By Jonathan Corbet
November 2, 2009
Back in July, your editor stumbled across Google's Courgette announcement and promptly added it to the LWN topic slush pile. He then promptly let it sit for three months or so. The news that this software is now the subject of a patent suit brought Courgette back to the foreground; here we'll look at what Courgette is for, how it works, and how it relates to the patent being asserted.
As most LWN readers will know, Google is working on its own web browser,
called Chrome. The Chrome
developers seem to be focusing on speed, but they are also clearly putting
significant thought into the security of the browser. That is a good
thing: web browsers are large, complex bodies of code which are directly
exposed to whatever a web server might choose to throw at them. The
complexity makes security-related bugs inevitable; the exposure makes them
highly exploitable. Chrome's developers have come to the conclusion that,
when security problems are found, they must be fixed as quickly as
possible.
Prompt patching of bugs requires that they be identified and repaired as
quickly as possible. But the repairs are not useful unless they get to the
browser's users - all of them, or as close to that as possible. The Chrome
developers worried that the sheer size of browser updates would make that
goal harder to achieve. Massive updates take longer to download and
install, are more likely to be interrupted in the middle, and greatly
increase the strain on server bandwidth. Pushing out a fix for a severe
zero-day problem might even tax the bandwidth resources of a company like
Google, leaving users exposed for longer than they should be.
If the size of browser updates could be reduced significantly, it should
become possible to update far more systems in less time. After looking at
various ways to compress patches, the Chrome developers decided to create
their own algorithm; the result was Courgette.
This algorithm is based on the key observation that small changes at the
source level tend to cascade into big changes in binary code; by taking a
small step back toward the source, many of those changes can be abstracted
back out.
In particular, Courgette tries to eliminate irrelevant changes to static
pointers. Consider a simple example:
    if (some_condition)
        goto error_exit;
    /* ... */
error_exit:
    return -EYOULOSE;
As the program is built, error_exit turns into a specific location
in the code. An irrelevant change elsewhere in the file can cause the
location of error_exit to change; that, in turn, will change the
final compiled form of the goto line even though that line has not
changed. That changed address looks like a difference in the binary file;
when this happens thousands of times over, the binary patch will become
severely bloated.
Courgette works by finding static pointers in the code and turning them
back into something that looks like a symbolic identifier. The new
identifiers are generated in a way that ensures that they do not change if
the underlying code has not changed. New versions of the binary (both
before and after patching) are built using the replaced pointers; these
reworked binaries can then be compared with a utility like bsdiff. Since addresses with
unimportant changes have been replaced with consistent identifiers, the two
binaries should be a lot closer to each other and the resulting diff should
be much smaller.
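The mechanism described above, as an added worked example (not Courgette's own code, which handles real x86 instruction streams and far more than jumps): a toy instruction set in which a jump carries a 4-byte absolute target, an assembler that produces two versions of a program differing by one inserted instruction, and a "lift" step that replaces every absolute target with a label numbered by first appearance. The instruction set, the opcode values and the edit-size measure are all assumptions made for this example; bsdiff is stood in for by difflib.

```python
import difflib
import struct

# Toy instruction set, constructed for this example (not x86 semantics):
# every opcode is one byte; JMP is followed by a 4-byte little-endian absolute target.
OPCODES = {"nop": 0x90, "add": 0x01, "ret": 0xC3}
JMP = 0xE9


def assemble(program):
    """Two-pass assembler: program is a list of ('label', name), ('jmp', name)
    or (mnemonic,) tuples. Returns the raw bytes with labels resolved to addresses."""
    labels, addr = {}, 0
    for ins in program:                      # pass 1: assign addresses to labels
        if ins[0] == "label":
            labels[ins[1]] = addr
        else:
            addr += 5 if ins[0] == "jmp" else 1
    out = bytearray()
    for ins in program:                      # pass 2: emit bytes
        if ins[0] == "label":
            continue
        if ins[0] == "jmp":
            out.append(JMP)
            out += struct.pack("<I", labels[ins[1]])
        else:
            out.append(OPCODES[ins[0]])
    return bytes(out)


def lift(binary):
    """Courgette-style lifting: walk the code and replace every absolute jump
    target with a label number assigned in order of first appearance. Two binaries
    whose control flow has not changed then get identical label streams even when
    every address has moved. Returns (tokens, address_table)."""
    tokens, label_of, table, i = [], {}, [], 0
    while i < len(binary):
        if binary[i] == JMP and i + 5 <= len(binary):
            target = struct.unpack_from("<I", binary, i + 1)[0]
            if target not in label_of:
                label_of[target] = len(table)
                table.append(target)
            tokens.append(("jmp", label_of[target]))
            i += 5
        else:
            tokens.append(("byte", binary[i]))
            i += 1
    return tokens, table


def lower(tokens, table):
    """Inverse of lift: the receiver rebuilds the exact binary from the
    label stream plus the (small) address table shipped with the patch."""
    out = bytearray()
    for kind, value in tokens:
        if kind == "jmp":
            out.append(JMP)
            out += struct.pack("<I", table[value])
        else:
            out.append(value)
    return bytes(out)


def edit_size(old, new):
    """Rough stand-in for patch size: number of elements in non-matching regions."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return sum(max(i2 - i1, j2 - j1)
               for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal")


def make_program(prefix):
    """A body with many jumps to two targets, optionally preceded by extra code.
    Inserting one instruction up front moves every target by one byte."""
    prog = list(prefix)
    for _ in range(20):
        prog += [("add",), ("jmp", "error_exit"), ("add",), ("jmp", "done")]
    prog += [("label", "done"), ("ret",), ("label", "error_exit"), ("ret",)]
    return prog


def compare_patch_sizes():
    """Returns (raw_byte_diff, lifted_token_diff, address_table_diff)."""
    old = assemble(make_program([]))
    new = assemble(make_program([("nop",)]))    # one-instruction change at the source level
    old_tokens, old_table = lift(old)
    new_tokens, new_table = lift(new)
    assert lower(new_tokens, new_table) == new  # the round trip is exact
    return (edit_size(list(old), list(new)),
            edit_size(old_tokens, new_tokens),
            edit_size(old_table, new_table))


if __name__ == "__main__":
    raw, lifted, table = compare_patch_sizes()
    print(f"raw bytes differing: {raw}; lifted tokens differing: {lifted}; "
          f"address-table entries differing: {table}")
```

In the raw bytes, all forty jump targets change because one byte was inserted at the front; in the lifted form only the inserted token differs, and the two-entry address table (which the patch must also carry) is what absorbs the address shift.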
How much smaller? In an example cited on chromium.org, a full update
weighed in at some 10MB. Using bsdiff (which already shrinks binary diffs
considerably) yielded a 700KB change, already a significant improvement.
With Courgette, though, the diff is 78,848 bytes. In other words, the size
of the update has been dropped to less than that of the unpleasant flash ad
which probably decorates this article. That seems like an improvement
worth having. It also seems like a technology that projects like deltarpm (which is bsdiff-based at
its core) might want to take a look at.
Enter Red Bend Software and patent
#6,546,552. For the curious, here is the first independent claim from
that patent:
A method for generating a compact difference result between an old
executable program and a new executable program; each program
including reference entries that contain reference that refer to
other entries in the program; the method comprising the steps of:
(a) scanning the old program and for substantially each reference
entry perform steps that include:
(i) replacing the reference of said entry by a distinct label mark,
whereby a modified old program is generated;
(b) scanning the new program and for substantially each reference entry
perform steps that include:
(i) replacing the reference of said entry by a distinct label mark,
whereby a modified new program is generated;
(c) generating said difference result utilizing directly or
indirectly at least said modified old program and modified new
program.
Even for patentese, this language tends toward the impenetrable. But once
one realizes that "reference entries that contain reference that refer to
other entries" means "addresses," it starts to become a little clearer. To
your editor's overtly non-lawyerly, not-legal-advice reading, this claim
does appear to describe what Courgette is doing.
Google is not dealing with a typical patent troll here; Red Bend is a
company which manages over-the-air firmware updates for mobile carriers.
The patent was applied for in 1999, and granted in 2003. This company may
well be in a position to tell a sob story where its bread-and-butter patent
is being stepped on by Google - a company which is now getting into the
business of supplying firmware for mobile phones. On its face, this could
certainly be made to look like just the sort of situation the patent system
was created to deal with.
Of course, there may be prior art which invalidates this patent. But Google
may well find that it's cheaper and easier to just settle with Red Bend,
especially if, as Richard
Cauley argues, the amount of the settlement could be quite small.
Defeating a patent in court is a lengthy, expensive, and risky enterprise;
it would not be surprising if Google decided that it had better things to
do. The real question, in that case, is what sort of terms Google would
negotiate. If Google takes a
page from the Red Hat playbook, it will seek to get this patent
licensed for all free software implementations. That outcome would remove
this patent from consideration in the free software community and keep
Courgette free software. A back-room deal with undisclosed terms, instead,
could leave this useful technique unavailable for the next ten years.
November 4, 2009
This article was contributed by Nathan Willis
The multi-platform, open source word processor AbiWord was updated to
version 2.8 last week, debuting several new editing features, most notably
expanded real-time collaboration support. AbiWord's collaboration
capabilities are designed to work on top of a variety of underlying
transport mechanisms, but the project is highlighting its AbiCollab.net web service, which not
only allows peer-to-peer collaboration, but also offers group membership and other
social networking features.
AbiWord is a standalone word processor, and thus has significantly lower
disk and memory footprints than OpenOffice.org, which bundles word
processor, spreadsheet, presenter, and several other office applications
together. In fact, it is the word processor shipped by the One Laptop Per
Child project on its modestly-powered XO laptops. It is built using GTK,
but like most modern applications runs on all Linux desktop environments.
The new release was made on October 27, for Linux, Windows and Mac OS X.
Linux users are encouraged
to get binaries through their distribution's package manager, or consult
the wiki for finding third-party packages.
What's new: vector graphics, annotations, and punctuation education
Version 2.8 introduces annotation support, with which users can attach
comments to portions of document text. The annotations are visible as
pop-ups when the cursor moves over the annotated text, and can also be
optionally displayed in the footer of each page. It also adds a flexible
multi-page view, allowing the user to see as much of his or her document as
fits on screen — not as a preview image, but as an open,
editable session.
AbiWord also supports the use of SVG and WMF graphics inside a document,
and now uses the Cairo rendering engine for greatly increased quality
— on screen as well as printed. Previous releases converted SVG
images on import, resulting in quality degradation. Similarly, according
to the release notes, previous versions of AbiWord had a broken
implementation of "educating quotes" — the process to automatically convert
basic, straight "dumb quotes" into aesthetically curved "smart quotes" — but
the feature has finally been fixed for 2.8.
Import and export of other file formats has also improved, including
TeX, ODT, the S5
presentation format, and Microsoft DOCX — a project for which the AbiWord
team mentored a student during this year's Google Summer of Code. The code
clean-up that included the aforementioned Cairo support also replaced the
now deprecated gnome-print printing library with the preferred GTK
Print.
In spite of its goal to remain a lean word processor, AbiWord does
support some cross-application features common to full office suites.
AbiWord documents can be embedded into other applications with the GTK
AbiWidget, and AbiWord can now embed Gnumeric spreadsheets within its own
documents. Both features received updates in this release.
Finally, the most talked-about change in 2.8 is the substantial update
to AbiWord's collaborative editing feature. Collaborative editing was
introduced in the 2.6.x code base, with the ability for two AbiWord
instances to directly connect to each other over TCP for a shared editing
session, or to connect through an XMPP server. 2.8 marks the debut of a
free web service called AbiCollab.net, which functions as a connecting
point for AbiWord sessions, and as an online document storage service.
Collaborating with AbiCollab.net
AbiCollab.net provides free user accounts that come with 25M of document
storage. In addition to storing the contents, the site retains a full
version history that can roll back the document to a previous state. It
also supports export to the AbiWord, ODT, RTF, PDF, HTML, plain text, and
DOC formats, has a tagging system intended to help users more easily find
their documents, and password-protected RSS feeds for monitoring changed
files. Users can create a blank document on the site, upload an existing
document, or activate AbiCollab.net sharing on an open document from
AbiWord's Collaborate menu.
Those features amount to an online storage service, though;
AbiCollab.net's real advantage is that it allows real-time collaborative
editing without the hassle of directly connecting two applications by IP
address. Site users can share documents with other users or make them
globally-accessible. Sharing includes a read-only option as well as full
read-write permission, on a document-by-document basis.
There are two ways to connect to other users on the site — adding
them individually as friends in traditional social networking style, and by
group. Users can set up their own groups at will, and group owners can
manage group membership and set administration privileges for members. The
site is still structured around the documents, however — there are no
status updates, profile pages, or other social elements. Preserving
privacy is also important; potential friends can only be found through
searching as a logged-in user, and every user can mark their account as
invisible to searches. Friend requests must be approved by both
parties.
The AbiCollab.net server relays changes between two users of a shared
document using its own synchronization protocol, not the HTTP connection.
Developer Martin Sevior described the protocol as very bandwidth-friendly,
and said it was akin to a distributed version control system. As useful as
it is, though, there are some limitations. AbiWord cannot simultaneously
share a document via AbiCollab.net and over a peer-to-peer (TCP or XMPP)
connection.
Competition
Sevior has said that online office suites like Google Office and Zoho are AbiCollab.net's main competition,
but he believes that integrating sharing into the local desktop application
offers a far superior work experience to that provided by an in-browser
editor. AbiWord offers advanced editing features not found in any web
application, such as control over margins, tabs, table positioning,
footnotes, outlines, and math, he said.
Also, its standard menus and dialogs offer a better user experience than
the JavaScript-created menus and dialogs implemented in a web editor
— which are often modal, block user input, and can be difficult to
activate with the mouse. Finally, he added, AbiWord can handle
significantly larger documents without suffering from performance problems,
while web browsers begin to struggle with 20 pages or more.
Some free software advocates criticized the AbiCollab.net site launch
last week because the source code to the site is not free. Sevior and
fellow developer Marc Maurer acknowledged the concern, but pointed out that
the service was new. The team would like to find a way to make the site
code free, but they also want to investigate ways to use it to raise funds
to help support further
development. Ideas include offering larger storage space for a fee and
building a custom server for business use, but all of the ideas are just
brainstorming at present.
In the meantime, it is still possible to use AbiWord to collaboratively
edit documents with a peer-to-peer TCP or XMPP connection. The application
does not know or care what network transport mechanism is being used; in
fact work is well underway to use Telepathy as yet another editing session
transport in a future release.
AbiWord has long been a solid word processing choice on the desktop,
while Google Docs and other web suites get away with offering fewer editing
and formatting features by making document sharing simple. AbiWord 2.8
with built-in real-time editing through AbiCollab.net is an attempt to do
both. Whether it will catch on to the degree that in-browser editors have is
anybody's guess, but one must not forget that AbiWord has the advantage of
being completely cross-platform, which makes it an option for every
computer, just like the web browser.
October 30, 2009
This article was contributed by Don Marti
Gerrit, a Git-based system for managing code
review, is helping to spread the popular distributed
revision control system into Android-using companies,
many of which have heavy quality assurance, management, and legal processes
around software. HTC, Qualcomm, TI, Sony Ericsson,
and Android originator Google are all running Gerrit,
project leader Shawn Pearce said in a talk at the October 2009
GitTogether event,
hosted at Google in Mountain
View.
The Gerrit story starts with the progressive escape of
an in-house Google process and tool. Google requires
code review for any change to company code or
configuration files; there are a few exceptions, but those are
subject to review after deployment. The code review
process started out using lots of email, but for the
past several years it has been automated. When Guido van
Rossum, creator of the Python language, began working
at Google in 2005, he started developing a tool,
in Python naturally, to coordinate code reviews.
The result, called Mondrian, lets users view the
proposed change as a side-by-side comparison, and
participate in comment threads attached
anywhere in the code under review. An overview
page shows a to-do list of incoming changes
to review and reviewers' comments. Van Rossum presented
Mondrian at a public talk in 2006 (video).
Mondrian has been a huge success inside
Google, Pearce said. "Almost every engineer
uses this as their daily thing." But
Mondrian is heavily dependent on Google's
internal infrastructure, including the in-house Bigtable
non-relational table store and the proprietary Perforce revision
control system. Google is a huge Perforce shop, and
has built its own highly-customized IT infrastructure,
including Perforce-dependent tools.
The first step in making a Mondrian-style
tool available to a wider audience was van
Rossum's 2008 release of Rietveld,
which uses Subversion instead of Perforce, and the
public interfaces of Google App Engine instead of
Google internals. It's named for modern architect Gerrit
Rietveld. As Google began the Android
project, though, developers demanded a Mondrian-like
tool for their codebase, tracked with Git. Google App
Engine was a deal-breaker, because mobile hardware
vendors working on Android-based products maintain
internal repositories, and won't rely on an outside
service.
Shawn Pearce, who previously reimplemented
git in Java as JGit, and is now at Google,
took on the project; the result is Gerrit
Code Review, now used to track public proposed
changes to Android. Android's applications are written
in Java, so writing the new tool in that
language should make it more accessible to would-be
contributors among Android developers.
Gerrit runs a copy of the Mina
SSH daemon, along with JGit, which
is now maintained as part of the Eclipse EGit project.
Although the combination is slower than original
git over OpenSSH, it's fast enough for the Android
developers. "The entire Android team uses this as
their interface to Git," Pearce said. The server-side
dependencies are Tomcat and an SQL database, which
so far can be either MySQL, PostgreSQL, or H2. Gerrit
uses OpenID for authentication by default, but can
be configured to use HTTP basic (or digest)
authentication, or Siteminder, a single-sign-on system
from Computer Associates.
On the UI side, Gerrit uses Google
Web Toolkit, an Apache-licensed project that
compiles Java to JavaScript with AJAX functionality.
The UI has a few tiny Flash widgets for convenience - to copy Git
command lines to the clipboard, for example - but Flash
is not required. A user who prefers not to use the
web interface can also ssh to the Gerrit server to
execute commands. Gerrit doesn't enforce any particular processes
to make git look more like the centralized revision
control systems that spawned Mondrian and Rietveld. A
Gerrit-using developer has a full git install and
can still do distributed revision control tricks,
such as cherry-picking from a newer upstream release.
Gerrit just guards access to its own repository.
A developer can set up a git repository with "origin"
pointing back to an ssh:// URL on the Gerrit server,
and do something like centralized development, or do
"drive-by" interactions with a Gerrit server like
any other Git repository.
To propose a change for approval through Gerrit,
a developer must start a branch in git for that
change. Each change, and each iteration of a
reworked change, becomes a new branch. In order to
preserve information among successive versions of
the same work, Gerrit includes a git hook to apply a
"Change-Id" line to commit messages. After doing
a git push to the Gerrit server, the
developer can come back to the web dashboard and
see the status of the pending change, then request
a code review. Alternatively, a wrapper called Repo
lets the developer specify a reviewer on the command
line when doing the push.
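The Change-Id mechanism just described, as an added example written for this article rather than Gerrit's own commit-msg hook: a function that behaves like the hook, leaving an existing Change-Id alone (so a reworked iteration keeps its identity) and otherwise appending one to the commit message footer. The inputs hashed here (parent, author, message) are a simplification of what Gerrit hashes, and the message, author and parent values are constructed.

```python
import hashlib
import re

CHANGE_ID_RE = re.compile(r"^Change-Id: (I[0-9a-f]{40})$", re.M)
# A footer line looks like "Key: value" (Signed-off-by, Change-Id, ...).
FOOTER_LINE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: \S")


def change_id_of(message):
    """Return the Change-Id carried by a commit message, or None."""
    m = CHANGE_ID_RE.search(message)
    return m.group(1) if m else None


def commit_msg_hook(message, parent="0" * 40, author="Dev <dev@example.test>"):
    """Model of Gerrit's commit-msg hook (simplified; the real hook hashes more
    commit context). An existing Change-Id is left untouched so that an amended
    commit stays the same change; otherwise one is derived and appended."""
    if change_id_of(message):
        return message
    h = hashlib.sha1()
    for part in ("parent", parent, "author", author, "message", message):
        h.update(part.encode() + b"\n")
    line = "Change-Id: I" + h.hexdigest()
    body = message.rstrip("\n")
    paragraphs = body.split("\n\n")
    last = paragraphs[-1].splitlines()
    # If the message already ends with a footer block (e.g. Signed-off-by),
    # the Change-Id joins it; otherwise it becomes a footer of its own.
    if len(paragraphs) > 1 and last and all(FOOTER_LINE_RE.match(l) for l in last):
        return body + "\n" + line + "\n"
    return body + "\n\n" + line + "\n"


def rework(message, new_subject):
    """Constructed helper: the developer amends the subject line of a commit
    and keeps the rest of the message, footer included."""
    lines = message.split("\n")
    lines[0] = new_subject
    return "\n".join(lines)


# Constructed commit message for the demonstration.
MSG_V1 = ("Fix an off-by-one in the parser\n\n"
          "Constructed example message.\n\n"
          "Signed-off-by: Dev <dev@example.test>\n")

if __name__ == "__main__":
    v1 = commit_msg_hook(MSG_V1)
    v2 = commit_msg_hook(rework(v1, "Fix an off-by-one in the parser (v2)"))
    print(v1)
    print("same change after rework:", change_id_of(v1) == change_id_of(v2))
```

Because the hook is idempotent, re-running it on every `git commit --amend` is safe; it is the developer dropping the footer line that produces a fresh change and loses the review history.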
Once a reviewer is lined up, Gerrit starts sending
email, giving both the URL for the Gerrit page and
a git command line for the reviewer to pull the
change. On the change page, a reviewer can see the
change side-by-side with the original or as a diff,
and add review comments anywhere in the code along
with a "cover sheet" message. Approval has multiple
levels, with configurable access to the range that
a reviewer can apply. Typically, an individual
developer would be able to apply -1 or +1, which
are "prefer you don't submit this" and "I like it,"
and some would have access to the -2 "do not submit"
and +2 "Approved" levels. The web interface is not
required; a reviewer can ssh to the Gerrit server to
approve or reject a change.
A rejected and reworked change with a proper
"Change-Id" line preserves Gerrit metadata, and the
reviewer can see his or her original comments and
the submitter's replies, join an existing comment
thread on the previous, rejected version, or start
new comment threads anywhere in the new version.
If the change is not accepted, the new version has to
be a new branch.
Kernel developer David Brown, at the
Qualcomm Innovation Center, uses Git and Gerrit with
his team. "The biggest complaint people have so far
about Gerrit is people have to be constantly rebasing
their changes," he said. However, the company has an
extensive review process in order to make anything
available under a free software license, and Gerrit
streamlines the process of approving changes for the
people who are authorized to check outgoing code.
"The biggest thing that's changed since last year
is Gerrit. The second biggest thing that's changed
since last year is Gerrit," Brown said. But,
he added, doing things the Gerrit way does work.
"Most people learn a really small subset of git,
I mean a really really small subset of git," he said.
Gerrit can be set up to automatically enforce
some policies. "There's a lot of different work
models people want," Pearce said. For example,
Gerrit can be set up to enforce a check for a signed
contributor agreement. The public Gerrit instance for
Android enforces the contributor agreement requirement for all modules
except the kernel, where only a "Signed-off-by"
line is required. Gerrit can be integrated with a bug
tracking system (BTS), but the integration is still based on
site-specific tricks, since everyone is on a different
bug tracker and nobody seems to like theirs very much.
Besides better BTS integration, Pearce is looking at
ways to store Gerrit metadata in git. "We'd like to
do all the things that Gerrit does, offline," he said.
"The fact that it doesn't work offline is a bug."
The Android developers are still figuring out how to
connect with upstream. Staging maintainer Greg
Kroah-Hartman plans to drop Android drivers
from drivers/staging as of 2.6.33, as "no one wants
to maintain them and help get them merged into the
kernel," he said in email. Behind the apparent driver
slowness are substantial corporate culture changes,
though, with both Qualcomm and TI starting programs to
manage outgoing code. Qualcomm is the lead sponsor of
Code
Aurora Forum, and TI is behind OmapZoom.org. In the
potential minefield that is the mobile industry, with
considerations such as not offending carrier partners,
securely supporting third-party applications,
deploying codecs and GUI code without patent troubles,
and complying with radio regulations, Gerrit seems
to be a needed focus for gatekeeping efforts.
Page editor: Jonathan Corbet
Security
By Jake Edge
November 4, 2009
Cross-site scripting (XSS) is one of the biggest problems on the web
today. There are daily reports of XSS problems in various web sites and
web applications (including LWN, see below). So, it is not surprising that
browser makers are looking at ways to combat the problem. Previously, we
looked at Mozilla's Content Security
Policy (CSP), which is one approach, but the Chrome browser team has come up
with something different: reflective
XSS protection.
There are two basic types of XSS, persistent and reflected (or
non-persistent). Persistent XSS is an attack that gets stored at the site,
in a comment or some other user-generated content, that can then attack any
user viewing that content. Reflected attacks, instead, have the payload
stored in the HTTP request itself (as GET parameters or FORM submission
values). These attacks are generally disguised and the victim is tricked into
submitting them. Reflected XSS flaws well outnumber persistent flaws, so
it makes some sense to concentrate on those.
The basic idea behind Chrome's reflective protection is to examine each
script before it is run to see if it also exists in the request that was
sent. If the page contents contain scripts that were sent in the request,
it is likely that it is a reflected XSS attack. For example, if a link or
form submission contains a parameter foo with the value:
<script>alert("XSS!")</script>
then the browser can recognize it in the response and refuse to run the script.
It isn't quite as simple as a direct string comparison, of course, as there
are any number of tricks used by XSS attacks to obfuscate their intent. By
using HTML entity encodings, XSS attacks can often slip by naïve
tests. Things like:
javascript
may elude simple tests that are meant to prevent XSS, so the browser must
convert the request into a canonical form before doing the comparison.
In fact, a thread on
sla.ckers.org shows various types of obfuscation that elude
the Chrome XSS filter. The participants, eventually including Chrome
developer Adam Barth, keep attempting—mostly succeeding—to find
ways around the filter. Those were then added to a WebKit bugzilla
entry and many were fixed. Some of the more complicated cases are not
yet handled.
Several comparisons to the Internet Explorer 8 XSS filter were made in the
thread, generally unfavorably to Chrome's, but the Chrome filter is still
relatively
new. Certainly, the Chrome developers can learn from IE8's filter. Barth
looked at the IE8 algorithm (by extracting it from the binary)
and compared the two:
The IE8 filter is based on a dozen or so regular expressions that are
applied to the HTTP response before parsing. Our filter works a bit
differently. It watches the scripts that are being executed after
parsing. That means we're pretty robust to tricky parsing issues (like the
/ thing mentioned above). The trade-off is that we have to be more careful
when matching the script with the request because it's been transformed by
the parser a bit. That's why you get issues like the double-encoded iframe
JavaScript URL issue above. It's being run through the parser twice, which
tripped us up.
The whole thread is worth a read for anyone interested in XSS and the
various tricks used by those attacks.
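The filter idea from the paragraphs above (compare each script the page would run against the request that produced it, after converting both to a canonical form), together with the double-decoding pitfall Barth mentions, as an added example that is not Chrome's code: a small matcher over inline `<script>` elements, a single-decode canonical form beside a fixed-point one, and constructed request/response pairs for a search page that echoes its `q` parameter. The canonical form (case-folded, whitespace stripped, URL and entity decoding to a fixed point) and the server behaviour in the double-encoded case are assumptions for this example.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def fold(s):
    """Case-fold and drop whitespace, so trivial variations do not defeat the comparison."""
    return re.sub(r"\s+", "", s).lower()


def decode_once(s):
    """One decoding pass: URL %-escapes, then HTML character references."""
    return html.unescape(unquote_plus(s))


def canon_shallow(s):
    """Single-decode form: the parameter as the server sees it after one URL decode
    (parse_qsl has already done that pass), folded."""
    return fold(s)


def canon_deep(s, max_rounds=3):
    """Decode until a fixed point (bounded), then fold. A value the server decoded a
    second time before echoing it only lines up with the request after this extra
    round; this is the 'run through the parser twice' situation Barth describes."""
    for _ in range(max_rounds):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    return fold(s)


def reflected_scripts(request_url, response_body, deep=True, min_len=12):
    """Return the inline <script> elements of response_body that, canonicalized,
    occur inside a query parameter of the request that produced it; a browser-side
    filter would refuse to run these. min_len keeps short fragments that happen to
    appear in a parameter from being flagged."""
    canon = canon_deep if deep else canon_shallow
    params = [canon(v) for _, v in
              parse_qsl(urlsplit(request_url).query, keep_blank_values=True)]
    hits = []
    for m in SCRIPT_RE.finditer(response_body):
        script = canon(m.group(0))
        if len(script) >= min_len and any(script in p for p in params):
            hits.append(m.group(0))
    return hits


# Constructed request/response pairs for a search page that echoes its "q" parameter.
PAYLOAD = '<script>alert("XSS!")</script>'
BODY_ECHO = f"<html><body><p>Results for {PAYLOAD}</p></body></html>"
REQ_PLAIN = "http://search.example.test/?q=" + PAYLOAD
REQ_ENCODED = ("http://search.example.test/?q="
               "%3Cscript%3Ealert%28%22XSS%21%22%29%3C%2Fscript%3E")
# Every % above encoded once more as %25: the server receives the REQ_ENCODED form
# and, in this constructed scenario, decodes it a second time before echoing it.
REQ_DOUBLE = ("http://search.example.test/?q="
              "%253Cscript%253Ealert%2528%2522XSS%2521%2522%2529%253C%252Fscript%253E")
REQ_BENIGN = "http://search.example.test/?q=shoes"
BODY_BENIGN = '<p>Results for shoes</p><script>trackSearch("shoes")</script>'

if __name__ == "__main__":
    cases = [("plain", REQ_PLAIN, BODY_ECHO), ("encoded", REQ_ENCODED, BODY_ECHO),
             ("double", REQ_DOUBLE, BODY_ECHO), ("benign", REQ_BENIGN, BODY_BENIGN)]
    for name, url, body in cases:
        print(f"{name:8s} shallow={reflected_scripts(url, body, deep=False)} "
              f"deep={reflected_scripts(url, body)}")
```

The trade-off Barth notes shows up directly: the single-decode form misses the double-encoded case, while decoding to a fixed point catches it at the cost of matching more than the server may actually have decoded, which is why the page's own script elements (the benign case) must be checked for false positives too.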
While the Chrome reflective protection is fairly recent, with
bugs to
squash and features to add, it will provide some added
protection for users against XSS. It is a much simpler solution than
CSP—and doesn't require web developers to change the way they use
JavaScript—but it also only handles a subset of the full XSS
problem. Both techniques likely have their place, but filtering reflected
attacks is something that can be done more quickly than fundamentally
changing the JavaScript landscape as CSP requires. It seems likely that
Mozilla could pick up this technique to add to its XSS protection, while
still pushing CSP in the longer term. Given the "popularity" of XSS
attacks, it is great to see the browser makers looking at multiple ways to
reduce
the risk.
We would like to thank Marti Raudsepp for letting us know about a
security hole in the comment submission code for the site. We believe
it is now fixed and, in general, that we have tightened up our HTML
handling for comments. As part of that, we removed support for many
attributes on HTML tags by whitelisting a small set of attributes. We
might very well have been over-zealous and removed support for legitimate
attributes. Please let us know at lwn@lwn.net if that is the case.
We would also like to remind folks that we encourage anyone who finds a
security problem with the site to contact us (lwn@lwn.net works for that
too). We give prompt attention to such things and thank anyone reporting
them—rather than, say, turning them
over to law enforcement.
Brief items
Jamie Strandboge writes about work he has done to add AppArmor support to sVirt on his blog. "Since virtualization is becoming more and more prevalent, improving the security stance for libvirt users is of primary concern. It was very natural to look at adding an AppArmor security driver to libvirt, and as of libvirt 0.7.2 and Ubuntu 9.10, users have just that. In terms of supported features, the AppArmor driver should be on par with the SELinux driver, where the vast majority of libvirt functionality is supported by both drivers out of the box."
David Wheeler announces the defense of his PhD dissertation on countering the classic "Reflections on Trusting Trust" attack, which Ken Thompson spoke about in 1984. That attack subverts compilers to continuously re-infect binaries produced by that compiler (including the compiler binary itself) with some kind of malicious payload (a login back door was Thompson's example). The attack is impossible to detect, except by using Wheeler's technique, which was originally described in a 2005 Annual Computer Security Applications Conference (ACSAC) paper [PDF]. His dissertation expands on that work, and the defense of it is open to the public on November 23 at George Mason University in Fairfax, Virginia. "This 2009 dissertation significantly extends my previous 2005 ACSAC paper. For example, I now have a formal proof that DDC is effective (the ACSAC paper only had an informal justification). I also have additional demonstrations, including one with GCC (to show that it scales up) and one with a maliciously corrupted compiler (to show that it really does detect them in the real world). The dissertation is also more general; the ACSAC paper only considered the special case of a 'self-parenting' compiler, while the dissertation eliminates that assumption."
New vulnerabilities
expat: buffer overflow
Package(s): expat PyXML
CVE #(s): CVE-2009-3720
Created: November 4, 2009
Updated: May 6, 2011
Description: Incorrect UTF-8 sequences can cause expat (and tools using it, like PyXML) to read beyond its input buffer, leading to a crash.
Alerts:
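The bug class in the expat entry above (a decoder that trusts the length announced by a UTF-8 lead byte and reads continuation bytes past the end of its buffer), as an added example that is not expat's code: a scanner that does the trusting read beside a bounds-checked validator, cross-checked against Python's own decoder on constructed inputs. The lead-byte table follows the UTF-8 definition (RFC 3629 ranges, which exclude overlong forms and surrogates); everything else is constructed for the example.

```python
def lead_byte_info(b):
    """Return (sequence_length, lo, hi): the total length the lead byte announces
    and the allowed range for the second byte (the ranges that exclude overlong
    forms and UTF-16 surrogates). Length 0 means b is not a valid lead byte."""
    if b < 0x80:
        return 1, 0, 0
    if 0xC2 <= b <= 0xDF:
        return 2, 0x80, 0xBF
    if b == 0xE0:
        return 3, 0xA0, 0xBF
    if 0xE1 <= b <= 0xEC or 0xEE <= b <= 0xEF:
        return 3, 0x80, 0xBF
    if b == 0xED:
        return 3, 0x80, 0x9F
    if b == 0xF0:
        return 4, 0x90, 0xBF
    if 0xF1 <= b <= 0xF3:
        return 4, 0x80, 0xBF
    if b == 0xF4:
        return 4, 0x80, 0x8F
    return 0, 0, 0


def scan_trusting_lead_byte(buf):
    """Constructed 'before' scanner: reads as many continuation bytes as the lead
    byte announces without checking they lie inside the buffer. In C this is an
    over-read; here it raises IndexError on a sequence truncated at the end."""
    i = 0
    while i < len(buf):
        n, lo, hi = lead_byte_info(buf[i])
        if n == 0:
            return False
        if n > 1 and not lo <= buf[i + 1] <= hi:
            return False
        for k in range(2, n):
            if not 0x80 <= buf[i + k] <= 0xBF:
                return False
        i += n
    return True


def validate_utf8(buf):
    """Bounds-checked validator: returns (ok, offset), offset being the index of the
    first byte that starts an invalid or truncated sequence (len(buf) when ok).
    The added check is 'i + n > end': a truncated sequence is rejected before any
    byte past the end is touched."""
    i, end = 0, len(buf)
    while i < end:
        n, lo, hi = lead_byte_info(buf[i])
        if n == 0 or i + n > end:
            return False, i
        if n > 1 and not lo <= buf[i + 1] <= hi:
            return False, i
        if any(not 0x80 <= buf[i + k] <= 0xBF for k in range(2, n)):
            return False, i
        i += n
    return True, end


def over_reads(buf):
    """True if the trusting scanner touches a byte beyond the end of buf."""
    try:
        scan_trusting_lead_byte(buf)
        return False
    except IndexError:
        return True


def agrees_with_python_decoder(samples):
    """Cross-check: validate_utf8 must accept exactly what bytes.decode accepts."""
    for s in samples:
        try:
            s.decode("utf-8")
            expected = True
        except UnicodeDecodeError:
            expected = False
        if validate_utf8(s)[0] != expected:
            return False
    return True


SAMPLES = [  # constructed inputs
    b"plain ascii",
    "caf\u00e9 \u20ac \U0001F600".encode("utf-8"),
    b"\xe2\x82",           # 3-byte sequence truncated at the end of the buffer
    b"abc\xc3",            # 2-byte sequence truncated at the end of the buffer
    b"\xc0\xaf",           # overlong encoding of '/'
    b"\xed\xa0\x80",       # UTF-16 surrogate, not allowed in UTF-8
    b"\xf4\x90\x80\x80",   # above U+10FFFF
    b"\x80",               # stray continuation byte
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "valid:", validate_utf8(s), "trusting scanner over-reads:", over_reads(s))
```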
firefox, xulrunner: multiple vulnerabilities
Package(s): firefox-3.0, firefox-3.5, xulrunner-1.9, xulrunner-1.9.1
CVE #(s): CVE-2009-3371, CVE-2009-3377, CVE-2009-3381, CVE-2009-3383
Created: November 2, 2009
Updated: June 11, 2010
Description: From the Ubuntu advisory:
Orlando Berrera discovered that Firefox did not properly free memory when using
web-workers. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. This issue only
affected Ubuntu 9.10. (CVE-2009-3371)
Several flaws were discovered in third party media libraries. If a user were
tricked into opening a crafted media file, a remote attacker could cause a
denial of service or possibly execute arbitrary code with the privileges of the
user invoking the program. This issue only affected Ubuntu 9.10.
(CVE-2009-3377)
Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel Banchero, David
Keeler, Boris Zbarsky, Thomas Frederiksen, Marcia Knous, Carsten Book, Kevin
Brosnan, David Anderson and Jeff Walden discovered various flaws in the browser
and JavaScript engines of Firefox. If a user were tricked into viewing a
malicious website, a remote attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383)
Alerts:
kernel: null pointer dereference
Package(s): kernel
CVE #(s): CVE-2009-3547
Created: November 4, 2009
Updated: February 15, 2010
Description: The kernel contains a null pointer dereference vulnerability in the pipe code; see this article for details. Kernels from 2.6.21 (possibly even older) through 2.6.31 are affected.
Alerts:
kernel: null pointer dereference
Package(s): kernel-rt
CVE #(s): CVE-2009-3620
Created: November 4, 2009
Updated: November 12, 2010
Description: The r128 driver in the kernel contains a null pointer dereference vulnerability.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2009-3621
Created: November 4, 2009
Updated: February 19, 2010
Description: There is a possible denial of service (via deadlock) vulnerability in the kernel Unix-domain socket code.
libhtml-parser-perl: denial of service
Package(s): libhtml-parser-perl
CVE #(s): CVE-2009-3627
Created: October 30, 2009
Updated: January 12, 2010
Description: From the Debian advisory:
Mark Martinec discovered that the decode_entities() function will get stuck in an infinite loop when parsing certain HTML entities with invalid UTF-8 characters. An attacker can use this to perform denial of service attacks by submitting crafted HTML to an application using this functionality.
mahara: multiple vulnerabilities
Package(s): mahara
CVE #(s): CVE-2009-3298, CVE-2009-3299
Created: November 2, 2009
Updated: November 4, 2009
Description: From the Debian advisory:
CVE-2009-3298: Ruslan Kabalin discovered an issue with resetting passwords, which could lead to a privilege escalation of an institutional administrator account.
CVE-2009-3299: Sven Vetsch discovered a cross-site scripting vulnerability via the resume fields.
proftpd-dfsg: certificate spoofing
Package(s): proftpd-dfsg
CVE #(s): CVE-2009-3639
Created: November 2, 2009
Updated: December 28, 2009
Description: From the Debian advisory:
It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled.
rt3: JavaScript injection
Package(s): rt3
CVE #(s): (none)
Created: November 4, 2009
Updated: November 4, 2009
Description: From the rt 3.8.5 release announcement:
During a routine internal audit, it was determined that all versions of RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display of Custom Fields that could allow injection of javascript into the RT UI.
squidGuard: buffer overflows
Package(s): squidGuard
CVE #(s): CVE-2009-3700, CVE-2009-3826
Created: November 4, 2009
Updated: August 17, 2010
Description: Several buffer overflows have been found in versions 1.3 and 1.4 of squidGuard. These vulnerabilities can be exploited to cause a denial of service situation or to bypass URL blocking.
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-3550, CVE-2009-3829
Created: November 3, 2009
Updated: May 28, 2010
Description: From the Mandriva alert:
Vulnerabilities have been discovered and corrected in wireshark, affecting DCERPC/NT dissector, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace (CVE-2009-3550); and in wiretap/erf.c which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file (CVE-2009-3829).
wireshark: denial of service
Package(s): wireshark
CVE #(s): CVE-2009-3242
Created: November 4, 2009
Updated: November 25, 2009
Description: Wireshark's GSM layer 3 radio resource protocol dissector can be made to crash with the wrong input, leading to (at least) a denial of service problem.
Page editor: Jake Edge
Kernel development
Brief items
The current development kernel is 2.6.32-rc6,
released on November 3.
Linus says:
There's been a number of other nasty regressions since 2.6.31 that
got fixed too (largely drivers, several of them suspend/resume related or
in some cases apparently most easily triggered that way), so I'm hoping the
delay resulted in a better -rc all around. And I'm obviously hopeful that
we didn't introduce any major new regressions.
The short-form
changelog is in the announcement, or see the
full changelog for all the details.
There have been no stable kernel updates in the last week.
Unfortunately, our biggest competitors are our previous kernels,
and we (were?) really good at writing really fast kernels. And most
of our users who are running the competition are completely
satisfied with all the features it has, so an "upgrade" that
causes a slowdown does not go down well. A feature that 0.01% of
people might use but causes a 0.1% slowdown for everyone
else... may not actually be a good idea. Performance is a feature
too, and every time we do this, we trade off a little bit of that
for things most people don't need.
--
Nick Piggin
The fact is, maintainership does _not_ mean ownership. It means
that you should be _responsible_ for the code, and you get credit
for it, but if problems happen you do NOT "own" it. Not at all.
If you don't understand that, you shouldn't be a maintainer.
--
Linus Torvalds
It looks like the Linux kernel maintainers are frowning on the
FatELF patches. Some got the idea and disagreed, some didn't seem
to hear what I was saying, and some showed up just to be rude.
I didn't really expect to be walking into the buzzsaw that I did. I
imagined people would discuss the merits and flaws of the idea and
we'd work towards an agreeable solution that improves Linux for
everyone. It sure seemed to be going that way at first. Ultimately,
I got hit over the head with package management, the bane of
third-party development, as a panacea for everything.
--
Ryan Gordon
If anyone wants a choice quote from me about the recent Linux
holes, this is what I have to say: Linus is too busy thinking about
masturabating [sic] monkeys, he doesn't have time to care about
Linux security.
--
Theo de Raadt
By Jonathan Corbet
November 4, 2009
Back in mid-October, Earl Chew
reported a
null pointer crash in the kernel pipe code. Initial response to his report
was somewhat slow, partly because the kernel he was running was based on
2.6.21. Earl took the time to dig through the code and identify the
problem, though; it turns out to be an old vulnerability which is still
present in current kernels.
What it comes down to is that there is a race condition in the pipe code.
Prior to 2.6.32-rc6, the code which opens a pipe (for write-only access, in
this case) looks like:
    static int
    pipe_write_open(struct inode *inode, struct file *filp)
    {
        mutex_lock(&inode->i_mutex);
        inode->i_pipe->writers++;
        mutex_unlock(&inode->i_mutex);
        return 0;
    }
The problem is that if the final close of this pipe slips in at the wrong
time, inode->i_pipe may have been set to null. So this is yet
another null pointer vulnerability; the rest is just a matter of writing
the exploit. That exploit must face the challenge that the window of
opportunity is quite short, but computers are very good at continually
trying things until something works.
The fix
makes the code much more careful about checking the current status of the
pipe and refusing new opens if the final close has already happened.
Distributors are shipping updates.
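To make the shape of the bug and of its repair concrete, here is a small user-space model of the race, written for this article and not taken from the kernel: a fake inode whose final close frees the pipe and clears i_pipe, the unchecked open quoted above, and an open that re-validates i_pipe under the lock. The stub mutex, the field names beyond those quoted, and the -ENOENT return for a vanished pipe are this example's assumptions.

```c
#include <errno.h>
#include <stdlib.h>

/* Stand-in for the kernel's mutex so the model runs in user space; it only
 * records whether the lock is held. */
struct mutex { int held; };
static void mutex_lock(struct mutex *m)   { m->held = 1; }
static void mutex_unlock(struct mutex *m) { m->held = 0; }

struct pipe_inode_info {
    int readers;
    int writers;
};

struct inode {
    struct mutex i_mutex;
    struct pipe_inode_info *i_pipe;   /* NULL once the final close has run */
};

/* The pre-2.6.32-rc6 logic quoted above: take the lock, then trust i_pipe.
 * If the final close has already cleared it, this dereferences NULL. */
static int pipe_write_open_unchecked(struct inode *inode)
{
    mutex_lock(&inode->i_mutex);
    inode->i_pipe->writers++;
    mutex_unlock(&inode->i_mutex);
    return 0;
}

/* The repaired logic as the article describes it: re-check the pipe's state
 * under the lock and refuse the open if it is already gone. The -ENOENT
 * return code is this example's assumption. */
static int pipe_write_open_checked(struct inode *inode)
{
    int ret = -ENOENT;
    mutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->writers++;
        ret = 0;
    }
    mutex_unlock(&inode->i_mutex);
    return ret;
}

/* Model of the final release: drop one writer and, when no reader or writer
 * remains, free the pipe and clear i_pipe. Returns 1 if the pipe was freed. */
static int pipe_write_release(struct inode *inode)
{
    int freed = 0;
    mutex_lock(&inode->i_mutex);
    if (inode->i_pipe && --inode->i_pipe->writers == 0 &&
        inode->i_pipe->readers == 0) {
        free(inode->i_pipe);
        inode->i_pipe = NULL;
        freed = 1;
    }
    mutex_unlock(&inode->i_mutex);
    return freed;
}

/* A freshly created write-only pipe: one writer, no readers. */
static int inode_init(struct inode *inode)
{
    inode->i_mutex.held = 0;
    inode->i_pipe = calloc(1, sizeof(*inode->i_pipe));
    if (!inode->i_pipe)
        return -ENOMEM;
    inode->i_pipe->writers = 1;
    return 0;
}

/* The losing side of the race: the final close runs first, then a new open
 * arrives. With the check in place the open fails cleanly instead of crashing. */
int open_after_final_close(void)
{
    struct inode inode;
    if (inode_init(&inode) != 0)
        return -ENOMEM;
    pipe_write_release(&inode);             /* last user gone: i_pipe is NULL */
    return pipe_write_open_checked(&inode); /* -ENOENT */
}

/* The common case: the pipe is still alive, so both versions behave the same
 * and the writer count simply grows. Returns the final writer count. */
int writers_after_two_opens(void)
{
    struct inode inode;
    int writers;
    if (inode_init(&inode) != 0)
        return -1;
    pipe_write_open_unchecked(&inode);
    pipe_write_open_checked(&inode);
    writers = inode.i_pipe->writers;        /* 3 */
    free(inode.i_pipe);
    return writers;
}
```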
This particular bug is attracting attention because it is in the core
kernel and (relatively) straightforward to trigger. But it is far from
unique. A quick look at commits since 2.6.31 turns up no fewer than 34
which explicitly fix null pointer dereference bugs. Quite a few more fix
things that could be null pointer bugs, and there's no telling how many
more were fixed without an explicit mention in the commit title. Null
pointer bugs are common, and are likely to remain so for quite some time.
What is surprising about this bug is that some distributions are still
vulnerable to it. We have had the ability to keep null pointer bugs from
being exploitable for some time, but certain distributions - generally of
the "enterprise" variety - disable that protection by default. Sites
running such distributions might want to be sure that they have the
vm.mmap_min_addr knob set to a reasonable value; either that or expect to
be vulnerable to more null pointer exploits in the future.
The IDE drivers have been a relative backwater for a while now; most
distributions have made the transition to the newer libata-based PATA
driver set. But IDE remains in the kernel with no indication that it's no
longer the preferred way of doing things. This can be a problem because,
among other things, it encourages developers to
submit new IDE-based drivers, only to be told
that such drivers are no longer being accepted.
To help head off such problems, Robert Hancock has submitted a patch to mark IDE as deprecated. David
Miller has accepted the patch for 2.6.33,
but it might not yet actually get there. David sees a couple of things
which need to be fixed first:
- He would like to see libata create IDE-style device names
(/dev/hdX) so that systems using those names in their
fstab files will continue to work. One might argue that any
such change is a few years late - most systems have been through the
pain of that change already. At this point, mounting by label or UUID
is common, so few users should be affected by the loss of old-style
device names. And, as Alan Cox pointed
out, udev rules can always be written to create those names if
need be. So this requirement may not stick.
- There are some IDE devices which are not yet supported in libata; the
"pmac" driver (for PowerMac on-board IDE devices) is the most-cited
example. Until these devices have support in libata, the IDE layer
clearly cannot be deprecated or removed.
Alan has also suggested that IDE will die of its own accord, and that there
is no need for additional pressure for users to move from it. The warning
may go in anyway, though, just for those who don't get the message in other
ways. If it prevents one developer from spending time on a new IDE driver,
it's probably worthwhile.
Kernel development news
By Jonathan Corbet
November 3, 2009
It can be tempting to dismiss scalability work as being of interest mainly
to companies running massive server systems; most "ordinary" Linux users
are not running into the kind of problems that scalability-oriented
developers are trying to fix. But, of course, the truth of the matter is
that those users haven't encountered those problems
yet. The past
work of scalability-oriented developers is what makes our current desktop
and laptop systems work as well as they do; their current work will enable
next year's consumer-level systems. So Nick Piggin's Japan Linux Symposium
talk on virtual filesystem scalability will be of interest to anybody who
anticipates using Linux in the future.
That said, one of the key constraints on scalability work is that it must
not worsen performance on current systems. So Nick is taking care that his
VFS work will improve scalability with no impact on single-threaded
performance. Beyond that, he is aiming to improve scalability within a
single filesystem - forcing system administrators to split their
filesystems to get better performance would be cheating. To get there, he
has identified five specific bottlenecks which must be addressed.
The first of those is files_lock; it is, he says, the
easiest to fix. This global lock protects a per-superblock list of open
files; it is needed by the file open and close paths. As the number of
threads grows, this lock limits the scalability of filesystem-oriented
workloads. The lock itself is only part of the problem; the real issue is
that a single list_head is never going to be scalable in
multiprocessor situations. In this case, it turns out that the kernel
almost never needs to read the full list of open files; that only happens
at unmount time. So turning the single list into a per-CPU list is a
viable option; it eliminates the locking altogether and makes the
management of the list scalable. The only tricky part is when files are
removed; that requires cross-CPU access to the list.
Next on the list is vfsmount_lock, which is used when
finding mounts from directory entry ("dentry") structures. This lock is
taken when crossing mount points in the path lookup process; it is also
used at mount and unmount time. Pathname lookup is clearly a
performance-critical path in the kernel, so getting rid of a global lock
can only be a good thing. Nick considered using read-copy-update
(RCU) for pathname lookup, but he found it to still be too slow. Part of
the problem
is the need to block all readers at unmount time, something that RCU cannot
do on its own.
The solution is to go to per-CPU locks. Nick has introduced a variant
on per-CPU locks called brlocks, or "big
reader locks." These locks share the name and goal of the 2.4.x brlocks which were removed in the 2.5
development cycle, but the implementation is different. Essentially, a
brlock is per-CPU for read access, but write access excludes all other
users on all CPUs. Since pathname lookup is a read-only operation, brlocks
will be fast where the kernel needs them to be; unmounts will be slow, but
those are relatively rare operations.
mnt_count is a per-filesystem reference count, incremented
for each open and decremented for each close. Like the global list
described above, this
global counter limits the scalability of opens and closes. Once again,
going per-CPU is the obvious solution here, with the minor problem that a
put() operation must check whether the (global) count is zero.
But, as it happens, that case only comes about when the filesystem is not
actually mounted, so this check need not be performed most of the time.
The hardest one to fix is dcache_lock. Most VFS operations
need it, with the sole exception of name lookup, which has used RCU for a
while now. Some operations - LRU scanning and reclaim in the dentry cache
in particular - can hold the lock for a long time. And the lock covers a
whole bunch of different - and sometimes unknown - things. The exporting
of dcache_lock to filesystems has not helped here; individual
filesystems are using it for their own, not always clear, ends. So a
developer trying to bring dcache_lock under control must start by trying to
figure out what it is being used to protect.
Nick has done his best to split apart the various locking cases; these
include the dentry cache hash, the dentry LRU list, the inode dentry alias
list, various statistics, etc. Some of this stuff is moved under the
protection of the per-dentry spinlock (d_lock); other things, like
the dentry hash and LRU, get new locks. There are a lot of problems still,
starting with lock-ordering challenges. Nick is working around some of
these using non-blocking "trylock" operations, but that kind of code tends
to be hard to merge. The various locking cases are still not truly
independent from each other; among other things, that imposes more ordering
requirements. And walking up the directory tree (trying to determine a
path name from a dentry, usually) becomes much harder in the absence of a
global lock.
In summary, cleaning up dcache_lock looks like a long and messy
project. This is just the lock which is showing up as the worst bottleneck
in some situations, though, so the work needs to be done.
Finally, there is the matter of inode_lock, which is needed
by most inode operations (lookup, creation, destruction, writeback, sync,
etc). As with dcache_lock, Nick has split the locking into a
number of independent classes - the inode itself, the inode hash, the LRU
list, and so on. Some of these classes are moved under the per-inode lock,
while specific locks have been added for some cases. The per-superblock
inode list has been made into a per-CPU variable, as have the counters used
to generate statistics. Nick has also made the allocation of inode numbers
into a per-CPU operation by assigning a range of numbers to each
processor. This means that inode numbers are no longer allocated
sequentially; it's not clear whether that will be a problem or not.
So what comes of all this work? Nick claims "great" open/close
scalability, and "good" create/unlink scalability. He showed the results
of running a microbenchmark which just did close(open(path))
repeatedly; with current mainline, he was able to get 450 operations/second
on each of 64 CPUs. With the scalability patches added, that rate went up
to over 300,000 operations/second - a significant improvement. Running
unlink(creat(path)) shows better scalability even with two CPUs -
but it does, for some reason, impose a cost on single-threaded workloads on
the ia-64 architecture.
The VFS scalability work is clearly worth doing; we'll all be glad that
these problems have been ironed out someday. But there are still some messy
things to clean up, so this patch set (or the gnarlier parts of it, anyway)
may take a while on its way into the mainline.
By Jake Edge
November 4, 2009
Sharing code where it is possible is normally considered a good thing, but
there are some limits to what can be shared. One of the limiting factors
is often license compatibility; GPL code, in particular, often cannot be
combined with code under other licenses and then distributed.
The kernel is licensed under the GPL, but, since it's rare that anyone
wants to combine its code with user-space applications, license
incompatibilities have not been much of a problem.
There is, however, some
kernel tracing
infrastructure that could be shared with user-space tracing
applications—likely
benefiting both—if those parts of the kernel were available under
more permissive licenses. Mathieu Desnoyers, who has developed much of
that infrastructure, has set out to try to relicense some fairly small portions of the
kernel under dual licenses, so that the code can be shared.
Essentially, Desnoyers would like to be able to use the kernel tracing
infrastructure in the Linux Trace
Toolkit Next Generation (LTTng) user-space tracer (UST). He describes the need as follows:
The intent is to allow the tracer code developed both on the kernel-side
as part of Ftrace and LTTng and on the userspace side within UST to be
shared when appropriate. As a result, we can consider userland-only
solutions to user-space tracing without rewriting all the kernel
tracing infrastructure from scratch.
All of the files are currently licensed under the GPLv2, but Desnoyers
would like to
see the C files available under a dual GPLv2/LGPLv2.1 license, and the
header files under a dual GPLv2/BSD license. In order to do that—at
least under the most inclusive interpretation of copyright—he must
get permission for the relicensing from each contributor to those files.
His message to linux-kernel listed the few remaining contributors
that he had
not yet heard from.
The files of interest are kernel/marker.c and
kernel/tracepoint.c, along with the corresponding header files in
include/linux. For 2.6.32, kernel markers have been removed, with
all users converted over to use trace events, but marker.[ch] are
still used by UST. The idea is that the C files could be
turned into a user-space library that could be dynamically linked to
applications that required it, while the header files (with an even more
permissive license) could be used to add static tracepoints to any
application, proprietary or free.
For the most part, the relicensing has been met with approval from the
developers who responded, with several saying that they didn't think their
contributions warranted requiring their approval, but they gave it anyway.
Steven Rostedt ran the C file relicensing by Red Hat's legal department and
was granted permission for all of the Red Hat contributions to be dual
licensed under the GPLv2/LGPLv2.1. The header file GPLv2/BSD dual
licensing is still pending with Red Hat, according to Desnoyers.
There are still a few developers who have not responded, but their
contributions are quite small, and could be rewritten rather easily if
necessary. A bigger stumbling block may be opposition from Ingo Molnar, who seems to
consider the relicensing process to be legally dubious: "the
legality of such relicensing is questionable as that code was never
developed outside of the kernel but as part of the kernel". In
addition, he has technical concerns:
But i also disagree with it on a technical level: code duplication is
_bad_. Why does the code have to be duplicated in user-space like that?
I'd like Linux tracing code to be in the kernel repo. Why isn't this done
properly, as part of the kernel project - to make sure it all stays in
sync?
So for those two grounds i cannot give my permission for this
relicensing, sorry.
Whether Molnar's permission is actually required is something of an open
question as his employer (Red Hat) has already given permission for his
work to be relicensed. But, if there are serious concerns that
lead to a "nack" from him on the relicensing patch, things get rather
murky. It may be that there is a disconnect between Desnoyers and Molnar
such that Desnoyers's intent is not clear. As Pierre-Marc Fournier points out, not relicensing the code leads to
code duplication as well:
So the GPL code will have to be rewritten. And this will result in the
exact same drawbacks you are trying to avoid by being against
dual-licensing. The goal of dual-licensing is to make it possible to
keep the code in sync between kernel and userspace, not the opposite!
Essentially, Desnoyers wants user-space applications to be able to contain
tracepoints that are based on the same code that is used now in the
kernel. Those applications may be under a variety of free or proprietary
licenses, but the tracepoints are just a static instrumentation technique
that could be shared. As Rostedt puts it:
But what I think is trying to be done here is to use the same types of
MACROS that we have in the kernel to do tracing in userspace. That a
userspace program can add their own "TRACE_EVENT" and that the headers
there will create a tracepoint for them the same way we currently do in
the kernel.
Molnar has gone quiet on the topic, as has the thread, but the idea,
overall, seems reasonable. While it does expose a kernel interface
to user space, it doesn't tie the kernel to any ABI/API for the future. If the
kernel needs to change, either the user-space libraries will change right
along with it, or there will be a fork. Given that the players involved
work on both the kernel and user-space sides of the problem, that seems
somewhat unlikely to happen, but it certainly doesn't seem like that split
need happen now.
By Jonathan Corbet
November 4, 2009
The Linux memory management code does its best to ensure that memory will
always be available when some part of the system needs it. That effort
notwithstanding, it is still possible for a system to reach a point where
no memory is available. At that point, things can grind to a painful halt,
with the only possible solution (other than rebooting the system) being to
kill off processes until a sufficient amount of memory is freed up. That
grim task falls to the out-of-memory (OOM) killer. Anybody who has ever
had the OOM killer unleashed on a system knows that it does not always pick
the best processes to kill, so it is not surprising that making the OOM
killer smarter is a recurring theme in Linux virtual memory development.
Before looking at the latest attempt to improve the OOM killer, it is worth
mentioning that it is possible to configure a Linux system in a way which
all but guarantees that the OOM killer will never make an appearance. OOM
situations are caused by the kernel's willingness to overcommit memory. As
a general rule, processes only use a portion of the address space they have
allocated, so limiting allocations to the total amount of RAM and swap
space on the system would lead to underutilization of system memory. But
that limitation can be imposed on systems which can never be allowed to go
into an OOM state; simply set the vm.overcommit_memory sysctl knob
to 2. Individual processes are much more likely to see allocation
failures in this mode, but the system as a whole will not overcommit its
resources.
Most systems will allow overcommitted memory, though, because the
alternative is too limiting. Overcommit works almost always, but the
threat of a day when the Firefox developers add one memory leak too many
always looms. When that sad occasion comes to be, it would be nice if the
OOM killer would target that leaky Firefox process instead of, say, the X
server and PostgreSQL. Many attempts have been made to add
smarts to the OOM killer over the years; there's also a means by which the system
administrator can steer the OOM killer toward or away from specific
processes. But manual configuration is only suitable for certain,
relatively static workloads; for the rest, the OOM killer often proves less
discriminating than one would like.
The latest attempt to fix the OOM
killer comes from Hiroyuki Kamezawa. This patch makes a number of
fundamental changes to the selection of OOM victims. The result is an OOM
killer which is smarter in some ways, but which takes a somewhat different
approach to the selection of its victims.
One of the factors that the current OOM killer takes into account, naturally, is
the amount of memory being used by each process. But the measure used
(mm->total_vm) is somewhat crude: it penalizes processes using
a lot of shared memory and says little about how much physical memory the
process is using. Hiroyuki's patch tries to move away from total_vm in
most situations, looking at the actual resident set size (RSS) and possibly
taking into account the amount of swap space used as well.
Figuring in swap usage is controversial. A program which is using a lot of
swap is clearly putting pressure on memory, but, if that program has been
mostly swapped out, killing it will not immediately free much RAM. Eventually
other processes can be shifted into the newly-freed swap space, but it
might make more sense to just do away with those other processes at the
outset. Even so, Hiroyuki's patch, for now, will figure in swap space if
specific constraints do not force the use of other criteria.
One constraint which can change the calculation is when the memory shortage
is specific to low memory - the region of memory which can be directly
addressed by the kernel. When a low-memory allocation is required, nothing
else will do, so there is little value in killing processes which are not
hogging low-memory pages. With Hiroyuki's patch, the VM subsystem tracks
how much low memory each process is using as a separate statistic. If the
OOM situation is caused by an attempt to allocate low memory, the OOM
killer's "badness" function will focus on processes holding large amounts
of low memory.
The current OOM killer makes an attempt to target "fork bomb" processes by
adding half of each child's "badness" value to its parent. A process with
a lot of children will thus have a high badness and will thus come under
the OOM killer's baleful gaze sooner. The problem here, of course, is that
some processes legitimately have lots of children - the session manager
for the user's desktop environment is a good example. Killing
gnome-session is likely to free substantial amounts of memory, but
the user's gratitude may be surprisingly limited.
The patch changes the fork bomb detector significantly. The new code
counts only the child processes which have been running for less than a
specific amount of time (five minutes in the posted patch). If one process
has newborn children which make up at least 1/8 of the processes on the system,
that process is deemed to be a fork bomb; it is duly rewarded with a spot
at the top of the OOM killer's short list.
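The fork-bomb rule described above, worked through as an added example (not code from the posted patch): a process is flagged when its children younger than the age limit make up at least 1/8 of all processes. The process table is constructed here, the record layout is this example's own, and the five-minute limit and 1/8 fraction are the values the article quotes.

```c
#include <stddef.h>

#define FORK_BOMB_MAX_AGE  (5 * 60) /* "five minutes" in the posted patch, in seconds */
#define FORK_BOMB_FRACTION 8        /* newborn children must reach 1/8 of all processes */

/* Constructed process record; the field names are this example's, not the kernel's. */
struct proc {
    int pid;
    int ppid;
    unsigned long start_time;   /* seconds since boot when the process was created */
};

/* Number of children of `parent` that are younger than the age limit at `now`. */
size_t count_newborn_children(const struct proc *procs, size_t n,
                              int parent, unsigned long now)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (procs[i].ppid == parent &&
            now - procs[i].start_time < FORK_BOMB_MAX_AGE)
            count++;
    }
    return count;
}

/* The rule described above: the parent is a fork bomb when its newborn
 * children make up at least 1/8 of the processes on the system. Children
 * that have been running for a long time do not count against it. */
int is_fork_bomb(const struct proc *procs, size_t n, int parent, unsigned long now)
{
    size_t newborn = count_newborn_children(procs, n, parent, now);
    return n > 0 && newborn * FORK_BOMB_FRACTION >= n;
}

/* Constructed process table: a session manager that has had four children
 * since boot, and a process that spawned three children seconds ago. */
static const struct proc sample_table[] = {
    {   1,   0,    0 },   /* init */
    { 100,   1,   10 },   /* session manager, started at boot */
    { 101, 100,   12 },   /* its children, all hours old */
    { 102, 100,   12 },
    { 103, 100,   15 },
    { 104, 100,   20 },
    { 200,   1, 7190 },   /* suspect, started ten seconds ago */
    { 201, 200, 7195 },   /* three children a few seconds old */
    { 202, 200, 7196 },
    { 203, 200, 7197 },
};
static const size_t sample_count = sizeof(sample_table) / sizeof(sample_table[0]);
static const unsigned long sample_now = 7200;   /* two hours after boot */

/* The session manager has many children, but none is young: not flagged. */
int session_manager_flagged(void)
{
    return is_fork_bomb(sample_table, sample_count, 100, sample_now);
}

/* Three newborn children out of ten processes exceed 1/8: flagged. */
int suspect_flagged(void)
{
    return is_fork_bomb(sample_table, sample_count, 200, sample_now);
}
```

Under the old rule, which adds half of each child's badness to the parent, the session manager would have scored worse than the suspect; the age cut-off is what reverses that.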
Finally, the current OOM killer tries to kill newly-created processes,
while allowing long-running processes to continue. Hiroyuki feels that
this approach creates a loophole for long-running processes which slowly
leak memory. That web browser may have been running for a long time and is
thus a high-value process, but it has been dropping memory on the floor for
that long time and is also the cause of the problem. So the new code
changes the calculation to look at how long it has been since the process has
expanded its virtual memory size. A process which has been running for a
long time, but which has not grown in that time, will look better than one
which has been expanding.
There seems to be little disagreement with the idea that the OOM killer
needs a rework, but not everybody is sold on this approach yet. It looks
like a very large change, which makes some people nervous. It also shifts
the focus of the OOM killer's attention in a significant way: the current
heuristics were designed to be as unsurprising to the user as possible,
while the new ones are focused more strongly on freeing RAM quickly. But,
given that the existing heuristics are still clearly producing plenty of
surprises, perhaps a more goal-oriented approach makes sense.
(Naturally, no article on the OOM killer is complete without a link to this 2004 comment from Andries
Brouwer).
Page editor: Jonathan Corbet
Distributions
News and Editorials
By Jonathan Corbet
November 4, 2009
Like many development projects, Fedora would like for its mailing lists to
be a nicer place. Hostile and flame-filled lists can only drive away
potential contributors who do not have the stomach (or the email-reading
bandwidth) for that kind of discussion. Fedora's approach to this problem
is the "hall monitor policy," which empowers certain community members to act to suppress
conversations which are deemed to be counterproductive. The monitors (Josh
Boyer, Tom "Spot" Callaway, and Seth Vidal) recently made use of their
power on fedora-devel-list; as a result, we can see what kind of discussion
the project would rather do without.
The policy tasks the hall monitors this way:
They will be subscribed to and monitor the selected mailing lists
for instances of posts that are out of line with the "be excellent
to each other" motto. This includes, but is not limited to:
personal attacks, profanity directed at people or groups, serious
threads [sic] of violence, or other things seen by the monitor as to be
purposefully disrespectful.
Should they encounter this kind of stuff, they can send warnings to
specific participants in the discussion, force their email to go through
moderators for a day or two, and issue "thread closure" notices to try to
halt out-of-control conversations.
The thread which brought on the monitors seemed to start innocently enough
- though many observers could have predicted what was going to happen.
Ankur Sinha posted a help request noting
that wodim was failing to burn DVDs correctly. Your editor can hear the
forehead-slapping from here: any such post is well known, by now, to be an
open invitation for Jörg Schilling to show
up and complain about the
existence of wodim (and its parent package cdrkit) when distributions
should, of course, be shipping his cdrtools package. Show up he did, with predictable results.
This particular issue has been covered here before; there is really nothing
new to report about it. But that did not stop Jörg from repeating his
arguments on the list - lots of times. After a while, Tom
served notice that the thread was
"now covered under the hall-monitor policy" and that future
posts would elicit formal warnings. It took a few of those warnings, but
the intervention had the desired effect: the thread has pretty well died
out.
One could see this action as a victory for those trying to improve the
mailing list environment. Cdrtools-related threads, wherever they appear,
tend to go on for a very long time and to accomplish very little.
Doubtless there are plenty of fedora-devel-list subscribers who do not
regret this thread's truncation.
But one should always question the suppression of conversation, and there
are things to question here. The thread seemed to be profanity-free, and
there were no threats of violence. Some messages could, perhaps, be seen
as a "personal attack" or "disrespectful" against Jörg, but they were
on the mild side; fedora-devel-list has seen far worse. Serious flames
were all but lacking here. The
discussion, while treading on the edge of what policy allows, did not
clearly go beyond it. So one might speculate that the real reason this
thread was shut down was (1) the monitors had good reason to believe
that it was about to escalate into clearly policy-infringing territory, or
(2) they just didn't want to endure yet another interminable cdrtools
argument.
Either way, the shutdown could be seen as a little troubling. Distributors
should think twice before silencing developers who are unhappy about how
their software is being distributed (in all fairness, Red Hat and Fedora
have given Jörg several opportunities to express his view on this
matter). Some participants were trying to talk about the poor state of cdrkit, which is an
increasingly serious problem. Many of us burn fewer discs than we used
to, but there is still a need for a good program for the writing of optical
media. Cdrkit works for a lot of people, but it has clear problems and
does not seem to be under any sort of active development. Suppressing
discussions will not make that problem go away.
This intervention may well have been justified; certainly it's unlikely
that anything useful was going to come from that particular discussion.
But the use of repressive power should always be reviewed. It would be a
shame if, someday, an important development project came to have very
polite "halls" where people were afraid or unable to talk about important
issues.
Comments (4 posted)
New Releases
ALT Linux has
announced the release of new Platform Five products.
"ALT Linux announces public availability of two products based on Platform Five: ALT Linux 5.0 Ark, a suite designed for making integrated solutions, and ALT Linux 5.0 School, a suite that is [targeted] at secondary and high schools."
Comments (none posted)
The Mandriva 2010.0 release is available. New features include KDE 4.3, GNOME 2.28, a 2.6.31 kernel, a full Moblin environment, and more. See
the release notes and
the release tour for details.
Comments (1 posted)
The final release candidate for openSUSE 11.2 is available.
"This is it folks! We're almost there for openSUSE 11.2. Time to grab the final
11.2 release candidate and shake out any remaining bugs to get the lizard
ready for release. This release includes an updated kernel, Samba, Firefox,
and more.
This release should be almost ready for the gold master stamp, but there's
still time to shake out remaining bugs."
Full Story (comments: none)
Version 10.2009 of Toorox has been
announced.
"The content:
- The Kernel 2.6.31-gentoo
- The KDE 4.3.2 as desktop environment
- Xorg-Server version 1.6.5
- OpenOffice 3.1.1
- Amarok 2.2 as the KDE multimedia player
- The media player VLC 1.0.2
- IceCat 3.5.3
- and much more ..."
Comments (none posted)
The Ubuntu 9.10 release is out. Actually, several releases are out: the desktop edition, the server edition, a UEC (cloud) image, Kubuntu, Xubuntu, Edubuntu, Mythbuntu, Ubuntu Studio, and an ARM version. See the overview for a summary of what's new in this release.
Full Story (comments: 22)
Distribution News
Debian GNU/Linux
Martin Michlmayr has announced some new Debian documentation.
"I wrote several new guides about Debian on the Linksys NSLU2 this
weekend. The new guides cover the following topics:
- Troubleshooting: common problems and their solutions
- Internals about the boot process of Debian on the NSLU2
- Modifying a NSLU2 firmware image
- Cloning a NSLU2
- Migration guide: how to move your Debian installation from your NSLU2 to a SheevaPlug."
Full Story (comments: none)
The Debian ftp-team has released a short status report.
"Just a quick update on goings on in ftpmaster after the meeting last week.
We'll be sending out a full report as soon as we've finished writing it, but we
wanted to make people aware of a few things."
Full Story (comments: none)
Fedora
The next Fedora Board IRC meeting has been announced.
"The Board is holding its monthly public meeting on Thursday, November
5, 2009, at 1700 UTC on IRC Freenode. For this meeting, the public
is invited to do the following:..."
Full Story (comments: none)
The Fedora-Medical SIG has been launched.
"Simply put, the goal of the SIG is going to be:
1. Working on identifying the various workflows / needs of the medical
or healthcare community in terms of software.
2. Bringing together and packaging the software that fits in the workflow.
3. Composing a spin to get an out-of-the-box solution.
4. At a later stage, developing any crucial app that may be lacking.
To make it a success, we need volunteers. So please join, if you feel
that it is a worthy cause. Once a few more people are there, we can
discuss and take it forward."
Full Story (comments: none)
Gentoo Linux
Linux Magazine looks at benchmarks for Gentoo using different levels of GCC optimization. Testing -O2, -O3, and -Os (the last being "optimize for size") for Gentoo, as well as adding Ubuntu 9.04 into the mix, they run the Phoronix test suite and graph the results. As one might guess, the results are mixed: "These tests show that when it comes to optimizing with GCC, there is not a huge amount of difference between them. If there had to be a winner, it would probably be -O2. It was often on par with -O3 while sometimes leading and sometimes trailing by a small margin. The fact that -O2 will also result in lower memory usage probably helps to tip the scales in its favour."
Comments (62 posted)
Ubuntu family
Development on the next release of Ubuntu, Lucid Lynx, is underway.
"We do not recommend that users upgrade to Lucid at this time; it is
likely to be in very considerable flux until the initial round of
merges is complete. As ever, any developers wishing to take the plunge
at this early stage should ensure that they are comfortable with
recovering from anything up to complete system failure.
Automatic syncs from Debian will begin shortly. Because Lucid is an LTS,
autosyncing will track the Debian testing series for this cycle, rather than
Debian unstable as we normally do."
Full Story (comments: 1)
Other distributions
TurnKey Linux has announced the addition of 40 cloud-based virtual appliances.
"TurnKey Linux has announced its largest release to date, which includes 25 new additions to its free virtual appliance library featuring some of the world's best open source software. Support has been added for Amazon EC2 cloud and the OVF virtual appliance format.
The project which already supported many popular open source applications including WordPress, Joomla, Drupal, Ruby on Rails, LAMP and Django has expanded its virtual appliance library..."
Comments (1 posted)
Distribution Newsletters
Issue #200 of the Fedora Weekly News has been published.
"Welcome to FWN issue 200, an impressive milestone! This week's issue
starts off with news and views from the Fedora community, including
further work on libguestfs, examination of several new features in
Fedora 12, and work on a new tool for ICC color management in Gnome. In
Quality Assurance, details from last week's Test Day on
internationalization support in Fedora, and great updates on the various
QA weekly meetings as we get closer to Fedora 12. In Translation news,
several updates pertinent to Fedora 12 GA release, as well as details on
Publican 1.0, which the Docs and Translation teams use for publishing
books, articles, papers and multi-volume sets with DocBook XML."
Full Story (comments: none)
Issue #95 of the OpenSUSE weekly News is online.
"In this week's issue:
* openSUSE News: Announcing the Second openSUSE Board Election
* Sneak Peeks (Preview 11.2)
* nixCraft/Vivek Gite: 20 Linux Server Hardening Security Tips
* Joe Brockmeier: openSUSE 11.2 final release candidate ready!
* openSUSE Forums: openSUSE 11.2 the Perfect KDE Distribution".
Full Story (comments: none)
Issue #166 of the Ubuntu Weekly Newsletter is out.
"In this issue we cover: Ubuntu 9.10 released,
Ubuntu Open Week, Ubuntu One Blog: File sync status update, Canonical
Blog: Landscape 1.4 Adds UEC Support, Asia Oceania Membership Board - 27
Oct 09, New MOTU, Ubuntu LoCo News, Meet Francis Lacoste, Accessing Git,
Subversion and Mercurial from Bazaar, Commenting on questions, The
Planet, Full Circle Magazine #30, Ubuntu Rescue Remix, and much, much more!"
Full Story (comments: none)
Newsletters and articles of interest
Harald Welte has issued a scathing
opinion of Android on his blog. He bases it on Matt Porter's presentation at the Embedded Linux Conference Europe, called "
Android Mythbusters" [PDF]. Porter outlined what he learned while porting Android to PowerPC and MIPS architectures. Welte characterizes Android as Google having "
thrown 5-10 years of Linux userspace evolution into the trashcan and re-implemented it partially for no reason. [...] Executive summary: Android is a screwed, hard-coded, non-portable abomination."
Comments (43 posted)
Distribution reviews
Canada's Globe and Mail reviews Ubuntu 9.10.
"The Ubuntu Linux menagerie has birthed a new creature, the Karmic Koala, with the release last week of Ubuntu Linux 9.10. The successor to the release code named Jaunty Jackalope (aka version 9.04) boasts a herd of changes and enhancements that are so far making testers smile."
(Thanks to Philip Webb).
Comments (none posted)
ComputerWorld presents a review of three netbook distributions.
"In this round-up, I take a look at three alternative netbook operating systems: Ubuntu Netbook Remix (from Canonical Ltd.), Moblin (from The Linux Foundation) and Jolicloud (an upcoming spin-off of UNR which, as of this writing, has yet to be officially released). I evaluate their ease of installation, usefulness, and whether they might breathe new life into your netbook."
Comments (none posted)
Page editor: Rebecca Sobol
Development
November 4, 2009
This article was contributed by Koen Vervloesem
At the end of October, NLUUG held its Fall Conference with the theme The Open Web. Steven Pemberton, researcher at
the Centre for Mathematics and Computer Science in Amsterdam and involved
with the web since the beginning, set the stage with his keynote about the
different dimensions of openness.
At a conference that focuses on an open web, it's natural to sit back
first and think about what we mean by "open". Pemberton gave some obvious
examples of technologies that are bad for openness on the web, such as
proprietary media formats, Flash, and so-called "Web 2.0" sites, which lock
your own data in silos. On the other side, there are technologies such as
XML, CSS, and RDFa that promote openness.
Device-independence
The discussion is not so much about technology as it is about how people are
(ab)using it. Pemberton showed an example of the web site of the Dutch
national airline KLM, which blocks browsers they don't "support". Other web
sites block users if their screen size is "too small", or they redirect the
user to a mobile version of the web site, even if the user wants to browse
the full site on his smartphone with a high-resolution screen. So these web
developers decide how, or if, a certain class of users sees the web site,
just because they are too lazy to implement their web site in a
device-independent way.
According to Pemberton, we have all the technology to design
device-independent web sites at our disposal. For example, with XForms the designer can describe
what a form control is meant to do instead of implementing it, e.g. as a
radio button. The form description can then be mapped to specific controls
dependent on the device, such as different controls for a desktop browser
or a cell phone, or even a voice menu on a phone call.
Web 2.0 walled gardens
Another challenge for the open web is the myriad of Web 2.0 sites that
have entered our lives during the last five years or so. Since the monetary
value of a Web 2.0 site comes from advertising sales targeting its
user-generated content, these web sites tend to lock in their users. This
places an immediate burden on the user: does he choose LinkedIn, Xing, or
Plaxo for his professional social network? Or does he have to use them all
because some of his contacts use LinkedIn and others Xing?
According to Metcalfe's law, the value (or utility) of a network is
proportional to the square of the number of nodes. This means that when you
split a network (social network, instant messaging network, e-mail
distribution system, etc.) in half, each part only has one quarter the
value of the combined network and the total value is
halved. Looking at the case of LinkedIn and Xing, this makes sense:
fragmentation is not good for the users.
Moreover, without standards for migrating data between services, users
that value their freedom of choice face a nightmare. What if the social
network goes out of business? What if the web site crashes and has no
backup? Without data portability, you lose your data in both
situations. The web site's owners can impose terms of use that cause other
significant problems for users: Pemberton told the story of someone's Facebook
account that was deleted because he used screen scraping to download all the
email addresses of his friends.
A web site for every home
The solution to these walled gardens sounds simple: "Publish your
data yourself and let others aggregate it." According to Pemberton,
we already have all the technology at our disposal to achieve data
portability. Mark your site up with RDFa, an extensible way
to embed rich metadata within web documents, and a W3C recommendation since
October 2008. "RDFa is CSS for meaning", Pemberton
summarized. "This is also why you should have your own web site. APIs
and XML feeds are just poor substitutes for having your data right on your
own web site." Drupal, a leading
open source content management system, already has RDFa support.
As an example of what is possible with RDFa, take Flickr. It hosts a lot
of photos for its users, and it is a convenient web site. If everyone starts
publishing their photos on their own web site, a lot of this convenience
gets lost. However, if these web sites use RDFa, someone can write
an aggregator that can be a "Flickr killer" yet remains open.
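As an added illustration of the "publish your data yourself and let others aggregate it" model and of the Flickr-style aggregator just described, here is a small Python consumer that pulls RDFa triples out of an HTML page. It is example code written for this article, not code from Pemberton, Drupal or any RDFa project; it implements only the about/typeof/property/content/resource/prefix subset of RDFa (no rel/rev, no blank nodes), and the photo page it parses is constructed sample input with an assumed base URL of http://example.org/. The one check an aggregator author should not skip is the one in safe_iri: every subject or object IRI it stores must use http(s), because a stranger's page can otherwise feed it javascript: or data: links that come back out as clickable links when the aggregated data is rendered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
DEFAULT_PREFIXES = {"dc": "http://purl.org/dc/terms/",
                    "foaf": "http://xmlns.com/foaf/0.1/"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}
SAFE_SCHEMES = {"http", "https"}


def safe_iri(value, base):
    """Resolve a (possibly relative) IRI against the page base and refuse anything
    an aggregator must never store or re-emit as a link (javascript:, data:, file:)."""
    iri = urljoin(base, value.strip())
    if urlsplit(iri).scheme not in SAFE_SCHEMES:
        raise ValueError("refusing IRI with unsafe scheme: %r" % value)
    return iri


def expand(curie, prefixes):
    """Expand 'dc:title' to a full IRI via the prefix map; full IRIs pass through."""
    head, sep, tail = curie.partition(":")
    if sep and head in prefixes:
        return prefixes[head] + tail
    return curie


class RDFaExtractor(HTMLParser):
    """Simplified RDFa: about, typeof, property (content/resource/href/src or text
    literal) and RDFa 1.1 prefix declarations. No rel/rev, no blank nodes."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.prefixes = dict(DEFAULT_PREFIXES)
        self.triples = []
        self.subjects = [base]   # subject in scope, one entry per open element
        self.pending = []        # per open element: (predicates, subject, text) or None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if "prefix" in a:        # prefix="dc: http://purl.org/dc/terms/ foaf: http://..."
            tok = a["prefix"].split()
            for name, iri in zip(tok[0::2], tok[1::2]):
                self.prefixes[name.rstrip(":")] = iri
        subject = self.subjects[-1]
        if "about" in a:
            subject = safe_iri(a["about"], self.base)
        for t in a.get("typeof", "").split():
            self.triples.append((subject, RDF_TYPE, expand(t, self.prefixes)))
        entry = None
        if "property" in a:
            preds = [expand(p, self.prefixes) for p in a["property"].split()]
            if "content" in a:                                   # explicit literal
                self.triples += [(subject, p, a["content"]) for p in preds]
            elif "resource" in a or "href" in a or "src" in a:   # object is a resource
                target = a.get("resource") or a.get("href") or a.get("src") or ""
                obj = safe_iri(target, self.base)
                self.triples += [(subject, p, obj) for p in preds]
            else:                                                # literal is the element text
                entry = (preds, subject, [])
        if tag in VOID_TAGS:     # no end tag will follow, so push nothing
            return
        self.subjects.append(subject)
        self.pending.append(entry)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_data(self, data):
        for entry in self.pending:   # text belongs to every enclosing property element
            if entry:
                entry[2].append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.pending:
            return
        self.subjects.pop()
        entry = self.pending.pop()
        if entry:
            preds, subject, text = entry
            literal = " ".join("".join(text).split())
            self.triples += [(subject, p, literal) for p in preds]


def extract_triples(html, base, max_bytes=1_000_000):
    """Return (subject, predicate, object) triples from RDFa-annotated HTML."""
    if len(html) > max_bytes:    # cap what one stranger's page can make us chew on
        raise ValueError("document too large for the aggregator")
    parser = RDFaExtractor(base)
    parser.feed(html)
    parser.close()
    return parser.triples


# Constructed sample: a self-hosted photo page of the kind a "Flickr killer" would crawl.
PHOTO_PAGE = """<html prefix="dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/">
<body about="/photos/42" typeof="foaf:Image">
  <h1 property="dc:title">Karmic Koala release party</h1>
  <img property="dc:source" src="/photos/42.jpg" alt="">
  <p>Taken by <span property="dc:creator">Ankur</span> on
     <span property="dc:created" content="2009-10-29">29 October</span>.</p>
  <a property="dc:license" href="http://creativecommons.org/licenses/by/3.0/">CC BY</a>
</body></html>"""

if __name__ == "__main__":
    for triple in extract_triples(PHOTO_PAGE, "http://example.org/"):
        print(triple)
```

Run stand-alone it prints six triples, all with http://example.org/photos/42 as subject. A page containing `<div about="javascript:alert(1)">` is rejected outright rather than stored; whether to skip the offending element or drop the whole page is a policy choice, but silently accepting the IRI is not.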
Pemberton concluded his talk by admitting that there is still a
lot to be done before the open web is user-friendly enough
that users can take control from locked-in social networks.
Creating your own web site is still
not an easy task for John Doe, let alone creating a Facebook-like web site
on your own server. Moreover, there are still some technical
challenges. For example, how do we control who can see which information
from our web site? A possible solution is a distributed social network
using OpenID for authentication, which is
a work in progress.
Another case of lock-in in social networks is the countless "social
applications", widgets on a social network that give the user some
information or are just for fun. A MySpace application will not work on
LinkedIn. However, Google is working on a solution. Chris Chabot, Developer
Advocate at the search giant, talked about OpenSocial, a set of open APIs to
create applications for social networks. Applications implementing the
OpenSocial APIs are interoperable with any social network that supports
them. Among the supported social networks are MySpace, Plaxo, and
LinkedIn.
Today's technology for the future open web
Apart from this "holistic" topic of openness, the conference also had a
fair number of strong technical talks. For example, Henri Bergius talked
about location-aware applications with GeoClue. Now
that computing is becoming more and more mobile, location is becoming an
important parameter for applications. The GeoClue project is a D-Bus
service that applications can use to become geo-aware. GeoClue supports a
lot of flavors of location: GPS, GSM, Wi-Fi, IP addresses, and so on.
On the KDE front, Sebastian Kügler talked about freeing the web from
the browser and gave a demo of Project Silk, while Frank
Karlitschek talked about the Social
Desktop integration of web communities into desktop applications. Both
KDE developers talked about their respective projects to LWN in mid-October.
A nice real world example of the advantages of open APIs came from Karl
Vollmer, the developer of Ampache, a
web-based audio and video streaming solution. In 2002, the previous
developer of the project added an XML-RPC API, but never documented
it. Moreover, it was an "ad hoc" format with custom date encoding. The
result: for over four years there were no other implementations of the
API.
Vollmer replaced the old XML-RPC API in November 2007 by a documented
and simple-to-use REST (representational state transfer) API. After two
years, nine successful implementations of the API have appeared: Amarok 2
has it, there is an Android implementation, a Python GTK interface
(Quickplay), a plug-in for SqueezeCenter, a Rhythmbox plug-in, a WebOS
plug-in, support in the UPnP media center Coherence, and even an iPhone
application (Amphone). The example of Ampache is a good reminder that we
don't get an open web by using undocumented and ad hoc formats.
From Flash to HTML 5
Gnash developer Bastiaan Jacques
talked about the role of Flash in the open web. But why do free software
proponents have to care about Flash? "Because it has nearly 100
percent market penetration," Jacques says. Indeed, over the last few
years, Adobe Flash has become so ubiquitous that it is difficult to imagine
the web without it.
However, with the proprietary Flash technology in its current state, the
web will never be a truly open web. The Gnash developers reverse engineered
parts of the Flash technology to create a free software Flash player, and
this works relatively well. Gnash even has some better security and privacy
features than Adobe Flash. For example, it blocks Flash cookies by
default.
In the meantime, the Gnash project is facing some challenges. The Open Media Now! foundation was
started in 2008 to fund Gnash development, but, because of the
economic crisis, the four full-time developers were cut back to
zero. Another challenge is that proprietary codecs cannot be distributed
with Gnash, which may affect the end-user's experience.
To conclude his talk, Jacques stressed that Flash is not a part of the
open web, but that we are stuck with it. Moreover, "Gnash is a
relevant project because existing content must remain accessible and people
are notoriously slow to transition to new (read: open)
technologies." For new content, Jacques recommends HTML 5.
This brings us neatly to the last speaker, Paul Rouget, who is
Technology Evangelist at Mozilla. He gave a bunch of demos of new
technologies in Firefox 3.5 and HTML 5. His take-home message:
Today the web is full of sexy and fun stuff. With
HTML (5), CSS, SVG and JavaScript we have a very powerful platform to
implement nearly everything you find in Adobe Flash and Microsoft
Silverlight. And contrary to the proprietary competitors, these are not
black boxes and they work on nearly all modern browsers.
Conclusion
What the NLUUG conference showed clearly is that we already have almost
all building blocks for the open web. XML, CSS, SVG, RDFa, XForms, OpenID,
OpenSocial, and HTML 5 are all existing or emerging standards in the open
web toolbox, although it still is a technical challenge to build a
user-friendly open web upon them. An equally interesting evolution can be
seen in KDE projects like Project Silk or the Social Desktop, that are
doing their best to bring the web to the desktop. However, ultimately the
openness of the web depends on the people that are creating the
content. Pemberton made it clear that this not only means the web masters,
but also the users: the ubiquity of user-generated content on the current
web brings power to the users, who can choose to remain locked in a
comfortable walled garden or to be free and boldly go where no one has gone
before.
Comments (8 posted)
System Applications
Cloud Computing
A beta release of PiCloud has been announced.
"PiCloud is a cloud-computing platform that integrates into the Python
Programming Language. It enables you to leverage the compute power of
Amazon Web Services without having to manage, maintain, or configure
virtual servers."
Full Story (comments: none)
Database Software
Here's an overview of CouchDB in Linux Magazine. "You'll often see the word 'relax' associated with CouchDB. That's because CouchDB tries to solve a lot of the 'hard problems' associated with building a scalable distributed document-oriented database. It does a lot of heavy lifting for you so that you can focus on building your application without worrying too much about administration or weird corner cases."
Comments (2 posted)
The November 1, 2009 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Embedded Systems
The October, 2009 edition of the CE Linux Forum Newsletter is out with the
latest news from the embedded Linux software development community.
Topics include:
* ELC Europe 2009 Report: The Butterfly Effect of CELF
* CELF Project BoF and Plenary Meeting
* Kernel Summit In Tokyo
* 30th Japan Technical Jamboree
* 5th Korea Technical Jamboree.
Full Story (comments: none)
Interoperability
Version 3.4.3 of Samba has been
announced.
"This is the latest stable release of the Samba 3.4 series."
Comments (none posted)
LDAP Software
Version 2.3.10 of python-ldap has been announced.
"python-ldap provides an object-oriented API to access LDAP directory
servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
that purpose. Additionally it contains modules for other LDAP-related
stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema)."
Full Story (comments: none)
Mail Software
Version 4.70 RC2 of Exim, a mail transfer agent, has been
announced.
"Before releasing 4.70, we'd like interested parties to test another
Release Candidate (RC2)."
(Thanks to Neil Youngman).
Comments (none posted)
Networking Tools
Version 1.8.5 of PacketFence has been announced.
"PacketFence is a fully supported, Free and Open Source network access
control (NAC) system that runs on Linux. It can be used to effectively
secure networks - from small to very large heterogeneous networks.
PacketFence has been deployed in production environments where thousands
of users are involved - on wired and wireless networks."
Full Story (comments: none)
Package Management
Version 0.4.2 of stdeb has been announced; it includes bug fixes.
"stdeb produces Debian source packages from Python packages via a new
distutils command, sdist_dsc. Automatic defaults are provided for the
Debian package, but many aspects of the resulting package can be
customized via a configuration file. An additional command, bdist_deb,
creates a Debian binary package, a .deb file."
Full Story (comments: none)
Telecom
Skype has announced that an open source Linux client is under development. Skype is a popular voice over IP (VoIP) application. "Yes, there's an open source version of the Linux client being developed. This will be a part of a larger offering, but we can't tell you much more about that right now. Having an open source UI will help us get adopted in the 'multicultural' land of Linux distributions, as well as on other platforms and will speed up further development. We will update you once more details are available." (Thanks to Nicola Soranzo)
Comments (32 posted)
Virtualization Software
Red Hat has announced a new virtualization platform.
"Red Hat, Inc., the world's leading provider of open source solutions, today announced the general availability of Red Hat Enterprise Virtualization for Servers, the newest product set in the Red Hat Enterprise Virtualization portfolio. Red Hat Enterprise Virtualization for Servers is designed to enable pervasive adoption of virtualization, with a comprehensive end-to-end solution combining a standalone hypervisor and powerful virtualization management."
(Thanks to Scott Dowdle).
Comments (2 posted)
Desktop Applications
Audio Applications
Version 1.7.1 of Sonic Visualiser has been announced.
"This release contains a small number of enhancements and
bug fixes."
Full Story (comments: none)
Data Visualization
Version 1.4 of RRDtool, a data logging and graphing system, has been announced.
"RRDtool 1.4 comes with a much anticipated RRDcache Daemon, elevating the system to new performance levels; it also contains a host of new and improved features."
Comments (none posted)
Desktop Environments
Version 2.29.1 of GNOME has been announced; this version is a development
snapshot release.
"We're only a few days after 2.28.1, and 2.29.1 is already there! We have
some brave people who did some amazing work for this release, with new
features in various modules. And of course, the numerous bug fixes that
we're all used to. It's really exciting to already be able to play with
some nifty new features: it announces some great fun during the next few
months."
Full Story (comments: none)
A request for comments has been sent regarding the GNOME 3.0 release date.
"The release team is gathering comments from various teams to get a
proper idea of which of March or September 2010 is more appropriate for
the release of GNOME 3.0. The decision for the release date is following
what we set in the 3.0 planning document: we want 3.0 to be out in
2010, but we also want to make sure that 3.0 is rock-solid; your input
will help us take an informed decision."
Full Story (comments: none)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
KDE.News takes a brief look at Kubuntu 9.10.
"KDE-based distribution Kubuntu has released version 9.10 which adds a new variant showcasing the up and coming Plasma Netbook setup. The release also adds OpenOffice KDE 4 integration and extra installer beauty thanks to artwork from KDE's Oxygen team."
Comments (none posted)
Version 4.3.3 of KDE has been announced.
"Like the ticking of a Swiss watch, every month the KDE team brings you a new release. November's edition of KDE is a bugfix and translation update to KDE 4.3. With the KDE 4 series picking up in popularity, we're happy to encourage even more people to give KDE 4 another spin -- or just upgrade your existing KDE to KDE 4.3.3."
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Comments (none posted)
Fonts and Images
ars technica looks at Web Open Font Format (WOFF), which has come about from a collaboration of two separate web font efforts. Mozilla's Jonathan Kew and two type designers, Tal Leming and Erik van Blokland, had both been working on font formats for the web. They have now joined forces on WOFF. "WOFF combines the work Leming and Blokland had done on embedding a variety of useful font metadata with the font resource compression that Kew had developed. The end result is a format that includes optimized compression that reduces the download time needed to load font resources while incorporating information about the font's origin and licensing. The format doesn't include any encryption or DRM, so it should be universally accepted by browser vendors; this should also qualify it for adoption by the W3C."
Comments (44 posted)
Imaging Applications
Version 0.4.0 of IMGCrush and IMGCrush_GUI have been announced.
"Announcing IMGCrush 0.4.0 and IMGCrush_GUI 0.4.0,
a new release bringing new features and bugfixes,
as well as considerable speedup (even though it's still quite slow).
IMGCrush is an image compressor capable of compressing files to
user specified size or quality using common web image formats
particularly well suited to optimize images for web sites."
Full Story (comments: none)
Mail Clients
Development version 3.0beta1 of the Sylpheed mail client has been announced.
"Multi-threading was introduced. This will reduce the situation where user actions are blocked.
(can be disabled by --disable-threads configure option)..."
Comments (none posted)
Music Applications
Version 1.04 of probability sequencing language has been announced.
"probability sequencing language is a text based piano roll type
programming language for csound. some may refer to it as a pre
processor for csound.
For version 1.04
a bug has been fixed al[l]owing floating point numbers for the step number
macros are now available loaded from external files.
frequencies can now have drift where they change on every pass."
Full Story (comments: none)
Office Applications
Version 0.9.1 of SyncEvolution, a personal information management
synchronizer, has been announced.
"Mobical and Memotoo are now officially supported.
Memotoo uses vCard 2.1 with several Evolution specific extensions. It
uses iCalendar 2.0, however, without actually supporting the advanced
features of it. Times are converted to UTC and meeting information is
lost."
Full Story (comments: none)
Office Suites
KDE.News has announced a release candidate for KOffice 2.1.
"As usual, the team worked diligently to remove all release blocker bugs leading up to this candidate. See the full changelog for the details. This is the last chance to test before the final release of KOffice 2.1. We ask that all of our users who wish to help us make KOffice 2.1 the best it can be try out this pre-release and report any remaining bugs."
Comments (none posted)
Digital Photography
F-Spot users may want to have a look at
this
strongly-worded post from Daniel Bartholomew; it seems that F-Spot has
a habit of silently changing timestamps in EXIF metadata. "
As can be
seen, F-Spot has decided that the users are idiots and to update the fields
with the values it thinks are best without telling anyone. It decided to
set the DateTime field to the time when the photo was imported into F-Spot
(as if that date is so important it needs to be saved for posterity). For
DateTimeOriginal F-Spot decided that the appropriate time is the UTC time
when the picture was taken (conveniently deciding that since my computer is
currently in U.S Eastern Daylight Time, I must have been in the same
timezone when I took the picture and that my camera was set to the correct
time for my timezone at the time I took the picture)." The problem
has been in F-Spot's bug tracker for some three years now.
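The check a photographer wants here is simple to state: read the two EXIF date tags before and after an import and see whether they still agree. The following Python is an added example for this article, not F-Spot's code or the blog author's: it builds a minimal TIFF/EXIF payload (constructed test data, not a real camera file), reads DateTime (tag 0x0132) and DateTimeOriginal (tag 0x9003) with bounds checks, and reports which tags a tool has rewritten. The "after import" values in the demo are invented to mirror the behaviour the post describes (an import timestamp in DateTime, a UTC-shifted DateTimeOriginal); on a real photo you would feed it the APP1 payload of the JPEG before and after import.

```python
import struct

# EXIF/TIFF tags and field types used here
TAG_DATETIME = 0x0132           # file change time, per the EXIF spec
TAG_EXIF_IFD = 0x8769           # pointer to the Exif sub-IFD
TAG_DATETIME_ORIGINAL = 0x9003  # when the shutter was pressed
ASCII, LONG = 2, 4
NAMES = {TAG_DATETIME: "DateTime", TAG_DATETIME_ORIGINAL: "DateTimeOriginal"}


def _exif_ascii(value):
    """EXIF dates are exactly 'YYYY:MM:DD HH:MM:SS' plus a terminating NUL (20 bytes)."""
    raw = value.encode("ascii")
    if len(raw) != 19:
        raise ValueError("EXIF date must be 'YYYY:MM:DD HH:MM:SS'")
    return raw + b"\x00"


def build_exif(date_time, date_time_original):
    """Construct a minimal little-endian TIFF/EXIF payload (test data, not a camera
    file): IFD0 holds DateTime and a pointer to an Exif IFD holding DateTimeOriginal."""
    ifd0 = 8
    exif_ifd = ifd0 + 2 + 2 * 12 + 4      # 38: IFD0 has two 12-byte entries
    dt_off = exif_ifd + 2 + 1 * 12 + 4    # 56: Exif IFD has one entry
    dto_off = dt_off + 20                 # 76
    blob = b"II*\x00" + struct.pack("<I", ifd0)
    blob += struct.pack("<H", 2)
    blob += struct.pack("<HHII", TAG_DATETIME, ASCII, 20, dt_off)
    blob += struct.pack("<HHII", TAG_EXIF_IFD, LONG, 1, exif_ifd)
    blob += struct.pack("<I", 0)          # no IFD1
    blob += struct.pack("<H", 1)
    blob += struct.pack("<HHII", TAG_DATETIME_ORIGINAL, ASCII, 20, dto_off)
    blob += struct.pack("<I", 0)
    blob += _exif_ascii(date_time) + _exif_ascii(date_time_original)
    return blob


def read_exif_times(blob):
    """Return {'DateTime': ..., 'DateTimeOriginal': ...} from a TIFF/EXIF payload.
    Every offset is bounds-checked and IFD loops are refused: metadata in a
    stranger's photo is untrusted input and a classic parser-crash vector."""
    if len(blob) >= 8 and blob[:4] == b"II*\x00":
        endian = "<"
    elif len(blob) >= 8 and blob[:4] == b"MM\x00*":
        endian = ">"
    else:
        raise ValueError("not a TIFF/EXIF header")
    found, seen = {}, set()

    def walk(off):
        if off in seen or off + 2 > len(blob):
            raise ValueError("bad or looping IFD offset %d" % off)
        seen.add(off)
        (count,) = struct.unpack_from(endian + "H", blob, off)
        for i in range(count):
            ent = off + 2 + 12 * i
            if ent + 12 > len(blob):
                raise ValueError("IFD runs past end of data")
            tag, typ, cnt, val = struct.unpack_from(endian + "HHII", blob, ent)
            if tag == TAG_EXIF_IFD and typ == LONG:
                walk(val)
            elif tag in NAMES and typ == ASCII:
                if cnt <= 4:                       # short values live in the entry itself
                    data = struct.pack(endian + "I", val)[:cnt]
                elif val + cnt <= len(blob):
                    data = blob[val:val + cnt]
                else:
                    raise ValueError("data for tag 0x%04x out of range" % tag)
                found[NAMES[tag]] = data.rstrip(b"\x00").decode("ascii", "replace")

    (ifd0,) = struct.unpack_from(endian + "I", blob, 4)
    walk(ifd0)
    return found


def silently_rewritten(before, after):
    """Names of date tags whose values differ between two reads of the same photo."""
    a, b = read_exif_times(before), read_exif_times(after)
    return sorted(tag for tag in set(a) | set(b) if a.get(tag) != b.get(tag))


if __name__ == "__main__":
    camera = build_exif("2009:10:31 14:05:00", "2009:10:31 14:05:00")
    # Constructed to mirror the post: DateTime replaced by the import time,
    # DateTimeOriginal shifted from US Eastern Daylight Time to UTC (+4h).
    after_import = build_exif("2009:11:03 09:12:44", "2009:10:31 18:05:00")
    print(read_exif_times(camera))
    print(silently_rewritten(camera, after_import))
```

The bounds checks are not decoration: a photo manager or forensic tool that walks IFD offsets straight from the file without them will read out of range or loop forever on a crafted image, and a timestamp audit is only useful if it cannot itself be derailed by the input it inspects.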
Comments (25 posted)
Video Applications
On his blog, Christopher Blizzard writes about using Greasemonkey to turn YouTube's Flash videos into Ogg Theora before playing them. The result is Theoratube. "Anyway, I decided to try and make it so that I could easily play Youtube videos without having to use Flash. (Flash — in many ways — is the weak link in the chain. In this case it's because I can't fix/hack it, although I'm happy to not have it because my browser is a lot more reliable.)"
Comments (14 posted)
Web Browsers
eWeek reports on the new capabilities of Google Chrome Beta 4.0.
"Google has a lot riding on its Google Chrome Web browser. The search engine Nov. 2 added bookmark sync for its latest build of Chrome to let the browser's 30 million users keep their favorite Web pages up to date across multiple computing devices. The Chrome 4.0 beta is also 30 percent faster than the current stable release. Speed is a big deal for Chrome and Google's forthcoming Chrome Operating System, which will be the Linux-based launching platform for the Chrome browser and Web applications. Google Co-founders Larry Page and Sergey Brin recently gave the Chrome team a multi-million-dollar stock bonus for creating the browser."
Comments (none posted)
Version 3.6 Beta 1 of Firefox has been announced.
"This beta version of the next version of Firefox is built on
the Gecko 1.9.2 web rendering engine, containing many improvements for
web developers, Add-on developers, and users. The Mozilla community
appreciates your feedback and assistance in testing this preview
of the next version of Firefox. Your beta software will update itself
periodically, and eventually will be updated to the final release
itself."
Full Story (comments: none)
Languages and Tools
Caml
The November 3, 2009 edition of the Caml Weekly News
is out with new articles about the Caml language.
Full Story (comments: none)
Python
Version 1.0.2 of blist has been announced; it adds some bug fixes.
"The blist is a type that looks, acts, and quacks like a Python list, but has
better asymptotic performance when inserting or deleting elements (O(log
n)). For small lists, blists and the built-in list have very similar
performance. The blist also features copy-on-write behavior, so copying or
taking large slices from a list is inexpensive."
Full Story (comments: none)
Version 0.18.0 of CodeInvestigator, a tracing tool for Python programs,
has been announced.
"It mainly deals with bug fixes:
- Simple statements all on the one line separated by a semicolon.
- Generators and yield.
It has one enhancement:
- An Entry Point filter was added. It allows you to leave out the
entry points you're not interested in."
Full Story (comments: none)
Version 0.6.7 of Distribute has been announced; it adds some new
capabilities.
"Distribute is a fork of the Setuptools project, and the 0.6.x series is a
drop-in replacement for Setuptools. Distribute is intended to replace
Setuptools as the standard method for working with Python module
distributions, on the top of Distutils."
Full Story (comments: none)
The November 3, 2009 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
The November 2009 edition of The Python: Rag has been published.
The Python: Rag is:
"A magazine in pdf format, meant to be printed and left lying around where it can be picked up by the unwary, and stun them into becoming devotees of the Python programming language.
Aimed at beginners and veterans alike; if you are a newcomer to Python, please contribute, other newcomers will be interested in your discoveries!"
Comments (none posted)
Tcl/Tk
The October 28, 2009 edition of the Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
Profilers
Version 1.1.4 of Sysprof, a CPU profiler, has been announced.
"This is a development release leading
up to a stable 1.2.0 release.
Sysprof is a sampling system-wide CPU profiler for Linux. This
version is based on the perf counter interface in 2.6.31 kernels and
will not work with earlier kernels."
Full Story (comments: none)
Version Control
Versions 2.0.1 and 2.1.0b1 of the Bazaar version control system have
been announced.
"Our first post-2.0 releases of Bazaar have finally become official. Now
that we are at 2.0, we decided to split a stable release series and a
development series. As such, 2.0.1 has only bugfixes relative to the 2.0
release, while new features and potential compatibility changes are
contained only within 2.1.0b1. All of the changes in 2.0.1 are available
in 2.1.0b1."
Full Story (comments: none)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The GNOME Q3 2009 Quarterly report [PDF] has been published.
"Q3 is always a big quarter for the GNOME Foundation and this one was bigger
and better than usual. During Q3 we had our annual GUADEC, and GNOME 2.28
was released with lots of preparation work for GNOME 3.0. OSiM Mobile was
well attended by GNOME Mobile member companies and products that use GNOME
Mobile technologies like Moblin 2.0 and the Nokia N900 were released. We've
raised $23,415 through Friends of GNOME so far this year! Our Advisory Board
members have been very generous as well and we have many hackfests planned
for Q4!"
Full Story (comments: none)
The OpenOffice.org project has announced reaching 100M downloads of
its version 3 office suite.
"Yesterday, Wednesday 28th, the one hundred millionth person clicked on
the "Download OpenOffice.org" button since version 3 of the software was
announced just over one year ago.
What makes the statistics impressive is that we only record downloads
via the OpenOffice.org website, and exclude for example large numbers of
Linux users who generally download software from their own distributor.
In addition, many users obtain OpenOffice.org via other mirrors,
peer-to-peer networks, CDs, or other media."
Full Story (comments: none)
Commercial announcements
MIPS Technologies has announced a release of their ActionScript virtual
machine.
"With this announcement, MIPS has released an optimized version of the ActionScript virtual machine
(accessible via the Tamarin open source project) - a key component in optimizing Adobe's Flash
Player for running on the MIPS architecture. In addition, MIPS' optimized VM executes twice as fast
on the 74K CPU core relative to the optimized VM for ARM running on an ARM Cortex A8 CPU."
Full Story (comments: none)
CadSoft, maker of the Eagle printed circuit CAD application, has
announced its acquisition by Premier Farnell.
"You may have heard that CadSoft Computer GmbH and our business in the USA has been bought by Premier Farnell plc, one of the world's leading high-service distributors of electronic components and industrial products.
We are delighted to confirm this exciting opportunity for the business and the EAGLE software. Becoming part of the Premier Farnell Group provides CadSoft with a great opportunity to improve on what we can offer going forward."
Comments (none posted)
SearchDataBackup.com reports that Symantec has released a Linux version
of its BESR utility.
"Symantec Corp. released a new version of its bare-metal restore software that adds support for Linux servers and tightens integration for centralized management of server backups.
Backup Exec System Recovery (BESR) 2010 will ship this week, but new support for backing up and restoring entire server images including operating system or individual files from Red Hat or SUSE Linux servers won't be generally available until December.
Once that happens, it will be the first non-Windows operating system support to be available for BESR, said senior product marketing manager Susie Spencer."
Comments (6 posted)
Texas Instruments has announced a new low power IP camera that includes
a complete Linux application software reference design package.
"Texas Instruments Incorporated (TI) today announced a new Internet Protocol (IP) camera reference design that
provides low power, high definition (HD) video processing for the video
surveillance market. The DM368IPNC-MT5 IP camera reference design with H.264
main profile 1080p at 30 frames per second (fps) offers industry-leading
compression in a full HD solution, with the complete camera utilizing only
three Watts."
Comments (12 posted)
Zend has announced a collaboration with Oracle.
"Zend Technologies, the PHP
Company, today announced that it is working with Oracle to deliver an
integrated and optimized enterprise-class Linux and PHP solution for
deploying and managing business-critical Web applications. To extend
access to Zend Server -- Zend's complete, enterprise-ready Web
application server - it is now available through the Oracle
Unbreakable Linux Network (ULN). Building on a history of integration
between Zend solutions and the Oracle Database, Zend Server also
includes out-of-the-box enterprise-grade connectivity to Oracle®
Database."
Full Story (comments: none)
Articles of interest
A Linux-compatible open-source Skype VOIP client is in the works,
according to this article on Linux Journal.
"Some have questioned why the move should be of particular import, given the variety of Linux-compatible VOIP options already available. The most obvious is, fittingly enough, the news itself: Skype will have an Open Source client. Regardless of the market, number of users, or general usefulness, any time the makers of a proprietary product choose to embrace Open Source, that in itself is an important event. Adding allies to our community is as important as adding products to our systems."
Comments (7 posted)
New Books
O'Reilly has published the book
Beautiful Testing by Tim Riley and Adam Goucher.
Full Story (comments: none)
Resources
The second draft of the Free Music Player Specifications has been
released.
"It was suggested that instead of both integer and float values, one or
the other should be picked. It made sense to have floats in all but one
instance (user playcounts), so floats is what I went with. Overall this
decreases the spec's complexity a good amount."
Full Story (comments: none)
Linux Gazette #168 has been released. This issue contains articles on GNU Screen "revisited", setting up a MySQL cluster, handing 404 errors off to another server, and more. The usual columns and multiple comics are also in the mix.
"Linux Gazette is a volunteer-run monthly web magazine dedicated to two
simple ideas: making Linux a little more fun, and sharing ideas and
discoveries."
Comments (none posted)
IBM developerWorks presents a three-part series by Jenifer Hopper on
reducing Linux power consumption; see part 1, part 2 and part 3.
"This three-part series is your starting point for tuning your system for power efficiency. In Part 1, get up to speed on the components and concepts you need to fine-tune a Linux-based System x server for power efficiency. Learn how to enable the Linux CPUfreq subsystem, get instruction on C and P states, and determine which of the five in-kernel governors you need to boost power efficiency on your system."
Comments (none posted)
Dave Phillips looks at the Smasher and Linuxsampler 1.0 applications and
reviews The Loadbang Book in a Linux Journal article.
"The O is for October, harvest time here in NW Ohio USA. A beat-slicer, a book review, and a milestone release compose this trio of reviews for the Fall season in Linux audio fashion."
Comments (5 posted)
Interviews
OLPC News has a
report about plans for the next revisions of the XO hardware from an
interview with Nicholas Negroponte at Xconomy. One of the changes is that the XO-2 has been canceled, with an ARM-based XO-1.75 planned, and an XO-3 scheduled for 2012. "
I've been following the ongoing x86 vs. ARM race quite closely and it's my understanding that they're now closely matched when it comes to the all-important price / performance / power-consumption metrics. What I however cannot estimate is how much engineering by OLPC, Sugar Labs and Fedora it takes to make the current software run, and run well, on an ARM platform. It also remains to be seen when OLPC plans to release the XO-1.75 but I'd be very surprised if it happened within the next 12 months."
Comments (23 posted)
Education and Certification
On his blog, Fernando Herrera announced an online course in GNOME and KDE
development that is ready to be reviewed by the community.
"Recently we have finished creating the materials for the Application development for GNOME and KDE course we have been working on for CENATIC. It is a modular course, so for example you can take only the modules for GNOME programming or KDE programming. It has been designed for on-line training (using e-learning systems that support SCORM format, as moodle), presential learning or mixed combination of both."
Comments (none posted)
Event Reports
KDE.News covers the October 29 NLUUG Conference and has also conducted an
interview with the NLUUG keynote speaker Steven Pemberton.
"The Open Web and started with a keynote about 'Walled Gardens' by Steven Pemberton. Steven, a researcher at CWI in Amsterdam (Center for Mathematics and Information Technology), has been involved with the web since the 80's.
He spoke about the dangers the web faces. One of the major problems he sees is what he calls 'Walled Gardens' - the lack of connections between various (social) networking sites."
Comments (none posted)
Calls for Presentations
A call for abstracts has gone out for the NLUUG spring conference 2010;
submissions are due by January 5.
"This NLUUG spring conference will be held May 6, 2010 in De Reehorst in
Ede (Netherlands). Although the main language at the conference will be
Dutch, we welcome English lectures and tutorials.
There is room for lectures and a limited number of tutorials or
demonstrations. During a lecture, the speaker will present their topic
to the audience in about 40 minutes. A tutorial will be given for a
select public and lasts about 90 minutes."
Full Story (comments: none)
A call for papers has gone out for QuahogCon; the event takes place on
April 23-25 in Providence, RI, and submissions are due by December 15.
"QuahogCon is a new regional conference for the hacker culture in all forms. Hardware, Software,
Security, Social, Eco Hacking, Zero Impact Living. Like most hacker cons, it will run Friday to
Sunday. We'll have two tracks: one for InfoSec topics and the other track will be a mix of all the
other topics with a bit of an emphasis on hardware hacking and DIY electronics. Besides our
perennial InfoSec favorites, we want to hear from some new voices on a wider range of topics."
Full Story (comments: none)
A call for papers has gone out for the UKUUG Spring 2010 conference;
submissions are due by November 15.
"UKUUG's annual Large Installation Systems Administration (LISA) conference
will take place in Manchester from 23-25 March 2010."
Full Story (comments: none)
Upcoming Events
Debian has announced the location and dates for DebConf10. It will be held August 1-7, 2010 at Columbia University in New York City. This is the first time DebConf has been held in the US. "
Every year, DebConf allows new and existing Debian project participants
from around the world to assemble, share knowledge, make collaborative
contributions to Debian, and build tighter community bonds. Conference
costs are largely funded by corporate sponsors who find significant
value in enabling Debian's success."
Full Story (comments: none)
GOSCON, which takes place on November 5 in Washington D.C., will feature
discussions of recently released government documents regarding
open-source software.
"Late Breaking News: Two significant newly released documents providing federal agencies guidance
and common questions will be discussed in depth at GOSCON DC this week.
David M. Wennergren, Deputy Assistant Secretary of Defense for Information Management and
Technology / Deputy Chief Information Officer US Department of Defense is expected to use his
conference Key Note address to discuss that agency's "Clarifying Guidance Regarding Open Source
Software (OSS)" released one week ago. This much-anticipated document is said to have the potential
to change the IT landscape with the federal government."
Full Story (comments: none)
Events: November 12, 2009 to January 11, 2010
The following event listing is taken from the LWN.net Calendar.

| Date(s) | Event | Location |
|---|---|---|
| November 9–November 13 | ACM CCS 2009 | Chicago, IL, USA |
| November 12–November 13 | European Conference on Computer Network Defence | Milan, Italy |
| November 13–November 15 | Free Society Conference and Nordic Summit | Göteborg, Sweden |
| November 14 | pyArkansas | Conway, AR, USA |
| November 16–November 19 | Web 2.0 Expo | New York, NY, USA |
| November 16–November 20 | INTEROP | New York, NY, USA |
| November 16–November 20 | Ubuntu Developer Summit for Lucid Lynx | Dallas, TX, USA |
| November 17–November 20 | DeepSec IDSC | Vienna, Austria |
| November 19–November 20 | CONFIdence 2009 | Warsaw, Poland |
| November 19–November 21 | Firebird Conference 2009 | Munich, Germany |
| November 19–November 22 | Piksel 09 | Bergen, Norway |
| November 20–November 21 | PostgreSQL Conference 2009 Japan | Tokyo, Japan |
| November 21 | Baltic Perl Workshop 2009 | Riga, Latvia |
| November 25–November 27 | Open Source Developers Conference 2009 | Brisbane, Australia |
| November 27–November 29 | Ninux Day 2009 | Rome, Italy |
| December 1–December 5 | FOSS.IN/2009 | Bangalore, India |
| December 4 | Italian PostgreSQL Day 2009 | Pisa, Tuscany, Italy |
| December 5–December 7 | Fedora Users and Developers Conference | Toronto, Canada |
| December 7–December 11 | Annual Computer Security Applications Conference | Honolulu, HI, USA |
| December 7–December 13 | Make Art 2009 | Poitiers, France |
| December 12 | BSD community day | Utrecht, The Netherlands |
| December 12–December 13 | Django Development Sprint | Dallas, TX, USA |
| December 12–December 17 | SciPy India 2009 | Kerala, India |
| December 19 | New Mexico Linux Fest | Albuquerque, NM, USA |
| December 27–December 30 | 26th Chaos Communication Congress | Berlin, Germany |
If your event does not appear here, please tell us about it.
Web sites
A new Python forum has been launched.
"I am proud to announce the release of Pyfora (http://pyfora.org), an
online Python forum to supplement comp.lang.python and #python. Please
feel free to register and post any questions or tips you may have!"
Full Story (comments: none)
Audio and Video programs
Live streaming video from ApacheCon 2009 will be available starting at
9am US Pacific time (UTC -8) on November 4th.
"Linux Pro Magazine Online in partnership with Collabnet and The Apache Foundation will live stream from ApacheCon US 2009 November 4-6. The ASF selected the Hadoop track on Wednesday, November 4 for the first live transmission. Among the speakers on the Hadoop open source Java framework is Apache co-founder Brian Behlendorf and developers Owen O'Malley and Tom White. Alan Gates will speak on 'Becoming a Pig Developer.'" The full schedule of video streams is also available.
Comments (none posted)
Miscellaneous
On his blog, Alex Hudson looks at a FUD-filled brochure from SirsiDynix, which is a company that sells software for libraries. In addition to saying nice things about LWN, Hudson points out some of the "highlights" in this brochure that is meant to warn libraries away from free software. The brochure first showed up at WikiLeaks.
"As well as the relatively malicious falsehoods being perpetrated against those specific library projects, there are also vague allegations about open source in general – from accusations of Red Hat being 'proprietary' to the highly entertaining argument that the US Department of Defense 'restrict the use of open source software for fear that it could pose a terrorist opportunity'."
(Thanks to Colin Campbell for pointing us at the WikiLeaks page).
Comments (12 posted)
Page editor: Forrest Cook