LWN.net Weekly Edition for November 27, 2008

The Grumpy Editor's Asian Tour

By Jonathan Corbet
November 25, 2008
Your editor, having actually managed to spend a few weeks at home, once again succumbed to the allure of long-distance travel. What is life, after all, without jet lag, economy-class seats, and airline meals? The excuse this time was the combination of the Linux Foundation's Japan Linux Symposium and the Consumer Electronics Linux Forum's Korea Technical Jamboree. Both events are intended to increase communications with the Asian technical community and encourage participation in the development process. They are also an opportunity for developers from other parts of the world to learn more about what their colleagues are thinking.

This trip was your editor's second Japanese adventure, so it is interesting to look at what has changed over the intervening 16 months. The organization of the event remains about the same, down to the pizza-and-sushi party at the end of the first day. The agenda was more heavily oriented toward filesystems this time around, along with an overview of control group resource controllers by Hiroyuki Kamezawa. There was a big difference, though, in how the discussions went. Japanese audiences are notoriously quiet and unwilling to ask questions, but the attendees at the Japan Linux Symposium have gotten over this constraint. Questions and discussion abounded - and this is a good thing. Free software development does not work well if people are unwilling to ask questions or raise concerns. The fact that Japanese developers seem to be becoming more willing to participate in this way bodes well for their participation in the process as a whole.

How much are these developers participating now? Your editor did a quick and unscientific pass over the changes merged for the 2.6.28 kernel. It appears that a full 5% of those patches came from Japanese developers. If we exclude the work of one prolific developer who currently lives in Europe, it can be said that about 4% of 2.6.28 came from Japan itself. There has been a distinct increase in the amount of kernel code coming from that part of the world, and that can only be a good thing. The Linux Foundation's events in Japan (which began in the OSDL days and have been occurring regularly for a few years now) are, perhaps, producing the intended result.

Partly in recognition of the larger role now played by Japan in the free software community, the Japan Symposium will be taken to a higher level next year. The 2009 Kernel Summit will be held in Tokyo in October, followed by an expanded, three-day Symposium hosting talks by developers from all over the world. Planning for this event is just getting underway; expect the call for papers to come out early next year. It should be an interesting gathering in a fun city; your editor is already looking forward to attending.

The Korea Technical Jamboree was a lower-key gathering, held for a single afternoon on the 25th floor of a Seoul skyscraper. It lacked some of the infrastructure of the Japan Symposium (simultaneous translation, for example), but made up for it in enthusiasm. Your editor found a highly-engaged group of developers interested in talking about the technology. While much of the discussion was, surprisingly enough, in Korean, your editor was able to figure out that virtualization is high on the list of topics that this group was interested in.

There was also talk of business models and more. What there was less of, though, was talk of working with the community. From this brief encounter, your editor can guess that the Korean community is still working through the stage of figuring out what it can get from free software. Developers there seem to have, for the most part, not yet reached the point of sharing control of our free operating system and driving it in directions which better suit their needs. By their own admission, Korean developers are a little behind their Japanese counterparts in this regard, but that situation may not last for long.

One event your editor was not able to attend was FreedomHEC Taipei, held at the same time. Harald Welte was there, though, and posted a brief report:

I was really happy about FreedomHEC. It is really about time that the Linux world and the Taiwan-based chipset vendors and system integrators start much more interaction. It is a simple economic fact that a lot of hardware development, both in the PC mainboard, Laptop as well as the embedded device space happens in Taiwan. It is also very true, that for whatever reason the gradual Linux revolution in the server and desktop market in the EU, the US and other markets such as Southern America has not really reached Taiwan.

Harald concludes that a higher Linux awareness in Taiwan should lead to better hardware support worldwide. With any luck at all, events like FreedomHEC, like those in neighboring regions, will help to create that awareness and expand our global development community.

Your editor was also unable to attend FOSS.in this year, despite a desire to return to that part of the world. FOSS.in is experimenting with a new event plan which is strongly oriented toward the production of tangible results; it has clearly been influenced by the success of the Linux Plumbers Conference. India has vast numbers of capable developers, relatively few of whom actively participate in our community now. That number has been growing, though, and events like FOSS.in have a lot to do with that change.

Finally: while your editor saw a lot of people expressing enthusiasm for Linux, many of them seemed to be doing it with Windows laptops. It seems that the value of Linux has not yet made itself felt in the desktop setting, even among those whose job it is to develop for or promote Linux. It would be interesting to know why more of this work can't move off of proprietary platforms.

Some of the answer may be related to episodes like this: your editor had rashly upgraded his laptop to a new stable distribution release (we'll call it Incredibly Irritating for the purposes of this discussion) just prior to traveling. The obligatory check to ensure that video projection still worked got forgotten this time; it had always worked before, what could go wrong this time? But it seems that this "upgrade" moved the tools needed to interface with RandR into a separate package, which it did not bother to install. So it was not possible to tell the laptop to send video out the external port.

Suffice to say that, five minutes prior to giving a talk, while disconnected from the network, one does not want to hear "you need to install this package before I'll turn on your external video port" from one's computer. Your editor will accept the blame for not having verified this functionality before traveling, but, still: things like this should Just Work, especially with a distribution which claims to have invested much energy into making such things Just Work. The presenters using Windows laptops were not having to contend with this kind of challenge.

That little glitch notwithstanding, this trip was a big success. The hospitality was amazing, interest was high, and there is always value in seeing how other groups are approaching free software. Our community continues to grow; many good things will come from that.

ELCE: Free software strategies for business

By Jake Edge
November 26, 2008

Shane Coughlan, legal coordinator for the Free Software Foundation Europe (FSFE), spoke about the advantages of free software from a business perspective at the recent Embedded Linux Conference Europe. His talk was not necessarily directed at his audience—as most were already free software users—but, instead, at the bosses of his audience, the management of companies using or considering using free software. His approach was to use the language that management understands while making a strong case for the value that free software can bring.

Coughlan noted the obligatory analyst projections, including 4% of European GDP coming from free software by 2010 as well as 80% of commercial software projected to contain free software by 2011. These are eye-opening numbers, so Coughlan went on to explain why those numbers are that high. Businesses are created to deliver value to their investors; in order to succeed, they will need to "deliver value now and deliver more value later and that's how you are going to run a successful business". A short-term outlook is not going to deliver real success. Paraphrasing Bill Clinton, he said "it's for the long term, stupid".

Proprietary software allows businesses to "do some stuff", but free software allows them to "do more stuff". As Coughlan describes it, the correct approach is for a business to "do more and keep doing it"; using free software makes that easier. "From a business perspective, free software rocks."

The key to free software is not in the cost nor is it in the availability of source code, he said, as those do not embody the freedoms that are important. The ability to "use, study, share, and improve", known as the four freedoms, are what gives free software its edge. They allow for more flexibility and growth than other kinds of software, he said.

If free software has so many upsides, what's the catch? "Free software is powered by licenses", so businesses need to understand those licenses and, just as importantly, the reasoning behind those licenses. This is no different than any other license, but a common problem is that people don't read the licenses or follow the terms. If they do, there is no problem, though. So, there is a catch, but "the catch isn't too big".

A business must apply some management science to determine its strategy: whether to use an existing solution or work on building a new one. If it decides to build something new, does it foster some kind of community model or not? These are the kinds of questions that need to be answered as part of determining a free software strategy.

Communication with people in the community is important as is choosing licenses that are popular and compatible. There are ways to reduce any risk associated with free software by using existing best practices. That means pro-actively resolving issues, not just putting free software into a product, then "pray, and be upset when someone tells us we were naughty".

One of the resources available to help management is the FSFE's Freedom Task Force (FTF) which is set up to assist everyone in understanding free software licensing. The FTF does training and consulting for businesses to help with licensing or other issues. If one is having trouble getting management on-board, refer them to FTF, "we won't actually lock them up and brainwash them", Coughlan said.

While companies are resistant to releasing their code, "if you're doing your marketing right and you're not relying on temporary monopolies, you can probably release quite a lot" of code without any business harm. It has been estimated that the body of free software is "worth" $12 billion, so a company can reimplement it, "at an estimated cost of $12 billion, or you can share your $2-3 million [investment] and use the code". It's a matter of recognizing the immense benefits that come with free software.

Coughlan also described a legal network that the FTF is fostering in Europe, where lawyers and legal experts can discuss issues of importance to free software, especially across jurisdictional boundaries. That network can help provide businesses with legal information to help reduce risks. There is, as yet, no US equivalent, though some US lawyers are participating with the European network. "Still, I'm confident that eventually the US will catch up with us", he said.

He wrapped up with some thoughts on the GPLv3, noting that "adoption in the first year has been very, very promising". In fact, it has been adopted faster than he expected. He did note that there are some problems with license incompatibilities, but that those are probably unavoidable. The ideal situation would be for every license to be able to work with every other, but it doesn't work that way, which is a bit of an inconvenience, but not really a problem at this point.

Coughlan did not really say very much that LWN readers won't have heard before, but he did put it together in a way that should resonate with businesspeople. It was also interesting to get a look at what FSFE, and particularly FTF, are up to. There is a lot of important free software work, completely separate from development, going on in Europe. Because I am US-based—hopefully not too US-biased—that sometimes gets overlooked, so it was very nice to have a chance to hear about that work.

An open letter to Evgeniy Polyakov

By Jonathan Corbet
November 25, 2008
[Editor's note: the following article may look like a message to a specific kernel developer, but it is really about the development process in general. Over the years, your editor has seen too many worthy hackers run into development process problems; the end result is often that we lose that person's contributions. We are not so rich that we can afford that sort of loss. The desire to prevent such problems was the motivation behind your editor's recently-written development process document - and this letter.]

Dear Evgeniy,

Your editor has chosen to write to you in a public manner because he hates to see talented developers get frustrated with the kernel process and storm off. We do not have an excess of capable hackers, especially those who can work at your level. Losing one hurts. Your editor hopes that this eventuality can be avoided in this case - for you, and for others who may be encountering the same sort of frustrations you are. Getting code into the kernel can be a pain, sometimes. That said, some 1160 developers have managed it since the opening of the 2.6.28 merge window in October. It is possible to get code merged with sufficient care.

You first posted your distributed storage (DST) patch back in 2007; LWN took a look at it at that time. Since then, this code has come a long way. Beyond the basic task of exporting (and accessing) storage volumes across the net, this code claims "bullet-proof memory allocations," zero-copy transport, failover recovery with full transaction support, support for IPv6 and beyond, and a number of features including encrypted data channels. And, it is said, this code is fast. In general, it looks like good stuff.

You have posted the DST code on the mailing lists a number of times - too many, apparently, for your tastes. Frustration with the process appears to have led to the behavior described in your recent weblog post:

To understand the roots of this issue, I made a simple experiment with the previous DST release. I added the following lines into the patch to catch reviewers' eyes:

    ass licker
    static char dst_name[] = "Successful erackliss screwing into";

As you may expect, this does not compile and thus was never read by the people who are subscribed to the appropriate mail lists. I got one private mail about this fact for the whole week. The same DST code (without the above lines) was sent publicly for the first time more than a month ago and was resent 3 times after that.

That's why I do not care about DST inclusion anymore. I do not care about its linux-kernel@ feedback.

So, because the fourth posting of identical code in one month received little attention, DST now risks joining Kevents, network channels, network tree memory management, asynchronous crypto, and more in that place where dusty, out-of-tree stuff lives. This would not be a good outcome. So let us look at what can be done to avoid that - for your sake, for DST users' sake, and for the sake of other developers who may follow.

One way to get more reviews for your code is to pay attention to what those reviewers are saying. Andrew Morton spent some time on DST back in October. He had a number of concrete requests - such as documenting the user-space ABI and the network protocol - which have not been satisfied. He also asked for better code documentation in general:

So please. Go through all the code and make it tell a story. Ask yourself "how would I explain all this to a kernel developer who is sitting next to me". It's important, and it's an important skill.

The November 25, 2008 version of DST still does not tell that story, and that makes it very hard for other developers to understand. Code review, as you know, is in critically short supply in most free software projects. Getting reviews for difficult-to-understand code is hard, especially when it is a large body of complex code which occupies a niche in which relatively few developers have expertise. So it's not surprising that your most recent comment involved white space - anybody can make that kind of review without any need to actually understand what's going on.

Not only does your patch not tell a story, but the individual pieces of it do not even contain changelogs. For a patch set marked "consider for inclusion," that is a fatal error. Playing along with the system on things like that can seem like a waste of time, especially if you hold out no real hope of the patch being merged, but it is a necessary sign of respect for the people you are asking to consider the patch. No maintainer will accept a patch without a changelog.

While we're on the topic of documentation, your kernel configuration help text reads, in its entirety:

This driver allows to create a distributed storage block device.

You owe your users a little bit more than that. Why might they want to use DST? Where can they get the associated tools? This, too, is a fatal error for any substantive kernel change.

And, while we're still somewhat on the subject of reviews: Andrew naturally called out the generic-looking thread pool implementation buried deep within DST; shouldn't it be pulled out and made more generic? Your response can be paraphrased as "I can't be bothered to get the API past the review process, which, in any case, is biased toward those who are 'closer to the high end'." But pulling out this code and merging it separately might be the ideal starting point for getting the larger patch set into the kernel. A generic thread pool hiding within a storage device driver, instead, will be an ongoing impediment to inclusion.

Then there is the issue of motivation: why should the kernel developers want to merge this patch? Who are the users of it - do you have users now? How does it compare to other distributed storage technologies already in the kernel? What's the performance like - can you post some benchmark results? As it stands, DST looks like a nice piece of technology, but its benefits are still unclear. Tell that story, and the level of interest may well go up.

Finally, your editor would like to counsel patience. Some patches just take longer than others to find their way in the kernel. That is especially true of complex patches which touch on issues like memory management and which add new user-space ABIs. As a close-to-home example, look at David Howells's FS-Cache code, recently reposted for consideration. The first LWN article on this code was published more than four years ago. David is probably getting a little tired of maintaining this code out-of-tree, but he sticks with it, responds to reviews, and appears to be getting closer to inclusion.

Evgeniy, you appear to be a brilliant and productive hacker. You charge into places that scare off most kernel developers, and you always come back out with something interesting. We need developers like you. But we need developers like you who can work with the process - no matter how frustrating it gets. The kernel process is certainly far from perfect, but it is built around a set of principles which have served us well for many years. You could easily rise up through that process to become one of the "high end" developers who, you say, have an easier time getting code merged. Or you could take your marbles and storm home, making snide comments about reviewers on the way. But that would not be good for anybody involved.

(See also: Evgeniy's response to this article.)

Page editor: Jake Edge

Security

Distribution advisories

By Jake Edge
November 26, 2008

Here at LWN, we get a chance to see a fair number of security advisories in the course of a week—sometimes even in just a single day—so we tend to notice the quality, or lack thereof, of these important announcements. There are a few important pieces of information that need to be a part of any security update announcement, but sadly sometimes they aren't included. Overall, the quality of advisories seems to be declining, which is something that we would like to see change. While it clearly would make collecting security advisories easier for us, that is not the primary motivation for this look at security reporting—users are not being well-served by the current state of affairs.

Distributions need to remember that the audience for their security announcements is their users. Those users require some basic information to make an informed choice about whether they need to apply the update as well as how urgently. In order to make those decisions, the following should be present in advisories:

  • the package affected
  • the problem that is being fixed
  • the impact of the vulnerability
  • some kind of unique identifier for the alert
  • links to relevant additional information (CVE, bugzilla, ...)
  • where and how to update the package
  • consistent formatting of advisories is a definite plus

Users are not as familiar with either the package or the distribution as the person writing the alert is, so it should be written with that in mind. The most important thing is to concisely communicate the severity and urgency of the problem in a way that the reader can understand—and figure out what to do about it.

The biggest problem seen with alerts of late is a lack of information about the problem they are fixing. As an example, consider the recent Fedora advisory on kvm. It refers to a recent CVE number (CVE-2008-4539) which is "reserved", but no details are present, and says that it fixes a "cirrus vulnerability". It also references a bugzilla entry that apparently addresses a separate CVE from 2007 (CVE-2007-1320); if you follow the link in that bugzilla entry, you finally end up somewhere with actual information, though the connection between the two problems is not particularly obvious.

Another example of this is CentOS advisories, which suffer from a number of problems, but the most vexing for folks trying to determine whether they need to update is this lack of bug information. It is not all that hard to get the information as a typical alert has a link to the appropriate Red Hat advisory, but why make users take that step? A concise summary of the bug(s), as well as a reference to the—generally very complete—Red Hat errata, would be quite useful. There is certainly nothing wrong with linking to sources of additional information, but the basics of the problem and its impact should be available in the alert.

Unique identifiers for advisories are useful for a number of reasons: keeping track of which have been addressed, having a unique search string to use, or referring to them in conversations, bug reports, etc. When the identifier is not unique, it muddies the waters a bit, making it more difficult than it needs to be. Sometimes mistakes are made (like the spate of recent Fedora alerts with the same FEDORA-2008-10000 identifier), but there appear to be distribution policies about using identifiers multiple times. CentOS uses the same identifier on multiple advisories, one per architecture, but also shared between CentOS releases. So the same identifier will be applied to an s390 update for CentOS 4 as is applied to x86_64 for CentOS 5.

Another identifier reuse problem comes from Fedora. When mozilla (or more recently xulrunner) library vulnerabilities occur, Fedora pro-actively rebuilds and updates all of the packages that depend on those libraries. This is very much to its credit as the API is not (yet) stable, but all of the resulting alerts refer to the same identifier. For those who try to track vulnerabilities along with alerts, that results in messy listings that don't provide much in the way of helpful information. Other library bugs result in much saner listings where one could relatively easily track down—and keep straight—the advisories for various packages.

There are other problems as well. Alerts that combine unrelated fixes do "avoid flooding mailing lists", but they are a bit painful to tease apart for users that are tracking specific packages. Too much history, in the form of changelogs (example), can also be confusing. If there is only a link to provide vulnerability information, as is the CentOS way, it should probably go directly to a page about the flaw, not to some page that lists all recent upstream flaws (example). And on and on.

Certain distributions have been singled out here, but that is not really the point. These are just recent examples of problems that are regularly seen in distribution security alerts. It should be noted that the commercial distributions (SUSE, Ubuntu, Red Hat, Mandriva) seem to do a much better job overall, which is not surprising, but sometimes they fail as well. The key thing to remember is that security announcements are meant to be read by users and acted upon. If information is lacking, the communication will fail.

This is not the first time we have looked at the problem: way back in 2000, security page editor Liz Coolbaugh took a look at security advisories and had some of the same complaints seen here. Her conclusion is still valid: it is not that distributions are not trying or that they don't care, but at times the contents of their advisories slip below the radar. After her article, things got better with security alerts; hopefully this gentle prodding will have a similar effect.

Brief items

A "Grey Hat" guide for security researchers

Jennifer Granick of the Electronic Frontier Foundation (EFF) has created a guide for security researchers who may have run afoul of computer crime laws. It looks at the risks and some possible solutions for revealing information about vulnerabilities so that they can get fixed. Granick is seeking comments to improve the guide. "The researcher is in a quandary when she has potentially broken the law, but never intended to steal information or invade privacy and wants to see the problem fixed. Reporting the information raises a red flag that could result in an investigation and civil claims or even criminal charges. Keeping quiet means that the flaw will go unremedied and potentially could be exploited by someone who does have criminal intent. What is the grey hat hacker to do?"

New vulnerabilities

cups: denial of service

Package(s):cups CVE #(s):CVE-2008-5183 CVE-2008-5184
Created:November 25, 2008 Updated:March 2, 2011
Description: cupsd in CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.

The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions.

Alerts:
Debian DSA-2176-1 2011-03-02
rPath rPSA-2008-0338-1 2008-12-19
CentOS CESA-2008:1029 2008-12-16
Red Hat RHSA-2008:1029-01 2008-12-15
Fedora FEDORA-2008-10911 2008-12-09
Fedora FEDORA-2008-10917 2008-12-09
Fedora FEDORA-2008-10895 2008-12-09
SuSE SUSE-SR:2008:026 2008-11-24
Mandriva MDVSA-2009:028 2009-01-24
Ubuntu USN-707-1 2009-01-12

dovecot: access restriction bypass

Package(s):dovecot CVE #(s):CVE-2008-4578
Created:November 20, 2008 Updated:December 15, 2008
Description: Dovecot has an access restriction bypass vulnerability. From the National Vulnerability Database entry: The ACL plugin in Dovecot before 1.1.4 allows attackers to bypass intended access restrictions by using the "k" right to create unauthorized "parent/child/child" mailboxes.
Alerts:
Gentoo 200812-16 2008-12-14
Mandriva MDVSA-2008:232 2008-11-19

gvim: multiple vulnerabilities

Package(s):gvim CVE #(s):CVE-2008-3074 CVE-2008-3075 CVE-2008-3076
Created:November 24, 2008 Updated:March 24, 2009
Description:

From the rPath advisory:

Previous versions of the vim package contain multiple vulnerabilities, the most serious of which allow user-assisted attackers to execute arbitrary commands via maliciously crafted file and directory names.

Alerts:
SuSE SUSE-SR:2009:007 2009-03-24
Debian DSA-1733 2009-03-03
Mandriva MDVSA-2008:236-1 2008-12-08
Mandriva MDVSA-2008:236 2008-12-03
CentOS CESA-2008:0580 2008-11-26
Red Hat RHSA-2008:0580-01 2008-11-25
rPath rPSA-2008-0324-1 2008-11-22

hf: arbitrary code execution

Package(s):hf CVE #(s):CVE-2008-2378
Created:November 24, 2008 Updated:November 25, 2008
Description:

From the debian-hams mailing list posting:

The hf package, described by Debian as an amateur-radio protocol suite using a soundcard as a modem, is a program that eventually becomes setuid(0), and has a trivial security hole in it.

By default the package installs "/usr/bin/hfkernel" as a typical binary, but when first started via the program "hf" the binary is changed to be setuid(root).

[...]

Unfortunately the hfkernel program contains a trivial root hole:

int main(int argc, char *argv[])
{
        // snip
        while ((c = getopt(argc, argv, "a:M:c:klhip:m:nt:s:r:Rf23")) != -1)
            switch (c) {

            // snip

                case 'k':
                    system ("killall hfkernel");

            //
}
Creating ~/bin/killall is sufficient to gain root privileges.
Alerts:
Debian DSA-1668-1 2008-11-22
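The root hole above comes from system() handing the helper's name to /bin/sh, which honours the invoking user's PATH, so a setuid-root hfkernel runs whatever "killall" that user placed first in PATH. The following is an added example, not the hf project's code or Debian's fix, of how the 'k' option could be written so that no PATH lookup and no shell are involved: the helper is executed by absolute path with a fixed environment. The function names run_trusted and stop_hfkernel and the path /usr/bin/killall are assumptions made here.

```c
/* Added example (not hf's code): running a helper from a setuid program
 * without the PATH-hijack hazard of system(). execve() never consults
 * PATH, so the absolute path in argv[0] is the only file that can run. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment handed to the helper: fixed PATH, nothing inherited from
 * the (possibly hostile) invoking user. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Run argv[0], which must be an absolute path, with a clean environment and
 * no shell. Returns the child's exit status (0..255, with 127 when the exec
 * itself failed), or -1 with errno set if the path is not absolute, fork()
 * or waitpid() fails, or the child died from a signal. */
int run_trusted(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/') {
        errno = EINVAL;            /* refuse anything subject to PATH lookup */
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: replace the whole environment and exec by exact path. */
        execve(argv[0], argv, clean_env);
        _exit(127);                /* exec failed: report like the shell would */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status)) {
        errno = ECHILD;            /* killed by a signal: no exit status */
        return -1;
    }
    return WEXITSTATUS(status);
}

/* Replacement for the vulnerable 'k' case. /usr/bin/killall is a
 * hypothetical install location; the real one is distribution specific. */
int stop_hfkernel(void)
{
    char *const argv[] = { "/usr/bin/killall", "hfkernel", NULL };
    return run_trusted(argv);
}

int main(void)
{
    /* Show that a bare, PATH-searched helper name is rejected outright. */
    char *const bad[] = { "killall", "hfkernel", NULL };
    if (run_trusted(bad) < 0)
        printf("relative helper name rejected: %s\n", strerror(errno));
    return 0;
}
```

Clearing the environment matters as much as the absolute path: a shell started by system() also reads IFS and similar variables, and a helper that itself searches PATH would inherit the user's value. Better still for this particular case is to avoid spawning a process at all and send the signal with kill() to a pid recorded by hfkernel, which leaves no external program to subvert.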

imlib2: buffer overflow

Package(s):imlib2 CVE #(s):CVE-2008-5187
Created:November 26, 2008 Updated:January 20, 2009
Description: There is a buffer overflow vulnerability in imlib2; it can be exploited via a specially-crafted XPM file to execute arbitrary code. See this advisory for more information.
Alerts:
Gentoo 200812-23 2008-12-23
Ubuntu USN-683-1 2008-12-02
Debian DSA-1672-1 2008-11-29
Fedora FEDORA-2008-10364 2008-11-26
Fedora FEDORA-2008-10287 2008-11-26
Fedora FEDORA-2008-10296 2008-11-26
Mandriva MDVSA-2009:019 2008-01-19
SuSE SUSE-SR:2009:002 2009-01-19

imp: cross-site scripting

Package(s):imp CVE #(s):CVE-2008-4182
Created:November 25, 2008 Updated:July 27, 2010
Description: Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session.
Alerts:
Fedora FEDORA-2010-11417 2010-07-27
Fedora FEDORA-2010-11478 2010-07-27
Fedora FEDORA-2010-5508 2010-04-01
Debian DSA-1770-1 2009-04-13
SuSE SUSE-SR:2008:026 2008-11-24

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2008-4933 CVE-2008-4934 CVE-2008-5029
Created:November 24, 2008 Updated:November 4, 2009
Description:

From the Mandriva advisory:

Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. (CVE-2008-4933)

The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image. (CVE-2008-4934)

The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. (CVE-2008-5029)

Alerts:
CentOS CESA-2009:1550 2009-11-04
Red Hat RHSA-2009:1550-01 2009-11-03
Red Hat RHSA-2009:0021-01 2009-02-24
Mandriva MDVSA-2008:246 2008-12-29
CentOS CESA-2009:0014 2009-01-15
Red Hat RHSA-2009:0264-01 2009-02-10
SuSE SUSE-SA:2009:008 2009-01-29
Debian DSA-1687-1 2008-12-15
Debian DSA-1681-1 2008-12-04
SuSE SUSE-SA:2008:057 2008-12-04
Ubuntu USN-679-1 2008-11-27
Mandriva MDVSA-2008:234 2008-11-21
Mandriva MDVSA-2009:032 2009-01-30
SuSE SUSE-SA:2009:004 2009-01-21
Red Hat RHSA-2009:0009-02 2009-01-22
Red Hat RHSA-2009:0225-02 2009-01-20
SuSE SUSE-SA:2009:003 2009-01-20
Red Hat RHSA-2009:0014-01 2009-01-14

Comments (none posted)

libcdaudio: buffer overflow

Package(s):libcdaudio CVE #(s):CVE-2005-0706
Created:November 21, 2008 Updated:December 7, 2009
Description: From the CVE entry: Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
Alerts:
Mandriva MDVSA-2008:233-1 2008-12-07
Fedora FEDORA-2008-11848 2008-12-30
Fedora FEDORA-2008-11956 2008-12-30
CentOS CESA-2009:0005 2009-01-07
Fedora FEDORA-2008-10126 2008-12-03
Mandriva MDVSA-2008:233 2008-11-20
Red Hat RHSA-2009:0005-01 2009-01-07

Comments (none posted)

mozilla: denial of service

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2008-5052
Created:November 24, 2008 Updated:November 26, 2008
Description:

From the CVE entry:

The AppendAttributeValue function in the JavaScript engine in Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger memory corruption, as demonstrated by e4x/extensions/regress-410192.js.

Alerts:
SuSE SUSE-SA:2008:055 2008-11-26
Mandriva MDVSA-2008:235 2008-11-20
Gentoo 201301-01 2013-01-07

Comments (none posted)

nagios: authorization bypass

Package(s):nagios CVE #(s):CVE-2008-5027
Created:November 26, 2008 Updated:July 20, 2009
Description: Versions of nagios prior to 3.0.5 contain a bug which can allow an authenticated user to circumvent authorization checks and run arbitrary programs.
Alerts:
Gentoo 200907-15 2009-07-19
Ubuntu USN-698-3 2008-12-23
Ubuntu USN-698-2 2008-12-22
Ubuntu USN-698-1 2008-12-22
Fedora FEDORA-2008-10323 2008-11-26

Comments (none posted)

openoffice.org: insecure temp files

Package(s):openoffice.org, openoffice.org-amd64 CVE #(s):CVE-2008-4937
Created:November 25, 2008 Updated:March 10, 2009
Description: From the Ubuntu advisory: Dmitry E. Oboukhov discovered that senddoc, as included in OpenOffice.org, created temporary files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program. This issue only affected Ubuntu 8.04 LTS.
Alerts:
Mandriva MDVSA-2009:070 2009-03-10
Ubuntu USN-677-2 2008-12-23
Gentoo 200812-13 2008-12-12
Ubuntu USN-677-1 2008-11-24

Comments (none posted)

pidgin: multiple vulnerabilities

Package(s):pidgin CVE #(s):CVE-2008-2955 CVE-2008-2957 CVE-2008-3532
Created:November 24, 2008 Updated:January 18, 2010
Description:

From the Ubuntu advisory:

It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in the UPnP service. A remote attacker could cause Pidgin to download arbitrary files and cause a denial of service from memory or disk space exhaustion. (CVE-2008-2957)

It was discovered that Pidgin did not validate SSL certificates when using a secure connection. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This update alters Pidgin behaviour by asking users to confirm the validity of a certificate upon initial login. (CVE-2008-3532)

Alerts:
Ubuntu USN-886-1 2010-01-18
Mandriva MDVSA-2009:321 2009-12-06
Gentoo 200901-13 2009-01-20
Mandriva MDVSA-2009:025 2009-01-22
CentOS CESA-2008:1023 2008-12-15
Red Hat RHSA-2008:1023-01 2008-12-15
Ubuntu USN-675-1 2008-11-24

Comments (none posted)

tog-pegasus: authentication issues

Package(s):tog-pegasus CVE #(s):CVE-2008-4313 CVE-2008-4315
Created:November 25, 2008 Updated:November 27, 2008
Description: From the Red Hat advisory:

After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these additional security enhancements were no longer being applied. As a consequence, access to OpenPegasus WBEM services was not restricted to the dedicated users as described in README.RedHat.Security. An attacker able to authenticate using a valid user account could use this flaw to send requests to WBEM services.

Failed authentication attempts against the OpenPegasus CIM server were not logged to the system log as documented in README.RedHat.Security. An attacker could use this flaw to perform password guessing attacks against a user account without leaving traces in the system log.

Alerts:
CentOS CESA-2008:1001 2008-11-26
Red Hat RHSA-2008:1001-01 2008-11-25

Comments (none posted)

vim: heap-based overflow

Package(s):vim CVE #(s):CVE-2008-3432
Created:November 25, 2008 Updated:November 26, 2008
Description: From the Red Hat advisory: A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially-crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code.
Alerts:
CentOS CESA-2008:0617 2008-11-25
Red Hat RHSA-2008:0617-01 2008-11-25

Comments (none posted)

vim: sanitization flaws

Package(s):vim CVE #(s):CVE-2008-4101
Created:November 25, 2008 Updated:March 3, 2009
Description: Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim.
Alerts:
Debian DSA-1733 2009-03-03
Ubuntu USN-712-1 2009-01-27
Mandriva MDVSA-2008:236-1 2008-12-08
Mandriva MDVSA-2008:236 2008-12-03
CentOS CESA-2008:0580 2008-11-26
CentOS CESA-2008:0617 2008-11-25
Red Hat RHSA-2008:0618-01 2008-11-25
Red Hat RHSA-2008:0617-01 2008-11-25
Red Hat RHSA-2008:0580-01 2008-11-25

Comments (none posted)

webkit: arbitrary code execution

Package(s):webkit CVE #(s):CVE-2008-3632
Created:November 24, 2008 Updated:November 25, 2008
Description:

From the Ubuntu advisory:

It was discovered that WebKit did not properly handle Cascading Style Sheets (CSS) import statements. If a user were tricked into opening a malicious website, an attacker could cause a browser crash and possibly execute arbitrary code with user privileges.

Alerts:
Ubuntu USN-676-1 2008-11-24

Comments (none posted)

yast2-backup: code injection

Package(s):yast2-backup CVE #(s):CVE-2008-4636
Created:November 25, 2008 Updated:November 26, 2008
Description: Insufficient shell quoting in yast2-backup allowed local users to craft special file names that inject shell code into the backup process.
Alerts:
SuSE SUSE-SA:2008:054 2008-11-25

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.28-rc6, released by Linus on November 20, just before he fled town for a scuba diving trip. (At least one assumes he fled town; it is not the best season for ocean sports in Portland.) It includes a number of fixes, including one for the high-profile vmalloc() regression. The long-format changelog has the details.

The current stable 2.6 kernel is 2.6.27.7, also released on November 20. It includes a fair number of fixes, including one with a CVE number attached.

Comments (none posted)

Kernel development news

Quotes of the week

+/*
+ * "Define 'is'", Bill Clinton
+ * "Define 'if'", Steven Rostedt
+ */
+#define if(cond) if (__builtin_constant_p((cond)) ? !!(cond) :		\
+	({								\
+		int ______r;						\
+		static struct ftrace_branch_data			\
+			__attribute__((__aligned__(4)))			\
+			__attribute__((section("_ftrace_branch")))	\
+			______f = {					\
+				.func = __func__,			\
+				.file = __FILE__,			\
+				.line = __LINE__,			\
+			};						\
+		______r = !!(cond);					\
+		if (______r)						\
+			______f.hit++;					\
+		else							\
+			______f.miss++;					\
+		______r;						\
+	}))
-- Steven Rostedt debuts the new "if"

Working on lkml often sounds like everyone is screaming NO, channeling nothing but stop energy. Sometimes people are, but more often what they really mean is you just have to take your time and do things right. Admittedly it is a lot of iteration, but Linux is a noble pursuit.
-- Robert Love

But let's look at the problem which we're actually trying to solve. Developer A wishes to write some kernel monitoring/controlling code, so he is forced to stick it on his website, keep reminding people to download updates, act as an independent target of other people's patches, etc, etc. It's all a pain and horror, so developer A gives up and implements his userspace code in the kernel instead. It is, as a result, technically inferior and English-only, but at least it got there.
-- Andrew Morton

Comments (18 posted)

Ksplice and kreplace

By Jonathan Corbet
November 24, 2008
Rebooting a system to apply a security update is a pain. In some situations, it's more than a pain; for various reasons, many systems cannot be taken down at all without compromising the work they are supposed to be doing. Back in April, LWN looked at Ksplice, a mechanism designed to enable the installation of kernel updates without the need to reboot the system. Since then, work has continued on Ksplice, a new version has been posted, and the project is starting to push toward mainline inclusion. So another look is called for.

The core idea behind Ksplice remains the same: when given a source tree and a patch, it builds the kernel both with and without the patch and looks at the differences. To that end, the compilation procedure is modified to put every function and data structure into its own executable section. That makes life a little harder for the compiler and the linker, but developers are notably insensitive to the difficulties faced by those tools. With things split up this way, it is relatively easy to identify a minimal set of changes in the binary kernel image which result from the patch. Ksplice can then, with some care, patch the new code into the running kernel. Once this work is done, the old kernel is running the new code without ever having been rebooted.

This technique works well for code changes, but changes to data structures bring different challenges. Back in April, Ksplice could not handle that kind of change. Even so, the project's developers claimed to be able to apply the bulk of the kernel's security updates using Ksplice. Since then, though, the developers have applied some energy to this problem. With the addition of a couple of new techniques - which require extra effort on the part of the person preparing the patch for Ksplice - it is now possible to apply 100% of the 65 non-DoS security patches released for the kernel since 2005.

In some cases, a kernel patch will simply require that a data structure be initialized differently. The way to handle this change in an update through Ksplice is to modify the relevant data structures on the fly. To effect such changes, a patch can be modified to include code like the following:

    #include <ksplice-patch.h>

    ksplice_apply(void (*func)());

While Ksplice is applying the changes - and while the rest of the system is still stopped - the given func will be called. It can then go rooting through the kernel's data structures, changing things as needed. For example, CVE-2008-0007 came about as a result of a failure by some drivers to set the VM_DONTEXPAND flag on certain vm_area_struct structures. Ksplice is able to apply the fix to the drivers without trouble, but that is not helpful for any incorrectly-initialized VMAs present on the running system. So the modifications to the patch add some functions which set VM_DONTEXPAND on existing VMAs, then use ksplice_apply() to cause those functions to be executed. The result is a fully-fixed system.

Changes to data structure definitions are harder. If a structure field is removed, the Ksplice version of the patch can just leave it in place. But the addition of a new field requires more complicated measures. Simply replacing the allocated structures on the fly seems impractical; finding and fixing all pointers to those structures would be difficult at best. So something else is needed.

For Ksplice, that something else is a "shadow" mechanism which allocates a separate structure to hold the new fields. Using shadow structures is a fair amount of additional work; the original patch must be changed in a number of places. Code which allocates the affected structure must be modified to allocate the shadow as well, and code which frees the structure must be changed in similar ways. Any reference to the new field(s) must, instead, look up the shadow structure and use that version of the field. All told, it looks like a tiresome procedure which has a significant chance of introducing new bugs. There is also the potential for performance issues caused by the linear linked list search performed to find the shadow structures. The good news is that it is only rarely necessary to modify a patch in this way.
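To make the shadow mechanism concrete, here is an added user-space sketch in C of the bookkeeping a patch author ends up writing; it is not Ksplice code, and struct conn, its "retries" field and the function names are hypothetical. The original structure's layout is left untouched; the new field lives in a separately allocated shadow found by a linear search keyed on the original's address, which is the cost noted above. It also handles the case a hot update must get right: objects allocated before the update exist with no shadow at all, so a lookup can return nothing and the new field has to be treated as unset rather than dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Original structure: allocated all over the running system, layout frozen. */
struct conn {
    int id;
    int state;
};

/* The patch wanted to add `int retries` to struct conn. Instead it lives
 * in a separately allocated shadow keyed by the address of the original. */
struct conn_shadow {
    struct conn *owner;       /* key: the struct conn this shadow extends */
    int retries;              /* the field the patch introduced */
    struct conn_shadow *next;
};

static struct conn_shadow *shadow_list;   /* singly linked, searched linearly */
static int shadow_count;

/* O(n) in the number of live shadows: every access to the new field pays it. */
struct conn_shadow *conn_shadow_get(struct conn *c)
{
    for (struct conn_shadow *s = shadow_list; s; s = s->next)
        if (s->owner == c)
            return s;
    return NULL;
}

struct conn_shadow *conn_shadow_attach(struct conn *c)
{
    struct conn_shadow *s = conn_shadow_get(c);
    if (s)
        return s;
    s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    s->owner = c;
    s->next = shadow_list;
    shadow_list = s;
    shadow_count++;
    return s;
}

/* Unlink and free the shadow; a stale owner pointer would otherwise match
 * a recycled allocation at the same address later. */
void conn_shadow_detach(struct conn *c)
{
    for (struct conn_shadow **pp = &shadow_list; *pp; pp = &(*pp)->next)
        if ((*pp)->owner == c) {
            struct conn_shadow *dead = *pp;
            *pp = dead->next;
            free(dead);
            shadow_count--;
            return;
        }
}

/* Patched allocator: every new struct conn also gets its shadow. */
struct conn *conn_new(int id)
{
    struct conn *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->id = id;
    if (!conn_shadow_attach(c)) {
        free(c);
        return NULL;
    }
    return c;
}

/* Patched free: the shadow must go with the object. */
void conn_free(struct conn *c)
{
    conn_shadow_detach(c);
    free(c);
}

/* Every read of the new field becomes a lookup. Objects that predate the
 * hot update have no shadow: report the field as unset (0), never NULL-deref. */
int conn_get_retries(struct conn *c)
{
    struct conn_shadow *s = conn_shadow_get(c);
    return s ? s->retries : 0;
}

/* Writes create the shadow lazily, so pre-update objects pick one up on
 * first use. Returns the new count, or -1 if allocation failed. */
int conn_bump_retries(struct conn *c)
{
    struct conn_shadow *s = conn_shadow_attach(c);
    if (!s)
        return -1;
    return ++s->retries;
}

int conn_shadow_live(void) { return shadow_count; }

int main(void)
{
    struct conn *a = conn_new(1);
    struct conn pre_update = { 99, 0 };      /* allocated before the patch */
    conn_bump_retries(a);
    printf("a: %d, pre-update: %d, shadows: %d\n", conn_get_retries(a),
           conn_get_retries(&pre_update), conn_shadow_live());
    conn_free(a);
    return 0;
}
```

The tedium the article describes is visible here: four call sites had to change for one field, and forgetting the detach in conn_free() leaks a shadow that can later alias a new object at the same address.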

The Ksplice developers do not appear to be done yet; from the latest patch posting:

We're currently working on the problem of making it feasible to apply the entire stable tree using Ksplice. Although Ksplice's original evaluation focused on patches for CVEs, we understand the idea that "security bugs are just 'normal bugs'" (i.e., tracking security bugs separately from normal bugs can be difficult and isn't necessarily advisable). We ultimately want to provide to long-running machines hot updates for all of the bug fixes that go into the corresponding stable tree.

This is an ambitious goal; a single stable series can add up to hundreds of changes, some of which can be reasonably large. It will be interesting to see how many users are really interested in this particular sort of update; sites running critical systems tend to have older "enterprise" kernels which are no longer receiving stable tree updates. But a Ksplice which is flexible enough to handle that kind of update stream should also be useful for distributors wanting to provide no-reboot patches to their customers.

Meanwhile, Nikanth Karthikesan has posted a facility called kreplace. On the surface, it looks similar to Ksplice, but the goal is a little different: its purpose is to allow a developer to quickly try out a change on a running kernel. Kreplace works by simply patching out and replacing one or more functions in the kernel. Kreplace may have its value, but the initial reaction has not been greatly enthusiastic. Among other things, it has been pointed out that Ksplice also has a facility to allow for quick experimentation with changes - though it will be quick only if the developer is already set up to use Ksplice with the running kernel.

A final concern with either of these solutions is that they are, for all practical purposes, employing rootkit techniques. A mechanism which can be used by distributors to patch running systems can also be (mis)used by others. Vendors of binary-only modules could, for example, use Ksplice or kreplace to get around GPL-only exports and other inconvenient features of contemporary kernels. Crackers could also use it, of course, but they already have their own rootkit tools and gain no real benefit from an officially-supported runtime patching mechanism. Whether this aspect of Ksplice is of concern to the development community may be seen in the coming months as this code gets closer to mainline inclusion.

Comments (4 posted)

Character devices in user space

By Jake Edge
November 25, 2008

There is a lot of functionality—things like filesystems and device drivers—that are normally considered to be kernel tasks, but have, over time, been allowed to move into user space. The UIO user space driver framework came along in 2.6.23, while filesystems in user space (FUSE) have been around since 2.6.14. Tejun Heo would like to see this idea broadened even further with the character devices in user space (CUSE) patches.

At first blush, the uses for a character device implemented in user space are not obvious. Looking a bit deeper, though, one finds numerous programs—both open and closed source—that rely on legacy character drivers. Those drivers are currently in the kernel, but need not be if there were a way to implement them in user space. In addition, older, deprecated interfaces, such as Open Sound System (OSS) can be better supported without constantly fiddling with the in-kernel emulation.

Providing better OSS support is one of the prime motivators for CUSE as Heo announced in a linux-kernel posting introducing the OSS proxy. The proxy uses CUSE to implement the /dev/dsp, /dev/adsp, and /dev/mixer devices that programs using OSS expect. Adrian Bunk didn't necessarily see this as a good thing:

Sorry for being destructive, but 6 years after ALSA went into the kernel we are slightly approaching the point where all applications support ALSA.

The application you list on your webpage is UML host sound support, and I'm wondering why you don't fix that instead of working on a better OSS emulation?

But Heo sees the current state of OSS emulation as a rather complicated mess that, for better or worse, needs cleaning up:

We now have in-kernel OSS emulation which can't mux with other streams, aoss [ALSA OSS emulation] with its own supported and broken list and can also be routed through PA [PulseAudio] by configuring ALSA right and then padsp [PA OSS emulation] with its own supported and broken list and nothing works good enough. So, if we have one thing which just works, we can in time put all those to rest.

But there are other uses for CUSE too. Greg Kroah-Hartman notes that legacy software for talking to Palm Pilots, much of which is binary-only, expects to talk to a /dev/pilot serial port. The kernel carries around a driver, but "a libusb userspace program can handle all of the data to the USB device instead". So CUSE could be used to eventually remove another crufty driver from the kernel, while still maintaining compatibility with old user space code.

CUSE is implemented on top of FUSE as there is a fair amount of overlap between them. Character devices and filesystems implement many of the same file operations—things like open(), close(), read(), and write()—which makes them a good match. Heo has a separate patchset for FUSE that implements additional operations for filesystems some of which will be used by CUSE.

The additional FUSE operations include an implementation of ioctl() that is necessarily rather ugly. Because an ioctl implementation can access memory in unpredictable ways—and those data structures can be arbitrarily deep—there needs to be a mechanism for user-space CUSE devices to read and write that memory. The CUSE server does not have direct access to the caller's memory, so a multi-step ioctl() with retries must be implemented. This particular bit of ugliness is only allowed for in-kernel use, so that CUSE (or other things like it) can allow "unrestricted" ioctl() implementations. All FUSE filesystems are still required to have "restricted" ioctls where the kernel can determine the direction and amount of data that is transferred. poll() support has also been added to FUSE, which, in turn, requires a separate patch that allows poll() callbacks to sleep (described in this article).

Once the FUSE changes are in place, the actual implementation of CUSE is relatively small, weighing in at around 1000 lines plus some housekeeping to rename and export FUSE symbols. At its core, it takes a FUSE connection to the user-space program implementing the device and a character device exported by the kernel, and binds the two together. FUSE handles the interaction with the user-space code in the same way that it does for a filesystem.

CUSE creates a device for commands, /dev/cuse, which is opened by a program that wants to implement a particular character device. CUSE queries the opener to determine which device it is implementing and then creates the device node. For most operations, CUSE just hands off to FUSE, but for open() it, instead, opens a file from the FUSE mount, storing the file handle for use by later operations.

In many ways, CUSE is a kind of impedance matching layer that creates something that acts like a character device, but has no hardware directly behind it. This allows CUSE to ignore things like hardware interrupts; those would need to be handled by something else, typically a downstream driver—the soundcard driver in the OSS proxy case. This is one of the big differences between UIO and CUSE. UIO is much more like a regular kernel device driver that requires kernel code to handle interrupts. CUSE drivers, on the other hand, can be created without ever touching kernel space.

The only objection so far seems to be Bunk's complaint about supporting OSS when it has been deprecated for so long. As Heo points out, though, there are still many applications that only support OSS. In addition, all of the code that has been submitted is "way smaller than the in-kernel ALSA OSS emulation which is somewhat painful to use these days", Heo says. Since there are other potential users of CUSE, not just the OSS proxy, it would seem that, absent any major objections, CUSE could make it into 2.6.29.

Comments (5 posted)

Driver API: sleeping poll(), exclusive I/O memory, and DMA API debugging

By Jonathan Corbet
November 24, 2008
There are currently a number of proposed driver API changes being discussed on the lists. None of them are major, but they are worth being aware of.

poll()

Most of the functions in the file_operations structure are concerned with I/O. So it is not surprising that these functions are allowed to sleep. Except that, as it turns out, one of them - poll() - cannot. There is nothing inherent in the poll() or select() system calls which would require the driver poll() callback to be nonblocking; this requirement is, instead, a result of the implementation. In essence, the core poll() implementation looks like this:

    for (;;)
        set_current_state(TASK_INTERRUPTIBLE)
        for each fd to poll
            ask driver if I/O can happen
            add current process to driver wait queue
        if one or more fds are ready
            break
        schedule_timeout_range(...)

The problem is relatively straightforward: if a specific driver chooses to sleep in its poll() callback, the current task state will get set back to TASK_RUNNING and schedule_timeout_range() will return immediately. So a sleeping driver turns the main loop into a busy-wait.

The solution, as developed by Tejun Heo, is also straightforward. His patch causes sys_poll() to define a custom wakeup function which, in turn, sets a new triggered flag when called. That eliminates the need to put the process into TASK_INTERRUPTIBLE for the duration of the main loop; that can be done, instead, right before actually sleeping.

Most driver writers can remain unaware of this change, which looks highly likely to be merged for 2.6.29. But, for those who need it, there will be one more degree of flexibility in the implementation of poll() callbacks.

Exclusive I/O memory

For a while, developers involved in the hunt for the e1000e corruption bug thought that the X server might be the problem. The real bug turned out to be elsewhere, but the suspicion cast upon X led to the development of a new API designed to make it harder for user-space programs to interfere with the operation of an in-kernel driver.

In particular, it seemed sensible to prevent user space from manipulating I/O memory which has been allocated by device drivers. This can be achieved by not allowing an mmap() call on /dev/mem to map regions already given to drivers. If the STRICT_DEVMEM configuration option is set, the kernel will protect its own memory from mapping by user space; protecting I/O memory is really just a matter of extending that mechanism.

Arjan van de Ven has implemented that feature in his MMIO exclusivity patch. He chose, however, not to make this protection the default. Instead, drivers which want exclusive access to an I/O memory region should call one of these new functions:

    int pci_request_region_exclusive(struct pci_dev *pdev, int bar,
                                     const char *res_name);
    int pci_request_regions_exclusive(struct pci_dev *pdev,
                                      const char *res_name);
    int pci_request_selected_regions_exclusive(struct pci_dev *pdev,
                                               int bars,
                                               const char *res_name);

There is also a new, low-level allocation macro:

    request_mem_region_exclusive(start, n, name);

In each case, these functions are equivalent to their non-exclusive cousins, except for the changed name and the resulting exclusive allocation.

There may be cases where a developer wants to be able to map a region from user space on a development system, regardless of what the driver thinks. For such situations, there is a new iomem=relaxed boot parameter. When relaxed is selected, exclusive allocations are not enforced. Clearly this is not an option which one would want to set on a production system, but it may be useful in development environments.

DMA API debugging

The last topic is not actually an API change, but it's worth a look anyway. The kernel provides a nice API for setting up DMA operations. In many cases, the associated functions do little or no work; the system they are running on does not require any additional effort. The result is that a lot of "tested" driver code may, in fact, have serious errors in its use of the DMA API. When those drivers are run on a different system - one with an I/O memory management unit (IOMMU) in particular - those errors could lead to no end of unpleasant behavior.

Kernel developers like the idea of finding bugs before they bite users on remote systems. To help make that happen with the DMA API, Joerg Roedel has posted a new DMA API debugging facility. This feature, when built into the kernel, should make it possible to find a number of previously-hidden bugs in device drivers. It has, in fact, already turned up a few problems with in-tree drivers, mostly in the networking subsystem.

Use of this facility simply requires enabling a configuration option; the API itself does not change. Once it's enabled, this code will check for a number of problems, including freeing DMA buffers with a different size than was given at allocation time, freeing buffers which were never allocated at all, mixing coherent and non-coherent functions on the same buffer, confusion over I/O directions, and more. Each of these problems might slip by on a developer's test system, but might create havoc where an IOMMU is being used. When a problem is found, a warning and stack traceback are logged.

The response to this API has been positive. The biggest complaint seems to be about the fact that this API is implemented as an x86-specific feature. So it will probably have to be made generic before merging - after all, developers on other platforms are entirely capable of introducing DMA-related bugs too. Once it goes in, this feature should probably be enabled on any system used for driver development.

Comments (none posted)

Patches and updates

Page editor: Jake Edge

Distributions

News and Editorials

Interview with Paul Frields

By Rebecca Sobol
November 26, 2008
Paul Frields is the Fedora Project Leader and in the days before the Fedora 10 release he was giving telephone briefings to the media. I took advantage of about an hour of Paul's time to talk about Fedora and the Fedora 10 release. The following article is based on that conversation.

To begin with, we talked about Fedora's new Special Interest Group (SIG) for servers running Fedora. Fedora is a fast-paced distribution, and therefore not suitable for all servers. There are many places where Fedora makes an excellent server, though: in-house, non-internet-facing servers, servers behind a separate firewall, server farms, home servers, and other places where the 13-month life cycle is not a problem. The Roadrunner supercomputer, a hybrid cluster with both IBM PowerXCell and AMD Opteron processors, runs both Red Hat Enterprise Linux and Fedora; Roadrunner holds the number one spot on the TOP500 list.

Fedora is more than a bleeding edge desktop, although it is good at that. Fedora sponsors the development of many projects through FedoraHosted.org, and provides many other contributions to upstream projects. Extra Packages for Enterprise Linux (EPEL) is a community effort by Fedora developers to provide high-quality add-on packages that complement Red Hat Enterprise Linux and its compatible spinoffs such as CentOS or Scientific Linux. Fedora also contributes to The One Laptop Per Child (OLPC) project. Fedora does serve many needs.

That includes the needs of "remixers", the creators of derivative distributions. The new trademark guidelines, still in draft form, are designed to spell out the DOs and DON'Ts of creating a remix. Remixers can choose packages from the official Fedora repository, EPEL, RPM Fusion and other repositories. Packages can also be built from source, with or without patches, to create the distribution they want.

Naturally, I asked Paul about the infrastructure/security problems that were announced last August. LWN covered the issue in August and September. We have yet to see a final analysis of what happened. Paul did say that a team of Red Hat engineers and Fedora volunteers rebuilt everything from scratch, and signed the packages with new keys. Beyond that, we were told that the investigation is ongoing and more information will be available once the investigation is complete.

Fedora 10 was announced this week, along with the RPM Fusion and ATrpms repositories, updated for Fedora 10. Here are some highlights of this release.

With Fedora 9 it became possible to create a persistent USB device, that is a key that can be updated, remember settings and store some data. With Fedora 10 you have all that, plus you can encrypt your home directory on the key.

The new NetworkManager features connection sharing to enable collaboration everywhere. PackageKit advances the software management system with its ability to use yum, apt, conary, and other existing tools. PackageKit can search for codecs and listens on D-Bus for requests from applications. Under the long-term roadmap for PackageKit, the utility will understand which packages you need and get them for you. F10 has faster boot times, kernel mode setting and improved virtualization with KVM.

Paul said that the number of Fedora Ambassadors doubles each year. The ambassador program is world-wide. Ambassadors represent the Fedora Project to the wider public; help spread the word about Fedora, Linux, and Open Source; act as a point of contact for local community members and channel their feedback to the Fedora Project; help recruit project contributors; and think of creative ways to promote Fedora.

Fedora 10 has more official spins than ever before. These are specialized distributions that contain only packages in the main Fedora repository. A small sampling includes the Fedora Electronics Lab (FEL) Spin, Fedora KDE Desktop, Fedora Edu/Math Spin and Fedora XFCE Desktop. So check out Fedora 10, or one of the many spins and remixes that are available.

Comments (none posted)

New Releases

Fedora 10 released

The announcement for the Fedora 10 release has gone out. "Please remember to polarize viewports to properly enjoy Cambridge's brand new graphics theme, "Solar," shining on the desktop. Also on this flight is a new lightweight desktop environment, LXDE, joining the more recent desktop environment crew member, Sugar (from the starship OLPC XO), and the venerable GNOME, KDE, and XFCE." There is also a new RPM Fusion update to go along with Fedora 10.

Comments (32 posted)

LFS 6.4 is released

The Linux From Scratch community has announced the release of LFS v6.4. "This release includes numerous changes to LFS-6.3 (including update to Linux-2.6.27.4, GCC-4.3.2, Glibc-2.8) and security fixes. It also includes editorial work on the explanatory material throughout the book, improving both the clarity and accuracy of the text."

Full Story (comments: none)

Ubuntu Jaunty Alpha 1 released

Jaunty Jackalope, which will become Ubuntu 9.04, has released its first alpha version. "The primary changes from Intrepid have been the re-merging of changes from Debian. We've also been spending some time getting the new ARM port up and running (http://www.ubuntu.com/news/arm-linux), although its build daemons are still catching up so installable images will have to wait for a future Alpha release."

Full Story (comments: none)

Distribution News

Debian GNU/Linux

Bits from the buildd.debian.org world

Click below for some bits from the buildd.debian.org world. "Recent work from Steve McIntyre (current DPL) in coordination with Ryan Murray (wanna-build maintainer and buildd admin for several architectures) has led to the injection of new blood in the buildd.debian.org world. We thank them both for this opportunity, plus DSA for their help throughout the process."

Full Story (comments: none)

Fedora

Fedora IRC Board Meeting Recap

Click below for a brief recap of the November 18th meeting of the Fedora Advisory Board.

Full Story (comments: none)

Gentoo Linux

The Gentoo Council

Doug Goldstein's blog has an article on the Gentoo Council. "The Gentoo Council is a group of elected Gentoo Developers that are elected on a yearly basis by the developer body as a whole for the purpose of deciding on global issues and policies which affect the Gentoo Linux Distro as a whole or part. The Gentoo Council serves as the technical oversight to the entire project. We are charged with representing the will of the developer body, while maintaining the best interest for Gentoo and its user base. In effect, the Gentoo Council derives its authority from the developer body, this is what differentiates it from the Gentoo Foundation, which handles the financial side of Gentoo."

Comments (none posted)

Slackware Linux

Slackware Changelog

The Slackware current changelog entry for November 19, 2008 indicates that we are getting closer to the 12.2 release. "NOTE: These are some of the more important updates for X.Org. For the last several days we have been building and testing the very newest X updates, and it seems that the more intrusive updates are probably best left to develop until sometime after the coming -stable Slackware 12.2 release. Those will require a lot of testing and some things don't seem to be quite there yet. "X -configure" is hanging the console, DRI is not yet working on all the hardware tested, and the new xorg-server will render most existing xorg.conf files non-functional until several changes are made."

Full Story (comments: none)

SUSE Linux and openSUSE

openSUSE Sports a New License (Ding dong, the EULA’s dead…)

Joe 'Zonker' Brockmeier has announced the removal of the click-through openSUSE end-user license agreement (EULA) on his blog. The new license is really a license notice, alerting users to the free software licenses of the included software. It is based on the one that Fedora uses, with their permission and encouragement. "The work we’ve done on the openSUSE Build Service and the openSUSE license is all about making it easy to redistribute openSUSE: Either as-is, or modified to suit your needs. Want to ship an Xfce or KDE 3.5 live CD? We want to make that easy. Want to use openSUSE for another project that we haven’t thought of? Again - we want you to, and we want to make it easy! (And, of course, we want you to have a lot of fun while you’re doing this – though our lawyers tell us that’s not legally enforceable.)" The text of the new license is also available.

Comments (9 posted)

YaST Mascot Winner Chosen! Say Hello to Yastie!

YaST, the setup tool used by openSUSE, has a new mascot, named Yastie. "The openSUSE Project and YaST team are happy to announce the winner of the YaST Mascot Contest. After extensive deliberation, the judges have chosen the Aardvark concept, submitted by Klára Cihlárová."

Comments (none posted)

Other distributions

rPath Spurs Operating System Evolution with Ubuntu, CentOS Support

rPath has announced that its rBuilder and the rPath Lifecycle Management Platform will now support Ubuntu and CentOS; SUSE Linux is already supported. "rBuilder is the category-defining build and release management system for creating virtual appliances and application images. The rPath Lifecycle Management Platform extends rBuilder with a comprehensive system for controlling the cost, complexity and risk of deploying, managing and maintaining application images in virtualized and cloud-based environments. The rPath approach assembles and binds application functionality with an operating system, creating a self-contained application image that can be easily deployed, managed and maintained."

Full Story (comments: 8)

A New Direction for Shift Linux

Shift Linux, a project created by the Neowin community, has announced a new direction. "We have several new goals that are being set. First of all, Shift needs to be streamlined. Some things are going to be cut out to make room for others. The biggest changes here: one distribution under one name. Shift Linux will be Shift Linux. There will be no Shift Lite or Shift KDE or Shift Gnome, there will be a Shift Linux. And Shift Linux will run Gnome by default. It is important, however, to make one thing very clear: we will always hold a place for alternatives, and where possible we will always offer KDE and Fluxbox for one click installation."

Comments (none posted)

Happy Birthday sidux

sidux, a distribution that attempts to stabilize Debian's unstable branch (aka sid), has announced its second anniversary (in German).

Comments (none posted)

New Distributions

"INX Is Not X", Version 1.0

INX has announced the release of version 1.0. "INX is a "Live CD" distribution of GNU/Linux, derived from Ubuntu 8.04.1 LTS, but using "ubuntu-minimal" and "ubuntu-standard" as a base. It is console only, without any graphical "X" programs. INX is intended as a "tutorial" and introduction to the Bash command line, but is a fully capable, portable GNU/Linux system in its own right. It has a collection of easy-to-use menus, colour themes, easy configuration tools, music (and video on the frame buffer), some games, and several surprises for those who are not aware of what can be done in a console/tty." INX has been added to the "Education" section of the list.

Comments (none posted)

Distribution Newsletters

DistroWatch Weekly, Issue 279

The DistroWatch Weekly for November 24, 2008 is out. "The biggest news of the week was the final decision in the case of SCO vs. Novell in a Utah court. LXer.com summed it up this way: "Novell Wins, SCO Loses." In other news, big box retailers across the United States stocked their shelves with netbooks preloaded with Linux in time for Black Friday, the day after the American Thanksgiving holiday and traditionally the busiest shopping day of the year. Target and Best Buy stores displayed the ASUS Eee PC 900a for US$299 this week. Other netbooks with prices as low as US$199 are expected on shelves by Friday. In the news section, Paul Frields challenges the often-made claims that Ubuntu is the most popular Linux distribution; openSUSE announces Zypper 1.0 and plans for Zypper 2, Gentoo Linux summarises the Gentoo Council functions and activities, sidux celebrates its second birthday, and Shift Linux announces a major shift in the direction of its Ubuntu-based distribution. Finally, we are pleased to announce that the new editor of DistroWatch Weekly is Chris Smart of the Kororaa and MakeTheMove.net fame. Happy reading!"

Comments (none posted)

Fedora Weekly News #153

The Fedora Weekly News for November 23, 2008 is out. "Fedora 10 is released[0] tomorrow and we hope you can find time during the install to read-up on what's going on in our rapidly moving Fedora Project. We include a discussion in Developments of the need for "More and Wider Testing". Translation shares that "Release Announcements in Local Languages" are now possible, Artwork brings an important "Fonts Survey" to your attention and also looks at the "Echo Perspective" icon variants. SecurityAdvisories lists the essential updates. Virtualization gets you up to speed with an overview of all the new features of "Fedora 10 Virtualization". This is just a sampling of this week's essential reading for those who wish to stay abreast of where our distribution is going and why. Enjoy Fedora 10!"

Full Story (comments: 1)

openSUSE Weekly News, Issue 47

This issue of the openSUSE Weekly News covers openSUSE 11.1 Beta 5.1 for PowerPC Released, Fresh Factory Live-CDs, People of openSUSE: Vincent Untz, ARM Support for openSUSE Buildservice and openSUSE, First SUSE Studio Production and several other topics. Click below for links to several translations.

Full Story (comments: none)

PCLinuxOS Magazine, Issue 27

The November 2008 issue of PCLinuxOS Magazine is out. Highlights include Linux Media Player Roundup 5, PCLOSonUSB, Brighten the Puter, and more. As usual the issue is available in PDF or HTML.

Comments (none posted)

Ubuntu Weekly Newsletter #118

The Ubuntu Weekly Newsletter for November 22, 2008 covers: "Jaunty Jackalope Alpha 1 released, The Ubuntu Hall of Fame, Ubuntu for the Holidays, New Community Developers, LoCo Release Parties, Launchpad offline November 24th, Meet Barry Warsaw, OpenID from your Launchpad profile, Launchpad t-shirts, Ubuntu UK Podcast, Ubuntu Podcast #12, Linux Identity Magazine Covers Ubuntu 8.10, and much, much more!"

Full Story (comments: none)

Interviews

Fedora 10: the GNU/Linux Desktop Steps Forward (Datamation)

Over at Datamation, Bruce Byfield previews the upcoming Fedora 10 release in a discussion with Fedora project leader Paul Frields. The conversation ranges from the now-infamous "infrastructure problems" (with no new information) to the new features coming in Fedora 10. There is even some speculation on Fedora 11. "In Fedora 11 and later releases, Frields suggests, this basic capacity will be expanded in other ways. For instance, users who click on a file format that requires a program that their system lacks might be given a chance to install the program immediately. Similarly, if a document requires an uninstalled font, then users could install the font before opening the file. Users could even be presented with a list of possible options, complete with ratings from other users to help them make an informed choice about the software they install."

Comments (none posted)

Defending the flame of Linux freedom (TechRadar)

TechRadar interviews Max Spevack, former Fedora project leader and current manager of the Red Hat community architecture team. Spevack talks about the relationship between Fedora and RHEL as well as the value that the Fedora community provides, not just to Red Hat, but to the Linux community as a whole. "Fedora stands on its own as an operating system, and it just so happens that Fedora is upstream of Red Hat Enterprise Linux. No one is going to call Debian a beta of Ubuntu, but Debian is in many ways upstream for a lot of the Ubuntu packages in the same way that Fedora is upstream for a lot of the RHEL packages. That doesn't mean that one is a beta of the other."

Comments (14 posted)

Distribution reviews

SimplyMEPIS: The best desktop Linux you haven't tried (Linux.com)

Steven J. Vaughan-Nichols reviews SimplyMEPIS. "Nowadays, everyone uses Ubuntu, most people have used Fedora, and many folks have tried openSUSE. SimplyMEPIS ... not so many. That's a shame, because this relatively obscure Debian-based desktop distribution from Morgantown, WV, is an outstanding desktop operating system. With SimplyMEPIS 8 at beta 5 and closing in on release, I tested the distribution and found it to be a keeper."

Comments (none posted)

Page editor: Rebecca Sobol

Development

FFADO approaches the 2.0 release

By Forrest Cook
November 25, 2008

The FFADO (Free Firewire Audio Drivers) project provides support for FireWire (IEEE 1394) audio devices under Linux:

The FFADO project aims to provide a generic, open-source solution for the support of FireWire based audio devices for the Linux platform. It is the successor of the FreeBoB project. FFADO is a volunteer-based community effort, trying to provide Linux with at least the same level of functionality that is present on the other operating systems. It is a work in progress, we are close, but we are not quite there yet.

The About document explains further: "We try to support any FireWire device available out there. The FFADO codebase is a framework that has been built with this in mind. This however doesn't mean that all FireWire devices work with FFADO. In order to support a device, we need cooperation from manufacturers, or somebody that wants to reverse engineer the protocol. Luckily we have support from the manufacturers of the three major platforms vendors build their devices around (BridgeCo, TC Applied Technologies and ECHO). The exact devices supported (or not supported) can be found on our device list."

[FFADO]

Release candidate 1 of FFADO 2.0 was announced this week: "This release candidate is intended to collect feedback about the library under wide-spread usage. The code should be free of major bugs. We are looking for packagers that are interested in creating packages for their favorite distribution. Please contact us if you can help us out with this." Users of FreeBoB are encouraged to try this release out.

The full changelog shows the latest changes to the software; most of the work involves bug fixing. The feature list is also found there. Capabilities include:

  • Support for an unlimited number of 24-bit audio I/O channels.
  • Support for all device sample rates.
  • Support for an unlimited number of MIDI I/O channels.
  • Support for the S/PDIF audio interface format.
  • Support for the ADAT SMUX I/O format.
  • Support for external synchronization.
  • Support for internal mixers and other device controls.
  • Support for device aggregation on an externally synced bus.
The project documentation has more information. The installation notes from the FAQ pages explain how the various components of the software work together.

If your favorite application requires FireWire support, or you need to migrate away from the unsupported FreeBoB library, now would be a good time to give FFADO a try.

Comments (none posted)

System Applications

Database Software

PostgreSQL Weekly News

The November 23, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

SQLite release 3.6.6.1 announced

Release 3.6.6.1 of SQLite, a light weight DBMS, has been announced. "Changes associated with this release include the following: * Fix a bug in the page cache that can lead to database corruption following a rollback. This bug was first introduced in version 3.6.4. * Two other very minor bug fixes".

Comments (none posted)

Filesystem Utilities

e2compr for linux-2.6.27.5 announced (SourceForge)

A new version of e2compr has been announced. "The linux e2compr package consists of a set of patches and utilities to provide transparent compression and decompression in the second extended (ext2) filesystem. e2compr patch with minimal changes for linux-2.6.27.5 released."

Comments (none posted)

pam_mount: 1.4 released (SourceForge)

Version 1.4 of pam_mount has been announced. "pam_mount is a Pluggable Authentication Module that can mount volumes for a user session (login). Supports mounting local filesystems of any kind the normal mount utility supports, with extra code to better support CIFS, FUSE, various crypto, and more. This release contains a few LUKS regression fixes."

Comments (5 posted)

Web Site Development

Django 1.0.2 released

Version 1.0.2 of the Django web development platform has been announced. "Shortly after last week's Django 1.0.1 release, several people noted that the packaging script used to produce the release omitted several directories from the Django source tree; mostly this affected some unit tests, but at least one of the omitted directories affected the use of Django itself (specifically, of django.contrib.gis). So tonight we're issuing Django 1.0.2, which is built around an updated packaging script and should resolve these problems."

Comments (none posted)

Gallery 1.5.10 and 1.6-RC3 Released - Last G1 Releases from (SourceForge)

Versions 1.5.10 and 1.6-RC3 of Gallery have been announced. "Gallery is a slick Web-based photo album written using PHP. It is easy to install, includes a config wizard, and provides users with the ability to create and maintain their own albums in the album collection via an intuitive Web interface. Photo management includes automatic thumbnail creation, image resizing, rotation, ordering, captioning and more. Albums can have read, write, and caption permissions per individual authenticated user for an additional level of privacy. Gallery 1.5.10 and Gallery 1.6-RC3 are now available for download. These releases fix one security issue and a handful of other small issues. These releases are also the last official releases of Gallery 1 from the Gallery project."

Comments (none posted)

nginx 0.6.33 is available

Version 0.6.33 of nginx, a light weight web server, has been announced. This release includes numerous bug fixes and glibc 2.3 support. See the CHANGES document for details.

Comments (none posted)

Xoops Cube Project: Package_Legacy 2.1.6 released (SourceForge)

Version 2.1.6 of Xoops Cube has been announced. "XOOPS Cube is an open-source content management system which allows webmasters to create dynamic content websites with great ease. It is an ideal tool for developing small to large community websites, intranet portals, corporate websites and many more. Thank you for your testing. Here's the latest maintenance release for the v2.1 stable, since it has finished RC schedule. It has a number of bugfixes which we recommend you update."

Comments (none posted)

Miscellaneous

Free-SA: 1.5.0 (SourceForge)

Version 1.5.0 of Free-SA has been announced; it adds numerous enhancements. "Free-SA is a statistics analyzer for daemon log files similar to SARG. Its main advantages over SARG are much better speed (7x-20x times), more reports support, crossplatform work and W3C compliance of generated HTML/CSS reports code."

Comments (none posted)

Desktop Applications

Audio Applications

Ardour 2.7 released

Version 2.7 of Ardour, a multi-track audio editor, has been announced. "This release is dominated by dramatic improvements in OS X GUI performance and startup time, but it also contains a lot of significant bug fixes. However, somewhat to my surprise, Ardour also accumulated quite a lot of nice new features since 2.6.1 as you can see below."

Full Story (comments: none)

Early release of jackctlmmc announced

An early release of jackctlmmc has been announced. "We'd like to announce a new release of jackctlmmc, a command line tool for driving JACK transport using Midi Machine Code".

Full Story (comments: none)

BitTorrent Applications

Azureus: Vuze 4.0.0.4 released (SourceForge)

Version 4.0.0.4 of Azureus: Vuze has been announced; it includes several new capabilities and bug fixes. "Azureus: Vuze is a powerful, full-featured, cross-platform bittorrent client and open content platform. We've just released Vuze 4.0 for users of Classic Azureus."

Comments (none posted)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week. You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week. You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week. More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Desktop Publishing

Asymptote: 1.52 released (SourceForge)

Version 1.52 of Asymptote has been announced; it adds some new functionality. "Asymptote is a powerful descriptive vector graphics language for technical drawing, inspired by MetaPost but with an improved C++-like syntax. Asymptote provides for figures the same high-quality level of typesetting that LaTeX does for scientific text."

Comments (none posted)

pdftools.pdfposter 0.4.5

Version 0.4.5 of pdftools.pdfposter, a tool to scale and tile PDF images/pages for printing on multiple pages, has been announced. "Starting with version 0.4.5, the package was renamed to 'pdftools.pdfposter'. This will allow integrating some other tools (pdfnup, pdfsplit, etc.) into a larger toolset somewhen."

Full Story (comments: none)

Educational Software

SchoolTool 1.0 beta released

Version 1.0 beta of SchoolTool has been announced. "The international SchoolTool development team and the Shuttleworth Foundation are proud to announce the release of SchoolTool 1.0 beta, a web-based open source student information system and calendar server for primary and secondary schools around the world. This beta release includes all the major components that will be included in the April 2009 release of SchoolTool 1.0: student demographics, attendance, gradebook, calendaring and reporting. Future releases adding competency tracking and disciplinary intervention management modules are being tested at partner schools now."

Full Story (comments: none)

Financial Applications

LedgerSMB 1.2.17 released

Version 1.2.17 of LedgerSMB has been announced. "1.2.17 has been released and includes a few more fixes for Perl 5.10.0 users, as well as a number of general bug fixes. Three of the bug fixes have come from a new contributor (Sadashiva), highlighting the growing community of LedgerSMB developers."

Full Story (comments: none)

Graphics

G3D Engine: 7.01 Released (SourceForge)

Version 7.01 of G3D Engine, a 3D graphics library for game developers, researchers, and students, has been announced. "Major highlights of this release include: * Video input and output * Extended developer tools and GUI * Parallax bump mapping for SuperShader * Minor feature extensions and documentation on all classes".

Comments (none posted)

Interoperability

Wine 1.1.9 announced

Version 1.1.9 of Wine has been announced. Changes include: "A large number of regression test fixes. Performance improvements in memory management. Improved POP3 support in inetcomm. Initial implementation of the XInput DLL. Various bug fixes."

Comments (none posted)

Mail Clients

Sylpheed 2.6.0beta2 (development) released

Version 2.6.0beta2 of Sylpheed, a mail client, has been announced. Changes include: "The menu was added to the remote POP3 mailbox window. The sorting of remote POP3 mailbox was fixed. The remote POP3 mailbox button was added to the toolbar. The Japanese manual was updated. Warnings about --datarootdir on configure were removed."

Comments (none posted)

Multimedia

Elisa Media Center 0.5.19 Release

Version 0.5.19 of Elisa Media Center has been announced. "Among other things, this release features updated French translations and important bug fixes for the plugins system."

Full Story (comments: none)

Music Applications

guitarix third release announced

The third release of guitarix has been announced; it adds some new capabilities and code cleanup. "guitarix is a simple Linux Rock Guitar amplifier for jack (Jack Audio Connection Kit) with one input and two outputs. Designed to get nice thrash/metal/rock/blues guitar sounds. There are controls for bass, treble, gain, preamp, balance, distortion, freeverb, impulse response (), crybaby (wah) and echo. A fixed resonator will be used when distortion is disabled. For 'pressure' in the sound you can use the feedback and feedforward sliders."

Full Story (comments: none)

Office Suites

KOffice 2.0 Beta 3 released (KDE.News)

Version 2.0 Beta 3 of KOffice has been announced. "The KOffice Team has announced the release of KOffice version 2.0 Beta 3, the third beta version of the upcoming version 2.0. The goal for the third beta is to show progress made since beta 2, as well as to gather feedback from both users and developers on the new UI and underlying infrastructure. This will allow the team to release a basically usable 2.0 release, demonstrating our vision for the future of the digital office to a larger audience and attract new contributions both in terms of code and ideas for improvements."

Comments (none posted)

Languages and Tools

Assembly Language

CorePy 1.0 released

Version 1.0 of CorePy has been announced. "CorePy is a complete system for developing machine-level programs in Python. CorePy lets developers build and execute assembly-level programs interactively from the Python command prompt, embed them directly in Python applications, or export them to standard assembly languages. CorePy's straightforward APIs enable the creation of complex, high-performance applications that take advantage of processor features usually inaccessible from high-level scripting languages, such as multi-core execution and vector instruction sets (SSE, VMX, SPU)."

Full Story (comments: none)

Caml

Caml Weekly News

The November 25, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

Eiffel

Gobo Eiffel Project: 3.9 released (SourceForge)

Version 3.9 of Gobo Eiffel Project has been announced. "The Gobo Eiffel Project provides the Eiffel community with free and portable Eiffel tools and libraries. This version should work with the forthcoming release of ISE's EiffelStudio 6.3."

Comments (none posted)

Java

[fleXive]: 3.0.1 released (SourceForge)

Version 3.0.1 of [fleXive] has been announced. "[fleXive] is a Java EE 5 framework that provides an enterprise-level persistence engine with security and versioning, a SQL-like query language, a JSF-based web administration and reusable JSF components for integration into existing applications. [fleXive] 3.0.1, the first bugfix release for [fleXive] 3.0, has been released. It contains important bugfixes for our last release, and keeps binary compatibility with 3.0.0."

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The November 3-9, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.

Comments (none posted)

Python

PyEnchant 1.5.0 released

Version 1.5.0 of PyEnchant has been announced. "Enchant is the spellchecking package behind the AbiWord word processor, is being considered for inclusion in the KDE office suite, and is proposed as a FreeDesktop.org standard. It's completely cross-platform because it wraps the native spellchecking engine to provide a uniform interface. PyEnchant brings this simple, powerful and flexible spellchecking engine to Python".

Full Story (comments: none)

Python 3.0rc3 is available

Version 3.0rc3 of Python has been announced. "This is a release candidate, so while it is not quite suitable for production environments, we strongly encourage you to download and test this release on your software. We expect only critical bugs to be fixed between now and the final release, currently planned for 03-Dec-2008."

Full Story (comments: none)

Python-URL! - weekly Python news and links

The November 24, 2008 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Sphinx 0.5 released

Version 0.5 of Sphinx has been announced; it adds a number of new capabilities. "Sphinx is a tool that makes it easy to create intelligent and beautiful documentation for Python projects (or other documents consisting of multiple reStructuredText source files)."

Full Story (comments: none)

Tcl/Tk

Fltk for Tcl/Tk 1.0

Fltk for Tcl/Tk 1.0 has been announced. "Tcl/Fltk Version 1.0 is a production ready release of this extension package that runs on Linux and Windows platforms. The current release has been extended with several additional mega-widgets that make application development even easier and faster. Some widgets have been enhanced to support use on touch screen platforms such as hand-helds like the Openmoko Freerunner. The internal design of this package has been modified to improve performance and to eliminate some issues related to platform GUI differences such as differing X server implementations. The package itself is now provided as an RPM or DEB archive, and also as an IPK archive for use on the Freerunner."

Comments (none posted)

IDEs

CodeLite: v1.0.2419 is available (SourceForge)

Version 1.0.2419 of CodeLite has been announced. "CodeLite is a powerful open-source, cross platform IDE for the C/C++ programming languages (regularly tested under Windows XP SP2/3, (K)Ubuntu 7.10/8.04 Gutsy Gibbon, and MacOSX 10.5.2). CodeLite is distributed under the terms of the GPL license v2."

Comments (2 posted)

Miscellaneous

Gforth 0.7.0 released

Version 0.7.0 of Gforth, an implementation of ANS Forth, has been announced. "Many new Forth200x features have been added. This release has Unicode support, a new C library interface (requires GCC at runtime), and a number of added libraries. The compilation process now produces good performance automatically (when possible). The license has been changed to the GPLv3 (or later)."

Full Story (comments: none)

Pygments 1.0 released

Version 1.0 of Pygments, a generic syntax highlighter written in Python, has been announced. "Many thanks go to Tim Hatch for writing or integrating many of the bug fixes and new features in this release. Of course, thanks to all other contributors too!"

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Observations on power management

Matthew Garrett has posted some thoughts on power management. In many cases, the proper power management choices are counter-intuitive, so a collection of "best practices" is welcome. "The hardware used to display a static image on the screen is the same regardless of whether the image was generated with the graphics card's 2D or 3D hardware. Regardless of the number of graphical effects used on the desktop, the common case is for the desktop to be static. Composited and traditional desktops will generally consume the same amount of power."

Comments (39 posted)

Robotic arm runs Linux (LinuxDevices)

LinuxDevices covers the Katana Robotic Arm. "Zurich, Switzerland-based Neuronics has released an open-source embedded Linux version of its "Katana" robot. The Katana Robotic Arm runs Linux with Xenomai hard real time extensions on a Freescale MPC5200-based control board, and is aimed at industry, production, and research applications, says the company."

Comments (2 posted)

The SCO Problem

Final Judgment in SCO v. Novell: SCO Loses Again (Groklaw)

Groklaw reports on the final judgment in SCO vs. Novell. "The final judgment from Utah is here at last. It recites what the August 10, 2007 and July 16, 2008 orders said, but it also resolves the recent dispute over SCO's desire to voluntarily waive some claims and then bring them back to the table after an appeal, should it prove successful. Here's SCO's motion to voluntarily dismiss, and Novell's response, so you can verify that this judgment indeed represents another loss for SCO. You'll see that it was Novell that suggested the wording regarding SCO's voluntarily dismissed claims that we see in the judgment, that they be dismissed "without the possibility of renewal following appeal.""

Comments (1 posted)

SCO Files Notice of Appeal in Novell Litigation (Groklaw)

Just in case you thought the SCO story was over: Groklaw looks at the SCO Group's appeal in the Novell case. "This is likely pointing to SCO's main issue, judging from media statements and court filings, that it wanted a jury trial and felt the court made an error hearing the case in Utah before a judge only." It looks like they may be around for a little while yet.

Comments (2 posted)

Companies

Novell, Microsoft ready management pack for SUSE Linux (TechTarget)

TechTarget reports on plans for the release of the System Center Operations Manager (SCOM) by Microsoft and Novell. "Microsoft and Novell Inc. said the two-year-old collaboration to better manage Windows and SUSE Linux will produce its first fruit in the first half of 2009. Novell will make available the Advanced Management Pack for SUSE Linux Enterprise for Microsoft System Center Operations Manager 2007 R2 in the first half of 2009 to coincide with the release of Operations Manager 2007 R2. Novell has not yet set a price. The management pack will supplement the monitoring assessment and deployment features in Operations Manager and let managers view information using one console, said Sanjay Sidhu, director of marketing and business development at Microsoft."

Comments (3 posted)

Interviews

Mandrake Linux Founder Back, Virtually (Internetnews.com)

Internetnews.com talks to Gael Duval about the Ulteo enterprise Open Virtual Desktop Solution. "Whatever happened to the founder of Mandrake Linux? He's back on the scene with a new open source startup and looking to break some ground with its first offering called a Virtual Desktop solution. Ulteo's new enterprise Open Virtual Desktop Solution is an attempt to break into the broader virtualization and remote desktop space. It's a market that is fiercely competitive with Citrix, VMware and Red Hat's Qumranet all angling for a piece of the market."

Comments (none posted)

Interview with Jokosher maintainer Laszlo Pandy (GnomeDesktop.org)

GnomeDesktop.org interviews Laszlo Pandy, one of the Jokosher developers. Some of the history as well as plans for the future of Jokosher are discussed. "Laszlo: Our main goal is to allow users who are new to audio production to produce a simple podcast or musical track. This audience might be GNOME users who want a program that integrates well with their desktop, or users coming from other platforms who need to mix audio but don't require many of the advanced features that a program such as Ardour provides."

Comments (none posted)

Resources

Carrier Grade Linux 4.0 - Raising the bar (Electronics Weekly)

Here's a look at the history and current state of Carrier Grade Linux in Electronics Weekly. "The new CGL 4.0 specification also includes useful information and resources for developers. The specific tools and APIs needed for CGL distributions are specified, and proofs of concepts (PoCs) are provided, along with reference code. The PoCs play a critical role, because they refer to existing open-source projects that can be used to implement the CGL requirement. All requirements in the specification must have an associated PoC."

Comments (none posted)

GCC hacks in the Linux kernel (developerWorks)

IBM developerWorks looks at several special capabilities of the GNU Compiler Collection (GCC) suite built into the Linux kernel. "GCC and Linux are a great pair. Although they are independent pieces of software, Linux is totally dependent on GCC to enable it on new architectures. Linux further exploits features in GCC, called extensions, for greater functionality and optimization. This article explores many of these important extensions and shows you how they're used within the Linux kernel."

Comments (16 posted)

Miscellaneous

Linux Guru Reiser Seeks New Murder Trial (Wired)

Wired covers the latest twist in the Hans Reiser murder trial. "Hans Reiser wants a trial do-over. Reiser is the Linux guru who in April was convicted of the first-degree murder of his estranged wife. He's the same defendant who, in exchange for a 15-to-life term instead of a 25-to-life term, brought authorities to the Oakland hills where he buried Nina Reiser's body. He even apologized for killing her. But in a handwritten appellate motion, he is appealing his conviction. Yet there's a glaring problem with this appeal, in which he claims he thought the deal would have only sent him away for three years, not 15-to-life."

Comments (26 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

RosettaNet reinstates free standards access

RosettaNet has announced the lifting of fees for access to its standards. "RosettaNet, a not-for-profit consortium that facilitates development of XML-driven business-process standards for global trade networks, announced it will eliminate the fee requirements for non-member companies to access its standards, beginning Jan. 1, 2009. It also said benefits would be expanded for its members. RosettaNet standards provide a common language for transaction messaging within the global trading network, allowing users to improve the interoperability of their business processes."

Full Story (comments: none)

Commercial announcements

A Mozilla year-end report

Mitchell Baker reports on the state of Mozilla. Income continues to rise, and continues to come mostly from Google. Beyond that: "Our community remains healthy and vibrant. The percentage of code contributed to Firefox by people not employed by Mozilla remained steady at about 40% of the product we ship. This is true despite a significant amount of new employees in 2007."

Comments (8 posted)

VIA releases chipset documentation

VIA chose the FreedomHEC conference in Taipei for the announcement that it has released a bunch of documentation on its graphical processing units and is working actively with the OpenChrome project. Harald Welte responds: "This definitely marks a big milestone in VIA's new, much more FOSS friendly Linux support. Not only releasing the source code to VIA's own graphics driver, but actually interoperating with OpenChrome to help to create one future driver base and fight against the fragmentation of the developer and user base."

Comments (34 posted)

New Books

JRuby Cookbook - New from O'Reilly

O'Reilly has published the book JRuby Cookbook by Justin Edelson and Henry Liu.

Full Story (comments: none)

New Book, After the Software Wars

Keith Curtis has announced his new book After the Software Wars; a freely downloadable PDF version will be available on a temporary basis. "The book talks about why Microsoft is toast, implications for Google, why software is unreliable today, the Java mess, patents and copyright, Ubuntu, remaining challenges for free software, and many other things."

Full Story (comments: 1)

SQL in a Nutshell--New from O'Reilly

O'Reilly has published the book SQL in a Nutshell by Kevin E. Kline, with Daniel Kline and Brand Hunt.

Full Story (comments: none)

Resources

TuxMobil Surpasses 8,000 Linux Installation Guides Available

TuxMobil, a directory of information about installing Linux on mobile devices, has announced that they have reached 8,000 installation guides on the site. "Because of the growing interest in Linux, the quantity of installation guides has increased rapidly during the past year -- more than any other year since TuxMobil's inception in 1997. The installation guides are ordered by manufacturer, distribution and language, and these guides offer hands-on information for almost any laptop model ever produced." Click below for the full announcement.

Full Story (comments: none)

Education and Certification

MontaVista webinars assist with migration to embedded Linux

MontaVista has announced a pair of Linux migration webinars. "The online webinars, on Tuesday, December 9, 2008, will deliver helpful information for device developers who are looking to migrate their device interfaces from the VxWorks(R) RTOS to embedded Linux."

Comments (none posted)

Calls for Presentations

Call For Papers opens for ApacheCon US 2009

The ApacheCon US 2009 call for papers has been announced. "The Call for Papers is now open for ApacheCon US 2009, taking place 2-6 November in Oakland, California. Proposals are being accepted at http://us.apachecon.com/c/acus2009/cfp/ and can be revised at anytime until the submissions closing deadline of 28 February 2009."

Full Story (comments: none)

CanSecWest 2009 CFP

A call for papers has gone out for CanSecWest 2009. The event takes place on March 18-20, 2009 in Vancouver, BC, Canada. The submission deadline is December 8.

Full Story (comments: none)

FRHACK 01 Call For Papers

A call for papers has gone out for FRHACK 01, the First International IT Security Conference. The event takes place in Besançon, France on September 7-8, 2009; submissions are due by June 1.

Full Story (comments: none)

NLUUG spring conference CfP

A call for papers has gone out for the NLUUG spring conference. The event takes place on May 7, 2009 in Ede, the Netherlands. The submission deadline is January 6. "The NLUUG Spring Conference 2009 focuses on storage and the means to organise it: file systems, physical storage, connections and search."

Full Story (comments: none)

Upcoming Events

FTC Announces First in Series of Hearings on Evolving Intellectual Property Marketplace

The US Federal Trade Commission has announced the first of a possible series of public hearings to explore the evolving market for intellectual property (IP). The hearings will be held beginning on December 5, 2008, in Washington, DC. "The patent system has experienced significant change since the FTC released its first IP Report in October 2003, and more changes are under consideration. The courts and patentees are exploring the full implications of Supreme Court and Federal Circuit decisions on injunctive relief, patentability, and licensing issues. Congress has considered sweeping legislative patent reform, and new debates on the appropriate methods for calculating infringement damages have engaged the patent community. New business models for buying, selling and licensing patents have emerged and evolved since 2003. In addition, there is new learning regarding the operation of the patent system and its contribution to innovation and competition." (Thanks to David A. Wheeler)

Comments (10 posted)

Gran Canaria Desktop Summit 2009

The Gran Canaria Desktop Summit (GUADEC/Akademy) will take place on July 3-11, 2009 in Gran Canaria, Spain. "The GNOME and KDE communities will use this co-located event to intensify momentum and increase collaboration between the projects. It gives a unique opportunity for key figures to collaborate and improve the free and open source desktop for all."

Full Story (comments: none)

Events: December 4, 2008 to February 2, 2009

The following event listing is taken from the LWN.net Calendar.

Date(s)                    Event                                                                                  Location
December 2 - December 5    Open Source Developers' Conference 2008                                                Sydney, NSW, Australia
December 4 - December 7    PIKSEL08 - code dreams                                                                 Bergen, Norway
December 5 - December 6    FOSSCamp                                                                               Mountain View, CA, USA
December 5 - December 13   International Joint Conferences on Computer, Information, and Systems Sciences, and Engineering   Online
December 7 - December 12   Computer Measurement Group Conference 2008                                             Las Vegas, NV, USA
December 8 - December 12   Ubuntu Developer Summit                                                                Mountain View, CA, USA
December 8                 Forum PHP Paris 2008                                                                   Paris, France
December 10 - December 11  First Workshop on I/O Virtualization                                                   San Diego, CA, USA
December 13                NLLGG meeting/BSD Community Day                                                        Utrecht, The Netherlands
December 27 - December 30  Chaos Communication Congress                                                           Berlin, Germany
January 8 - January 11     Consumer Electronics Show                                                              Las Vegas, NV, USA
January 9 - January 11     Fedora User and Developer Conference                                                   Boston, USA
January 15 - January 16    Foundations of Open Media Software 2009                                                Hobart, Tasmania, Australia
January 17 - January 23    Camp KDE 2009                                                                          Negril, Jamaica
January 19 - January 24    linux.conf.au - penguins march south                                                   Hobart, Australia
January 25 - January 29    Ruby on Rails Bootcamp with Charles B. Quinn                                           Atlanta, GA, USA
January 25 - January 28    GCC Research Opportunities                                                             Paphos, Cyprus
January 31                 Greater London Linux Users Group meeting                                               London, UK
January 31 - February 3    Black Hat Briefings DC                                                                 Arlington, VA, USA

If your event does not appear here, please tell us about it.

Page editor: Forrest Cook

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds