LWN.net Weekly Edition for January 22, 2009

Nokia relicenses Qt

When Nokia purchased Trolltech in early 2008, it stated that the acquisition would "enable the acceleration of their cross-platform software strategy for mobile devices and desktop applications, and to develop its Internet services business." It is not entirely clear what that means, but one thing is certain: Nokia is now a major player on the free desktop since it owns the library upon which KDE is based. The free software community is not unfamiliar with large, well-established firms taking an interest in and contributing to an endeavor. But there is always the question: How well would Nokia work with the community?

It was a pleasant surprise, then, when Nokia announced that the Qt library will be released under the LGPL version 2.1. This is for the coming Qt 4.5 release that is due in March 2009, and applies across almost all its products. The new license is in addition to the existing commercial and GPL licenses.

Some history

Trolltech (now known as Qt Software) started marketing the Qt cross-platform library in 1996, and made the X11 version available under a free use, code available license. It was later offered under the Q Public License (QPL), which is an OSI approved license. Later Linux versions were released under the GPL. If someone desired to write a closed source binary application, they could purchase developer licenses from Trolltech.

Shortly after the initial release of Qt, Matthias Ettrich proposed using the library as a basis for the Kool Desktop Environment, better known as KDE.

One can think of many examples of successful business ventures based on free software, but they are usually in the server market. The desktop is much more challenging; against a well entrenched and rather rich competitor, we have something not quite done, but free. What Trolltech managed to accomplish is noteworthy. It had a library with a free license; the KDE developers tested it, learned how to use it, and evangelized about it. Trolltech got a large developer pool eager to use the product, and the irreplaceable hard knocks feedback from KDE developers. Over the years many KDE developers got jobs with Trolltech, or established consulting businesses selling services based on Qt, cementing the good will further.

But that necessity of selling licenses caused friction. The desire of Trolltech to own and control the code created a situation where outside patches were rarely accepted. KDE has long maintained a patch set called qt-copy, while they awaited the next version of Qt with the fixes written by a Troll (Trolltech engineer). The trend in free software has been to offer libraries under a license which allows closed source application development but, with Qt, that required paying for a license.

Although KDE is a vigorous project with a large user and developer base, the licensing and Trolltech's tight control over its library has relegated KDE and Qt somewhat to the margins within the free desktop stack. The rejection of the Qt due to its license prompted the creation of GTK and Gnome as a free alternative, and even elicited condemnation from Richard Stallman. Happily the relationship has improved to the point where both desktops are having a joint developer conference.

Opening the repository to contribution

Along with the license change, Qt Software is proposing to open the source repository to external contribution. The purpose is to make it easier for external developers to contribute to Qt, while still maintaining the quality and cross platform characteristics of the library.

Knut Yrvin, the Open Source Community Manager for Qt Software outlined the proposed criteria for accepting external contributions. In order to be accepted, the code would:

Qt Software will give full access to the internal unit tests that Qt developers have been using. It has already switched to Git internally, and is setting up Gitorious for hosting Git repositories.

There is more to the task than just providing access, as Mr. Yrvin described:

Mr. Yrvin described how Nokia benefits from all this. He explained that instead of having different code bases for the same application when targeting different devices, Qt can improve the time to market, targeting desktop, mobile and embedded platforms with a single code base. The increased use, contributions, and feedback from projects across all the platforms will ensure a high quality library. Nokia and all users of the platform benefit.

George Makrydakis raised some questions regarding the LGPL and C++ templates. Mr. Yrvin said that the legal department is aware of this and are currently investigating the template situation. They will come back with more details. He said that Nokia wants to ensure that it will be easy for developers to adopt Qt. It's worthwhile to note that gtkmm, the GTK C++ bindings, has the same issue.

This is a significant step for Nokia. It has been very difficult to attract developers to large commercial code releases. Nokia and Qt Software seem aware of the difficulties, and with feedback from KDE developers are attempting to avoid the pitfalls and make the process mutually beneficial. Let's not forget that Nokia makes phones, so it will be interesting to see how this move will play out in the briskly competitive smart phone marketplace.

Comments (19 posted)

Mobile Linux at linux.conf.au

The first two days at linux.conf.au are dedicated to "miniconfs," which cover specific areas of interest. The 2009 event in Hobart, Tasmania included a miniconf for mobile Linux; your editor attended a few talks there. As might be expected, there is a lot going on with mobile Linux, and a lot of interest.

Baglady

Nancy Mauro-Flude is a performance artist who has used mobile Linux as part of a device intended as an artistic and political statement. The Baglady device is a purse with a numeric keypad on the outside. Inside, it contains a Linux-based system with wireless networking. A camera and microphone have been discreetly placed on the strap. When enabled, this device captures pictures and audio from its owner's travels, then immediately uploads them to a remote server. It allows its owner to capture the events around her, perhaps in situations where recording devices are not appreciated or allowed. The immediate-upload feature ensures that the data gets out, even if the device is discovered - at least, in places where an open access point is available.

The subversive possibilities of such a device are clear; so are the potential privacy problems. Nancy was clearly aware of those issues, but, arguably, has not worked through them completely. Others will certainly follow this particular artist's lead; expect to see more mobile devices which record their immediate environments and put the results on a server for all to see. It is going to be interesting.

Ubuntu Mobile

Canonical's David Mandala gave a well-attended talk on Ubuntu's efforts in the mobile arena. Like other such projects, the Ubuntu Mobile effort faces challenges beyond simply making the distribution run on mobile systems. Mobile systems truly are different, and, as a result, a user's expectations of the operating system are quite different. Small screens are a problem; not all applications have been written to function well when the amount of screen space is limited. Touchscreens complicate things further; David issued a challenge to developers to find ways to allow more space in menus so that fat-fingered users can use them on touchscreen-based systems.

The Ubuntu Mobile effort is actually two related projects: Ubuntu MID (for small, tablet-like devices) and the newer Ubuntu Netbook, aimed at larger devices. The Ubuntu MID work is currently based on GNOME Mobile, though David suggested that things could change at that level. In particular, he said, the Qt license change has stirred things up a bit. There is a selection of applications which are optimized for small screens. The distribution as a whole is intended for original equipment manufacturers; it is not expected that users of MID devices will be installing their own distributions.

MID systems typically use a touchscreen as their primary input device. Netbooks, instead, combine a larger screen with a real keyboard; that leads to different requirements. The Ubuntu Netbook distribution uses the full GNOME desktop - for those applications which behave well on an 800x600 display, at least. This distribution should be available in stable form at the end of the Jaunty development cycle.

David seemed to be having the most fun, though, with the new Ubuntu ARM port. One does not normally think of the ARM processor when one ponders netbook devices, but it seems that ARM is making a real effort to enable products in that area. As part of that work, ARM is working with Ubuntu to have a proper distribution ready. This effort seems to have gone pretty well; at this point, the full Ubuntu distribution is available for ARM systems. The biggest difficulty, it seems, is that ARM-based systems lack proper video acceleration. Canonical is working around this issue, though, and plans to support this port along with the others.

It seems that Canonical sees a bright future for the ARM port. While there are a number of systems available for x86-based devices, there is no real competition to Linux on the ARM processor. Windows does not run there. Symbian does, but it is not a true desktop-based system. So, any ARM-based netbook devices which appear on the market are sure to be running Linux. Canonical is doing its best to ensure that they run Ubuntu in particular.

Poky Linux

An alternative for small systems is Poky Linux, a system put together by Opened Hand prior to its recent acquisition by Intel. Poky Linux is, in fact, two different things: it is a system for building Linux-based platforms, and it is also the distribution which is that system's output. Rob Bradford, in his presentation, acknowledged that this naming practice may lead to some confusion. Still, while Poky may suffer from some ambiguity, its developers seem to make up for that with enthusiasm.

Poky Linux started as a fork of the Open Embedded platform. The developers tossed in a bunch of tools which are useful on small devices: the Clutter desktop work, GeoClue, the "Sato" user interface, the Pimlico personal information management system, GStreamer, WebKit, etc. The result is a fully-featured distribution which is well tuned to the small device environment. Perhaps the highest-profile use of Poky Linux is in the Vernier Labquest device.

Rob discussed at length the build system that was created to allow the creation of Poky Linux distributions. There are a lot of tools there which make the task relatively easy, and which, as Rob pointed out, are well suited to people who do not like to type very much. More information on how that works can be found on the Poky Linux site.

What the audience really wanted to know, though, was Intel's intentions for Poky Linux, which it acquired with Opened Hand. Though Rob didn't say so directly, the real answer appears to be that Intel doesn't have much interest in Poky Linux and is not putting resources into its further development. So, says Rob, while the infrastructure is still in place, Poky Linux has become a community project. The future of this project, it seems, is in the hands of those who use it and wish to see it continue.

Android

GeunSik Lim gave a talk outlining the internals of the Android system. Much of that talk is not amenable to summarizing here, though there were useful details which will help as your editor digs more deeply into that system. One thing that jumped out, though, was this: Google decided to create its own C library for this platform. The size of glibc was part of the motivation for this work, but the real reason, it seems, is that Google doesn't want to have GPL-licensed code running in user space. They worried, perhaps, that glibc could go to GPLv3 in the future; that, of course, would make it impossible to use in a locked-down device. So they started with a BSD-licensed libc which was then tweaked extensively for their needs. The resulting library (called "Bionic") has some big gaps (no support for C++ exceptions, for example), but it evidently suits the Android platform well.

In summary: mobile Linux is clearly one of the hot topics for this year. There are a lot of people and projects working in this area, doing no end of interesting things. It is going to be fun to see what our community comes up with.

Comments (14 posted)

Finding and using free fonts

Free and open source software (FOSS) has produced several off-shoots, including the Open Access Movement for academic literature and the Free Hardware Foundation. As the FOSS desktop matures, one of the most important off-shoots is the free font movement. Designing free, general-purpose typefaces and font tools, this loosely organized group of typographers is starting to make graphic design on FOSS easier, and to give ordinary users a more aesthetic desktop. The only catch is that you sometimes have to dig to find the free typefaces and tools, and knowing how to use them appropriately frequently requires expert knowledge about what to look for.

Free fonts have been released under a variety of licenses. As the Free Software Foundation points out on its license page, standard FOSS licenses like the GNU General Public License (GPL) are not really designed for fonts. In particular, the fact that fonts are embedded in a document means that the GPL is suitable only if the document is also released under the GPL unless an exception is added to the license.

Another problem is that many font designers do not want to see their work bundled on a CD by a third party. To provide at least a token solution to this concern, many free typographers now favour the SIL Open Font License, a GPL-compatible license developed by SIL International, a Christian academic organization concerned with literacy and the preservation of minority languages.

Whatever their license, free fonts come in three different file formats: Postscript (.pba, .pfm, .inf, and .atm), TrueType (.ttf), and OpenType (.otf). TrueType is the most common, although OpenType is rapidly gaining. All three work on GNU/Linux systems, although some programs might not take full advantage of OpenType's features. Those still in development may come in the format for FontForge (.sfd), the main free software tool for designing fonts, and require you to load the raw files into FontForge so that you can output them to one of the three main file formats, a process roughly equivalent to compiling source code.

Where to get free fonts

Many major distributions include free fonts in their repositories, and include them in basic installations. Ubuntu, in particular, is rich in free fonts in order to supplement its multi-language support. However, as with any software, distribution packages can sometimes be slow to include the latest versions, or all the available free fonts.

Those who want the widest selection of free license fonts (as opposed to fonts that are simply free for the download), can find them at:

• Open Font Library: A sister-site to the Creative Commons' Open Clip Art Library, the Open Font Library is the largest single repository of free fonts, with over 100 selections — a small number compared to proprietary fonts, but a much larger number than even a few years ago. The site includes users' reviews, tags, and ratings, as well as remixes of various fonts.
• SIL Font Downloads: This is the main site for free fonts for language support, especially for minority languages, but also for the full range of western and eastern European languages, Cyrillic, Greek, and Hebrew. Some of these typefaces are so obscure that only specialists will use them regularly, but they include a number of general purpose fonts for English and other western European Languages, such as Gentium, Charis SIL and Doulos SIL.
• Raph Levien's fonts:A maintainer for GhostScript, Raph Levien also designs some of the best free fonts for everyday use. Be warned, though, that these are works in progress, and some are not be completely ready for use.
• Linux Libertine: Linux Libertine is designed as a free replacement for the ubiquitous Times Roman. Its letters are designed to have the same proportions as those of Time Roman, so that, when a recipient's machine replaces Linux Libertine in a document with Times Roman, your document's design does not suffer.
• Liberation fonts: A set of three fonts designed as free replacements for Times Roman, Arial/Helvetica, and Courier — respectively the most commonly used serif, sans serif, and monospace fonts used on Windows.
• DejaVu: DejaVu is a version of the Bitstream Vera family, one of the first free fonts. The main difference is that it includes support for a greater number of international characters.

Installing free fonts

Once you download free fonts, the easiest way to install them in GNU/Linux is with the font installer included in KDE's setup tool. Using KDE's font installer, you can make selected fonts available to all users on the system, or just the current one, as well as previewing all installed fonts. The installer makes fonts available to the X Window System, not just KDE, so you can use the fonts it installs regardless of your choice of desktops.

If you do not have KDE installed, then you can use a font manager such as Fonty Python or FontMatrix. Both these applications enable or disable fonts on the fly for your current account, and allow you to group fonts in sets — for instance, the fonts you need for a certain project — so that you do not clutter your system with seldom-used fonts, and can enable or disable related fonts with a single action. Of the two, FontMatrix has an edge because of its cleaner interface and its ability to print out sample fonts for easy reference.

In programs like OpenOffice.org or LaTeX, you can install fonts only for that program. However, so long as a program can read system fonts, installing for a single program hardly seems worthwhile.

The use of free fonts

Whether free fonts are useful depends very much on your needs. If language support is your priority, you have hundreds to choose from, with those from SIL International being among the highest quality. Typically, the files for such fonts are much larger than those for traditional fonts, because they contain hundreds of additional Unicode characters — for example, SIL Doulos checks in at one and a half megabytes, as opposed to about 50 kilobytes for all the files associated with a postscript font — but on a recent hard drive, this increased size should not be much of a problem.

If compatibility with the fonts on another operating system is your concern, you have several choices, including Linux Libertine, the Liberation fonts, and SIL Doulos. Of these choices, Linux Libertine is probably the more aesthetically pleasing, although you may prefer SIL Doulos if international character support is also a concern.

Other fonts are useful for a specific need. For instance, Deja Vu or Vera Sans are not among the best-designed fonts, but their large size and wide letters make them well-suited for online display because they are highly readable and easy on the eyes.

However, if you want everyday fonts for documents, your choices are still relatively limited compared to those you have when using proprietary fonts. Many free font designers, like font designers in general, prefer to design decorative fonts that have limited use, and are not suitable for large blocks of text or, at best, anything more than a heading. If you exclude the poorly designed fonts that have always accompanied the average distribution, such as Nimbus or Lucida, at most you have maybe a couple of dozen choices for everyday use, as opposed to the hundreds available in proprietary fonts.

Of the workday choices that are available, the most aesthetically pleasing text fonts include Goudy Bookletter 1911 and Raph Levien's Century Catalog and LeBe, the incompleteness of the last one not withstanding. Perhaps the strongest choice is Gentium, an award-winner that, with its calligraphic influence, is among the most beautiful fonts ever.

For heading fonts, choices are even scarcer, although you might use Levien's LeBe Titling. Levien's Museum Caps looks promising as well, although no download is currently posted on his site. The available monospace fonts are also hard to find, although you might look at OCR-A, NotCourier-sans or Rursus Compact Mono.

Until high quality free fonts for common uses become more numerous, the FOSS desktop is unlikely to attract large numbers of designers. Still, the free fonts that are available are a start, and an improvement over what was available as recently as two years ago. As with the FOSS desktop itself, the choices are only going to improve. But, for now, the choices are limited and restricting for professional designers who would prefer to use only free fonts. Before too many projects have passed, the average designer will almost be forced into importing fonts from Windows, or else buying proprietary typefaces from vendors such as Adobe, just to get some variety.

Comments (39 posted)

Page editor: Jake Edge

Security

Firefox security add-ons

From a security perspective, Firefox add-ons are a nightmare. If you read the legal notice, even on the official download site, Mozilla neither reviews add-ons nor assumes any responsibility for the consequences of using them. Yet any add-on could open unexpected vulnerabilities — at times because of the unexpected consequences of using several in combination — and they provide a new door to your system for crackers. As if to mitigate such concerns, the last year has seen a steady trickle of of security-focused add-ons — and more are on the way. Some of these extensions control how you browse individual web pages, and others alter how Firefox uses passwords, cookies, and scripts, but, if you choose carefully, you should have no trouble finding several that can greatly improve your security while browsing.

Different security for different sites

One of the simplest security-oriented extensions is PrefSwitch. All PrefSwitch does is add a series of icons to the status bar at the bottom of the browsing window for changing existing Firefox preferences, such as the ones for handling javascript, frames, and images. Yet, by making these controls accessible, instead of buried several layers down in Edit -> Preferences, PrefSwitch makes it easier for you to change preferences for each web page. You will still want to add continually visited sites to the exceptions defined in Preferences, but, for on-the-fly browsing, PrefSwitch is more convenient.

By contrast, SecureBrowse takes a more organized approach, offering three sets of preferences for security and privacy that you can assign to each site. The add-on includes a pre-defined set of "Sensitive Sites" — mostly banks and popular sites such as Flickr and Slashdot — that you can edit and extend as you choose.

Still another approach is used by Karma Blocker, which rates the sites you visit according to how it accesses Mozilla's chrome files (so you can see if anything non-standard is happening), and the resources it uses from other sites (the apparent assumption being that a malicious script is likely to be hidden on another site, and, the more off-site resources are used, the more likely cracker activity might be happening). If a site is rated above a certain karma — the default is 100 — then Karma Blocker prevents access to it unless you specifically add the site to the extension's white list. To help you evaluate the automatic rating, you can monitor what Karma Blocker reports to decide whether a use is harmless or not. The monitoring is especially useful because, as you soon discover, many modern sites use off-site resources for harmless reasons — for instance, to link to a graphic on Flickr. One drawback is that Karma Blocker's configuration is a plain text file, which might intimidate more inexperienced users.

Passwords and cookies

If you are concerned about password security, an extension to start with is Master Password Timeout. Its sole purpose is to add a control that should have been in default Firefox long ago: An expiry time in seconds for the master password — set in Edit -> Preferences -> Security — which protects access to the site passwords stored by Firefox.

For more detailed control of passwords, you can install Password Hasher. Password Hasher replaces your password on sites with a master key and a hash; you enter the hash to prevent your key strokes from being monitored. It also obscures passwords as you enter them to prevent anyone who is physically present from learning any details about them, such as the number of characters. It also enforces a minimum size and contents for passwords, and, like the Master Password extension, limits the time that the master password remains in effect once entered.

Cookies are reasonably well handled by Firefox, though you will find a number of add-ons to make control easier. By using Cookie Watcher, you can view and edit cookies in more detail than when you click the Show Cookies button on the Privacy tab in Edit -> Preferences. By contrast, Extended Cookie Manager and Cookie Context take a different approach, adding pop-up controls directly on each web page.

However, none of the extensions for handling standard cookies is much good against the new generation of Super Cookies, such as the Local Shared Objects deposited on your system by Flash or click-pings (scripts that record when you select certain items on a web page, allowing your activities to be detected and logged). Both Local Shared Objects and click-pings are frequently used for reasons no more malicious than any cookie, but the point is that such items are generally stored outside Mozilla's usual cookie folders, and are therefore not removed when you remove cookies using Edit -> Preferences -> Privacy -> Cookies. Fortunately, you can remove Super Cookies with Better Privacy, which provides an insightful and rather alarming glimpse of what can creep into your home directory without your knowledge.

Script controls

Other extensions change how Firefox works with scripts. For instance, Controle de Scripts, which specifically targets Javascript, a language that is praised and discouraged in almost equal measure. The default Firefox preferences give you half a dozen options for specifying what you will allow Javascript to do to your browser window, but Controle de Scripts allows you to control another half-dozen basic Javascript actions, as well as the behavior of pop-up windows and the maximum time that a script is allowed to run. You can also set your own limitations, provided you are familiar enough with Javascript to know what you might want to prevent.

But by far the most comprehensive extension for controlling scripts is NoScript. NoScript is a detailed set of controls for Java, Flash, and Silverlight, as well as frame and iframe tags (both of which could potentially be used to embed a malicious script), and HTTPS-carried content. All these settings, as well as a whitelist, can be set globally from Tools -> Add-ons -> NoScript -> Preferences, or for individual sites from the icon in the lower right of the status bar at the bottom of the Firefox window.

As you might expect from the name, NoScript begins with the sound security practice of forbidding scripts on every site except for those entered by default on the whitelist. That means that you need patience to bring NoScript to a state with which you can live, especially since the white list is all or nothing — either you allow all types of scripts to be run on a site, or none. Still, the Preferences tab in Tools -> Add-ons links to clear and comprehensive help, and the end results will be peace of mind if you persist.

These are just the most useful security extensions I've encountered. If you check under Privacy and Security on the Add-on site, you can find dozens more. You might especially want to note some of the extensions currently marked as experimental, such as Content Security Policy, Policy Manager, Magic Password Generator and Startup Master. These extensions are not quite ready for you to rely on them, but together they suggest that even more security options will soon be available for Firefox users.

Comments (11 posted)

Security reports

Enterprise Linux 5.2 to 5.3 risk report (Red Hat Magazine)

Red Hat's Mark Cox has put out another risk report looking at the vulnerabilities fixed from RHEL 5.2 until today's release of RHEL 5.3. In the report, he looks at the number of vulnerabilities as well as the time it took to fix them. "In fact, for Red Hat Enterprise Linux 5 since release and to date, every critical vulnerability has had an update to address it available from the Red Hat Network either the same day or the next calendar day after the issue was public."

Comments (21 posted)

New vulnerabilities

amarok: integer overflows

Package(s):	amarok	CVE #(s):	CVE-2009-0135 CVE-2009-0136
Created:	January 16, 2009	Updated:	December 9, 2009
Description:	From the Debian advisory: Tobias Klein discovered that integer overflows in the code the Amarok media player uses to parse Audible files may lead to the execution of arbitrary code.
Alerts:	Mandriva MDVSA-2009:030-1 2009-12-08 Gentoo 200903-34 2009-03-20 Ubuntu USN-739-1 2009-03-17 Mandriva MDVSA-2009:030 2008-01-26 SuSE SUSE-SR:2009:003 2009-02-02 Fedora FEDORA-2009-0715 2009-01-21 Debian DSA-1706-1 2009-01-15

Comments (none posted)

bind: load problem

Package(s):	bind	CVE #(s):
Created:	January 16, 2009	Updated:	January 21, 2009
Description:	From the Slackware advisory: Updated bind packages are available for Slackware 10.2 and 11.0 to address a load problem. It was reported that the initial build of these updates complained that the Linux capability module was not present and would refuse to load. It was determined that the packages which were compiled on 10.2 and 11.0 systems running 2.6 kernels, and although the installed kernel headers are from 2.4.x, it picked up on this resulting in packages that would only run under 2.4 kernels.
Alerts:	Slackware SSA:2009-015-01 2009-01-16

Comments (none posted)

drupal: multiple vulnerabilities

Package(s):	drupal	CVE #(s):
Created:	January 19, 2009	Updated:	January 21, 2009
Description:	From the drupal advisory: Access Bypass: The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node's submission form. The module contains a flaw that allows a user with the 'translate content' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes. Validation Bypass: When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted. Hardening against SQL injection: A parameter passed into the node access API was not properly escaped or validated before being used in SQL queries. While there is no direct risk of SQL injection from Drupal core, it's possible that this could have presented a risk in combination with a contributed module. Additional validation has been added to eliminate this risk.
Alerts:	Fedora FEDORA-2009-0653 2009-01-16 Fedora FEDORA-2009-0678 2009-01-16

Comments (none posted)

ffmpeg: several vulnerabilities

Package(s):	ffmpeg	CVE #(s):	CVE-2008-4866 CVE-2008-4867
Created:	January 16, 2009	Updated:	April 29, 2009
Description:	From the Mandriva advisory: Several vulnerabilities have been discovered in ffmpeg, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867).
Alerts:	Debian DSA-1782-1 2009-04-29 Gentoo 200903-33 2009-03-19 Ubuntu USN-734-1 2009-03-16 Mandriva MDVSA-2009:015 2008-01-15

Comments (none posted)

git: shell command execution

Package(s):	git-core	CVE #(s):	CVE-2008-5516
Created:	January 20, 2009	Updated:	March 9, 2009
Description:	From the Debian advisory: It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality. See also CVE-2008-5517.
Alerts:	Gentoo 200903-15 2009-03-09 Slackware SSA:2009-051-02 2009-02-23 Ubuntu USN-723-1 2009-02-18 Debian DSA-1708-1 2009-01-19

Comments (none posted)

kernel: buffer underflow

Package(s):	kernel	CVE #(s):	CVE-2008-5702
Created:	January 15, 2009	Updated:	June 8, 2009
Description:	The kernel has a buffer underflow vulnerability. From the vulnerability database entry: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.
Alerts:	SuSE SUSE-SA:2009:030 2009-06-08 Debian DSA-1794-1 2009-05-06 Debian DSA-1787-1 2009-05-02 SuSE SUSE-SA:2009:010 2009-02-26 Ubuntu USN-714-1 2009-01-29 Ubuntu USN-715-1 2009-01-29 SuSE SUSE-SA:2009:003 2009-01-20 CentOS CESA-2009:0014 2009-01-15

Comments (none posted)

kernel: denial of service

Package(s):	kernel-debug	CVE #(s):	CVE-2008-5700
Created:	January 20, 2009	Updated:	May 4, 2009
Description:	From the SUSE advisory: libata did not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.
Alerts:	Debian DSA-1787-1 2009-05-02 CentOS CESA-2009:0331 2009-04-20 CentOS CESA-2009:0326 2009-04-01 Red Hat RHSA-2009:0326-01 2009-04-01 Red Hat RHSA-2009:0331-01 2009-03-12 SuSE SUSE-SA:2009:010 2009-02-26 Red Hat RHSA-2009:0053-01 2009-02-04 Ubuntu USN-714-1 2009-01-29 SuSE SUSE-SA:2009:003 2009-01-20 Ubuntu USN-715-1 2009-01-29

Comments (none posted)

kvm: arbitrary code execution

Package(s):	kvm	CVE #(s):	CVE-2007-5729
Created:	January 19, 2009	Updated:	January 21, 2009
Description:	From the SUSE advisory: Virtualized guests could potentially execute code on the host by triggering a buffer overflow in the network emulation code via large ethernet frames (CVE-2007-5729)
Alerts:	SuSE SUSE-SR:2009:002 2009-01-19

Comments (none posted)

netatalk: command injection vulnerability

Package(s):	netatalk	CVE #(s):	CVE-2008-5718
Created:	January 16, 2009	Updated:	March 26, 2009
Description:	From the Debian advisory: It was discovered that netatalk, an implementation of the AppleTalk suite, is affected by a command injection vulnerability when processing PostScript streams via papd. This could lead to the execution of arbitrary code. Please note that this only affects installations that are configured to use a pipe command in combination with wildcard symbols substituted with values of the printed job.
Alerts:	Fedora FEDORA-2009-3069 2009-03-26 Fedora FEDORA-2009-3064 2009-03-26 SuSE SUSE-SR:2009:004 2009-02-17 Debian DSA-1704-2 2009-01-30 Debian DSA-1705-1 2009-01-15

Comments (none posted)

shadow: privilege escalation

Package(s):	shadow	CVE #(s):	CVE-2008-5394
Created:	January 21, 2009	Updated:	March 11, 2009
Description:	From the Debian advisory: Paul Szabo discovered that login, the system login tool, did not correctly handle symlinks while setting up tty permissions. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.
Alerts:	Gentoo 200903-24 2009-03-10 Mandriva MDVSA-2009:062 2008-03-02 Debian DSA-1709-1 2009-01-21

Comments (none posted)

squirrelmail: session handling flaw

Package(s):	squirrelmail	CVE #(s):	CVE-2009-0030
Created:	January 20, 2009	Updated:	February 17, 2009
Description:	From the Red Hat advisory: The Red Hat SquirrelMail packages provided by the RHSA-2009:0010 advisory introduced a session handling flaw. Users who logged back into SquirrelMail without restarting their web browsers were assigned fixed session identifiers. A remote attacker could make use of that flaw to hijack user sessions.
Alerts:	SuSE SUSE-SR:2009:004 2009-02-17 CentOS CESA-2009:0057 2009-01-19 Red Hat RHSA-2009:0057-01 2009-01-19

Comments (none posted)

valgrind: arbitrary code execution

Package(s):	imlib2, valgrind, kvm, cups, lynx, xterm	CVE #(s):	CVE-2008-4865
Created:	January 19, 2009	Updated:	February 26, 2009
Description:	From the CVE entry: Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.
Alerts:	Mandriva MDVSA-2009:057 2009-02-26 Gentoo 200902-03 2009-02-12 SuSE SUSE-SR:2009:002 2009-01-19

Comments (none posted)

virtualbox: symlink vulnerability

Package(s):	virtualbox	CVE #(s):	CVE-2008-5256
Created:	January 15, 2009	Updated:	February 17, 2009
Description:	virtualbox has a symlink vulnerability. From the Madriva alert: A vulnerability have been discovered and corrected in VirtualBox, affecting versions prior to 2.0.6, which allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-qateam-ipc/lock temporary file.
Alerts:	SuSE SUSE-SR:2009:004 2009-02-17 Mandriva MDVSA-2009:011 2009-01-14

Comments (none posted)

xine-lib: multiple vulnerabilities

Package(s):	xine-lib	CVE #(s):	CVE-2008-5234 CVE-2008-5236 CVE-2008-5237 CVE-2008-5239 CVE-2008-5240 CVE-2008-5243
Created:	January 15, 2009	Updated:	June 1, 2010
Description:	xine-lib has multiple vulnerabilities. The project release notes has more details: - Heap overflow in Quicktime atom parsing. (CVE-2008-5234 vector 1) - Multiple buffer overflows. (CVE-2008-5236) - Multiple integer overflows. (CVE-2008-5237) - Unchecked read function results. (CVE-2008-5239) - Unchecked malloc using untrusted values. (CVE-2008-5240 vectors 3 & 4) - Buffer indexing using an untrusted value. (CVE-2008-5243)
Alerts:	Gentoo 201006-04 2010-06-01 Mandriva MDVSA-2009:319 2009-12-05 Ubuntu USN-746-1 2009-03-26 SuSE SUSE-SR:2009:004 2009-02-17 Fedora FEDORA-2009-1524 2009-02-12 Fedora FEDORA-2009-1525 2009-02-12 Ubuntu USN-710-1 2009-01-26 Fedora FEDORA-2009-0483 2009-01-14 Fedora FEDORA-2009-0542 2009-01-14 Mandriva MDVSA-2009:020 2009-01-21

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.29-rc2, released by Linus just before heading out the door to travel to linux.conf.au. "But despite being small, that's probably more important and noticeable to most people: the first slew of regression fixes. We had non-working 3D acceleration on many machines (no compiz! What shall we do without those wobbly windows!) that should be fixed, and a ton of other irritating issues like that." See the short-form changelog for details, or the full changelog for lots of details.

As of this writing, no changeset have been merged into the mainline repository since 2.6.29-rc2. Linus may be a bit busy with his new barbershop career (he agreed to shave Bdale Garbee's beard in response to a challenge at the linux.conf.au "penguin dinner" charity auction) to merge patches for a little while yet.

The current stable 2.6 kernel is 2.6.28.1, released with a long list of fixes on January 18.

For 2.6.27 users, 2.6.27.12 was also released on the 18th. Previously, 2.6.27.11 was released on January 14. Greg Kroah-Hartman says that he plans to maintain 2.6.27 as a relatively long-term release, and Adrian Bunk plans to pick it up thereafter, so fixes should be available for this kernel for quite some time.

Comments (none posted)

Kernel development news

Quotes of the week

-- Andrew Morton, worried about adaptive mutexes.

-- Linus Torvalds

-- Andrew Morton on merging SLQB

Comments (2 posted)

LCA: The security panel

The linux.conf.au security miniconf hosted a number of talks on specific security technologies, many of which have been covered here in the past. The final event of the day, though, was a panel discussion covering a wide variety of security issues. Panellists Casey Schaufler (who also doubled as moderator), Russell Coker, James Morris, Z. Cliffe Schreuders, and Kentaro Takeda discussed module stacking, increasing the use of security technology, authoritative hooks, and more.

Module stacking was the first topic of interest. "Stacking" refers to the practice of loading more than one security module, allowing each of them to participate in security decisions. The technique has its appeal; it would allow more tightly-focused modules to be written and mixed together in interesting ways. But stacking of security modules is not currently supported in the Linux kernel - a situation which does not appear to be set to change anytime soon.

Casey, who had raised the issue, answered his own question by saying that he would like to see module stacking supported; it would add to the flexibility of the system. His preferred solution would involve the creation of a special security module which would arbitrate between all the others, deciding which modules get to make decisions in each specific situation. As far as your editor knows, this stacker module does not actually exist yet.

Russell's response was simpler: he would like to see a reasonable number of users actually running with a single security module first. Once that problem has been solved, one can move on to more complicated tasks.

James raised the issue of the "composability problem": the combination of security technologies in ways not anticipated by their designers can lead to unpredictable results. People working on security technologies hate unpredictable results. The SELinux developers tried to deal with this problem by turning SELinux into the one true security module (your editor's term, not James's), so that any security situation could be addressed within a single module. This aspect of SELinux is not really being used, though.

Cliffe's response was that stacking should be allowed, if only to discourage developers from adding parallel sets of hooks to support their own security technologies. James responded, though, that many security-related modules (integrity management, say, or malware scanning) really should have their own API. Kentaro noted that the TOMOYO Linux developers really want their work to be able to coexist with other modules, so he would like to see stacking supported as well.

From there, your editor asked the panelists to follow up on Russell's point: what is it going to take to get people to actually use the security technologies that we have now? A security module does little good if frustrated system administrators simply turn it off as soon as it gets in their way. Casey responded that it was unfortunate that the first security module made available for widespread use (SELinux) was such a complex one. A lot of people really don't need all of the capability which is provided by SELinux. A set of smaller, more understandable security modules would have gained acceptance much more easily. SELinux is far too monolithic; there is no easy way into it.

Russell, instead, suggested that we should look at the history of security. Once it was accepted that all important processes would run as root. Over time, it has been made clear that this is a bad idea, and various system daemons have been moved to other user IDs. Ill-advised practices like running IRC clients as root have been banned. It has taken a long education process to get to this point; this process will have to continue for technologies like SELinux. James agreed that time was required, and noted that, over time, use of SELinux is increasing. Some simple things, like getting administrators to shift SELinux to permissive mode when they run into problems rather than turning it off altogether, can also help in this regard.

In the longer term, though, there is still a need for higher-level tools. The current SELinux policy interface is really the assembly language of (SELinux-based) security; most users should not have to deal with the system at that level. Cliffe agreed, saying that blaming users for turning off security is the wrong thing to do. It is the fault of the security developers, who have not made their tools sufficiently easy to use. Security must be built using higher-level abstractions which users can understand; the technology he is working on (FBAC-LSM), is designed with this goal in mind. Kentaro added that most users don't want to have to think about security; it needs to be implemented so that they don't have to.

From there the panellists went into a rather cloudy discussion of cloud computing. James, after asking what that term really meant, noted that there are useful things to be done in this area, and that Linux offers a number of useful technologies, such as namespaces, which can help. There is, though, a lot of work to be done. Cliffe added that the infrastructure is there for people who want to work on secure cloud computing, but that module stacking would make it easier. Kentaro stated that cloud computing is, in fact, one of the core targets for his work; there is a lot of space for Linux here. We do, however, need to be sure to avoid creating single points of failure, which can bring the whole thing down. Casey's take on this topic was that cloud computing is likely to bring cryptography back to the forefront of security research; when all of your data is on other people's servers, that data needs to be well protected.

Russell took a different tack, noting that the security of a number of current cloud offerings is substandard. They often provide distributions which no longer receive security support, and they provide lots of unpatched software. They are insecure by default and "ripe for harvesting," but it is not easy, in such environments, for even a relatively high-clue user to figure out how to secure things. The real problem, he says, is that there is no business model for better security, so "cloud" providers are not investing in that area.

A member of the audience asked about authoritative hooks. These hooks were a contentious issue early in the development of the Linux security module architecture. LSM is current designed to allow restrictive hooks only: a security module can only make policy tighter than basic Linux discretionary access control would allow. The thinking is that, with restrictive hooks only, a buggy security module cannot make things worse than they were before. Authoritative hooks would, instead, let a security module empower a process to do things which would not otherwise be allowed.

[PULL QUOTE: This policy has not slowed down proprietary security modules, and, at this point, a model allowing authoritative hooks would be better. Making that change would be "a really big deal," though. END QUOTE] Casey reiterated the history behind the current "no authoritative hooks" policy, adding that the kernel developers also feared that authoritative hooks would make the LSM API more suitable for abuse by binary-only modules. Indeed, he says that was the primary reason for disallowing those hooks. But this policy has not slowed down proprietary security modules, and, at this point, a model allowing authoritative hooks would be better. Making that change would be "a really big deal," though. Russell agreed that the "irrational fear" of authoritative hooks remains widespread, but the reassurance provided by their absence may be worth it in the end. Both Cliffe and Kentaro thought that interesting things could be done with authoritative hooks, and that it would be a good time to review just how Linux security modules work.

There was a brief discussion on the feeling that the LSM API is too heavily oriented toward the needs of SELinux. James agreed that it was "SELinux-shaped," but noted that this was a natural result of the fact that SELinux has been the only user of the API for most of its history. Casey noted that things have recently been changed to support the needs of his SMACK module. There have also been some new hooks added to support pathname-based modules like TOMOYO Linux and AppArmor.

Going back to another point raised by Russell, a member of the audience asked what distributions should do once they go past their end of life. Should a system with an unsupported kernel refuse to boot, or, at least, refuse to bring up network interfaces? Russell came back with the obvious response: how would one then update such a system? Casey pointed out that there are an awful lot of routers out there running old, unsupported software. The Internet, he says, is made of expired systems. Russell suggested that ISPs should, perhaps, enforce the use of supported software, and that, maybe, governments could compel such behavior. Cliffe noted that all of this really poses another usability problem; what we really need to do is to make it easy to run a current system. Quite a bit of progress has already been made in this direction.

The final topic had to do with "security mythology," things that "everybody knows" improve security but which really don't. Forced password rotation was one such idea. Casey said that, for some 20 years, everybody "knew" that security meant strong cryptography. There's no real way to address such things except as a people problem. Russell added that there's often no way to know what the consequences of security rules are. James said that there is a real need for technical people to push back against silly security rules. He likened the problem to the early adoption of Linux, where people with clue simply deployed it, then asked for forgiveness later. Cliffe's point of view is that users do not really know when they are being asked to make security decisions, so they don't really know when their actions may be putting their security in peril. And Kentaro agreed, noting that we need to find ways to provide more information to users about what their security technology is really for.

Thereafter the panel broke up, and the PGP key signing party (done, no doubt, in a highly secure manner) began.

Comments (6 posted)

New NFS to bring parallel storage to the masses

Sometime around the end of January or early February, the Internet Engineering Task Force will give its final blessing to the latest version of the venerable Network File System (NFS), version 4.1. While the authors of the standard have stressed that this is a minor revision of NFS, it does have at least one seemingly radical new option, called Parallel NFS (pNFS).

The "parallel" tag of pNFS means NFS clients can access large pools of storage directly, rather than go through the storage server. Unbeknown to the clients, what they store is striped across multiple disks, so when that data is needed it can be called back in parallel, cutting retrieval time even more. If you run a cluster computer system, you may immediately recognize the appeal of this approach.

"We're starting the process of feeding all these patches up to the Linux NFS maintainers," said Brent Welch, the director of software architecture for Panasas who is also one of that storage company's contributors of the pNFS code. He noted that the work for the prototyping and implementing pNFS in Linux, as part of NFS, has been going on for about two years. Ongoing work has included updating both the NFS client and NFS server software.

The code will be proposed for the Linux kernel in two sets, according to Welch. The first set will have the basic procedures for setting up and tearing down pNFS sessions, using Remote Procedure Call (RPC) operations for exchanging IDs and initiating and ending sessions. The development teams are gunning to have this basic outline of pNFS included in the 2.6.30 version of the kernel. The second set, ready for the 2.6.31 version of the kernel, will be a larger patch, including the I/O commands for accessing and changing file layouts as well as reading and writing data. Given that it will take a few more months after the 2.6.31 Kernel for it to be picked up by the major distributions, pNFS probably won't start to be deployed by even the most ambitious IT shops at least until the early part of 2010.

We all know NFS. It allows client machines to mount Unix drives that reside across the network as if they were local disks. Many Network Attached Storage (NAS)-based storage arrays use NFS. With NAS, a lot of hard drives all lie behind a single IP address, the drives are all managed by the NAS box. NAS allows organizations to pool storage, so storage administrators can more fluidly (and hence efficiently) allocate that storage across all users.

In a 2004 problem statement, two of the developers responsible for getting pNFS in motion, Panasas chief technology officer Garth Gibson and Network Appliance (NetApp) engineer Peter Corbett, explained the limitations of this approach, especially in high performance computing environments:

In a nutshell, the potential roadblock with NAS, or any type of NFS-based network storage, is the NAS head, or server, they explained. If too many of your clients hit the NAS server at the same time, then the I/O slows for everyone. You could go back to direct access, but you lose the efficiencies of pooled storage. For cluster computer systems, in which dozens of nodes can be working on the same data set, such partitioned storage just isn't feasible. Nor are multiple storage servers: An NFS-based system can not support multiple servers writing to the same file system.

Gibson and Corbett were early champions of developing pNFS, along with Los Alamos National Laboratory's Gary Grider. Additional work was carried out by engineers at EMC, Panasas, NetApp and other companies. The University of Michigan's Center for Information Technology Integration (CITI), along with members of the IBM Almaden Research Center are developing a pNFS implementation for Linux, both for clients and storage servers.

pNFS will allow clients to connect directly to the storage devices they need, rather than go through a storage gateway of some sort. The folks behind pNFS like to say that their approach separates the control traffic from the data traffic. When a client requests a particular file or block of storage, it sends a request to a server called the Metadata Server (MDS), which returns a map of where all the data resides within the storage network. The client can then access that data directly, according to permissions set by the file system. Once that storage is altered, the client notifies the MDS of the changes, which updates the file layout.

Since pNFS allows clients to talk directly to the storage devices, as well as permitting client data to be striped across multiple storage devices, the client can enjoy a higher I/O rate than would be had simply by going through a single NAS head—or by communicating with a single storage server. In 2007, three developers from the IBM Almaden Research Center, Dean Hildebrand, Marc Eshel and Roger Haskin, demonstrated [PDF] at the Supercomputing 2007 conference (SC07) how three clients could saturate a 10 gigabit link by drawing data from 336 Linux-based storage devices. Such throughput "would be hard to achieve using standard NFS in terms of accessing a single file," Hildebrand said. "We wanted to show that pNFS could scale to the network hardware available."

pNFS is largely made up of three sets of protocols. One protocol is for the mapping, or layout, of resources, which resides on the client. It interprets and utilizes the data map returned from the metadata server. The second is the transport protocol, which also resides on the client. It coordinates data transfer between the clients and storage devices. The transport protocol handles the actual I/O with the storage devices. A control protocol will synchronize the metadata server with the storage devices. This last protocol is the only one not specified by NFS—It will be left to storage the vendors, though much of the work that this protocol will do can be codified in NFS commands.

pNFS can work with three types of storage—file-based storage, object-based storage and block-based storage. The NFSv4.1 protocol itself contains the file-based storage protocol. Additional RFCs are being developed for object and block protocols. File-based storage is what most system administrators think of as storage; it is the standard approach of nesting files within a hierarchical set of directories. Block-based storage is used in Storage Area Networks (SANs), in which the applications access disk space directly, by sending the Small Computer System Interface (SCSI) commands over Fibre Channel, or, increasingly of late, TCP/IP via the Internet SCSI (iSCSI) protocol. Object-based storage is somewhat of a newer beast, a parallel approach that involves embedding the data itself with self-describing metadata.

A word on semantics: Keep in mind that just as NFS is not a file system itself, neither is pNFS. NFS provides the protocols to work with remote files as if they were local. Likewise, pNFS offer the ability to work with files managed by a parallel file system as if they were on a local drive, handling such tasks as setting permissions and ensuring data integrity. Fortunately, a number of parallel file systems have been spawned over the past few years that should work easily with pNFS. On the open source front, there is the the parallel Virtual File System (pVFS). Perhaps the most widely-used open-source parallel file system now in use is Lustre, now overseen by Sun Microsystems. On the commercial front, Panasas' PanFS file system has been successfully deployed in high performance computer clusters, as has IBM's General Parallel File System (GPFS). All of these approaches use a similar idea—let the clients talk to the storage server's devices directly, while having some form of metadata server keep track of the storage layout. But most other options rely on using a single vendor's gear.

"The main advantage [to using pNFS] is expected to be on the client side," noted CITI programmer J. Bruce Fields, who does the NFS 4.1 testing on Linux servers. With most parallel file systems you have to do some kernel reconfigurations on the clients so that they can work with the file systems. With the prototype Linux client, you can run a standard mount command and get the files you need. "The client will automatically negotiate pNFS and find the data servers. By the time we're done that should work on any out-of-the-box Linux client from the distribution of your choice," he says.

The advantage that pNFS will bring is familiarity, and that it will come already built in as part of NFS. Since NFS is a standard component in almost all Linux kernel builds, that will greatly reduce the amount of work administrators need to do to set up a parallel file system for Linux servers. Most administrators are more familiar with the general operating procedures of NFS, much more so than dealing directly with, say, Lustre, which requires numerous kernel patches and a different mindset when it comes to understanding commands.

pNFS should help storage vendors as well, as they will not have to port client software to numerous Linux distributions. Welch, for instance, noted that Panasas has to maintain code for dozens of different Linux distributions. Instead, they can rely on NFS and focus on storage devices. Already, Panasas, NetApp, EMC, IBM and have all promised [PDF] to support pNFS in at least some of their storage products, according to a collective talk some of the developers gave last month at the SC08 conference. Sun Microsystems also plans to support pNFS in Solaris.

And while much of the early focus of pNFS has been for large scale cluster operations, one day it may be feasible that even workstations and desktops will use pNFS in some form. LANL's Gary Grider pointed out that, "at some point, having several teraflops may even be possible in your office, in which case you may need something more than just NFS for data access for such a powerful personal system. pNFS may end up being handy in this environment as well."

Indeed. Once upon a time we were limited to working on files on our own machines, FTP'ing in anything that was located elsewhere. But NFS allowed us to mount drives across the network with a relatively simple command. Now, pNFS may take simplify things a step further, by allowing to us to pull in and write large files or myriad files with a speed that we can now only dream about. At least that is the promise of pNFS.

Comments (11 posted)

Semantic patching with Coccinelle

We've all been there: You're tracking down some evil bug, and you have the sudden chilling realization that you're going to have to refactor an enormous chunk of code to fix it. You break out in a cold sweat as you run a quick grep over the source base: hundreds of lines of code to change! And the change is too complex to do with a script because it depends on the calling context, or requires adding a new variable to every caller.

This happened to me last month when I was adding support for 64-bit file systems to e2fsprogs. I thought I was nearly finished when I discovered I needed to write (yet another) new interface and convert (yet another) several hundred lines of code to it. The changes were complex enough that I couldn't use a script, and simple enough that I wanted to claw my eyes out with the soul-killing boredom of doing it by hand. That's when the maintainer, Theodore Ts'o, suggested I look at Coccinelle (a.k.a., spatch).

Coccinelle

Coccinelle is a tool to automatically analyze and rewrite C code. Coccinelle (pronounced cock'-see-nel) means "ladybug" in French, a name chosen because ladybugs eat other bugs. Coccinelle is not just another scripting language; it is aware of the structure of the C language and can make much more complex changes than are possible with pure string processing. For example, Coccinelle can make a particular change only in functions which are assigned to a function pointer in a particular type of array — say, the create member of struct inode_operations.

The input to the tool is the file(s) to be changed and a "semantic patch," written in SmPL (Semantic Patch Language). SmPL looks a like a unified diff (a patch) with some C-like declarations mixed in. Here's an example:

    @@
    expression E;
    identifier fld;
    @@

    - !E && !E->fld
    + !E || !E->fld

This semantic patch fixes the bug in which the pointer is tested for NULL — and then dereferenced if the pointer is NULL. An example of a bug this semantic patch found in the Linux kernel (and automatically generated the fix for):

    --- a/drivers/pci/hotplug/cpqphp_ctrl.c
    +++ b/drivers/pci/hotplug/cpqphp_ctrl.c
    @@ -1139,7 +1139,7 @@ static u8 set_controller_speed(struct controller
    *ctrl, u8 adapter_speed, u8 hp_
            for(slot = ctrl->slot; slot; slot = slot->next) {
                    if (slot->device == (hp_slot + ctrl->slot_device_offset))
                            continue;
    -               if (!slot->hotplug_slot && !slot->hotplug_slot->info)
    +               if (!slot->hotplug_slot || !slot->hotplug_slot->info)
                            continue;
                    if (slot->hotplug_slot->info->adapter_status == 0)
                            continue;

(More on the semantic patch format later.)

Coccinelle is designed, written, and maintained by Julia Lawall at the Department of Computer Science at University of Copenhagen, Gilles Muller and Yoann Padioleau at the Ecole des Mines de Nantes, and René Rydhof Hansen at the Department of Computer Science of Aalborg University. Coccinelle is licensed under the GPL, however, it is written in OCaml, so the potential developer base is somewhat limited.

The original goal of Coccinelle was to automate as much as possible the task of keeping device drivers up to date with the latest kernel interfaces. But the end result can do far more than that, including finding and fixing bugs and coding style irregularities. Over 180 patches created using Coccinelle have been accepted into the Linux kernel to date.

Coccinelle quickstart

Like many languages, SmPL is best learned through example. We'll run through one simple example here just to get started. After that, the Coccinelle web page has some documentation and a plethora of examples.

First, download Coccinelle and install it. I used the source version rather than any of the precompiled options. The Coccinelle binary is called spatch.

As our example, say we have program with a lot of calls to alloca() that we would like to replace with malloc(). alloca() allocates space on the stack and can be more efficient and convenient than malloc(), but it is also compiler-dependent, non-standard, easy to use incorrectly, and has undefined behavior on failure. (Replacing alloca() with malloc() isn't enough, we also have to check the return value — but that will come later.)

Here is the C file we are working on:

    #include <alloca.h>

    int
    main(int argc, char *argv[])
    {
            unsigned int bytes = 1024 * 1024;
            char *buf;

            /* allocate memory */
            buf = alloca(bytes);

            return 0;
    }

We could make the replacement using a scripting language like sed:

$ sed -i 's/alloca/malloc/g' test.c

But this will replace the string "alloca" anywhere it appears. The resulting diff:

    --- test.c
    +++ /tmp/test.c
    @@ -1,4 +1,4 @@
    -#include <alloca.h>
    +#include <malloc.h>
 
     int
     main(int argc, char *argv[])
    @@ -6,8 +6,8 @@
             unsigned int bytes = 1024 * 1024;
             char *buf;
 
    -        /* allocate memory */
    -        buf = alloca(bytes);
    +        /* mallocte memory */
    +        buf = malloc(bytes);
 
             return 0;
     }

We can tweak our script to handle 90% of the cases:

    $ sed -i 's/alloca(/malloc(/g' test.c

But this script doesn't handle the case where a second function name has the first as a suffix, it depends on a particular coding style in which no white space comes between the function name and the open parenthesis, etc., etc. By now our simple sed script is a hundred-character monster. It can be done, but it's a pain.

In Coccinelle, we'd use the following semantic patch:

    @@ expression E; @@

    -alloca(E)
    +malloc(E)

Put the C file in test.c and the above semantic patch in test.cocci and run it like so:

    $ spatch -sp_file test.cocci test.c

It should produce the following diff:

    --- test.c
    +++ /tmp/cocci-output-17416-b5450d-test.c
    @@ -7,7 +7,7 @@ main(int argc, char *argv[])
             char *buf;
 
             /* allocate memory */
    -        buf = alloca(bytes);
    +        buf = malloc(bytes);
 
             return 0;
     }

Let's look at the semantic patch line by line.

    @@ expression E; @@

This declares the "metavariable" E as a variable that can match any expression — e.g., 1 + 2, sizeof(x), strlen(name) + sizeof(x) * 72. When spatch processes the input, it sets the value of E to the argument to alloca(). The "@@ @@" syntax is chosen to resemble the line in a unified diff describing the lines to be patched. I don't find the resemblance particularly helpful, but the intention is well-taken.

    -alloca(E)

This line says to remove any call to the function alloca(), and to save its argument in the metavariable E for later use.

    +malloc(E)

And this line says to replace the call to alloca() with a call to malloc() and use the value of metavariable E as its argument.

Now, we also want to check the return value of malloc() and return an error if it failed. We can do that too:

    @@
    expression E;
    identifier ptr;
    @@

    -ptr = alloca(E);
    +ptr = malloc(E);
    +if (ptr == NULL)
    +        return 1;

The resulting diff:

    --- test.c
    +++ /tmp/cocci-output-17494-22a573-test.c
    @@ -7,7 +7,8 @@ main(int argc, char *argv[])
             char *buf;
 
             /* allocate memory */
    -        buf = alloca(bytes);
    +        buf = malloc(bytes);
    +        if (buf == NULL)
    +                return 1;
 
             return 0;
 }

Semantic patches can be far more complex. One of my favorite examples is the move of reference counting of the Scsi_Host structure out of drivers. Changing this required adding an argument to the function signature and removing a declaration and several other lines from each SCSI driver's proc_info function. The semantic patch, explained in detail in their OLS 2007 slides [PPT] [ODP], does all of this automatically. I recommend reading and re-reading this example until it sinks in.

Experience

My first experience with Coccinelle was mixed. In theory, Coccinelle does exactly what I want — automate complex changes to code — but in practice the implementation is beta quality. I successfully used Coccinelle to make hundreds of lines of changes with less than a hundred lines of semantic patches, but only after working directly with the developers to get bug fixes and help figuring out SmPL features. Coccinelle is one of those schizophrenic projects situated on the boundary between academic research and practical software development.

One of the first hurdles I had to overcome was teaching Coccinelle about the macros in my code. Coccinelle has to do all its own parsing and pre-processing — you can't just run the input C code through cpp because then you'd have to map the post-processor output back to the original code. Macros will sometimes confuse it enough that it gives up parsing a function until it reaches the next safe grammatical starting point (e.g., the next function) — which may mean that it doesn't process most of the file. To get around this, you can create a list of macros and feed them to spatch with the -macro_file option. (Yes, that's one dash — one of my pet peeves about Coccinelle is the non-standard command-line option style.) For example, here are a few lines from the macro file I used for e2fsprogs:

    #define EXT2FS_ATTR(a)
    #define _INLINE_ inline
    #define ATTR(a)

You can build the list of macros by hand, but spatch has a feature that helps find them automatically. The -parse_c option makes spatch list the top ten parsing errors, which will include the macro name. For example, some of the output from running spatch -parse_c on e2fsprogs:

    EXT2FS_ATTR: present in 85 parsing errors
    example:

          static int check_and_change_inodes(ext2_ino_t dir,
                                      int entry EXT2FS_ATTR((unused)),
                                      struct ext2_dir_entry *dirent, int
                                      offset,
                                      int  blocksize EXT2FS_ATTR((unused)),

Coccinelle has improved significantly in the past few weeks. The 0.1.2 release had a number of bugs that made spatch unusable for me. The next release, 0.1.3, fixed those bugs and with it I was able to make practical, real-world patches. The 0.1.4 release will be out shortly. The developers wrote and released more documentation, including a description of all the command-line options [PDF] and a grammar for SmPL. Many more example spatch scripts are available now. The best reference for learning Coccinelle continues to be the slides from their 2007 OLS tutorial and the associated paper [PDF]. White space handling is improving; originally Coccinelle didn't care much about white space and frequently mangled transformations involving it, which is a problem if you want to take the hand out of hand-editing. One of my semantic patches left a dangling semi-colon in the middle; the developers sent me a patch to fix it within a few days.

One thing I am absolutely certain of: learning Coccinelle and writing semantic patches was way more fun than making the changes by hand or using regular expressions. I also had much greater confidence that my changes were correct; it is remarkably pleasant to make several hundred lines of changes and have the result compile cleanly and pass the regression tests the first time.

Related work

If you really want to, you can do everything Coccinelle can do by writing your own scripts — after all, code is code. But you have to deal with all the little corner cases — e.g., to C, white space is all the same, generally speaking, but regular expressions care intensely about the difference between a space, a newline, and a tab. Use the right tool for the job — if you're just replacing a variable name and your first script works, great. If you're changing a calling convention or moving the allocation and freeing of an object to another context, give a tool like Coccinelle a try.

In terms of power and flexibility, Coccinelle is similar to the Stanford compiler checker [PDF] (commercialized by Coverity). While the compiler checker is far more mature and has better flow analysis and parsing, Coccinelle can generate code to fix the bugs it finds. Most importantly, Coccinelle is open source, so developers can find and fix bugs themselves.

Some IDEs include tools to automatically refactor code, which is one aspect of what Coccinelle does. I have never personally used one of these IDE refactoring tools and can't compare it with Coccinelle, but my friends who have report that their stability leaves something to be desired. Xrefactory is a refactoring tool available on *NIX platforms which is fully integrated with Emacs and XEmacs. It is not open source and requires the purchase of a license, although one version is available for use free of charge.

Conclusion

Coccinelle is an open source tool that can analyze and transform C code according to specified rules, or semantic patches. Semantic patches are much more powerful than patches or regular expressions. The tool is beta quality right now but usable for practical tasks and the developers are very responsive. It's worth learning for any developer making a non-trivial interface change.

Comments (62 posted)

Patches and updates

Kernel trees

• Linus Torvalds: Linux 2.6.29-rc2. (January 17, 2009)

• Greg KH: Linux 2.6.28.1. (January 18, 2009)

• Greg KH: Linux 2.6.27.11. (January 14, 2009)

• Greg KH: Linux 2.6.27.12. (January 18, 2009)

Core kernel code

• Gerd Hoffmann: Add preadv & pwritev system calls.. (January 17, 2009)

Development tools

• Paul Mackerras: perf_counter: Add counter enable/disable ioctls. (January 16, 2009)

• Arnaldo Carvalho de Melo: ftrace interface for blktrace. (January 17, 2009)

• Frederic Weisbecker: ftrace based hard lockup detector. (January 21, 2009)

• Frederic Weisbecker: tracing/ftrace: handle more than one stat file per tracer. (January 21, 2009)

• Chuck Lever: Page lock stack trace instrumentation. (January 17, 2009)

• Steve Dickson: NFS: trace points added to mounting path. (January 17, 2009)

• Joerg Roedel: DMA-API debugging facility v3. (January 21, 2009)

• Greg Banks: activate & deactivate dprintks individually and severally. (January 21, 2009)

• Grant Erickson: Add Alternative Log Buffer Support for printk Messages. (January 21, 2009)

• Ingo Molnar: Performance Counters for Linux, v6. (January 21, 2009)

Device drivers

• Jaya Kumar: gpiolib: add set/get batch v4. (January 17, 2009)

• Brandon Philips: uio: add the uio_aec driver. (January 21, 2009)

• Adam Baker: Add support for sq905 based cameras to gspca. (January 21, 2009)

Documentation

• Michael Kerrisk: man-pages-3.17 is released. (January 21, 2009)

• Hans Verkuil: Merger of v4l2 spec into v4l-dvb. (January 21, 2009)

Filesystems and block I/O

• Eric Sandeen: Allow SysRq emergency thaw to thaw frozen filesystems. (January 17, 2009)

• Mike Waychison: Deferred dput() and iput() -- reducing lock contention. (January 17, 2009)

• Theodore Ts'o: Ext4 tree backports for 2.6.27.10 and 2.6.28. (January 17, 2009)

• Jan Kara: [PATCH] vfs: Call filesystem callback when backing device caches should be flushed. (January 21, 2009)

Networking

• Patrick Ohly: net: new user space API for time stamping of incoming and outgoing packets. (January 21, 2009)

Architecture-specific

• Huang Ying: AES-NI: Add support to Intel AES-NI instructions for x86_64 platform. (January 17, 2009)

• Yu Zhao: ATS capability support for Intel IOMMU. (January 19, 2009)

• Philipp Zabel: power: add optional OTG transceiver and voltage regulator support to pda_power. (January 21, 2009)

• Nick Piggin: x86: optimise page fault entry. (January 21, 2009)

Security-related

• Amon Ott: Announce: RSBAC 1.4.0 released. (January 16, 2009)

• Samir Bellabes: snet - Security for NETwork syscalls. (January 21, 2009)

Virtualization and containers

• Serge E. Hallyn: posix mqueue namespace (v14). (January 17, 2009)

• Sukadev Bhattiprolu: Container-init signal semantics. (January 17, 2009)

• Nikanth Karthikesan: [PATCH] Cgroup based OOM killer controller. (January 21, 2009)

Benchmarks and bugs

• Rafael J. Wysocki: 2.6.29-rc2-git1: Reported regressions from 2.6.28. (January 21, 2009)

• Rafael J. Wysocki: 2.6.29-rc2-git1: Reported regressions 2.6.27 -> 2.6.28. (January 21, 2009)

Miscellaneous

• Edward Shishkin: Reiser4progs-1.0.7. (January 17, 2009)

• Stephen Hemminger: iproute2 v2.6.28. (January 17, 2009)

Page editor: Jake Edge

Distributions

News and Editorials

The shape of FUDCons to come

The Fedora Board Recap for January 13, 2009 included a lengthy discussion of FUDCon 11 and how to make future FUDCons better. FUDCon (Fedora Users and Developers Conference) provides a chance for developers to get together, hack and learn, have some beer and some laughs and generally get to know one another. This is important in a culture that encourages global participation. DebConf and the Ubuntu Developer Summit (UDS) serve a similar purpose.

DebConf takes place annually and provides a chance for Debian Developers to get together, meet and talk about common interests. Both UDS and FUDCon are held every six months and are venues to hash out new features and define the next version of their OS. UDS and DebConf are held in different places around the world, which allows a different subset of developers a better chance to attend. FUDCons are typically held in the U.S., usually near a Red Hat office. This is convenient for many developers, especially Red Hat employees who work on Fedora either full or part time. Many Fedora volunteers live in other countries and have little chance of attending, especially since FUDCons have a very limited budget for sponsoring users and developers. FUDCon is the shortest of these events, at least in part because of their limited budget. Red Hat funds FUDCon while other events find many corporate sponsors.

FUDCon 10 was held in conjunction with a Red Hat Summit, but FUDCon 11 went much better without the added distraction of a Summit. Other things that make FUDCon successful include lots of BarCamp talks, easy access to public transportation, and streaming audio and video.

In order to make FUDCon useful for the maximum number of people there is a post event survey that attendees, or want-to-be attendees, can fill out. Surveys such as this can make the next FUDCon a better experience for others.

Things that help make a conference successful include reliable wireless connections, good food, and as previously mentioned good quality audio and streaming video. The latter is useful not only for people who missed a session, but also for review by people who were there.

The future of FUDCon currently seems uncertain. Since scheduling FUDCon with Red Hat Summit proved not to work well, there will be no FUDCon at the Red Hat Summit in Chicago, in September 2009. Funding for a 2010 FUDCon in Boston is uncertain, although there may be a Fedora Activity Day (FAD) instead. More of the three day FUDCons may be shortened to a FAD. Fedora is becoming more independent from Red Hat, even though there will always be a strong connection. As part of that independence perhaps some additional sponsors for FUDCon would help preserve a vital event.

Comments (1 posted)

New Releases

Jaunty Alpha 3 released

Ubuntu has released the third alpha for v9.04 (Jaunty Jackalope). Click below for download information for Ubuntu, Kubuntu, Xubuntu, Edubuntu, UbuntuStudio and Mythbuntu.

Full Story (comments: none)

Red Hat Enterprise Linux 5.3 Now Available

Red Hat has released Red Hat Enterprise Linux 5.3, the third update to the current stable version. "In the third update to Red Hat Enterprise Linux 5, customers will receive a wide range of enhancements, including significantly increased virtualization scalability, expanded hardware platform support and incorporation of OpenJDK Java technologies. Customers with a Red Hat Enterprise Linux subscription will receive the Red Hat Enterprise Linux 5.3 update, which is available for immediate download from Red Hat Network." More information is available here. (Thanks to Rahul Sundaram)

Comments (1 posted)

Mandriva Linux 2009 Spring Alpha 2

Mandriva Linux 2009 Spring Alpha 2 has been released. See the release notes for more information and errata.

Full Story (comments: none)

KDE Four Live CD

The KDE Four Live CD contains KDE 4.2 RC 1 and Amarok, Digikam, K3b, KOffice2 development releases, bundled with openSUSE 11.1. A live CD with KDE 4.1.3 is also available.

Comments (none posted)

GNUmed Live CD 0.3.9 released (LinuxMedNews)

LinuxMedNews has an announcement for the newest version of the GNUmed live CD. "With the help of this CD one can test drive GNUmed without altering the currently running environment such as operating system. No installation necessary."

Comments (none posted)

Distribution News

Debian GNU/Linux

Bits from the Policy Team, call for volunteers

This report from the Debian Policy Team looks at Policy 3.8.1 which will be released shortly after Lenny, and a call for volunteers.

Full Story (comments: none)

Fedora

Announcing the Moksha Project and Fedora Community Project!

The Moksha Project and Fedora Community Project have been announced. Moksha is a generic platform for creating live collaborative web applications. Fedora Community is a website portal built on top of the Moksha platform.

Full Story (comments: none)

Announcing the Fedora Geo Spin

The Fedora Geo spin gathers a collection of mapping tools that run on Fedora. This includes tools for map making, integration into OpenStreetMap, and components that can be run on a GPS enabled device.

Full Story (comments: none)

Trademark guidelines. (The Grand Fallacy)

Paul Frields has an update on the preparation of Fedora's trademark guidelines. "Did you know there's a set of trademark guidelines for the Fedora brand and mark? They're getting less restrictive as we work through some details with Red Hat Legal. We're trying to help our community spread the Fedora message without burdening them too much with legal hoops, like you'd find in a traditional trademark situation. US law can make this sort of thing tricky but worthwhile when you consider the return on the time invested."

Comments (none posted)

Migration of the Fedora Mailing Lists

A movement is underway to migrate the Fedora mailing lists away from redhat.com. "Over the last several years, there has been some contention over why our mailing lists are @redhat.com instead of @fedoraproject.org, and there are also some concerns over the process of requesting new lists and so on. As a result, we ([Jon Stanley] and Dennis Gilmore) are beginning an effort to migrate fedora-*@redhat.com to lists.fedoraproject.org."

Full Story (comments: none)

SUSE Linux and openSUSE

openSUSE Project Opens Feature Tracking with openFATE

The openSUSE Project has announced that feature tracking and requests are now available to the larger openSUSE Community. The openSUSE feature tracking system, openFATE, is now live and accessible to anyone with an openSUSE account.

Full Story (comments: none)

Wanted: Build Service Contributors

openSUSE's Build Service is looking for contributors. "Have you ever wanted to join Build Service development, but you had no idea what to implement? Would you like a real opportunity to learn Ruby on Rails? This is a great time to start! The OBS developers have collected smaller projects on this wiki page. These projects are ideal for anyone new to OBS development. All you need is a local copy of the Web Client, which can easily be deployed on your development system."

Comments (none posted)

Ubuntu family

Proceedings from UDS for Ubuntu 9.04

Notes from the Ubuntu Developer Summit covering Ubuntu 9.04 (Jaunty Jackalope) are available, with a section for each track (community, server, foundations, QA, kernel, mobile and desktop).

Full Story (comments: none)

New Distributions

CrunchBang Linux

CrunchBang Linux (#!) is an Ubuntu based distribution featuring the lightweight Openbox window manager and GTK+ applications. The distribution is developed from a minimal Ubuntu install and has been designed to offer a good balance of speed and functionality. CrunchBang 8.10.02 is available as builds of CrunchBang Linux, CrunchBang Linux "Lite" and CrunchEee. #! joins the list at version 8.10.02, released January 18, 2009.

Comments (none posted)

Distribution Newsletters

DistroWatch Weekly, Issue 286

The DistroWatch Weekly for January 19, 2009 is out. "In this issue we take a look at Arch Linux, the minimal Linux distribution that packs a big punch. In the news section, openSUSE puts out a call for build developers and opens their feature tracker to the community, Fedora updates its artwork guidelines for Fedora 11 'Leonidas', Gentopia closes its doors, and Android Fanatic releases a Debian installer for Google's mobile device. Also in this issue, Ubuntu comments on the reasons behind the unavailability of restricted software in the distribution, while Singapore airlines rolls out Red Hat Linux to every one of its seats. Finally, we include a link to an article comparing three of the most popular mini distributions - Damn Small Linux, Puppy Linux and TinyMe. Happy reading!"

Comments (none posted)

Fedora Weekly News #159

The Fedora Weekly News for January 19, 2009 is out. "This week's issue reveals the code name for Fedora 11 and provides coverage from the latest FUDCon in announcements. News abounds from around Fedora Planet, including musings on the reduction of the OLPC dev team, thoughts on what it means to contribute to Fedora from several contributors, and much more. Development reports on several discussions from the recent FUDCon on the possible future of comps.xml, new packages to Rawhide coming, and more. More depth of discussion on the need for a Fedora Project CMS is offered in the Docs beat, and Translations has lots more to report on new members of various internationalization teams. The Art beat has a wonderful in-depth look at approaches for themes for Fedora 11, and security advisories brings us up to date with recent updates there. We complete the issue with news from virtualization developments, including two items regarding sVirt, a project to add security labeling support to Linux-based virtualization, and other focused discussions with libvirt."

Full Story (comments: none)

openSUSE Weekly News, Issue 55

This issue of the openSUSE Weekly News covers: openSUSE Project Opens Feature Tracking with openFATE, openSUSE forums has reached 20K members, Wanted-Build Service Contributors, Joe Brockmeier: What happens with KDE with Qt license shift?, Katarina Machalkova: A fairytale about brave wizard QSplitter and evil ancient screen resolution from the last century.

Comments (none posted)

Ubuntu Weekly Newsletter #125

The Ubuntu Weekly Newsletter for January 17, 2009 covers: Jaunty Alpha 3 released, Ubuntu Developer Week, Fridge Mockups, Technical Board Run off, UDS Jaunty Proceedings, Awards: Ubuntu Forums, Ubuntu, and Canonical, Dutch LoCo bringing it home, How Launchpad will open source, What's new with Launchpad API, Ubuntu-UK podcast #20, Ubuntu Podcast #17, Technical Board Meeting Minutes, Server Team Meeting Minutes, Desktop Team Meeting Minutes, and much more.

Full Story (comments: none)

Distribution meetings

FUDCon F11 Barcamp Session Video Available

Videos from the FUDCon 11 barcamp sessions are available here. "These videos are in unedited .ogg/.ogv format and are under a CC-BY-SA 3.0-US license."

Full Story (comments: none)

Interviews

Interview with Tom "spot" Callaway (hardware.no)

As seen in his blog, Fedora engineering manager Tom "spot" Callaway was recently interviewed by "one of Norway's largest online computer magazines". In it, he answers questions about various aspects of Fedora, including competition, both free and proprietary, what's coming in Fedora 11, the relationship with Red Hat, and more. "The structure of Fedora helps to minimize the pain of merging new technology and features. We were able to merge perl 5.10.0 during a single release window during the Fedora 9 timeline, and we did it in a way that most people were unaware that we had made any changes. We've already moved to Python 2.6 in our development tree (which will become Fedora 11), which puts us in a much better position for Python 3.0. Our kernel team keeps the latest kernel version in our development tree, so we have a pretty good idea of where we are with regards to functionality well before we branch off for the final release."

Comments (none posted)

Distribution reviews

Linux Mint 6.0 Felicia - Minty and sweet (Dedoimedo)

Dedoimedo reviews Linux Mint 6.0 aka Felicia, with lots of screen shots "Linux Mint 6.0 Felicia is a fabulous distro. It's complete, well-polished, fast, simple, rich in features, and offering solid hardware support. It worked well with both my Nvidia and ATI cards and even loved my web camera. There were some small issues with a Wireless drivers and some mundane Windows media formats, but other than that, the performance was spotless."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Common Wine Myths

Wine is one of the best known, but least understood open source projects. It is a mystic application that everyone knows about, many use, but few truly understand. Reading forum posts, blog entries and tutorials about Wine show that Wine is surrounded by many myths and half truths. In this article, we will attempt to clear up some of the misconceptions about the project.

Myth: Wine doesn't run any program well: There are currently 1863 applications with a Platinum rating (applications which install and run flawlessly on an out-of-the-box Wine installation) in Wine's Application Database (AppDB). Additional applications are receiving a Platinum rating at a rapid rate. Popular Windows applications such as Adobe Photoshop CS3, World of Warcraft and Microsoft Office 2007 all run under Wine.

Myth: Wine requires native Direct3D support: Wine implements the Direct3D libraries already. Direct3D 9 and earlier has been implemented for the most part. There are of course implementation bugs, but those are being worked on. The Direct3D runtime is a slow work in progress, and so may be missing some features. Direct3D 10 is unimplemented, but the core infrastructure is in place and future implementation is in the planning stages. Native Direct3D should not be used in Wine, except for the DirectX runtime library (d3dx9_*.dll), to work around missing features in Wine.

Myth: Wine requires native Internet Explorer 6: Wine comes with its own version of Internet Explorer based on Mozilla's Gecko layout engine for applications that use IE for rendering. See the Wine Gecko project for details. There is a ton of work being put into this area of Wine since it covers such a large area of code. As a result, many applications depending on Internet Explorer rendering may not run well. For those applications, using native Internet Explorer serves as a workaround. This is neither required nor recommended because Internet Explorer's license does not allow people without a Windows license to use it.

Myth: Wine is only for Linux: Wine should run on any POSIX system that has kernel threading. However, since most Wine developers are using some version of Linux, these other operating systems don't enjoy the same level of support or compatibility. Wine currently builds and runs applications on Linux, Mac OS X, FreeBSD, Solaris and OpenSolaris. Work is also being done to get Wine to work on NetBSD and OpenBSD, the effort is progressing well.

Myth: Wine is only 32-bit capable: This is partially true, but the situation is changing. Wine has the capability of running 64 bit applications, (see this December, 2008 thread), but it is not yet enabled by default. A ton of work is being put into making the internals of Wine 64 bit compatible. Checking the Wine commit log, one can see frequent additions of patches aimed at 64 bit Wine. Running 64-bit Wine currently requires the use of a special GCC compiler from SVN to compile, so it's mostly for developers at this point. It is worth pointing out though that about two thirds of the internal Wine conformance tests already pass.

This is, of course, different from running Wine as a 32-bit application on 64-bit hardware. Doing so works fine as long as your operating system has the 32-bit compatibility libraries installed. Wine is commonly used for playing games on 64-bit Linux distributions. In fact, most packagers already build 32-bit binaries for 64-bit operating systems.

Myth: Wine stole code from Microsoft! It's illegal to use! Wine is a clean room implementation of the Microsoft Windows API. Wine developers have never used leaked Windows source code or disassembled its output. The implementation is made and tested using a suite of conformance tests, ensuring that Wine has the same behavior as Windows. The conformance tests are built daily and tested on various versions of Windows and Wine. Results can be seen on the Wine Test Runs page.

Wine is a very complex piece of software that has come a long way in the past 15 years of development. Releasing its first stable version (1.0) this past year is a testament to the complexity and size of this program that took thousands of hours of development to implement what Microsoft did with many times the resources. While Wine does not yet have perfect compatibility with all Microsoft Windows applications, the Wine team is working hard to change this. Wine is a very mature, fast-moving and complex piece of software. There's no better time than now to try Wine. Binaries and source code are available here.

Comments (20 posted)

System Applications

Audio Projects

ALSA 1.0.19 released

Version 1.0.19 of ALSA has been announced. "I released ALSA 1.0.19 packages (except alsa-oss and alsa-python - no changes)." See the change log for more information.

Full Story (comments: none)

PulseAudio 0.9.14 released

Version 0.9.14 of PulseAudio, a cross-platform sound server, has been announced. This release includes some new capabilities and many bug fixes, see the Change Log for more information.

Comments (none posted)

Database Software

buzhug 1.4 announced

Version 1.4 of buzhug has been announced. "buzhug is a fast, pure-Python database engine, with a syntax based on list comprehensions for queries instead of SQL The new version 1.4 adds the boolean type for fields, and the capacity to define a default value for each field on base creation".

Full Story (comments: none)

Firebird 2.1.2 RC1 released

Version 2.1.2 RC1 of the Firebird DBMS has been announced. "This is the first release candidate of the Firebird version 2.1.2 patch release. It is a BETA whose purpose is for FIELD TESTING. It is recommended that you test it before deploying it into production."

Comments (none posted)

MySQL 6.0.9 alpha released

Version 6.0.9 alpha of the MySQL DBMS has been announced. "A new algorithm that uses both index access to the joined table and a join buffer has been implemented. It's called Batched Key Access (BKA) Join algorithm. The algorithm supports inner join, outer join and semi-join operations, including nested outer joins and nested semi-joins. Block Nested Loops Join algorithm previously used only for inner joins has been amended and now can be employed for outer join and semi-join operations, including nested nested outer joins and nested semi-joins."

Full Story (comments: none)

PostgreSQL Weekly News

The January 18, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

SQLite Release 3.6.10 announced

Version 3.6.10 of the SQLite DBMS has been announced. "Changes associated with this release include the following: * Fix a cache coherency problem that could lead to database corruption."

Comments (none posted)

Sqlkit 0.8.5 released

Version 0.8.5 of Sqlkit, software that provides Mask and Table widgets for editing database data, has been announced. "In this release localization has been added. I'd be very pleased if someone would like to contribute localization file for any language (but italian)."

Full Story (comments: none)

Interoperability

Samba 3.0.34 maintenance release announced

Maintenance release 3.0.34 of Samba has been announced. "This is the latest bug fix release for Samba 3.0 and is the version recommended for all production Samba servers running this release series."

Comments (none posted)

Web Site Development

Apache Jackrabbit 1.5.2 released

Version 1.5.2 of Apache Jackrabbit is out with security and bug fixes. "Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). A content repository is a hierarchical content store with support for structured and unstructured content, full text search, versioning, transactions, observation, and more."

Full Story (comments: none)

Apache-SSL 1.3.41/1.60 released

Version 1.3.41/1.60 of Apache-SSL has been announced. "For some reason I switched on renegotiation, which broke things. For now, switched back off."

Full Story (comments: none)

Miscellaneous

OpenSIPS: 1.4.4 released (SourceForge)

Version 1.4.4 of OpenSIPS has been announced. "OpenSIPS is an GPL implementation of a multi-functionality SIP Server that targets to deliver a high-level technical solution (performance, security and quality) to be used in professional SIP server platforms. After another month from 1.4.3 release, OpenSIPS improves itself with a new minor release, 1.4.4. Thanks to hard testing and fixing of a several people, new issues (critical and minor) were fixed on the OpenSIPS 1.4 branch. It is highly recommended to upgrade to this release, as it provides important stability improvements".

Comments (none posted)

Desktop Applications

Data Visualization

PLplot 5.9.2 has been released

Development release version 5.9.2 of PLplot has been announced. "PLplot is a cross-platform, scientific graphics plotting library."

Full Story (comments: none)

rrdtool 1.3.6 released

Version 1.3.6 of rrdtool, a data visualization tool for displaying time series data, has been announced. In addition to bug fixes, this release adds: "many small updates to the POD documents. improved win32 source. OSX compilation fixes".

Comments (none posted)

Desktop Environments

GNOME 2.24.3 released

Version 2.24.3 of the GNOME desktop has been announced. "This is the third update to GNOME 2.24. It contains many fixes for important bugs that directly affect our users, documentation updates and also a large number of updated translations. Many thanks to all the contributors who worked hard on delivering those changes in time."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week:

• Accerciser 1.5.5 (bug fixes and translation work)
• Alacarte 0.11.7 (new features and translation work)
• Anjuta 2.25.5 (new features and bug fixes)
• at-spi 1.25.5 (bug fixes)
• Banshee 1.4.2 (bug fixes)
• Brasero 0.9.1 (bug fixes and translation work)
• Clutter 0.8.6 (new features and bug fixes)
• Deskbar-Applet 2.25.5 (bug fixes and translation work)
• GCalctool 5.25.5 (translation work)
• Glade 3.5.6 (new features, bug fixes and translation work)
• GLib 2.19.5 (bug fixes and translation work)
• gnome-applets 2.24.3.1 (bug fixes)
• gnome-applets 2.25.4 (translation work)
• GNOME DVB daemon 0.1.1 (new features and bug fixes)
• gnome-games 2.25.5 (new features, bug fixes and translation work)
• gnome-keyring 2.25.5 (new features, bug fixes and translation work)
• GNOME Power Manager 2.24.3 (bug fixes and translation work)
• GNOME Scan 0.7.1 (new features and code rewrite)
• GOK 2.25.3 (bug fixes and translation work)
• Libgda 3.99.9 (bug fixes, code cleanup and translation work)
• mousetweaks 2.25.5 (bug fixes, code cleanup and translation work)
• Orca 2.25.5 (bug fixes and translation work)
• Rygel 0.2 (new features and bug fixes)
• Vala 0.5.6 (new features and bug fixes)
• Vala Toys for gEdit 0.3.2 (update for API change)

You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Commit-Digest (KDE.News)

The January 11, 2009 edition of the KDE Commit-Digest has been announced. The content summary says: "More parts of the Oxygen-based "Air" visual identity enters KDE SVN in time for the KDE 4.2 release, including KDM background images. Better integration of the new "NetworkManager" Plasma applet with KWallet. Initial work on a new "Welcome" Plasmoid. Support for more units added to the "Conversion" runner in Plasma, including "pressure", "currency", and "energy"..."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week:

• amaroK Web Collection 1.0.6 (bug fixes)
• eric4 4.2.5 (bug fixes)
• German Radio Streams Service 0.9 (new stations)
• Kadoom 1.00 (unspecified)
• kAnyRemote 5.6 (new feature)
• KBasic 1.87 (unspecified)
• kdebluetooth4 0.3 (new features and bug fixes)
• kdesvn 1.2.3 (bug fixes)
• KNDISWrapper 0.3.9 (new feature)
• MameExecutor 0.9beta2 (new features and bug fixes)
• plasmoid2deb 0.2 (unspecified)
• 'Q' DVD-Author 1.7.0 (new features and bug fixes)
• Social Networks Visualiser 0.49 (new features and bug fixes)
• Speaker-Phone Plasma Applet 0.20 (new features and bug fixes)

You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xfce 4.6 Beta 3 released

Version 4.6 Beta 3 of Xfce, a light weight desktop environment, has been announced. "Just like with the previous BETA, this release comes with a lot of bugfixes but is not expected to be 100% stable. This is why we want to encourage you to test this release to it's limits and tell us what breaks."

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week:

• libdrm 2.4.4 (bug fixes and code cleanup)
• xf86-video-intel 2.6.0 (branch merge and bug fixes)
• xinput 1.4.0 (new features and code cleanup)

More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Games

FreeCol: 0.8.0 released (SourceForge)

Version 0.8.0 of FreeCol has been announced. "FreeCol is an open version of Colonization. It is a Civilization-like game in which the player has to conquer the new world. Version 0.8.0 of FreeCol, a turnbased strategy game, has now been released. The largest change introduced by this release is the ability to define gameplay mechanics using XML-files. You can easily change the rules you don't like or create a different game similar to FreeCol."

Comments (none posted)

Interoperability

Wine 1.1.13 announced

Version 1.1.13 of Wine has been announced. Changes include: "Freedesktop.org-compliant startup notifications. Many fixes for 64-bit application support. Improved graphics support in Internet Explorer. Various Richedit improvements. Better certificate manager dialog. Various bug fixes."

Comments (none posted)

Music Applications

lv2dynparam1-2 announced

Version 1-2 of lv2dynparam has been announced. "lv2dynparam is LV2 extension for dynamic parameters. The extension consists of a header describing the extension interface and libraries, one for plugins and one for hosts, to expose functionality in more usable, from programmer point of view, interface. Changes since version 1: * host library: API is refactored, the new API is NOT compatible with the version 1 API * host library: support for dynparam automation * host library: support for dynparam parameter save/restore".

Full Story (comments: none)

Minicomputer 1.3 released

Version 1.3 of Minicomputer has been announced. "This version features better envelope generators with exponential behaviour and compiles now with newer versions of GCC. Minicomputer is a standalone Linux softwaresynthesizer for creating experimental electronic sounds as its often used in but not limited to Industrial music, IDM, EBM, Glitch, sound design and minimal electronic."

Full Story (comments: 1)

nekobee 0.1.7 released

Version 0.1.7 of nekobee, a Roland TB-303 Bassline synthesizer clone, has been announced. "Yes, it finally happened, I got off by backside and fixed the accent to work properly."

Full Story (comments: none)

QJackMMC: a new Qt0based JACK application

The initial release of QJackMMC has been announced. "In brief, QJackMMC is a Qt based program that can connect to a device or program that emits Midi Machine Code (MMC) and allow it to drive JACK transport, which in turn can control other programs. JackCtlMMC is a slightly simpler command-line version of QJackMMC. You might need such a tool if you have hard-disk recorders (HDRs) or other external MIDI compliant devices that are capable of sending out MMC to keep other devices in sync. You might have a multi-track recorder and you want to be able to start, stop, or fast-forward JACK-based programs such as Rosegarden, Hydrogen, and Ardour."

Full Story (comments: 1)

zynjacku 3 announced

Version 3 of zynjacku has been announced, a number of new capabilities have been added. "zynjacku is JACK based, GTK (2.x) host for LV2 synths. It has one JACK MIDI input port (routed to all hosted synths) and one (two for stereo synths) JACK audio output port per plugin. Such design provides multi-timbral sound by running several synth plugins."

Full Story (comments: none)

Office Suites

KOffice 2.0 Beta 5 released (KDE.News)

KDE.News has announced the release of KOffice 2.0 Beta 5. "Moving towards the 2.0 release with almost monthly beta releases, the KOffice team has once more honoured its promise to bring out beta releases of KOffice until the time is right for a release candidate. So today we bring you this beta with many, many improvements across the board. Incremental as it is, this beta is an important step towards a final release."

Comments (none posted)

Video Applications

h264enc: 8.7.0 released (SourceForge)

Version 8.7.0 of h264enc has been announced. The software is an: "Advanced shell script for encoding DVDs or video files to the H.264 format using the encoding utility MEncoder from MPlayer. Supports all the useful options an end-user would need to make a successful encode. The script is a CLI front end to MEncoder." This release adds a new capability and bug fixes.

Comments (none posted)

Miscellaneous

PyAMF 0.4 released

Version 0.4 of PyAMF has been announced, it includes numerous bug fixes. "PyAMF is a lightweight library that allows Flash and Python applications to communicate via Adobe's ActionScript Message Format."

Full Story (comments: none)

Languages and Tools

C

GCC 4.3.3 Status Report

The January 17, 2009 edition of the GCC 4.3.3 Status Report has been published. "The GCC 4.3 branch is now frozen in preparation for a release candidate for the GCC 4.3.3 release. When the branch is unfrozen again I will send a message stating so. All checkins to the branch require approval by a release manager now."

Full Story (comments: none)

Caml

Caml Weekly News

The January 20, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

JSP

pyjamas 0.4p1 released

Version 0.4p1 of pyjamas has been announced. "This is a minor patch release of pyjamas 0.4p1, the Python-to-Javascript compiler and Python Web UI Widgets Toolkit. What is Pyjamas for? Pyjamas allows a developer to create U.I applications in python as if the Web Browser was a Desktop Widget Set toolkit platform (like pygtk2, pywxWidgets and pyqt4, only much simpler, and more powerful)."

Full Story (comments: none)

Python

The History of Python

Greg Stein and Guido van Rossum have written an online document entitled The History of Python. "Later blog entries will dive into the gory details of Python's history. However, before I do that, I would like to elaborate on the philosophical guidelines that helped me make decisions while designing and implementing Python. First of all, Python was originally conceived as a one-person “skunkworks” project – there was no official budget, and I wanted results quickly, in part so that I could convince management to support the project (in which I was fairly successful). This led to a number of timesaving rules..."

Comments (none posted)

Evoque Templating v0.4 for Python 3.0

Version 0.4 of Evoque Templating is out with Python 3.0 support and other improvements. "Evoque Templating -- the generic full-featured text template engine with state-of-the-art features such as: exclusively unicode, dynamic overlays, format-extensible automatic quoting, in-process sandbox, caching, small (992 SLOC), simple, fast, etc."

Full Story (comments: none)

pycairo release 1.8.2 is now available

Version 1.8.2 of pycairo, the Python bindings for the cairo 2D graphics library, has been announced. "Pycairo 1.8.0 resulted in crashes for some applications using threads. So upgrading to 1.8.2 is recommended for threaded applications."

Full Story (comments: none)

XML

JCAM Engine: version 1.6.3.1 (SourceForge)

Version 1.6.3.1 of JCAM Engine has been announced. "JCAM Engine with XML Editor / Validator: XML Processor & Template Editor. Java implement of OASIS CAM Standard of XML validation & assembly + visual Eclipse editor. Includes XSLT tools for ingesting XSD Schema, creating HTML docs, XSD subset, XML test case examples + dictionary(uses Saxon XSLT) A new version of the editor has been released, which now includes the correct Java Run-time Environment, to allow it to work. this does increase download time, but significantly reduces installation problems."

Comments (none posted)

XSLTdoc: Bugfix Release 1.2.1

Version 1.2.1 of XSLTdoc, a Javadoc-like tool for all versions of XSLT, has been announced. Changes include: "Changed output format from XML to XHTML. Changed output encoding to UTF-8. Fixed a bug where xd:detail was not printed. xml:xd inline tag supports an href attribute which allows to include external XML markup. Enabled the Forum on sourceforge. "

Comments (none posted)

Miscellaneous

SWIG: 1.3.37 released (SourceForge)

Version 1.3.37 of SWIG has been announced. "SWIG is a software development tool that reads C/C++ header files and generates wrapper code to make C/C++ code accessible from other languages including Perl, Python, Tcl, Ruby, PHP, Java, Ocaml, Lua, C#, Modula-3, R, Octave and Scheme & Lisp variants. Apart from the usual round of bug fixes and minor new features there are a couple of big new features in this release."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

The Perpetual Peril of Open Platforms (Freedom to Tinker)

Here's a column on Freedom To Tinker stating that people worry too much about the future of open platforms. "But open technologies have a kind of secret weapon: the flexibility and power that comes from decentralization. The success of the iPhone is entirely dependent on Apple making good technical and business decisions, and building on top of proprietary platforms requires navigating complex licensing issues. In contrast, absolutely anyone can use and build on top of an open platform without asking anyone else for permission, and without worrying about legal problems down the line. That means that at any one time, you have a lot of different people trying a lot of different things on that open platform. In the long run, the creativity of millions of people will usually exceed that of a few hundred engineers at a single firm."

Comments (none posted)

The Evolution of Linux (TechRepublic)

Over at TechRepublic, Jack Wallen laments the loss of Linux configuration files. He went to edit his xorg.conf file on Fedora 10, finding, to his dismay, that there wasn't one. "Don’t get me wrong, I understand the 'why'. For large-scale adoption Linux needs to be as simple to use as the competition. One way to make this so is to take the guess work out of setting up such things as video. And I think it’s safe to say we all know that configuring video has, in the past, been a nightmare on certain chipsets. And to that end I can fully understand why the developers would want to go this route. And if they can create a fool-proof system that will be able to successfully configure X Windows with zero user intervention, more power to them. But I think this is a sign of things to come, and that sign looks like a Merge with Linux and Windows."

Comments (60 posted)

Trade Shows and Conferences

Camp KDE Takes off in Jamaica (KDE.News)

KDE.News covers Camp KDE. "In a warm Jamaica some thirty KDE developers have gathered for the first Camp KDE. The healthy growth of the KDE community created the need for a combined North/South American meeting. The release event showed it is possible. It has been a year since the KDE 4.0 release event by San Fransisco, and we see many of the faces we saw back then at Google headquarters."

Comments (none posted)

Companies

The facts behind Microsoft's anti-Linux 'Get the Facts' campaign (cnet)

Over at cnet, Matt Asay looks at recently revealed information about the infamous "Get the Facts" anti-Linux campaign from Microsoft. "What facts? 'Facts' about Windows alleged superiority as a preemptive kernel and asychronous I/O, facts that demonstrate that 'Linux is old unix.' Facts about Windows alleged security superiority over Linux. Facts that go to the heart of Red Hat and IBM's patent indemnification offerings and, frighteningly, Allchin seems to be foretelling Microsoft's later patent FUD against Linux [...]".

Comments (none posted)

Linux Adoption

Mortal OS Kombat: Linux versus Windows 7 (MaximumPC.com)

MaximumPC.com discusses the upcoming battle between Linux and Windows 7, which is out in a beta release. "Windows 7 is also catering to admins with its tough little PowerShell utility--a souped-up version of the command line that now allows administrators to remotely mess with machines via a powerful console-based scripting environment. But really, the fight is in the netbook space. IT World's Preston Gralla puts it clearly: if Linux gains traction on netbooks, people will become more familiar with using the OS (already a significant issue plaguing Linux-based netbooks). If people become more familiar with Linux as a whole, they might consider adopting it on their desktop platform as well."

Comments (31 posted)

Calls for open source government (BBC)

Sun co-founder Scott McNealy is advocating open source for governments according to a BBC article. McNealy has been asked to prepare a paper on the subject for the Obama administration. "Mr McNealy told the BBC he wants to ensure the government does not get 'locked in' to one specific vendor or company. [...] 'The government ought to mandate open source products based on open source reference implementations to improve security, get higher quality software, lower costs, higher reliability - all the benefits that come with open software.'"

Comments (10 posted)

Legal

LGPL 2.1, Qt 4.5 and C++ templates

George Makrydakis investigates some potential problems in using the LGPL v2.1 license with C++ libraries. "But I have not seen in the FAQ, so far, a series of licensing issues related to the unmodified LGPLv2.1 license proposed. One of these issues has to do with C++ templates for starters. While it is true that Qt 4.4 right now, does not use templates for signals and slots, it does have templates in container classes. Does an unmodified LGPLv2.1 - I assume that this is their intent, from what comes out of the current FAQ and republished by all other websites - take into consideration the use of C++ templates and template metaprogramming techniques by third party code, when instantiating these LGPLv2.1 templates in a non LGPLv2.1 license model (even OSI compliant)? C++ template instantiation is known for actually nesting code inside the end user code in ways that transcend the wording of an unmodified LGPL 2.1 license." (Thanks to Martin Langsjoen).

Comments (22 posted)

Interviews

Interview: Dann Washko, The Linux Link Tech Show (Montana Linux)

Scott Dowdle talks with Dann Washko of the Linux Link Tech Show. "ML: Who have been some of your most interesting guests? Dann: We have had so many great guests along the way. In fact, I am often quite surprised that some well known people come on our show and have actually listened to or do listen to us on a regular basis. Probably the biggest guest for me was Patrick [Volkerding], the creator and maintainer of Slackware; that was an awesome show. Other notable include Richard Stallman, Eric Raymond, Jeremy Allison, Bruce Perens, Dean Haglund (of Lone Gunman fame), Bil Herd (former Commodore engineer) and more recently Scott Sigler. As you can see, not all our guests are strictly Linux related, but most are. There have been so many wonderful people who have taken the time to share with us and the community."

Comments (2 posted)

Fellowship interview with Enrico Zini (FSFE)

The Fellowship of Free Software Foundation Europe has an interview with Enrico Zini. "Enrico Zini is a long time Fellow of the FSFE and a prominent Debian developer. He has been involved in many different projects relating to Free Software and is deeply concerned about social issues. I had a nice chat with Enrico and asked him about some of his favourite causes."

Comments (none posted)

Resources

Enable high availability for composite applications (IBM developerWorks)

Mahesh Viswanathan and Suraj Subramanian show how to set up high availability systems on IBM developerWorks. "This article describes an implementation of high availability for a composite application using Linux-HA. Delivering high availability to composite applications can be challenging. Because composite applications consist of several distinct applications, each with different availability requirements, configuration is complex. In this article, the authors describe how they designed and implemented a high availability prototype for Tivoli® Maximo®, a composite app. Their configuration script shows how you can provide high availability to a heterogeneous cluster of related applications using a systematic and prioritized failover schedule."

Comments (none posted)

Holiday Cheer, Holiday Uncheer - Part 2 (Linux Journal)

Dave Philips continues his Linux Journal series on 2008 audio software releases with part two. "Continuing my holiday machine maintenance saga I move on to some notable trials and tribulations with Ubuntu, but not before I report on a little more holiday cheer."

Comments (none posted)

Setting Up the Ideal Linux Desktop (It Management)

There are many ways to set up the ideal desktop. In this article Bruce Byfield shares some thoughts on the subject. "After years of authorized and -- I admit -- the occasional unauthorized but non-tampering snooping, I'm overdue to offer reciprocity. I'm not naive enough to throw open my machine for everyone to examine online, but, over the years, I have developed several pages of hard-earned notes that I follow and revise whenever I buy and set up a new computer."

Comments (14 posted)

Installing SugarCRM Community Edition On Ubuntu 8.10 (HowtoForge)

HowtoForge has published a tutorial about installing SugarCRM on Ubuntu. "SugarCRM is a webbased CRM solution written in PHP. SugarCRM is available in different flavours called "Editions" ("Community" (free), "Professional", and "Enterprise"). For a detailed overview of the different editions, have a look at the SugarCRM website. In this tutorial I will describe the installation of the free Community Edition on Ubuntu 8.10. With the modules My Portal, Calendar, Activities, Contacts, Accounts, Leads, Opportunities, Cases, Bugtracker, Documents and Email, SugarCRM Community Edition offers everything that can be expected from a CRM solution."

Comments (none posted)

Tribler: BitTorrent and Beyond (Linux Journal)

Doc Searls looks at peer to peer acceptance and the Tribler client. ""Everything we're doing is based on open source", says Johan Pouwelse, PhD, scientific director of P2P-Next and Assistant Professor of Computer Science at Delft. The good doctor also runs P2P-Next's first trial application: Tribler (pronounced "tribe-ler"), a BitTorrent-based client with no servers and a "zero-cost" business model. Tribler provides an all-in-one way to find, consume and share media."

Comments (4 posted)

Miscellaneous

Obama Inauguration shines on Linux too with Moonlight (ars technica)

ars technica reports on efforts to get Moonlight to be able to display video streams of the Obama inauguration. Moonlight currently supports Silverlight 1.0, but the streams required Silverlight 2.0. "Several developers on Novell's Mono team leaped into action and worked late into the night so that Linux users will be able to watch the stream with Moonlight, an open source implementation of Silverlight 1.0. Their efforts, which were undertaken in collaboration with Microsoft, have ensured that the PIC stream will be accessible to Linux users who download the Moonlight browser plugin from the project's web site, as well as to PPC Mac users who rely on Microsoft's Silverlight 1.0 plugin."

Comments (57 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EFF Kicks Off Campaign to Free Your Phone

The Electronic Frontier Foundation has announced a launch of the FreeYourPhone.org campaign. "Hundreds of thousands of cell phone owners have modified their phones to connect to a new service provider or run the software of their choosing, and many more would like to. But the threat of litigation under the Digital Millennium Copyright Act (DMCA) has driven them underground. The DMCA prohibits "circumventing" technical protection measures used to protect copyrighted works. But many cell phone manufacturers and service providers build these software locks to protect their business models instead of copyrighted material."

Full Story (comments: 19)

FSFE on EU Web browser interoperability decision

The Free Software Foundation Europe congratulates the European Union on a web browser interoperability decision. "On the 16th of January the European Commission DG Competition reported that it had issued a statement of objections regarding Microsoft's tying of Internet Explorer (IE) to the Windows Operating System product family. This action builds on a complaint originally submitted by Opera, a European company involved in web browser development. Free Software Foundation Europe welcomes the European Commission's decision and offers its support in the coming anti-trust investigation."

Full Story (comments: none)

New Friends of GNOME program launched (GnomeDesktop)

GnomeDesktop.org has announced a new Friends of GNOME program. "Now supporters can sign up to help the GNOME Foundation with recurring $10/month donations. Friends of GNOME is a way for individuals to support the GNOME project's mission of providing a free and open source desktop for everyone regardless of ability. With no advertising or outreach, we've raised anywhere from $6,000 to $20,000 a year from generous individuals.That money has contributed to the funds for hackfests, local events and programs which in turn have enabled the GNOME project to create an internationalized, accessible and easy to use desktop software for both traditional desktops and for mobile devices."

Comments (none posted)

Gandhian Approach to Promoting Free Software

During the Freedom Walk a team of 4 people walked the entire length of Kerala, India, more than 1200 kilometers, on foot to spread the message of Free Software. This was recently covered by the Free Software Foundation.

Full Story (comments: none)

Commercial announcements

Fixstars reduces price of the PowerStation Cell Workstation

Fixstars has announced new pricing on their PowerStation Cell Workstation. "Fixstars is pleased to now offer the PowerStation for just $1250, a reduction of $645 from the original $1895. The PowerStation offers: - Quad-core 2.5GHz IBM 970MP CPUs. - Up to 32GB RAM and 4 hot-swap SAS drive bays. - ATI X1650 Pro graphics card. - Dual Gig-e and 5 USB 2.0 ports. - DVD/CD-RW and YDL v6.1 pre-installed."

Full Story (comments: none)

Jaspersoft announces new advisory board

Jaspersoft has announced that it has created a new advisory board for guiding its business intelligence software direction. "The Jaspersoft Advisory Board members are Matt Asay, vice president of business development at Alfresco and Chairman of the Open Source Business Conference (OSBC); Bob Bickel, consultant and former executive vice president at JBoss; Mark Burton, vice president, MySQL Global Software Practice, Sun Microsystems; Barry Klawans, co-founder of Jaspersoft and current consultant for a variety of open source companies; and Lawrence Rosen, open source software expert, attorney and author, and founding partner of Rosenlaw & Einschlag."

Full Story (comments: none)

New Books

Active Directory Cookbook, Third Edition - New from O'Reilly

O'Reilly has published the book Active Directory Cookbook, Third Edition by Laura E. Hunter and Robbie Allen.

Full Story (comments: none)

CJKV Information Processing - New from O'Reilly

O'Reilly has published the book CJKV Information Processing by Ken Lunde.

Full Story (comments: none)

Head First Rails--New from O'Reilly

O'Reilly has published the book Head First Rails by David Griffiths.

Full Story (comments: none)

Contests and Awards

KDE voted Free Software Project of the Year (KDE.News)

KDE.News has announced the that they have won the Linux Format Free Software Project of the year award. "Linux Format magazine has unveiled its annual Reader Awards (PDF) for 2008 and KDE won a 'landslide' victory in the category of Free Software Project of the year in recognition of the 'incredible' work done with KDE 4. Amarok, Qt, Konqueror and the KDE-based Asus Eee PC were also recognised in the awards. Read on for more details of the KDE related successes."

Comments (none posted)

Education and Certification

UKUUG/O'Reilly presents - Perl Tutorials

UKUUG and O'Reilly have announced two Perl tutorials in Buntingford Herts, UK. "Early bird rates apply for just a few more days... UKUUG (in conjunction with O'Reilly) presents: Introduction to Perl - 25th February 2009 Advanced Perl Techniques - 26th February 2009 Tutor: Dave Cross".

Full Story (comments: none)

Event Reports

Brookings Conference on Software and Business Method Patents Highlights Need for Reform (Red Hat News)

Red Hat News has a posting from Rob Tiller, VP and assistant general counsel for IP, about a recent conference on software and business method patents. "Some of the harm from software patents is obvious. Do they provide any compensating benefit? There was little, if any, evidence that they encourage innovation. Although the number of software patents has exploded in recent years, one panelist expressed doubt that success in the technology area was associated with patent ownership. He observed that had the young Bill Gates been confronted at the outset with the litigation risks of tens of thousands of software patents, he might have chosen to exercise his entrepreneurial skills in a field other than software. The point, of course, is that the current system to some extent discourages innovation and entrepreneurship – a travesty of its intended purpose." (thanks to Rahul Sundaram)

Comments (3 posted)

Calls for Presentations

Registration and CFP open for Linux Foundation Collaboration Summit

A call for papers has gone out for the 2009 Linux Foundation Collaboration Summit. "The Linux Foundation is pleased to announce the opening of registration and call for participation for the 3rd Annual Collaboration Summit which will take place April 8-10, 2009 in San Francisco." Submissions are due by February 15.

Full Story (comments: none)

CfP: ACM Conference on Computer and Communications Security

A call for papers has gone out for the 2009 ACM Conference on Computer and Communications Security (CCS). The event takes place in Chicago, IL on November 9-13, 2009, submissions are due by April 20.

Full Story (comments: none)

LAC2009: Paper deadline extended

The paper deadline for LAC2009 has been extended to January 29, 2009. "The LAC (Linux Audio Conference) is an annual event where developers, users and composers from all around the world come together for 4 days to present current developments, new compositions and other news to the public, listen to concerts, and generally have a good time together. The LAC2009 is taking place at the Casa della Musica in Parma, Italy, from April 16th to 19th, 2009."

Full Story (comments: none)

OSCON 2009: Call For Participation

A call for participation reminder has gone out for the 2009 OSCON. "The O'Reilly Open Source Convention has opened up the Call For Participation -- deadline for proposals is Tuesday Feb 3. OSCON will be held July 20-24 in San Jose, California."

Full Story (comments: none)

PGCon 2009 RFP

A request for papers has gone out for PGCon 2009. "PGCon 2009 will be held 21-22 May 2009, in Ottawa at the University of Ottawa. It will be preceded by two days of tutorials on 19-20 May 2009." Submissions are due in the near future.

Full Story (comments: none)

Upcoming Events

Events: January 29, 2009 to March 30, 2009

The following event listing is taken from the LWN.net Calendar.

Date(s)	Event	Location
January 25 January 29	Ruby on Rails Bootcamp with Charles B. Quinn	Atlanta, GA, USA
January 31	Greater London Linux Users Group meeting	London, UK
January 31 February 3	Black Hat Briefings DC	Arlington, VA, USA
February 4 February 5	DC BSDCon 2009	Washington, D.C., USA
February 4 February 6	Money:Tech 2009	New York, NY, USA
February 5 February 9	German Perl Workshop	Frankfurt, Germany
February 7	Frozen Perl 2009	Minneapolis, MN., USA
February 7 February 8	FOSDEM 2009	Brussels, Belgium
February 9 February 11	O'Reilly Tools of Change for Publishing	New York, NY, USA
February 15	Free Software Awards 2009 Deadline	Soissons, France
February 16 February 18	Open Source Singapore Pacific-Asia Conference	Singapore, Singapore
February 16 February 19	Black Hat DC Briefings 2009	Washington, D.C., USA
February 20	Demonstrating Open-Source Health Care Solutions	Los Angeles, CA, USA
February 20 February 22	Southern California Linux Expo	Los Angeles, CA, USA
February 24 February 26	VMworld Europe 2009	Cannes, France
February 25 February 27	German Perl Workshop	Frankfurt Main, Germany
February 27	PHP UK Conference	London, UK
February 28	Belgian Perl Workshop	Leuven, Belgium
February 28	uCon Security Conference	Recife, Brazil
March 1 March 4	Global Ignite week	Online,
March 3 March 8	CeBIT 2009	Hanover, Germany
March 4 March 7	DrupalCon DC 2009	Washington D.C., USA
March 6	Dutch Perl Workshop	Arnhem, The Netherlands
March 7	Ukrainian Perl Workshop 2009	Kiev, Ukraine
March 8 March 11	Bossa Conference 2009	Recife, Brazil
March 9 March 13	Advanced Ruby on Rails Bootcamp with Charles B. Quinn	Atlanta, GA, USA
March 9 March 12	O'Reilly Emerging Technology Conference	San Jose, CA, USA
March 12 March 15	Pingwinaria 2009 - Polish Linux User Group Conference	Spala, Poland
March 14	OpenNMS User Conference (Europe) 2009	Frankfurt Main, Germany
March 14 March 15	Chemnitzer Linux Tage 2009	Chemnitz, Germany
March 16 March 20	Android Bootcamp with Mark Murphy	Atlanta, USA
March 16 March 20	CanSecWest Vancouver 2009	Vancouver, BC, Canada
March 18	Linuxwochen Österreich - Klagenfurt	Klagenfurt, Austria
March 21 March 22	Libre Planet 2009	Cambridge, MA, USA
March 23 March 27	iPhone Bootcamp	Atlanta, Georgia, USA
March 23 April 3	Google Summer of Code '09 Student Application Period	online, USA
March 23 March 27	ApacheCon Europe 2009	Amsterdam, The Netherlands
March 24 March 26	UKUUG Spring 2009 Conference	London, England
March 25 March 29	PyCon 2009	Chicago, IL, USA
March 27 March 29	Free Software and Beyond The World of Peer Production	Manchester, UK
March 28	Open Knowledge Conference 2009	London, UK

If your event does not appear here, please tell us about it.

Mailing Lists

Migration of the Fedora Mailing Lists

The Fedora project has announced a migration of its email lists to a new domain. "Over the last several years, there has been some contention over why our mailing lists are @redhat.com instead of @fedoraproject.org, and there are also some concerns over the process of requesting new lists and so on. As a result, we (myself and Dennis Gilmore) are beginning an effort to migrate fedora-*@redhat.com to lists.fedoraproject.org."

Full Story (comments: none)

Page editor: Forrest Cook