LWN.net Weekly Edition for October 2, 2008 [LWN.net]

Ubuntu debuts its Upstream Report

By Jake Edge
October 1, 2008

Ubuntu has taken some heat over the years for its relationship with upstream projects, but the distribution seems determined to change that impression. To that end, Ubuntu has started by looking at bugs and bug reporting between the distribution and upstream projects. The visible result is the beta release of the Ubuntu Upstream Report, which displays the progress of getting bugs upstream.

Users of Ubuntu report lots of bugs in the software they use but, for the most part, those bugs aren't in any way specific to Ubuntu; they tend to also exist in the upstream project. Ubuntu collects its bugs at Canonical's Launchpad web site which allows linking those bugs to bugs in the bug tracking system of an upstream project. Once the link—or watch as it is called in Launchpad—is established, updates to the upstream bug's status will be reflected in the Ubuntu bug as well.

That capability has been available for some time, but as Ubuntu looked at ways to improve how well their bugs were flowing upstream, they needed a way to measure how well watches were being used. Canonical's Ubuntu community manager Jono Bacon describes the idea behind the report:

In terms of this project, I was keen to see graphs that show the number of upstream bug linkages going on, the total number of open vs. upstream bugs and how many bugs are fixed elsewhere. We could use these graphs to determine our progress in improving our bug workflow, but this was not enough - we also needed raw data about which projects needed the most focus. Which projects were struggling the most with bug figures? Which projects were not forwarding bugs upstream? Which projects didn't have an upstream bug tracker registered in Launchpad? We had all the answers to these questions in Launchpad, but no means of gathering them. To fix this, we created the Ubuntu Upstream Report.

The report ranks Ubuntu projects by the number of open bugs, while also showing how many have progressed towards upstream. Bugs in Ubuntu get triaged by the Ubuntu bug team, with some of them getting classified as "upstream"—meaning that they exist in the project itself, rather than just Ubuntu's build. Upstream bugs that are linked to a bug in the projects bug tracker are considered "watch" bugs. Each successive stage shows the difference between the previous, both as a number and a percentage so that it is easy to see how bugs are being handled as well as where the bottlenecks are. This dashboard-style interface also allows sorting by column and retrieving lists of bugs by following the numeric links.

The report was created by Jorge Castro, who is in charge of external project developer relations for Canonical. The tool has multiple uses, as Castro explains:

We wanted to provide a tool that not only shows upstreams how well we're linking and forwarding bugs, but a day-to-day tool for maintainers to see where there are targets of opportunity to forward to upstream. And lastly, for triagers we wanted to provide real-time working "bug lists" that you can work through if you want to help be the bridge that connects the downstream Ubuntu Package to the upstream project.

Part of the idea is for the report to be used by participants in Ubuntu's 5-A-Day initiative. 5-A-Day is an effort to make the Ubuntu bug list better by encouraging users and developers to work on five bugs each day. Users can do things like try to reproduce the bug, cleaning up and adding more information to the report; while developers can triage bugs or look at patches to the upstream project to see if they are needed for Ubuntu. The report will also help those who are running or participating in Bug Jams—focused efforts to gather people together to move Ubuntu bugs along.

Linking to existing upstream bugs or creating new ones for problems that Ubuntu users find can be helpful for projects. Some projects will find it more helpful than others, as Bacon notes:

If we do link a bug upstream, we had no firm idea how useful an upstream actually find our bug data. Our discussions suggested very mixed reactions - a small project is likely to have a very different perspective on bugs than a large project. Just think about this in purely quantitative states - a small project will likely get fewer bugs, and these bugs can probably be dealt with by a small collection of volunteers. This is unlikely to scale to something like the Linux kernel or OpenOffice.org.

One of the problems, of course, is the one-way nature of the watch link—Ubuntu sees changes to the upstream bug, but the reverse is not true—as projects have to come looking in Launchpad for updates. There is also resistance to using Launchpad because it is not free software, though that is slated to change by mid-2009. Overall, this new report and the focus on improving upstream relations are very welcome, but tracking bugs only goes so far; fixing upstream bugs is an important, but missing, piece.

In order to not be seen as just a consumer of upstream software, one needs to not only report bugs, but fix them as well. For all of the various bug-related efforts that Ubuntu is sponsoring, there is very little mention of actually fixing problems and sending patches upstream. There are tools like Harvest that make it easier to find upstream patches—bug fixes and enhancements for possible inclusion in the Ubuntu packages—but the focus is clearly on improving Ubuntu, as opposed to improving the software ecosystem that makes up the distribution.

It is important to remember that the efforts so far are just a start; Ubuntu is working on additional projects to improve its upstream relations. One gets the sense that they have heard the criticisms and are working to address them. Like it or no, Ubuntu has its own way of doing things which may mean it takes longer than some would like, but it certainly looks to be headed in the right direction.

Comments (67 posted)

openSUSE and the distribution of proprietary software

By Jonathan Corbet
September 29, 2008

Every Linux distributor must find its own peace when it comes to the issue of proprietary software. Some distributors will avoid anything non-free to the point of tearing firmware out of the kernel. Others, like Fedora or Debian, will not include any non-free code. Distributors like Ubuntu are rather more willing to facilitate the use of non-free software, but even they are, perhaps, not 100% comfortable with it. And distributions like Xandros positively embrace proprietary code.

OpenSUSE (like SuSE Linux before it) has traditionally taken a position which is relatively friendly toward proprietary software. It was only in 2006 that Novell announced its intention to stop shipping non-GPL kernel modules, but it never made any such promises with regard to user space. So a typical openSUSE installation disk includes a number of proprietary goodies, including the Adobe Flash player, a number of fonts, ARCAD, the Acrobat PDF reader, the Opera web browser, RealPlayer, and more.

The presence of all this proprietary code is unwelcome to some users, of course, but it has another interesting effect: it requires that openSUSE be distributed with an end-user license agreement which has some very un-free-software-like terms. Among other things, it reads:

Novell reserves all rights not expressly granted to You. You may not: (1) reverse engineer, decompile, or disassemble the Software except and only to the extent it is expressly permitted by applicable law or the license terms accompanying a component of the Software; or (2) transfer the Software or Your license rights under this Agreement, in whole or in part.

In other words, redistribution of the openSUSE DVD is not permitted. Members of the openSUSE mirror network are, technically, in violation of the EULA, though nobody appears to be in a hurry to call them on that. But the EULA raises eyebrows and makes some users uncomfortable; many people got into free software to avoid dealing with agreements like that.

The need for the EULA, rather than problems with proprietary software in general, is causing developers at Novell to reconsider which packages should go onto an openSUSE DVD. To that end, Novell product manager Michael Löffler has proposed a new scheme whereby the DVD would only contain redistributable software (including proprietary software, such as firmware, which allows redistribution). The openSUSE project would set up a network-based repository from which other proprietary applications could be installed; the installer would then install a couple of packages (the Adobe Flash player and Fluendo's MP3 codec) by default.

The end result for most users would be the same: an openSUSE installation with both free and proprietary software. At least, that would be the case for users with a decent network connection. But those users would also gain a DVD with a much less restrictive EULA allowing the DVD to be redistributed at will. (The current plan is to still have an agreement for trademark control and warranty disclaimer reasons, even though other software distributors have managed to eliminate EULAs for those purposes). At this point, it would also be easy to add an option to simply skip the configuration of the non-free repository for users who want a "clean" installation.

Most responses to this proposal have been positive. The happiness is not universal, though; one user complained:

I don't think Novell, openSUSE and us should be influenced by "bad press" of doubt quality and change what is a key point of openSUSE: offering also proprietary software ready to go on the DVD. Moving these packages to an online repository makes no difference from downloading and installing them by hand.

It is true that one-stop shopping has long been a feature of the SUSE distribution. And a recent survey [PDF] suggests that a significant portion of the openSUSE user base makes use of at least a few of the proprietary tools included there. If the presence of this code is truly a "key point" of openSUSE, then taking it out could risk upsetting users at a time when, by some accounts, the visibility of this distribution is already dropping.

This risk would be mitigated by a couple of factors, though. One is that the need to download those packages over the net is not much of a stopping point for most users. After all, people installing Linux from a CD or DVD have usually resigned themselves to a massive download of package updates after the first boot anyway. Tossing a few more packages into that download - assuming they weren't set to be updated by then anyway - is not going to change the experience in any significant way.

But the other relevant point is that the need for much of this proprietary code is decreasing. Java used to be a big part of the openSUSE proprietary software load, but Java is now free. Your editor cannot remember when he last encountered a PDF file which could not be managed by at least one free viewer - though, evidently, such files do still exist. Perhaps the biggest remaining problem is Flash; progress is being made there, but Flash is most certainly not a solved problem. Beyond that, though, there are few situations indeed where a proprietary application is really needed for ordinary tasks.

The openSUSE distribution is not distancing itself from proprietary software at this time; it is just reorganizing its management of that software to address one of the problems it brings. But it is still hard to avoid the temptation to read between lines and look forward to a day when openSUSE, too, distributes only free software - not as a result of any sort of push for purity, but just because its users no longer have any need for anything else.

Comments (26 posted)

The CME Group sees a future with the Linux Foundation

October 1, 2008

This article was contributed by Lisa Hoover

The Linux Foundation has another new organization on the membership roster this week. The CME Group announced it has joined the nonprofit organization, and its associate director, Vinod Kutty, will chair the Foundation's End User Council. The CME Group is made up of three derivatives, or futures, exchanges: the Chicago Board of Trade, and the New York and Chicago Mercantile Exchanges. Linux has played a major part of the financial services industry for many years, and representatives of the CME Group say it's time to become more involved in the evolution of open source technology.

In a prepared statement Kevin Kometer, Managing Director and Chief Information Officer of CME Group, says, "Our Linux Foundation membership allows us to move beyond just being users of Linux to being participants in the direction of this important technology. Joining the Linux Foundation and being deeply involved in Linux will also help the exchange determine the future use of our own technology."

Practically speaking, the move will increase the Group's input into the development of software developed for the financial industry, thereby giving them a boost in a very competitive global marketplace.

Kutty explains, "By most accounts, derivatives exchanges around the world do not compete with one another. Unlike the securities markets that compete for listings, the majority of derivatives products are created with intellectual capital or they are licensed products. Our main competition comes in the form of the over-the-counter (OTC) marketplace where 80% of the world's derivatives trade; only 20% of derivatives globally trade on an exchange. The OTC products often are similar or lookalike products to what an exchange would trade."

That competitive threat is a chief reason the CME Group chose to join the Linux Foundation.

"We're excited to see CME join, but not surprised at its intent," says Amanda McPherson, the Linux Foundation's VP of marketing and developer programs. "CME realizes that direct collaboration with the Linux community gives them a competitive advantage. They have bet their business on Linux to very good effect. We're seeing the innovators and leaders understand that to get the most of Linux it's important to collaborate with the community directly. Through our end user council and the yearly Collaboration Summits, companies like CME can collaborate closely with the brightest minds in Linux."

While it's unusual for large financial exchanges to sit down with kernel developers, it's not unheard of. Head Bubba, IT manager for international financial services group, Credit Suisse, was part of a panel that met with developers at last year's Kernel Summit to talk about the challenges companies face when using Linux.

Kutty will be picking up where Bubba left off. After attending this year's Kernel Summit, Kutty is slated to speak on behalf of the CME Group at October's Linux Foundation's End User Summit in New York, where he'll be talking about how the exchange has deployed Linux and where he hopes to see it go in the future.

Historically, financial transactions have taken place on an exchange's trading floor in a process known as "open outcry." This method is increasingly being replaced by electronic trading, however, and the financial industry appears to be ready to embrace open source technology in the process.

McPherson says, "the NYSE and most bank's trading systems are based on Linux. We're entering a third phase of adoption by financial services and Linux. At first it was just small, skunk works projects. Then it moved into broad-based adoption through vendors. Now we're seeing companies getting the most out of their investment by partnering directly with the community."

As a means to that end, Kutty, will work with members of the End User Council, Linux vendors, and also leaders within the Linux community to collaborate on technical and legal issues that affect FOSS. The CME Group has relied on Linux since 2003 and though it employs a variety of commercial and open source tools, Linux remains the dominant technology in use today. Kutty describes what they hope to accomplish:

The open source solutions tend to address some niches at the web tier as well as scripting tools, performance monitoring tools, log file analysis, development tools and simple document/content management.

Additionally, many of the GNU tools that are bundled with our Linux distribution are taken for granted as being available for use on any system we deploy, typically by our sysadmins as part of day-to-day operations. Some pre-date our migration to Linux because it was and is possible to use GNU tools on commercial UNIX. As open source alternatives to commercial products mature, we evaluate them and select them if they make sense. We're trying to play a more active role in the evolution of these products higher up the stack than the OS, but our initial priority is to focus on Linux improvements.

Given the current state of the economy in the US, any small advantage for the financial industry is welcome. McPherson says Linux and open source technology can certainly help play a role in fixing what's broken. "The great thing about Linux is it's open and gives customers a great deal of flexibility in working with their vendors. It runs on multiple architectures and you can get support from various vendors (or not pay for support at all). This will become more and more appealing in our current economic environment. But given the collaborative development model, Linux thrives in any economic environment because of the choice it provides."

Comments (6 posted)

Page editor: Jonathan Corbet

Security

ParanoidLinux: from fiction to reality

By Jake Edge
October 1, 2008

A novel for young adults by Cory Doctorow has inspired the creation of a new Linux distribution focused on privacy. ParanoidLinux is still in the planning stages, but it adopts some interesting ideas from Doctorow's book to place atop a Debian Testing base. It is targeted at those who have a very strict need to disguise their documents and network traffic because of a repressive regime.

Doctorow is familiar to many in the free software world, for his work as a science fiction author as well as a digital rights activist and blogger. His recent novel, Little Brother is set in the US after another devastating terrorist attack. Because of the attack, most civil liberties have been suspended leading some characters to use an alternative operating system:

ParanoidLinux is an operating system that assumes that its operator is under assault from the government (it was intended for use by Chinese and Syrian dissidents), and it does everything it can to keep your communications and documents a secret. It even throws up a bunch of "chaff" communications that are supposed to disguise the fact that you're doing anything covert. So while you're receiving a political message one character at a time, ParanoidLinux is pretending to surf the Web and fill in questionnaires and flirt in chat-rooms. Meanwhile, one in every five hundred characters you receive is your real message, a needle buried in a huge haystack.

It is that description, along with others in the book, that is guiding the development of the "real" ParanoidLinux. While it is relatively easy to come up with a fictional privacy-oriented operating system, the reality of building one is rather challenging. The project has only existed since May, so the current focus is to get some kind of alpha system put together as a starting point.

The idea of "chaff" is one that has been taken up on the ParanoidLinux wiki. There are several facets to the problem: how does one generate normal-looking traffic while somehow transferring encrypted data as part of that traffic. There are existing techniques that could be used. Chaff combines the ideas of steganography—hiding even the existence of a message—with cryptographic techniques.

The discussion about chaff makes it clear that the ParanoidLinux developers are looking at Doctorow's ideas carefully before implementing them. Chaff is certainly not a panacea, as it won't hide the traffic from an adversary that has specifically targeted someone. It is, instead, a means to fly under the radar, to appear to be a "normal" internet user with standard traffic patterns.

Using Tor (i.e. The Onion Router) is one way to anonymously use the internet—within limits—but traffic bound for a TOR node would be very suspicious to any monitoring agency. Another privacy-enhancing feature would be full-disk encryption, but that would be yet another red flag for an agency that was inspecting the computer. These are kinds of trade-offs that are being discussed by the project as they try to narrow their focus to something that can be implemented in the near term.

Hiding, or at least obfuscating, the existence of ParanoidLinux on the computer is another piece of the puzzle. It could be very dangerous to be required by the authorities to boot one's ParanoidLinux laptop. But, if it appears to be a "regular" system—perhaps looking much like Windows—it may escape scrutiny. Encrypted data might then be stored on partitions that are not directly accessible from the desktop.

This is an interesting project for those who worry about government crackdowns or perhaps already live under a repressive regime. Even if the ParanoidLinux distribution does not meet one's needs, the various discussions on options and different ways to approach a privacy-oriented operating system will be useful. One hopes not to ever need such a system, but knowing that people are thinking about the problem—while generating a working version—is certainly reassuring. For that, we can thank Doctorow for popularizing the idea.

Comments (11 posted)

New vulnerabilities

emacspeak: temporary file vulnerability

Package(s):

emacspeak

CVE #(s):

CVE-2008-4191

Created:

October 1, 2008

Updated:

October 1, 2008

Description:

The emacspeak extract-table.pl script (in versions 26 and 28) suffers from a temporary file vulnerability.

Alerts:

Fedora	FEDORA-2008-8379	2008-10-01
Fedora	FEDORA-2008-8423	2008-10-01

LWN.net Weekly Edition for October 2, 2008

emacspeak: temporary file vulnerability

firefox: multiple vulnerabilities

initscripts: local system file removal vulnerability

kernel: denial of service

kernel: privilege escalation

mono: CRLF injection

openafs: denial of service

pam_mount: restriction bypass

phpMyAdmin: code execution vulnerability

phpMyAdmin: cross-site scripting vulnerability

rkhunter: insecure temp file

rubygem-rails: SQL injection

thunderbird: buffer overflow

viewvc: ignore user-provided MIME types

Events: October 9, 2008 to December 8, 2008