
LWN.net Weekly Edition for January 15, 2009

The exceedingly grumpy editor's accounting system update

By Jonathan Corbet
January 13, 2009
Part of the Grumpy Editor series
When your editor posted the Grumpy Editor's next project, he certainly did not anticipate that it would take more than a year and a half for the next installment to be written. Or that, even after all that time, the project of moving LWN's accounting from proprietary software to free software would be incomplete. But the world is full of surprises, even in places where surprises are most unwelcome - like accounting. Happily, your editor's surprises do not involve counterparty risk, credit-default swaps, or anything else of that sort.

So why has this project taken so long? What it came down to is that your editor concluded that he was not sufficiently qualified to rip out a functioning accounting system and replace it with something out of a CVS server somewhere. There is simply too much to know about how the accounting system ties into the company's operations, how our accountant uses it, and how it helps keep the tax agencies happy and the company's officers out of jail. That latter point became especially relevant as LWN's longtime bookkeeper and occasional contributor Dennis Tenney headed off to pursue other opportunities, leaving your editor to take up the legally-liable Treasurer position.

In other words, swapping out the accounting system isn't something to be done on a whim, like, say, putting an -rc1 development kernel onto the production server. Whatever is there has to work. So your editor concluded that the first step in this process was to take over the existing system and come to understand it well enough to be able to properly think about a replacement. After closing out the 2008 books, your editor is able to come to a preliminary conclusion: it is almost possible for a small business to dump a system like QuickBooks and use a free alternative. Almost.

There is an interesting gap in the free software community's offerings in this area. A very small business - one involving a sole proprietor, for example - can use a tool like GnuCash to great effect. Almost everything which is needed is there, and most functions work quite well. On the other hand, a very large operation wanting to install a full-scale ERP system has a wealth of options: Compiere, Adempiere, various packages based on OFBiz, and more. If your operation is willing and able to dedicate full-time staff to developing a customized ERP system and keeping it going, there are plenty of frameworks to start with. These systems are not drop-in tools usable by a small business, though.

Small businesses occupy a niche between the sole proprietor and the massive enterprise. At this level, there's not a whole lot available from the free software community. The most active projects appear to be SQL-Ledger, its fork LedgerSMB, and PostBooks. All three work on top of a PostgreSQL database; SQL-Ledger and LedgerSMB are web-based, while PostBooks is a Qt application. Your editor's sense, at this point, is that PostBooks looks like the most advanced, most ambitious, and most actively-developed project among these three. It is, however, tricky to get running, its development model appears to be strongly cathedral-style (there isn't even a project mailing list), and it is distributed under the questionably-free (though OSI-certified) CPAL license. PostBooks has the look of a classic piece of corporate-controlled open source.

Any of the packages listed above (and GnuCash too) will do basic double-entry accounting. They can produce pie charts, reconcile accounts, and so on. Since they use PostgreSQL with an open (if sometimes poorly documented) schema, integrating them with the rest of the business should be relatively straightforward. They are, in essence, almost everything which is needed to enable a business to move away from a package like QuickBooks.

The key word is "almost." As far as your editor can tell, there are two crucial bits missing: tax form printing and accountant interfaces.

On the first point: this is the time of year when LWN produces 1099 forms for each of its guest authors - at least, for those who pay their tribute to the U.S. A related form (1096) then goes off to the Internal Revenue Service so they can ensure that none of our authors tries to hide the vast amounts of money we pay them. A tool like QuickBooks tracks payments to outside contractors, and will happily print the requisite forms onto special stock which can be purchased, at exorbitant prices, directly from the application itself. There is no equivalent functionality in the free packages, currently.

In truth, this is an area where free software tends to struggle. The printing of tax forms is just not a task which inspires hackers; it is tedious, subject to highly finicky requirements, and is, for all that it may be considered necessary, somewhat distasteful. This work must be revisited every year as the requirements are subject to the whims of legislators and regulatory agencies. And, lest that challenge seem insufficient, one should also bear in mind that every country's requirements are different, so all this work must be repeated many times over.

Creating this kind of code (and keeping it current) is not fun, it requires some specialized domain knowledge, and it can carry certain kinds of legal liabilities. So it's no wonder that a hacker with some free time will, upon considering this kind of task, usually decide to work on enhancing that Klingon translation of OpenOffice.org instead. The Klingons tend to be more forgiving of bugs.

On the accounting side, the problem gets even worse. A typical business accountant uses proprietary software which, in turn, contains a great deal of knowledge of the tax code. Not all countries have a tax system as twisted and complex as the U.S., but the problem is never simple. Your editor believes that it would be entirely reasonable to require governments to provide free software which interprets their tax codes for ordinary citizens, along with a guarantee that, as long as said citizens fed honest numbers to the system, they would not be subject to penalties if the resulting tax calculation were incorrect. In the real world, though, the job of providing such software falls to companies with a squad of on-staff tax lawyers and a firmly proprietary approach to software distribution. That situation does not appear to be likely to change anytime soon.

For the accountant to use his proprietary tools to come to conclusions about a company's tax situation, he must be able to enter quite a bit of data about where the company's money came from and how it was used. There are a couple of ways in which this can be done: (1) it can be manually entered, at great expense to the company involved, or (2) it can be directly imported from the company's accounting system for free. Small companies tend to be quite sensitive to things involving increased expenses, especially when the expense is for an already unwelcome task like tax compliance. So there is great value in having an accounting system which can export data directly to an accountant's tax preparation tools.

In an ideal world, there would be a nice, XML-based format involving large numbers of acronyms which would make this interoperability possible. In the real world, these formats are proprietary and undocumented. So exporting data to the accountant is not really possible with free tools. And that is the single biggest roadblock to the use of free accounting software in any company whose accounts are even remotely complex. Until free programs can export something which looks like the QuickBooks "accountant's copy," they will not be usable in this context.

What makes this situation even more sad is that, as your editor can now attest through painful experience, QuickBooks really does not have much else to offer. Its interfaces are tedious and error-prone; in many ways, free software has done a much better job. As an example, GnuCash will happily import account data from a bank or credit card company, apply default accounts (categories) learned from experience, filter out any duplicate entries, and allow the user to verify and adjust the whole operation before applying it. QuickBooks is, shall we say, nowhere near as accommodating. Your editor ran into a bug (in QuickBooks 2009) which causes the import operation to fail halfway through; a quick search turned up reports of that bug from 2003. There are reasons why any discussion of QuickBooks harps on the need to perform backups frequently - every fifteen minutes or so is good. Your editor has had to restore those backups many times; meanwhile, use of GnuCash over several years has never, ever resulted in a corrupted database.

What it comes down to is that we have solved at least 95% of this problem, and we have done a better job than the proprietary software companies have. But the remaining gaps are crippling, and they are hard to fill. Accounting file formats are more obscure than, say, document formats; there is no effort to create an OpenLedger specification. Any attempt to create files in those formats from free software is likely to involve reverse engineering efforts, and that will be an error-prone process in an area where errors are most unwelcome. So we may well be stuck with proprietary accounting software for some time yet.

That said, your editor does not intend to give up. There will be ongoing discussions with the accountant and continued tracking of free accounting system projects. The free software community has solved no end of difficult problems over the years; we should be able to find a way to take care of this one too. Stay tuned; hopefully the next update will not be so long in coming.

Comments (52 posted)

Python slithers into Wesnoth

By Jake Edge
January 14, 2009

Proposing to change the implementation language for a large project is hardly uncontroversial, but when that proposal calls for moving from C++ to Python, one might expect an enormous flame fest. Surprisingly, a proposal to do just that with the code for the "Battle for Wesnoth" strategy game has resulted in a fairly flame-free discussion. Whether or not the project actually makes the switch—it looks unlikely that any wholesale switch is imminent—there is a great deal of value in the discussion, particularly in its tone.

Eric Raymond is the Wesnoth developer proposing this shift, but it is not his "personal fondness" for Python that is behind it. Instead, he sees it as a way to reduce bugs. Raymond has been handling bug triage for the project for the last year or so, which gives him a good grasp of where the Wesnoth bugs tend to be:

I know where we are vulnerable and where we tend to screw up. And *that* is why I want to get cracking on shifting as much of the code to a language with true variable-extent types as possible.

Raymond is cognizant of the downsides of moving to Python as well. First, Wesnoth developers will have to be familiar with both languages, which Raymond, at least, does not view as a problem: "Python is much easier to pick up than C++". Performance is another concern, one that he glosses over with a breezy "machines are still getting faster"—others seem less sanguine about the issue—but he does see two major benefits:

1) No more memory-allocation screwups, *ever*. Python has no pointers and is garbage collected; Python applications cannot core-dump. The complex tangle of standard and local custom memory allocators we presently use, and that are the source of so many of our bugs, will be chopped away as we move to Python -- and good riddance.

2) I have observed Python code is between 2 and 5 times more compact than C/C++. The higher end of the range is achieved by data-structure-intensive programs like Wesnoth. This is significant because one of the best-established results from large-scale software engineering is that defect-per-KLOC rates in large codebases are *insensitive to the language used*. One of the normal effects of moving to a higher-level language is to decrease the KLOC of the codebase, and as a result to decrease the bug load.

Attracting more developers to the project is another reason to move to Python, one that lead developer David White—often referred to by his IRC nickname "Sirp"—is motivated by. Raymond has been thinking about how to move Wesnoth to Python for a while, without making any progress, but recently a new developer, Ivan Illarionov, has appeared on the scene having translated some portions of Wesnoth into Python. Just how much has been done is still something of an open question, but his approach is an evolutionary one. That is important to White:

Rather, we should take an evolutionary approach to matters. Python already exists in Wesnoth, as an AI framework. Developers who think that Python would advantage Wesnoth should simply begin implementing additional components in Python.

If someone is developing a new component for Wesnoth, and that person thinks the component would work best in Python, they should do so. If someone is one of the primary maintainers of an existing implementation of a component, and they feel that component would be more maintainable in Python, then they can re-implement it in Python.

Overall, the reaction has been fairly positive; Wesnoth developers seem to be open to the possibility that C++ is not the be-all and end-all of languages for game development. That said, they aren't necessarily willing to hear new developers obnoxiously proclaim that Wesnoth should be redone because Python is "better" than C++, without much in the way of details. Unfortunately, that is the tack that Illarionov has taken, which led White to patiently explain:

I'm going to be really honest: you're presenting yourself in entirely the wrong way to the project. I don't think very many people care much to hear "this code here should be in Python because it is better for it than C++!!!" What we'd much prefer to hear is, "I implemented this really cool feature which our users will love, and oh yeah...the implementation is in Python."

Illarionov also ran afoul of Raymond, who publicly castigated him: "You [have] done such an inept and -- at times -- arrogant-seeming job of presenting yourself that you have already alienated some senior developers on this project in just the few days since you've shown up here." Illarionov replied contritely, but almost immediately stirred things up again by a posting with the subject "Wesnoth refactoring and future direction plan". In that thread, he also points to Linus Torvalds's rant about C++, which just gets further under the developers' skin.

But, the Wesnoth developers have shown a great deal more patience than many development groups would. As White puts it: "Trust me, if you sent an email to the Linux Kernel Developers Mailing List entitled 'Linux refactoring and future direction', you would receive MUCH more hostile responses than you have received here." It is likely that much of the tone of discussion on the wesnoth-dev mailing list derives from White's leadership; the contrast between his and, for example, Torvalds's more combative tone is quite apparent.

There are hints that some of the conversation has been less civil, especially on IRC but, on wesnoth-dev, even the rebukes have been relatively polite—certainly by the standards of most development mailing lists. This is a project struggling with a difficult decision without lashing out at those questioning it or outright opposing it—or for that matter, those ineptly championing it. The wesnoth-dev conversation went quiet around January 6th, but the project is known to be very active on IRC, so perhaps it moved there. Even if that turned ugly, the email conversation sets quite an example.

Should it come to pass that Wesnoth starts including more Python—by Raymond and Illarionov or others—we will get an opportunity to see if the hoped-for improvements come about. Projects often consider which language to choose, either initially or for a reimplementation, but there are few examples or case studies of comparative language benefits. A year or two down the road, Wesnoth might provide just that kind of comparison.

Comments (62 posted)

GNOME considers DVCS choices

January 14, 2009

This article was contributed by Bruce Byfield

THE GNOME project has completed a survey of active contributors about which distributed version control system (DVCS) they would prefer to switch to in 2009. The project is now in the process of interpreting the results and deciding on the next steps. As the process unfolds, it provides a vivid snapshot of how free and open source software (FOSS) contributors regard DVCS applications.

DVCSes are an idea that has taken hold strongly in the FOSS community in the last few years, and that is starting to edge out older version control systems such as CVS and Subversion. Unlike such older, centralized version control systems, DVCSes do not require a single repository. Instead, on a DVCS, all contributors have their own repositories, and decision-makers decide which ones to merge for a release. In general, DVCSes are seen as more flexible, although critics argue that they can be too decentralized, and that they cause more conflicts than traditional version control systems during merges. All the same, they continue to be popular, partly because of the high profile of Git, the DVCS originally written by Linus Torvalds for Linux kernel development after the switch from BitKeeper.

The GNOME survey was privately distributed by Behdad Esfahbod, one of the directors of the GNOME Foundation, in December 2008 to gather background information for a possible move away from Subversion, the version control system used by most of GNOME. The survey was distributed to GNOME contributors with Subversion accounts and SSH keys — a total of 1083 people in all, of which 579 replied.

The survey asked those who replied about their current use of Subversion, as well as their role within GNOME, what DVCSes they used or with which they were familiar, and how they felt about switching from Subversion. They were then asked to rank their preferences for Git, Mercurial (often abbreviated to Hg, after the abbreviation for the element Mercury), Bazaar (Bzr), and Subversion.

Analyzing the results

On 3 January, 2009, Esfahbod published the raw results of the survey. Over the next few days, the results were analyzed by a number of people, including Shaun McCance, Andy Wingo and Elijah Newren, all of whom charted the results. Newren's analysis in particular has become a center for discussion about the survey, undoubtedly because it was the most exhaustive analysis.

Looking at Newren's charts, viewers can quickly see approximate but definite results (those who want more exactness can refer to the raw data). The result is a thorough picture of GNOME contributors' views on DVCS.

Newren cross-correlates survey results in every possible way, but here are some highlights:

  • About 60% of respondents claimed familiarity with Git, 25% with Bzr, and 20% with Hg.
  • 37% of respondents preferred to switch from Subversion, 34% were indifferent either way, and the rest either supported Subversion or did not want to switch.
  • 48% chose Git as their first choice, and 25% preferred Subversion. Bzr was favored by about 12%, and Hg by 7%, while 5% expressed no preference. Among second choices, Subversion, Git and Bzr were all between 20-25%, and possibly within any margin of error. However, in the third through fifth choices, Bzr and Hg were favored as much as or more than Subversion or Git.
  • Preferences for different roles in the project were clearly defined: package maintainers and coders steadily preferred Git and Subversion. Translators and testers held the same preferences, but less strongly. Surprisingly, documenters preferred Bzr, but, since only four documenters replied, the validity of that result is questionable.
  • Those who wanted to switch, or were indifferent, both strongly favored Git.

Newren's conclusion was that "there's a strong preference in the community toward switching, and that git has a strong lead in preference among the community."

As might be expected in an online discussion of FOSS, replies to both Esfahbod's publication of results and Newren's results were not long in coming. Still other comments were posted below LWN's brief mention of Newren's analysis.

Replies to the survey and analyses

Probably the most common criticism was that the survey was as much a popularity contest as anything else. Several commenters also wondered why other DVCS software such as Monotone and Darcs were not included in the survey (a question that, so far, no one has answered). In addition, some commenters were quick to talk about Git's shortcomings, while others — obviously unfamiliar with Git — asked questions about its features.

On the GNOME desktop-devel list, Esfahbod's announcement produced dozens of replies. One of the most articulate was by Andrew Cowie, who maintained that "The way the whole survey exercise was conducted it was impossible for Git to lose", and that the desired results were plain beforehand from discussion on the #gnome-hackers channel. Cowie also complained about the fact that GNOME contributors to projects that do not use Subversion were not invited to participate, and that the survey required listing preferences for all choices when he would have preferred not to vote for Git, Mercurial, or Subversion at all.

Much of the discussion below Esfahbod's announcement of the results did quickly come to center on the assumption that a move from Subversion was now inevitable. Some questioned whether GNOME had the resources to devote to such a move, while others volunteered to be part of a task force to plan and implement the move. Another possibility raised was hiring someone to coordinate the change. Still others attempted to rough out the steps needed to move away from Subversion.

However, while most assumed — however reluctantly — that a change to Git would happen, others tried to raise alternatives. Some suggested that each separate GNOME module should be allowed to use its own DVCS, which others argued would discourage new contributors.

Others championed a suggestion raised on John Carr's blog that GNOME use its bzr-playground server and create plug-ins so that developers could use the DVCS software they personally preferred. However, this idea was dismissed by Esfahbod, who in a reply to the discussion about his announcement condemned such "hacks [developed] in house" because of the potentially high maintenance they might require in the future.

In the end, however, the usefulness of these criticisms and alternate suggestions is limited. As Esfahbod states: "[...] This thread is not about making decisions. This thread is about giving those making the decision input they need to consider. Who makes the decision? Those who actually have to implement, oversee, and maintain any change" — in other words, the GNOME Foundation directors, and the project's release team and system administrators, the ones who commissioned the survey in the first place. The unspoken assumption in the survey appears to be that the move from Subversion is inevitable, and only the details are up for discussion. So far, though, those details have not been finalized, either by consensus or an announcement.

Meanwhile, for those unaffected by the decision, the survey and the resulting commentary provide a seldom-seen insight into the mindset of active members of the GNOME project — and, very likely, of active FOSS contributors in general.

Comments (25 posted)

Page editor: Jonathan Corbet

Security

SSL certificates and MD5 collisions

By Jake Edge
January 14, 2009

There is a fair amount of confusion surrounding the recent research resulting in the ability to create bogus SSL certificates. The research combined a weakness in the certificate generation process with the ability to create MD5 hash collisions and generated a certificate that would be accepted by all browsers. That certificate could be used to sign other certificates, allowing the researchers to create a valid certificate purporting to be from any domain they chose.

Cryptographic hashes, like MD5, are used in digital signature algorithms; in effect it is the hash that is signed as a stand-in for the actual content. It has been known since 2004 that MD5 collisions—two different inputs generating the same hash value—could feasibly be found. So, a signature on data with a specific MD5 hash would be considered a valid signature on any other data that hashed to the same value. What the researchers did was to create a certificate that the certificate authority (CA), in this case RapidSSL, was willing to sign, then transferred that signature to a different certificate. That second certificate hashed to the same value, but had the ability to sign additional certificates.

This is a very significant attack on SSL that was addressed rather quickly. One wonders why these certificate authorities were still using MD5 long after it had been deprecated because of the collision vulnerability. Inertia is the likely culprit, but RapidSSL and other CAs using MD5 changed to SHA-1 after the report, within hours in some cases. In addition, RapidSSL stopped using sequential serial numbers in certificates. That flaw helped the researchers immensely, so that they only needed four attempts (with a 200 node PlayStation 3 cluster) to create their colliding certificate. A random serial number over a sizable range once again makes this attack infeasible—at least on today's hardware.

Eventually, MD5 will no longer be accepted as the hash used in the signatures on certificates—or anything else, probably—but as of now, SSL implementations will accept them. There are large numbers of such certificates in use today, so browsers cannot just stop accepting them. CAs are generally offering their customers free replacement certificates that use SHA-1. Because users rarely root through the certificates presented to their browser to determine what hash algorithm was used, there is an extension for Firefox called SSL Blacklist that detects these certificates and pops up a warning.

But, for those sites affected—LWN for example—it can be a bit worrying to hear from users that their certificate may be bad. The LWN certificate and countless others are really no more vulnerable to this attack than any other. A site that has an SHA-1 signature can be spoofed by this attack as easily as one with an MD5 signature. But a site that has an MD5 signed certificate does make it harder to switch away from MD5. That switch won't happen soon in any case, but it could be slowed down by sites that are slow to change.

If an attacker currently has a certificate of the type that the researchers created, they can use it to sign certificates for any domain they wish, and they can use SHA-1 in that signature. This particular vulnerability requires an MD5 signed certificate in the chain of certificates, but does not require that the final, domain-specific certificate be signed with MD5. It should also be noted that some of the root certificates distributed with browsers are MD5-signed. Those are not vulnerable because they are distributed with the browser—if an attacker can change one's root certificate stash, there are much easier attacks possible. For this reason, SSL Blacklist looks for MD5 signatures in the certificate chain anywhere after the root certificate.
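As an added example (not code from the article, and not the SSL Blacklist extension's own code), here is a small Python check implementing the rule the article attributes to that extension: walk a certificate chain and flag any MD5-based signature below the root. The DER walker uses only the standard library, and the certificates it is exercised on are constructed stubs, labelled as such in the code.

```python
"""Flag MD5-based signatures below the root of an X.509 chain (added example,
not from the article or SSL Blacklist). Stdlib-only minimal DER walker; the
certificates exercised below are constructed stubs, not real certificates."""
from typing import List, Tuple

# Real PKCS#1 signature-algorithm OIDs, named only for readable reports.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short-form length
        length = first
    else:                                   # long form: 0x8N, then N length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """OBJECT IDENTIFIER body -> dotted form (first byte packs the first two arcs)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """OID of the outer signatureAlgorithm, i.e. the hash the CA actually signed with.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def md5_signed_below_root(chain: List[bytes]) -> List[int]:
    """Indices (leaf = 0, root = last) of non-root certs carrying MD5 signatures."""
    # The root is skipped: it ships with the browser, so a collision cannot forge it.
    return [i for i, cert in enumerate(chain[:-1])
            if signature_algorithm_oid(cert) in MD5_SIG_OIDS]


# Helpers to build the constructed stub certificates used in the demo.
def _der(tag: int, value: bytes) -> bytes:
    """Encode one TLV with a DER definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def make_stub_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: empty tbsCertificate, given signature OID, dummy signature."""
    alg_id = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))   # parameters = NULL
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))


if __name__ == "__main__":
    md5, sha1 = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"
    # Leaf signed with SHA-1 by an intermediate that is itself MD5-signed: still at risk.
    chain = [make_stub_cert(sha1), make_stub_cert(md5), make_stub_cert(md5)]
    for i in md5_signed_below_root(chain):
        print(f"cert #{i}: {SIG_ALG_NAMES[signature_algorithm_oid(chain[i])]} below the root")
```

Real certificates can be fed in as DER bytes in the same leaf-to-root order; only the outer signatureAlgorithm field is consulted, which is the one that names the hash the issuing CA used.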

This incident is a good illustration of how cryptographic research often proceeds. First, small cracks are found in an algorithm, causing some worry in cryptographic circles, then partial attacks are found, which generally starts to raise the alarm in the wider security community. But it usually takes a full-scale attack or proof-of-concept to really cause those who use the algorithms, knowingly or unknowingly, to take remedial action. That delay provides a nice window that attackers can and will exploit.

Comments (19 posted)

New vulnerabilities

bind: validation bypass

Package(s): Bind    CVE #(s): CVE-2009-0025
Created: January 9, 2009    Updated: July 30, 2009
Description: From the Red Hat advisory: A flaw was discovered in the way BIND checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.
Alerts:
Fedora FEDORA-2009-8119 2009-07-30
Gentoo 200903-14 2009-03-09
Mandriva MDVSA-2009:037 2008-02-16
CentOS CESA-2009:0020 2009-01-09
Fedora FEDORA-2009-0451 2009-01-14
Ubuntu USN-706-1 2009-01-09
rPath rPSA-2009-0009-1 2009-01-20
Fedora FEDORA-2009-0350 2009-01-14
Debian DSA-1703-1 2009-01-12
Mandriva MDVSA-2009:002 2009-01-09
SuSE SUSE-SA:2009:005 2009-01-22
Slackware SSA:2009-014-02 2009-01-15
Red Hat RHSA-2009:0020-01 2009-01-08

Comments (none posted)

cups: insecure tmp file usage

Package(s): cups, cupsys    CVE #(s): CVE-2008-5377
Created: January 12, 2009    Updated: January 14, 2009
Description:

From the Ubuntu advisory:

It was discovered that the example pstopdf CUPS filter created log files in an insecure way. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program.

Alerts:
Ubuntu USN-707-1 2009-01-12

Comments (none posted)

gforge: insufficient input sanitizing

Package(s): gforge    CVE #(s): CVE-2008-2381
Created: January 9, 2009    Updated: January 14, 2009
Description: From the Debian advisory: It was discovered that GForge, a collaborative development tool, insufficiently sanitizes some input allowing a remote attacker to perform SQL injection.
Alerts:
Debian DSA-1698-1 2009-01-09

Comments (none posted)

git: arbitrary code execution

Package(s): git    CVE #(s): CVE-2008-5517
Created: January 12, 2009    Updated: March 9, 2009
Description:

From the SUSE advisory:

Insufficient quoting of shell characters allowed remote attackers to execute arbitrary commands via the git web interface (CVE-2008-5517)

Alerts:
Gentoo 200903-15 2009-03-09
Slackware SSA:2009-051-02 2009-02-23
Ubuntu USN-723-1 2009-02-18
Debian DSA-1708-1 2009-01-19
SuSE SUSE-SR:2009:001 2009-01-12
rPath rPSA-2009-0005-1 2009-01-13

Comments (2 posted)

hplip: privilege escalation

Package(s): hplip    CVE #(s):
Created: January 14, 2009    Updated: January 16, 2009
Description: The hplip installation script was caught in the act of modifying permissions on files in users' home directories. This behavior could be exploited by a local user to change permissions on arbitrary files.
Alerts:
Ubuntu USN-708-1 2009-01-13

Comments (1 posted)

imap: denial of service

Package(s): imap    CVE #(s): CVE-2008-5514
Created: January 12, 2009    Updated: January 6, 2010
Description:

From the SUSE advisory:

Insufficient buffer length checks in the imap client library may crash applications that use the library to print formatted email addresses. The imap daemon itself is not affected but certain versions of e.g. the php imap module are (CVE-2008-5514).

Alerts:
Gentoo 201001-03 2010-01-05
Mandriva MDVSA-2009:146-1 2009-12-28
Gentoo 200911-03 2009-11-25
Mandriva MDVSA-2009:166 2009-07-28
Mandriva MDVSA-2009:146 2009-06-29
Fedora FEDORA-2009-0413 2009-01-14
Fedora FEDORA-2009-0371 2009-01-14
SuSE SUSE-SR:2009:001 2009-01-12

Comments (none posted)

java: multiple vulnerabilities

Package(s): Java    CVE #(s): CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5355
Created: January 9, 2009    Updated: November 18, 2009
Description: Numerous security issues, such as privilege escalations and sandbox breakouts, were found in Sun's Java package.
Alerts:
Gentoo 200911-02 2009-11-17
SuSE SUSE-SR:2009:010 2009-05-12
SuSE SUSE-SA:2009:018 2009-04-07
Red Hat RHSA-2009:0369-01 2009-03-25
Red Hat RHSA-2009:0445-01 2009-04-23
SuSE SUSE-SA:2009:007 2009-01-29
Red Hat RHSA-2009:0015-01 2009-01-13
Red Hat RHSA-2009:0016-01 2009-01-13
SuSE SUSE-SA:2009:001 2009-01-09

Comments (none posted)

jhead: multiple vulnerabilities

Package(s):jhead CVE #(s):CVE-2008-4639 CVE-2008-4640 CVE-2008-4641
Created:January 12, 2009 Updated:March 5, 2009
Description:

From the Gentoo advisory:

* An insecure creation of a temporary file (CVE-2008-4639).

* An error when unlinking a file (CVE-2008-4640).

* Insufficient escaping of shell metacharacters (CVE-2008-4641).

A remote attacker could possibly execute arbitrary code by enticing a user or automated system to open a file with a long filename or via unspecified vectors. It is also possible to trick a user into deleting or overwriting files.

Alerts:
Fedora FEDORA-2009-1824 2009-02-17
Fedora FEDORA-2009-1776 2009-02-17
Mandriva MDVSA-2009:041 2009-02-17
Gentoo 200901-02 2009-01-11
SuSE SUSE-SR:2009:001 2009-01-12

Comments (none posted)

lasso: certificate verification bypass

Package(s):lasso CVE #(s):CVE-2009-0050
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the CVE entry:

Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.

Alerts:
Debian DSA-1700-1 2009-01-11

Comments (none posted)

mplayer: arbitrary code execution

Package(s):MPlayer CVE #(s):CVE-2008-5616
Created:January 12, 2009 Updated:April 29, 2009
Description:

From the Gentoo advisory:

Tobias Klein reported a stack-based buffer overflow in the demux_open_vqf() function in libmpdemux/demux_vqf.c when processing malformed TwinVQ files (CVE-2008-5616).

A remote attacker could entice a user to open a specially crafted STR, Real Media, or TwinVQ file to execute arbitrary code or cause a Denial of Service.

Alerts:
Debian DSA-1782-1 2009-04-29
Gentoo 200901-07:02 2009-01-12
Mandriva MDVSA-2009:014 2008-01-15
Mandriva MDVSA-2009:013 2008-01-15

Comments (none posted)

ntp: signature verification vulnerability

Package(s):ntp CVE #(s):CVE-2009-0021
Created:January 9, 2009 Updated:April 10, 2009
Description: From the Ubuntu advisory: It was discovered that NTP did not properly perform signature verification. A remote attacker could exploit this to bypass certificate validation via a malformed SSL/TLS signature.
Alerts:
CentOS CESA-2009:0046 2009-04-09
Gentoo 200904-05 2009-04-05
SuSE SUSE-SR:2009:005 2009-03-02
Slackware SSA:2009-014-03 2009-01-15
Red Hat RHSA-2009:0046-01 2009-01-29
rPath rPSA-2009-0010-1 2009-01-20
Debian DSA-1702-1 2009-01-12
Ubuntu USN-705-1 2009-01-08
Mandriva MDVSA-2009:007 2009-01-13
Fedora FEDORA-2009-0544 2009-01-14
Fedora FEDORA-2009-0547 2009-01-14

Comments (none posted)

online-bookmarks: multiple vulnerabilities

Package(s):online-bookmarks CVE #(s):CVE-2004-2155 CVE-2006-6358 CVE-2006-6359
Created:January 13, 2009 Updated:January 14, 2009
Description: From the Gentoo advisory: The following vulnerabilities were reported:

* Authentication bypass when directly requesting certain pages (CVE-2004-2155).

* Insufficient input validation in the login function in auth.inc (CVE-2006-6358).

* Unspecified cross-site scripting vulnerability (CVE-2006-6359).

A remote attacker could exploit these vulnerabilities to bypass authentication mechanisms, execute arbitrary SQL statements or inject arbitrary web scripts.

Alerts:
Gentoo 200901-08 2009-01-12

Comments (none posted)

pam_mount: insecure tmp file usage

Package(s):pam_mount CVE #(s):CVE-2008-5138
Created:January 12, 2009 Updated:March 2, 2009
Description:

From the Mandriva advisory:

passwdehd script in pam_mount would allow local users to overwrite arbitrary files via a symlink attack on a temporary file.

Alerts:
SuSE SUSE-SR:2009:005 2009-03-02
Mandriva MDVSA-2009:004 2009-01-09

Comments (none posted)

pdnsd: denial of service

Package(s):pdnsd CVE #(s):CVE-2008-4194
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Gentoo advisory:

The p_exec_query() function in src/dns_query.c does not properly handle many entries in the answer section of a DNS reply, related to a "dangling pointer bug" (CVE-2008-4194).

[This] can be exploited by enticing pdnsd to send a query to a malicious DNS server, or using the port randomization weakness, and might lead to a Denial of Service.

Alerts:
Gentoo 200901-03 2009-01-11

Comments (none posted)

python: multiple vulnerabilities

Package(s):python CVE #(s):CVE-2008-4864 CVE-2008-5031
Created:January 12, 2009 Updated:July 30, 2009
Description:

From the Mandriva advisory:

Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864)

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031)

Alerts:
CentOS CESA-2009:1176 2009-07-29
CentOS CESA-2009:1178 2009-07-27
Red Hat RHSA-2009:1176-01 2009-07-27
Red Hat RHSA-2009:1177-01 2009-07-27
Red Hat RHSA-2009:1178-02 2009-07-27
Ubuntu USN-806-1 2009-07-23
Gentoo 200907-16 2009-07-19
Mandriva MDVSA-2009:036 2009-02-12
SuSE SUSE-SR:2009:001 2009-01-12
Mandriva MDVSA-2009:003 2009-01-09

Comments (none posted)

qemu: password guessing

Package(s):qemu CVE #(s):CVE-2008-5714
Created:January 14, 2009 Updated:October 13, 2009
Description: An off-by-one error in Qemu 0.9.1 makes password guessing attacks easier than they should be.
Alerts:
Debian DSA-1907-1 2009-10-13
Ubuntu USN-776-2 2009-05-13
Ubuntu USN-776-1 2009-05-12
Mandriva MDVSA-2009:009 2009-01-14
Mandriva MDVSA-2009:008 2009-01-14
SuSE SUSE-SR:2009:002 2009-01-19

Comments (none posted)

Streamripper: multiple vulnerabilities

Package(s):streamripper CVE #(s):CVE-2008-4829
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Gentoo advisory:

Stefan Cornelius from Secunia Research reported multiple buffer overflows in the http_parse_sc_header(), http_get_pls() and http_get_m3u() functions in lib/http.c when parsing overly long HTTP headers, or pls and m3u playlists with overly long entries.

A remote attacker could entice a user to connect to a malicious server, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 200901-05 2009-01-11

Comments (none posted)

vinagre: arbitrary code execution

Package(s):vinagre CVE #(s):CVE-2008-5660
Created:January 12, 2009 Updated:March 9, 2009
Description:

From the SUSE advisory:

A format string problem in vinagre potentially allowed malicious VNC servers to have a vinagre client that connects to the server execute arbitrary code. (CVE-2008-5660)

Alerts:
Gentoo 200903-01 2009-03-06
SuSE SUSE-SR:2009:001 2009-01-12

Comments (none posted)

zaptel: arbitrary code execution

Package(s):zaptel CVE #(s):CVE-2008-5396 CVE-2008-5744
Created:January 12, 2009 Updated:January 14, 2009
Description:

From the Debian advisory:

An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396).

From the CVE-2008-5744 entry:

Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync.

Alerts:
Debian DSA-1699-1 2009-01-11

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.29-rc1, released by Linus on January 10. Since then, the flow of patches into the mainline git repository has been relatively slow.

The current stable 2.6 kernel is 2.6.28; there have been no stable updates released against this kernel yet. For 2.6.27 users, 2.6.27.11 was released, with a fair number of fixes, on January 14.

Comments (none posted)

Kernel development news

Quotes of the week

In particular, block forking is a new and untried technique for kernel, and far more difficult than user space because of multiple blocks in different, asynchronously changing states sharing the same underlying data page. We have to rip the data page out from underneath a bunch of buffers and slip in a new one without any of them noticing. Kind of like the trick where you pull the table cloth out from underneath the dinner plates, so fast that nothing crashes to the floor. Except that we also have to copy the table cloth and slip the copy back underneath the dinnerware before it settles back onto the table.
-- Daniel Phillips - filesystems really are tricky code.

As usual, git is actually smarter and gets things more correct than people realize. What you found "surprising" is actually a "profound truth". Git is like a great Indian mystic. It sees past the veil of the trivial, to find the true connections in life.

Or at least in source code.

-- Linus Torvalds (Thanks to Nicolas Pitre)

As far as I'm concerned, digital cameras have been more useful than kernel dumps to kernel debugging.
-- Linus Torvalds

We've long needed a filesystem named after a vegetable.
-- Andrew Morton

Linus is going to take a wholesale conversion of mutexes to adaptive mutexes? He's gone soft. I put on my asbestos underwear for no reason, then.
-- Nick Piggin

Comments (3 posted)

QOTW II: patch review special

I'm scratching my head wondering about this `data_ptr' thing. Is it a disk offset? Is it really a pointer to kernel memory? According to this code it is indeed a kernel pointer, but it then gets stuffed into an unsigned long (wtf?) and then passed to the mysterious read_extent_buffer().

<reviewer throws in the towel on this part of the code>

...

<wonders what the -1 does>

<goes to the btrfs_lookup_xattr() definition site>

<towel goes flying again>

...

<gets interested in btrfs_path.reada>

<greps for a while>

It's snowing towels in here!

-- Andrew Morton

I had this strange dream that google airlines was bombing my house with towels....
-- Chris Mason

Comments (none posted)

Open source firmware for Broadcom wireless adapters

Many people complain about the problem of binary firmware blobs; the folks at the OpenFWWF project are doing something about it. They have just released an early implementation of a free firmware load for Broadcom 802.11b and 802.11g boards. "Although the base firmware is not fully 802.11 compliant, e.g., it does not support RTS/CTS procedure or QoS, we believe that someone could be interested in testing it. The firmware does not require the kernel to be modified and it uses the same shared memory layout and global registers usage of the original stuff from broadcom to ease loading by the b43 driver (and ease our writing...)." (Thanks to Luis Rodriguez).

Full Story (comments: 13)

2.6.29 merge window, part 2

By Jonathan Corbet
January 14, 2009
Linus Torvalds released 2.6.29-rc1 and closed the 2.6.29 merge window on January 10. A little over 2000 changesets were merged after the writing of last week's merge window summary; this article completes the summary for this development cycle.

Before getting into the details, though, it is worth pointing out that the 2.6.29-rc1 kernel has a couple of unusual traps for developers and testers. If you are playing with this kernel, you should be aware of the following:

  • The Btrfs merge brought with it the entire development history for that project. One interesting result is that, if one uses git to check out a tree within that development history, the result will be a tree containing only Btrfs. In particular, this can happen in the middle of a bisection process, yielding a tree which cannot be built or tested - almost certainly not the desired result. The solution is easy, though; simply run:

        git bisect good
    

    and continue with the bisection process as usual.

  • There is a portion of the kernel history which contains a badly broken version of reiserfs. Again, only developers running kernels from arbitrary points in the history will be affected by this problem; if you run reiserfs, though, read the summary and take care.

So what else was merged for 2.6.29? User-visible changes include:

  • At the top of the list, of course, is the merge of the Btrfs filesystem. It cannot be repeated too many times, though, that Btrfs is still a development filesystem. Things are changing quickly, and it still will panic the system if you run out of space. Now is a good time for people to play with Btrfs - especially those who are willing to report bugs or submit enhancements. But it is not, yet, time to entrust your Valuable Intellectual Property to this filesystem.

  • Also merged was the squashfs compressed, read-only filesystem. Squashfs has been packaged by distributors for years; its merger into the mainline was certainly overdue.

  • There is now kernel support for WiMAX networking. The current code supports Intel's Wireless Wimax Connection 2400m devices, but others are expected for the future. See this documentation file for a bit of information on the WiMAX stack.

  • There are new drivers for Atmel AVR32-based Hammerhead boards, Linear Technology LTC4245 Multiple Supply Hot Swap Controller I2C interfaces, Oxford OXU210HP USB host/OTG/device controllers, MIPS CI13412 USB controllers, Freescale IMX USB peripheral controllers, TI TWL4030 USB transceivers, Dell-specific laptop backlight and rfkill devices, ALIX.2 and ALIX.3 series LED controllers, PIKA FPGA watchdog devices, GE Fanuc watchdog timers, and NXP PCF50633 multifunction chips (as seen in OpenMoko devices).

  • The Blackfin architecture has gained symmetric multiprocessing support. Also added is support for the BF51x family of processors.

  • The memory controller has been extended to control swap usage as well. Previously, it would be possible for a memory-controlled group to exhaust swap space.

  • The new "xenfs" virtual filesystem allows for information sharing and control between Xen domains, the hypervisor, and the host system.

  • It is now possible to create and run ext4 filesystems without a journal. One loses the benefits of journaling, obviously, but there is a notable increase in performance.

  • The filesystem freeze feature, allowing a suitably-privileged user to suspend changes to a filesystem (for backup purposes, perhaps) has been merged.

Changes visible to kernel developers include:

  • The exclusive I/O memory allocation functions have been merged.

  • The exports for a number of SUNRPC functions have been changed to GPL-only.

  • The internal MTD (memory technology device) API has seen significant changes aimed at supporting larger devices (those requiring 64-bit sizes).

  • An infrastructure for asynchronous function calls has been merged. This code is still a work in progress, though, and, for 2.6.29, it will not be activated in the absence of the fastboot command-line parameter.

And that completes the set of major changes added for 2.6.29 - with one possible exception. Linus has indicated that he would be willing to slip in an updated version of the spinning mutex code (as described in this Btrfs article) if it passes review in the near future.

Comments (4 posted)

An asynchronous function call infrastructure

By Jonathan Corbet
January 13, 2009
Arjan van de Ven's fast boot project will be familiar to most LWN readers by now. Most of Arjan's work has not yet found its way into the mainline, though, so most of us still have to wait for our systems to boot the slow way. That said, the 2.6.29 kernel will contain one piece of the fast boot work, in the form of the asynchronous function call infrastructure. Users will need to know where to find it, though, before making use of it.

There are many aspects to the job of making a system boot quickly. Some of the lowest-hanging fruit can be found in the area of device probing. Figuring out what hardware exists on the system tends to be a slow task at best; if it involves physical actions (such as spinning up a disk) it gets even worse. Kernel developers have long understood that they could gain a lot of time if this device probing could, at least, be done in a parallel manner: while the kernel is waiting for one device to respond, it can be talking to another. Attempts at parallelizing this work over the years have foundered, though. Problems with device ordering, concurrent access, and more have adversely affected system stability, with the inevitable result that the parallel code is taken back out. So early system initialization remains almost entirely sequential.

Arjan hopes to succeed where others have failed by (1) taking a carefully-controlled approach to parallelization which doesn't try to parallelize everything at once, and (2) an API which attempts to hide the effects of parallelization (other than improved speed) from the rest of the system. For (1), Arjan has limited himself to making parts of the SCSI and libata subsystems asynchronous, without addressing much of the rest of the system. The API work ensures that device registration happens in the same order as it would in a strictly sequential system. That eliminates the irritating problems which result when one's hardware changes names from one boot to the next.

The API is relatively simple. The code needs to include <async.h> and create an asynchronous worker function matching this prototype:

    typedef void (async_func_ptr) (void *data, async_cookie_t cookie);

Here, data will be a typical private data pointer, and cookie is an opaque synchronization value passed in by the kernel. An asynchronous function call is made with a call to:

    async_cookie_t async_schedule(async_func_ptr *ptr, void *data);

The call to the function identified by ptr will happen sometime during or after the call to async_schedule(); in some circumstances, it may happen synchronously. The return value is a cookie identifying this particular asynchronous call.

Code which calls asynchronous functions will eventually want to ensure that those functions have completed. The way to do that is through a call to:

    void async_synchronize_cookie(async_cookie_t cookie);

After this call completes, all asynchronous functions called prior to the one identified by cookie are guaranteed to have completed. Code which makes globally-visible changes (registering devices, for example) should synchronize in this manner first. In so doing, they ensure that any global changes which would have happened first in a strictly-sequential system will happen first in the asynchronous mode as well.

Code wanting to wait for all asynchronous functions to complete can call:

    void async_synchronize_full(void);

This function returns when there are no asynchronous function calls in the system. Of course, another one could always be submitted immediately thereafter.

Internally, the implementation of asynchronous functions is reasonably simple. There is a pair of linked lists - async_pending and async_running - containing pending and running function calls, respectively. A call to async_schedule() puts the call onto the pending list and, possibly, starts a kernel thread to get the job done. In general, there will be as many threads as there are outstanding asynchronous function calls, within a hard-coded maximum (currently 256). If a thread completes a function call and finds the pending list to be empty, it will exit.
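To make the cookie semantics concrete, here is an added user-space model of this infrastructure, written in Python with threads for this article (example code, not the kernel's own implementation): cookies are handed out in increasing order, async_synchronize_cookie(c) waits for every call scheduled before c (not for c itself), and a constructed device-probe simulation uses that to register devices in scheduling order even when the probes finish out of order.

```python
import threading
import time


class AsyncDomain:
    """Constructed user-space model of the kernel's async_schedule() machinery.

    Cookies are handed out in increasing order, so a call's cookie encodes its
    position in the sequential order the kernel wants to preserve.
    """

    def __init__(self, max_threads=256):
        self.cond = threading.Condition()
        self.next_cookie = 1
        self.pending = []      # (cookie, func, data): scheduled, not yet started
        self.running = set()   # cookies whose function is executing right now
        self.nthreads = 0
        self.max_threads = max_threads

    def async_schedule(self, func, data):
        """Queue func(data, cookie), start a worker for it, return the cookie."""
        with self.cond:
            cookie = self.next_cookie
            self.next_cookie += 1
            self.pending.append((cookie, func, data))
            if self.nthreads < self.max_threads:
                self.nthreads += 1
                threading.Thread(target=self._worker, daemon=True).start()
        return cookie

    def _worker(self):
        # Like the kernel's async threads: run pending calls, exit when none are left.
        while True:
            with self.cond:
                if not self.pending:
                    self.nthreads -= 1
                    return
                cookie, func, data = self.pending.pop(0)
                self.running.add(cookie)
            func(data, cookie)
            with self.cond:
                self.running.discard(cookie)
                self.cond.notify_all()

    def _oldest_incomplete(self):
        # Caller must hold self.cond.
        outstanding = [c for c, _, _ in self.pending] + list(self.running)
        return min(outstanding) if outstanding else None

    def async_synchronize_cookie(self, cookie):
        """Block until every call scheduled before `cookie` has completed.

        The call identified by `cookie` itself is not waited for, which is what
        lets a worker call this from inside its own function without deadlock.
        """
        with self.cond:
            while True:
                oldest = self._oldest_incomplete()
                if oldest is None or oldest >= cookie:
                    return
                self.cond.wait()

    def async_synchronize_full(self):
        """Block until no asynchronous calls are pending or running."""
        with self.cond:
            while self.pending or self.running:
                self.cond.wait()


def probe_device(data, cookie):
    """Simulated probe: slow hardware first, then an ordered registration."""
    name, delay, domain, registry = data
    time.sleep(delay)                        # pretend the device took this long
    domain.async_synchronize_cookie(cookie)  # all earlier probes have registered
    registry.append(name)                    # so registration order == schedule order


def probe_device_unsynchronized(data, cookie):
    """The same probe without the synchronization: registers as soon as it is done."""
    name, delay, _domain, registry = data
    time.sleep(delay)
    registry.append(name)


def probe_devices(devices, ordered=True):
    """Probe (name, delay) pairs in parallel; return the registration order."""
    func = probe_device if ordered else probe_device_unsynchronized
    domain = AsyncDomain()
    registry = []
    for name, delay in devices:
        domain.async_schedule(func, (name, delay, domain, registry))
    domain.async_synchronize_full()
    return registry


# Constructed sample: the first disk answers slowest, the second fastest.
DEMO_DEVICES = [("sda", 0.30), ("sdb", 0.05), ("sdc", 0.15)]

if __name__ == "__main__":
    print("completion order:  ", probe_devices(DEMO_DEVICES, ordered=False))
    print("registration order:", probe_devices(DEMO_DEVICES))
```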

There is a special-purpose variation of this API:

    async_cookie_t async_schedule_special(async_func_ptr *ptr, void *data,
                                          struct list_head *running);
    void async_synchronize_cookie_special(async_cookie_t cookie,
                                          struct list_head *running);
    void async_synchronize_full_special(struct list_head *list);

These functions allow the caller to provide a separate list to be used in place of the async_running list. That, in turn, allows them to be synchronized independently of any other asynchronous functions running in the system. In 2.6.29-rc1, there is one prospective user of this API, which is, in fact, not part of the bootstrap process: the inode deletion code in the virtual filesystem layer. Making deletion asynchronous speeds up the process of deleting large numbers of files. It's worth noting that, in 2.6.29, this API also does not work quite as advertised - a shortcoming which, presumably, will be fixed soon.

In fact, asynchronous function calls in general don't work as well as one might have liked at the moment. This code was merged for 2.6.29-rc1, but users immediately started reporting problems. One of those (which your editor stumbled across) is that the process of enumerating SATA disks can be "synchronized" while the partition enumerating process is still running, leading to systems which fail to boot. As a result of this problem and some other concerns, Arjan asked Linus to disable most of the code so that it could be stabilized for 2.6.30. In the end, the code remains in place, but it is not activated in the absence of the new fastboot kernel parameter. So adventurous developers can give asynchronous function calls a try; the rest of us can wait for this feature to cook just a little longer.

Comments (2 posted)

Who is the best inliner of all?

By Jonathan Corbet
January 14, 2009
The inline keyword provided by GCC has always been a bit of a dangerous temptation for kernel programmers. In many cases, making a function inline can help performance. In some, it is mandatory; this is especially true for functions which encapsulate specific CPU instructions. But, in other cases, inlining becomes a classic example of premature optimization; at best, it does not help, while, at worst, it can significantly bloat the size of the kernel and harm performance. Since performance matters to kernel developers, the proper way of inlining functions has often been a topic of discussion. The most recent debate on the subject has made it clear, though, that there is still no real consensus on the issue.

The discussion began as an offshoot of the spinning mutex topic when Linus noticed that a posted kernel oops listing showed that the __cmpxchg() function had not been inlined. This function provides access to the x86 cmpxchg* instructions; it should expand to a single instruction. Clearly it makes sense to inline a single-instruction function, but, for whatever reason, GCC had decided not to do that.

Linus quickly concluded that the fault lies with the (non-default) CONFIG_OPTIMIZE_INLINING configuration option. This option, when selected, makes inline into a suggestion which GCC is free to ignore. At that point, GCC makes its own decisions, based on a set of built-in heuristics. In this case, it decided that __cmpxchg() was too complex to inline, so it made it into a separate function. Linus, in disgust, asked Ingo Molnar to remove CONFIG_OPTIMIZE_INLINING and force the compiler to honor the inline keyword.

Some other developers agreed with this request - but not all. GCC will still certainly make mistakes, but there is also a growing feeling that, with more recent versions of the compiler, GCC is able to make good decisions most of the time. If GCC is also given the power to inline functions which have not been explicitly marked by the developer, the results can be even better. There are hazards, though, to giving GCC an overly free hand: excessive inlining can create stack usage problems and make debugging harder. But these are problems that some developers are willing to accept if the benefits are strong enough.

Ingo ran a long series of tests to see what happens when GCC is given free rein over the inlining of functions. His results were fairly clear: recent GCC, when allowed to make its own inlining decisions, produces a kernel that is 1-7% smaller than the kernel which results from strictly following inline declarations. From that data, Ingo concludes that the best solution is to use the inlining features built into the compiler:

Today we have in excess of thirty thousand 'inline' keyword uses in the kernel, and in excess of one hundred thousand kernel functions. We had a decade of hundreds of inline-tuning patches that flipped inline attributes on and off, with the goal of doing that job better than the compiler.

Still a sucky compiler who was never faced with this level of inlining complexity before (up to a few short months ago when we released the first kernel with non-CONFIG_BROKEN-marked CONFIG_OPTIMIZE_INLINING feature in it) manages to do a better job at judging inlining than a decade of human optimizations managed to do. (If you accept that 1% - 3% - 7.5% code size reduction in important areas of the kernel is an improvement.)

Linus, however, is unimpressed. In his point of view, the kernel size reduction provided by automated inlining does not outweigh the drawbacks:

It's not about size - or necessarily even performance - at all. It's about abstraction, and a way of writing code.

And the thing is, as long as gcc does what we ask, we can notice when _we_ did something wrong. We can say "ok, we should just remove the inline" etc. But when gcc then essentially flips a coin, and inlines things we don't want to, it dilutes the whole value of inlining - because now gcc does things that actually does hurt us.

We get oopses that have a nice symbolic back-trace, and it reports an error IN TOTALLY THE WRONG FUNCTION, because gcc "helpfully" inlined things to the point that only an expert can realize "oh, the bug was actually five hundred lines up, in that other function that was just called once, so gcc inlined it even though it is huge".

See? THIS is the problem with gcc heuristics. It's not about quality of code, it's about RELIABILITY of code.

The reason people use C for system programming is because the language is a reasonably portable way to get the expected end results WITHOUT the compiler making a lot of semantic changes behind your back.

Linus would rather that the inline keyword be considered mandatory by the compiler. Then, if there are too many inline functions in the kernel (and 30,000 of them does seem like a fairly high number), the unnecessary inline keywords should be removed. There was some talk of adding some sort of inline_hint keyword for cases where inlining is just a suggestion, but there is not much enthusiasm for that approach.

The problem with the all-manual approach - even assuming that it can yield the best results - was perhaps best expressed by Ingo:

In this cycle alone, in the past ~2 weeks we added another 1300 inlines to the kernel. Do we really want periodic postings of:

[PATCH 0/135] inline removal cleanups

... in the next 10 years? We have about 20% of all functions in the kernel marked with 'inline'. It is a _very_ strong habit. Is it worth fighting against it?

Solving excessive use of inline functions by diluting the meaning of the inline keyword may look like a misdirected solution. But the alternative would require much more attentive review of kernel patches before they go into the mainline. History suggests that getting that level of review is an uphill battle at best. History also shows that compilers tend to be better than programmers at making this kind of decision, especially when behavior over an entire body of code (as opposed to in a single function) is considered. But it may be a while, yet, before the development community as a whole is willing to put that level of trust into its tools.

Comments (17 posted)

Page editor: Jonathan Corbet

Distributions

News and Editorials

OpenSolaris 2008.11

January 14, 2009

This article was contributed by Ivan Jelic

Sun is continuing to take new steps toward a free Unix-like community by presenting and developing a new version of its desktop-flavored operating system. OpenSolaris 2008.11, released in early December, brings some of the popular features available in mainstream GNU/Linux distributions, like live CD installation, automatic network configuration and a user-friendly package manager, in combination with well-known Solaris advantages like ZFS and DTrace.

Probably the biggest issue for an average GNU/Linux user who wants to start using OpenSolaris is the installation. Fortunately, OpenSolaris managed to overcome this potential problem by providing a live CD image which can be installed to the hard drive, simplifying the scary traditional Solaris text-mode installation process. After the live CD is booted and the OpenSolaris desktop appears, double-click the INSTALL icon to start the installation GUI.

The first few steps of the installation proceed in the usual "next, next" manner and require minimal input from the user, with the traditional emphasis on partitioning and partition selection. Partition selection might be a tricky point, since the installer does not show any of OpenSolaris' partition nomenclature; that leaves partition size and filesystem as the only attributes for recognition. Compared to the layout shown by Debian's GParted, the partition order remains the same, but maximum attention is necessary if OpenSolaris is to be installed to the hard drive while preserving data on other partitions. The system is installable only to primary partitions.

The OpenSolaris team managed to improve visual identity in the new release with characteristic artwork during all phases of system startup, together with the login screen and desktop themes. The system takes a bit longer to boot than most popular GNU/Linux distributions, but the difference is small. The default (and only) desktop is GNOME 2.24.

[Screenshot: OpenSolaris desktop]

From the perspective of a GNU/Linux GNOME user, OpenSolaris will look familiar. The applications shipped in this release by default won't cover all the needs of the average desktop user, mainly because graphics editing and office programs are absent. Internet and multimedia (if we consider only free codecs and formats) are covered a lot better, allowing the user to meet the most common needs in those areas.

Noticeable differences in GNOME are directly related to one of OpenSolaris' killer features - ZFS snapshots. A closer look at the Nautilus toolbar reveals icons which show how this great system capability can be brought to desktop users. The time slider integrates ZFS snapshots into the file browser allowing users to exercise this functionality by moving the slider to the desired point in the timeline. A cron job triggers a snapshot every fifteen minutes, while the time slider presents them as points in a graphical timeline. For example, a directory created at 8:45PM and deleted at 9:00PM can be restored by moving the slider to 8:45, clicking on the directory and choosing the Restore option. The Time Slider Setup configuration tool allows users to make additional settings to this feature, and to turn it on or off.


The package management realm seems to be taken very seriously by the OpenSolaris team, since the release ships with a pair of tools for package manipulation and updates. In the GNU/Linux world this is already a winning combination. Package Manager provides the basic functionality: installing, uninstalling, updating, grouping and searching packages, together with repository management. Update Manager checks for available updates, notifies the user from the system tray and performs the update if required.

OpenSolaris packages are organized in four repositories on pkg.opensolaris.org: release, contrib, pending and dev. Only the release repository is enabled by default, so additional user action is required if the other three repositories are needed. There is a fifth repository, called extra, but it becomes available only after registration and login to a Sun Online Account. This also requires reading the how-to and getting dirty in the shell with SSL certificates.

OpenSolaris 2008.11 was installed on a Thinkpad T61 for this test, and most of the hardware devices were detected. The Nvidia proprietary driver was set up automatically during the install, so 3D functionality was delivered out of the box together with Compiz, which is stable and fast. The Intel WiFi controller (PRO/Wireless 4965), Bluetooth controller and fingerprint reader are on the list of supported devices, according to the Device Driver Utility. This utility provides information about the detected devices and the installed drivers, or about potential problems in this context.

Pretty good driver support is not matched by equal application support, since Bluetooth and fingerprint tools are not installed by default. The Network Auto-magic Manager applet, available in the system tray, is not that magical, since the wireless connection was unacceptably unstable during testing. This hardware has worked flawlessly in most GNU/Linux distributions. The usability glitches mainly manifest as not understanding the purpose of the close button on notifications (some of them keep showing up no matter how many times the close button is clicked). NetworkManager is way ahead of Sun's magician, so OpenSolaris developers should pay some additional attention here to make OpenSolaris a usable desktop system.

Laptop support needs improvement too, since it wasn't possible to put the test system to sleep. Partly functional Thinkpad buttons and problems with mounting removable devices cast a shadow on the otherwise pleasant impression that OpenSolaris left during the test.

This version of OpenSolaris clearly demonstrates Sun's strategy of developing a system with a strong desktop orientation, but it also shows a few serious issues which need to be solved. An unacceptably unstable network connection management system and a lack of packages seem to be the two biggest problems for OpenSolaris. The policy of not including KDE or other desktop environments is understandable up to a point, but the complete absence of Qt applications will be a problem for many GNU/Linux users.

The latest OpenSolaris release definitely shows potential, making it a possible competitor to Linux in future releases. Currently, the good integration of ZFS snapshots, and ZFS itself, are the primary reasons for the average GNU/Linux user to try it. On the other hand, OpenSolaris users should be very happy with this release, since it shows good progress and improvements over earlier versions. For now, GNU/Linux remains the best choice in the free Unix-like world for those who want a fast-moving desktop.

Comments (14 posted)

New Releases

NST (Network Security Toolkit): Version 1.8.1 Released (SourceForge)

Network Security Toolkit (NST) has announced the release of v1.8.1. "Network Security Toolkit (NST) is a bootable ISO image (Live CD) based on Fedora Core 8 providing easy access to best-of-breed Open Source Network Security Applications and should run on most x86 platforms. NST can also be used for crash recovery."

Comments (none posted)

pure:dyne GNU/Linux leek&potato

Pure:dyne leek&potato is out. "pure:dyne is an operating system developed to provide media artists with a complete set of tools for realtime audio and video processing. pure:dyne is a live distribution, you don't need to install anything. Simply boot your computer using the liveCD/DVD or liveUSB and you're ready to start using software such as Pure Data, Supercollider, Icecast, Csound, Fluxus, Processing, Arduino and much much more."

Full Story (comments: none)

XO-LiveCD Version 090110

The XO-LiveCD version 090110 is available for download. This release is based on the stable 8.2 build, but has significant improvements for the Live-System runtime environment.

Full Story (comments: none)

Distribution News

Debian GNU/Linux

New Technical Committee Members

Anthony Towns has resigned from the Debian Technical Committee. Russ Allbery and Don Armstrong are the newest members of the Technical Committee.

Full Story (comments: none)

Ftpteam members

Debian's ftpteam has one new member (Mike O'Connor) and is looking for more. "Even with one new member just added and another one possibly following soon, we can do with more people."

Full Story (comments: none)

Bits from the DPL

Debian Project Leader Steve McIntyre has an update for the Debian community. Topics include a memoriam for Thiemo Seufer, new press contacts, team updates, DPL on the road, recent votes, more discussions for after Lenny, declassification of debian-private archives, and the (imminent) Lenny release. "That's it for now, and I hope to see many of you at FOSDEM next month. If we can manage a Lenny release by then, I'll be buying beer. :-)"

Full Story (comments: none)

Fedora

Fedora 11 release name

Fedora's development branch, Fedora 11, will also be known as Leonidas. Click below for a summary of the candidates and the voting numbers.

Full Story (comments: none)

New Fedora virtualization list: fedora-virt

Fedora now has a dedicated mailing-list for the discussion of virtualization. "The new list would be the correct place for anything related to virtualization in fedora, both user and development issues, and all hypervisors. The old list sounds the right place for people still using Fedora <= 8 with Xen."

Full Story (comments: none)

Fedora 8 End of Life

Fedora 8 has reached its end-of-life. There will be no more security or bug fixes. Fedora 9 will be supported until approximately one month after the release of Fedora 11. Fedora 10 is the current stable version.

Full Story (comments: none)

Fedora Board Meeting Recap 2009-01-06

Click below for a brief recap of the Fedora Board meeting, held January 6, 2009. Topics include FAMSCo Chair Approval and Q&A Topics.

Full Story (comments: none)

SUSE Linux and openSUSE

Minutes from openSUSE Board meeting on Dec 10

Click below for the minutes of the December 10, 2008 meeting of the openSUSE board. Topics include awarding good people, openSUSE conference, FOSDEM, creation of thoughts page, board blog, board's public presence and more.

Full Story (comments: none)

Novell Bugzilla Update to 3.2 and a Guided Report Mode

The Novell Bugzilla has been updated to v3.2. This version includes a "guided mode". "The guided report mode is a feature of bugzilla itself that we just enable. It gives smart hints for reporting bugs including bad and good examples, makes the report more structured, suggests "hot" duplicate bugs and asks for reproducibility, expected and actual result. This should help to create better bug reports and thus help with better resolving of bugs."

Full Story (comments: none)

Unofficial KDE 3.5 Live CD for openSUSE 11.1

Classic KDE is now available for openSUSE 11.1. "Want classic KDE on openSUSE, without the full DVD download? Carlos Goncalves has you covered. openSUSE 11.1 Live CDs and USB images featuring KDE 3.5 are now available for download. Created by openSUSE community member Carlos Goncalves, the KDE 3.5 Live CD and USB images contain openSUSE 11.1 plus several key updates."

Comments (none posted)

Ubuntu family

Ubuntu run-off ballot for Tech Board

A run-off election for an Ubuntu technical board member is currently open. The run-off candidates are Colin Watson and Kees Cook. The election is open until January 20, 2009.

Full Story (comments: none)

Distribution Newsletters

DistroWatch Weekly, Issue 285

The DistroWatch Weekly for January 12, 2009 is out. "Featured in this issue is an interview with Paul Sherman, lead developer of the lightweight derivative of Slackware - Absolute Linux. In the news, Debian announces updated "Lenny" live images and the openSUSE community releases unofficial KDE 3.5 Live CDs. Fedora chooses a name for the upcoming release 11, while in BSD land Sun Microsystems' OpenSolaris and FreeBSD benefit from sharing technology. In other news, Gentoo's Portage package management system gains support for Git repositories and we also include links to two external interviews: the first with PC/OS lead developer Roberto J. Dohnert and the second being a podcast with Gentoo founder and now Funtoo developer, Daniel Robbins. Finally, we would like to thank Russ Wenner for all his hard work throughout 2008 in creating the DistroWatch Weekly podcast and remind our readers of this great way to get your DWW fix. Enjoy the read!"

Comments (none posted)

Fedora Weekly News #158

The Fedora Weekly News for January 11, 2009 is out. "In this first FWN issue of 2009, we bring you several announcements of the outcomes of recent Fedora-related elections. Fedora 8 reaches its end of life (time to upgrade!), and FUDCon 11 reports abound. Much news coverage of the Fedora Planet, including Fedora 10 vs. OpenSuSE, explanations on some of the recent security items now in the latest (2.6.28) Linux Kernel, and Fedora and OLPC goodness. From the development realm, useful coverage of the state of Intel graphics under Fedora 10 and debates on disabling staging drivers. Release notes and packaging guide areas need volunteers in the documentation project, and the translation team welcomes new members and suggests new language teams. In artwork, announcement of a new November/December issue of Echo Monthly News, another great sister Fedora publication. Security advisories for Fedora 9 and 10 are brought to light and the issue round out with more virtualization coverage, including announcement of Xen 3.3.1 in Rawhide and a new Fedora virtualization list, "everything concerning Fedora and virtualization, including Xen." Read on!"

Full Story (comments: none)

The Mint Newsletter - issue 71

The Mint Newsletter for January 12, 2009 looks at Linux Mint 6 "Felicia" x64 RC1 released, Linux Mint 7 will be named "Gloria", mintInstall 5.3.6 - faster refresh, some problems in the forum, and more.

Comments (none posted)

OpenSUSE Weekly News/54

This issue of the OpenSUSE Weekly News covers Bugzilla Update to 3.2, Contributor Gifts, Miguel de Icaza: Mono goes Accessible!, lowobu: Since when do you use (open)SuSE?, Nikesh Jauhari: Read-Write Support for NTFS partition on OpenSUSE 11.x, and more.

Comments (none posted)

Ubuntu Weekly Newsletter #124

The Ubuntu Weekly Newsletter for January 10, 2009 covers: Next Ubuntu Global Bug Jam, Ubuntu Developer Week Returns, New MOTU's, New Ubuntu Members, Ubuntu Hall of Fame: James Westby, Good People-Good Teams, Debian Import Freeze, Changes to Launchpad Legal Page, Open Sourcing Launchpad, 12 Days of Launchpad, Ubuntu Podcast #16, Edubuntu meeting minutes, and much more.

Full Story (comments: none)

Distribution meetings

Ubuntu Developer Week

There will be a Ubuntu Developer Week from January 19, 2009 to January 23, 2009. "From Jan 19th to Jan 23rd we're going to have loads of awesome sessions where Ubuntu developer share their secret of success, spend time asking all of your questions, help you to get involved. It's an awesome opportunity to get started, get to know a lot of people and it's going to be a lot of fun."

Full Story (comments: none)

Page editor: Rebecca Sobol

Development

The Valgrind Project releases version 3.4.0

By Forrest Cook
January 13, 2009

Valgrind is a suite of code analysis and debugging tools for Linux:

Valgrind is an award-winning instrumentation framework for building dynamic analysis tools. There are Valgrind tools that can automatically detect many memory management and threading bugs, and profile your programs in detail. You can also use Valgrind to build new tools. The Valgrind distribution currently includes six production-quality tools: a memory error detector, two thread error detectors, a cache and branch-prediction profiler, a call-graph generating cache profiler, and a heap profiler. It also includes one experimental tool, which detects out of bounds reads and writes of stack, global and heap arrays.


Valgrind version 3.4.0 was recently released; it adds a long list of improvements. The release notes explain the changes, which include:

  • The Memcheck utility now reports the origin of uninitialized values.
  • The Helgrind thread error detector's race detection algorithm has been redesigned for better scalability.
  • Major improvements have been made to the DRD thread debugging tool.
  • A new experimental Ptrcheck tool has been added; it checks for misused pointers.
  • The exp-Omega instantaneous leak-detecting tool has been deprecated.
  • Support has been added for the latest Linux distributions and Gnu toolchain components.
  • Suppressions now have support for frame-level wild cards.
  • Support has been added for the amd64/SSSE3 and IBM Power6 architectures.
  • It is now possible to cross-compile Valgrind so that it runs on one architecture while supporting another.
  • New command-line arguments have been added and existing ones improved.
  • The code has been cleaned up and numerous bugs have been fixed.
  • The documentation has been improved and updated.
  • Version 1.4.0 of the Valkyrie GUI for Memcheck is coming soon.

Building and installing the Valgrind 3.4.0 source code on an Ubuntu 8.10 system was straightforward. For those who don't need the latest release, version 3.3.1 is available as a standard Ubuntu package. The source code was downloaded, uncompressed and extracted with tar. The standard Unix configure, make and make install steps were run; the code built and installed with no problems.

A test run of Valgrind was done on a fairly simple interactive C program. The Quick Start Guide was consulted, the program was compiled with the -g flag and valgrind was run as: valgrind --leak-check=yes ./program options. This produced a report listing some "still reachable" memory and a hint on how to get more information about the problem. Following the hint, Valgrind was run again with: valgrind --leak-check=full --show-reachable=yes ./program options, and the location of the code that produced the still-reachable memory was revealed.
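The two invocations described above, applied to an added example program (not from the article or the Valgrind project) that produces both kinds of Memcheck report mentioned: a block that is "definitely lost" when its only pointer goes out of scope, and a block that is merely "still reachable" through a global at exit. The leaky word counter, its fixed counterpart and the cached greeting are constructed for illustration.

```c
/* Constructed example for trying Memcheck, as in the article:
 *   gcc -g -O0 -o leaky leaky.c
 *   valgrind --leak-check=yes ./leaky
 *   valgrind --leak-check=full --show-reachable=yes ./leaky
 * The first run reports the "definitely lost" block from
 * count_words_leaky(); the second additionally lists the block held
 * by g_cache as "still reachable" and shows the allocation sites. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A pointer to this block survives until exit, so Memcheck classes the
 * allocation as "still reachable": not lost, but never freed either. */
static char *g_cache = NULL;

/* Returns a heap copy of text, or NULL on allocation failure. */
static char *dup_string(const char *text)
{
    size_t n = strlen(text) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, text, n);
    return copy;
}

/* Counts space-separated words. strtok() needs a writable copy, and this
 * version drops the only pointer to it on return: a "definitely lost"
 * block of strlen(text)+1 bytes per call, which --leak-check=yes reports. */
int count_words_leaky(const char *text)
{
    char *copy = dup_string(text);
    int words = 0;
    if (copy == NULL)
        return -1;
    for (char *tok = strtok(copy, " "); tok != NULL; tok = strtok(NULL, " "))
        words++;
    return words;   /* copy is leaked here */
}

/* Same computation with the buffer released on every path. */
int count_words(const char *text)
{
    char *copy = dup_string(text);
    int words = 0;
    if (copy == NULL)
        return -1;
    for (char *tok = strtok(copy, " "); tok != NULL; tok = strtok(NULL, " "))
        words++;
    free(copy);
    return words;
}

/* Builds "hello, <name>" in a global buffer. The previous buffer is freed,
 * so only one block is live; it stays reachable through g_cache at exit
 * and appears only under --show-reachable=yes. */
const char *cache_greeting(const char *name)
{
    size_t n = strlen(name) + 8;   /* "hello, " (7) + name + NUL */
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    snprintf(buf, n, "hello, %s", name);
    free(g_cache);
    g_cache = buf;
    return g_cache;
}

/* Releasing the cache before exit removes the "still reachable" entry. */
void release_cache(void)
{
    free(g_cache);
    g_cache = NULL;
}

int main(void)
{
    printf("leaky count: %d\n", count_words_leaky("the quick brown fox"));
    printf("fixed count: %d\n", count_words("the quick brown fox"));
    printf("%s\n", cache_greeting("valgrind"));
    /* Comment out the next line to see g_cache reported as still reachable. */
    release_cache();
    return 0;
}
```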

This experiment only showed the most basic of Valgrind's utility in debugging the simplest of test cases. Even so, it quickly revealed a small memory leak in the tested code. The lengthy online user manual explains the depth of Valgrind's testing capabilities in full. Those who maintain large projects could likely improve their code by running Valgrind and correcting any issues that it finds.

Comments (14 posted)

System Applications

Audio Projects

Rivendell 1.2.2 released

Version 1.2.2 of Rivendell, a radio station automation system, has been announced. "This is a maintenance release of Rivendell. The following issues have been corrected..."

Full Story (comments: none)

Database Software

PostgreSQL Weekly News

The January 11, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

SQLite release 3.6.8 is available

Release 3.6.8 of the SQLite DBMS has been announced. "Changes associated with this release include the following: * Added support for nested transactions * Enhanced the query optimizer so that it is able to use multiple indices to efficiently process OR-connected constraints in a WHERE clause. * Added support for parentheses in FTS3 query patterns using the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time option."

Comments (1 posted)

Device Drivers

CWiid update 2009

Donnie Smith, author of the CWiid driver project for the Wii remote, has published a CWiid update 2009 document. "So I feel like I owe it to my users to give an update on the status of CWiid for now and expected activity over the coming months. There has been the occasional question about whether the site is still active, whether development is still active, etc. The answer for now, is that both are semi-active. I still monitor the activity here on an almost-daily basis (the RSS feed is on my home page), and respond to issues that I have any intelligent input on. However, I'm a man of many interests (probably too many), and CWiid is no longer number 1. While there have been a few contributors, no one has really stepped up with the long-term contributions required of an admin (nickishappy has come closest to filling this role, Nick if you have the time and want the responsibility, just let me know). Such are the breaks of open-source software." The Wii remote and CWiid driver was covered on LWN a few months ago.

Comments (none posted)

Networking Tools

libnfnetlink 0.0.40 released

Version 0.0.40 of libnfnetlink, the low-level netfilter library, has been announced. "This release includes a couple of updates for the interface2index infrastructure and one bugfix."

Full Story (comments: none)

Mandriva Directory Server 2.3.2 is available

Version 2.3.2 of Mandriva Directory Server has been announced; a number of new capabilities have been added.

Full Story (comments: none)

Web Site Development

Midgard 8.09.3 released

Version 8.09.3 of the Midgard content management system has been announced. "The 8.09.3 "New Year's diet" release focuses on API and architecture cleanups in order to ease transition from Midgard 1.x series API to Midgard 2.x APIs. Stable 8.09.3 release is recommended for all users of Midgard."

Full Story (comments: none)

web2py 1.55.3 announced

Version 1.55.3 of web2py, a cross-platform database-driven web framework, has been announced; it adds a number of enhancements.

Full Story (comments: none)

Zero RRD Framework: Major Update (SourceForge)

A new release of Zero RRD Framework has been announced. "This RRDTool Framework provides a central HTTP-based service for import into standard RRD DBs and graph generation. A lightweight, easily extendable agent for the data sources is pushing updates with minimal resource consumption on the master service."

Comments (none posted)

Miscellaneous

lsscsi 0.22 released

Version 0.22 of lsscsi has been announced; some new features have been added. "lsscsi is a utility that uses sysfs in linux 2.6 series kernels to list information about SCSI devices and SCSI hosts. Both a compact format which is one line per device and a "classic" format (like the output of 'cat /proc/scsi/scsi') are supported."

Comments (none posted)

Desktop Applications

Audio Applications

Amarok 2.0.1.1 released (including security fix)

Version 2.0.1.1 of the Amarok music player has been announced; the release notes have more details: "Just a few weeks after the 2.0 release the new and improved Amarok 2.0.1.1, codenamed Magellan, is ready for you. Don't let the small version number increase fool you though! We brought back features a lot of you have been waiting for and of course fixed a lot of bugs as well as one security issue."

Full Story (comments: none)

BitTorrent Applications

qBittorrent: 1.3.0 (stable) released (SourceForge)

Version 1.3.0 of qBittorrent has been announced. "A Bittorrent client using C++ / libtorrent and a Qt4 Graphical User Interface. It aims to be a good alternative to other bittorrent clients. It has more and more features such as an integrated search engine, UPnP, encryption, PeX, a torrent creation tool. Happy new year to you all. With this new year, qBittorrent is growing older (and mature) and we are proud to announce the release of qBittorrent v1.3.0. This is a new major release based on libtorrent-rasterbar v0.14.x and powered by a newly rewritten core code to make it even more efficient."

Comments (none posted)

Desktop Environments

GNOME 2.25.4 released

Version 2.25.4 of the GNOME desktop environment has been announced. "This is the fourth development release towards our 2.26 release that will happen in March 2009. By now, development is well under way, and we've already made good progress on some of the goals that we've set ourselves for 2.26 (http://live.gnome.org/GnomeGoals)."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE 4.1.4 and 4.2-RC released

Versions 4.1.4 and 4.2-RC of KDE have been announced. "We've done two releases simultaneously tonight: KDE 4.1.4, bugfix and translation update KDE 4.1.4 and 4.2 Release Candidate Available Now".

Full Story (comments: none)

KDE 4.1.4 and 4.2 RC available now (KDE.News)

KDE.News has more information on the two latest KDE releases: "KDE 4.1.4 is the latest update for the KDE 4.1 series. It contains many bugfixes, mainly in the e-mail and PIM suite Kontact and the document viewer Okular. KDE 4.2 RC is the release candidate of KDE 4.2, also bringing new features and thousands of bug fixes to the KDE desktop and applications. KDE 4.1.4 is the last planned update to the KDE 4.1 series and stabilises the 4.1 platform further."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Encryption Software

GnuPG 2.0.10 released

Version 2.0.10 of GnuPG has been announced. "We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.10. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography."

Full Story (comments: none)

Financial Applications

SQL-Ledger 2.8.20 released

Version 2.8.20 of SQL-Ledger, a web-based accounting system, has been announced. The What's New document says: "fixed "database handle destroyed" error when printing".

Comments (none posted)

GUI Packages

Another Year of WX

The wxWidgets cross-platform GUI toolkit project has published a 2008 summary entitled Another Year of WX. "So, what have we done in the almost 7000 revisions checked in during 2008? Maybe surprisingly, the most important changes haven't been about writing code at all but rather about improving the project infrastructure. This may not seem like a big deal but the old SourceForge-based bug tracker was completely unusable and basically was unused because of this and literally hundreds of bugs could have been triaged and closed since the switch to using Trac."

Comments (none posted)

Multimedia

Elisa Media Center 0.5.23 released

Version 0.5.23 of Elisa Media Center has been announced. "Elisa is a cross-platform and open-source Media Center written in Python. It uses GStreamer [1] for media playback and pigment [2] to create an appealing and intuitive user interface. The main highlight of this release feature-wise is on the plugins installation: plugin updates will now be silently installed by default as well as new recommended plugins. New configuration options allow to tune this default behaviour."

Full Story (comments: none)

Music Applications

Aldrin 0.13 released

Version 0.13 of Aldrin has been announced. "Aldrin is an open source modular music sequencer/tracker for the GNU/Linux operating system. It is written in python and supported by the Armstrong audio processing backend (previously known as libzzub)."

Full Story (comments: none)

DSSI 1.0 release; FluidSynth-DSSI, hexter, Xsynth-DSSI updates

Version 1.0 of DSSI, an audio plugin API for software instruments and effects, and new releases of FluidSynth-DSSI, hexter and Xsynth-DSSI are out. "This release contains one small addition to the DSSI API itself, allowing for communication of the sample rate to DSSI UIs. Since the DSSI API has been stable now (with minor additions) for four and a half years, and since most active interest in further extending a Linux softsynth plugin standard has been absorbed by the LV2 project, it seems appropriate to call this release "version 1.0"."

Full Story (comments: none)

guitarix 0.03.3-1 released

Version 0.03.3-1 of guitarix has been announced; a long list of new features has been added. "guitarix is a simple Linux Rock Guitar amplifier for jack(Jack Audio Connektion Kit) with one input and two outputs. Designed to get nice thrash/metal/rock/blues guitar sounds. There are controls for bass, treble, gain, compressor, preamp, balance, distortion, freeverb, impulse response (), crybaby(wah) and echo . A fixed resonator will be used when distortion is disabled. For 'pressure' in the sound you can use the feedback and feedforward sliders."

Full Story (comments: none)

GuitarTeX2: 3.2.0 released (SourceForge)

Version 3.2.0 of GuitarTeX2 has been announced. "GuitarTeX is based on the idea of Chord. It takes a Chord file containing Chordpro directives to produce good-looking and easy-to-play song sheets for guitarists in PostScript or PDF format. GuitarTex2 is a further development of GuitarTex. Major change in compatibility with other chordpro files. Also a bugfix in combination Windows + Java 1.6".

Comments (none posted)

MC09Edit: Version 0.1-alpha released (SourceForge)

Version 0.1-alpha of MC09Edit has been announced. "MC09Edit is a complete visual editor for the Roland MC-09 Phraselab. It communicates with the synthesizer over a midi connection. Its main feature is the ability of storing and managing your user patterns on your computer. It is cross-platform. This is the first release, all features aren't active but the soft is usable."

Comments (none posted)

Science

Papywizard 1.6.0 announced

Version 1.6.0 of Papywizard, a panohead control application for the Merlin/Orion astronomic mount, has been announced. "This will probably be the last release of the 1.x branch. Papywizard v2 is on the road; first task will be to switch from PyGTK to PyQt, then re-think the internal design for a better modularity (plugins)."

Full Story (comments: none)

Miscellaneous

The openSUSE Project announces csync

The openSUSE Project has announced the launch of csync. "As mobile computing becomes more and more important, file synchronization is more important than ever. Our jobs often require working not only on multiple computers, but in multiple locations, and disconnected from our networks. To help solve this problem, we need effective strategies for replication of user data and files. csync is a bidirectional file synchronizer for Linux and allows to keep two copies of files and directories in sync. It uses widely adopted protocols like smb or sftp so that there is no need for a server component of csync."

Full Story (comments: none)

Languages and Tools

Java

All HTML elements are now included in HtmlUnit (SourceForge)

A new version of HtmlUnit has been announced. "HtmlUnit is a "browser for Java programs". It models HTML documents and provides an API that allows you to invoke pages, fill out forms, click links, etc... just like you do in your "normal" browser. In SVN version, HtmlUnit has recently added all HTML elements (some are rarely used), which may have some backward compatibility effect in the next version 2.5 For example, <b> was evaluated to HtmlUnknownElement, but now will be HtmlBold."

Comments (none posted)

Java INI Package: v1.0.0 released (SourceForge)

Version 1.0.0 of Java INI Package has been announced. "The aim of this project is to develop a straight forward java package for creating, reading and writing INI files (aka configuration files). Furthermore, the package should retain all comments of the INI file when reading and writing the files. After more than 6 months since the last release (due to other commitments), version 1.0.0 of Java INI Package has been released. This release makes the stable version of Java INI Package and locks the API for all future v1.*.* releases."

Comments (none posted)

Python

Jython 2.5 Beta1 released

Version 2.5 Beta1 of Jython, a Python implementation written in Java, has been announced. "Jython 2.5 Beta1 continues a code cooling period where the number of new features should significantly slow as we concentrate on solidifying Jython 2.5 for an eventual release. I would guess that we will put out about two more betas before we start pushing out release candidates, hopefully in February."

Full Story (comments: none)

Python-URL! - weekly Python news and links

The January 13, 2009 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The January 14, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

UML

Bouml: 4.9.2 released (SourceForge)

Version 4.9.2 of Bouml has been announced; a number of bugs have been fixed. "BOUML is a free UML 2 tool box allowing you to specify and generate code in C++, Java, Idl, Php and Python. BOUML runs under Unix/Linux/Solaris, MacOS X and Windows. It is very fast and doesn't require much memory to manage several thousands of classes."

Comments (none posted)

IDEs

Pydev 1.4.2 released

Version 1.4.2 of Pydev has been announced; it includes numerous bug fixes and other enhancements. "PyDev is a plugin that enables users to use Eclipse for Python and Jython development -- making Eclipse a first class Python IDE -- It comes with many goodies such as code completion, syntax highlighting, syntax analysis, refactor, debug and many others."

Full Story (comments: none)

Libraries

libsmf 1.2 announced

Version 1.2 of libsmf has been announced. "LibSMF is a BSD-licensed C library for handling SMF ("*.mid") files. It transparently handles time<->pulses conversions, tempo map handling etc. The only dependencies are C compiler and glib. API documentation and examples are included."

Full Story (comments: none)

Version Control

tig 0.13 released

Version 0.13 of tig, an ncurses-based text-mode interface for git, has been announced. "This release contains a major rewrite of the IO layer of tig to use fork+exec instead of popen() and remove use of stdio's fopen() and friends. The new IO API removes the need for shell quoting and improves the overall speed of loading view data. On the downside, it brings a few incompatibilities wrt. commands given via the environment. While the patch series began by being based on git's run-command.c module, the final version contains no code from git."

Full Story (comments: none)

Miscellaneous

MyHDL 0.6 released

Version 0.6 of MyHDL has been announced. "MyHDL is a Python package for using Python as a hardware description language. The highlight of this release is conversion to VHDL, in addition to the existing Verilog capability. Furthermore, the convertible subset has been broadened substantially beyond synthesizable logic, to support test bench conversion."

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

A Software Populist Who Doesn't Do Windows (New York Times)

The New York Times profiles Mark Shuttleworth, which gives a look into how the "mainstream media" views Linux. "The notion of a strong Linux-based competitor to Windows and, to a lesser extent, Apple's Mac OS X has been an enduring dream of advocates of open-source software. They champion the idea that software that can be freely altered by the masses can prove cheaper and better than proprietary code produced by stodgy corporations. Try as they might, however, Linux zealots have failed in their quest to make Linux mainstream on desktop and notebook computers. The often quirky software remains in the realm of geeks, not grandmothers."

Comments (59 posted)

The Perl Future (Heise)

Heise has an extended look at the state of the Perl language. "Probably Perl 6's biggest impact so far is the effect it's had on the Perl 5 ecosystem, as ideas trickle down into Perl 5 implementations and CPAN libraries. If you've used Perl 5 before, but it's been a while, then 2009 will be a good year to take another look."

Comments (9 posted)

Trade Shows and Conferences

Linux Day Italy 2008 (KDE.News)

KDE.News covers Linux Day Italy, and the involvement of KDE Italia. "The Linux Day begins with a day in advance here in Salerno. Despite the inevitable unforeseen, the HCSSLug's boys managed to organise a beautiful Linux Day. A large student participation, some of whom are new to the "strange" world of Free Software, ensured the success of the event."

Comments (1 posted)

The SCO Problem

SCO aims to reorganize, fight on with corporate garage sale (ars technica)

ars technica looks at the latest in the never-ending SCO saga. The company is proposing a way to soldier on by selling its "assets" to keep up the court fights. "In the latest reorganization filing, the company proposes an asset sale that would see its server platform and mobile technology sold off to the highest bidder. After the reorganization, SCO contends that its business would be based on its licensing program, commercial UNIX sales, and one-off custom UNIX enhancement projects for customers. The plan also indicates that SCO will reduce its operating expenses by 20 to 30 percent in 2009."

Comments (16 posted)

Companies

ARM SoC launched with Linux support (Linux Devices)

Linux Devices covers Marvell's launch of the PXA168 system-on-chip device. "The PXA168 is said to offer the processing capabilities of an "entry-level laptop," on devices that still often run single-purpose real-time operating systems (RTOSes), says the company. Touted features include instant-on web surfing and widgets, multi-format video, Adobe Flash-based playback, image processing, video conferencing, and advanced graphical user interfaces (GUIs)."

Comments (34 posted)

Chrome gets Mac deadline, extensions foundation (cnet)

Google is planning to release versions of its Chrome browser for Linux and Mac in the first half of 2009 as outlined in an article over at cnet. "The Mac and Linux versions are up to the level of a basic 'test shell' that can show Web pages. But a test shell is pretty raw. [...] 'That team now is able to render most Web pages pretty well. But in terms of the user experience, it's very basic,' [Chrome product manager Brian] Rakowski said of the Mac version. 'We have not spent any time building out features. We're still iterating on making it stable and getting the architecture right.'"

Comments (1 posted)

Business

Freescale, Intel count on netbook to lift sales (The Arizona Republic)

The Arizona Republic reports that increasing netbook sales are helping to improve semiconductor manufacturers' revenues. "Banking on netbooks as the next big tech trend to help boost profits, Intel began selling its Atom processor - developed at its Fab 32 facility in Chandler - to the netbook market in June. The company is by far the largest supplier of chips for netbooks, a market which industry analysts say will explode within the next five years. Freescale Semiconductor Inc. announced plans this week to get into the market with a new processor it says will lead to cheaper netbooks with longer battery life."

Comments (30 posted)

Linux Adoption

Vietnam pushes open-source software for government use (NetworkWorld)

NetworkWorld reports on plans to increase the use of open-source software by Vietnam. "The Vietnamese government will move to several open-source applications by the end of next year as the country also tries to reduce the use of pirated software. Vietnam's Ministry of Information and Communications has mandated that applications such as the OpenOffice.org productivity suite, Firefox browser, Thunderbird e-mail client and UniKey Vietnamese keyboard client be installed at government agencies by the end of June, according to a report by Wednesday VietnamNet, a government-owned news agency."

Comments (none posted)

Linux at Work

Healthcare IT News takes open-source approach (Healthcare IT News)

Healthcare IT News covers the use of Drupal for medical content entry. "Pop the hood on our new Web site and you'll find one very powerful engine. It's called Drupal, a free, open-source platform that powers all of our content entry. As many healthcare IT workers know, the value of open-source solutions isn't just the (lack of) price tag: it's the fact that the products are user-developed, community-tested and constantly improved."

Comments (1 posted)

Resources

Holiday Cheer, Holiday Uncheer - Part 1 (Linux Journal)

Dave Phillips looks at a number of interesting Linux audio releases in a Linux Journal article. "The December holidays always hold some interesting surprises for me, and this year's season was no exception. However, in this context "interesting" can mean either "utterly engaging fascination" or "coma-inducing exasperation". This holiday season I got plenty of both."

Comments (none posted)

Help On The Way: Five Great Linux Support Sites (bMighty.com)

Matthew McKenzie suggests a number of Linux support sites in a blog posting. "Linux support and documentation sites are a dime a dozen -- and some aren't worth much more than that. Here are a few sites that really give you your money's worth . . . or at least they would, if most of the content wasn't already free."

Comments (none posted)

Reviews

Chrome 2.0 Preview Means Mac, Linux Versions Coming Soon (Wired blog)

A Wired blog site takes a look at the alpha release of Chrome 2.0. "The Chrome 2.0 alpha also has some big news for Mac and Linux users who'd like to try Chrome: Chrome 2.0 uses its own HTTP network library rather than the WinHTTP library on Windows. The Windows-only HTTP library was one of the main stumbling blocks to cross-platform support and now that it's gone the Mac and Linux versions should see some significant progress in the near future."

Comments (34 posted)

Ironically, it's free: a review of GIMP 2.6.4 (ars technica)

Ars technica has posted an extensive review of GIMP 2.6.4. "32-bits per pixel images are very important to the high-end 3D people on Linux, and there is no support for HDR images in GIMP. That means that they'll still have to use Cinepaint to deal with 32-bits per pixel and 16-bits per channel images. Similarly, photographers looking to merge multiple shots in order to tweak an HDR image can't do it in GIMP. I don't think that I'm out of line in saying this needs to be very high on the list of features to add. Fortunately, with the recent addition of the GEGL graphics library, the foundation is being laid to get HDR support and eventually CMYK as well."

Comments (17 posted)

7 Linux web editors that get the job done (TechRadar)

TechRadar briefly reviews seven HTML editors available for Linux. The sub-headline of "Break free from the torment of Emacs and into a visual world" makes it clear that they are looking at visual, GUI tools. "You only have to spend some time with the Internet Archive to see shining examples of the terror that could be wrought with a simple text editor and far too much knowledge."

Comments (18 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Dimitris Glezos appointed to Fedora Board

Dimitris Glezos has been appointed to the last seat of the Fedora Board. "Many of you may know Dimitris from his tireless work in the Fedora Localization (L10n/translation) team, as part of its steering committee, his past work on Documentation including its steering committee, and additional work with Websites, Marketing, Ambassadors, and other groups. He is also the upstream creator of Transifex, a web-based application for enabling free and open source, cross-project translation services."

Full Story (comments: none)

New Friends of GNOME program launched

The GNOME project has announced a new Friends of GNOME program. "Now supporters can sign up to help the GNOME Foundation with recurring $10/month donations. Friends of GNOME is a way for individuals to support the GNOME project's mission of providing a free and open source desktop for everyone regardless of ability. With no advertising or outreach, we've raised anywhere from $6,000 to $20,000 a year from generous individuals. That money has contributed to the funds for hackfests, local events and programs which in turn have enabled the GNOME project to create an internationalized, accessible and easy to use desktop software for both traditional desktops and for mobile devices."

Full Story (comments: none)

Qt to be released under the LGPL

Nokia has announced that, as of version 4.5, the Qt library will be available under the Lesser GPL. "The move to LGPL licensing will provide open source and commercial developers with more permissive licensing than GPL and so increase flexibility for developers. In addition, Qt source code repositories will be made publicly available and will encourage contributions from desktop and embedded developer communities. With these changes, developers will be able to actively drive the evolution of the Qt framework." The commercial licensing option will remain, but, one assumes, fewer companies will need it now. (Thanks to Bastiaan Veelo).

Comments (81 posted)

PgUS 2008 end of year summary

The United States PostgreSQL Association has published the PgUS 2008 end of year summary. "It is now 2009 and time for a, "Thanks for all the laughs 2008!" 2008 was the year that PgUS spent getting its feet under itself. We formed our board, filed all of our legally required paperwork, paid a lot of money to attorneys, held elections and even managed to have some fun by working on parts of our mission. Many goals for 2008 were met."

Full Story (comments: none)

Commercial announcements

CadSoft releases Eagle 5.4

CadSoft has released version 5.4 of their Eagle printed circuit CAD application. This release adds some performance improvements and bug fixes. See the What's new document for details.

Comments (none posted)

EMTEC releases the Gdium netbook computer

EMTEC has announced the release of the Gdium netbook computer along with the OLPH (One Laptop Per Hacker) program. "The software application included with Gdium is based entirely on Open Source Software and includes an impressive variety of programs: FireFox, Thunderbird e-mail client, Instant Messaging, VoIP, Blog editor, audio/video players, and security utilities, as well as a complete Open Office suite of applications for word processing, spreadsheets, and presentations. What makes Gdium unique is the G-Key, a bootable USB key on which the Linux operating system, applications, and personal data are stored. The G-Key allows each user to store their personal info and preferences securely, without leaving a trace on the computer."

Full Story (comments: 18)

Marketcetera releases open-source trading platform

Marketcetera has announced a new open-source trading platform. "This first production-ready release of the most popular open source trading platform for traders, hedge fund managers and broker/dealers offers new features that include robust complex event processing (CEP) capabilities and enhanced strategy development for faster testing and deployment of algorithms."

Full Story (comments: none)

Tim Buckley, Ex-Red Hat COO, Joins rPath as Executive Chairman

rPath has announced that Tim Buckley, principal of Buckley Investments and former chief operating officer of Red Hat, has joined the rPath board of directors as the executive chairman. "From his newly created post, Buckley will help rPath accelerate its push into the enterprise market with solutions for reducing the cost and complexity of delivering applications to traditional, virtualized, and cloud-based environments."

Full Story (comments: none)

New Books

Learning JavaScript, Second Edition - New from O'Reilly

O'Reilly has published the book Learning JavaScript, Second Edition by Shelley Powers.

Full Story (comments: none)

Head First PHP and MySQL--New from O'Reilly

O'Reilly has published the book Head First PHP & MySQL by Lynn Beighley and Michael Morrison.

Full Story (comments: none)

Head First Web Design--New from O'Reilly

O'Reilly has published the book Head First Web Design by Ethan Watrall and Jeff Siarto.

Full Story (comments: none)

Pragmatic Version Control with Git--New from Pragmatic Bookshelf

Pragmatic Bookshelf has published the book Pragmatic Version Control with Git by Travis Swicegood.

Full Story (comments: none)

Contests and Awards

Announcing the "I'm Linux" video contest

The "I'm Linux" Video Contest has been announced. "If you've been alive and aware of mass media over the last twelve months, you've probably seen television commercials from Apple and Microsoft touting their operating system. From Apple's ubiquitous "I'm a Mac" to Jerry Seinfeld to Microsoft's "I'm a PC" retort, operating system commercials have been flooding the airways. Except one OS has been notably absent - Linux." The winner will receive transportation and hotel accommodations to the Linux Foundation Japan Linux Symposium.

Full Story (comments: none)

Voting is open for the LinuxQuestions.org Members Choice Awards

Voting is open for the 2008 LinuxQuestions.org Members Choice Awards. "The Members Choice Awards allow the Linux community to select their favorite products in a variety of categories. Awards will be given out in 26 categories this year, including Server Distribution of the Year, Desktop Distribution of the Year, Browser of the Year, Office Suite of the Year, Desktop Environment of the Year and Database of the Year. The polls will close on February 12th."

Full Story (comments: none)

Calls for Presentations

LayerOne 2009 Call for Papers

A call for papers has gone out for the LayerOne 2009 Security Conference. The event takes place in Anaheim, California on May 23-24, 2009; submissions are due by April 1. "The sixth annual LayerOne security conference is now accepting submissions for topic and speaker selection. As always, we are interested in seeing a broad range of pertinent topics, and encourage all submissions."

Full Story (comments: none)

OSCON 2009: Call For Participation

A call for participation has gone out for OSCON 2009. "The O'Reilly Open Source Convention has opened up the Call For Participation -- deadline for proposals is Tuesday Feb 3. OSCON will be held July 20-24 in San Jose, California."

Full Story (comments: none)

ShakaCon 2009 Call for Papers and Trainers

A call for papers and trainers has gone out for the ShakaCon 2009 security conference. The event takes place in Honolulu, HI on June 11-12, 2009; abstracts are due by February 15. "Shakacon will offer local, national, and international participants a casual, social, learning environment designed to present a "holistic" security view and the opportunity to network with peers and fellow enthusiasts in a relaxed setting. Leave your ego at the airport (or shoreline if you come in via another method) as we look forward to attendees varying in skill level from N00b to Ninja."

Full Story (comments: none)

SyScan'09 Call For Papers

A call for papers has gone out for SyScan'09. "This year, SyScan'09 will be held in the 4 exciting cities of Singapore, Shanghai, Taipei and Hong Kong." Submissions are due by February 28.

Full Story (comments: none)

YAPC::EU::2009 cfp

A call for papers has gone out for the YAPC::EU::2009 Perl conference. The event takes place in Lisbon, Portugal on August 3-5, 2009.

Comments (none posted)

Upcoming Events

Northwest Python Day - Seattle, WA

The Northwest Python Day will take place on January 31 in Seattle, WA. "If you'll be near Seattle, WA USA at the end of this month, the Seattle Python Interest Group would like to invite you to join us for an informal day of Python talks & socializing."

Full Story (comments: none)

Events: January 22, 2009 to March 23, 2009

The following event listing is taken from the LWN.net Calendar.

Date(s) | Event | Location
January 17 - January 23 | Camp KDE 2009 | Negril, Jamaica
January 19 - January 24 | linux.conf.au - penguins march south | Hobart, Australia
January 25 - January 29 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA
January 25 - January 28 | GCC Research Opportunities | Paphos, Cyprus
January 31 | Greater London Linux Users Group meeting | London, UK
January 31 - February 3 | Black Hat Briefings DC | Arlington, VA, USA
February 4 - February 5 | DC BSDCon 2009 | Washington, D.C., USA
February 4 - February 6 | Money:Tech 2009 | New York, NY, USA
February 5 - February 9 | German Perl Workshop | Frankfurt, Germany
February 7 | Frozen Perl 2009 | Minneapolis, MN., USA
February 7 - February 8 | FOSDEM 2009 | Brussels, Belgium
February 9 - February 11 | O'Reilly Tools of Change for Publishing | New York, NY, USA
February 15 | Free Software Awards 2009 Deadline | Soissons, France
February 16 - February 18 | Open Source Singapore Pacific-Asia Conference | Singapore, Singapore
February 16 - February 19 | Black Hat DC Briefings 2009 | Washington, D.C., USA
February 20 | Demonstrating Open-Source Health Care Solutions | Los Angeles, CA, USA
February 20 - February 22 | Southern California Linux Expo | Los Angeles, CA, USA
February 24 - February 26 | VMworld Europe 2009 | Cannes, France
February 25 - February 27 | German Perl Workshop | Frankfurt Main, Germany
February 27 | PHP UK Conference | London, UK
February 28 | Belgian Perl Workshop | Leuven, Belgium
February 28 | uCon Security Conference | Recife, Brazil
March 1 - March 4 | Global Ignite week | Online
March 3 - March 8 | CeBIT 2009 | Hanover, Germany
March 4 - March 7 | DrupalCon DC 2009 | Washington D.C., USA
March 6 | Dutch Perl Workshop | Arnhem, The Netherlands
March 7 | Ukrainian Perl Workshop 2009 | Kiev, Ukraine
March 8 - March 11 | Bossa Conference 2009 | Recife, Brazil
March 9 - March 13 | Advanced Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA
March 9 - March 12 | O'Reilly Emerging Technology Conference | San Jose, CA, USA
March 12 - March 15 | Pingwinaria 2009 - Polish Linux User Group Conference | Spala, Poland
March 14 | OpenNMS User Conference (Europe) 2009 | Frankfurt Main, Germany
March 14 - March 15 | Chemnitzer Linux Tage 2009 | Chemnitz, Germany
March 16 - March 20 | Android Bootcamp with Mark Murphy | Atlanta, USA
March 16 - March 20 | CanSecWest Vancouver 2009 | Vancouver, BC, Canada
March 18 | Linuxwochen Österreich - Klagenfurt | Klagenfurt, Austria
March 21 - March 22 | Libre Planet 2009 | Cambridge, MA, USA

If your event does not appear here, please tell us about it.

Page editor: Forrest Cook

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds