
LWN.net Weekly Edition for August 7, 2008

Kernel Hacker's Bookshelf: The Practice of Programming

August 6, 2008

This article was contributed by Valerie Henson

In The Mythical Man-Month, Fred Brooks observes that the productivity of experienced programmers frequently varies by a factor of 10 or more. What makes the 10x programmers so much better? Undoubtedly some of the difference is due to native facility with language or logic. But even with these advantages, no one is born writing beautiful, elegant, maintainable code; everyone goes through a learning process.

How do we learn to be good programmers? In many ways, the art of computer programming is still stuck in the era of the master-apprentice system. Some of us are lucky enough to learn to program in something like "the UNIX room" at Bell Labs, where you could shoulder-surf the likes of Ken Thompson and Dennis Ritchie. Occasionally someone practices pair-programming instead of just arguing passionately about it, and once in a very long while, a 10x programmer will actually teach another person how to program. Unfortunately, formal university education rarely teaches students about the practical aspects of programming, as any holder of a computer science degree will readily attest, and few programmers have the time, interest, or ability to write accessible books about programming. As a result, most programmers are doomed to a decade of re-inventing wheels by trial and error.

Brian Kernighan and Rob Pike are two 10x programmers who do have the time, interest, and ability to write a book about software engineering best practices. The Practice of Programming aims to fill the gaps in the training of most computer programmers. From the book:

Topics like testing, debugging, portability, performance, design alternatives, and style - the practice of programming - are not usually the focus of computer science or programming courses. Most programmers learn them haphazardly as their experience grows, and a few never learn them at all.

This book probably won't make you ten times more productive, but it can easily make you twice as productive (and half as frustrated). If I could send one book to a programmer trapped on a desert island, this would be the book - and I'd send the same book to the new programmer who just joined my development team.

Overview

The Practice of Programming differs from most programming books in several enjoyable ways. Rather than promoting a particular new programming philosophy, Kernighan and Pike focus on three principles: simplicity, clarity, and generality. As you might guess from the title, the book is short on theory and long on practice. About one third of the ~250 page book is taken up by actual real-world example code, starting with the original dodgy code and showing the step-by-step evolution to better code. Most examples are in C, but the principles illustrated readily translate to other languages.

The writing style of this book is refreshingly practical and down-to-earth, without losing generality. The authors avoid stark black-and-white pronouncements, preferring to discuss why different techniques are useful under different conditions. Clarity is another hallmark of their style; they use as few words as possible to clearly state each point, and dismiss trivialities and side issues quickly and cleanly. A typical example of this approach is their advice on brace and indentation style: "The specific style is less important than its consistent application. Pick one style, preferably ours, use it consistently, and don't waste time arguing."

The book is organized into nine chapters, each covering a topic such as testing or debugging that usually requires an entire book on its own. The table of contents includes headings like "Test as You Write the Code," "Consistency and Idioms," "Strategies for Speed," "Other People's Bugs," and "Programs that Write Programs." I can't cover the whole book in this review, but I'll go into detail on two of my favorite chapters, "Performance" and "Notation."

Performance

The introduction of this chapter gives some very direct advice: "The first principle of optimization is don't." Computers are fast - go run lmbench on your desktop to update your sense of just how fast. For example, some system calls are now in the sub-microsecond range under Linux on modern hardware. Armchair optimization - the practice of making small theoretical optimizations as you code, at the expense of readability, portability, or correctness - is especially foolish in light of Donald Knuth's observation that 4% of the code typically accounts for more than half of the run-time of the program. Kernighan and Pike's first piece of advice is to write simple, clear, concise code, and optimize only when you have some tangible reason to do so.

The chapter begins with a real-world optimization problem: a spam-filter that worked well enough in testing but bogged down in production. The tangible reason for optimizing this program is that the mail queues were filling up with undelivered mail - a clear justification for optimization if there ever was one. The authors show the process they went through to optimize the spam-filter, step-by-step: profiling, analysis, a first attempt at optimization, re-factoring the problem, addition of pre-computation, and measurement of the results. This overview is welcome not only as a good programming war story but also because the overall flow of code optimization is non-obvious (otherwise, "How would you go about optimizing a program?" would not be such a common interview question).

The rest of the chapter talks about best practices for each step of optimization. The first topic is timing and profiling, as it should be. All too often, even good programmers measure performance by "feel" - if you don't believe me, search LKML. Sometimes no easy tool exists to measure what is being optimized, but it's still better to write some kind of measurement tool, no matter how clunky or approximate. Human perception and judgment are heavily influenced by preconceptions and the vast majority of theoretical optimizations have negligible effects on performance. A more subtle piece of advice is to turn performance results into pictures or graphs. Chris Mason's seekwatcher is an excellent example; it turns block traces into graphs - and even movies!

The authors cram a surprisingly complete demonstration of profiling into less than two pages, using prof on their spam-filter as the example. They show how to identify hot spots and do basic sanity checking on the results - e.g., match up the number of times a function call shows up in the profile with the number of iterations of the main loop. While they include some caveats on trusting profiling results, I wish they had spent some time on the design of profiling tools to show the kinds of biases and errors that so often make profiling results misleading. Perhaps it's because I work on systems software, but I've found that I really have to know the details of whether the profiler is using a periodic timer, hardware counters, includes time spent sleeping for IO in the kernel, how many events are dropped or missed, etc. A useful technique to demonstrate, and one in keeping with their minimalist, do-it-yourself philosophy, would be manually bisecting the code with timers to find hot spots when normal profiling tools fail.

The discussion on rewriting code goes beyond "find the top function and optimize it" - it also addresses eliminating calls to hot functions entirely and doing modest amounts of pre-computation. A fair portion of the section on code tuning has been superseded by improved compilers which can do, e.g., loop-unrolling automatically, but it still teaches valuable lessons about how to read code and understand its true cost and complexity.

Notation

The chapter on notation unfolds elegant, beautiful solutions one by one, turning normally painful problems into fun coding exercises. Each technique - little languages, special-purpose notation, programs that write programs, virtual machines - is accompanied by a concrete demonstration of how to implement the bare minimum of the technique to get the job done. The suggestion to "write a new language" seems absurd in the face of most day-to-day programming problems, but writing a very small, very specialized language can save the programmer much time and many bugs, even when replacing only a few hundred lines of conventional code. Their first example, after printf() format specifiers, is a notation for packing and unpacking network packets. I recently implemented this technique and can report that it worked beautifully, repaying the time I invested in it within days of completion.

Another exercise in minimalism is their demonstration of how to write a basic grep in around 100 lines of C, without relying on external libraries. Most of us will never need to re-implement regular expressions from scratch, but we may encounter a problem best solved by writing a small general purpose pattern matcher.

Another example demonstrates the power (and danger) of keeping a variety of scripting languages and data processing tools at your fingertips. The authors implement a crude text-only web browser with about 50 lines of Awk, Tcl, and Perl, again using only built-in language support and no external libraries or modules. Here as elsewhere, Kernighan and Pike refuse to make hard and fast assertions about the One True Scripting Language; they'd rather you used the right language for the right job. From the book:

These languages together are more powerful than any one of them in isolation. It's worth breaking the job into pieces if it enables you to profit from the right notation.

It can be argued that this approach is less justified now, given the modern plethora of scripting languages written specifically to address the limitations of earlier scripting languages. However, their argument still rings true for me, as someone who has never settled down into one scripting language. I have a decade of experience using a hodge-podge of random scripting languages, and when I do write in one scripting language, I end up spending a lot of time contorting language features to fit situations they were not designed for.

The section on virtual machines shows how to implement a minimal special purpose virtual machine (the Z-machine for Zork comes to mind immediately). The remaining sections cover programs that write programs, using macros to generate code (a common technique in Linux header files), and just a little taste of run-time code generation.

Summary

The Practice of Programming embodies its own principles: simplicity, clarity, generality. First published in 1999, it has aged well due to its focus on general principles of good programming rather than language-specific tricks and tips. The book has something to offer to programmers at all levels of experience; beginners will benefit most but experienced developers will appreciate the more advanced and subtle techniques in the later chapters. Of all the books on the Kernel Hacker's Bookshelf, this one should never be missing.


Firefox to support Theora video

By Jake Edge
August 6, 2008

Video in the browser, at least for Linux, has always resorted to somewhat clunky solutions—Flash plug-ins or external programs—but that is likely to change in Firefox 3.1. Recent commits to the Firefox development tree have added support for the HTML 5 <video> and <audio> tags as well as native Ogg Vorbis and Theora support. Providing multimedia support directly in a free browser, with no plug-in required, is a huge step forward both for Linux and for the royalty-free codecs.

The battle over video and audio formats is an ugly one, largely because they are patent minefields. The "mainstream" formats, MPEG-4 for video and MP3 for audio, are licensed on a royalty basis to companies that want to implement playback. Obviously, Mozilla is not in a position to pay a per-installation royalty, so that leaves various ad hoc methods using JavaScript and plug-ins—that users have to track down—to make audio-video playback work in its browser.

[Firefox showing video]

Trying the new feature (seen at left) on one of the recent nightly Firefox builds seemed to work pretty well given that it is still under development. The video played smoothly, but the audio was not functional, only producing a rumbling, clicking soundtrack. The Wikimedia Commons video collection was used to test as it is a nice collection of Theora videos.

Some have seen the lack of Theora content currently on the web as a reason to downplay Firefox's support for the format, which is unfortunate, as Mozilla hacker Robert O'Callahan was quick to point out. Unlike the current situation, once a Firefox with video support is released, there will be one format that all content producers can be sure will be available for Firefox. Depending on whose numbers you believe, that means that somewhere between 10 and 25% of web surfers (or more than 100 million people) will be using it.

Even with the dominance of Internet Explorer, the plethora of codec plug-ins has made it somewhat difficult for content providers to decide upon which video formats to support. With a substantial fraction of browsers supporting a particular free format, that situation may change. Wikimedia will certainly help by providing reasons for those not using Firefox to demand Theora plug-ins—if not integrated Theora support—for their browsers. As more content is available in that format, the pressure will build on Microsoft and Apple. As we mentioned in an article on web video formats last December, more content is the key to Theora support.

Some have argued that Vorbis and Theora are just as likely to be patent-encumbered as the more mainstream codecs, but so far that is unproven. There is no licensing authority that claims to have patents covering those codecs. Though Mozilla has some depth to its pockets—largely due to its deal with Google—patent holders might be loath to attack a free software browser. In many ways, patent holders risk upsetting their entire apple cart if their attacks rise too high into the public consciousness. Clearly, though, Mozilla will be taking on some amount of risk with this move.

There have also been arguments that the Theora codec produces inferior video compared to those used by MPEG-4 and others. There is certainly truth to that assertion, but there is ongoing work to bring Theora more in line with the quality of its competitors. Due to the fact that it isn't controlled by a licensing authority with little or no interest in improving it, there is hope that Theora, or some descendant of it, could produce superior results some day.

Dirac—also known by the name of its C language implementation Schrödinger—is another royalty-free codec that is being looked at for inclusion into Firefox. There are currently some performance issues with decoding, but if those get resolved, there might be two free choices for video codecs in Firefox.

There are lots of entrenched interests that would like to see Theora, Vorbis, Dirac, and others like them disappear. They are quite happy with the current state of affairs. For the most part, though, users are not. Even on "well supported" platforms, video—and to a lesser extent audio—is a confusing jumble of plug-ins and formats that make it somewhat painful to use. Flash and Silverlight are supposed to "solve" these problems, but they do it in a not-quite-free way that still requires plug-ins. If web users start to find it easier to use the video formats embedded in their browser, and content producers take notice, it could completely change video on the web.


Building custom appliance distributions with rBuilder

By Jonathan Corbet
August 5, 2008

Linux distributions can be a pain. Users have to go through the whole process of installation, configuration, and updates, and, often, all they really want to do is to run a single application. The vendors of that application, meanwhile, feel the need to support as many distributions as possible, even though the actual system running underneath their code is nearly irrelevant. Wouldn't it be nice if users could simply get their desired application as an "appliance" which comes with all the necessary component parts nicely hidden inside?

As it happens, rPath has been in the appliance business for a little while now. Recently, the company has made its appliance-building infrastructure available to free-software products in the form of rBuilder Online. In essence, rBuilder can be used to create and maintain a custom distribution oriented around the delivery of a specific application. The result is a "software appliance" which, in theory, makes the given application available in a self-contained, standalone distribution.

There are a number of example appliances available on the site. They include:

  • Bongo, an attempt to revitalize work on the Hula mail client

  • Gallery, a standalone photo album

  • LochDNS, a DNS server

  • Openfiler, a storage management system

There are several others oriented around content management systems, telephony applications, database servers, and more. All told, quite a few projects have shown interest in creating software appliances for their applications.

Your editor grabbed a copy of the Openfiler appliance and installed it onto a spare box which had been cluttering up the office. Appliances from rBuilder start out looking like a Fedora system; they use the same Anaconda installer. The installed system also shows a lot of Red Hat heritage, such as /etc/sysconfig, various system-config-* commands, an /etc/inittab file which credits Mark Ewing and Donnie Barnes, etc. But there is a crucial difference: there is no rpm command. Instead, these appliances are based on rPath's Conary package management system, which takes a very different approach to the software management problem. But there are still similarities with Fedora: your editor attempted a conary updateall operation on the LochDNS appliance, only to see it fail with a set of file conflict errors; it was almost like running Rawhide again.

[Openfiler admin screen]

Appliance users are not supposed to have to dirty their fingertips with command-line administrative operations, though. To help them avoid this fate, rBuilder-based appliances come with the rPath Appliance Platform Agent, otherwise known as a web-based administration interface. Once the user gets past the usual set of obnoxious Firefox dialogs ("this site has an SSL certificate which is not only unknown, but is almost certainly hostile and is ugly besides"), this interface provides a set of administrative screens for standard tasks (networking, updating the system, etc.) along with some specific to the Openfiler application.

In theory, it should be possible to manage one of the appliances without ever going to the command line - or even knowing that the command line exists. In practice, how well that works depends a lot on how the administration screens are designed. In the Openfiler case, quite a bit of clicking around in circles was required, but your editor did finally succeed in setting up a volume based on a USB key, perform a software update, and shut down the system at the end.

The creation of appliances would appear to be relatively straightforward; details can be found in this document. One creates an account in the rBuilder system, then puts together a file describing which components (packages) are necessary in the final system. Those components will presumably include at least one application provided by the appliance builder - that application being the reason for the creation of the software appliance in the first place. The "rMake" system will then pull all of the pieces together, bring in any needed dependencies, and wrap it all up inside a minimal distribution; the resulting system image seems to run at about 300MB.

There are several possible output formats, including the Anaconda-based installation CD image; the rPath folks would appear to have put a lot of effort into making appliances work on a number of virtualization platforms as well. Appliances can be built for VMware, various forms of Xen, VirtualIron, and Microsoft VHD. Notably absent is anything based on Lguest or KVM. Even more notably absent is any kind of live CD appliance; anything not running in a virtual machine must be installed onto the host system's disks.

rPath's Conary servers seem to be set up to handle software updates. It is also possible to obtain source for the packages found in an appliance through the rBuilder site, though one must do a little digging first. Both of these features are important: anybody creating a distribution-based appliance has to arrange for updates and source availability somehow. One assumes that most appliance creators have no real desire to get into the broader distribution business, so it's nice for them to be able to offload these tasks. Anybody distributing these appliance images should note that rPath does not appear to have undertaken any obligation to continue to provide these services in the future. Should rPath decide to stop, some interesting questions on who is ultimately responsible for satisfying the source-availability provisions of the GPL could come up.

Naturally enough, rPath offers commercial services for those who would like stronger guarantees about long-term support, or who want to include proprietary software in their appliances.

For the time being, this approach to software distribution would seem to be most useful for companies which are in the business of building real, hardware-based appliances. Distributing software in virtual machines has the look of a new and truly impressive form of bloat; even "just enough operating system" is a lot of baggage for an application to drag around. For situations where one wants to try out a complex system, appliance distribution may be worth its cost, but one would probably not want to get every application this way.

There may be value, though, in software distributions which can run almost anywhere, and which can be nicely isolated from the outside world. Locking network-exposed applications - server processes or web browsers - into their own little world could help to avoid a lot of security problems in a way which seems more straightforward than SELinux or containers.

But, perhaps most interestingly, the appliance approach could eliminate a number of distribution-compatibility issues by putting many more people into the distribution business. Now anybody can throw together a special-purpose distribution without having to deal with all of the plumbing that makes the whole thing actually work. Something interesting will certainly come of this idea, even if it's hard to say just what that might be at the moment.


Page editor: Jonathan Corbet

Security

OLS: Smack for embedded devices

By Jake Edge
August 6, 2008

The Simplified Mandatory Access Control Kernel (Smack) is a Linux access control mechanism akin to SELinux. As its name would imply, it is a much less complex scheme that requires far fewer resources than SELinux, which may make it more palatable to developers of embedded systems. Smack developer Casey Schaufler gave a talk at the recent Ottawa Linux Symposium (OLS) outlining how it could be used for embedded devices.

Smack has the distinction of being the second user of the Linux Security Module (LSM) kernel interface to be merged into the mainline. This finally put to rest the idea that the LSM might some day be removed from the kernel, requiring all security solutions to be implemented in terms of SELinux. But Smack comes at Mandatory Access Control (MAC)—which is at the heart of both SELinux and Smack—from a different perspective. Schaufler believes that MAC rules should be explicitly specified rather than implicit in a set of policies a la SELinux.

In order to get everyone up to speed, Schaufler gave an overview of MAC and Smack. The main thing to remember about MAC is that it is not user controlled. The system makes all decisions about access and the attributes of files that govern access. The standard UNIX model, by way of comparison, is a Discretionary Access Control (DAC) system, where users can change the security attributes of objects under their control.

Smack relies on labels for subjects, which are active entities, and objects, which are passive. An access is then an operation that is performed by a subject, generally a task/process, on an object, which is typically a file. To determine whether the access succeeds or fails, Smack compares the subject and object labels: if they match, access is granted; if they do not match, the explicit access rules are consulted. If one matches the attempted access, it is granted; otherwise it is denied.

There are three system labels defined, along with access rules governing their behavior, but all other rules must be explicitly added by the administrator. Labels are simply strings up to 23 characters long. Rules then specify a subject label, an object label, and a desired access (read, write, execute, append). After mounting a smackfs filesystem at /smack, rules can be written to /smack/load, which stores them in the kernel for immediate use.

It is important to note that objects inherit the label of the subject that creates them. That means that the label on an executable is only relevant to determine whether the subject process is allowed to execute it. The process that gets created has the label of the subject that executed it, not the label associated with the executable file. The same goes for processes that create files: those files get the label of the process. This is very different from the SELinux label inheritance rules.

There is more to it, of course, but not a lot more, which is what makes it attractive to some. Interested readers are directed to our article, Schaufler's OLS paper [PDF], or the Smack home page for more detailed looks at Smack.

Schaufler outlined specific reasons that a simplified system, like Smack, would be attractive in the embedded world. Many embedded devices are single-purpose and geared towards one user. Because cost is often a major factor, the device only needs to implement the exact set of functions that it is meant to provide. As Schaufler puts it: "feature completeness is uninteresting".

Cost often plays a role in the amount of system resources provided, particularly RAM and flash, as well. A solution that uses less memory fits well with the embedded mindset. There have been some efforts to pare down SELinux and its enormous policy file for the embedded world (including a paper at OLS [PDF], and a presentation at the Embedded Linux Conference that we covered briefly), but it is still rather large. It is also a great deal more complex than Smack, which was a major thrust of Schaufler's presentation.

One problematic area for putting SELinux on embedded devices is that most flash filesystems do not have support for extended attributes (xattrs). Both Smack and SELinux use xattrs to store labels for files, but Smack can provide a default label for an entire filesystem to avoid requiring xattr support. Also, system files automatically default to the "_" (called floor) label so, in many cases, labels on individual files may not be required.

In his talk, Schaufler gave several examples of specific sets of applications and how they could be easily cordoned off from each other while still working together. The model he used was of a mobile phone with multiple applications. The phone's system data would have the default floor label which means they can be read—but not written—by a process with any label.

One of Schaufler's examples was of two different applications that each retrieved content from the network to display to a user. Each retrieved headlines from different services, one from CNN, the other from ESPN. At times the content might overlap, in which case the phone vendor wanted each to be able to read the other's data, potentially displaying a sports story as part of the regular news or vice versa. This is easily handled by two Smack rules:

    ESPN CNN r
    CNN ESPN r

Assuming that the CNN application runs with the CNN label, and the ESPN process with ESPN, they can each read and write their own private data (because the labels match). Because of the two rules above, they can also read each other's private data. If at some point the phone provider decided those two applications should not be able to share data, those rules simply need to be removed; no filesystem relabeling or anything else is required.

Another example that Schaufler gave was of a video process and an audio process that cooperated in sharing system resources by sending messages to each other. They had no need to share data, just to send UDP messages. In Smack, a process can send a UDP packet if it has write access to the label of the other process. So the following Smack rules could be used:

    Video Audio w
    Audio Video w

One might expect that giving write permission would allow Video, for example, to write to data with the Audio label. This is not the case because UNIX file semantics require read access in order to write file data (because the inode of the file must be read). So under this set of rules, each can send (and receive) UDP packets from the other process, but cannot access any of the data labeled for the other process.
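The access decision and the four rules above, modelled in user-space C as an added example (it is not Smack's kernel code and does not come from Schaufler's talk). The function names, the table size, and the treatment of a file write as a request for both read and write are assumptions of this model; of the three system labels, only the floor label is handled.

```c
#include <stdio.h>
#include <string.h>

#define SMK_LABEL_MAX 23          /* label length limit given in the article */
#define MAX_RULES     32          /* table size for this model (assumption) */

enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4, MAY_APPEND = 8 };

struct smack_rule {
    char subject[SMK_LABEL_MAX + 1];
    char object[SMK_LABEL_MAX + 1];
    int  access;                  /* OR of the MAY_* bits */
};

static struct smack_rule rules[MAX_RULES];
static int nrules;

/* Turn an access string such as "rw" into MAY_* bits; -1 on a bad letter.
 * '-' grants nothing, so loading "ESPN CNN -" takes the pair's access away. */
static int parse_access(const char *s)
{
    int bits = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'r': bits |= MAY_READ;   break;
        case 'w': bits |= MAY_WRITE;  break;
        case 'x': bits |= MAY_EXEC;   break;
        case 'a': bits |= MAY_APPEND; break;
        case '-': break;
        default:  return -1;
        }
    }
    return bits;
}

/* Parse one "subject object access" line. A rule for a pair that already
 * exists replaces the old one. Returns 0 on success, -1 on a bad line. */
int load_rule(const char *line)
{
    char subj[64], obj[64], acc[8];
    int bits, i;

    if (sscanf(line, "%63s %63s %7s", subj, obj, acc) != 3)
        return -1;
    if (strlen(subj) > SMK_LABEL_MAX || strlen(obj) > SMK_LABEL_MAX)
        return -1;                /* overlong labels are rejected, not truncated */
    if ((bits = parse_access(acc)) < 0)
        return -1;
    for (i = 0; i < nrules; i++)
        if (!strcmp(rules[i].subject, subj) && !strcmp(rules[i].object, obj))
            break;
    if (i == MAX_RULES)
        return -1;
    strcpy(rules[i].subject, subj);
    strcpy(rules[i].object, obj);
    rules[i].access = bits;
    if (i == nrules)
        nrules++;
    return 0;
}

/* The decision described in the article: equal labels always pass, floor
 * ("_") objects can be read (and executed) by any subject, and everything
 * else needs an explicit rule covering every requested bit. */
int smack_access(const char *subject, const char *object, int request)
{
    int i;

    if (strcmp(subject, object) == 0)
        return 1;
    if (strcmp(object, "_") == 0 && (request & ~(MAY_READ | MAY_EXEC)) == 0)
        return 1;
    for (i = 0; i < nrules; i++)
        if (!strcmp(rules[i].subject, subject) && !strcmp(rules[i].object, object))
            return (rules[i].access & request) == request;
    return 0;                     /* no rule for the pair: denied */
}

/* Sending a UDP packet needs write access to the receiver's label. */
int can_send_udp(const char *sender, const char *receiver)
{
    return smack_access(sender, receiver, MAY_WRITE);
}

/* Writing file data also needs read access (the inode must be read). */
int can_write_file(const char *task, const char *file_label)
{
    return smack_access(task, file_label, MAY_READ | MAY_WRITE);
}

/* Load the four rules from the article; returns how many were accepted. */
int load_phone_policy(void)
{
    static const char *policy[] = {
        "ESPN CNN r", "CNN ESPN r", "Video Audio w", "Audio Video w",
    };
    int i, ok = 0;

    nrules = 0;
    for (i = 0; i < 4; i++)
        ok += (load_rule(policy[i]) == 0);
    return ok;
}

int main(void)
{
    load_phone_policy();
    printf("ESPN reads CNN data:       %d\n", smack_access("ESPN", "CNN", MAY_READ));
    printf("ESPN writes CNN data:      %d\n", can_write_file("ESPN", "CNN"));
    printf("Video sends UDP to Audio:  %d\n", can_send_udp("Video", "Audio"));
    printf("Video writes Audio file:   %d\n", can_write_file("Video", "Audio"));
    printf("CNN reads floor data:      %d\n", smack_access("CNN", "_", MAY_READ));
    return 0;
}
```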

Schaufler had some other examples in his presentation (slides [PDF]), that were geared more towards exploring Smack capabilities than specifically at embedded applications. He concluded by directly comparing Smack and SELinux in terms of complexity. Clearly Smack is vastly simpler; whether it has enough capabilities to provide the protection that embedded developers require remains to be seen. On the other hand, whether SELinux can be made to work reasonably in embedded environments is also an outstanding question. It will be interesting to watch.


Brief items

Phishing Kits Widely Compromised To Steal From Phishers (Information Week)

For your amusement: Information Week reports from a USENIX talk about compromised phishing kits. "In January, Netcraft security researcher Paul Mutton identified a phishing tool kit distributed by a group of Moroccan cybercriminals that had been compromised with a back door. Unbeknownst to its users, the phishing kit sent copies of stolen information to its creators. Now it turns out that more than 40% of the live phishing kits found online (61 out of 150) have back doors designed to steal from the information thieves using them." The moral is clear: one should always stick with open-source malware.


New vulnerabilities

drupal: session fixation

Package(s): drupal
CVE #(s):
Created: August 1, 2008
Updated: August 6, 2008
Description: From this Drupal advisory: When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access.
Alerts:
Fedora FEDORA-2008-6916 2008-07-31


filezilla: unsecured data transfers

Package(s): filezilla
CVE #(s):
Created: August 1, 2008
Updated: August 6, 2008
Description: From the FileZilla homepage: FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are handled on SSL/TLS secured data transfers.
Alerts:
Fedora FEDORA-2008-6812 2008-07-31
Fedora FEDORA-2008-6865 2008-07-31


httrack: buffer overflow

Package(s): httrack
CVE #(s): CVE-2008-3429
Created: August 1, 2008
Updated: September 12, 2008
Description: From the Debian advisory: Joan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing to execute arbitrary code when passed excessively long URLs.
Alerts:
Fedora FEDORA-2008-7896 2008-09-11
Fedora FEDORA-2008-7862 2008-09-11
Debian DSA-1626-1 2008-08-01

java-1.5.0-ibm: buffer overflow

Package(s): java-1.5.0-ibm
CVE #(s): CVE-2008-3108
Created: July 31, 2008
Updated: November 18, 2009
Description: IBM Java has a buffer overflow vulnerability. From the CVE database entry: Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0 before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allows context-dependent attackers to gain privileges via unspecified vectors related to font processing.
Alerts:
Gentoo 200911-02 2009-11-17
Red Hat RHSA-2008:1044-01 2008-12-18
Red Hat RHSA-2008:1043-01 2008-12-18
SuSE SUSE-SA:2008:045 2008-09-17
SuSE SUSE-SA:2008:043 2008-09-04
SuSE SUSE-SA:2008:042 2008-08-25
Red Hat RHSA-2008:0790-02 2008-07-31

libxslt: heap buffer overflow

Package(s): libxslt
CVE #(s): CVE-2008-2935
Created: July 31, 2008
Updated: October 27, 2008
Description: From the Red Hat alert: A heap buffer overflow flaw was discovered in the RC4 libxslt library extension. An attacker could create a malicious XSL file that would cause a crash, or, possibly, execute arbitrary code with the privileges of the application using the libxslt library to perform XSL transformations on untrusted XSL style sheets.
Alerts:
rPath rPSA-2008-0306-1 2008-10-27
Fedora FEDORA-2008-7062 2008-08-07
Ubuntu USN-633-1 2008-08-01
CentOS CESA-2008:0649 2008-07-31
Fedora FEDORA-2008-7029 2008-08-07
Mandriva MDVSA-2008:160 2007-08-01
Debian DSA-1624-1 2008-07-31
Gentoo 200808-06 2008-08-06
Red Hat RHSA-2008:0649-01 2008-07-31

nfs-utils: access restriction problem

Package(s): nfs-utils
CVE #(s): CVE-2008-1376
Created: July 31, 2008
Updated: May 21, 2009
Description: nfs-utils has an access restriction problem. From the Red Hat alert: A flaw was found in the nfs-utils package build. The nfs-utils package was missing TCP wrappers support, which could result in an administrator believing they had access restrictions enabled when they did not.
Alerts:
CentOS CESA-2009:0955 2009-05-21
Red Hat RHSA-2009:0955-01 2009-05-18
Red Hat RHSA-2008:0486-01 2008-07-31
CentOS CESA-2008:0486 2008-07-31

opensc: unauthorized PIN change

Package(s): opensc
CVE #(s): CVE-2008-2235 CVE-2008-3972
Created: August 4, 2008
Updated: June 1, 2009
Description:

From the Debian advisory:

Chaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN.

With this bug anyone can change a user PIN without having the PIN or PUK or the superuser's PIN or PUK. However it can not be used to figure out the PIN. If the PIN on your card is still the same you always had, there's a reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialised with OpenSC. Users of other smart cards and USB crypto tokens, or cards that have been initialised with some software other than OpenSC, are not affected.

Alerts:
Fedora FEDORA-2009-2267 2009-03-03
SuSE SUSE-SR:2009:004 2009-02-17
Gentoo 200812-09 2008-12-10
SuSE SUSE-SR:2008:019 2008-09-26
Mandriva MDVSA-2008:183 2007-09-02
Debian DSA-1627-2 2008-08-31
Debian DSA-1627-1 2008-08-04

pan: execution of arbitrary code

Package(s): pan
CVE #(s): CVE-2008-2363
Created: August 1, 2008
Updated: October 8, 2009
Description: From the Gentoo advisory: Pavel Polischouk reported a boundary error in the PartsBatch class when processing .nzb files. A remote attacker could entice a user to open a specially crafted .nzb file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Alerts:
Ubuntu USN-845-1 2009-10-08
Mandriva MDVSA-2008:201 2008-09-22
Gentoo 200807-15 2008-07-31

pdns-recursor: weak random number generator

Package(s): pdns-recursor
CVE #(s): CVE-2008-3217
Created: July 31, 2008
Updated: August 21, 2008
Description: The PowerDNS Recursor non-authoritative/recursing DNS server has a vulnerability involving a weak random number generator that is used for source port selection. This simplifies the process of generating remote attack vectors for conducting DNS cache poisoning.
Alerts:
Fedora FEDORA-2008-6893 2008-07-30
Gentoo GLSA 200804-22 2008-04-18

phpMyAdmin: cross-site framing vulnerability

Package(s): phpMyAdmin
CVE #(s):
Created: July 31, 2008
Updated: August 6, 2008
Description: phpMyAdmin has a cross-site framing vulnerability, described here: "It was permitted to display phpMyAdmin's frames inside another page, opening phishing or fooling possibilities; now, a parameter AllowThirdPartyFraming must be set to true in config.inc.php to allow this behavior. Also, XSS was possible for someone who could overwrite config/config.inc.php during the time this file is present in this directory."
Alerts:
Fedora FEDORA-2008-6868 2008-07-30

pidgin: memory leak

Package(s): pidgin gaim
CVE #(s): CVE-2008-2956
Created: August 6, 2008
Updated: August 6, 2008
Description: Pidgin 2.0.0 ("and possibly other versions") contains a memory leak which is exploitable for a denial of service attack.
Alerts:
rPath rPSA-2008-0246-1 2008-08-05

python: multiple vulnerabilities

Package(s): python
CVE #(s): CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144
Created: August 1, 2008
Updated: November 1, 2010
Description: From the Gentoo advisory: Multiple vulnerabilities in Python may allow for the execution of arbitrary code. A remote attacker could exploit these vulnerabilities in Python applications or daemons that pass user-controlled input to vulnerable functions. Exploitation might lead to the execution of arbitrary code or a Denial of Service. Vulnerabilities within the hashlib might lead to weakened cryptographic protection of data integrity or authenticity.
Alerts:
MeeGo MeeGo-SA-10:16 2010-08-03
Pardus 2010-76 2010-06-15
Debian DSA-1977-1 2010-01-25
CentOS CESA-2009:1176 2009-07-29
CentOS CESA-2009:1178 2009-07-27
Red Hat RHSA-2009:1176-01 2009-07-27
Red Hat RHSA-2009:1177-01 2009-07-27
Red Hat RHSA-2009:1178-02 2009-07-27
Mandriva MDVSA-2009:036 2009-02-12
Debian DSA-1667-1 2008-11-19
Mandriva MDVSA-2008:186 2008-09-04
SuSE SUSE-SR:2008:017 2008-08-29
rPath rPSA-2008-0243-1 2008-08-13
Mandriva MDVSA-2008:164 2008-08-07
Mandriva MDVSA-2008:163 2007-08-07
Ubuntu USN-632-1 2008-08-01
Gentoo 200807-16 2008-07-31

RealPlayer: buffer overflow

Package(s): RealPlayer
CVE #(s): CVE-2007-5400
Created: July 31, 2008
Updated: June 9, 2009
Description: RealPlayer is susceptible to a buffer overflow. From the national vulnerability database entry: Heap-based buffer overflow in the Shockwave Flash (SWF) frame handling in RealNetworks RealPlayer 10.5 Build 6.0.12.1483 might allow remote attackers to execute arbitrary code via a crafted SWF file.
Alerts:
SuSE SUSE-SR:2009:011 2009-06-09
Red Hat RHSA-2008:0812-02 2008-09-17
Gentoo 200809-03 2008-09-04
Red Hat RHSA-2008:0812-01 2008-07-31

trac: multiple vulnerabilities

Package(s): trac
CVE #(s): CVE-2008-2951 CVE-2008-3328
Created: July 31, 2008
Updated: August 6, 2008
Description: The trac integrated software management system has two vulnerabilities. From the Fedora alert:

CVE-2008-2951: Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.

CVE-2008-3328: Cross-site scripting (XSS) vulnerability in the wiki engine in Trac before 0.10.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Alerts:
Fedora FEDORA-2008-6833 2008-07-30

vlc: multiple vulnerabilities

Package(s): vlc
CVE #(s): CVE-2008-2147 CVE-2008-2430
Created: August 1, 2008
Updated: June 18, 2009
Description: From the Gentoo advisory: Remi Denis-Courmont reported that VLC loads plugins from the current working directory in an unsafe manner (CVE-2008-2147). Alin Rad Pop (Secunia Research) reported an integer overflow error in the Open() function in the file modules/demux/wav.c (CVE-2008-2430).
Alerts:
Debian DSA-1819-1 2009-06-18
Gentoo 200807-13 2008-07-31

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.27-rc2, released on August 5. There's a lot of changes here, many of which are fixes or include file reorganizations (architecture-specific include files are moving from include/asm-xxx to arch/xxx/include), but there's also a driver for the SGI "GRU" system management device, support for the MIPS architecture in the common kgdb debugger, a new subsystem for the management of voltage and current regulators, some core memory management and VFS locking changes, a driver for the SPI master controller on Orion chips, and the removal of the long-deprecated cli() and sti() functions. See the short-form changelog for details, or the full changelog for lots of details.

As of this writing, no changesets have been merged into the mainline repository since the 2.6.27-rc2 release.

The current -mm tree is 2.6.27-rc1-mm1. Recent changes to -mm consist mainly of a large reduction in size as hundreds of patches flow into the mainline.

The current stable 2.6 kernel is 2.6.26.2, released on August 6. It contains a large set of fixes for a wide variety of problems. Previously, 2.6.26.1 (also a large set of fixes) was released on August 1.

For 2.6.25 users: 2.6.25.14 (August 1) and 2.6.25.15 (August 6) continue the series of fixes for that kernel release.

Kernel development news

Quotes of the week

Now, the thing you should take away from this is: kernel people have cool toys, and CPU's that are faster than what you have. Nyaah, nyaah.
-- Linus Torvalds

Part of the problem I suspect is that the AV folks have managed to get CIO's believe that all computer systems need to have anti-virus software, of the same design that is needed for DOS/Windows systems. This state of delusion is so bad that apparently some AV engineers aren't even willing to reason from first principles what is necessary or not to maintain a secure system.

And arguably, if the goal is security theater, much like the security lines in airports, perhaps it doesn't matter. If there are silly CIO's that are willing to pay for such a thing, regardless of whether or not it is actually *necessary* to maintain security, one school of capitalism would say it doesn't matter if it actually provides any functional value or not.

On the other hand, it seems pretty clear there are plenty of LKML developers who aren't buying it. :-)

-- Ted Ts'o

Notes from the Ottawa Linux Power Management Summit

The Ottawa Linux power management summit was held on July 22, 2008 - immediately prior to this year's Linux Symposium. For those who could not be there, Len Brown has posted a set of notes from the meeting. The discussion covered a wide variety of topics, including the OMAP3 processor, snapshot boot, USB power management, server power management, and more.

File descriptor handling changes in 2.6.27

One of the changes merged for 2.6.27 is a set of system call extensions designed to get around some longstanding security issues with POSIX file descriptors; LWN covered these extensions back in May. Now the author of that work (Ulrich Drepper) has posted a description of these changes, why they are important, and how they will be used in the C library. Worth a look, especially for developers working on threaded applications.

Can user-space bugs be kernel regressions?

By Jake Edge
August 6, 2008

Adding new functionality to the kernel while maintaining the interfaces for user space is the standard kernel development practice. Sometimes, though, that can tickle bugs in user-space programs in unpleasant ways. When that happens, it is clearly a regression—something that worked before no longer does—but is it a kernel regression? In the end, it doesn't matter, it seems, because the kernel needs to change to keep the user-space program working, even at the expense of "ugliness".

Clearly for purely internal kernel functionality, there is no mandate for compatibility across kernel versions. But, when the user-space interface is involved, things get a bit trickier. A change that alters the way a documented interface works is essentially never done; user-space interfaces are maintained forever. When new functionality properly uses a documented interface, but breaks a user-space program, it gets murkier.

That situation came up recently when Andrew Morton noticed that the linux-next tree broke the X server on his laptop. The problem was quickly diagnosed as a problem in the Synaptics touchpad driver for X. An array that was being passed to an ioctl() was sized based on the number of bits, rather than bytes, it should contain. Thus the maximum buffer length passed was off by a factor of eight.

As a solution, Dmitry Torokhov offered up a patch, not to kernel code, but to the synaptics X driver. That didn't sit particularly well with Morton and others, eventually leading to a pronouncement from Linus Torvalds:

If somebody has the commit that broke user space, that commit will be _reverted_ unless it's fixed. It's that simple. The rules are: we don't knowingly break user space.

Torokhov clearly felt that it was the driver, not his changes, that was at fault, which is entirely understandable because it's true. That doesn't alter the fact that new kernels would break existing, working configurations on laptops everywhere. The kernel change just fully used an existing, documented interface, as Torokhov explained:

It is not like we broke ABI here. The program (synaptics driver) had a grave bug. Older kernels happened to paper over the bug because they did not fill the whole buffer that was advertised as available. Now that we have more data to report the bug bit us.

Declaring an array of 64 bytes, but telling the kernel it can store up to 511 bytes into it is obviously a bug. But, as Morton points out:

It really really doesn't matter what the causes are or which piece of code is at fault or anything else like that.

What _does_ matter is that people's stuff will break. Apparently lots of people's. That's a problem. A _practical_ problem. Can we pleeeeeeze be practical and find some way of preventing it?

Since the code was in linux-next, it was targeted at the 2.6.28 kernel. In Torokhov's thinking, this would allow something approaching six months for distributions to update the synaptics driver. But that is a fundamental misunderstanding of how and when kernels are upgraded—it is not only by way of distributions. Introducing a change like this would result in many messages to linux-kernel from unhappy folks with broken X servers.

Kernel hackers purposely build and run kernels on a wide variety of hardware and distributions. That includes older distributions that no longer get updates so they would be stuck with the buggy driver, thus non-working X server, essentially forever. Obviously, they could rebuild the synaptics driver—kernel hackers have been known to compile things other than kernels—but that isn't the point.

There are major benefits to also having lots of regular users update their kernels frequently. Trying to ensure that there won't be any unnecessary barriers to doing that can only help. Torvalds describes it this way:

And if we want to encourage people to upgrade their kernel very aggressively (and we absolutely do!), then that means that we have to also make sure it doesn't require them upgrading anything else.

Torvalds and Torokhov worked out a fix that preserved the old behavior for a specific passed-in buffer length, while allowing the new events to be delivered to any other users of the ioctl() that passed in the proper length. Torvalds commented: "Yeah, it's not pretty, but pragmatism before beauty."
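The sizing bug and the length-keyed workaround described above, as an added user-space model (not the synaptics driver's or the kernel's code). The function names, the canary arena and `NEW_KEY_MAX` are constructed for illustration; only the 64-byte array and the claimed length of 511 come from the article, and the exact form of the quirk is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OLD_KEY_MAX 511u   /* highest key bit on the older kernel (the article's 511) */
#define NEW_KEY_MAX 767u   /* constructed: a newer kernel with more key bits to report */
#define BYTES_FOR_BITS(n) (((n) + 7u) / 8u)
#define OLD_BITMAP_BYTES BYTES_FOR_BITS(OLD_KEY_MAX + 1u)   /* 64 */
#define NEW_BITMAP_BYTES BYTES_FOR_BITS(NEW_KEY_MAX + 1u)   /* 96 */

#define ARENA_BYTES 512u   /* caller's array followed by canary bytes */
#define CANARY 0xA5

struct outcome {
    size_t written;   /* bytes the modelled kernel stored */
    int overran;      /* 1 if bytes past the caller's array were modified */
};

/* Model of the kernel side: store at most claimed_len bytes and at most the
 * size of the bitmap the kernel has. With compat_quirk set, a caller that
 * passes exactly OLD_KEY_MAX as a byte count is assumed to be the buggy one
 * and gets the old, shorter bitmap (hypothetical form of the workaround). */
static size_t model_get_key_bits(unsigned key_max, int compat_quirk,
                                 unsigned char *dst, size_t claimed_len)
{
    size_t have = BYTES_FOR_BITS(key_max + 1u);

    if (compat_quirk && claimed_len == OLD_KEY_MAX && have > OLD_BITMAP_BYTES)
        have = OLD_BITMAP_BYTES;

    size_t n = claimed_len < have ? claimed_len : have;
    memset(dst, 0xFF, n);            /* pretend every key bit is set */
    return n;
}

/* Model of the caller: its array is the first array_bytes of the arena; the
 * rest is filled with a canary so an overrun is detectable without relying
 * on undefined behaviour. */
static struct outcome call_ioctl(unsigned key_max, int compat_quirk,
                                 size_t array_bytes, size_t claimed_len)
{
    unsigned char arena[ARENA_BYTES];
    struct outcome o = {0, 0};

    memset(arena, CANARY, sizeof arena);
    o.written = model_get_key_bits(key_max, compat_quirk, arena, claimed_len);
    for (size_t i = array_bytes; i < sizeof arena; i++) {
        if (arena[i] != CANARY) {
            o.overran = 1;
            break;
        }
    }
    return o;
}

int main(void)
{
    const struct {
        const char *what;
        unsigned key_max;
        int quirk;
        size_t array_bytes, claimed_len;
    } cases[] = {
        /* Buggy caller: 64-byte array, length given in bits (511). */
        { "old kernel, buggy caller",        OLD_KEY_MAX, 0, 64, OLD_KEY_MAX },
        { "new kernel, buggy caller",        NEW_KEY_MAX, 0, 64, OLD_KEY_MAX },
        { "new kernel + quirk, buggy caller", NEW_KEY_MAX, 1, 64, OLD_KEY_MAX },
        /* Correct callers pass the array size in bytes. */
        { "new kernel, 64-byte caller",      NEW_KEY_MAX, 0, 64, 64 },
        { "new kernel + quirk, 96-byte caller", NEW_KEY_MAX, 1, 96, 96 },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome o = call_ioctl(cases[i].key_max, cases[i].quirk,
                                      cases[i].array_bytes, cases[i].claimed_len);
        printf("%-36s wrote %3zu bytes, overran array: %s\n",
               cases[i].what, o.written, o.overran ? "yes" : "no");
    }
    return 0;
}
```

The second case is the regression: nothing in the caller changed, but the kernel now has more than 64 bytes to report and the overstated length lets it write them.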

It is, to some extent, a gray area. Regressions are bad for any number of reasons, but maintaining hackarounds for buggy user-space programs has its own set of problems. The hope is that eventually the need for the workaround goes away so that it can be removed. It would seem difficult to determine when the last user of the old synaptics driver finally upgrades, so this code could be with us for a long time. Given the alternative, the price seems worth it.

Though Torvalds was absolute in condemning any known regression, even for programs that are clearly misusing an interface, there must be a line somewhere. If some obscure program, with few users, gets broken by the kernel doing something documented and reasonable, it is hard to imagine that this kind of workaround will be required. This particular problem was relatively easy to decide; the next might not be.

A kernel message catalog

By Jonathan Corbet
August 4, 2008

Kernel developers will often use printk() to output a message when something goes wrong. Such messages tend to be helpful to kernel developers; if nothing else, they can be used to find the place in the source where the message is emitted, and that, in turn, is most useful for somebody trying to figure out what the message is really saying. So, if your kernel tells you, for example, "lguest is afraid of being a guest," a quick dig through the source turns up a comment reading "Lguest can't run under Xen, VMI or itself. It does Tricky Stuff." Problem solved - or, at least, understood.

But, for the bulk of Linux users and administrators, the act of printk() interpretation by recourse to the kernel source is, itself, Tricky Stuff. If the kernel cannot tell them directly what the problem is, they would much rather have a more straightforward means of translating messages into some sort of useful English.

Or maybe not: for many Linux users, English may not be much more helpful than straight kernel-speak. It would be really nice to translate those messages into some sort of useful French, or Chinese, etc. What it comes down to, in the end, is that printk() alone will never be able to provide sufficient information to users in a way which can be understood and used to solve problems.

Just over one year ago, LWN looked at some proposals for adding structure to kernel messages. After that, the discussion went quiet, to the point that it seemed like not much was happening in the messaging area. But one should not forget that we are dealing with companies like IBM which have been creating massive binders full of kernel message documentation for several decades. They're not going to give up so easily. So the posting (by Martin Schwidefsky) of a new kernel messaging proposal is not an entirely surprising event.

In the latest scheme, each source file which generates structured messages defines a macro KMSG_COMPONENT as a string naming the specific subsection. This name will often match the name of the module which is created from that code, but that is not necessarily the case. The name, once chosen, is supposed to remain fixed forevermore; it becomes, in essence, part of the user-space interface and should always match the documentation.

Then, each message is assigned an integer identification number. The combination of the component name and the message number should be unique throughout the kernel; it is used by various tools to associate a more detailed explanation of whatever the message is intended to communicate. The message number is used with one of a number of new printk()-like functions:

    kmsg_alert(id, format, args...);
    kmsg_err(id, format, args...);
    kmsg_warn(id, format, args...);
    kmsg_info(id, format, args...);
    kmsg_notice(id, format, args...);

    kmsg_dev_alert(id, dev, format, args...);
    /* ... */

The "_dev" versions take an additional struct device argument (like dev_printk()) and encode the device name in the resulting message. That message (for all variants) will include the component name and the message number in any output. So, for example, the S/390 "xpram" driver includes the following:

    #define KMSG_COMPONENT "xpram"

    /* ... */
    if (devs <= 0 || devs > XPRAM_MAX_DEVS) {
        kmsg_err(1, "%d is not a valid number of XPRAM devices\n", devs);
        /* ... */
    }

Should this particular error check trigger, the resulting message will look like this:

    xpram.1: 42 is not a valid number of XPRAM devices

Thus far, our user is probably not feeling much better informed than before. But there is additional information which is made available and associated with that message tag. In this particular case, it looks like this:

    /*?
     * Tag: xpram.1
     * Text: "%d is not a valid number of XPRAM devices"
     * Severity: Error
     * Parameter:
     *   @1: number of partitions
     * Description:
     * The number of XPRAM partitions specified for the 'devs' module parameter
     * or with the 'xpram.parts' kernel parameter must be an integer in the
     * range 1 to 32. The XPRAM device driver created a maximum of 32 partitions
     * that are probably not configured as intended.
     * User action:
     * If the XPRAM device driver has been compiled as a separate module,
     * unload the module and load it again with a correct value for the
     * 'devs' module parameter. If the XPRAM device driver has been compiled
     * into the kernel, correct the 'xpram.parts' parameter in the kernel
     * parameter line and restart Linux.
     */

Here, we have a more verbose description of the message. Even more helpfully (one hopes), there is a discussion of what can be done to make this message go away. This information can be provided within the source or in a separate documentation file; it can also, presumably, be nicely formatted and distributed to paying customers as a binder for the system administrator's bookshelf. It can be translated into other languages for Linux users worldwide (and beyond: one could have a lot of fun with the Klingon translation for this kind of material).

The patch includes a script (written in Perl with undocumented messages, of course) which (when invoked with make D=1) will go through the source and make sure that every kernel message has an associated description block; it can also format the descriptions into man pages if desired. There are checks for missing descriptions or overloaded message ID numbers; the script does not, at the moment, check for a change in the message text.
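A reduced model of the two checks just described (missing description, overloaded message ID), as an added example; it is not the patch's Perl script and is not derived from it. The function names and the sample source are constructed here: the sample reuses the article's xpram.1 message and adds two hypothetical calls.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CALLS 32

struct kmsg_call { long id; char text[128]; };
struct report { int calls; int missing; int overloaded; };

/* Constructed sample: id 1 is documented, id 2 has no description block,
 * and id 1 is then reused with a different message text. */
static const char SAMPLE_SRC[] =
    "#define KMSG_COMPONENT \"xpram\"\n"
    "/*?\n"
    " * Tag: xpram.1\n"
    " * Text: \"%d is not a valid number of XPRAM devices\"\n"
    " */\n"
    "kmsg_err(1, \"%d is not a valid number of XPRAM devices\\n\", devs);\n"
    "kmsg_warn(2, \"constructed message without a description\\n\");\n"
    "kmsg_info(1, \"constructed message reusing id 1\\n\");\n";

/* Copy the string that follows '#define KMSG_COMPONENT "' into out. */
static int get_component(const char *src, char *out, size_t outlen)
{
    static const char key[] = "#define KMSG_COMPONENT \"";
    const char *p = strstr(src, key);
    const char *end;

    if (!p)
        return -1;
    p += sizeof key - 1;
    end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= outlen)
        return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* True if a "Tag: <component>.<id>" line exists; the digit check keeps
 * "xpram.1" from matching "xpram.12". */
static int has_description(const char *src, const char *comp, long id)
{
    char tag[96];
    int n = snprintf(tag, sizeof tag, "Tag: %s.%ld", comp, id);

    if (n < 0 || (size_t)n >= sizeof tag)
        return 0;
    for (const char *p = src; (p = strstr(p, tag)) != NULL; p += n)
        if (!isdigit((unsigned char)p[n]))
            return 1;
    return 0;
}

/* Scan for kmsg_<level>(id, "text" ...) calls. Simplification: the format
 * string is taken up to the next '"', so escaped quotes are not handled. */
static struct report check_source(const char *src)
{
    struct report r = {0, 0, 0};
    struct kmsg_call calls[MAX_CALLS];
    char comp[64];

    if (get_component(src, comp, sizeof comp) != 0)
        return r;

    for (const char *p = src; (p = strstr(p, "kmsg_")) != NULL; ) {
        p += 5;
        while (isalpha((unsigned char)*p) || *p == '_')
            p++;                          /* level name, optional dev_ prefix */
        if (*p != '(')
            continue;                     /* not a call */
        char *end;
        long id = strtol(p + 1, &end, 10);
        if (end == p + 1)
            continue;                     /* id is not a literal number */
        const char *q = strchr(end, '"');
        const char *qe = q ? strchr(q + 1, '"') : NULL;
        if (!qe || r.calls == MAX_CALLS)
            break;

        struct kmsg_call *c = &calls[r.calls];
        size_t len = (size_t)(qe - q - 1);
        if (len >= sizeof c->text)
            len = sizeof c->text - 1;
        c->id = id;
        memcpy(c->text, q + 1, len);
        c->text[len] = '\0';

        int first_use = 1;
        for (int i = 0; i < r.calls; i++) {
            if (calls[i].id != id)
                continue;
            first_use = 0;
            if (strcmp(calls[i].text, c->text) != 0) {
                r.overloaded++;           /* same id, different text */
                break;
            }
        }
        if (first_use && !has_description(src, comp, id))
            r.missing++;
        r.calls++;
        p = qe + 1;
    }
    return r;
}

int main(void)
{
    struct report r = check_source(SAMPLE_SRC);
    printf("calls=%d missing=%d overloaded=%d\n", r.calls, r.missing, r.overloaded);
    return (r.missing || r.overloaded) ? 1 : 0;
}
```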

Martin's first posting made this work specific to the S/390 architecture; following a suggestion from Andrew Morton, he made it generic in later versions. The cost of this work is zero for those who do not use it, so there is a reasonable chance that it will find its way into the mainline eventually. Before the message catalog system can be truly useful, though, developers will have to go through and document a substantial portion of the messages created by the kernel - and keep that documentation current as the kernel evolves.

The TALPA molehill

By Jonathan Corbet
August 6, 2008

The TALPA malware scanning API was covered here in December, 2007. Several months later, TALPA is back - in the form of a patch set posted by a Red Hat employee. The resulting discussion has certainly not been what the TALPA developers would have hoped for; it is, instead, a good example of how a potentially useful idea can be set back by poor execution and presentation to the kernel community.

The idea behind TALPA is simple: various companies in the virus-scanning business would like a hook into the kernel which allows them to check for malware and prevent its spread. So the patch adds a hook into the VFS code which intercepts every file open operation. A series of filters can be attached to this intercept, with the most important one being a mechanism which makes the file being opened available to a user-space process as a read-only file descriptor. That process can scan the file and tell the kernel whether the open operation should be allowed to proceed or not. In this way, the scanning process can prevent any sort of access to files which are deemed to contain bits with evil intentions.

There are a few other details, of course. A caching mechanism prevents rescanning of unchanged files, increasing performance considerably. There is also a hook on close() calls which can trigger the rescanning of a file. Processes can exempt themselves from scanning if it might get in their way; scanning can also be turned off for specific files, such as those used for relational database storage. But the patch set is relatively small, as it really does not have that much to do.

This capability could well prove to be useful. Even if one is not concerned about malware infections on Linux systems, a lot of files destined for more vulnerable platforms can pass through Linux servers. There is also the potential for the detection of attempted exploits of the Linux host. Normally, in the Linux world, the way we respond to knowledge of a specific vulnerability is to patch the problem rather than scan for exploits, but there may be systems which cannot be restarted on short notice, and which could benefit from an updated scanning database while running code with known vulnerabilities. Also, as Alan Cox pointed out, this feature could be useful for entirely different objectives, such as efficient indexing of files as they change.

What might be best of all, though, is that this hook could replace a number of rather less pleasant things being done by anti-malware vendors now. Some of these products use binary-only modules, plant hooks into the system call table, and generally behave in unwelcome ways. Moving all of that to a user-space process behind a well-defined API could be beneficial for everybody involved.

The patches have gotten a generally hostile reception on the kernel mailing lists, though. Some developers are uninspired about the ultimate objective:

So you are going to try to force us to take something into the Linux kernel due to the security inadequacies of a totally different operating system? You might want to rethink that argument.

That's an objection which can be worked around; the kernel developers do not normally want to determine which applications will or will not be supported by the system as a whole.

Another objection, though, might be harder: this hook is said not to be the best solution to the problem. Instead of putting a hook deep within the VFS layer, the anti-malware people could simply hook into the C library (perhaps with LD_PRELOAD), put the malware scanning directly into the processes (mail clients or web servers, say) which are passing files through the system, or embed the scanning into a stackable filesystem implemented with FUSE (or a similar mechanism). That has led to counterarguments that scanning implemented in this manner could be evaded by a hostile application - by performing system calls directly, for example, instead of going through the C library. Certain kinds of attacks, it is said, could get around a purely user-space solution.

That argument, however, highlights the real problem with this posting. The patch includes a set of 13 "requirements," including intercepting file opens, caching results, exempting processes, and so on. But none of these requirements describe the problem which is really being solved. In particular, as noted by Al Viro and others, there is no description of the threat which this patch is intended to mitigate:

Various people had been asking for _years_ to define what the hell are you trying to prevent. Not only there'd been no coherent answer (and no, this list of requirements is _not_ that - it's "what kind of hooks do we want"), you guys seem to be unable to decide whether you expect the malware in question to be passive or to be actively evading detection with infected processes running on the host that does scanning.

If the scanning host could be infected, then a scanning mechanism which could be circumvented by a rogue program is indeed a problem. But that is a very different threat than simply trying to prevent evil attachments from creating mayhem on Windows boxes; it does not appear to be a threat which these patches are trying to address.

The lack of a clearly described problem has caused the discussion of these patches to go around in circles; it is not possible to evaluate (1) whether the goals of these patches are worth supporting, or (2) whether the patches can actually be successful in achieving those goals. The code, in other words, cannot be reviewed. Until the TALPA developers can clarify that situation, their work will look like an example of "shoot first, then aim." That kind of code tends not to make it into the mainline, even if it could be useful in the end.

Page editor: Jonathan Corbet

Distributions

Looking forward to Fedora 10

By Jonathan Corbet
August 6, 2008

The Fedora 10 alpha release is now available. At this point, the next Fedora release (due at the end of October) should be mostly feature-complete, though the project reserves the right to continue development work through the beta release (currently planned for August 19). So this seems like a good opportunity to have a look at some of the features which can be expected in Fedora 10.

Rawhide users, who are well known for their masochistic tendencies, are already running the 2.6.27-rc kernels. Given that 2.6.27 should come out in the early part of October, chances are good that this is the kernel version which will come standard with Fedora 10. So Fedora users will be among the first to get enhanced webcam support, UBIFS, ftrace, multiqueue networking, and more.

Improved webcam support is an explicit goal for Fedora 10 in general. The kernel upgrade will help a lot in that regard, but Fedora is taking aim at another longstanding problem: quite a few video applications still use the Video4Linux1 API, despite the fact that said API has been deprecated for years. To help improve this situation, Hans de Goede has been working on another long-missing piece: a user-space library to make the Video4Linux2 API easier for applications to use. It will handle things like format conversions, which, by policy, are not allowed in the kernel; it also does better impedance matching between the V4L1 and V4L2 interfaces. The end result of this work will be better-working webcams for Fedora users - and for everybody else.

A similar objective for Fedora 10 is better support for remote controls. The LIRC remote control package has always been a some-assembly-required affair; Fedora developers are trying to improve this situation and get remote controls to just work.

"Just works," alas, is not a phrase which has been heard often enough around the PulseAudio sound server. The upcoming Fedora release will have a seriously rewritten PulseAudio; the biggest change is a shift to timer-based audio scheduling instead of the older interrupt-driven technique. The promised result will be glitch-free audio; those who are curious about the details of how this will work can find them on this page. PulseAudio is getting better.

Another big change, of course, is the shift to RPM 4.6 - the first real update to the RPM package manager in many years. Being fully aware of the consequences of a failed RPM upgrade, the Fedora developers are proceeding with great caution. The on-disk format will not be changed anytime soon, and newer RPM features are not, yet, being used in Fedora; that means that they can revert back to the older RPM if need be without leaving systems stranded. After some early glitches, RPM 4.6 would appear to be working fairly well, though, so this upgrade will probably stick.

Beyond that, Fedora users can expect a long list of new goodies. NetworkManager now has a feature allowing the sharing of network connections via wireless. There are plans to provide much-improved support of the Haskell programming language, though that project appears to be moving slowly. And there is an interesting new security audit tool intended to look for security problems and signs of intrusions. Your editor would have loved to try out this tool, but, as of this writing, the version in Rawhide appears to be lacking some fundamental features - like being able to start up successfully. Stay tuned.

One thing that apparently will not be in Fedora 10, despite the occasional user request, is KDE 3.5. Some KDE users are not, yet, happy with the state of development of KDE 4 and would like to have their old, familiar desktop back. This note from Fedora leader Paul Frields explains why KDE 3.5 will not be returning to Fedora. In summary: Fedora exists to push the leading edge, Qt3 is no longer maintained, and shipping KDE 4 helps that platform improve more quickly. So KDE 3.5 will not be coming back - unless somebody else goes to the trouble of packaging and maintaining it.

All told, there is a lot of work going into this distribution release. The best way to really see what's going on - and to help the process - is, of course, to try out the alpha release and report any problems which result. After making good backups, of course.

Comments (4 posted)

New Releases

Fedora 10 Alpha released

The first Fedora 10 alpha release is now available. "In an ongoing effort to prevent premature kitten death, the Fedora Project is ecstatic to present the availability of Fedora 10 (Cambridge) Alpha. Test now, make it better now, keep Cambridge on schedule, and protect the kittens in the future." See the release notes and the Fedora 10 feature list for more information.

Full Story (comments: 4)

Distribution News

Debian GNU/Linux

Bits from the Debian Eee PC team, summer 2008

A report from the Debian Eee PC team looks at the support for various models of the Eee, as well as progress towards free drivers for the wireless hardware. "Nick Kossifidis has submitted patches on linux-wireless supporting the Eee models currently supported only by the non-free madwifi in ath5k. This means we'll soon realize our goal of a completely DFSG free system for the earliest models of the Eee. By 2.6.27, or at the latest 2.6.28, these models will be supported. Then we will see about making a patch to support whichever kernel makes it into Lenny." Click below for the full report.

Update: A correction about the driver status has been issued.

Full Story (comments: 3)

Fedora

Production-Ready Fedora 3.0 Fits With the Web (HatCheck Newsletter)

HatCheck Newsletter covers the release of Fedora Commons 3.0. "Today Fedora Commons released version 3.0 of the popular Fedora software that completes all general release features. Dan Davis, Chief Software Architect, Fedora Commons, explained, “We are pleased to offer a Fedora 3.0 that is a foundational step towards a model-driven content architecture.” He went on to say, “Users will find it simpler to maintain and operate their repositories with version 3.0—it’s more scalable and fits better into the Web.”"

Comments (1 posted)

Updated Fedora Privacy Policy

An updated version of the Fedora Privacy Policy has been published. "Previously, Fedora was using the generic Red Hat Privacy Policy, which did not make sense for a number of reasons. Fedora now has its own Privacy Policy at: http://fedoraproject.org/wiki/Legal/PrivacyPolicy I would encourage everyone to read the new Privacy Policy. This policy went through a public review process on the fedora-advisory-board mailing list, and was approved by the Fedora Board on August 5th, 2008. This new policy defines that more of your "Personal Information" is public by default. This will make things much easier for the daily workings of Fedora, however, if you wish for this "Publicly Available Personal Information" to be kept private, it is possible to do so in the Fedora Account System."

Full Story (comments: none)

Red Hat Enterprise Linux

What's next in Red Hat Enterprise Linux (part 2) (Red Hat Magazine)

Here's the second half of Red Hat Magazine's look at features to be found in future RHEL releases. "One of the most requested features since the release of Enterprise Linux 5 is encrypted device support. We support encrypted devices via a technology called LUKS. LUKS, implemented on top of the existing device-mapper cryptography code, standardizes the partition header for the automatic detection of encrypted devices. It also allows for multiple passphrases to decrypt the device. For example, if I insert an encrypted USB stick, the encrypted device is detected via HAL, the GNOME file manager prompts me for the passphrase, and LUKS unlocks the device - which is then mounted and ready to use."

Comments (6 posted)

Ubuntu family

Java related changes in intrepid

The Ubuntu team has sent out a report concerning Java changes in the upcoming Intrepid Ibex release. "Recently Openjdk6 was promoted to main; with today's upload of java-common, OpenJDK6 is the default java runtime / development kit in main, on all architectures..."

Full Story (comments: none)

Distribution Newsletters

Debian Project News - August 4th, 2008

The August 4, 2008 edition of the Debian Project News has been published. "Some of the topics covered in this issue include: "Lenny" frozen, Debian GNU/Linux 4.0 updated to include support for newer hardware, Schedule for 8th annual Debian Conference announced, Debian Days around the world ... and much more."

Comments (none posted)

Fedora Weekly News Issue 137

The August 4, 2008 edition of the Fedora Weekly News has been published. "We are pleased to present a new beat on Virtualization issues and developments brought to you by beat writer Dale Bewley. In Developments we report on "How Maintainers Can Help Reduce XULRunner Breakage". In Announcements we reveal the Fedora 10 codename. In Artwork we examine "The Blue Color of Fedora". In Security Advisories, another new beat authored by David Nalley we run through the week's important updates. We are also saddened to announce the departure of Thomas Chung from the editorial chair, but heartened to be working as a new editorial team consisting of Pascal Calarco, Oisin Feeley and Huzaifa Sidhpurwala."

Full Story (comments: none)

openSUSE Weekly News, Issue 33

Issue #33 of the openSUSE Weekly News has been published. "In this week's issue: * KDE 4.1 Released With openSUSE Packages and Live CD * Help Create the Artwork for openSUSE 11.1 * Reminder: openSUSE Day at LinuxWorld Expo * Banshee 1.2 Released"

Comments (none posted)

Ubuntu Weekly Newsletter #102

The Ubuntu Weekly Newsletter for August 3, 2008 is online. "In this issue we cover: QA to Launchpad Liaison, MOTU news, New Ubuntu Members, Ubuntu Screencasts, Ubuntu Global Bug Jam, New in Intrepid Ibex, Launchpad 2.0, Ubuntu-UK podcast #11, Linux pre-installs at 3%, Steve Stalcup interview, Server Team summary, and much, much more!"

Full Story (comments: none)

DistroWatch Weekly, Issue 264

The DistroWatch Weekly for August 4, 2008 is out. "Things slowed back down this week, but there has been some interesting news. The Debconf8 schedule has been posted, CNET published an interview with Red Hat CEO Jim Whitehurst, and Foxconn has posted an update to the BIOS that made so much news week before last. I test drove the latest release from Parsix GNU/Linux. In Reviewed Last Week FOSSwire examined Pardus 2008 and several sites tested Linux ultraportables."

Comments (none posted)

Distribution meetings

DebConf

The schedule for DebConf8 has been announced. "Note that this schedule only shows events for which we surely know the speakers are actually attending the conference."

A location is being sought for DebConf10. "We currently do not have any (formally) proposed locations, so everyone who wants to run a Debian Conference and thinks they can stand months of work - read on. :)"

Comments (none posted)

openSUSE HelpingHands: Next Event-Banshee

The next openSUSE Helping Hands IRC discussion will be held on Friday, August 8 at 14:30 UTC. "Each week, the openSUSE Helping Hands project introduces a new topic in IRC where users can come to learn about a particular application or service and directly ask questions about that application. This week, HelpingHands is proud to host Banshee - Presented by the Banshee Development Team led by Aaron Bockover."

Full Story (comments: none)

Newsletters and articles of interest

Freespire moves back to Debian

Xandros, which recently acquired Linspire, has announced that the "Freespire" distribution will drop its Ubuntu base and move back to Debian. "We will have a leading edge code base while preserving our commitment to Debian, stability, Windows interoperability, and ease of use. This commitment allows us to meet the needs of a wide range of users, from open source enthusiasts to demanding enterprise clients. In addition, we are intensifying our commitment to the Freespire open source community, which will now help to drive both the Freespire and Xandros products."

Full Story (comments: 10)

Page editor: Forrest Cook

Development

The GNOME 2.24 module proposals

By Forrest Cook
August 6, 2008

The GNOME desktop environment is built in a modular manner with API-stable platform modules and less API-stable desktop modules. Desktop modules can be transitioned to platform modules as they mature. The Damned Lies about GNOME translation site describes the GNOME modules: "Modules are separate libraries or applications, with one or more branches of development included. They are usually taken from CVS, and we keep all relevant information on them (Bugzilla details, web page, maintainer information,...)." The site contains an extensive list of modules for the current GNOME 2.22 release.

On August 4, 2008, the list of modules to be included in the upcoming GNOME 2.24 release was posted. A quick tour of the new modules to be included follows:

  • empathy: "Empathy consists of a rich set of reusable instant messaging widgets, and a GNOME client using those widgets. It uses Telepathy and Nokia's Mission Control, and reuses Gossip's UI. The main goal is to permit desktop integration by providing libempathy and libempathy-gtk libraries. libempathy-gtk is a set of powerful widgets that can be embedded into any GNOME application."

  • project hamster: "Project Hamster is time tracking for masses. It helps you to keep track [of] how much time you have spent during the day on activities you have set up. Whenever you change from doing one task to other, you change your current activity in Hamster. After a while you can see some statistics of how many hours you have spent on what. Maybe print it out, or export to some suitable format, if time reporting is a request of your employee."

  • clutter: "Clutter is an open source software library for creating fast, visually rich and animated graphical user interfaces. Clutter uses OpenGL (and optionally OpenGL ES for use on Mobile and embedded platforms) for rendering but with an API which hides the underlying GL complexity from the developer."

  • libcanberra, announced here, is a lightweight sound event library that implements the XDG sound theming/naming specs.

  • PolicyKit (from an LWN article): "Mounting removable filesystems, CDs, USB devices, and the like, is a classic example of a root-only task that some non-privileged users might be allowed to perform. In the past, various mechanisms using groups or mount options in /etc/fstab have been used with some success, but the mechanisms were specific to mounting and did not provide the flexibility that some administrators would like. Network configuration - particularly for wireless networking - is another common task that users might be allowed to do. PolicyKit is an attempt to centralize these kinds of decisions into a single policy file that the administrator can use to set the kinds of access regular users should be allowed."

There are also a few modules which were not accepted this time around:

  • Conduit: "Conduit is a synchronization application for GNOME. It allows you to synchronize your files, photos, emails, contacts, notes, calendar data and any other type of personal information and synchronize that data with another computer, an online service, or even another electronic device. Conduit manages the synchronization and conversion of data into other formats." Conduit was partially rejected due to an incomplete UI, but allowed as an external dependency for use by other applications. It should be ready for inclusion in GNOME 2.26.

  • WebKit: "WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and JavaScript code began as a branch of the KHTML and KJS libraries from KDE." The plan is to replace the Gecko HTML rendering engine with WebKit in time for GNOME 2.26.

  • libgda (part of Gnome-DB): "Libgda is a database abstraction layer which hides all the database backend specifics from the user, offering a simple interface to each supported database (MySQL, PostgreSQL and SQLite are fully functional while Oracle and MDB are useable and missing features) to run queries." Libgda is required by the Anjuta IDE; it will either be included optionally or bundled with Anjuta.

There is, of course, a lot more to GNOME 2.24 than a few new modules; see the roadmap for more information. This GNOME release is currently scheduled for September 24.

Comments (none posted)

System Applications

Database Software

PostgreSQL Weekly News

The August 3, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Security

Dirmngr 1.0.2 released

Version 1.0.2 of Dirmngr has been announced. "Dirmngr is a server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates and for downloading the certificates themselves. Dirmngr also handles OCSP requests as an alternative to CRLs. Although Dirmngr can be invoked on demand, it should in general be installed as a system daemon."

Full Story (comments: none)

Web Site Development

Django 1.0 updates

The Django 1.0 web platform release schedule has been announced. "We’ve been plowing ahead towards Django’s 1.0 release in early September. Since last week’s 1.0 alpha release we’ve continued to make some pretty nice improvements, including more flexible syntax for admin registration, support for custom cache backends, an “else” option for the “ifchanged” tag, and — the biggie — support for intermediary models in many-to-many relations."

Comments (none posted)

This Week in Rails

The July 26, 2008 edition of This Week in Rails has been published. "Welcome to the fourth edition of This Week in Rails, a weekly (and occasionally fortnightly) report with highlights from the Rails community. David broke the news of the availability of confirmed and scheduled talks at RailsConf Europe which will be taking place this coming September. As you can see there will be a lot of exciting material this year, too..."

Comments (none posted)

Web Submission and Review Software: Version 0.62 released (SourceForge)

Version 0.62 of Web Submission and Review Software has been announced. "Web-based software for submission and review of papers to academic conferences. Provides support for the entire life-cycle of the conference review process. This version includes several minor enhancements and bug-fixes."

Comments (none posted)

ZK: 3.0.7 released (SourceForge)

Version 3.0.7 of ZK has been announced. "ZK is Ajax framework. 100% Java, no JavaScript. With event-driven, 170+ components, and markup languages, development as simple as programming desktops and authoring HTML/XUL pages. ZK supports JSF, JSP, J2EE, and scripting in Java, Ruby, Groovy... Over 9 new features and 22 bugs fixed, ZK 3.0.7 focuses mainly on fixing bugs. Tree support paging mold, Images support RenderedImage and more ease-of-use utilities are introduced."

Comments (none posted)

Desktop Applications

Business Applications

Chandler Desktop 1.0-rc2 released

Version 1.0-rc2 of Chandler Desktop has been announced. "The Chandler Project is an open source, standards-based information manager designed for personal use and small group collaboration. For more information on the Chandler Desktop 1.0-rc2, including a link to the list of bugs fixed, see the following blog post: http://blog.chandlerproject.org/2008/08/05/chandler-deskt..."

Full Story (comments: none)

Data Visualization

matplotlib 0.98.3 released

Version 0.98.3 of matplotlib has been announced. "matplotlib is a 2D plotting library for python for use in scripts, applications, interactive shell work or web application servers. matplotlib 0.98.3 is a major release but stable release which brings many new features detailed below."

Full Story (comments: none)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Commit-Digest (KDE.News)

The June 22, 2008 edition of the KDE Commit-Digest has been announced. The content summary says: "Work on a "Grid" containment for Plasmoids. A Plasma applet to monitor the WiFi signal strength (on Linux systems). Infrastructure in place for a network settings daemon in the NetworkManager Plasmoid. An Akonadi Plasma data engine, intended for initial use by a "Plasmobiff" applet. "Previewer", a new Plasmoid for previewing files using KParts technology. KDevPlatform (the basis of KDevelop4) gets a plugin for basic Git source versioning control. Start of resurrecting C# support in KDevelop..."

Comments (none posted)

KDE Commit-Digest (KDE.News)

The June 29, 2008 edition of the KDE Commit-Digest has been announced. The content summary says: "Some new wallpapers and an Oxygen mouse cursor theme are imported into KDE SVN for the KDE 4.1 release. The KDM login manager gets an Oxygen facelift. Preliminary version of a basic web browser Plasmoid, and a new "ScriptedImage" Plasma applet. Support for storing Amarok 2.0 statistics in NEPOMUK, more work on the new scripting interface, preliminary support for iPod's, and a partially-working "random mode" restored to Amarok 2.0..."

Comments (none posted)

KDE Commit-Digest (KDE.News)

The July 6, 2008 edition of the KDE Commit-Digest has been announced. The content summary says: "In this week's KDE Commit-Digest: Support for moving of applets in Plasma panels. Various work, such as autocompletion and bookmarks (shared with Konqueror) support in the basic Web Browser Plasmoid. Progress in the "Plasma on new form factors" project. A new "LCD Weather Station" Plasma applet makes an appearance. The Powersave and KWeather utilities are ported to Plasma. More work on the "Cube" KWin-Composite effect, including a configuration dialog and keyboard navigation. Work on the multiple choice mode and internet-based translation in Parley. The new "Message List View" becomes more usable, with work on skinning in KMail..."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Financial Applications

GnuCash 2.2.6 Released

Version 2.2.6 of GnuCash has been announced. "The GnuCash development team proudly announces GnuCash 2.2.6 aka "Stay@Home v3", the sixth bug fix release in a series of stable releases of the GnuCash Free Accounting Software."

Full Story (comments: none)

SQL-Ledger 2.8.17 announced

Version 2.8.17 of SQL-Ledger, a web-based accounting system, has been announced. Changes include: "added option to process recurring transactions anytime, fixed formatting error for payments when amounts > 1000 and numberformat set to other than NA format, added item lookup on order/invoice forms".

Comments (none posted)

Games

The Player Project: Stage 3.0.1 released (SourceForge)

Version 3.0.1 of The Player Project: Stage has been announced. "The Player Project: Player is a networked robot/sensor device interface; Stage and Gazebo provide 2D and 3D simulated worlds, respectively. The software aims for POSIX compliance and runs on most UNIX-like OS's (including Linux and OS X)".

Comments (none posted)

pygame 1.8.1 released

Version 1.8.1 of pygame has been announced; it includes bug fixes and other improvements. "Pygame is a set of Python modules designed for writing games. Pygame adds functionality on top of the excellent SDL library. This allows you to create fully featured games and multimedia programs in the python language. Pygame is highly portable and runs on nearly every platform and operating system."

Full Story (comments: none)

Music Applications

a2jmidid version 4 released

Version 4 of a2jmidid has been announced; it includes bug fixes and documentation improvements. "a2jmidid is a project that aims to ease usage of legacy ALSA sequencer applications, in a JACK MIDI enabled system. a2jmidid implementation is based on jack-alsamidi-0.5 that is [almost] same as jackd ALSA "seq" MIDI backend, both created by Dmitry Baikov."

Full Story (comments: none)

guitarix first release

The initial release of guitarix has been announced. "guitarix is a simple mono amplifier to jack (JackAudioConnektionKit) with one input and two outputs. Designed to get nice trash/metal/rock/guitar sounds. Available are the controls for bass, treble, gain, balance, distortion, freeverb, impulse response (pre state), crybaby(wah), feedback/feedforward-filter and echo. A fixed resonator will use, when distortion is disabled. guitarix based on Gtk, a great part is also released as ladspa plugin."

Full Story (comments: none)

Office Applications

pyspread 0.0.8 announced

Version 0.0.8 of pyspread has been announced. "pyspread is a spreadsheet that accepts a pure python expression in each cell. New features: New macro dialog that allows defining python functions, which can be used in the grid. Bug fixes within the copy paste and print code."

Full Story (comments: none)

Office Suites

OpenOffice.org Newsletter

The July, 2008 edition of the OpenOffice.org Newsletter is out with the latest OO.o office suite articles and events.

Full Story (comments: none)

Languages and Tools

C

GCC 4.3.2 Status Report

The July 31, 2008 edition of the GCC 4.3.2 Status Report has been published. "The GCC 4.3 branch is open for commits under normal release branch rules. The 4.3.2 release was expected around 2008-08-06, but as there are still P1s, it might be delayed a little bit."

Full Story (comments: none)

Python

NumPy 1.1.1 released

Version 1.1.1 of NumPy, a Python package for scientific computing, has been announced. "Numpy 1.1.1 is a bug fix release featuring major improvements in Python 2.3.x compatibility and masked arrays"

Full Story (comments: none)

Python-URL! - weekly Python news and links (Aug 5)

The August 5, 2008 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

IDEs

Pydev 1.3.19 released

Version 1.3.19 of Pydev, an Eclipse plugin for Python and Jython, has been announced. This release adds new capabilities and bug fixes.

Full Story (comments: none)

Libraries

Announcing first release of liboggplay

The initial release of liboggplay has been announced. "liboggplay is a C library providing a simple programming interface for reading, decoding and playing back Ogg files and streams. Ogg is an interleaving data container developed by Monty at Xiph.Org, originally to support the Ogg Vorbis audio format."

Full Story (comments: none)

Test Suites

Marathon: 1.2.1 released (SourceForge)

Version 1.2.1 of Marathon has been announced. "Marathon runs gui based acceptance tests against swing applications. It is composed of a runner, and recorder, and an editor. Tests scripts are expressed as python code. Marathon v 1.2.1 is released. This release fixes a major bug that was causing an NPE intermittently during playback and recording. Besides that the editor is improved with options for selecting tab size, conversion of tabs to spaces."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Growing the open-source community (LinuxWorld)

LinuxWorld has an extended report from OSCON. "One lesson learned? [Jono] Bacon said they learned (the hard way) not to try to convert a user community into a developer community. It's tempting, when you have a million users of your open-source software, to imagine the effect of getting 'just 1 percent' of them to write code. But it doesn't work. 'You're trying to convince a cat to bark,' he said. Instead, community leaders need to put their energy into converting users to advocates."

Comments (none posted)

Trade Shows and Conferences

Full Report: LTSP Hackfest Portland 2008 (LiVE JOURNAL)

Warren Togami presents a report from the LTSP Hackfest Portland 2008. "The Linux Terminal Server Project (LTSP) has for ~9 years enabled Linux to act as a terminal server to diskless thin clients. LTSP has saved schools and businesses countless million, enabled or expanded access to technology to tens of thousands of schools globally, and enabled millions of otherwise useless obsolete computers to be recycled as thin clients. Today LTSP through various distributions like Debian, Ubuntu, Fedora and CentOS is very likely the largest by far exposure of Linux desktops to the general public. Long before OLPC, LTSP has and continues to be a major Linux Desktops for education success story. Now LTSP is becoming a shining star of cross-distribution coordination."

Comments (none posted)

Information from the Ottawa Linux Symposium (OLS) 2008 presentations (Heise)

Heise has posted a look at several OLS presentations - without actually having been to OLS. "A look at the companies employing the various presenters and the respective topics presented can provide valuable insights into the companies' open source activities and fields of interest. The largest number of presentations were given by IBM employees who delivered or contributed to 11 out of a total 54 OLS presentations. Topics include performance and regression testing, file systems, real-time Linux and, of course, the current buzz phrase Cloud Computing. In second place were the employees of Red Hat who contributed to 8 of the presentations. While one of these deals with clusters and real-time Linux, others discuss the general Wifi support in Linux or the budding Augeas 'Configuration API'."

Comments (1 posted)

Companies

Intuit joins the Linux revolution (C|net)

C|net reports that Intuit, producer of the popular QuickBooks financial software, is making some Linux-friendly moves. "Intuit has been sniffing around open source for at least a year now, but predominately as a platform (Linux) upon which its applications could run. It opened the door a bit more in April when it opened up QuickBase to developers, but now seems to be paving the way for a more complete launch into open source with its Linux Business Resource Center. Yes, that Intuit. Promoting Linux and open source."

Comments (none posted)

Bruce Perens: Microsoft and Apache - What's the Angle? (IT Management)

Bruce Perens looks at Microsoft's sponsorship of Apache. "For a decade, Microsoft was open source's worst enemy, combating it at every turn. But last week Microsoft joined the Apache open source project as a platinum sponsor, promising to put $100,000 per year into a project that beats its own IIS (Internet Information Services) in the market. Microsoft also made some of their patents available for use in GPL software like Linux without a royalty. Has Redmond given up the fight? Or is this just their latest strategy?"

Comments (17 posted)

Linux at Work

Teaching tech to tots: The use of Linux and open source in pre-schools (iTWire)

iTWire has a look at using Linux for pre-school education. The author installed Edubuntu on some older machines for his child's pre-school with excellent results. "There are a rich suite of components making up Edubuntu. For me the standout was GCompris which consists of many fun activities involving mathematics, science, geography, reading and spelling, memory development and more."

Comments (2 posted)

Interviews

Will LSB 4 Standardize Linux? (InternetNews)

InternetNews talks to the Linux Foundation's Jim Zemlin about LSB 4.0. "Not all Linux distributions are made with the same components, which can make it difficult for software developers to write applications for multiple Linux distributions. That's where the Linux Standards Base (LSB) comes into play. For years the LSB has not quite lived up to its full potential. That could all change with the upcoming LSB 4.0 release. LSB 4.0, set for release by the end of this year, could be the catalyst that enables independent software vendors, or ISVs, to develop applications that will run on any LSB-compliant Linux distribution. If it gets adopted, LSB 4 could bring a new wave of multidistribution Linux application development."

Comments (31 posted)

Miguel de Icaza: "We could refresh the look and feel of the entire desktop with Moonlight" (derStandard.at)

derStandard.at sits down with Miguel de Icaza to discuss Mono and Moonlight at the GUADEC conference in Istanbul. de Icaza has lots to say about both projects, but also seems rather unhappy with the Mozilla folks: "And even the Mozilla guys - the keynote we had here was done on a mac, every single Mozilla developer uses a Mac. And it's funny, they constantly attack Silverlight, they constantly attack Flash and then all of them use proprietary operating systems, they don't seem to have a problem doing it. And then they had the Guinness record thing for Firefox 3 and you went to the website and it had a flash map to show where people are downloading - so there definitely is a double standard here. And that's after all their claiming that you can do everything in AJAX - so they definitely don't 'walk the walk'."

Comments (56 posted)

The A-Z of Programming Languages: Python (TechWorld)

TechWorld has a lengthy interview with Guido van Rossum. "For a few years there were definitely way too many web frameworks. While new web frameworks still occasionally crop up, the bar has been set much higher now, and many of the lesser-known frameworks are disappearing. There's also the merger between TurboGears and Pylons. No matter what people say, Django is still my favorite -- not only is it a pretty darn good web framework that matches my style of developing, it is also an exemplary example of a good open source project, run by people who really understand community involvement."

Comments (1 posted)

Resources

Why Free Software has poor usability, and how to improve it

Free software usability is the focus of an article on Matthew Paul Thomas's blog. He identifies 15 problems and proposes solutions to each. "With volunteer projects, though, any incentive is much weaker. The number of users rarely makes any financial difference to developers, and with freely redistributable software, it's near-impossible to count users anyway. There are other incentives — impressing future employers, or getting your software included in a popular OS — but they’re rather oblique."

Comments (20 posted)

Reviews

Plat’Home OpenBlockS: Made in Japan (ZDNet)

Over at ZDNet, Jason Perlow checks out the Plat'Home OpenBlockS micro-server. The micro-server is a very small, fanless, low-power embedded Linux box that comes with a Debian-derived distribution. "So what is this thing good for? Well, just about anything. If you want to build a specialized solid state mission critical appliance that runs a custom PHP/MySQL application, or want to develop VPN gateways and Asterisk VOIP routers, or just like to hack around with a low-power Linux machine under your desk at work, this is the geek's equivalent of a Linux Heathkit."

Comments (16 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EFF's Coders' Rights Project

The Electronic Frontier Foundation has announced the launch of the Coders' Rights Project. "'Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use everyday. Yet this important work can be stymied by bogus legal threats,' said EFF Civil Liberties Director Jennifer Granick, who is heading up the project. 'EFF's Coders' Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities.'"

Full Story (comments: none)

EFF Releases "Switzerland" ISP Testing Tool

The Electronic Frontier Foundation has announced the release of the Switzerland ISP Testing Tool. "San Francisco - Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications."

Full Story (comments: none)

FSF demonstrates iPhone's incompatibility with free software and GPLv3

The Free Software Foundation has sent out a press release concerning Apple's position on free software on the iPhone. "The statement contrasts the iPhone with other proprietary computer operating platforms that have allowed free software access, saying "For many years, we have been suffering from Microsoft's PC monopoly; a platform that has allowed Microsoft to inflict untold harm on computer users and the computing industry. The free software community has been working for many years to give people an opportunity to escape to GNU/Linux from Windows, but the iPhone would allow no such escape route.""

Full Story (comments: none)

Commercial announcements

IBM, Canonical, Novell, and Red Hat go for the desktop

IBM, Canonical, Novell, and Red Hat have jointly announced a scheme aimed at making progress in "the one billion-unit desktop market." "The four leaders are working with their local business partners in markets around the world to build and distribute a pre-loaded PC offering that features IBM's Open Collaboration Client Solution (OCCS) including Lotus Notes, Lotus Symphony and Lotus Sametime; the Linux operating system of each distributor; and software applications and installation services from the local partners in each market. The final product will be branded by the local IT firms that bring it to market."

IBM has launched a number of other initiatives as well, celebrating its ten years of support for Linux.

Comments (14 posted)

BitRock partners with Rightscale

BitRock and Rightscale have announced a partnership. "BitRock Inc., the leading provider of tools and services for deploying open source applications, and RightScale, the leader in cloud computing management, announced today a partnership to provide one-click deployments of popular open source applications on Amazon's Elastic Compute Cloud (EC2). Users of RightScale's cloud computing management system can now select from a menu of applications, such as Drupal, Joomla!, Wordpress, and MediaWiki, and launch them in an instant to EC2."

Full Story (comments: none)

Funambol Version 7 has been released

Funambol has announced the release of Funambol Version 7, a push email and mobile sync system. "Funambol v7's new capabilities include open source software for BlackBerry push email and PIM sync, an iPhone plug-in for contacts sync, an enhanced Java ME push email client for hundreds of millions of feature phones, Yahoo! and Gmail contact import into the Funambol Portal, server syncing of tasks and notes via native SyncML clients, an enhanced SDK and greater scalability. Funambol v7 ties into key trends in the mobile industry, the first being open source."

Full Story (comments: none)

MontaVista Linux supports Cavium OCTEON processors

MontaVista Software, Inc. has announced support for Cavium Networks OCTEON processor family. "MontaVista® Software, Inc., the leader in embedded Linux® commercialization, today announced that MontaVista Linux Carrier Grade Edition (CGE) 5.0 now supports Cavium Networks OCTEON CN58XX, CN56XX, CN52XX, CN50XX, and CN38XX processor families, enabling embedded developers to use the widely adopted MIPS64-based OCTEON architecture to create high performance multicore applications that are multi-threaded and core-aware while delivering the interoperability, high availability, and field serviceability that carriers need."

Full Story (comments: none)

Openmoko publishes schematics for Neo phones

Openmoko has announced the forthcoming release ("under a Creative Commons License") of the schematics for its Neo 1973 and Neo FreeRunner phones. "Just as Free and Open Source Software provides source code information, open schematics provide vital information to engineers who may want to add functionality, external instruments or sensors, or assist the company in debugging problems, ultimately creating a better product for the entire mobile community."

Full Story (comments: 9)

Partners Embrace Oracle Unbreakable Linux Support Program

Oracle has posted a LinuxWorld press release that promotes the Unbreakable Linux support program. "Further demonstrating its commitment to support, promote and advance Linux in the enterprise, Oracle today announced continued momentum across its Linux partner ecosystem with new partners adopting the Oracle(R) Unbreakable Linux Support Program, by certifying with Oracle Enterprise Linux and participating in the Oracle Validated Configurations testing program. In addition, Oracle announced an enhanced Linux partner program provided through the Oracle PartnerNetwork (OPN)."

Comments (none posted)

Promise Technology announces Linux support for RAID subsystems

Promise Technology has announced Linux support for its products. "Promise Technology, Inc., a global supplier of sophisticated RAID storage solutions for enterprise and SMB customers, today announced Linux support for all its products as an important extension of its Linux business strategy."

Full Story (comments: none)

RedPost announces next phase of its Ubuntu-based DIY hardware platform

RedPost has announced a new Ubuntu-based digital photo frame device. "Today, RedPost inc. announced the next phase of its Ubuntu-driven hardware with the formation of a strategic partnership with Hurco Automation Ltd., a Taiwan-based industrial computer manufacturer with a twelve year history of building specialized, quality electronics. Hurco will manufacture RedPost's new Sign, a 19" all-in-one PC with the capability of a digital photo frame or as a digital sign when connected to RedPost's software."

Full Story (comments: none)

New Books

FBML Essentials - New from O'Reilly

O'Reilly has published the book FBML Essentials by Jesse Stay.

Full Story (comments: none)

Intellectual Property and Open Source - New from O'Reilly

O'Reilly has published the book Intellectual Property and Open Source by Van Lindberg.

Full Story (comments: none)

The Productive Programmer - New from O'Reilly

O'Reilly has published the book The Productive Programmer by Neal Ford.

Full Story (comments: none)

Learning the vi and Vim Editors - New from O'Reilly

O'Reilly has published the book Learning the vi and Vim Editors by Arnold Robbins, Elbert Hannah, and Linda Lamb.

Full Story (comments: none)

Resources

Git Magic

Git Magic may not be exactly new, but some of us have stumbled across it later than others. It is a highly readable introduction to git with lots of examples of how to get things done. "As Arthur C. Clarke observed, any sufficiently advanced technology is indistinguishable from magic. This is a great way to approach Git: newbies can ignore its inner workings and view Git as a gizmo that can amaze friends and infuriate enemies with its wondrous abilities. Rather than go into details, we provide rough instructions for particular effects. After repeated use, gradually you will understand how each trick works, and how to tailor the recipes for your needs."

Comments (47 posted)

Contests and Awards

Nominations Open for 2008 Linux Medical News Freedom Award (LinuxMedNews)

LinuxMedNews has announced the opening of nominations for the Linux Medical News Freedom Award. "Nominations are officially open for the 8th annual Linux Medical News Freedom Award to be presented at the November 8th-12th AMIA Fall conference at the Hilton Washington and Towers, Washington, D.C. Deadline for entries is August 31st, 2008."

Comments (none posted)

15 Proposals for Third Quarter of TPF Grants (use Perl)

use Perl looks at the proposals received for the 2008 Perl Foundation Grants. "The Perl Foundation grants committee received 15 proposals during the third call for grant proposals for 2008. These proposals are published for public discussion. You are invited to comment each proposal about its relevance and objectives."

Comments (none posted)

Event Reports

OSCON 2008 Proceedings are online

The proceedings from the 2008 O'Reilly Open Source Convention have been published. "Presentation files will be made available after the session has concluded and the speaker has given us the files. Check back if you don't see the file you're looking for—it might be available later! (However, please note some speakers choose not to share their presentations.)"

Comments (none posted)

Calls for Presentations

O'Reilly Tools of Change for Publishing 2009 Conference opens Call for Proposals

A Call for Proposals has gone out for the O'Reilly Tools of Change for Publishing Conference. "The O'Reilly Tools of Change for Publishing Conference 2009 will parse the future February 9-11, 2009, at the Marriot Marquis in New York City. Following last year's sold-out conference in New York, Program Chair Andrew Savikas invites proposals for conference sessions and tutorials for this third year of the TOC Conference." The proposal deadline is August 25.

Full Story (comments: none)

Upcoming Events

Installfest for Schools at LinuxWorld

For those attending LinuxWorld next week who might have a little time on their hands, the Installfest for Schools is looking for volunteers. "Building on the success of the first Installfest for Schools on March 1st, 2008, we are launching a global installfest this Summer at LinuxWorld! We'll be refurbishing older computers, recycled by the Alameda County Computer Resource Center, right on the LinuxWorld Expo floor August 4-7, 2008. With over 10,000 GNU/Linux users attending LinuxWorld, there's no telling how many F/OSS computers we can donate to Schools. But why stop there? We're working with volunteers all over the world to organize Installfests for Schools in their own neighborhoods during the week of LinuxWorld."

Comments (none posted)

Linux Foundation announces End User Summit

The Linux Foundation End User Summit has been announced. "Join us on October 13 & 14 as the Linux Foundation holds the first Linux Foundation End User Collaboration Summit at the Desmond Tutu Center in New York City. This event is gathering the leaders of the Linux development and vendor communities to collaborate with CTOs, architects and senior IT representatives from the largest and most dynamic end users in the world to accelerate problem solving and advance the Linux platform."

Full Story (comments: none)

Registration opens for the OpenOffice.org annual conference

Registration for the OpenOffice.org annual conference has been opened. "Please note we have now opened registration for our annual international conference OOoCon 2008, to be held in Beijing, China between 5th.-7th. November. This OOoCon is a double first - it's the first OOoCon to be held outside Europe, and it will also see the biggest concentration of OpenOffice.org developers ever assembled in one location on the planet."

Full Story (comments: none)

Events: August 14, 2008 to October 13, 2008

The following event listing is taken from the LWN.net Calendar.

Date(s) | Event | Location
August 9 - August 16 | Akademy 2008 | Sint-Katelijne-Waver, Belgium
August 9 - August 17 | Linuxbierwanderung (Linux Beer Hike) | Samnaun/Compatsch, Switzerland
August 10 - August 16 | Debian Conference 2008 | Mar del Plata, Argentina
August 11 - August 15 | SAGE-AU'2008 | Adelaide, Australia
August 12 - August 14 | Flash Memory Summit | Santa Clara, CA, USA
August 13 - August 15 | YAPC::Europe 2008 | Copenhagen, Denmark
August 18 | Debian Day | Buenos Aires, Argentina
August 19 - August 24 | SciPy 2008 Conference | Pasadena, CA, USA
August 20 - August 22 | Jornadas Regionales de Software Libre | Buenos Aires, Argentina
August 23 - August 24 | FrOSCon 2008 | Saint Augustin, Germany
August 26 - August 29 | WebGUI Users Conference 2008 | Madison, WI, USA
August 27 - August 30 | Drupalcon Szeged 2008 | Szeged, Hungary
August 28 - August 30 | Utah Open Source Conference 2008 | Salt Lake City, UT, USA
September 2 - September 4 | RailsConf Europe 2008 | Berlin, Germany
September 5 - September 7 | FUDCon Brno 2008 | Brno, Czech Republic
September 6 - September 7 | DjangoCon 2008 | Mountain View, CA, USA
September 7 - September 10 | Workshop on Open Source Software for Computer and Network Forensics | Milan, Italy
September 7 - September 14 | Python Game Programming Challenge | Online
September 8 | Encontro Nacional de openSUSE | Porto, Portugal
September 9 - September 11 | EFMI STC 2008 | London, England
September 12 - September 14 | The UK Python Conference | Birmingham, England
September 15 - September 18 | ZendCon PHP 2008 | Santa Clara, CA, USA
September 15 - September 16 | Linux Kernel Summit 2008 | Portland, OR, USA
September 16 - September 19 | Web 2.0 Expo | New York, NY, USA
September 17 - September 19 | The Linux Plumbers Conference | Portland, OR, USA
September 18 - September 19 | Italian Perl Workshop | Pisa, Italy
September 19 - September 20 | Maemo Summit 2008 | Berlin, Germany
September 20 | Celebrating Software Freedom Day in Riga, Latvia | Riga, Latvia
September 22 - September 25 | Storage Developer Conference 2008 | Santa Clara, CA, USA
September 23 - September 25 | 4th International Conference on IT Incident Management and IT Forensics | Manheim, Germany
September 24 - September 25 | OpenExpo 2008 Zürich | Winterthur, Switzerland
September 25 - September 27 | Firebird Conference 2008 | Bergamo, Italy
September 26 - September 27 | PGCon Brazil 2008 | Sao Paulo, Brazil
September 26 | Far East Perl Workshop 2008 | Vladivostok, Russia
September 26 - September 28 | ToorCon Information Security Conference | San Diego, CA, USA
September 27 - September 28 | WineConf 2008 | Bloomington, MN, USA
September 29 - October 3 | Netfilter Workshop 2008 | Paris, France
September 29 - September 30 | Conference on Software Language Engineering | Toulouse, France
September 30 - October 1 | BA-Con 2008 | Buenos Aires, Argentina
October 1 - October 3 | Vision 2008 Embedded Linux Developers Conference | San Francisco, USA
October 2 - October 3 | ekoparty Security Conference | Buenos Aires, Argentina
October 3 - October 4 | Open Source Days 2008 | Copenhagen, Denmark
October 4 | PyArkansas 2008 | Central Arkansas, USA
October 4 - October 5 | Texas Regional Python Unconference 2008 | Austin, TX, USA
October 7 - October 10 | OWASP NYC AppSec 2008 Conference | New York, NY, USA
October 7 | Openmind 2008 | Tampere, Finland
October 7 - October 10 | Linux-Kongress 2008 | Hamburg, Germany
October 7 | Red Hat Government Users and Developers Conference | Washington, DC, United States
October 10 - October 12 | Ohio LinuxFest 2008 | Columbus, Ohio, USA
October 10 - October 12 | PostgreSQL Conference West 08 | Portland, OR, USA
October 10 - October 12 | Skolelinux Developer Gathering | Oslo, Norway
October 11 - October 12 | Pittsburgh Perl Workshop | Pittsburgh, PA, USA
October 11 - October 12 | MerbCamp | San Diego, CA, USA

If your event does not appear here, please tell us about it.

Audio and Video programs

RHT CEO Talks Biz (CNBC.com)

CNBC.com presents a video interview (Flash format) with Red Hat's Jim Whitehurst. "Discussing Red Hat's stock and business, with Jim Whitehurst, president and CEO of Red Hat, and Mad Money host Jim Cramer." (Thanks to Scott Dowdle).

Comments (1 posted)

Page editor: Forrest Cook

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds