[This article was contributed by Joe 'Zonker' Brockmeier]
If you follow the news at all, you've probably already heard about the
OpenBSD project losing the funding from the U.S. Defense Advanced
Research Projects Agency (DARPA). What's less than clear is why the
funding has been pulled. In fact, it's quite a task to figure out who's
actually responsible for pulling the plug, much less the reason. DARPA
is, essentially, just an intermediate agency for the funding, which is
passed on to the University of Pennsylvania. The funds themselves come
from the Air Force Research Laboratory.
Most speculation has gone to comments made by OpenBSD project leader
Theo de Raadt. The comments in question come from an interview in The
Globe and Mail, where de Raadt is quoted as saying he's "uncomfortable"
about the source of the grant. De Raadt also told the Globe and Mail that,
"I try to convince myself that our grant means a half of a cruise missile
doesn't get built," which might not sit well with U.S. military types. A
few days after the comment appeared in the Globe and Mail, de Raadt was
contacted by University of Pennsylvania professor Jonathan Smith. According
to de Raadt, Smith objected to the comment, but wouldn't give a specific
reason why. The funding was pulled on Thursday of last week.
If that is the reason for the cancellation, it's not the official story
from DARPA, insofar as DARPA has given or will give an official story. A
statement forwarded to LWN by de Raadt, attributed to DARPA spokesperson
Jan Walker, claims that the funding is under review.
As a result of the DARPA review of the project, and due to world events
and the evolving threat posed by increasingly capable nation-states, the
Government [sic] on April 21 advised the University to suspend work on
the "security fest" portion of the project.
Walker did not respond to e-mails or phone calls requesting confirmation
of this statement or requests to elaborate on or clarify the statement.
The most immediate consequence is that the OpenBSD project has had the
rug pulled out from under them with regard to the upcoming hackathon in
Canada. 60 OpenBSD developers are scheduled to travel to Canada for the
event, almost all of whom have already purchased tickets based on a
go-ahead given in January. The hotel was contacted and told to cancel
the reservation, despite the fact that an 80% cancellation fee is
in effect. According to de Raadt, this amounts to about $24,000
Canadian. De Raadt also reports that the hotel was instructed not to
allow anyone to pay the remaining balance to keep the reservation.
However, de Raadt said that the hotel has agreed to cut the OpenBSD
project a deal for the hackathon, even if they cannot apply the
cancellation fee to the bill.
Fernando Pereira, chairman of the Department of Computer and Information
Science at the University of Pennsylvania sent this statement to the
OpenBSD "misc" mailing list to explain why the cancellation fee cannot
be used towards the hotel costs:
When the contracting agency requested that work be stopped
on the security fests component of POSSE, the only expenses that they
would still allow are documented losses to the conference hotel due to
cancellation. Any other use of funds, including use of the cancellation
costs in partial support of conference accommodation, would not be an
allowable contract expense. Contrary to a widespread misconception, the
University of Pennsylvania could not have "allowed" that use of US
Government funds. The funds belong to the US Government, not to the
University.
Apparently, quite a few people in the OpenBSD community have already
sent letters of protest to the University of Pennsylvania, newspapers
and other sources. If you'd like to write a letter to complain or
comment on the decision to official sources, de Raadt notes that it's
helpful to have the contract number. The contract was granted by the Air
Force Research Lab, Material Command, and is DARPA contract number
F30602-01-2-0537.
With the exception of the hackathon, the loss of funding may not be as
dramatic as it sounds. On Monday, de Raadt said that the OpenBSD project
had already received about $7,000 in donations, and more was "in the
mail." The OpenBSD project has been around for eight years, and has done
just fine without the DARPA funding. In addition, the funding was set to
run out within four months anyway and de Raadt noted that he works
through a Canadian contracting company that should ensure that he
receives the rest of his pay for the next four months. The major losers
appear to be the University of Pennsylvania grad students who were also
receiving money from the grant, as well as the 60 OpenBSD developers who
are wondering whether there will be a place for them to stay when they
arrive at the hackathon.
Comments (16 posted)
Readers of the discussion on LWN.net may have seen comments posted by
Kristopher Magnusson, who happens to be the chair of Novell's "Open Source
Review Board" and the person responsible for managing the company's
relations with the free software community. We had the opportunity to ask
Mr. Magnusson a few questions about Novell's plans with regard to Linux;
his answers appear below. But first, a couple of other Novell-related
items:
- Novell has become a gold sponsor of the Linux Professional Institute, and is recommending LPI certification as part of its own certification program.
- Jack Messman, Novell's CEO, has sent us a clarification of Novell's view of Linux and the free software community, and an apology for some remarks in an interview that did not come out quite right. "Novell wouldn't be spending the tremendous time, money and resources to make this strategy a reality if we didn't believe in the present and future of Linux. After building and enhancing NetWare for 20 years, this is new territory for us. We simply ask for your patience along the way."
And now, on to the interview.
LWN:
In the ComputerWorld interview, CEO Jack Messman said "Linux is an immature
operating system right now. It hasn't had somebody like Novell worrying
about making it robust, reliable and scalable for very much time. We think
we can bring that to the Linux kernel." He has since noted that he could
have expressed himself better, and his apologies have been accepted. But
the point remains that Novell sees room for improvement in the Linux
kernel. The kernel developers agree, of course; otherwise they would be
working on something else. Could you explain what improvements Novell would
like to see in the Linux kernel?
First, I want to reiterate that Novell believes the Linux kernel is
quite mature, robust, reliable and scalable as it is today, or else we
wouldn't have decided to use it in NetWare 7. That said, at this point,
Novell currently has no definitive plans to improve the kernel, though
as Jack indicated we will indirectly enhance it by the services that
run on top. We intend to let the Linux developer community go through
its normal development process and use whatever kernel they develop
as-is.
Job number one for Novell engineering is to port the services that run
on the operating system. Whether customers are running NetWare 7 on the
Linux kernel or the NetWare kernel, we want to make sure they have
access to the very best services for file, print, storage, directories,
messaging, collaboration, resource management, Web development and many
others.
LWN:
Which of those (if any) does Novell plan to work on (and contribute back) itself?
As I stated, we like the Linux kernel as-is, and have no plans at this
point to develop our own improvements. Novell's focus today is
delivering a number of services above the kernel.
LWN:
A quick search through the linux-kernel mailing list did not turn up any Novell engineers participating in the discussion - at least, none that identified themselves as such. Does Novell have engineers working on the Linux kernel, and do they plan to participate in the development community?
We do have a team of Linux engineers who have joined the Linux-kernel
mailing list and they are reading the Linux-kernel mailing list posts.
My understanding is that they are getting a feel for how the discussions
take place before they actually participate with questions and so
forth--they want to understand the lay of the land before they jump in
head-first.
LWN:
The recent announcements mention Novell's contributions to various open source projects, including Apache and OpenLDAP. Can you give a quick summary of what some of the more important contributions have been?
Novell has been quietly engaging the open source community for a number
of years. For example, our OpenLDAP work has been quietly humming along
for four years. And it's not well known that we've thrown our weight
solidly behind the "AMP (Apache/MySQL/PHP)" platform that's been so
popular on Linux. Because of our AMP work, developers can take AMP code
and move it to NetWare 6.5 pretty much unmodified.
Our Apache work is one of our more important contributions. We have a
strong relationship with the Apache Software Foundation. In the case of
Apache, Novell's lead engineer in charge of porting Apache to NetWare is
a member of the Apache Software Foundation, which gives him code
check-in privileges as well as some degree of control over the general
technical direction of Apache development. Further, Novell has been very
conscientious about contributing our improvements to the Apache codebase
back to the Apache Foundation.
Novell recently formed a relationship with MySQL AB. We licensed a
commercial version of MySQL to ship their database on every NetWare 6.5
CD, and this has been a big hit with our biggest customers. We practice
a kind of open source process between our two companies--Novell
engineers porting MySQL code make improvements that we contribute back
to MySQL AB. These improvements find their way into the GPL version of
the database, which benefits everyone who uses the open source version
of MySQL.
Novell also has a relationship with the PHP group that's part of the
Apache Software Foundation. We ported PHP to NetWare as part of our AMP
strategy, and we made a number of improvements to the PHP code that we
contributed to that organization.
Beyond AMP, our relationship with OpenLDAP dates back to 1999, when
Novell was looking for open source C-based libraries for programmatic
access to LDAP directories. We found OpenLDAP's implementation, which
needed some work. We decided to pitch in and help; so we completed the
work for them and contributed our improvements back to OpenLDAP. Next,
we needed a set of Java libraries. OpenLDAP didn't have any, so we wrote
our own and contributed them to OpenLDAP outright under their BSD-based
license. After four years, we still check in Java library code to
OpenLDAP on a weekly basis. Most recently, a few months ago, we
contributed to OpenLDAP a DSMLv2 server written in Java.
So we've been consuming open source software for some time, and have
been contributing our improvements back to each community. It's been a
satisfying process over the years to see our improvements included in
new versions of each piece of software.
LWN:
Novell has released its UDDI code with a fair amount of fanfare. Can we look forward to other releases of Novell technology in the near future?
Yes, we will definitely release more technology in the future. In fact,
we have another open source announcement planned for later in the spring
that, like the UDDI server, is related to standards activities. We are
also evaluating which proprietary Novell technologies could be good
candidates for open source release, although we haven't finalized those
decisions yet.
LWN:
If I understand correctly, Netware 7.0 will be able to run on top of the Linux kernel. The thinking seems to be that giving customers the option to move to Linux will make them more inclined to stay with Netware. Is that an accurate summation of Novell's strategy? How will Novell respond if it turns out that most customers would rather run on the Linux kernel?
I think it's only one element of our strategy that the option to move
to Linux will make our customers more inclined to stay with NetWare.
Both versions will be bona fide NetWare 7--whether customers purchase
the version that runs on the Linux kernel or the NetWare kernel, they're
both revenue-generating products for Novell. If it turns out that most
customers would rather run on the Linux kernel, then it would only
validate our decision to move NetWare services to Linux. This is the
same approach that we've taken with other products, like eDirectory,
NetMail, and iFolder.
LWN:
Taking it one step further...if Netware 7 runs well on the Linux kernel, what reason would Novell have to continue developing and maintaining its own kernel? What advantage does a proprietary kernel give to Novell when it can run Linux and benefit from the reliability and scalability work being done by IBM, SGI, HP, Red Hat, SuSE, and others?
Novell still has a huge installed base of NetWare customers who depend
on a clear upgrade path to the next version of NetWare running on the
NetWare kernel. That's why we have a dual-kernel strategy--to ensure
that we don't lose customers who want to upgrade to the non-Linux
version of NetWare 7. Besides, Linux and the NetWare kernel are both
excellent pieces of engineering that have benefitted from years of
enhancements and improvements. Many traditional NetWare customers will
want the value of the NetWare kernel.
LWN:
For customers wanting to run Netware over Linux, will Novell ship a specific distribution, or will customers be expected to obtain a supported distribution from elsewhere?
The answer to this question is in a state of flux. We're not sure yet
exactly how this is going to work yet--please bear with us while we sort
this out.
LWN:
Why is Novell releasing Netware on top of Linux, rather than (or, at least, prior to) Windows?
We're going with Linux because our customers are telling us that they
are moving off of Windows and onto Linux. It's as simple as that. Linux
has the momentum and the mindshare and we want to lend our considerable
energy to Linux.
Comments (5 posted)
AMD has, at last, released its long-awaited "Opteron" (or "Hammer") processor. LWN does not normally
devote much space to following developments in the microprocessor field,
but Opteron is worth a mention. There is a good chance that this is the
architecture many of us will be running in the future.
Opteron has the potential to deliver the best from both the 32-bit and
64-bit computing worlds. It will run 32-bit x86 code natively, and with
good performance. That is a nice feature for people with binary
applications, of course, though it is less useful in the free software
world. If you have source (and an operating system which has been 64-bit
capable for years), support for a new processor is often just a matter of
running "make." There is another important aspect to 32-bit support,
however: for most applications, 32-bits is the optimal size. Moving to a
64-bit mode involves a sizeable expansion of a program's code and data,
with bad effects on cache utilization, virtual memory use, and memory bus
bandwidth. Building "cat" as a 64-bit application can only serve to make
it bigger and slower. So a processor with native 32-bit support is a good
thing.
There are situations, however, where only 64 bits will do. In particular,
applications which need to address vast amounts of memory (e.g., big
scientific crankers, large databases, emacs) will benefit from 64-bit
pointers. So good 64-bit support matters too.
Of course, the thing that really matters for Linux users is Linux
support. AMD has worked with the free software community for years to
ensure that its processor would be supported. The end result is that you
can buy an Opteron server running a stable Linux port (choosing from
multiple distributors) today. Windows support, instead, will show up in
beta form only later this year, and Apple's support remains a rumor. In
some areas, hardware support in Linux still lags behind other systems; with
the Opteron, however, Linux got there first. If Opteron lives up to its
PR, it could be a platform which brings Linux into many more machine rooms
in the next few years.
Comments (16 posted)
Page editor: Jonathan Corbet
Security
Brief items
People who deal with systems security spend a lot of time worrying about
buffer overflows, format string vulnerabilities, file creation races, and
so on. These problems can all lead to the compromise of an important
system, with the usual array of unpleasant consequences. So conscientious
administrators pay attention to new vulnerabilities, apply their patches,
and so on.
This Register
article, however, serves as a good reminder that there are other
aspects to the security problem:
Nine in ten (90 per cent) of office workers at London's Waterloo
Station gave away their computer password for a cheap pen, compared
with 65 per cent last year.
What a pain; all that patching and careful administration, then the users
hand their passwords over to a stranger when asked. Unfortunately, patches
for loose-lipped users are hard to come by. The security advantages of
free software also fail to offer much help in the way of blabbermouth
mitigation.
Lack of security consciousness is a real problem. Careless users may not
increase your exposure to the next Internet worm, but an attacker who has
set his sights on a specific target may well want to have a little
discussion with your users. Pens are cheap, after all.
Comments (6 posted)
New vulnerabilities
gkrellm-newsticker - multiple vulnerabilities
| Package(s): | gkrellm-newsticker |
| CVE #(s): | CAN-2003-0205, CAN-2003-0206 |
| Created: | April 23, 2003 |
| Updated: | April 23, 2003 |
| Description: |
gkrellm-newsticker has two vulnerabilities: a denial of service problem and a failure to filter shell metacharacters, which can allow an attacker to run arbitrary commands by way of a hostile (or compromised) news feed. |
| Alerts: | |
Comments (none posted)
mime-support: insecure temporary file creation
| Package(s): | mime-support |
| CVE #(s): | |
| Created: | April 22, 2003 |
| Updated: | April 30, 2003 |
| Description: |
Colin Phipps discovered several problems in mime-support, which contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is to be used it is created insecurely, allowing an attacker to overwrite arbitrary files under the user id of the person executing run-mailcap, most probably root. Additionally, the program did not properly escape shell metacharacters when executing a command. This is unlikely to be exploitable, though. |
| Alerts: | |
Comments (none posted)
rinetd: incorrect memory resizing
| Package(s): | rinetd |
| CVE #(s): | CAN-2003-0212 |
| Created: | April 17, 2003 |
| Updated: | April 23, 2003 |
| Description: |
Sam Hocevar discovered a security problem in rinetd, an IP connection redirection server. When the connection list is full, rinetd resizes the list in order to store the new incoming connection. However, this is done improperly, resulting in a denial of service and potentially execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
snort - multiple vulnerabilities
| Package(s): | snort |
| CVE #(s): | CAN-2003-0029, CAN-2003-0033 |
| Created: | April 23, 2003 |
| Updated: | May 7, 2003 |
| Description: |
Versions of the snort intrusion detection system through 2.0-rc1 contain buffer and heap overflow vulnerabilities which could lead to remote code execution. Sites running snort are advised to upgrade to 2.0.0 as soon as possible; see this CERT advisory for more information. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
apache 2.x: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2003-0132 |
| Created: | April 9, 2003 |
| Updated: | May 1, 2003 |
| Description: |
Apache 2.0.x releases up to and including 2.0.44 have a denial of service vulnerability; Apache 2.0.45 fixes the problem. |
| Alerts: | |
Comments (1 posted)
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). |
| Alerts: | |
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind, glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries |
| Alerts: | |
Comments (1 posted)
BitchX - denial of service
| Package(s): | BitchX |
| CVE #(s): | |
| Created: | February 20, 2003 |
| Updated: | May 26, 2003 |
| Description: |
From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003; as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx |
| Alerts: | |
Comments (none posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin', which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt |
| Alerts: | |
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: | |
Comments (none posted)
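The gkrellm-newsticker, mime-support and dvips entries above share one root cause: data an attacker controls (a feed title, a mailcap command line, a font name from a print job) is spliced into a command string and handed to system(), so any shell metacharacters in that data become shell syntax. The following is an added illustration in C, not code from any of those packages: it shows the string-building form that system() would run through /bin/sh, and the fork/execvp form that passes the same hostile string to the helper as a single argv element. The feed title, the helper name "xmessage" and the use of /bin/echo as a stand-in helper are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed hostile feed title: a plausible headline followed by a shell
 * command separator and a second command. A real feed could carry anything. */
static const char *HOSTILE_TITLE = "Kernel 2.4.21 released; echo INJECTED >&2";

/* Characters /bin/sh treats as syntax rather than data. Any of these in
 * attacker-controlled input makes a system()/popen() call exploitable. */
static const char SHELL_META[] = ";|&$`\\\"'<>(){}[]*?~ \t\n";

int has_shell_metachars(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* VULNERABLE pattern: build "helper title" by concatenation and run it via
 * the shell. Returns 0 and leaves the command text in `out` so the caller can
 * see what /bin/sh -c would parse; the system() call itself is left commented
 * out because executing it would run the injected command. */
int build_shell_command(char *out, size_t outsz, const char *helper, const char *title)
{
    int n = snprintf(out, outsz, "%s %s", helper, title);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    /* system(out);   -> /bin/sh -c "xmessage Kernel 2.4.21 released; echo INJECTED >&2" */
    return 0;
}

/* SAFE pattern: no shell involved. The helper receives the title as one argv
 * element, so ';' and friends are just bytes inside argv[1]. Returns the
 * child's exit status (127 if the helper could not be executed), or -1. */
int run_without_shell(const char *helper, const char *title)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)title, NULL };
        execvp(helper, argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_shell_command(cmd, sizeof cmd, "xmessage", HOSTILE_TITLE);
    printf("shell would run: %s\n", cmd);
    printf("metacharacters present: %s\n", has_shell_metachars(HOSTILE_TITLE) ? "yes" : "no");
    /* /bin/echo stands in for the real helper: it prints the hostile title
     * verbatim, and the "injected" command never runs. */
    int rc = run_without_shell("/bin/echo", HOSTILE_TITLE);
    printf("execvp exit status: %d\n", rc);
    return 0;
}
```

The metacharacter check is useful as a tripwire when a shell genuinely cannot be avoided, but the fix that actually closes the class is the second function: once the helper is started with execvp() and an argv array, there is nothing left for the attacker's bytes to be interpreted by.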
EOG: vulnerability in Eye of GNOME
| Package(s): | EOG |
| CVE #(s): | CAN-2003-0165 |
| Created: | April 3, 2003 |
| Updated: | April 16, 2003 |
| Description: |
A vulnerability was found in EOG version 2.2.0 and earlier. A carefully crafted filename passed to the program could lead to the execution of arbitrary code. An attacker could exploit this because various packages (Mutt, for example) make use of EOG for image viewing. |
| Alerts: | |
Comments (none posted)
epic: buffer overflows
| Package(s): | epic |
| CVE #(s): | |
| Created: | April 15, 2003 |
| Updated: | April 16, 2003 |
| Description: |
Timo Sirainen discovered several problems in EPIC, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user. |
| Alerts: | |
Comments (none posted)
ethereal - format string vulnerability
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0081 |
| Created: | March 10, 2003 |
| Updated: | June 12, 2003 |
| Description: |
The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. |
| Alerts: | |
Comments (none posted)
evolution: multiple vulnerabilities
| Package(s): | Evolution |
| CVE #(s): | CAN-2003-0128, CAN-2003-0129, CAN-2003-0130 |
| Created: | March 21, 2003 |
| Updated: | May 14, 2003 |
| Description: |
Multiple vulnerabilities have been found in Ximian's Evolution Mail User Agent, according to this CoreLabs advisory. "Three vulnerabilities were found that could lead to various forms of exploitation ranging from denying to users the ability to read email, provoke system instability, bypassing security context checks for email content and possibly execution of arbitrary commands on vulnerable systems."
Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application. |
| Alerts: | |
Comments (1 posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
Comments (3 posted)
file - memory allocation problem, stack overflow
| Package(s): | file |
| CVE #(s): | CAN-2003-0102 |
| Created: | March 4, 2003 |
| Updated: | June 4, 2003 |
| Description: |
Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. |
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils, ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: |
A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 30, 2003 |
| Description: |
Felix von Leitner discovered a bug in code derived from the SunRPC library which is used in glibc. It was first reported as a potential division by zero; CERT/CC describes it as an integer overflow in the xdr_array() function when deserializing an XDR stream (Vulnerability Note VU#192995). The bug could be exploited to gain unauthorized root access to software linking to glibc. Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability can lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. |
| Alerts: | |
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). |
| Alerts: | |
Comments (none posted)
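The point of the entry above is that the bound the parser checks against is the wrong one: the capacity of the fixed answer buffer rather than the number of bytes the reply actually contained. The following added example in C (not glibc or BIND resolver code) walks a deliberately simplified answer, a sequence of records each made of a two-byte big-endian RDATA length followed by that many bytes, with a record count standing in for ANCOUNT. The only difference between the two callers is the limit they pass; the reply bytes and the 512-byte buffer size are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANSWER_BUF 512   /* classic fixed-size resolver answer buffer */

/* Walk `ancount` records, each a 2-byte length followed by that many bytes.
 * Returns the offset just past the last record, or -1 if any record would
 * extend beyond `limit`. The length test is written as rdlen > limit - off
 * rather than off + rdlen > limit so that the check itself cannot wrap. */
int walk_records(const uint8_t *buf, size_t limit, unsigned ancount)
{
    size_t off = 0;
    for (unsigned i = 0; i < ancount; i++) {
        if (limit - off < 2)
            return -1;
        size_t rdlen = ((size_t)buf[off] << 8) | buf[off + 1];
        off += 2;
        if (rdlen > limit - off)
            return -1;
        off += rdlen;
    }
    return (int)off;
}

/* VULNERABLE caller: bounds against sizeof(buf). A short reply whose last
 * length field points past the received bytes is still "in bounds", so the
 * parser reads whatever stale or uninitialised memory follows the reply. */
int parse_answer_vuln(const uint8_t buf[ANSWER_BUF], size_t anslen, unsigned ancount)
{
    (void)anslen;
    return walk_records(buf, ANSWER_BUF, ancount);
}

/* SAFE caller: bounds against the byte count recvfrom() actually returned. */
int parse_answer_safe(const uint8_t buf[ANSWER_BUF], size_t anslen, unsigned ancount)
{
    if (anslen > ANSWER_BUF)
        return -1;
    return walk_records(buf, anslen, ancount);
}

int main(void)
{
    /* Constructed hostile reply: 20 bytes arrive, but the second record
     * claims 0x0190 = 400 bytes of RDATA. */
    static const uint8_t hostile[] = { 0, 4, 1, 2, 3, 4,
                                       1, 0x90, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9 };
    uint8_t buf[ANSWER_BUF] = { 0 };
    memcpy(buf, hostile, sizeof hostile);

    printf("received %zu bytes\n", sizeof hostile);
    printf("vulnerable parser consumed up to offset %d\n",
           parse_answer_vuln(buf, sizeof hostile, 2));
    printf("safe parser result: %d\n", parse_answer_safe(buf, sizeof hostile, 2));
    return 0;
}
```

The vulnerable caller reports that it consumed 408 bytes of a 20-byte reply; on a real resolver those extra bytes are the previous reply, or garbage, and a crash follows as soon as something in them is dereferenced. The safe caller rejects the reply outright.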
glibc: integer overflow in the xdrmem_getbytes() function
| Package(s): | glibc, krb5, dietlibc |
| CVE #(s): | CAN-2003-0028 |
| Created: | March 21, 2003 |
| Updated: | May 27, 2003 |
| Description: |
An integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, and glibc, allows remote attackers to execute arbitrary code via certain integer values in length fields. See CAN-2003-0028 and CERT advisory CA-2003-10 for more information. |
| Alerts: | |
Comments (3 posted)
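Both XDR entries above (the xdr_array() problem under CAN-2002-0391 and the xdrmem_getbytes() problem under CAN-2003-0028) come down to arithmetic on length fields taken straight from the wire. The following added example in C is not the SunRPC or glibc code; it reproduces the two shapes of the bug in a stand-alone form: a "start + length must fit" bounds check that wraps when the length is close to 2^32, and a "count * element size" allocation that wraps to a tiny malloc. The xdr_mem structure and the limits are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal in-memory XDR stream: a read cursor over `size` received bytes. */
typedef struct {
    const uint8_t *base;
    uint32_t pos;
    uint32_t size;
} xdr_mem;

/* VULNERABLE check, written the natural way: "end of the requested range must
 * lie inside the buffer". pos + len is computed in 32 bits, so a len close to
 * 2^32 wraps the sum back below size and the check passes. Returns 1 if the
 * read would be accepted; a real decoder would then memcpy len bytes. */
int getbytes_check_vuln(const xdr_mem *x, uint32_t len)
{
    return x->pos + len <= x->size;
}

/* SAFE check: compare len against the space actually left. No addition on an
 * attacker-controlled number, so nothing can wrap. */
int getbytes_check_safe(const xdr_mem *x, uint32_t len)
{
    return len <= x->size - x->pos;
}

/* xdr_array-style allocation: the stream says "count elements of elsize bytes
 * each". VULNERABLE: count * elsize is computed in 32 bits and can wrap to a
 * tiny allocation, after which the decode loop writes count elements into it.
 * Returns the size that would be passed to malloc, or 0 if rejected. */
uint32_t array_alloc_size_vuln(uint32_t count, uint32_t elsize, uint32_t maxsize)
{
    uint32_t bytes = count * elsize;
    return bytes <= maxsize ? bytes : 0;
}

/* SAFE: reject before multiplying, by dividing the limit instead. */
uint32_t array_alloc_size_safe(uint32_t count, uint32_t elsize, uint32_t maxsize)
{
    if (elsize == 0 || count > maxsize / elsize)
        return 0;
    return count * elsize;
}

int main(void)
{
    uint8_t buf[64] = { 0 };
    xdr_mem x = { buf, 16, sizeof buf };
    uint32_t len = 0xFFFFFFF8u;            /* 16 + len wraps to 8 */

    printf("pos=%u size=%u len=%u: vulnerable check %s, safe check %s\n",
           (unsigned)x.pos, (unsigned)x.size, (unsigned)len,
           getbytes_check_vuln(&x, len) ? "accepts" : "rejects",
           getbytes_check_safe(&x, len) ? "accepts" : "rejects");
    printf("count=0x40000001 elsize=4: vulnerable malloc size %u, safe result %u\n",
           (unsigned)array_alloc_size_vuln(0x40000001u, 4, 1u << 20),
           (unsigned)array_alloc_size_safe(0x40000001u, 4, 1u << 20));
    return 0;
}
```

The two safe forms are the same idea: subtract or divide the trusted limit rather than add to or multiply the untrusted value, so the comparison is performed on numbers that cannot have wrapped.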
gs-common: insecure temporary file
| Package(s): | gs-common |
| CVE #(s): | |
| Created: | April 14, 2003 |
| Updated: | April 16, 2003 |
| Description: |
Paul Szabo discovered insecure creation of a temporary file in ps2epsi, a script that is distributed as part of gs-common, which contains common files for different Ghostscript releases. ps2epsi uses a temporary file in the process of invoking ghostscript. This file was created in an insecure fashion, which could allow a local attacker to overwrite files owned by a user who invokes ps2epsi. |
| Alerts: | |
Comments (none posted)
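The gs-common entry and the mime-support entry earlier on this page are the same bug in two scripts: a temporary file is opened at a name another local user can predict, so that user plants a symlink there in advance and the script's write lands in whatever the link points at, with the script user's (possibly root's) privileges. The following added example in C, not code from either package, stages that attack inside a private directory and shows why O_CREAT|O_EXCL (which is what mkstemp() uses) closes it. The directory name, file names and contents are constructed for the illustration; it needs a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Read the whole file at `path` into buf (NUL-terminated); -1 on error. */
static ssize_t slurp(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* VULNERABLE: fixed name, O_TRUNC, no O_EXCL. If a symlink already sits at
 * `path`, open() follows it and the data lands in the link's target.
 * Returns 1 if the write succeeded. */
int write_temp_insecure(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return 0;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data);
}

/* SAFE: mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so an existing
 * name (symlink or not) is refused, and the random suffix means the name
 * cannot be guessed in advance. Returns 1 and the path used in path_out. */
int write_temp_secure(const char *dir, const char *data, char *path_out, size_t sz)
{
    snprintf(path_out, sz, "%s/work.XXXXXX", dir);
    int fd = mkstemp(path_out);
    if (fd < 0) return 0;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data);
}

/* Stage the attack in a private directory. Result bits: 1 = the insecure
 * writer clobbered the victim file through the planted link, 2 = O_EXCL
 * refused to open the planted link. 3 is the expected outcome; -1 = setup failed. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/lwn-demo.XXXXXX";
    if (!mkdtemp(dir)) return -1;

    char victim[PATH_MAX], link[PATH_MAX], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);

    /* "victim" stands in for a file the attacker cannot write directly. */
    write_temp_insecure(victim, "original");
    /* The attacker plants the link at the name the script is known to use. */
    if (symlink(victim, link) < 0) return -1;

    int result = 0;
    if (write_temp_insecure(link, "clobbered") &&
        slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, "clobbered") == 0)
        result |= 1;

    int fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    unlink(link); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("insecure open followed the planted symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL refused the planted symlink: %s\n", (r & 2) ? "yes" : "no");
    return 0;
}
```

In shell scripts like the two above the equivalent fix is to take the name from mktemp(1) (or, better, use a directory from mktemp -d) rather than composing one from $$ or a constant.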
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
| CVE #(s): | CAN-2003-0025 |
| Created: | January 15, 2003 |
| Updated: | July 8, 2003 |
| Description: |
The IMP webmail client, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. |
| Alerts: | |
Comments (1 posted)
ircii: buffer overflow vulnerability
| Package(s): | ircii |
| CVE #(s): | |
| Created: | March 20, 2003 |
| Updated: | April 22, 2003 |
| Description: |
Timo Sirainen audited ircII based clients (see this Bugtraq post) and found some buffer overflow vulnerabilities in ircii-20020912. |
| Alerts: | |
Comments (none posted)
kde: arbitrary code execution
| Package(s): | kde |
| CVE #(s): | CAN-2003-0204 |
| Created: | April 10, 2003 |
| Updated: | June 30, 2003 |
| Description: |
The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing, or when the victim browses a directory containing such a malicious file and has file previews enabled.
An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possibly other means. |
| Alerts: | |
Comments (none posted)
kerberos - cryptographic weakness
Package(s): kerberos, heimdal, openafs
CVE #(s): CAN-2003-0138, CAN-2003-0139
Created: March 26, 2003
Updated: May 27, 2003
Description: Version 4 of the Kerberos protocol contains a cryptographic weakness
which enables a chosen-plaintext attack. A suitably equipped attacker can
impersonate any principal in the realm. Another weakness allows the creation
of false Kerberos tickets. Given the weaknesses in the cryptography,
cross-realm authentication cannot be performed in a secure way.
OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore
is also vulnerable.
kernel - ptrace-related vulnerability
Package(s): kernel
CVE #(s): CAN-2003-0127
Created: March 17, 2003
Updated: June 30, 2003
Description: Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root
access. This announcement contains the
details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released
which contains the fix.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly, which causes a buffer overrun
beyond the beginning of the row buffer.
LPRng: insecure temporary file
Package(s): LPRng
CVE #(s): CAN-2003-0136
Created: April 14, 2003
Updated: June 16, 2003
Description: Karol Lewandowski discovered that psbanner, a printer filter that
creates a PostScript format banner and is part of LPRng, insecurely
creates a temporary file for debugging purposes when it is configured
as a filter. The program does not check whether this file already
exists or is linked to another place, and writes its current environment
and called arguments to the file unconditionally with the user id
daemon.
lprold - buffer overflow in lprm
Package(s): lprold lpd
CVE #(s): CAN-2003-0144
Created: March 13, 2003
Updated: May 28, 2003
Description: The lprm command of the printing package lprold contains a buffer
overflow. This buffer overflow can be exploited by a local user, if the
printer system is set up correctly, to gain root privileges.
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description: If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
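The failure mode above is a URL that carries a line break into the request line, so that whatever follows it is parsed as a further header. The C check below is an added example, not lynx's code, of refusing such a URL before it reaches the request writer: it catches both a literal CR or LF and the %0D/%0A percent-encoded form, and passes a malformed "%" sequence through as literal text rather than decoding it. The names url_has_header_injection and hex_pair, and the example.test hosts in the test, are constructed for this example.

```c
#include <ctype.h>
#include <stdlib.h>

/* Decode one %XX escape; returns -1 if the two characters are not hex digits. */
static int hex_pair(const char *s)
{
    if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1]))
        return -1;
    char buf[3] = { s[0], s[1], '\0' };
    return (int)strtol(buf, NULL, 16);
}

/*
 * Return 1 if the URL, after percent-decoding, contains a CR, LF or any
 * other control character, i.e. anything that would terminate the request
 * line and let the caller smuggle in extra headers such as Host:.
 * Return 0 if the URL is clean.
 */
int url_has_header_injection(const char *url)
{
    for (const char *p = url; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int decoded = hex_pair(p + 1);
            if (decoded >= 0) {        /* well-formed %XX: look at the decoded byte */
                c = decoded;
                p += 2;
            }                          /* otherwise '%' is kept as literal text */
        }
        if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}
```

A script that hands user-controlled URLs to a command-line fetcher should apply the same rule itself rather than rely on the fetcher; the check costs one pass over the string.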
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer, which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by
this vulnerability; in particular, SpamAssassin is vulnerable if you use the
-r or -w flags.
man - code execution vulnerability
Package(s): man
CVE #(s): CAN-2003-0124
Created: March 19, 2003
Updated: May 7, 2003
Description: Versions of man prior to 1.51 contain a code execution vulnerability which
can be exploited by a carefully crafted man file. See this advisory for the
details.
mgetty spool permission
Package(s): mgetty
CVE #(s): CAN-2002-1391, CAN-2002-1392
Created: April 8, 2003
Updated: May 13, 2003
Description: mgetty is a getty replacement for use with data and fax modems.
mgetty can be configured to run an external program to decide whether or
not to answer an incoming call based on Caller ID information. Unpatched
versions of mgetty prior to 1.1.29 would overflow an internal buffer if the
caller name reported by the modem was too long.
Additionally, the faxspool script supplied with versions of mgetty prior to
1.1.29 used a simple permissions scheme to allow or deny fax transmission
privileges. This scheme was easily circumvented because the spooling
directory used for outgoing faxes was world-writable.
micq: Denial of service
Package(s): micq
CVE #(s): none
Created: December 13, 2002
Updated: April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE separator causes all versions to
crash.
mutt: buffer overflow in IMAP client code
Package(s): mutt
CVE #(s): CAN-2003-0140
Created: March 21, 2003
Updated: April 22, 2003
Description: Core Security Technologies has found a remotely exploitable buffer overflow
in mutt's IMAP client code. This Bugtraq post contains additional information.
The problem has been fixed in Mutt 1.4.1 (stable) and 1.5.4 (unstable).
mysql - configuration file vulnerability
Package(s): mysql mysqld
CVE #(s): CAN-2003-0150
Created: March 18, 2003
Updated: May 16, 2003
Description: According to a report on BugTraq, a vulnerability exists in
version 3.23.55 and earlier versions of the MySQL server. If the MySQL server is
launched by root, as is often done by system startup scripts, any
database user with the "FILE" privilege can write a configuration file
(usually my.cnf) that causes the MySQL server to run under an arbitrary
user id, including the user id of the super-user, on the next restart.
nethack: buffer overflow
Package(s): nethack, slashem, falconseye
CVE #(s): CAN-2003-0358, CAN-2003-0359
Created: February 18, 2003
Updated: July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to the games
uid. Read the full advisory for the details.
Note that falconseye does not contain the file permission error
CAN-2003-0359 which affected some other nethack packages.
NetPBM: math overflow errors
Package(s): NetPBM
CVE #(s): CAN-2003-0146
Created: March 17, 2003
Updated: May 27, 2003
Description: Al Viro and Alan Cox discovered several math overflow errors in
NetPBM, a set of graphics conversion tools. These programs are not
installed setuid root but are often installed to prepare data for
processing. These vulnerabilities may allow remote attackers to cause
a denial of service or execute arbitrary code.
netscape-flash: buffer overflow
Package(s): netscape-flash
CVE #(s): none
Created: March 10, 2003
Updated: June 20, 2003
Description: Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. The full advisory is here.
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a user's machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade."
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.
openssl: local and remote extraction of RSA private key
Package(s): openssl, apache, mod_ssl
CVE #(s): CAN-2003-0147
Created: March 18, 2003
Updated: May 22, 2003
Description: David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL which allows local and remote
attackers to extract the RSA private key of a server. The OpenSSL RSA
implementation is generally vulnerable to this type of attack unless RSA
blinding has been turned on. See this paper (pdf format) for additional details.
Typically, RSA blinding is not enabled by OpenSSL based applications,
mainly because it is not obvious how to do so when using OpenSSL to provide
SSL/TLS. This problem affects almost all applications using OpenSSL; they
have to be rebuilt against the fixed OpenSSL version (where RSA blinding
is now enabled by default) or have to enable RSA blinding explicitly on their
own.
The performance impact of RSA blinding appears to be small (a few percent
only) and the RSA functionality is still fully compatible. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0147 to the problem.
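The blinding the entry refers to is simple to state: instead of applying the private exponent d to the input m directly, apply it to m * r^e for a random r coprime to n, then multiply the result by r^-1. Since (m * r^e)^d = m^d * r (mod n), the answer is unchanged, but the secret computation now runs on a value the attacker did not choose and cannot predict, which is what defeats the timing measurement. The C program below is an added example (not OpenSSL's code) that carries the arithmetic through on a constructed textbook toy key (n = 3233, e = 17, d = 2753; far too small for real use, but small enough that every product fits in 64-bit integers). Here r is a parameter so the result can be checked; a real implementation draws a fresh random r for every private-key operation.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular exponentiation by squaring; n must be < 2^32 so products fit in 64 bits. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1;
    base %= n;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % n;
        base = (base * base) % n;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a mod n by the extended Euclidean algorithm; 0 if none exists. */
uint64_t modinv(uint64_t a, uint64_t n)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)n, newr = (int64_t)(a % n);
    while (newr != 0) {
        int64_t q = r / newr;
        int64_t tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;                           /* a and n are not coprime */
    if (t < 0)
        t += (int64_t)n;
    return (uint64_t)t;
}

/* Toy key, constructed from p = 61, q = 53 (textbook values, not a real key). */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u

/* Unblinded private operation: the running time of modpow() depends on m. */
uint64_t rsa_private_plain(uint64_t m)
{
    return modpow(m, TOY_D, TOY_N);
}

/*
 * Blinded private operation.  The exponent d is applied to m * r^e, and the
 * factor r that this leaves in the result is divided out afterwards.
 * r must be coprime to n; returns 0 if it is not, so the caller picks another.
 */
uint64_t rsa_private_blinded(uint64_t m, uint64_t r)
{
    uint64_t r_inv = modinv(r, TOY_N);
    if (r_inv == 0)
        return 0;
    uint64_t blinded = (m * modpow(r, TOY_E, TOY_N)) % TOY_N;   /* m * r^e */
    uint64_t s = modpow(blinded, TOY_D, TOY_N);                 /* m^d * r  */
    return (s * r_inv) % TOY_N;                                 /* m^d      */
}

int main(void)
{
    uint64_t c = modpow(65, TOY_E, TOY_N);   /* encrypt 65 with the public key */
    printf("ciphertext %llu, plain decrypt %llu, blinded decrypt %llu\n",
           (unsigned long long)c,
           (unsigned long long)rsa_private_plain(c),
           (unsigned long long)rsa_private_blinded(c, 123));
    return 0;
}
```

In OpenSSL the corresponding switch is RSA_blinding_on() on the key object; as the entry says, the fixed release turns it on by default, and the cost is one extra public-exponent operation plus one modular multiplication per private operation, which is where the "few percent" comes from.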
pam_xauth: root exploit
Package(s): pam_xauth
CVE #(s): CAN-2002-1160
Created: February 13, 2003
Updated: July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker.
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows
the execution of any program/script, bypassing the safe_mode restriction; the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq report for more details.
Note that this is a different vulnerability from the previous PHP mail()
problem, which affected versions through 4.1.0.
PostgreSQL - more buffer overflows
Package(s): postgresql
CVE #(s): none
Created: February 12, 2003
Updated: November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they
affect the circle_poly(), path_encode(), and path_addr() functions.
Exploiting these overflows requires that the attacker first obtain a
connection to the PostgreSQL server.
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable
name which could lead to execution of arbitrary code. According to the Debian
advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description: use Perl has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to be
safe. The problem is fixed in Safe 2.08.
samba: remotely-exploitable buffer overrun
Package(s): samba
CVE #(s): CAN-2003-0201, CAN-2003-0196
Created: April 7, 2003
Updated: May 2, 2003
Description: Digital Defense Inc. has sent out an advisory describing another
remotely-exploitable buffer overrun in the Samba server; all versions through
2.2.8 or 2.0.10 (or Samba-TNG 0.3.2) are vulnerable. The Samba team has
released Samba 2.2.8a with a fix for the problem; there is also a patch
available for the 2.0 series. An exploit is said to be circulating already,
so applying patches quickly would be a good idea.
sendmail - buffer overrun
Package(s): sendmail
CVE #(s): CAN-2003-0161
Created: March 31, 2003
Updated: April 30, 2003
Description: There is yet another buffer overrun in sendmail; this one was discovered by
Michal Zalewski. From the CERT Advisory:
"There is a vulnerability in sendmail that can be exploited to cause
a denial-of-service condition and could allow a remote attacker to
execute arbitrary code with the privileges of the sendmail daemon,
typically root." Sendmail 8.12.9 was released with a fix for the problem.
slocate - buffer overflow
Package(s): slocate
CVE #(s): CAN-2003-0056
Created: February 5, 2003
Updated: May 8, 2003
Description: Version 2.6 (at least) of slocate contains a buffer overflow vulnerability
which could lead to a local exploit; see this advisory for the details.
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description: The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
tcpdump - infinite loop
Package(s): tcpdump
CVE #(s): CAN-2003-0108
Created: February 28, 2003
Updated: May 1, 2003
Description: Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition. An
attacker is able to send a specially crafted network packet which
causes tcpdump to enter an infinite loop.
In addition to the above problem, the tcpdump developers discovered a
potential infinite loop when parsing malformed BGP packets. They also
discovered a buffer overflow that can be exploited with certain
malformed NFS packets.
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): none
Created: May 21, 2002
Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
typespeed: buffer overflow
Package(s): typespeed
CVE #(s): none
Created: January 1, 2003
Updated: June 17, 2003
Description: A problem has been discovered in typespeed, a game that lets you
measure your typing speed. By overflowing a buffer, a local
attacker could execute arbitrary commands under the group id games.
vim - modeline vulnerability
Package(s): vim
CVE #(s): CAN-2002-1377
Created: January 16, 2003
Updated: February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed.
vixie-cron: Local vulnerability
Package(s): vixie-cron
CVE #(s): CVE-2001-0559
Created: April 17, 2003
Updated: October 3, 2003
Description: From the ISS advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10, 2001 security page.
vnc - replay and cookie vulnerabilities
Package(s): vnc
CVE #(s): CAN-2002-1336, CAN-2002-1511
Created: February 21, 2003
Updated: May 5, 2003
Description: VNC is a tool for providing a remote graphical user interface. Two
vulnerabilities have been found in versions of VNC shipped by Red Hat.
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.
The VNC DES authentication scheme is implemented using a challenge-response
architecture, producing a random and different challenge for each
authentication attempt. A bug in the function for generating the random
challenge caused the random seed to get reset to the current time on every
authentication attempt. Therefore, two authentication attempts within the
same second could receive the same challenge. An eavesdropper could
exploit this vulnerability by replaying the response, thereby gaining
authentication.
All users of VNC are advised to upgrade to these erratum packages, which
contain patches to correct these issues.
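The second VNC problem is a seeding mistake rather than a weak algorithm, and the mechanism is worth seeing in code. The C program below is an added example (not VNC's code) that places a challenge generator re-seeded from the wall clock on every call, which hands out the same challenge twice within one second, beside a version that takes its bytes from /dev/urandom and refuses to proceed if that fails. CHALLENGE_LEN, weak_challenge, strong_challenge and the two self-check functions are names chosen for this example; the clock value is passed in as a parameter rather than read from time() so the collision can be shown deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CHALLENGE_LEN 16   /* assumed challenge size for this example */

/*
 * The flawed pattern the entry describes: the generator is re-seeded from the
 * clock on every call, so the sequence, and therefore the challenge, is a pure
 * function of the current second.  Two attempts in the same second get the
 * same challenge, and a response captured from the first can be replayed.
 */
void weak_challenge(time_t now, uint8_t out[CHALLENGE_LEN])
{
    srand((unsigned)now);
    for (int i = 0; i < CHALLENGE_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/*
 * Hardened version: take the challenge straight from the kernel CSPRNG.
 * Returns 0 on success and -1 if /dev/urandom could not be read; a caller
 * must then refuse to authenticate rather than fall back to a weak source.
 */
int strong_challenge(uint8_t out[CHALLENGE_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(out, 1, CHALLENGE_LEN, f);
    fclose(f);
    return got == CHALLENGE_LEN ? 0 : -1;
}

/* 1 if two weak challenges issued at the same second are identical (the bug). */
int weak_challenges_collide(time_t now)
{
    uint8_t a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    weak_challenge(now, a);
    weak_challenge(now, b);
    return memcmp(a, b, CHALLENGE_LEN) == 0;
}

/* 1 if two consecutive strong challenges differ (collision odds are 2^-128). */
int strong_challenges_differ(void)
{
    uint8_t a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (strong_challenge(a) != 0 || strong_challenge(b) != 0)
        return 0;
    return memcmp(a, b, CHALLENGE_LEN) != 0;
}

int main(void)
{
    printf("weak generator, same second: %s\n",
           weak_challenges_collide(time(NULL)) ? "identical challenges" : "differ");
    printf("urandom generator: %s\n",
           strong_challenges_differ() ? "differ" : "FAILED");
    return 0;
}
```

The first VNC problem (the weak MIT cookie in the startup script) has the same cure: the cookie must come from a source an eavesdropper cannot reconstruct from the time of day, not from a seeded PRNG.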
wget: directory traversal bug
Package(s): wget
CVE #(s): CAN-2002-1344
Created: December 10, 2002
Updated: October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also this Bugtraq article from 1997.
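The tar/unzip entry and this wget entry come down to the same missing check on an attacker-supplied file name before it is used relative to the extraction or download directory. As an added example (not wget's or GNU tar's code), here is a C filter that refuses empty names, absolute names and any ".." path component while still allowing legitimate names such as "..hidden", run over a constructed NLST-style listing of the kind a hostile server might return. The names is_safe_member_name, sample_listing and count_rejected are chosen for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Return 1 if `name` may safely be created relative to the target directory,
 * 0 otherwise.  Rejected: empty names, names beginning with '/' (absolute),
 * and names with a ".." component anywhere.  A component that merely starts
 * with ".." (such as "..foo") is an ordinary file name and is accepted.
 */
int is_safe_member_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/')
        return 0;                                   /* absolute path */

    const char *p = name;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;                                    /* scan one component */
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;                               /* ".." component */
        if (*p == '/')
            p++;
    }
    return 1;
}

/*
 * Constructed NLST-style reply: a mix of ordinary names and the traversal
 * forms the entry describes (leading '/', and "../" aimed at dot files).
 */
static const char *const sample_listing[] = {
    "index.html",
    "docs/README",
    "/etc/passwd",
    "../.rhosts",
    "images/../../.forward",
    "..hidden-but-fine",
    "",
};
#define SAMPLE_COUNT (sizeof sample_listing / sizeof sample_listing[0])

/* Number of entries in the constructed listing that a careful client refuses. */
int count_rejected(void)
{
    int rejected = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (!is_safe_member_name(sample_listing[i]))
            rejected++;
    return rejected;
}
```

The check is deliberately on the name as received, before any joining with the destination directory; normalising first and checking afterwards is how "a/../../b" slips past a check that only looks for a leading "../".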
Problems with libgtop_daemon
Package(s): wuftpd libgtop
CVE #(s): none
Created: May 21, 2002
Updated: May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system
information available remotely. LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run libgtop by default, but applying the update is
a good idea anyway.
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content-Length values.
"It is believed that an attacker could exploit this bug to gain remote wwwrun
access to the system wwwoffled is running on."
xfsdump: insecure file creation
Package(s): xfsdump
CVE #(s): CAN-2003-0173
Created: April 11, 2003
Updated: April 16, 2003
Description: Ethan Benson discovered a problem in xfsdump, which contains administrative
utilities for the XFS filesystem. When filesystem quotas are enabled,
xfsdump runs xfsdq to save the quota information into a file at the root of
the filesystem being dumped. The manner in which this file is created is
unsafe.
While fixing this, a new option "-f path" has been added to xfsdq(8) to
specify an output file instead of using the standard output stream. This
file is created by xfsdq, and xfsdq will fail to run if it exists already.
The file is also created with a more appropriate mode than whatever the
umask happened to be when xfsdump(8) was run.
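The gs-common, LPRng, Python os._execvpe and xfsdump entries all describe one mistake: a file opened at a name another local user can predict and pre-create or symlink. The C program below is an added example, not code from any of those projects or from this page, of the two fixes those advisories converge on: creating a fixed-name output file only if nothing exists at that path yet, which is the behaviour the xfsdump entry attributes to the new "-f path" option, and using mkstemp() when the name itself does not matter, so that it is unpredictable and the file is opened with mode 0600. The scratch directories under /tmp, the "ps2epsi.XXXXXX" template and the demo_ functions are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create `path` only if nothing exists there.  With O_CREAT|O_EXCL, open()
 * fails with EEXIST if the name is already taken, and that includes the case
 * where the name is a symlink (even a dangling one), so a planted link is
 * never followed and an existing file is never truncated.  Returns the fd,
 * or -1 with errno set.
 */
int create_exclusive(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/*
 * Create a scratch file with an unpredictable name under `dir`.  mkstemp()
 * itself uses O_CREAT|O_EXCL and mode 0600, so a fixed /tmp/<prog>.<pid>
 * style name that a local attacker can guess is never used.  The chosen path
 * is left in `name_out`; returns the open fd or -1.
 */
int create_private_tempfile(const char *dir, char *name_out, size_t name_len)
{
    int n = snprintf(name_out, name_len, "%s/ps2epsi.XXXXXX", dir);
    if (n < 0 || (size_t)n >= name_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(name_out);
}

/* Self-check: a second exclusive create of the same path must fail with EEXIST. */
int demo_exclusive_refuses_existing(void)
{
    char dir[] = "/tmp/xfsdq-demo.XXXXXX";      /* constructed scratch directory */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/quota", dir);

    int rc = -2;
    int fd1 = create_exclusive(path, 0600);
    if (fd1 >= 0) {
        close(fd1);
        int fd2 = create_exclusive(path, 0600);
        if (fd2 < 0 && errno == EEXIST)
            rc = 0;
        if (fd2 >= 0)
            close(fd2);
        unlink(path);
    }
    rmdir(dir);
    return rc;
}

/* Self-check: mkstemp() must hand back an open fd and replace the XXXXXX. */
int demo_private_tempfile(void)
{
    char dir[] = "/tmp/ps2epsi-demo.XXXXXX";    /* constructed scratch directory */
    if (mkdtemp(dir) == NULL)
        return -1;

    char name[PATH_MAX];
    int fd = create_private_tempfile(dir, name, sizeof name);
    int rc = (fd >= 0 && strstr(name, "XXXXXX") == NULL) ? 0 : -2;
    if (fd >= 0) {
        close(fd);
        unlink(name);
    }
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("exclusive create: %s\n", demo_exclusive_refuses_existing() == 0 ? "ok" : "FAIL");
    printf("mkstemp:          %s\n", demo_private_tempfile() == 0 ? "ok" : "FAIL");
    return 0;
}
```

A shell script such as ps2epsi gets the same property from mktemp(1); what never works is checking for the file's existence first and then opening it, since the attacker's link can appear between the two steps.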
zlib 1.1.4 has buffer overrun
Package(s): zlib
CVE #(s): CAN-2003-0107
Created: February 25, 2003
Updated: April 29, 2003
Description: From this Bugtraq posting:
"zlib contains a function called gzprintf(). This is similar in
behaviour to fprintf() except that by default, this function will smash the
stack if called with arguments that expand to more than Z_PRINTF_BUFSIZE
(=4096 by default) bytes."
Resources
The April 18 Linux Advisory Watch newsletter from LinuxSecurity.com is
available.
Events
The call for papers has gone out for Hivercon 2003 (Dublin, November 6
and 7). Submissions are due by the beginning of August.
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.5.68, which was released by Linus on
April 19. This is a large patch which has been a while in coming; it includes
the usual big pile of fixes along with a bunch of devfs tweaking (read Linus's
note if you use devfs), a new h8300 architecture, some NFS performance tuning,
some changes to the workqueue interface, the merging of s390 and s390x into a
single architecture (along with a bunch of other s390 work), the generation of
hotplug events from kobject registration, a new __user attribute to mark
user-space pointers (to help static analysis tools find bugs), a small change
to the semantics of msync(MS_ASYNC) (it no longer actually starts any I/O),
some reverse-mapping VM speedups, a new requirement that gcc version 2.95 (or
later) be used to compile the kernel, a big pile of small fixes from Alan Cox,
an NFSv4 update, and a big IA-64 update. The details can be found in the
long-format changelog.
Linus's BitKeeper repository contains a change to the interrupt handler
prototype (see below), a patch for runtime barrier instruction patching
(which allows optimal performance on different processors without the need
to ship multiple kernels), more devfs cleanups, more preparation for an
expanded dev_t type, some swapoff improvements, a new set of
memory allocation flags (described below), and numerous other fixes and
updates.
The current stable kernel is 2.4.20. The 2.4.21 release got a
little closer with the announcement of the
first release candidate. 2.4.21-rc1 adds a relatively small number of
fixes to -pre7, and includes a plea for extensive testing.
Kernel development news
Dealing with memory allocation failures is a requirement for all kernel
code (and user-space code as well). But there are some places in the
kernel where failures cannot be allowed to happen. So it is not uncommon
to see kernel code which doesn't take "no" for an answer. As Andrew Morton
put it:
There are quite a lot of places in the kernel which will infinitely retry a
memory allocation. Generally, they get it wrong.
As a way of helping kernel code get it right, Andrew has created a patch - since merged for 2.5.69 - which adds
a new set of __GFP flags for get_free_page() and the
other memory allocation functions. These flags are:
- __GFP_REPEAT: tells the page allocator to "try harder," repeating failed
  allocation attempts if need be. Allocations can still fail, but
  failure should be less likely.
- __GFP_NOFAIL: try even harder; allocations with this flag must not fail.
  Needless to say, such an allocation could take a long time to satisfy.
- __GFP_NORETRY: failed allocations should not be retried; instead, a failure
  status will be returned to the caller immediately.
These flags should make memory allocation operations a little more
predictable. There is a moral hazard here, however, that programmers will
start simply supplying __GFP_NOFAIL instead of making the extra
effort to deal with failed allocations. __GFP_NOFAIL has its
place, but, in most cases, it is probably better to be able to deal with
low-memory situations directly.
One problem that can confront an operating system kernel is that of
"screaming" devices - hardware which continually raises interrupts, but for
which there is no driver to tell it to shut up. If the offending hardware
is yanking on an interrupt line which is not otherwise in use, the kernel
can quickly disable that line and be done with the problem. If, however,
the interrupt line is in use in a shared mode, there is (in kernels through
2.5.68) no way for the kernel to know that nobody is dealing with the loud
device. All it can do is pass an interrupt request to the registered
handlers and hope for the best.
Of course, there is no need for things to be that way; each device driver
knows whether it handled a specific interrupt or not. So all that's needed
is for the drivers to communicate that information back to the kernel. The
2.5.69 kernel does exactly that - thanks to a
patch by Linus - at the cost of breaking every driver which registers
an interrupt handler.
Interrupt handlers no longer return void; instead, they must
return an irqreturn_t value (adding typedefs to the kernel is OK
when Linus does it). The values are IRQ_HANDLED if the driver
recognized the interrupt or IRQ_NONE if the interrupt was not for
one of the driver's devices. The IRQ_RETVAL(handled) macro can
also be used; the handled parameter should be nonzero if the
interrupt was handled in the driver.
With this change, the kernel can tell whether a particular device is being
handled or not. As of this writing, the "fix the drivers" effort is in
full swing; by the time 2.5.69 is released, most of the (in-tree) drivers
should be working again. At least, with regard to the interrupt change.
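Why the return value matters is easiest to see in a small user-space simulation. The C program below is an added example, not kernel code: it mirrors the new interface (a handler returns IRQ_HANDLED or IRQ_NONE, or uses IRQ_RETVAL()), and a shared line that dispatches to every registered handler can now count the interrupts nobody claimed and shut itself off after a streak of them, which is the "screaming device" case described above. The irq_line structure, request_irq_sim, deliver_irq, fake_handler and the NOBODY_CARED_LIMIT of 100 are constructed for this example and are not the kernel's own code or thresholds.

```c
#include <stdio.h>

/* Mirror of the 2.5.69 interface: a handler says whether the interrupt was its own. */
typedef enum { IRQ_NONE = 0, IRQ_HANDLED = 1 } irqreturn_t;
#define IRQ_RETVAL(handled) ((handled) ? IRQ_HANDLED : IRQ_NONE)

typedef irqreturn_t (*irq_handler_t)(int irq, void *dev_id);

#define MAX_SHARED         4
#define NOBODY_CARED_LIMIT 100   /* constructed threshold for this simulation */

/* One shared interrupt line and the handlers registered on it. */
struct irq_line {
    int irq;
    irq_handler_t handlers[MAX_SHARED];
    void *dev_ids[MAX_SHARED];
    int nhandlers;
    int unhandled_streak;        /* consecutive interrupts nobody claimed */
    int disabled;
};

int request_irq_sim(struct irq_line *line, irq_handler_t h, void *dev_id)
{
    if (line->nhandlers >= MAX_SHARED)
        return -1;
    line->handlers[line->nhandlers] = h;
    line->dev_ids[line->nhandlers] = dev_id;
    line->nhandlers++;
    return 0;
}

/*
 * Deliver one interrupt to every handler on the line.  Because each handler
 * reports IRQ_HANDLED or IRQ_NONE, the line knows when nobody cared; a long
 * enough streak of those means a driverless device is screaming, and the line
 * is disabled instead of spinning forever.  Returns 1 if some handler claimed it.
 */
int deliver_irq(struct irq_line *line)
{
    if (line->disabled)
        return 0;
    int claimed = 0;
    for (int i = 0; i < line->nhandlers; i++)
        if (line->handlers[i](line->irq, line->dev_ids[i]) == IRQ_HANDLED)
            claimed = 1;
    if (claimed)
        line->unhandled_streak = 0;
    else if (++line->unhandled_streak >= NOBODY_CARED_LIMIT)
        line->disabled = 1;
    return claimed;
}

/* A driver whose device has asserted the line only when `pending` is set. */
struct fake_dev { int pending; };

irqreturn_t fake_handler(int irq, void *dev_id)
{
    struct fake_dev *d = dev_id;
    (void)irq;
    int mine = d->pending;
    d->pending = 0;                      /* acknowledge our device */
    return IRQ_RETVAL(mine);
}

/*
 * Scenario: two drivers share IRQ 5.  Device a raises one real interrupt, then
 * an unknown device with no driver keeps pulling the line.  Returns how many
 * interrupts were delivered before the line disabled itself.
 */
int simulate_screaming_device(void)
{
    struct irq_line line = { .irq = 5 };
    struct fake_dev a = { 0 }, b = { 0 };
    request_irq_sim(&line, fake_handler, &a);
    request_irq_sim(&line, fake_handler, &b);

    int delivered = 0;
    a.pending = 1;
    deliver_irq(&line);
    delivered++;
    while (!line.disabled) {             /* nobody claims these */
        deliver_irq(&line);
        delivered++;
    }
    return delivered;
}

int main(void)
{
    printf("line disabled after %d interrupts\n", simulate_screaming_device());
    return 0;
}
```

Before the change, the equivalent of deliver_irq() had no `claimed` to look at: every handler returned void, and the only option for a shared line was to keep calling all of them.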
The expanded device number type - one of the big remaining items for the
2.5 development cycle - is getting closer to reality. Much of the
preparation work has been done. There are still a few issues to be
resolved, however; this week's discussion mostly centers around how device
numbers should be represented in the kernel.
One seeming outcome is that the kdev_t type will go away.
Alexander Viro, who has recently resurfaced behind a UK email address, is
pushing
strongly for this change. Among other things, he has posted a set of "kdev_t-ectomy" patches which remove
the kdev_t type from the TTY layer and a few other spots.
kdev_t variables are replaced with direct pointers to driver data
structures or integer indexes, depending on the context. Every instance of
kdev_t, according to Al, is a sign of a problem; he'll be
submitting more cleanup patches in the future.
As this work progresses, device numbers will become less visible throughout
much of the kernel. But there will still be a need to work with device
numbers; they are, after all, the token which is passed between kernel and user
space. A 64-bit device number seems like a done deal, but it's still not
entirely clear how they will be represented. A few schools of thought
exist:
- Many developers have been proceeding on the assumption that a simple,
64-bit integer would be used to hold device numbers in the future.
This approach, of course, is just an extension of the current 16-bit
number scheme.
- While most developers, perhaps, see that 64-bit quantity as being
split into 32-bit major and minor numbers, there are still people who
would like to get rid of the major/minor distinction altogether. The
management of the device number space will make that distinction
increasingly unimportant. Still, retention of the distinction between
major and minor numbers seems likely for now.
- Linus has been advocating a tuple representation, where major and
minor numbers would be carried around independently of each other.
Few others have argued for this representation, however, and Linus
does not appear to feel strongly enough to force the issue.
The end result will matter little for most developers, since the
MAJOR() and MINOR() macros will work as always. The real
concern has to do with how backward compatibility will be supported. We
all have filesystems and applications with 16-bit numbers wired deeply into
them; we all expect those filesystems and applications to work with the 2.6
kernel. That means that a 16-bit device number, with eight-bit
major and minor numbers:
will look to the kernel like a device number with a major number of zero
and a large minor number:
This case is easy to detect, of course, and it is not that big a deal to
map it into the proper large representation:
The important thing is that this remapping must happen consistently
everywhere in the kernel. So, in every place where device numbers enter
the kernel, they must be turned into a standard form, be it a combined
device number or some sort of tuple representation. In practice, this
remapping need not happen in many places; the mknod(),
open() and stat() system calls are the big ones.
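The legacy-number remapping described above, as an added example that is not code from the article or the kernel. It assumes the representation most developers were expecting at the time (a 64-bit number with a 32-bit major in the high half and a 32-bit minor in the low half) and the old 16-bit format with an eight-bit major in the high byte and an eight-bit minor in the low byte; the macro and function names are invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the article or the kernel. Assumed layout:
 * 64-bit device number = 32-bit major (high half) | 32-bit minor (low half);
 * legacy 16-bit number  = 8-bit major (high byte)  | 8-bit minor (low byte). */
typedef uint64_t dev64_t;
typedef uint16_t dev16_t;

#define MAJOR64(dev)     ((uint32_t)((dev) >> 32))
#define MINOR64(dev)     ((uint32_t)((dev) & 0xffffffffULL))
#define MKDEV64(ma, mi)  (((dev64_t)(uint32_t)(ma) << 32) | (dev64_t)(uint32_t)(mi))

#define OLD_MAJOR(dev)   ((unsigned int)(((dev) >> 8) & 0xff))
#define OLD_MINOR(dev)   ((unsigned int)((dev) & 0xff))

/* A 16-bit number handed in unchanged by an old filesystem or application is
 * simply zero-extended: the kernel sees major 0 and a "large" minor that
 * really holds the packed legacy major/minor pair. */
static dev64_t legacy_as_seen_by_kernel(dev16_t old)
{
    return (dev64_t)old;
}

/* Signature of an unconverted legacy number: major 0 and a minor that fits in
 * 16 bits but exceeds one byte (so the legacy major was non-zero). Assumption:
 * the 64-bit scheme never hands out major 0 with such minors, otherwise the
 * two cases could not be told apart. */
static bool looks_like_legacy(dev64_t dev)
{
    uint32_t minor = MINOR64(dev);
    return MAJOR64(dev) == 0 && minor > 0xff && minor <= 0xffff;
}

/* The remapping that must be applied consistently at every entry point
 * (mknod(), open(), stat(), ...): unpack the legacy pair and rebuild it in
 * the large representation. Numbers already in the large form pass through. */
static dev64_t canonicalize_dev(dev64_t dev)
{
    if (!looks_like_legacy(dev))
        return dev;
    dev16_t old = (dev16_t)MINOR64(dev);
    return MKDEV64(OLD_MAJOR(old), OLD_MINOR(old));
}

int main(void)
{
    dev16_t old = (dev16_t)((8 << 8) | 1);       /* legacy major 8, minor 1 */
    dev64_t raw = legacy_as_seen_by_kernel(old);
    dev64_t fixed = canonicalize_dev(raw);
    printf("raw:   major %u minor %u\n", (unsigned)MAJOR64(raw), (unsigned)MINOR64(raw));
    printf("fixed: major %u minor %u\n", (unsigned)MAJOR64(fixed), (unsigned)MINOR64(fixed));

    /* A genuine 64-bit number with a large minor is left alone. */
    dev64_t big = MKDEV64(8, 70000);
    printf("big:   major %u minor %u (unchanged: %s)\n", (unsigned)MAJOR64(big),
           (unsigned)MINOR64(big), canonicalize_dev(big) == big ? "yes" : "no");
    return 0;
}
```

The point of the check in `looks_like_legacy()` is the ambiguity the article hints at: a major of zero with a minor of 70000 is a legitimate large number, while a major of zero with a minor of 2049 is almost certainly the old pair (8, 1) that nobody converted, which is why the remapping has to be applied in one place per entry point rather than left to individual callers.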
Peter Anvin proposed a different way of
representing device numbers in a 64-bit word:
This representation appears to be more complicated, since obtaining the
major and minor numbers would require extracting and splicing bit fields.
It's worth noting again, however, that this work would be hidden within the
MAJOR() and MINOR() macros, and invisible to kernel
code. And, with this representation, no remapping of device numbers would
be required.
The discussion seemed to wind down in an inconclusive manner. The real
decisions will be made, of course, when the patches appear and are merged.
Comments (1 posted)
Driver porting
High memory can be a pain to work with. The addressing limitations of
32-bit processors make it impossible to map all of high memory into the
kernel's address space. So various workarounds must be employed to manage
high memory portably; this need is one of the reasons for the increasing
use of struct page pointers in the kernel.
When the kernel needs to access a high memory page directly, an ad hoc
memory mapping must be set up. This is the purpose of the functions
kmap() and kunmap(), which have existed since high memory
support was first implemented. kmap() is relatively expensive to
use, however; it requires global page table changes, and it can put the
calling function to sleep. It is thus a poor fit to many parts of the
kernel where performance is important.
To address these performance issues, a new type of kernel mapping (the
"atomic kmap") has been created (they actually existed, in a slightly
different form, in 2.4.1). Atomic kmaps are intended for short-term
use in small, atomic sections of kernel code; it is illegal to sleep while
holding an atomic kmap. Atomic kmaps are a per-CPU structure; given the
constraints on their use, there is no point in sharing them across
processors. They are also available in very limited numbers.
In fact, there are only about a dozen atomic kmap slots available on each
processor (the actual number is architecture-dependent), and users of
atomic kmaps must specify which slot to use. A new enumerated type
(km_type) has been defined to give names to the atomic kmap
slots. The slots that will be of most interest to driver writers are:
- KM_USER0, KM_USER1. These slots are to be used
by code called from user space (i.e. system calls).
- KM_IRQ0, KM_IRQ1. Slots for interrupt handlers
to use.
- KM_SOFTIRQ0, KM_SOFTIRQ1. Slots for code running out of a software
interrupt, such as a tasklet.
Several other slots exist, but they have been set aside for specific
purposes and should not be used.
The actual interface for obtaining an atomic kmap is:
void *kmap_atomic(struct page *page, enum km_type type);
The return value is a kernel virtual address which may be used to address
the given page. kmap_atomic() will always succeed, since the slot
to use has been given to it. It will also disable preemption while the
atomic kmap is held.
When you have finished with the atomic kmap, you should undo it with:
void kunmap_atomic(void *address, enum km_type type);
Users of atomic kmaps should be very aware of the fact that nothing in the
kernel prevents one function from stepping on another function's mappings.
Code which holds atomic kmaps thus needs to be short and simple. If you
are using one of the KM_IRQ slots, you should have locally
disabled interrupts first. As long
as everybody is careful, conflicts over atomic kmap slots do not arise.
Should you need to obtain a struct page pointer for an address
obtained from kmap_atomic(), you can use:
struct page *kmap_atomic_to_page(void *address);
If you want to map buffers obtained from the block layer in a BIO
structure, use the BIO-specific kmap functions (described in the BIO article) instead.
Atomic kmaps are a useful resource for performance-critical code. They
should not be overused, however. For any code which might sleep, or which
can afford to wait for a mapping, the old standard kmap() should
be used instead.
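The slot-clobbering hazard described above, as an added example that is not kernel code: a small user-space model of the per-CPU atomic kmap slots in which a mapping is recorded as "this slot on this CPU currently maps this page". The page type, the current-CPU variable, the preemption counter and the conflict counter are stand-ins invented for the example; a real kmap_atomic() simply overwrites the slot's page-table entry without noticing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a user-space model of the per-CPU atomic kmap slots, not
 * kernel code. slot_owner, cur_cpu, preempt_count and conflicts are stand-ins
 * that make the hazard observable; the real kernel keeps no such bookkeeping. */
#define NR_CPUS 2

enum km_type { KM_USER0, KM_USER1, KM_IRQ0, KM_IRQ1, KM_SOFTIRQ0, KM_SOFTIRQ1, KM_TYPE_NR };

struct page { unsigned char data[64]; };            /* tiny stand-in for a high-memory page */

static struct page *slot_owner[NR_CPUS][KM_TYPE_NR]; /* which page each slot currently maps */
static int cur_cpu;                                  /* stand-in for smp_processor_id() */
static int preempt_count;                            /* > 0 while an atomic kmap is held */
static int conflicts;                                /* slot reused while still mapped */

static void *model_kmap_atomic(struct page *page, enum km_type type)
{
    preempt_count++;                        /* kmap_atomic() disables preemption */
    if (slot_owner[cur_cpu][type] != NULL)
        conflicts++;                        /* earlier mapping is silently clobbered */
    slot_owner[cur_cpu][type] = page;       /* always succeeds: caller chose the slot */
    return page->data;
}

static void model_kunmap_atomic(void *addr, enum km_type type)
{
    (void)addr;
    slot_owner[cur_cpu][type] = NULL;
    preempt_count--;
}

/* Well-behaved use: map, copy a little data out, unmap, never sleeping. */
static size_t copy_from_high_page(struct page *page, unsigned char *dst, size_t len)
{
    unsigned char *va = model_kmap_atomic(page, KM_USER0);
    memcpy(dst, va, len);
    model_kunmap_atomic(va, KM_USER0);
    return len;
}

/* A helper that its callers may not realise also uses KM_USER0. */
static unsigned char first_byte(struct page *page)
{
    unsigned char *va = model_kmap_atomic(page, KM_USER0);
    unsigned char b = va[0];
    model_kunmap_atomic(va, KM_USER0);
    return b;
}

/* Hazard: the caller holds KM_USER0 for page a while first_byte() reuses the
 * same slot on the same CPU for page b. In the real kernel va would now map b.
 * Returns how many conflicts the model detected during the call. */
static int nested_same_slot(struct page *a, struct page *b)
{
    int before = conflicts;
    unsigned char *va = model_kmap_atomic(a, KM_USER0);
    (void)first_byte(b);
    (void)va[0];
    model_kunmap_atomic(va, KM_USER0);
    return conflicts - before;
}

/* Remedy: give the outer mapping its own slot so the helper cannot step on it. */
static int nested_distinct_slots(struct page *a, struct page *b)
{
    int before = conflicts;
    unsigned char *va = model_kmap_atomic(a, KM_USER1);
    (void)first_byte(b);
    (void)va[0];
    model_kunmap_atomic(va, KM_USER1);
    return conflicts - before;
}

static int model_preempt_count(void) { return preempt_count; }

static struct page page_a, page_b;           /* constructed sample pages */
static unsigned char scratch[64];

int main(void)
{
    memset(page_a.data, 0xaa, sizeof page_a.data);
    memset(page_b.data, 0xbb, sizeof page_b.data);
    copy_from_high_page(&page_a, scratch, 8);
    printf("same slot nested:     %d conflict(s)\n", nested_same_slot(&page_a, &page_b));
    printf("distinct slots nested: %d conflict(s)\n", nested_distinct_slots(&page_a, &page_b));
    printf("preempt_count at end:  %d\n", model_preempt_count());
    return 0;
}
```

The model counts what the real kernel cannot: a second kmap_atomic() into an occupied slot on the same CPU. That is why code holding an atomic kmap should stay short, call as little as possible, and, for the KM_IRQ slots, run with local interrupts disabled so that an interrupt handler on the same CPU cannot reuse the slot underneath it.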
Comments (none posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
[This article was contributed by Ladislav Bodnar]
Many people assume that since China produces a Linux distribution called Red
Flag Linux, it must be the most widely used distribution in China. By the
same extension, Conectiva Linux is surely the most popular distribution in
Brazil and Gelecek Linux is the biggest in Turkey. Right? This assumption
couldn't be further from the truth. In fact, the most popular distributions
in China, Brazil, Turkey and everywhere else are much the same as in Europe
or North America - Red Hat, Mandrake and Debian.
"Which upcoming distribution release do you most look forward to?" asked a
recent
poll on linuxfans.org, a popular Chinese Linux community web site. Red
Hat and Mandrake were the top choices, together generating nearly 70% of
all votes. Of course, a poll like this can hardly be considered
statistically correct and yes, not everybody has a choice over the
matter. Some would even argue that regional distributions make a lot of
sense. They usually offer expert support for the local language(s) and
writing system as well as email and telephone technical support in the
country's language(s). Still, there are indications that they are unable to
compete with the big internationally recognized distributions and some of
them might not even be around for much longer.
Let's take a look at some reasons supporting the above statements.
- Business considerations. Many of the regional distributions were
created during the "dotcom" boom, when a new company with the word "Linux"
in its name seemed like an easy road to instant riches. The task at hand
wasn't difficult either. All that these companies needed to do was download
the latest Red Hat, modify the installer, set a different default language
and put it into a box to be sold by software stores. Unfortunately for
them, the anticipated mass conversion to Linux did not materialize and some
of these companies have either refocused their efforts or closed down
completely. Many of those that are still around have neglected web sites,
don't bother with providing post-release security updates (now you know why
Red Flag's web site is hosted on Red Hat's distribution) and, with
Conectiva being one major exception, don't contribute much back to the
community.
- Community support. As we all know, the commercial support that comes
with the purchased box is rather limited so many people turn to community
resources. As an example, a Mandrake user will find the vanilla
installation lacking many useful applications - due to their questionable
legal status in certain countries. That's where a community web site, such
as plf.zarb.org, comes in handy. The
applications found on the site can be easily added to the urpmi utility,
which makes installing all the great multimedia applications a single-click
breeze. Similar web sites exist for Red Hat (freshrpms.net) and Debian (apt-get.org). Regional distributions
often lack such excellent community resources.
- Download options. Many regional distributions are only able to offer
their slow, low-bandwidth servers and very few mirrors (if any) for users
to download their products. This is in sharp contrast with fast FTP
servers, often found at universities, providing complete and up-to-date
mirrors for the major distributions.
- Language support. The argument that regional distributions provide
better language support is fading fast. Debian's language support has
always been exceptional, thanks largely to the fact that their developers
can be found in all corners of the world. Mandrake has made a lot of effort
to support even some obscure languages. Starting with version 8.0, Red Hat
has moved to Unicode, a text encoding standard that enables intermixing
different writing systems in documents (even at the expense of making a few
applications unusable).
- Availability of learning material. What are the choices for those
wishing to learn about Linux? Japan has produced more local distributions
than most other countries; yet if you walk into a Tokyo bookstore and look
at the shelves displaying Linux books, you'll find rows and rows of Red Hat
publications, but only one or two books dealing with the local products,
such as Turbolinux. This situation is certainly not unique to Japan.
People new to Linux are frequently astonished to learn that there are
possibly two or three hundred Linux distributions, yet they might not
realize that less than a dozen of them have any measurable market
share. Those created to exist within the realms of national boundaries are
increasingly marginalized by the fearless expansion of the "brand name"
product. The fact that the Internet lacks borders works even further against
them.
Comments (2 posted)
Distribution News
Bdale Garbee has sent out a final "Bits from the DPL" posting on his last
day as Debian Project Leader. "Debian is
perhaps the finest example in the world today of the community development
model at work. It has been a great privilege to serve for the last year as
your elected Project Leader, and your continuing enthusiasm for our vision
of Debian as a Universal Operating System is very gratifying!"
Martin Michlmayr provides his first message
as Debian Project Leader. "This is my first message as DPL. My term
has officially started today and I look forward to acting as your DPL for
the next 12 months. The leader@debian.org alias now points to my address
and I encourage you to contact me there with your ideas or concerns. As I
have stated in my platform, I think that communication is very important. I
will try to keep you up to date with what's going on in the community so
expect more messages from me in the future. I will also encourage other
people to make announcements or give status reports when
appropriate."
This Debian Planet article steps through the
process of installing Debian remotely, over an existing Linux install.
"The situation I found myself in a few weeks ago was with the
purchase of a hosted system running another popular flavor of
Linux. Unfortunately, they did not offer manual assistance, so I had to
find my own way to get my server of choice installed."
Raphael Hertzog reports on changes to the
Package Tracking System.
Comments (none posted)
The Gentoo Weekly Newsletter for April 21, 2003 is out. This week's topics
include Portage security features detailed; Open positions with the Gentoo
Linux project; Gentoo Linux is seeking additional source mirrors and
colocation space; Gentoo Linux now available on the HPPA Platform; and
more.
Full Story (comments: none)
MandrakeSoft announced the immediate availability of Mandrake Linux
Corporate Server 2.1 for the newly released AMD Opteron processor.
Full Story (comments: none)
SuSE Linux announced the availability of SuSE Linux Enterprise Server 8 for
AMD64, Powered by UnitedLinux.
UnitedLinux announced support for AMD64 (Opteron) in a separate
press release.
Full Story (comments: none)
Tech Web
covers the release of EnGarde Secure Linux Community Edition.
"EnGarde Secure Linux Community Edition is designed as a platform for
secure Internet applications. It includes integrated intrusion detection,
cryptography, improved authentication and access control, and protection
from buffer overruns, denial of service attacks and other intrusion
techniques."
Comments (none posted)
Slackware Linux has Slackware 9.0
updates available, fixing security problems in
KDE 3.1.1a and
openssl.
Comments (none posted)
New Distributions
Boten GNU/Linux is intended
for home users and provides a fully-localized GNU/Linux environment in
Hebrew. It's especially made for those new to Linux, though aimed to please
all users, experts and newbies alike. It's currently based around the 2.4
Linux kernel series (USB supported) and the GNU C Library version 2.2.5
(libc6 ELF). Boten GNU/Linux could be installed in a UMSDOS partition as
well and can run on 386 systems all the way up to the latest x86 machines.
Version 9.5 h1/i1 was released April 21, 2003.
Comments (none posted)
Eshida Instant Embedded Linux is an
embedded Linux distribution for people who want to deploy embedded Linux
technology immediately. Because the system runs directly from CD-ROM, users
spend zero effort to explore embedded systems. Version
1.0 was released April 18,
2003.
Comments (none posted)
Minor distribution updates
BBIagent has released
v1.8.0 with minor
feature enhancements. "Changes: Bandwidth control with HTB is now
supported, and it is easy to define traffic classes and filters to shape
traffic for computers on the internal network. The bandwidth control
modules are loaded on demand from the server."
Comments (1 posted)
Damn Small Linux has released
0.3.6. "Changes: This release adds PPP and WvDial, some scripts that simplify modem setup,
and a script that will save your modem configuration to a floppy
disk."
Comments (none posted)
Eagle Linux has released
v2.1.1. Version 2.1.1 is
based on Debian and contains full DHCP network functionality. It
uses no compression loop devices, allows network device module loading, and
provides DHCP or static network configuration - all within a 4MB CD iso
image! Capability to include additional software is also discussed in the
Eagle Linux 2.10 how-to, making it easy to create your own standard and
'business card' bootable CDs.
Comments (none posted)
IPCop
Firewall has released
v1.3.0 with major feature
enhancements. "Changes: The Linux 2.4 kernel and iptables are now
used. All ECI ADSL supported modems and the Alcatel Speedtouch 330 modem
are now supported. The port forwarding interface was improved with support
for port ranges and PPTP (GRE). Danish, Dutch, Greek, Norwegian, Spanish,
and Swedish languages are now available and can be selected from the Web
interface. Improvements were made to log reporting, the open connections
display, dial-on-demand traffic selection, and traffic graphing (which now
uses MRTG)."
Comments (none posted)
KNOPPIX has released
v3.2-2003-04-15 with minor
bugfixes. "Changes: This version cleans up the menu entries, fixes
bugs, and updates OpenOffice and ALSA."
Comments (1 posted)
LinuxInstall.org has released
v3.0. "Changes: New features include Mozilla 1.3, Evolution 1.2.4, and OpenOffice.org
1.1Beta. It also includes Blackdown Java Plugin 1.4.1 and Korean, Japanese,
Chinese TrueType fonts for Mozilla. OpenOffice.org 1.1Beta is very stable
and comes with many new features including PDF (Portable Document Format)
export and SWF (Macromedia Flash file format) export."
Comments (none posted)
MURIX Linux has released
v2003-04-22 with major
feature enhancements. "Changes: CPUs better than i486 are now
supported. Versions of packages in ramdisk.gz were updated. SCSI drivers
are not included except for IDE-SCSI emulation, and some PCI ethernet
adapters are supported."
Comments (none posted)
rpm-livelinuxcd has released
v0.9-98 with major
bugfixes. "Changes: The system was switched to a loopback
image. tmpfs support was added. Tools to find local Windows and Linux
partitions were added. Many bugs in buildroot toolkit were
fixed. /usr/share/doc and man-pages are now included. The RPM database is
included. The CDROM will now boot from any IDE CD drive if there is more
than one. Non-interactive hardware detection now works. The system now
works fine in a machine with 64MB of RAM."
Comments (none posted)
Trusted Debian has announced the release of v1.0. The announcement is also
available in Dutch. There is also a demonstration available. "The main
focus of this release has been on fixing many
(but not all) buffer overflow problems. Buffer overflows have been a
popular way to break system security for years. A large portion of the
Linux exploits found on the Internet today involve buffer
overflows."
Comments (none posted)
UHU-Linux has released
v1.0. "Changes: This stable release includes the 2.4.20 Linux kernel with ALSA, supermount,
and devfs. It also features glibc 2.3.2, GCC 3.2.2, and XFree86 4.3. GNOME
2.2.1 is installed by default, but KDE 3.1.1a, IceWM, Window Maker, and
BlackBox are included. A Hungarian spell checker is included and integrated
with OpenOffice.org and AbiWord. The installer and control center are
currently only available in Hungarian."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Christophe Geuzaine and Jean-François Remacle have authored a graphics
utility known as Gmsh.
Gmsh is an automatic 3D finite element mesh generator (primarily Delaunay)
with built-in CAD and post-processing facilities. Its primary design goal is
to provide a simple meshing tool for academic test cases with parametric
input and up-to-date visualization capabilities. One of its strengths is
the ability to respect a characteristic length field for the generation of
adapted meshes on lines, surfaces and volumes, and to mix these meshes with
simple structured grids.
Gmsh is built around four modules: geometry, mesh, solver and
post-processing. The specification of any input to these modules is done
either interactively using the graphical user interface or in ASCII text
files using Gmsh's own scripting language.
Some of the available Gmsh documentation includes the online reference
manual and FAQ.
The overview section of the documentation
mentions a number of possible applications for Gmsh.
As with most graphical software, the screenshots give you a good idea of
the software's capabilities.
Some interesting electrical, mechanical, and fluid engineering
drawings are included.
Version 1.44 of Gmsh has been released.
Changes include new documentation and PNG support; see the VERSIONS file
for more information on the project's history.
Gmsh is a cross-platform project; it runs on Linux, various flavors of
UNIX, and Windows. Gmsh is licensed under the GPL; downloads are available
here as tarballs and RPMs. Dependencies include the OpenGL libraries, GSL
(>1.2), and FLTK 1.1.X.
Comments (3 posted)
System Applications
Clusters and Grids
Version 2.2.1 of OSCAR
has been announced.
"The OSCAR working group is pleased to announce the release of version 2.2.1
of the Open Source Cluster Application Resources (OSCAR) toolkit. This
release offers full IA-64 support with the inclusion of updated SIS and
Kernel_Picker packages. OSCAR (Open Source Cluster Application Resource) is
a snapshot of the best known methods for building, programming, and using
clusters. It consists of a fully integrated and easy to install software
bundle designed for high performance cluster computing."
Comments (none posted)
Database Software
Joao Prado Maia
writes about Pear::DB and Smarty on O'Reilly.
"It can be difficult to separate business logic and formatting in PHP. There
are several good templating solutions, though, including the popular and
powerful Smarty. Joao Prado Maia demonstrates how to use Smarty with a
database back end through the PEAR::DB library."
Comments (none posted)
Education
Issue #94 of the
Linux in Education Report is out. Topics include
a genetic algorithm/evolutionary program, the Schoolforge UK status,
an interview with David Trask on
Linux at the Vassalboro Community School, the
DistrictDNA administrative software package,
some updated Linux training curricula, the
YOUTH Technology Summit in Pittsburgh, PA,
a new academic helpdesk application, and more.
Comments (none posted)
Printing
Version 1.1.19rc2 of
CUPS, the Common UNIX Printing System,
has been released with a number of bug fixes. See the
Release Notes
for more information.
Comments (none posted)
Web Site Development
Geoffrey Young
writes about
Apache 2.0 and mod_perl on O'Reilly.
"One of the more interesting and practical features to come out of the Apache 2.0 redesign effort is output filters. While in Apache 2.0 there are all kinds of filters, including input and connection filters, it's output filters that are most interesting to me - mostly because 2.0 discussions make a point of saying that it's impossible (well, really, really hard) to filter output content in Apache 1.3, despite the fact that mod_perl users have been able to filter content (to some degree) for years."
Comments (none posted)
Standards
Kendall Grant Clark
covers
the latest progress from the W3C's Technical Architecture Group (TAG).
"For a geeky journalist, or for anyone who cares about the infrastructure of the Web broadly conceived, watching the TAG can be an incredibly efficient use of one's time. Some of the most engaging, vital technical issues regularly fly over the TAG's transom--often in volumes which, or so I have suggested in the past, threaten to swamp TAG members. In short, if you want to take the technical pulse of the Web, surveying the lines and directions of its future development, watching the TAG at work is ideal."
Comments (none posted)
Miscellaneous
SourceForge has
an announcement for a new version of Etherboot.
"Etherboot is Open Source code for creating boot ROMs for network booting x86
platforms. It is also a coordination point for information about free
software related to network booting. eepro100 users should give this release
a try, hopefully it deals with the issues that caused the driver to be broken
after 5.0.7."
Comments (none posted)
Desktop Applications
Audio Applications
SourceForge has
an announcement for version 1.0.0 of Glame.
"Glame 1.0.0 is the first release of the stable series 1.0 that will be the
last Gnome 1.x based one. Compared to the 0.6 series improvements were made
to multitrack recording and speed. GLAME is targeted to be the GIMP for audio
processing. Currently we support non destructive multitrack editing and
recording, undo, redo, cut&paste and even realtime effects with OSS/ALSA."
Comments (1 posted)
Desktop Environments
GnomeDesktop has
an announcement for a new release of the
Bitstream Vera Fonts.
"There are four monospace and sans faces (normal, oblique, bold, bold oblique) and two serif faces (normal and bold). Fontconfig/Xft2 can artificially oblique the serif faces for you: this loses hinting and distorts the faces slightly, but is visibly different than normal and bold, and reasonably pleasing."
Comments (2 posted)
According to
GnomeDesktop, a
status report has been published for Coaster, a cd burning utility
for GNOME.
"One of the last pieces missing in GNOME 2 is a really nice cdburning
application. Sure the nautilus-burner is very nice, but it
doesn't really tackle the full spectrum of our burning needs ;)".
Comments (none posted)
Here is the GNOME Summary for March 30 - April 19, 2003. This week's
topics include: Desktop docs in more languages; Alleyoop plugs those
memleaks; GStreamer 0.6.1 and incoming developments; Bitstream Vera fonts
released; Running GNOME on your Laptop; Wrap GObjects in Python; The future
of Rhythmbox; Java and GNOME; GNOME in Hindi; Abiword and Evolution closing
in on GNOME 2; and much more.
Full Story (comments: none)
A project called Heartbeat, a server and service monitoring system
for GNOME,
has been announced.
Unfortunately, this creates a name collision with
the other heartbeat, part of the
Linux High Availability Project.
Comments (none posted)
The April 18, 2003 edition of the
KDE CVS Digest
is out.
"We can now do bash scripting in KDevelop. KGhostview gets command line switches and some bug fixes. Konqueror tab delay fixed again, Safari fixes to v68 (current is v73) merged. Kicker docking and Kwin crash bugs fixed."
Comments (none posted)
Games
New Python-based game software on the
Pygame site includes:
Bubbrothers 1.0 and Sulk .27.
Comments (none posted)
GUI Packages
GnomeDesktop
has announced the release of
Glade 2.0.0,
a user interface builder. Enhancements and bug fixes are included.
Comments (none posted)
Interoperability
Issue #166 of
Wine Traffic is out. Topics include:
WineX 3.0, TransGaming Updates, Interview with Marcus Meissner,
Updated To Do List, Updated Starcraft Patch,
Making Windres Similar to WRC, Patch Submission and Acceptance Issues,
and What It Would Take To Just Link With -lwine.
Comments (none posted)
Multimedia
Version 0.6.1 of
GStreamer, a streaming multimedia
framework, has been released.
"The GStreamer team is proud to announce an updated version in the
ABI-stable 0.6.x series, which features many bugfixes and some feature
improvements over the previous 0.6.0 release.
At this point in time GStreamer is fully functional for creating
audio-based applications, as shown by applications such as
gnome-sound-recorder, net-rhythmbox, sound-juicer and nautilus-media."
Full Story (comments: none)
Office Applications
Issue #140 of the
AbiWord Weekly News is out, with the latest AbiWord word processor
development news.
"In case you missed the major change to the development series...it's gone to 1.9.0! Martin's continued to work on the future Nautilus View for Abi while the Macintosh port, happy with its progress in Cocoa, has discontinued the Carbon porting. On that note, it would be nice if someone familiar with Cocoa might consider taking up some of its development with the AbiTeam. A usability point comes to light after last week's preview of the Win32 work for the format table dialogue with a counter-visual from GNOME 2. Sinitsyn Valentine continues work on mingw for Win32 users."
Comments (none posted)
GnomeDesktop
covers
the release of AbiWord 1.9.0.
"The Abiword team is moving closer to Abiword 2.0 at top speed. In their
effort to beat Evolution in a race to be first to complete the GNOME 2 port,
they released the 1.9.0 development release today."
Comments (none posted)
A new version of the SQL Ledger accounting package
has been released.
Changes include support for balance sheet and income statement
subtotals, tightened security, updated translations, and more.
Comments (none posted)
Web Browsers
GnomeDesktop has
an announcement for two new releases of
Galeon, a minimalist
web browser.
"1.2.10 is a simple bug fix and api sync update for the 1.2.x branch.
Tommi thinks I'm weird for bothering anymore. :-)
1.3.4 is a pretty big release. We've restored all the
cookie/image/password handling capabilities that 1.2.x has".
Comments (none posted)
MozillaZine
mentions that a new Mozilla build is available.
"Asa Dotzler writes in with news that release candidate builds of Mozilla
1.3.1 are now available. The main fix in 1.3.1 is the restoration of
XPInstall for Mac OS X but the release will also include a few other bug
fixes. Read Asa's message for full details and download links."
Comments (none posted)
The April 18, 2003
Mozilla status update has been published. Check it out for
the latest Mozilla development news.
Comments (none posted)
Miscellaneous
The first release of Chandler (the personal information manager system
being developed by Mitch Kapor's Open Source Applications Foundation) is
now available. It is an early (v0.1) release, aimed more at letting people
look at the code than providing a useful application.
Full Story (comments: none)
The April 17-22, 2003 edition of the
Mono Weekly News is out with the latest Mono project development
news.
Comments (none posted)
Languages and Tools
C
Pawel Leszek
shows how to work with C/C++ on the Eclipse Platform.
"Get an overview of how to use the Eclipse Platform in your C/C++ development projects. Though Eclipse is mainly a Java development environment, its architecture ensures support for other programming languages. In this article, you'll learn how to use the C/C++ Development Toolkit (CDT), which is the best C/C++ toolkit available for Eclipse."
Comments (none posted)
Caml
The April 15-22, 2003 edition of the Caml Weekly News is out
with current Caml language news.
Full Story (comments: none)
COBOL
New documentation is available for
TinyCOBOL.
"There's a Spanish translation of the introduction to Tiny Cobol by Juanjo and a new FAQ by Ronald."
Comments (none posted)
Java
O'Reilly has published
an excerpt from the book "Java Extreme Programming Cookbook".
"In this first sample recipe from O'Reilly's Java Extreme Programming Cookbook (from Chapter 5 on "Ant"), you'll learn how to set up an efficient development environment using an Ant buildfile. In the coming weeks, we'll offer sample recipes from the book on Mock Objects, JUnitPerf, and XDoclet, so check back here over the next few weeks to sample the latest recipes."
Comments (1 posted)
Brian Goetz
looks at Java performance issues on IBM's developerWorks.
"Unfortunately, many pointers and tips about Java performance tuning are a lot like urban legends -- someone, somewhere, passes on a "tip" that has (or had) some basis in fact, but through its continued retelling, has lost what truth it once contained. This month, Brian Goetz examines some of these urban performance legends and sets the record straight."
Comments (none posted)
Perl
The April 14-20, 2003 edition of
This Week on perl5-porters is out.
"Not a good week to stop smoking! Test-wise, that is. In this week's
summary, read about configuration changes, language proposals, and the
usual amount of bug fixes."
Comments (none posted)
The April 13, 2003 edition of
This week on Perl 6 has been published.
Topics include: Support for true and false properties,
PMC elements() inaccessible from the assembler?,
Parrot on Win32, Dan's Blog, and Meanwhile over in perl6-language.
Comments (none posted)
PHP
Topics on this week's
PHP Weekly Summary include:
PHP in CVS, Status of 4.3.2 RC 2, building for hosting, get_class() for ZE2, stream filter patch, and broken array pointer.
Comments (none posted)
Python
The April 21, 2003 edition of Dr. Dobb's Python-URL! is available
with the usual assortment of Python stories and links.
Full Story (comments: none)
David Mertz
writes about Python metaclass programming on O'Reilly.
"Classes and objects are simple, right? Once you really get it,
isn't that all there is? Well, no--there's a whole class of advanced
object-oriented techniques to make your code simpler, stronger,
and more elegant. This week,
David Mertz explains metaclasses--the building blocks of classes.
Though the
examples are in Python, the ideas translate to many other languages."
Comments (none posted)
Ross Burton
discusses the wrapping of GObjects in Python.
"Learning how to wrap GTK+ C modules for use in Python will enable you to use a C-coded GObject in Python whenever you like, whether or not you're especially proficient in C."
Comments (none posted)
Ruby
The March 21, 2003 edition of the
Ruby Weekly News
is out. Topics include the latest ruby-dev summary, Ruby's history,
and Ruby in a university course.
Comments (none posted)
Scheme
The April 21, 2003 edition of the Scheme Weekly News is out
with the latest Scheme language news.
Full Story (comments: none)
Tcl/Tk
The April 21, 2003 edition of Dr. Dobb's Tcl-URL! has been published.
Check it out for the latest Tcl/Tk news.
Full Story (comments: none)
Version 1.6.0b2 of Visual Tcl
has been released.
"This release fixes
problems seen with the img package on Tcl/Tk 8.4.2, hanging vTcl on startup
or with broken image links. More simple tutorials have been added, and
support for creating and reusing megawidgets enhanced. Easy implementation of
modal dialogs can be done with the toplevel alias command."
Comments (none posted)
XML
Mark Pilgrim
examines what will be dropped in XHTML 2.
"Last month I promised an article on the venerable <img> tag, which has been dropped from XHTML 2.0. It was supposed to be a gentle introduction to "stuff we lose in XHTML 2.0, and what we gain in return". However, during the course of researching, I realized that it was turning out to be not so introductory after all. So you'll have to wait another month for that.
There are several key elements and attributes that are slated to be dropped from XHTML 2."
Comments (none posted)
Miscellaneous
KDE.News has
an announcement
for version 3.0 Alpha 4a of
KDevelop, a C/C++ IDE
for KDE.
"The KDevelop team announces the availability of KDevelop 3.0 Alpha 4a (yes, 4a).
In the more than 3 months since the last release, many new features
have been added, bugs have been squashed, and existing features have been
refined and polished."
Comments (none posted)
Sourceforge has
the announcement for version 0.8rc1 of Treebeard/Fangorn.
"Treebeard is an XSLT IDE written in Java; a text editor that allows the
loading and editing of an XML document and an XSLT document at the same time.
It also can apply the XSLT to the XML and display the output for further
editing/saving. Pluggable XML and XSLT parsers. The new 0.8rc1 version fixes
several bugs from the 0.7 version; it also adds the ability to save your
desktop, and has look and feel support."
Comments (none posted)
SourceForge has
an announcement for version 0.1.5 of CUTE, a Qt-based programmer's
editor. "With this release, key mapping can now be done with map python function. There is
also a dialog for shortcut manipulation. Began to implement ctags support."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
News.com
looks at
software patents and how they might affect open source software.
"Software patents sometimes cause legitimate controversy not because
computer programs somehow differ from other patentable technologies, but
because patents on software are relatively new. Undergirding every patent
is faith that the U.S. Patent and Trademark Office has performed a
competent literature search, and awarded patent protection only to subject
matter that's "inventive"--i.e., new and different from prior work. That
faith has been sorely tested in the software arena." (Thanks to
Richard Jones)
Comments (8 posted)
A new
XFree86 project mission statement has been published.
The statement defines the project's primary goals, formal organizational
structure, and daily operational structure.
Comments (3 posted)
Trade Shows and Conferences
The Register
reports on who was not invited to the O'Reilly Emerging Technology Conference.
"So it's odd, when you peruse the Emerging Technology Conference agenda, to
get the sense that you're staring at a scene that resembles the Scientology
cult. It achieves this spooky effect by pandering extensively to a tiny part
of the idea spectrum and excluding not just important historical figures with
rich contributors to make, but emerging researching entrepreneurs and
researchers, too."
Comments (1 posted)
Companies
MozillaZine
reports
that IBPhoenix, the FirebirdSQL Foundation sponsor who yesterday called for
a mass forum posting and emailing campaign in opposition to Phoenix's
renaming to Firebird, has reconsidered the scale of its protest.
Comments (2 posted)
News.com
covers the
release of SuSE Linux for Opteron. "
SuSE has been a tight AMD
partner, beginning work in 2000 to create a version of Linux for Opteron
and future members of the x86-64 chip family such as Athlon 64. Rex said
AMD took suggestions on how best to design the chip's circuitry for running
Linux, and when the first chip prototype emerged, it took three days to get
the SuSE version up and running."
Comments (none posted)
Linux Adoption
ComputerWorld
looks
at the reasons a large moving company has moved their computers to
Linux. "
All-American, which is the largest moving agent under the
Mayflower Transit LLC banner, settled on Linux last year as it sought
cheaper alternatives to rising licensing costs for Microsoft Corp.'s
Windows 2000 server operating system, Pekol said. The company was also
worried about security issues with Windows NT and 2000. "Windows NT servers
are constantly being hacked, so we were very concerned about customer
data," Pekol said." (Thanks to Peter Link)
Comments (none posted)
Interviews
IBM developerWorks
interviews
Andrew Tridgell on his latest Samba rewrite. "
And what exactly does
Tridge have to say about exotic filesystem backends? It turns out that
since being hired by IBM's Almaden Research Center in January of this year,
the Australian hacker has been working on pushing Samba beyond the POSIX
world and figuring out what work needs to be done to get Samba to support
new filesystems such as XFS, ext3, and Storage Tank. The answer is nothing
less than a complete rewrite of Samba's smbd code, which has become his
latest pet project."
Comments (2 posted)
InfoWorld has an
interview
with Marten Mickos, CEO of MySQL. "
MM: We are never on the bleeding
edge, but we are fast movers. We hadn't spent millions on .Net thinking,
but when we decided to get into it we immediately created a .Net interface
and were the first non-Microsoft database to have that available. That's
how we deal with any new technology. We take our time, but once we move, we
move fast. XML will clearly be an important standard in the future and for
us it is a tactical decision when to provide that functionality."
(Thanks to Peter Link)
Comments (3 posted)
MozillaZine
interviews
Ann Harrison, project administrator of the Firebird Database Project.
"A little bit of history here. Borland owns the InterBase copyright
and released one version under a variant of the Mozilla license in July of
2000. Borland declined to allow write access to "outsiders" and to accept
contributions from them -- us. Mark O'Donohue and a few others who wanted
to work on the code created a fork and called it Firebird. All work on
InterBase Open Edition has stopped. Firebird is an active project."
Comments (none posted)
Here's an
interview with Eric
Laffoon and András Mantia about the Quanta Plus project. "
My
vision for Quanta is to make it the next "killer app" on Linux. Even though
the use of web development tools is currently limited among computer users
I feel there are two key aspects people overlook when they say that Quanta
is not well suited for this mantle." (Thanks to Navindra Umanee)
Comments (none posted)
Computer Reseller News
talks
with SCO CEO Darl McBride about the IBM lawsuit. "
There will be
a day of reckoning for Red Hat and SuSE when this is done. But we're
focused on the IBM situation." (Found on
Slashdot).
Comments (20 posted)
Resources
O'Reilly
begins a multipart series on secure programming, with excerpts from
Practical Unix & Internet Security, 3rd Edition.
"Software engineers define errors as mistakes made by humans when
designing and coding software. Faults are manifestations of errors in
programs that may result in failures. Failures are deviations from program
specifications. In common usage, faults are called bugs."
Comments (3 posted)
Here's
a Linux Journal article on how to use the (much underutilized) fair queueing features of the Linux networking subsystem.
"We'll use a fairly simple kernel filter called
u32 to ferret out interactive traffic (looking at the ToS or Type of
Service field in the packet), bump it to the head of the line
outbound and set the bulk traffic filter ('queueing discipline') to use
only a percentage of the outbound bandwidth."
Comments (none posted)
NewsForge
looks at
reports from research groups like Gartner and Illuminata.
"Gartner vp's George Weiss and Andy Butler replaced a two-year-old
generic "Linux" entity on the Midrange Server Magic Quadrant with three
specific Linux servers. In addition to the Red Hat AS ranking, Weiss and
Butler awarded respectable positions to Linux on IBM zSeries and SuSE on
x86."
Comments (none posted)
Reviews
Vnunet
surfs the web with
Opera, version 7. "
The Opera 7.10 browser for Linux Beta, which is
shipping alongside Opera 7.10 for Windows, comes with features that the
company claims "are not only new to Opera, but also completely new to the
world of browsing"."
Comments (2 posted)
Miscellaneous
Here's a NewsForge article
covering
the appointment of Stu Cohen as the first CEO of the Open Source
Development Lab. "
Stu Cohen, the new CEO, will concentrate on
corporate Linux evangelism. We had a brief AIM chat with Cohen Friday. He
didn't have much to say; he's only been on the job for a few days, after
all. But it's nice to see a new face in charge of this valuable Linux and
Open Source organization, and to learn a little bit about him."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Center of Open Source & Government has announced that it will
publish
The Open Source Reference Book 2003 subtitled [What
Local/National Governments, the Defense Establishment, and The Global 1000
Need To Know About Open Source Software]. This is a request for
submissions.
Full Story (comments: 8)
Commercial announcements
MontaVista Software has
announced that Mitsubishi Heavy Industries Ltd. has chosen MontaVista
Linux to power 'wakamaru,' the first human-size robot that can provide
companionship, or function as a caretaker and house sitter.
Comments (7 posted)
Engineered Intelligence Corporation (EI) has
announced that the next "GRID WARS" parallel programming challenge will
be held live at the ClusterWorld Conference and Expo in San Jose, June
23-26. HP will provide a Linux-based Itanium cluster for the challenge.
Comments (none posted)
Axis has
announced the availability of the "AXIS 83 Device Server." It's a Linux-based single board system with two Ethernet ports, a USB port, and some flash memory. It looks like a fun toy for the creation of well-connected embedded systems.
Comments (none posted)
Linux Professional Institute has
announced that Novell has selected LPI's professional certification
program as a step towards its own Novell Certified Linux Engineer (Novell
CLE). LPI exams are now available at Novell's Utah test centers as part of
the Novell CLE certification program.
Comments (none posted)
Resources
The folks at Cybersource have taken a long look at the Microsoft Windows XP
Professional end user license agreement and produced a document comparing
it, in detail, to the GPL. The result is available as
a
30-page PDF file. It is a good analysis of what a user is getting into
by agreeing to either license.
Comments (7 posted)
Upcoming Events
Jupitermedia Corporation has
announced
that IBM has signed on as the Cornerstone Sponsor for its upcoming
Enterprise Linux Forum Conference & Expo, to be held June 4-6, 2003 at
the Santa Clara Convention Center in Santa Clara, California.
Comments (none posted)
The first Linux Summit in Finland has been declared a success for both
organizers and attendees. Arranged by SOT in co-operation with HP, Oracle
and F-Secure, the conference attracted close to 400 visitors from Finland's
largest corporations and public organizations.
Full Story (comments: none)
The PHP conference circuit heads to New York City this week with an
expanded program that includes a third day of tutorials and several new and
returning PHP gurus. PHPCon East 2003, the first of two regional,
PHP-centric shows scheduled in 2003, runs April 23 to 25, 2003 at the Park
Central Hotel in New York City, NY.
Full Story (comments: none)
Pogo Linux Inc. has
announced
it will provide free, round-trip transportation for Seattle-area attendees
to LinuxFest Northwest (LFNW) in Bellingham, Washington, on Saturday, April
26, 2003.
Comments (none posted)
The Open Group Conference / Open Source in the Enterprise event
will be held in London, England on May 7, 2003.
Full Story (comments: none)
A Call for Papers has gone out for the Fifth Real-Time Linux Workshop,
to be held in Valencia Spain on November 9-11, 2003.
Full Story (comments: none)
The WSJX 2003 series will be held across Europe from
September 15 - October 30, 2003.
"LogOn is launching a new series of pan-European events which integrates and expands the existing series of XML and Java Days into a comprehensive pan-European tour focusing on Web Services, Java and XML."
Full Story (comments: none)
| Date | Event | Location |
|---|---|---|
| April 24 - 26, 2003 | Embedded Systems Conference (ESC) | (Moscone Convention Center) San Francisco, CA |
| April 24 - 25, 2003 | The O'Reilly Emerging Technology Conference | (Westin, Santa Clara) Santa Clara, CA |
| April 24 - 25, 2003 | PHPCon East 2003 | (Park Central Hotel) New York, NY |
| April 25 - 26, 2003 | Scandinavian Perl Workshop | (Symbion Science Park) Copenhagen, Denmark |
| April 28 - 30, 2003 | Real World Linux 2003 | (Metro Toronto Convention Centre) Toronto, Canada |
| May 2 - 4, 2003 | Penguicon | Warren, Michigan |
| May 3, 2003 | International Conference on Software Engineering 2003 | Portland, Oregon |
| May 7, 2003 | The Open Group Conference/Open Source in the Enterprise | (Hilton London Paddington) London, England |
| May 8 - 9, 2003 | International PHP Conference, 2003 | Amsterdam, the Netherlands |
| May 11 - 14, 2003 | The International Symposium on High Performance Computing Systems and Applications (HPCS 2003) | (Sherbrooke Delta Hotel) Quebec, Canada |
| May 11, 2003 | Yet Another Perl Conference, Israel (YAPC::Israel::2003) | (C.R.I.) Haifa, Israel |
| May 15 - 16, 2003 | YAPC::Canada | (Carleton University) Ottawa, Canada |
| May 25 - 27, 2003 | GCC Developer's Summit | Ottawa, Canada |
| May 28 - 30, 2003 | Open Source Content Management, 2003 (OSCOM) | (Harvard Law School) Cambridge, Mass |
| May 30 - 31, 2003 | 4th European Tcl/Tk Users Meeting (Tcl'Europe 2003) | Nürnberg, Germany |
| June 4 - 6, 2003 | Enterprise Linux Forum Conference & Expo | (Santa Clara Convention Center) Santa Clara, California |
| June 9 - 14, 2003 | USENIX 2003 | (Marriott Hotel) San Antonio, TX |
| June 10, 2003 | Linux For Business | (The Commonwealth Institute) London, England |
| June 16 - 18, 2003 | Yet Another Perl Conference::North America (YAPC::2003) | (Florida Atlantic University) Boca Raton, FL |
| June 16 - 18, 2003 | GNOME User and Developer European Conference (GUADEC) | (Trinity College) Dublin, Ireland |
| June 18 - 23, 2003 | Open Source Clinical Application Resource Workshop (OSCAR) | (McMaster University) Ontario, Canada |
Comments (none posted)
Web sites
Use Perl
mentions the move and rework of the
Perl Beginners' Site,
a resource for new Perl programmers.
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | Paul Sheer <psheer@icon.co.za> |
| To: | letters@lwn.net, psheer@icon.co.za |
| Subject: | Deploying Linux on the Desktop |
| Date: | Sat, 19 Apr 2003 15:49:42 +0200 |
Deploying Linux on the Desktop
------------------------------
This is a discussion to try to explain some of the deficiencies
in Linux desktops that make it difficult to deploy to mass end
users. It's intended for sysadmins who are trying to install
Linux for users familiar only with Windows, and for developers
who are designing user interfaces.
I recently had a dinner conversation with Jon "Maddog" Hall,
who insisted that it was feasible to deploy Linux in a typical
end user environment as a replacement to Windows. I think he
presents the opinion of most Linux enthusiasts: most such
people believe that performing such a deployment is feasible
and that it is really managers who are stalling the migration
process only out of dogma.
Now there is only one group of individuals that can say for
certain whether such a deployment is possible. This group are
the end user supporters that have actually tried to do such
deployments. We should look at their experiences for
understanding. On the other hand, thought experiments that use
software feature counts as input are theoretical and
inconclusive.
Small businesses (10-50 employees) are the target market here.
This is the bulk of most economies. Most such discussions
ought to clarify that the large cubicle farms of Dilbert are
actually a rare minority and not worth consideration at this
time.
Here is a list of problems and experiences:
1. Manager: "I tried to buy a cinema ticket on this web site
with my credit card and it didn't work. My other Internet
purchases work fine, what's wrong with this site?" I
discovered that the problem was some incompatible JavaScript
that only IE could handle. I found that he could use Konqueror
on that site. He started using Konqueror, but certain sites
only worked with Mozilla, and the time fiddling trying to get
things working was starting to escalate. This irritated the
manager who then decided that Linux was not for him, and that
he would rather continue with Windows even if he had to reboot
twice a day, etc.
2. How do I save to my CD-Writer? On Windows, I believe this
is merely a drag and drop operation --- all writing is handled
transparently. On Linux we have several comprehensive
interfaces with an enormous range of options. Even if I could
get an average user to remember the sequence of steps needed
to create a working CDROM, they would be convinced that
something was wrong with "Linux" because of the large number
of steps necessary.
3. Word document formats. Word documents load perfectly under
OpenOffice. But that's theory talking again. In practice, if
someone emails me a complex 50 page document, a secretary
cannot load it with OpenOffice, make a few changes, save it
again in Word format, and email back and expect all formatting
to be preserved. Most users are impressed by OpenOffice's
ability to handle Word documents... until the day comes when
they have to spend hours fiddling with the paragraph spacing,
margins, and page breaks --- all to get a once perfect
document looking the way it already looked under Word.
4. "A:" Drives. It took the average Windows user weeks to get
used to the abstraction that an "A:" represents a floppy
drive and a "C:" represented an internal drive. From file
managers in Windows, it is universal and trivial to save a
file to floppy. Many secretaries (who should be using SMB or
email) still insist on exchanging files by floppy disk. On
Linux, there are those extra few clicks that frustrate such
users and make them think there is something wrong with Linux.
Even the fact that "A:" might be called a different thing
under Linux makes them think that there is something wrong
with Linux.
5. Excel spread sheets / PowerPoint presentations / Drawing
Programs. There are many file formats that are problematic.
Moreover, the Linux equivalents of such programs are never
easier to use than the Windows ones. Also, in each case there
is some additional complexity when trying to include one kind
of document inside another kind. The user can easily be shown
how to do it, but they will not remember it when they have to
do it again next week. This will frustrate them.
6. Scanning: see point 2. Windows has several idiot proof
single click scanning programs. Even if you totally botch it,
you still get a 30 Meg A4 TIFF file that you can email to your
granddaughter.
7. Hardware. Every office has at least one piece of hardware
that you are going to need to replace. Finding replacements is
time-consuming. Even to establish what software within that
Linux distribution is responsible for the deficiency, is a
massive problem for any small business.
On Linux, *almost* everything works fine. On Linux almost
*nothing* takes fewer clicks or is easier than Windows.
Users just want things to be the same as they are used to. Any
change is difficult for them to master and wastes precious
office hours.
Unless Linux distributions can come up with a desktop that is
click-for-click the same to operate as Windows, there is no
chance of migration.
Here are some axioms for developers and people who create
Linux distributions:
0. Any computer experience that is not *even* *easier* to use
than Windows will not be able to compete. All other reasons to
switch to Linux are precluded by other solutions that the vast
Windows development community is constantly inventing.
1. An extra configuration parameter is a poor excuse for not
thinking about what the default SHOULD be. Example:
application fonts being too small at 1280x1024. There should
be no setting to change the application font --- the most
readable font should be the default.
2. If a user EVER has to type any command at a shell prompt,
then the operating system is broken. Example: when do you have
to supply DOS commands under Windows or MACs?
3. If it takes one more click than on Windows, then you might
as well not have that feature because Windows users are not
going to remember the steps to carry out.
4. Desktops are confusing to users. The more lights and
buttons, the more difficult it is to remember what to click
on. 90% of buttons under KDE/Gnome will never get selected. If
you have more options than Windows, then users will get
confused.
5. End users of Windows are FAR less intelligent than you
might expect. It's EXTREMELY difficult for them to remember
even how to select bold fonts under a word processor. You will
probably have to train a person for two hours just to show
them how to do headings, bold, and italic under Word. A week
later they will have forgotten unless they are pressured with
constant repetition.
6. Most people are not interested in playing MP3 files.
7. Almost no people anywhere are interested in authoring their
own raster images.
8. A GUI that does not factor in the intelligence of the
end-user is useless. The intelligence of the developer is
vastly superior to that of the end-user. This gap has been
underestimated by all software vendors except Microsoft.
-paul
Postscript: I suspect that people are going to be offended by
my insistence that end-users are near-retarded. To be offended
by an undeniable fact is stupidity in and of itself. Developers
tend to assume a tremendous amount --- just to be able to
understand the concept of abstracting a problem into a
sequence of steps requires tremendous genius (by comparison to
the average person). Such genius should be normal. In fact it
is rare --- there are very few software developers compared to
clerks, salesmen, and cleaners. The intelligence to view a
computer screen (that is essentially inoperative) and surmise
that its pictures are in fact control switches, requires a
leap of faith which an unintelligent person is going to
require much time and training to make. The average desktop
interface has thousands of lines and glyphs. Making sense of
them is extremely complex for most people. DO NOT assume that
because all-the-people-you-know are able to fiddle to get
something to work that the majority fit that same category. If
you really want to understand the end-user then go take a
training course that introduces first time users to MSWord.
Comments (19 posted)
| From: | Jonathan Walther <krooger@debian.org> |
| To: | letters@lwn.net, asa@mozilla.org, mitchell@mozilla.org, hyatt@apple.com, shaver@mozilla.org |
| Subject: | Good alternative names for Mozilla/Firebird |
| Date: | Wed, 23 Apr 2003 09:45:59 -0700 |
There is a famous Russian folk story about a Firebird, which was made
into a beautiful piece of music by composer Igor Stravinsky. The
Russian word for firebird is "zhar-ptitka", or "heat-bird". I suggest
the Mozilla team solve the hard feelings they have caused with the
Firebird database project by choosing another name based on the Russian
word for Firebird.
If that is not satisfactory, "ere" from irc.mozilla.org suggested the
Finnish word for firebird: "Tulilintu".
Given the strong folktale associations most people have of the word
"firebird", it would be compellingly appropriate to revive the name in
one of its original languages.
Please show us that you aren't barbarians; please show us that you have
some culture. For the goodwill of the Free Software community and the
world at large, please change the "Firebird" project's name to one that
will be both more distinctive, and aesthetically pleasing.
Cheers!
Jonathan
--
Geek House Productions, Ltd.
Providing Unix & Internet Contracting and Consulting,
QA Testing, Technical Documentation, Systems Design & Implementation,
General Programming, E-commerce, Web & Mail Services since 1998
Phone: 604-435-1205
Email: djw@reactor-core.org
Webpage: http://reactor-core.org
Address: 2459 E 41st Ave, Vancouver, BC V5R2W2
Comments (none posted)
| From: | Ewen McNeill <ewen@naos.co.nz> |
| To: | atorrey@cybercom.net |
| Subject: | LWN: Searching for software or having an itch... |
| Date: | Thu, 17 Apr 2003 16:05:20 +1200 |
| Cc: | letters@lwn.net |
In a letter to LWN you write:
>I just had a need to make a few campaign signs for my effort to get
>elected to Town Meeting locally. I'm a really lousy artist, so I had the
>idea of printing out the content of my signs on letter paper using very
>large type, and either gluing the paper printout onto my poster-board
>signs, or cutting them out in order to make stencils.
>[....]
>We couldn't find anything on Google, searching on things like 'Linux
>Large Fonts' gave lots of advice on changing font size on the video
>display, but no programs.
The traditional program for doing this under unix is: banner.
On my Debian Linux system it is in /usr/games/banner, from the package
bsdmainutils.
banner produces large letters in ASCII-art form, i.e. by drawing them with
ASCII letters. It dates back to the days when line printers were king;
the earliest copyright date in it is 1980.
>I'm not sure what the answer is, but it seems to me like the Open Source
>world needs a better CENTRAL catalog of available software
http://freshmeat.net/
It's not perfect, but it's the closest thing there is to a central catalog,
and generally I've found it useful when I've got a "I need a program to do
this" type query. However sometimes browsing through an appropriate
category is more useful than word-based searching.
In addition to that I use Debian's package repository:
apt-cache search ....
on a debian system; or visit:
http://www.debian.org/distrib/packages
and use the search forms there. Debian is useful for this because
they have a lot of free and open source software packaged.
Sourceforge: http://sourceforge.net/ can also be useful, but only for
the fraction of open source software hosted on SourceForge (maybe 30%-40%
at most).
Google is useful for some things, but you need to be very particular with
your search terms some of the time to narrow the results down to the right
set of things, otherwise as you found you end up with "lots of similar but
not the same thing" hits.
Ewen
Comments (3 posted)
Page editor: Jonathan Corbet