interest; plus Debian Usability Research; and much more.
Bytemark Hosting has recently started to offer Debian systems as part of their Virtual Machine hosting packages, and are offering a 10% discount to authors of DFSG-compliant free software.
Gentoo Weekly Newsletter -- Volume 2, Issue 14
The Gentoo Weekly Newsletter for April 7, 2003 is out. This week, a note on last week's April Foolery; working toward a more secure Gentoo; and much more.
Qli Technologies now offering Lycoris Desktop/LX on all Linux Systems
Qli Technologies has partnered with Lycoris to make Lycoris Desktop/LX available on all Qli Linux Computer systems, including Notebooks and the recently announced "Pre-Modded" Linux Systems.
Announcing Red Hat Linux 9
Here is the official press release for Red Hat Linux 9. Boxed sets are now widely available for purchase at retail locations.
Trustix Secure Linux
Trustix has released some bug fix advisories:
- Mkinitrd has been updated to better support certain new SCSI controllers.
- A 'notifempty' was added to the logrotate-statement in apache to prevent mail about empty log files.
- Fusion MPT device support has been added to the kernel.
New Distributions
Mulimidix
Mulimidix is a mini Linux distribution for building a PC-based set-top box and multimedia player system with digital TV, MP3, DivX, etc. support, using VDR, Freevo and other tools. It is currently optimized for i686. Initial version 0.1 was released April 4, 2003.
PLD RescueCD
PLD RescueCD is a bootable disk that contains a live Linux distribution based on PLD Linux with a 2.4.20 modular kernel. This version uses transparent compression to fit about 130 MB of software onto a single mini CD 50 MB in usable form. These images are small enough to fit on most business card-sized CD-ROMs (approx. 50MB), but can be burned onto any standard CD-R or CD-RW, as well. PLD RescueCD can be used to rescue ailing machines, perform intrusion post-mortems, act as a temporary secure linux-based workstation (using ssh, vpn connecting to remote host - other networking clients are also supported), install PLD Linux, and perform many other as yet unimagined tasks. Initial version 1.00 was released April 6, 2003.
RIMiGate
RIMiGate is a floppy-based Linux distribution for running WA4DSY's aprsd. Its goal is to make it easy to deploy igates for the APRS project. Version 0.2 was released April 4, 2003.
Slackware Live CD
Slackware Live CD is a bootable CD containing a Linux operating system. It runs Linux directly from CDROM without installing. The live CD described here is based on Slackware Linux distribution and is downloadable as an ISO. There are also all the scripts and source code needed to build your own live CD. Version 2.9.0.10 was released April 6, 2003.
MadPenguin announces TykeLinux project
MadPenguin.org announced its TykeLinux (current working title) project, a Linux distribution geared toward child development and learning. The distribution will be based and built upon Ark Linux 1.0a7.1 and the KDE 3.1.x desktop environment. It will include several educational tools, as well as cross-platform compatible office applications. So far this project remains in the planning stage and additional developers are requested.
Minor distribution updates
2-Disk Xwindow embedded Linux
2-Disk Xwindow embedded Linux has released source version 1.0.6 with code cleanup. "Changes: The source should now be easier to compile. Some sizable chunks of X libs were removed. Optimizations to BNF were made. The Kaffe Java system was removed from the distribution. 1.4 Mb disk images were made the default build option."
Astaro Security Linux
Astaro Security Linux has released v3.217 with minor feature enhancements. "Changes: This Up2Date adds a new config option for unsuccessful WebAdmin logins, a new config option for old log file handling and renews the GPG key for Up2Date."
Morphix
Morphix has released v0.3-4 with major feature enhancements. "Changes: The packages were updated to the latest versions in Debian sid. integrated nvidiadrivers, translucency and forceusb in base. A new background image was added. Support for video resolutions of 1280x1024 and 1600x1200 was added. The gameiso has been released again, including q3a and ut2003 demos."
NSA Security Enhanced Linux
NSA Security Enhanced Linux has released v2003040708 with major feature enhancements. "Changes: The example policy has been updated with enhancements and cleanups. A number of bugs have been fixed in the SELinux module. The updated module is available for the ia32 2.4.20 Linux kernel. The updated module is also available for both the mainline 2.5.66 Linux kernel and an LSM patched 2.5.66 Linux kernel. The new mainline module also includes work in preparation for a new SELinux API. Finally, a port of SELinux to the arm 2.4.19 kernel is also now available."
RxLinux
RxLinux has released v1.3.3 with minor feature enhancements. "Changes: A couple of bugs in rxmaster.cgi which were introduced in 1.3.2 were fixed. The rxmaster package now includes both Apache for Linux and Win32. The maximum number of loop devices is now 256. Extra libs were added to the RX-lib-1.0-USR packages. The RX-rxmaster-1.0-ETC package was added to start Apache for RX-rxmaster-1.3.3-USR."
TopologiLinux
TopologiLinux has released v3.0.0 with major feature enhancements. "Changes: Based on Slackware 9.0 with some extra packages, and now also with ALSA sound drivers included."
TrustedDebian
TrustedDebian has released v0.9.2 with major feature enhancements. "Changes: This version features transparent proxy support, RSBAC v1.2.2-pre4 patched in but not yet activated, version 200303162116 of PaX, an updated FreeS/WAN, kernel fixes, additional packages, dependency fixes, and some updated packages."
ttylinux
ttylinux has released v3.1 with minor bugfixes. "Changes: This release updates e3, LILO, and modutils to their latest versions."
Distribution reviews
Review of ALT Linux Junior v2.2 (Virtual Sky)
The Virtual Sky Media Group reviews the recently released ALT Linux Junior 2.2. "One thing I like to do after setup is head over to www.grc.com to test my system's vulnerability to Net-attack. Right "out of the box", Junior provided better security to this kind of test than Mandrake or Libranet did. Both Mandrake and Libranet either left certain ports ''open'' or allowed my NetBIOS to divulge certain OS information. Junior prevented all of this. Some good peace of mind for those concerned about their on-line security."
Self-Hosting Movies with MoviX (Linux Journal)
Linux Journal steps through the process of building a live Linux CD for watching movies. "...a few months ago I looked on the Net for a Linux CD mini-distribution that is able to boot and play automatically all audio/video files on the CD. I was very surprised to find none. Therefore, my only chance to get one was to develop it myself, and so I started working on MoviX. Now, I am not a Linux guru and I know close to zero about multimedia playback, but the beauty of open source is you can put together tools developed by people who know much more than you and still create something new and useful. I put together my knowledge of Slackware management (I've been fond of Slackware since 1994) and the MPlayer ("the" multimedia player) and IsoLinux (an easy-to-use Linux CD bootloader) package I had recently found out on the Net and began building my distribution."
Total Computer Newbies Meet Debian: Part 1, The Install (OSNews)
This OSNews article tells the story of a couple of computer newbies who are introduced to Debian for their first operating system. "Diane will be using this computer the most. So I explained to her what Windows is and what GNU/Linux is. She already knew that many businesses run on Microsoft programs. She asked me about the state of office and accounting software on Linux. I explained to her, as best I could, what file formats are. I told her that for word processing, OpenOffice could both read and write the Microsoft formats, and what that meant. As far as accounting, I told her about GNUCash, explaining that I knew it could import QuickBooks formats, but did not know if it could save in QuickBooks formats. She did some software reconnaissance on her own, checking prices on Microsoft Windows, Microsoft Office, and QuickBooks. Amazingly enough, in the midst of her information gathering, she met a lady at one of the office supply houses, who also was a Linux fan, and raved to her about its stability. Diane decided to go with GNU/Linux, having absolutely not so much as one shred of computer experience to her name."
Page editor: Rebecca Sobol
Development
The Gaim Instant Messaging Client
GnomeDesktop has an announcement for version 0.60 of Gaim, a multi-platform internet messaging client. "Almost 10 months in the making, Gaim 0.60 is finally released, and I'm confident it's the best IM client ever released"
![[Gaim]](https://static.lwn.net/images/ns/gaim.jpg)
As is common in the open-source world, another version, number 0.61, came out shortly afterward with fixes for some newly discovered bugs. The ChangeLog file lists the changes in both versions.
Gaim is described as multi-protocol and multi-platform; it runs on Linux, BSD, MacOS X, and Windows. Gaim runs under GNOME and KDE, and features new GTK2 support. Gaim supports a wide range of chat protocols: AIM, ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, and Zephyr networks. In addition, multiple protocols are supported simultaneously.
As with most GUI-based software, the screenshots go a long way in illustrating the capabilities of the software.
See the Gaim FAQ for help with installation and use as well as a description of current and future features. Gaim may be downloaded here.
System Applications
Audio Projects
Demolition pre-release
A pre-release of Demolition, a destruction testing tool for LADSPA plugins, has been released. "If you write LADSPA plugins, or if you maintain a LADSPA host and don't think much of the quality of some plugins, this tool is for you. Please run out and grab it."
Database Software
MySQL 4.1.0 released
MySQL 4.1.0 - the first MySQL 4.1 alpha release - is now available. It includes a number of new features: subqueries, derived tables, extended INSERT syntax, unicode support, OpenGIS support, protocol improvements, and more.
PostgreSQL Weekly News
The April 2, 2003 edition of the PostgreSQL Weekly News is out with the latest PostgreSQL database development information. "Another fun-filled week in PostgreSQL land has passed. It was relatively qui[e]t compared to the activity of the last few weeks, but the steady progression toward 7.4 does continue."
Education
Linux in Education Report
Issue #93 of the Linux in Education Report is out. Topics include South African open source learning centers, reconditioned computers for California schools, the TykeLinux distro, free software in Indian schools, a resolution for open-source software at SUNY, forming local Schoolforge groups, the NoMachine (NX) compressed X protocol, and more.
Mail Software
SquirrelMail 1.4.0 released (SourceForge)
Version 1.4.0 of SquirrelMail has been released. "SquirrelMail is a PHP4-based Web email client. It includes built-in pure PHP support for IMAP and SMTP, and renders all pages in pure HTML 4.0 for maximum compatibility across browsers. It also has MIME support, folder manipulation, etc. Today, after a very long wait, the first stable child of the past development series, 1.4.0, has seen the light! It includes enhancements for stability, performance and compatibility, plus new features and many bugfixes."
Web Site Development
IssueTrackerProduct-0.5.0b is finally out! (ZopeMembers)
A new version of IssueTrackerProduct is available. "The biggest feature-add is the inbound email feature which lets you define one or many email addresses dedicated to fetch incoming issues. Unlike similar software in this genre this is easy to administer." See the CHANGES.txt document for details.
mnoGoSearch 3.2.9 search engine released
Version 3.2.9 of the mnoGoSearch web site search engine has been released. See the Change Log for details.
YaBB SE 1.5.1 is out
YaBB SE 1.5.1 final has been announced. "YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another bulletin board). Incorporating the same intuitive user interface, and several of the most popular modifications from YaBB's Boardmod program. After an extensive period of public beta testing, YaBB SE 1.5.1 final is out!"
ZopeMag Issue 4 is now available! (ZopeMembers)
Issue #4 of a publication known as ZopeMag is available online. "The first of two free articles for this quarter, a Product Review of icoya, is now online. Every issue has at least two free articles -- so if you're not a subscriber check out the previous editions."
PABlog 1.3 (ZopeMembers)
Zope Members has an announcement for version 1.3 of PABlog. "The latest and greatest release of the blog tool for CMF. Archiving is derived from CMFCalendar, installer script and documentation make setup a breeze (I think)."
Using Mozilla in testing and debugging web sites
Henrik Gemal shows how to use Mozilla for web site debugging. "Mozilla is a great tool to use in developing web sites and web applications. Not as a development tool itself, like an editor, but as a testing and debugging tool. In this article I will describe some very cool features in Mozilla which will enable you to quickly find and debug errors in your web site and web applications."
Apache::VMonitor (O'Reilly)
Stas Bekman writes about Apache::VMonitor, a mod_perl utility that allows system status monitoring via the web. "It's important to be able to monitor your production system's health. You want to monitor the memory and file system utilization, the system load, how much memory the processes use, whether you are running out of swap space, and so on."
Desktop Applications
Audio Applications
MusE release 0.6.0pre8 available
Release 0.6.0pre8 of MusE, the Linux Music Editor MIDI sequencer, has been released. "0.6.0pre8 has in addition to many bug fixes some usability enhancements."
Desktop Environments
KDE-CVS-Digest for April 4, 2003
The April 4, 2003 KDE-CVS-Digest is out. This edition covers: "Continuous improvements to the development tools, with Quanta, Kate and Kdevelop getting optimizations and bug fixes. New and improved filters in Koffice, the large rewrite of Kig is finished, and work on new themes and theme engine."
XFree86 teleconference minutes posted
The minutes of the teleconference referred to by Keith Packard in this week's interview are now available on the net. The main conclusion that the participants came to was to recommend that the XFree86 board make a public statement about what changes, if any, it is willing to consider to resolve the project governance issues.
Here's a response from XFree86 president David Dawes: "I don't know why you're all wasting your time talking about this stuff when there's nothing stopping you from just going ahead and creating your own project." (Thanks to Dan Carpenter).
Evolution 1.2.4 is out (GnomeDesktop)
Version 1.2.4 of Evolution, an integrated mail, calendar, and addressbook application for the GNOME environment, has been announced. "This release adds support for Kerberos 5 authentication using the GSSAPI, although currently only our SuSE 8.1 build has this compile-time option enabled."
Graphics
GSview 4.4 available
Version 4.4 of GSview, a PostScript viewer, has been announced. "This is a bug fix release to handle some interworking issues with Ghostscript 8.00, but also includes new translations for Catalan, Russian and Slovak."
Interoperability
Wine Traffic #164
Issue #164 of Wine Traffic is out with the following topics: Interviews, Reviews, Other News, Wine & RedHat 9.0, Compiling With gcc 2.96, Duplicated Include Parameters?, and How to Just Access a Windows DLL.
Vstserver 0.2.6 released
Version 0.2.6 of Vstserver has been released. "Vstlib is a library that can be used by programs to run windows vst audio plugins under linux/freebsd/i386solaris/etc." This version works with the 8.4.2003cvs version of wine.
Office Applications
AbiWord Weekly News
Issue #138 of the AbiWord Weekly News is out. "Johan moves the QNX dialogues to the Photon Application Builder set, but the screenshots are still slated for "later." But if it's screenshots you want, there's been an update to the Nautilus View Controller from Dom, who followed a topic at Footnotes. Jordi also would like to show off the page number dialogue, thus proving that your editor cares about Windows too. All in all, this has really been about squishing bugs for the advent of AbiWord II: The Wrath of Dom."
GNUe Traffic #75
Edition #75 of GNUe Traffic is out with the latest GNU Enterprise news. Topics include: First release of GNUe Small Business, Problems with locale settings in PostgreSQL with GNUe, gnue.conf settings for Application Server, GNUe and the original GNU General Ledger project, and New pre-releases available for testing.
LyX Development News
The April 3, 2003 edition of the LyX Development News is available. Topics include: LyX 1.3.1 released, A native Win32 port, Deleting empty paragraphs, Recent developments, and more.
OpenOffice.org SDK, Final Release
The OpenOffice.org community announced the final release of the OpenOffice.org 1.0.2 SDK. This release provides independent software vendors, system integrators and enterprise developers with the key set of tools and documentation needed to extend and integrate the OpenOffice.org productivity suite.
Scripting Framework Early Developer Release 0.2
Version 0.2 of the Scripting Framework for OpenOffice.org has been announced.
Web Browsers
Independent Status Reports (MozillaZine)
The latest Mozilla Independent Status Reports are available. "The latest set of status reports includes updates from eXPatCOM, XEDE, DailyComics, BBSzilla, NeedleSearch and Mnenhy."
Minutes of mozilla.org Staff Meeting (MozillaZine)
MozillaZine presents the minutes from the March 26, 2003 Mozilla staff meeting. "Issues discussed include Mitchell Baker's visit to Germany, Scott Collins' visit to Carnegie Mellon University, Mozilla 1.3.1, Mozilla 1.4 Alpha, the Gecko Runtime Environment, Mozilla talks at the Open Government Conference and Sun's module requests."
Miscellaneous
KStars: A Desktop Planetarium for KDE
A new snapshot of KStars, a "desktop planetarium", has been announced. "Recently featured in Linux Magazine, KStars displays an accurate representation of the night sky as seen from any location on Earth, on any date, including all of 40 000 stars, 13 000 deep-sky objects, all planets, the Sun and Moon, and 2500 comets and asteroids. KStars has an intuitive interface that makes it easy for anyone to explore the night sky."
Helix Community Updates #4
The fourth edition of the Helix Community Updates is available. "Welcome to the first newsletter since the release of all three major components of the Helix DNA family of projects. Of course, things haven't stood still since then; there's been a lot of activity as we work on stabilizing the code and preparing for shipping products based on the code."
Plea to GNOME/GTK+ Devs: Save Agnubis and Guppi (GnomeDesktop)
Gnome Desktop has a plea for developers to help out with the Agnubis and Guppi projects. "Agnubis is the GNOME Presentation Program comparable to such programs as Microsoft PowerPoint or Corel Present."
"Guppi is a GNOME-based framework for graphing and interactive data analysis."
Languages and Tools
Caml
Caml Weekly News
The April 8, 2003 edition of the Caml Weekly News is out. Topics include Our shrinking Humps, C++ embedded ocaml and shared libraries, Wanted - General Purpose "Glue Logic" Data-Structures, and dynamic HTML pages.
Java
Java 1.4.2 beta released (GnomeDesktop)
The GnomeDesktop site mentions the release of Java version 1.4.2 from Sun. "The Java version we mentioned the other day with support for GTK+ and Window Manager themes is out in its first beta release. Be sure to get it and get your Java apps to look like they belong in your GNOME desktop."
JML 3.7 released
Version 3.7 of The Java Modeling Language (JML) has been released. "This release of JML has many improvements over the earlier (3.6) release."
Informa 0.2.6 released (SourceForge)
SourceForge has an announcement for the release of Informa 0.2.6. "The Informa RSS Library provides a convenient Java API for handling news channels and metadata about them. Different syntax formats (like RSS 0.91 and 1.0 RDF) for channels are supported. It is planned to also support channel information descriptions. This release improves the flexibility of channel parsing, the channel format definition and contains also some bug fixes."
Securing Linux for Java services (IBM developerWorks)
Dennis M. Sosnoski talks about Tomcat security issues on IBM's developerWorks. "In this article, I review the advantages of the Java platform for server applications, then look at the issues involved in simply and safely deploying Java services on Linux. As a practical example, I'll cover the details of setting up the Apache Software Foundation's widely used Tomcat Java servlet engine for standalone operation."
Top 12 Reasons to Write Unit Tests (O'Reilly)
Eric M. Burke and Brian M. Coyner make the case for writing unit tests. "A concise code example is better than many paragraphs of documentation. We see this time after time in our consulting work. Far too often, teams produce boilerplate documents that are of little practical value. When programmers need to learn an API, they search for code examples. Tests are among the best code examples because they are concise snippets of code that exercise public APIs."
Project management: Maven makes it easy (IBM developerWorks)
Charles Chan compares Maven to Ant on IBM's developerWorks. "Even though Ant acts as the de facto standard for building Java programs, in many ways the tool falls short for project management tasks. In contrast, Maven, a high-level project management tool from the Apache Jakarta project, provides everything that Ant offers plus more. Java developer Charles Chan introduces Maven's features and walks you through a complete Maven project setup."
Lisp
OpenMCL 0.13.5 released
OpenMCL 0.13.5 is available. "This maintenance release provides new debugging commands, a fix to a FORMAT directive, and checks for CPU data cache line size."
CL-BibTeX 0.4 released
Version 0.4 of CL-BibTeX is available. "CL-BibTex is a replacement written in Common Lisp of the BibTeX bibliography database tool. It allows users to format bibliographic entries using Lisp programs rather than the stack language of BibTeX style files."
Perl
This Week on perl5-porters (use Perl)
The March 30 - April 6, 2003 edition of This Week on perl5-porters is out. "Patches, crashes, hashes and stash caches, these are a few of my favorite things. If you like them, too, this week's P5P summary is for you !"
The Perl Foundation - Survey and Proposal Forms (use Perl)
The Perl Foundation has announced its first survey and project proposal form. Help TPF establish the Perl community's funding priorities for 2003 by participating in this survey.
PHP
PHP Weekly Summary
Topics on this week's PHP Weekly Summary include: GD from 2.0.12, standards, var_dump(), ZE2, socket vulnerability, PHP 5 Reflection RFC, ext/xml updated, PECL extensions for Windows, DOMXML function, and openssl_sign() patch.
Ten Security Checks for PHP, Part 2 (O'ReillyNet)
Part two of the O'Reilly article on PHP security checks is available. "The same global access that makes web apps useful means that you have to keep on top of security. Though it's easy to create sites in PHP, it's not immune to sloppy coding. Clancy Malcolm explains how to recognize and fix five potential security holes with PHP in the second of two articles."
Python
Python-dev summary
The Python-dev summary for the second half of March is now available. It looks at PyCon, the continuing "lists v. tuples" discussion, capability-mediated modules, and several other topics.
This week's Python-URL
Dr. Dobb's Python-URL for April 9 is available. It looks at a proposed ":=" operator which would have no default semantics, along with several other topics.
Ruby
The Ruby Weekly News
Topics on this week's Ruby Weekly News include: J->E translation of Matz's Japan /. interview, Inherit vs. include, and Standardized package installation procedure.
Tcl/Tk
This week's Tcl-URL
Dr. Dobb's Tcl-URL for April 8 is out with the latest from the Tcl/Tk development community.
XML
XML development with Eclipse (IBM developerWorks)
Pawel Leszek illustrates the use of the Eclipse platform with XML. "This article gives you an overview of how the Eclipse Platform supports XML (Extensible Markup Language) development. Eclipse does not support XML code editing right out of the box. However, because Eclipse is a platform-independent framework for building developer tools, you can add support for new languages relatively easily."
Conditional Execution (O'Reilly)
Bob DuCharme introduces xsl:if on O'Reilly. "Most programming languages provide some means of conditional execution, which allows a program to execute an instruction or block of instructions only if a particular condition is true. Many programming languages do this with if statements; the XSLT equivalent is the xsl:if instruction."
Miscellaneous
ROBODoc 4.0.0 released (SourceForge)
Version 4.0.0 of ROBODoc is available. "ROBODoc is a documentation tool. It extracts the documentation from commentheaders in the sourcecode and formats it in HTML, RTF, TeX, or ASCII. Works with C, Tcl, FORTRAN, and any other language that supports remarks."
Regina REXX 3.1 released (SourceForge)
Version 3.1 of the Regina REXX Interpreter is available. "This release makes Regina 100% compliant with the 1996 ANSI Standard for Rexx. The documentation has also been updated and is now available online in HTML and PDF, and downloadable in HTML, PDF and OpenOffice Writer formats."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Recent security flaws highlight need for vigilance (NewsForge)
This NewsForge article looks into recent security vulnerabilities in open source software. "Most responsible organizations get that far. Many, however, fail to take the next step of correcting the flaws. They may have good reasons: No one wants to be first to install a fix in case the fix breaks something new. Sometimes servers need to run 24/7 and can't conveniently be brought down for maintenance. And it can be awkward to patch only a subset of your servers, leaving your network in an inconsistent state."
US mod chip retailer jailed and fined (Register)
The Register reports that David Rocci has been sentenced to five months in jail for selling Xbox mod chips. "...the sentence will send an extremely powerful message to anyone else involved in the production or sale of Xbox mod chips in the USA (so far, the attempts of the US Department of Justice to extend the reach of the DMCA beyond its borders have - thankfully - been a failure). Expect a lot of mod chip projects and websites to quietly disappear in the next few days."
Trade Shows and Conferences
Perens Addresses Individualism Vs. the Company Line (Linux Journal)
Linux Journal covers Bruce Perens' talk at SD West on "Individualism and the Company Line". "J. Random Hacker may argue that she still has freedom of speech. This is true; however, there is a context for this freedom. Publicly attacking your employer's products or services yields clearly defined results. Although Perens's contract with HP stated he could express his opinion to the press freely, attacking HP's business partner Microsoft was a problem."
Reporter's Notebook: Linux gaining interest from Wall Street (ComputerWorld)
ComputerWorld reports from the Linux on Wall Street Show and Conference. "The show was small by recent IT standards, but it was designed as a comfortable place for Wall Street executives to get a close-up look at the Linux phenomenon. IBM was here, as were SuSE Linux AG, Hewlett-Packard Co., Computer Associates International Inc. and Reuters Market Data System, all showing off some of their Linux technologies to users and potential users." (Thanks to Peter Link)
Companies
Vic Unis sign life sciences computing deal (ZDNet.au)
ZDNet Australia covers a consortium of Victorian Universities that have signed an $AU1 million deal with IBM Australia to give them improved access to computing power and bioinformatics tools. "The Victorian Partnership for Advanced Computing (VPAC), a consortium which provides high-performance computing facilities and support to member universities, said the deal encompassed delivery of a "life sciences solution" including a Linux-based supercomputer cluster and a series of advanced bioinformatics tools." (Thanks to Con Zymaris)
Linux Adoption
Linux Lags On The Desktop (TechWeb)
Here's a lengthy TechWeb article about business deployments of desktop Linux. "Ernie Ball Inc. turned to Linux out of crisis more than cost savings. Three years ago, the global manufacturer of guitar strings was slammed by the Business Software Alliance for running more copies of Windows than the company had paid for. Then there were the pirated copies of software from Autodesk Inc. and FileMaker Inc. It was the spark that turned Ernie Ball into a Linux hot spot. 'We had 120 days to comply with the BSA, and we complied by throwing everything out,' says Jeff Whitmore, an IT manager at Ernie Ball."
Whitehall dips toes into open source purchasing (Register)
The Register looks into the successful roll-out of an open source-based online purchasing system. "Called Purchase & Pay, the Linux-based system is used by civil servants in the Department of Work & Pensions (DWP) for the purchase of printed forms and stationery. The government hopes to extend the role of the system to facilitate the payment of invoices resulting from orders to be added over the coming months."
Desktop Linux Edges Into The Mainstream (TechWeb)
This TechWeb article says Linux on the desktop is coming, but slowly. "No one is predicting a Linux landslide. While the Apache Web server forged a beachhead for Linux, the desktop fight will be an uphill battle. The key to the desktop was pointed out by a very unlikely source, Oracle's Larry Ellison: Applications. But to attract app makers, you need users in number. And to attract users, you need ease of installation, ease of device configuration, and intuitive, full-featured desktop user controls. It's all coming, but slowly."
Legal
Report from the first Oregon open source hearing (NewsForge)
NewsForge reports on Oregon's "open source" hearing. "The sponsors of the bill had their say first. Ken led the testimony with his background and motivation for the bill. He was followed by many others, including members of the LTSP project and representatives from small school districts who said they could not be doing the things they are without the savings Open Source software makes available to them. Others provided a range of thoughtful and well-presented views."
Open-source battle rages in Oregon (News.com)
News.com reports on the fight over the Barnhart open source law proposal in Oregon. "Lined up behind the measure at last week's hearing were Linux user groups and developers, and school district representatives, some of whom testified they were able to save so much money using open-source software that they could afford to hire additional teachers."
'Anonymous' funds patent foe (News.com)
According to News.com, an anonymous donor is funding Bruce Perens to fight software patents. "Perens says the $50,000 yearly grant will let him spend a quarter of his time working on the IETF and other standards groups, including the Organization for the Advancement of Structured Information Standards (OASIS), to urge the adoption of royalty-free policies. He also plans to become an official member of the W3C, which charges a $5,000 membership fee."
Interviews
The Linux Standards Base offers binary compatibility (IBM News)
Here's an IBM interview with George Kraft IV, LSB Chairman and IBM LSB liaison, talking about the Linux Standards Base, and how Linux applications can become Linux Standards Base compliant. "How do you make sure that the standards you specify are consistent with the way that most ISVs are coding their applications?"
George: The LSB is conducting a survey to gather information about how software products are being built. This may give the LSB an opportunity to see if we are on track for ISV adoption. We think it is very important to get the broadest possible ISV participation, and we encourage any ISVs who develop Linux applications and care about binary compatibility to participate. It's a very quick survey to complete, and the results will be tabulated at the end of May.
MySQL's open challenge (InfoWorld)
InfoWorld interviews Marten Mickos, CEO of MySQL. "Jon Udell, the InfoWorld Test Center's lead analyst, spoke with Mickos about dual licensing, modular architecture, and the perception vs. the reality of MySQL."
Grady Booch polishes his crystal ball (IBM developerWorks)
IBM's developerWorks has an interview with Rational Software's Chief Scientist, Grady Booch. "Grady Booch spends his time pondering how to improve software development. As such, he thinks about how current trends -- UML, aspect-oriented programming, Web services, and so on -- will evolve into tomorrow's development environments. Most importantly, Grady believes that we solve the complexity problem by continually raising the level of abstraction."
Interview with Jeff Nguyen from ASL (LinuxQuestions)
LinuxQuestions.org interviews Jeff Nguyen, CEO of ASL. "Jeff: I got involved with Linux due to my working background as Unix software engineer for Fintronic USA during the early 90. Because Unix platforms were expensive due to their proprietary model, there was a need for an alternative solution."
Daddy, Are We There Yet? A Discussion with Alan Kay (O'Reilly)
O'Reilly has an interview with Smalltalk creator Alan Kay. ""Twenty years ago at PARC," Kay says, "I thought we would be way beyond where we are now. I was dissatisfied with what we did there. The irony is that today it looks pretty good. The result of our work is techniques for doing software in an interesting and more powerful way. That was back in the seventies. People today aren't doing a lot of work to move programming to its next phase.""
Resources
Rolling Your Own Firewall (Linux Journal)
The Linux Journal sets up a firewall on an old system. "I had been looking at Pebble, a Debian-based mid-sized distribution, for a while, and it looked perfect for the job. Pebble is designed to run on a 128MB Compact Flash chip, but it works easily with other devices, including CD-ROM. It mounts root read-only and keeps the log files and other writables on a 10MB RAM disk; you can pull the plug on the box and lose only the logs."
Cheap IP Takeover (O'ReillyNet)
In this O'ReillyNet article, Rob Flickenger offers a scheme for monitoring the health of a server that lets another server take it over if it fails. "One way is to use the send_arp utility from the High Availability Linux project. This very handy (and tiny) utility will craft an ARP packet to your specifications, and send it to a MAC address of your choice on the local network. If we specify all ones (for example, ff:ff:ff:ff:ff:ff) for the destination, then it effectively becomes a broadcast ARP packet."
Who's your favorite Linux hardware vendor? (NewsForge)
NewsForge looks for your favorite Linux hardware vendor. "I strongly prefer dealing with a local company that can say, "Bring it in, let's see what's wrong, and get it working for you right away." Once you get used to this level of service, no national or multinational company can successfully compete for your business, even if their price is slightly lower than you might pay a local vendor -- which it usually isn't anyway for units of similar quality, assuming your local vendor is half-decent in the first place."
Linux Gazette issue #89, April 2003
The Linux Gazette issue #89 for April 2003 is out. This month features articles on The Linux Scheduler, by Vinayak Hegde; Ecol, by Javier Malonda; Laurel and Hardy Try to Write a C Program, by Stephen Bint; and much more.
What's So Free About This DVD? (Wired)
The documentary film "REVOLUTION OS" is finally out on DVD. Wired covers the release. LWN received a note from J.T.S. Moore, the director of "REVOLUTION OS", who assures us that "the REVOLUTION OS DVD has been released CSS-Free to call attention to the problems of DRM and the DMCA." For those who may have forgotten about this film, it is a feature length documentary about the origins of GNU, Linux, and the Open Source movement, starring Linus Torvalds, Richard Stallman, and many others.
Anyone can be a Google hacker (Boston Globe)
Here is a Boston Globe column on hacking Google. "Calishain was inspired by the realization that it's possible to write code that modifies the operation of the ultra-powerful Google search engine. Google doesn't mind; as a matter of fact, the company's come up with a way to help people who want to do it. It's published an "application programming interface," or API, a bit of code that allows other programs to hook directly into Google's computers and perform special tricks. But even without using the API, people have found ways to add extra horsepower to their Google searches."
Reviews
The Web Framework Shootout
Ian Bicking has put together a comparison of a number of web frameworks. "In the beginning for the Python web programmer there were two choices: Zope and the cgi module. On one hand you had a featureful but complex application environment, on the other a simple but featureless and low-level module. For a significant number of web applications Zope's features weren't helpful and the complexity daunting, but the alternative was discouragingly primitive.
In response to this a variety of web application frameworks have been developed in the last few years, often by developers who created a framework in the process of their own application development. I try in this paper to show the flavor of these alternatives, and to inform the developer that's trying to decide on a framework for their application."
FOSS Billing Project Announced (LinuxMedNews)
LinuxMedNews looks at a Free and Open Source medical billing project for FreeMED. "This XML-RPC interface will be FreeMED neutral, which means other GPL FOSS systems will be able to make use of it. So far at least TORCH and OSCAR have expressed hopes that the system will be designed and implemented well enough that they might be able to integrate it. Hopefully this project will eventually play a similar role as OpenSSH does in the Operating System community. Helping lots of different projects, by addressing a common need."
Miscellaneous
Seti@home flaw could let alien invaders in (News.com)
News.com covers a security flaw in Seti@home. "Wever and SETI@home both recommend that users download the latest software from the project's Web site. In addition, SETI@home software users can download a patch from its Web site. The command-line versions of the software for Windows, Linux and Solaris will be available later on Monday, said SETI@home's Anderson. Information about the security flaw has been sent to open-source projects that have created other versions of the software as well."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
OSAF Status Update Number 3
Status Update #3 is available from the Open Source Application Foundation (OSAF).
Commercial announcements
Linux application in Public Safety
A company called Eventide is introducing the VR778, its fourth generation digital logger. They claim this is the first Linux-based digital voice logging and archiving system on the market, built for mission-critical applications with fault tolerant features.
Publisher's Books so Good They Get Hacked
No Starch Press reports that two of its titles, "Absolute BSD" and "Crackproof Your Software" were illegally circulated by a cracker. "Bill Pollock, President of No Starch Press, had this to say: "Clearly, this act violates copyright and is patently illegal. It's also very difficult to prosecute, especially since there is no smoking gun. While some might say that we should pursue both the online reference site and the maker of the tools likely used for the conversion, I disagree. The legal issue is with the copyright violator, not with the maker of the file conversion software.""
Red Hat gets into the content management business
Red Hat has sent out a press release announcing its new "Enterprise Applications" series of products, starting with content management system and portal server offerings. The PR is light on detail (the web pages linked above have a bit more). The CMS system does the usual workflow and content management jobs; the Portal server adds upper-level serving features, along with discussions, calendars, etc. It's all said to be open source, but there's very little information on which free packages it was built on (there is mention of PostgreSQL, Tomcat, and Jakarta).
SSH demonstrates QuickSec Toolkit integration with MontaVista Linux
SSH Communications Security announced that it has demonstrated the SSH QuickSec Toolkit with MontaVista Linux. The SSH QuickSec Toolkit Family is specifically designed to let network device developers and OEMs implement IPSec (Internet Protocol Security) functionality.
Sybase Developer Network Introduces Code Sharing Forum
Sybase, Inc. has announced the availability of the CodeXchange online forum, available via the Sybase Developer Network (SDN). CodeXchange will foster Sybase developer community interaction with free tools allowing members to share code samples, collaborate on open source projects and exchange ideas via newsgroups.
WireSpring Announces Public Beta for Version 2.5 of FireCast Linux Kiosk Software
WireSpring has announced the beginning of a public beta test period for version 2.5 of FireCast, the Linux-based kiosk software suite.
Ximian Releases Red Carpet Enterprise Version 1.4 for Centralized Linux Software Management
Ximian, Inc. has announced the availability of version 1.4 of Red Carpet Enterprise, its solution providing enterprises with centralized software management of Linux-based workstations and servers.
Resources
Resolution for University Support of Open Software and Standards
This Resolution for University Support of Open Software and Standards has been approved by the Faculty Senate, at the University at Buffalo, State University of New York. "16 RESOLVED that the Faculty of the University at Buffalo call on the University to implement a policy of promoting open document formats and communication protocols wherever possible and, in the case of broadcast announcements and other documents intended for a general audience, discouraging the use of secret and proprietary formats (such as Microsoft Word format) in favor of open formats (such as plain text or HTML) that are universally accessible." (Thanks to Peter Bakker)
New Version of SAP DB 7.4 Documentation
A new version of the SapDB database documentation has been announced. "As of April 2003, the complete SAP DB documentation has been processed and several new documents were published. The documentation page has been completely reworked."
Linux.conf.au 2003 proceedings ISO now available
The Linux.conf.au 2003 organizers have announced the availability of the CD-ROM image of the conference proceedings. This marks the end of the line for the Linux.conf.au 2003 organizers - there'll be more coming from the 2004 crew when they get up and running.
Upcoming Events
Perl Booth by Israel.pm at GO-Linux (use Perl)
Use Perl has an announcement for the GO-Linux commercial Linux conference, to be held in Tel Aviv, Israel on April 10, 2003.
Real World Linux
The Real World Linux Conference & Expo will be held in Toronto, Canada from April 28-30, 2003.
Penguicon 2003
An event known as Penguicon will be held in Warren, Michigan on May 2-4, 2003. "Penguicon is a combination Science Fiction Convention and Linux Expo, doing the whole "you got peanut butter in my chocolate" thing. The overlap between the two worlds has been crying out for a combination event for years (the tux in a red starfleet shirt graphic predates us by a lot), so now there is one."
YAPC::NA Schedule
The tentative schedule for the YAPC::NA::2003 Perl conference has been posted. The conference will be held in Boca Raton, Florida on June 16-18, 2003.
LinuxWorld Conference & Expo Announces Advisory Board For UK Launch Event
IDG World Expo has announced the support of several Linux 'gurus' who are helping to shape the inaugural LinuxWorld Conference & Expo in the UK, scheduled for September 3 - 4, 2003. Joining the Advisory Board are: Jon 'maddog' Hall, Linux International; Scott McNeil, Free Standards Group; Martin Hingley, IDC; Malcolm Herbert, Red Hat; Richard Moore, IBM; Arthur F. Tyde III, TYDE.NET; and Jasmin Ul-Haque, SuSE.
ClusterWorld Conference and Expo
The ClusterWorld Conference & Expo will be held in San Jose, California on June 23-26, 2003.
Events: April 10 - June 5, 2003
Date | Event | Location |
---|---|---|
April 10 - 12, 2003 | MySQL Users Conference & Expo 2003 | (Doubletree Hotel) San Jose, California |
April 13 - 17, 2003 | RSA Conference 2003 | (Moscone Center) San Francisco, CA |
April 14 - 15, 2003 | Samba eXPerience 2003 | (Hotel Freizeit) Göttingen, Germany |
April 22 - 26, 2003 | Embedded Systems Conference (ESC) | (Moscone Convention Center) San Francisco, CA |
April 22 - 25, 2003 | The O'Reilly Emerging Technology Conference | (Westin, Santa Clara) Santa Clara, CA |
April 23 - 25, 2003 | PHPCon East 2003 | (Park Central Hotel) New York, NY |
April 28 - 30, 2003 | Real World Linux 2003 | (Metro Toronto Convention Centre) Toronto, Canada |
May 2 - 4, 2003 | Penguicon | Warren, Michigan |
May 3, 2003 | International Conference on Software Engineering 2003 | Portland, Oregon |
May 8 - 9, 2003 | International PHP Conference, 2003 | Amsterdam, the Netherlands |
May 11 - 14, 2003 | The International Symposium on High Performance Computing Systems and Applications (HPCS 2003) | (Sherbrooke Delta Hotel) Quebec, Canada |
May 11, 2003 | Yet Another Perl Conference, Israel (YAPC::Israel::2003) | (C.R.I.) Haifa, Israel |
May 15 - 16, 2003 | YAPC::Canada | (Carleton University) Ottawa, Canada |
May 25 - 27, 2003 | GCC Developer's Summit | Ottawa, Canada |
May 28 - 30, 2003 | Open Source Content Management, 2003 (OSCOM) | (Harvard Law School) Cambridge, Mass |
Software announcements
This week's software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
- Sorted alphabetically,
- Sorted by license.
Page editor: Forrest Cook
Letters to the editor
Why I won't be downloading RedHat 9
From: John Morris <jmorris@beau.lib.la.us>
To: letters@lwn.net
Subject: Why I won't be downloading RedHat 9
Date: Wed, 9 Apr 2003 00:10:51 -0500 (CDT)
I have been running RedHat since 4.0 and used every version since then both
on my own machines and administered the stable versions at work. I say
this only to make it clear that I am not one of the usual suspects who slag
RedHat. Every few months RedHat announces some new policy or product that
causes a chorus of cries that they are 'trying to become the next
Microsoft' or similar hysterics. Those of us with a clue ignored them
because, in the end, it all comes down to the code and RedHat exposed
everything, not only in compliance with the GPL, but above and beyond what
is required by the licenses.
My problem is directly related to the code, or the lack thereof. RedHat
has broken the deal between developers, power users, end users and the
vendor (RedHat). The old deal was people like myself (whom they now refer
to as "Open Source Enthusiasts") grabbed the X.0 version and threw it on a
machine at home to see what is good, bad or ugly about it, and to provide
feedback. Developers made sure their stuff worked. Eventually, it became
stable (usually around X.2) and was used in production environments for end
users. Then X+1.0 showed up and the whole cycle would repeat.
The deal was that the knowledgeable users provided wide testing on diverse
hardware and bug reports/patches and in return got to use the final product
in production environments with at most the purchase of a box set and/or a
subscription to RHN. Sites without a local wizard, who needed hand holding
or needed a higher level of support or longer life cycles would pay cash
for whatever level of support they needed.
But no more. RedHat has made it clear that in the future they intend to
release a neverending stream of X.0 releases under a Free Software License,
reserving stable versions for their "Enterprise" offerings, sealed up
behind dreaded EULAs, per seat/processor licenses and spot license audits.
Since folks like myself only used the X.0 releases to get a heads up on
what was coming and to help ensure that the stable releases would fix the
bugs that we cared about, of what possible interest could RedHat 9 be to me
if there is never going to be a stable version? This is why this RedHat
Network subscriber is not and does not plan to be in the hordes downloading
RedHat 9. Instead I'm downloading and installing other distros into a
VMWare session, looking for something to migrate systems to when 7.3
becomes unsupported on Dec 31.
Since it is now obvious that RedHat wants people like me to go away they
shouldn't be offended by any of the above. Their Enterprise offerings are
aimed, as the name implies, at the Enterprise customer who wants Service
Level Agreements and doesn't mind paying through the nose to get one. On
the small server and desktop RHEL is a non-starter.
As the admin for a public library system with 50+ desktops and a handful of
servers on a five year replacement cycle, I did the math and RedHat
Enterprise would cost almost twice our hardware budget. RHEL Workstation
runs US$179/yr * 5 years = US$895 and basic desktop hardware can be had for
around US$500. RHEL Server starts at US$349/yr * 5 = US$1,745 which is
about what the hardware for a decent departmental server runs.
Their Basic product appeals to the hobbyist users at the lowest end of the
market (the lone "Open Source Enthusiast") and Enterprise appeals to the
very highest end of the market. The middle segments are missing from the
current product mix. It appears they have written off the end user desktop,
the education market and anyone else who is on a budget.... and in this
down economy that really means just about everyone.
Page editor: Jonathan Corbet