February 10, 2010
This article was contributed by Nathan Willis
In the wake of Sun's acquisition by Oracle, the future of MySQL has attracted the most voluminous (and often, the most heated) debate, but it is far from the only open source project to feel the effects. Linux and open source community members have publicly taken Oracle to task this week for its decision to cut the jobs of developers at Sun's Accessibility Program Office (APO), which contributes heavily to GNOME's accessibility efforts, as well as to accessibility work in Firefox, OpenOffice, and other applications.
Accessibility in open source incorporates assistive technology tools for users with disabilities, including screen readers, magnifiers, speech interfaces, on-screen keyboards and other input mechanisms, but it includes toolkit and application features in the rest of the software stack as well. For example, GNOME's Accessibility Toolkit (ATK) API enables assistive technology applications to read a program's existing GTK+ widget labels. Custom components require more work than stock GTK+ widgets, of course, and any application must take steps to be accessible by associating textual descriptions with all user interface elements, including buttons, canvases, and status indicators.
Cuts and response
Reports were circulating in the first week of February that two APO jobs were being cut, one of which belonged to Will Walker, leader of GNOME's Accessibility Project and the project maintainer for Orca, the open source screen reader. The reaction to Walker's layoff was swift, with members of the Orca and GNOME projects expressing their support and calling for a public display of that support — and concern over what the move said about Oracle's commitment to accessibility.
Several accessibility experts and developers voiced concern through mailing lists and blogs. Orca user Mike Gorse blogged his fear that Orca development would slow down and suffer. Discussion on the Orca list ranged from the pessimistic to the unconcerned, with some confident that the work would continue and others advocating the immediate search for alternate project funding.
Joanmarie Diggs, assistive tech specialist with the Carroll Center for the Blind, published an open letter to Oracle, challenging it to "embrace the opportunity to continue this important work." Fernando Herrera wrote to the GNOME Foundation board urging it to "take this issue very seriously" and approach Oracle representatives for a resolution.
For his own part, Walker assured the Orca and accessibility communities that he would continue to devote as much of his time as he could to the projects as a volunteer, but said that he would have to seek employment regardless of whether or not he found another position that allowed him to contribute to Orca and GNOME full-time. Specifically, Walker said he remains committed to seeing through the upcoming 2.30 release of GNOME. Beyond that is where the future becomes less certain.
APO, accessibility, and GNOME
Over the years, Sun's APO contributed to considerably more than Orca alone. Walker described Sun's support of open source accessibility as the "best in the industry" and said he was lucky to have been part of it. Walker joined APO in 2005, after several years working on accessibility at Sun Labs. Initially his duties focused on Orca, but over time expanded to include accessibility overall.
APO served several purposes, Walker said, including that of a "centralized organization to help guide, consult, etc., all things related to accessibility" in addition to software engineering itself. Much of that work consists of testing, filing bug reports, performing maintenance, and addressing deprecation in GNOME applications and key desktop components like Firefox and OpenOffice. It also includes educating the developer community at large on accessible design, development, and testing as parts of everyday practice.
Since the 3.0 planning process began, one of Walker's most important duties as a GNOME Accessibility lead has been preparing for platform changes. GNOME 3.0 will do away with the CORBA object model, which in turn will require GNOME's implementation of the Assistive Technology Service Provider Interface (AT-SPI) to migrate to a completely new, D-Bus-based backend. In addition, several assistive technologies will undergo major updates, such as the deprecation of gnome-speech in favor of SpeechDispatcher, and moving screen magnification into GNOME Shell.
Over the past two years, however, Walker said that the work has felt "like swimming upstream," thanks to the changes in GNOME, Firefox, and other desktop components, coupled with reductions in the number of programmers available to work on GNOME accessibility. Not only have there been other job reductions at Sun to hit APO, but full-time developers have been cut from other contributors, such as IBM. Mark Doffman cataloged the losses on his blog, estimating that $200,000-worth of annual accessibility developer support has disappeared since 2007.
Nevertheless, Walker said that he has no "sour grapes" about his current situation, and is looking forward to seeing GNOME Accessibility succeed. How best to bring that about remains the topic for discussion among GNOME and other open source developers.
The future
Doffman advocated actively seeking out corporate support for more accessibility development, citing Jonathan Corbet's estimate at linux.conf.au that 75 percent of Linux kernel code is contributed by paid, full-time developers. GNOME's Dave Neary contended instead that the GNOME Foundation should look to government and non-profit grants as a source of income to support accessibility development.
For his part, Walker said that funding from Mozilla, Canonical, Google, Novell, and AEGIS have all provided relief in recent years, but that the contributed funding model risks turning into a "coin operated" development mentality: when the coins stop, the development stops. Instead, he emphasized the need to grow the developer community itself and to spend more energy educating mainstream developers about incorporating accessible design in their work.
With all the publicity Oracle is getting in relation to their effect on GNOME Accessibility, I think we need to remind people of something else. As I understand it, Oracle's product teams design and develop for accessibility. In other words, Oracle does appear to have succeeded in making accessibility a core responsibility of each product team. If my understanding is accurate, that is *huge* and something other organizations can learn from.
Oracle does, indeed, make accessibility a high priority item, highlighting it with policy statements, and providing training and support. As Walker said, success for accessibility efforts in open source software is not limited to the development of stand-alone assistive technologies like Orca, but in building integrated accessible design into every tool and application.
In the near term, the GNOME 3.0 roadmap includes a long list of open tasks, many related to the AT-SPI migration. KDE developer Jeremy Whiting provided a status update of the situation from KDE's point of view. GNOME and KDE have collaborated on the latest AT-SPI work, including the D-Bus backend. Qt provides an accessibility framework, but is lacking a Qt-to-AT-SPI bridge. While the good news is that both major desktops agree on a common framework for accessibility and assistive technology, both have a considerable amount of work cut out for them.
Oracle is not closing the Sun APO entirely, nor is GNOME's Accessibility Project shutting its doors. But the impact a single full-time developer can have on an important infrastructure effort like accessibility indicates how under-staffed the effort is — as well as how many open source projects benefited from Sun's investment, despite the grief it sometimes received. The public support shown for Walker demonstrates that the community wants open source accessibility work to receive the attention it deserves; it just needs to solve the funding problem.
By Jake Edge
February 10, 2010
Development projects are often required to make hard decisions about where
to apply their effort; developer and tester time is a scarce resource, so
choices must be made. It is not uncommon that those choices will be
unpopular with some, perhaps quite vocal, segment of the user community,
but users need to recognize that prioritization has to occur. Free
software projects, even those backed by foundations or corporations, are
obviously not immune to the need for focus. A recent discussion about
Mozilla dropping support for Mac OS X 10.4 shows that some users still
don't quite understand the issue—especially when it is their platform
that will be affected.
It all started with a post by Mozilla's Josh Aas about making a
final decision on whether to support Mac OS X 10.4 ("Tiger") in the version
of the Gecko rendering engine that will be the basis of the next Firefox
release (3.7 or higher). He listed statistics of the number of Mac users
that still use 10.4, which was released in 2005, and noted that there were
significant hurdles to continuing to support that release in the codebase.
Furthermore, he pointed out that there will be a roughly yearlong
transition period:
The approximately 25% of our Mac OS X users still on 10.4 would
continue to be supported by Firefox 3.6 until that product reaches end
of service, which won't be until several months after the next major
version of Firefox is delivered (built on Gecko 1.9.3) later this
year. Past data shows that we do not lose appreciable market share
when we stop supporting a Mac OS X version. We are often one of the
last vendors to continue supporting older Mac OS X releases, and I
suspect that by the time this becomes an issue Apple may themselves
have stopped issuing security updates for Mac OS X 10.4.
But that didn't sit well with some Mac users. Phillip Jones argued against dropping support because it
would require hardware and/or software upgrades—at a substantial
monetary cost—for those who still use 10.4. He also claimed to be
speaking for lots of others:
And I am not the only one. I just happen to be the only one to voice an
opinion. Most just take what they are given and stew in the
background.
Others chimed in to agree with Jones, but anecdotal stories about
individuals who are unable to upgrade don't really help in the decision.
Mozilla's Asa Dotzler points out the kind of
information that would be useful:
Since this decision won't be made because a few users visiting this forum
are still bound to 10.4, this kind of advocacy doesn't help much. If you
can add more precise usage data to this discussion than what Josh offered
in the initial post, please do. If you know of other kinds of data that
represents large numbers of Mac or Firefox users that hasn't already been
mentioned, please add that.
Dotzler continues by noting that the decision is not being made lightly,
nor is it being made in a vacuum, but some kind of prioritization needs to
take place:
I (and I'm sure others here) recognize that tens or even hundreds of
thousands of users will be left behind in a year or so if we stop support
for 10.4. We understand that. If we tried to support 100% of operating
systems out there, the project would collapse.
That means we have to pick our target versions carefully. Do you have some
suggestion about what that cut-off should be that goes further than "not
the platform I'm on" ?
Many of those who are against the change are making a "not in my
backyard" (NIMBY) argument, as Dotzler points out. Others believe that
because Mozilla gets millions of dollars in revenue, it should plow
some of that money into supporting 10.4. It is not a terribly reasonable
argument, as organizations should be able to make their own decisions about
staffing and such. It is also a bit ironic that folks claim that Mozilla should
support them in ways that Apple will not.
The real problem stems from Apple's decision to only support 10.5 ("Leopard") on some
PowerPC Macs, and to only support 10.6 ("Snow Leopard") on Intel Macs. In
addition, Apple charges for each upgrade, which potentially leaves those who are
financially strapped behind.
It is not particularly fair to blame Mozilla for something that has its
roots in Apple's upgrade strategy.
Those calling for Mozilla to go the extra mile for 10.4 are really asking
for a "disproportionate investment", according to Mozilla's Boris Zbarsky. In
addition, they haven't made a good case for why that should be:
"No one has cited a good
reason why 10.4 users matter more than 10.5 or 10.6 users or Windows or
Linux users." There are technical reasons why support for 10.4 is hard,
as Aas outlined at the start of the thread, so there needs to be a
compelling reason to do it.
Allocating resources is a difficult problem sometimes, but one gets the
sense that Mozilla developers are pretty convinced that 10.4 is not a good
use of their efforts. Mozilla VP of Engineering Mike Shaver also
points out that Apple seems to have left
10.4 behind:
What amount of resource should we divert from other areas,
such that we can support a small-and-shrinking number of users on a
trailing edge version of a deeply-minority platform from which we get
decreasingly poor support from the OS vendor as it ages? (When we
report even *security-related* bugs in older system libraries to
Apple, we often get a pretty cold response. This may not be a problem
that the WebKit or Safari teams face, but I can't really know for
sure.)
It would be easy to write this off as a problem for folks that have chosen
a proprietary operating system, but this same problem is regularly faced by
those who run free systems. Projects frequently make decisions on their focus: distributions choose architectures to support, applications
choose which features to implement or what desktop to support, and so on.
Users need to find a way to make reasoned arguments about what they would
like to see happen, while understanding that the project itself gets to
make its own decisions. On the flipside, projects need to provide a means
for users to give their input, hopefully in a constructive manner.
Advocacy—along with venting—in bug reports was another problem
discussed in the thread. "Piling on" to bug reports and feature requests is a common reaction
for users who are frustrated with the choices a project is making, as we
saw last August for KDE.
More recently, the addition of
CNNIC to the Mozilla certificate store also had many impassioned users
commenting on the bug, but without providing the kinds of information
needed by the project to assist its decision making process.
Some kind of balance needs to be found, where users feel like their voice
is being heard, without overwhelming the developers and project leaders who
are trying to do their jobs. For free software projects, though, there is
a potential solution that is not available for those using proprietary
systems: the code is available if someone wants to put together a project
to go a different direction. While some Apple users will never be able to
run more recent versions of Mac OS on their hardware, they most certainly
could put together a project to continue supporting Firefox on those older
versions. It would be a lot of work, but that's a much better situation
than for Mac OS where it would simply be impossible.
By Jonathan Corbet
February 5, 2010
Occasionally, your editor will be struck by a series of topics all
associated with a common theme. The recent fuss about Android's presence
(or the lack thereof) in the mainline kernel ties in well with a couple of
other items of notice: the Nexus One phone and the role of free software on
the Android platform in general.
New toy
Thanks to some generosity on the part of Google's open source office, your editor is now
in possession of a shiny new Nexus One handset. For some, this might not
seem to be hugely exciting news; the Nexus One is another Android phone,
and Android has been reviewed here before. That said, this device is
noteworthy, to the point that its predecessor (an Android Dev
Phone 1) has found itself headed toward early retirement.
As hardware goes, the Nexus is a beautiful device. It's less bulky
than the ADP1, but it's far more capable. The screen is gorgeous
and more responsive to touch than the ADP1 screen. The device has a real
headphone jack, making it easy to connect to arbitrary audio systems. (On
the other hand, the use of yet another mini-USB connector format for the
charger is not appreciated). The camera works well and audio quality is good. Perhaps
nicest, though, is the 1GHz processor, which makes this device the fastest
and most responsive phone your editor has ever used.
The Android software has progressed somewhat beyond what is currently
available for the ADP1. There is a 2.6.29 kernel (sort of - see below) and
lots of eye candy. The device now has turn-by-turn navigation built into
it - a great feature; it's just too bad that the voice that comes with it is so
annoying. Your editor would suggest that anybody wanting a Nexus One, but
lacking the resources to purchase one, could simply search alongside busy
roads for handsets thrown out the window when their owners realized they
simply could not listen to that voice any longer. "Goggles" will perform
searches using the camera, which could prove useful for those "WTF is
that?" questions. With the recently-pushed update, Google has finally
incorporated multitouch into the device, even for those of us living in the
USA.
The point of an open Android phone, though, is that one need not live with
what the vendor has provided. The Cyanogen builds are the definitive
alternative firmware for Android phones. As of this writing, builds for
the Nexus are in a rather early state; in fact, only a beta
image is available. There is also the obligatory enhanced
recovery image out there. For the less adventurous, there is also an add-on
image from Cyanogen which adds various command line utilities and an
improved kernel to the existing firmware. Your editor hopes to be able to
play with all of these in the near future; stay tuned.
Kernel participation
Greg Kroah-Hartman's recent discussion
of the removal of the Android code from the staging tree contained
little in the way of surprises, but it seemed to surprise enough people
anyway to get a wide distribution. The problem here is simple: Google did
its Android development work behind closed doors, then threw it out into
the world as a fait accompli that was not subject to outside improvements.
This code, unsurprisingly, was not seen as fit for immediate inclusion into
the mainline kernel, even when non-Google people made the effort. It's a
rare patch that doesn't need some sort of change; patches adding strange
new features - some of which duplicate existing functionality - have an
especially hard time.
Shipping new kernel features to users before being sure that those features
will be accepted upstream can be a fundamental mistake, especially where
new APIs are involved. Kernel developers tend to be cautious about API
additions, since they must be supported forever; any API shortcomings need
to be fixed before they can be merged. But if that API has been shipped to
customers, the company responsible is faced with the choice of imposing an
API change on those customers or maintaining the code as a fork.
Google seems to have taken the fork approach; indeed, recent comments from
Google employees suggest that the company sees no problem with long-term
forks. It is a little strange to hear that a few months after another
Google employee gave a talk
on how the company wants to work much more closely with the kernel
community. The kernel has been one of the unifying factors that has helped
Linux to avoid the kind of fragmentation which plagued proprietary Unix and
which we have seen in the BSD community as well. Google is doing a lot of
things right; it has created a Linux-based phone platform which can
compete with the best. It would be a shame, though, if Google were to do
all this at the cost of bringing unwanted fragmentation to Linux.
Free applications
The Android "Market" gives access to a wide array of applications. Many of
those cost money; others are free. There's even a button to select only
free applications, for those who are not looking to pull out their credit
cards at the moment. But "free," in the Android Market sense, is purely
"free beer." Some of the "free" applications are indeed free software, but
there is really no way for the user to know that or to look specifically for free/open
source programs.
Twenty years ago, many of us were busily installing free applications on
top of proprietary kernels and low-level libraries. The arrival of a
viable free kernel made it possible to create 100% free systems, and large
numbers of people have never looked back. Now, with Android, we have a
free kernel which is heavily layered with proprietary applications on top.
These applications cannot be changed or fixed, and they can lead to
unfortunate situations like the cease-and-desist notice served against the
Cyanogen build last year. They can also be loaded with antifeatures; your
editor was recently put into the position of having to explain the
"Unlimited girls on your G1!" ad helpfully displayed by WeatherBug to his
spouse.
There are good free applications out there. The ConnectBot SSH client can
be hard to do without. Astrid looks
like a useful task manager; Tomdroid can be used in that mode
as well. Android-wifi-tether
is a hugely useful utility which turns a phone into a wireless access point
connected through the cellular network. (Note that use of this tool may
well put one at odds with one's cellular carrier; it also requires an
enhanced kernel on some platforms). Your editor is not prepared to be
quite so enthusiastic about the K9 mail client, but it is
improving, slowly. Ringdroid is a good way to
make your own special annoying ring tones. And so on.
Clearly, free applications exist for Android. But finding them takes work,
which is silly; this is a perfect job for a computer. An ideal solution would be
for Google to add a "freely-licensed" option to its (proprietary) market
application. Failing that, it should be possible (for somebody with a bit
more Android application-level programming experience than your editor) to
put together an alternative market application which would focus on the
growing body of free software for the Android system. It is an area worthy
of encouragement; free software doesn't become less important just because
it's running on a machine that fits into a shirt pocket.
Page editor: Jonathan Corbet
Security
February 10, 2010
This article was contributed by Koen Vervloesem
One of the keynote speakers at FOSDEM
2010 in Brussels was Elena Reshetova, a senior security engineer at the
Nokia Maemo Security team. Last October at the Maemo Summit 2009, she gave a short
introduction to Maemo 6 Platform Security, a set of mechanisms and
techniques to protect the Maemo 6 platform; at FOSDEM she gave a more technical overview.
Security of a platform depends on a whole "stack" of solutions: at the
bottom there are hardware enablers, such as a TPM (Trusted Platform Module)
chip in PCs. On top of that, software implements integrity protection,
layered above that is access control, and then privacy protection. On each of these levels, the platform needs key management for encryption and signing keys, and all this is coordinated by a particular security policy. For Maemo 6, Nokia is working on this whole security stack.
DRM
It's no secret that Nokia wants to attract a larger commercial offering to its application store for Maemo. Therefore, the security framework of Maemo 6 will enforce DRM (digital rights management or digital restrictions management, depending on the viewpoint) policies. According to Elena, this is needed to be able to attract a larger developer offering: "DRM will enable a lot more use cases for Maemo devices, such as games and commercial applications."
When talking about DRM, most of the time that means locking down the platform. Elena assured the assembled open source audience that Maemo remains an open source platform, even when DRM comes into play. Maemo 6 will have two device modes: one mode has DRM protection, which means that users can't tinker with their platform. But there will also be an open source mode, which will have the same functionality as Maemo 5 on the N900. In this mode, users are free to hack their device, compile and flash their own kernel, define their own security policy, and do low-level platform development. However, they won't be able to run protected software or play protected media files.
The Maemo 6 device's boot process is assisted by a hardware enabler: the
ARM TrustZone security extension to the ARM Cortex-A8 processor creates a
trusted execution environment (TrEE) with two main keys: a root public key
and a root device specific key. The boot ROM of the device checks the
integrity of the boot loader and refuses to load it if it has been tampered
with. Incidentally, this means that users cannot swap out Nokia's boot
loader for another one. However, if Nokia's loader passes the integrity
check, then it checks the integrity of the software (including Nokia's
kernel). If that doesn't pass (e.g. the user compiled a custom kernel that
isn't signed by Nokia) and the device is SIM locked by the carrier, the
device refuses to boot. If the integrity check fails and the device is not
SIM locked, then it boots an unsigned software image with restricted
security functionality: DRM keys are disabled so that content from the
closed mode can't be decrypted.
So, in open mode, the user cannot run DRM-protected software purchased from the Ovi Store or play music bought from the Nokia Comes With Music store. It is only if the software verifies as that shipped by Nokia that the boot loader starts the Nokia signed software image (including the kernel root file system and important system components like drivers and Application Manager), which has the DRM keys enabled and thus can decrypt DRM-protected content.
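The boot decisions described above can be written down as a small model; this is an added illustration, not code from Nokia or from the talk. It assumes an HMAC with a constructed key as a stand-in for the signature check against the root public key, and all names in it are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from enum import Enum

# Constructed stand-in for Nokia's signing key. The article says the device
# verifies against a root public key held in the TrEE; HMAC is swapped in
# here only so the model runs with the Python standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"


class Boot(Enum):
    REFUSED_BY_ROM = "boot ROM refused a modified boot loader"
    REFUSED_BY_LOADER = "loader refused an unsigned image (SIM-locked device)"
    OPEN_MODE = "unsigned image booted, DRM keys disabled"
    CLOSED_MODE = "Nokia-signed image booted, DRM keys enabled"


def sign(blob: bytes) -> bytes:
    """Produce the stand-in 'signature' the vendor would ship with a blob."""
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).digest()


def verifies(blob: bytes, signature: bytes) -> bool:
    """Constant-time check that the signature matches the blob."""
    return hmac.compare_digest(sign(blob), signature)


@dataclass(frozen=True)
class Device:
    loader: bytes
    loader_sig: bytes
    image: bytes        # kernel, root file system, system components
    image_sig: bytes
    sim_locked: bool


def boot(dev: Device) -> Boot:
    # Stage 1: the boot ROM checks the boot loader and refuses a modified one.
    if not verifies(dev.loader, dev.loader_sig):
        return Boot.REFUSED_BY_ROM
    # Stage 2: the loader checks the software image.
    if verifies(dev.image, dev.image_sig):
        return Boot.CLOSED_MODE
    # Unsigned image: a SIM-locked device stops here, others boot in open mode.
    return Boot.REFUSED_BY_LOADER if dev.sim_locked else Boot.OPEN_MODE


def drm_keys_enabled(result: Boot) -> bool:
    """Only the closed mode can decrypt DRM-protected content."""
    return result is Boot.CLOSED_MODE


def factory_device(sim_locked: bool) -> Device:
    """Constructed sample device with a correctly signed loader and image."""
    loader, image = b"nokia-loader-v1", b"nokia-kernel+rootfs-v1"
    return Device(loader, sign(loader), image, sign(image), sim_locked)


def boot_scenarios() -> dict:
    stock = factory_device(sim_locked=False)
    custom = replace(stock, image=b"community-kernel")  # signature no longer matches
    return {
        "stock image": boot(stock),
        "custom kernel, unlocked": boot(custom),
        "custom kernel, SIM locked": boot(replace(custom, sim_locked=True)),
        "replaced boot loader": boot(replace(stock, loader=b"other-loader")),
        "stock image reflashed": boot(replace(custom, image=stock.image)),
    }


if __name__ == "__main__":
    for name, result in boot_scenarios().items():
        print(f"{name:28} -> {result.value} (DRM keys: {drm_keys_enabled(result)})")
```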
This system gives users a choice. If they want to have full access to
their devices, they will continue to be able to do so in Maemo 6 just like
now, but without access to DRM-protected services. Users can also switch
between the open and closed modes (e.g. between a 'community' kernel and
Nokia's kernel), so that after working in the open mode, users can return
to the DRM-protected mode to play some music. If the application doesn't
use the protected storage but just stores its data as plain files in the
file system, like most non-commercial applications will do, those files are
accessible in both modes. Switching modes requires rebooting the device,
though, because the checks for the integrity of the software are done by the boot loader.
A new kind of access control
Because Maemo is close to a standard Linux distribution, it is no
surprise that Nokia has taken a close look at the classical Linux and UNIX
access control mechanisms and their extensions. The classical UNIX access
control mechanisms are discretionary access controls (DAC) and were created
primarily for servers and desktops with multiple users. Nokia's criteria
for their Maemo platform, which is essentially a single-user system, are
completely different. For starters, Elena mentioned that the platform needs
mandatory access control on the process level: processes should be
protected from other processes. Moreover, it needs a good level of
flexibility and granularity, and all of that should require only minimal
changes to the current Linux DAC model Maemo uses.
Nokia's engineers looked at existing security extensions, such as FreeBSD
access controls, MLS, Biba, SELinux, RBAC, AppArmor and TOMOYO Linux, but
none of them were a good match to Nokia's requirements. For example,
SELinux has fine-grained access control, but needs large, complex policies
that require filesystem extended attributes to store the metadata. Moreover, most of these mechanisms don't provide protection from off-line attacks, which is crucial for a mobile device.
So the main goal of Nokia's engineers was to create a lightweight system
on top of existing Linux security mechanisms, while having to make the
smallest possible change to existing applications. The Maemo 6 security
system starts from the principle of least privilege: every application
should be able to access only a limited set of needed resources. Therefore,
there will be a list of protected resources, and any application that wants
to use them will have to declare that in an "Aegis Manifest" file. This is
an optional XML file (new as part of the Maemo 6 security model) inside a
Debian package, generated automatically by the Maemo SDK (Software
Development Kit) based on the source code. That means that developers don't
have to worry about it and don't have to change their code. According to
Elena, the full list of protected resources is not yet finalized, but
components like cellular functionality or location information will be on
that list. The former should be protected because misuse could harm the device, while the latter should be protected because misuse could cause harm to the user.
Secure software distribution
The Maemo 6 security framework also has a solution for secure software distribution. Each package has a "software source", which can be a software repository or a home page of the software author. Each known software source has an asymmetric key pair: the private key that has been used to sign the package, and the public key used to verify this package. On top of that, each software source is assigned a trust level. Updating a specific package is only possible from the same software source or from a software source with a higher trust level.
All of this is configured in the Aegis security policy, which contains
the mapping between software sources and what the software is allowed to
do. So while each application can declare the access control rights it
needs in its Aegis Manifest file, ultimately the Aegis security policy
decides if these access control rights are granted, based on the risk level
associated to the software source.
For example, software from the Ovi Store is assigned a different trust
level than software from maemo.org or the
home page of an arbitrary software package. The Aegis security policy is
accessible only to the application installer and can only be changed by an
authorized update, meaning that the trust levels cannot be changed by the
user but only by Nokia. Users always have the option to run the device in the open mode, which gives them the capability to define their own security policy.
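How the update rule and the policy interact is easier to see in a model of the installer; the following is an added illustration, not part of Aegis or of the talk. The source names, trust numbers and resource names are constructed, and two behaviours are assumptions: a source missing from the policy is rejected, and a package whose manifest asks for more than its source may have is installed with the refused rights dropped.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Source:
    name: str
    trust: int            # higher number = more trusted (constructed scale)
    grantable: frozenset  # protected resources the policy lets this source use


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    granted: frozenset = frozenset()
    denied: frozenset = frozenset()


# Constructed policy. Source names, trust numbers and resource names are
# hypothetical; the article only says that such a mapping exists.
POLICY = {
    s.name: s for s in (
        Source("ovi-store", 3, frozenset({"cellular", "location"})),
        Source("maemo.org", 2, frozenset({"location"})),
        Source("author-homepage", 1, frozenset()),
    )
}


@dataclass
class Installer:
    policy: dict
    installed: dict = field(default_factory=dict)  # package -> (source name, granted)

    def install(self, package: str, source: str, manifest: set) -> Decision:
        src = self.policy.get(source)
        if src is None:
            # Assumption: a source missing from the policy is rejected outright.
            return Decision(False, "unknown software source")
        if package in self.installed:
            old = self.policy[self.installed[package][0]]
            # Update rule from the article: same source, or strictly higher trust.
            if src.name != old.name and src.trust <= old.trust:
                return Decision(False, f"{src.name} may not replace a package from {old.name}")
        requested = frozenset(manifest)
        granted = requested & src.grantable
        # Assumption: the package still installs, minus the rights that were refused.
        self.installed[package] = (src.name, granted)
        return Decision(True, "installed", granted, requested - granted)


def walkthrough() -> list:
    """Install and update one hypothetical package from several sources."""
    inst = Installer(POLICY)
    return [
        inst.install("navi", "maemo.org", {"location", "cellular"}),   # partial grant
        inst.install("navi", "author-homepage", {"location"}),         # lower trust
        inst.install("navi", "ovi-store", {"location", "cellular"}),   # higher trust
        inst.install("navi", "maemo.org", {"location"}),               # cannot go back down
        inst.install("navi", "ovi-store", {"location"}),               # same source
        inst.install("tool", "unlisted-mirror", set()),                # not in the policy
    ]


if __name__ == "__main__":
    for d in walkthrough():
        print(d.allowed, d.reason, sorted(d.granted), sorted(d.denied))
```

Note the fourth step: once a package has been taken over by a higher-trust source, its original source can no longer update it.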
Integrity and privacy protection
Integrity protection is handled by the Aegis Validator. This component
ensures the integrity of all executable components, such as binaries and
libraries. It not only protects against runtime manipulations, but also
against off-line attacks. A kernel module calculates a cryptographic hash,
currently SHA-1, of each file. The reference hashes, which come inside the package or can be computed during installation time, are then stored in the Aegis Protected Storage.
The Aegis Protected Storage ensures the integrity of data and
configuration files after installation. It can not only be used to sign and
verify data, but also to protect the user's privacy by encrypting their
data with an encryption key that is stored in hardware. However, applications have to explicitly use the Aegis Protected Storage APIs to place files in the protected storage. The Protected Storage APIs can be used in both of the device's modes, but with an obvious caveat: if an application uses the API to encrypt data in the closed mode, it won't be able to decrypt it in the open mode, and vice versa.
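Why the reference hashes need to live in storage tied to a hardware key shows up when the runtime and off-line cases are put side by side; the following is an added illustration, not the Aegis Validator's code. It assumes an HMAC under a constructed key as a stand-in for the protected storage's signing, a hypothetical file path, and that files without a reference hash are not run.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the key kept in hardware. An attacker with only
# off-line access to the file system is assumed not to know it.
DEVICE_KEY = b"constructed-hardware-key"


def file_hash(data: bytes) -> str:
    """Reference hash of an executable; SHA-1 because the article names it."""
    return hashlib.sha1(data).hexdigest()


class ReferenceStore:
    """Path -> hash table whose integrity is sealed with the device key."""

    def __init__(self, key: bytes):
        self._key = key
        self.hashes = {}
        self.seal = self._mac()

    def _mac(self) -> str:
        blob = json.dumps(self.hashes, sort_keys=True).encode()
        return hmac.new(self._key, blob, hashlib.sha256).hexdigest()

    def record(self, path: str, data: bytes) -> None:
        """Install time: store the reference hash and re-seal the table."""
        self.hashes[path] = file_hash(data)
        self.seal = self._mac()

    def intact(self) -> bool:
        """True if the table still matches the seal made with the device key."""
        return hmac.compare_digest(self.seal, self._mac())


def may_execute(store: ReferenceStore, path: str, data: bytes) -> tuple:
    """Decide whether a file may run; returns (allowed, reason)."""
    if not store.intact():
        return False, "reference store modified"
    ref = store.hashes.get(path)
    if ref is None:
        # Assumption: files without a reference hash are not run.
        return False, "no reference hash"
    if not hmac.compare_digest(ref, file_hash(data)):
        return False, "hash mismatch"
    return True, "ok"


def validator_scenarios() -> dict:
    path = "/usr/bin/dialer"                  # hypothetical path
    original = b"\x7fELF original code"       # constructed file contents
    modified = b"\x7fELF modified code"
    store = ReferenceStore(DEVICE_KEY)
    store.record(path, original)
    results = {
        "untouched binary": may_execute(store, path, original),
        "binary replaced": may_execute(store, path, modified),
        "binary never installed": may_execute(store, "/tmp/unknown", modified),
    }
    # Off-line case: the storage is edited while the device is powered off, so
    # the binary and its reference hash both change, but the seal cannot be
    # recomputed without the device key.
    store.hashes[path] = file_hash(modified)
    results["binary and hash replaced off-line"] = may_execute(store, path, modified)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in validator_scenarios().items():
        print(f"{name:36} -> {'run' if allowed else 'blocked'} ({reason})")
```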
Open source
Nokia is doing its best to behave like a good citizen in the open source world. Elena said they are offering their security additions to the upstream D-Bus project. In addition, recently Nokia created a Maemo 6 Platform Security project at gitorious.org, and the first available code is from the libcreds library, which allows getting and setting the credentials of another process in a secure way. The credentials that libcreds can handle include the user id, group id, supplementary groups, and capabilities defined by the kernel. At the end of her talk, Elena said that, over time, it is Nokia's goal to open source most of the Maemo 6 security framework.
However, DRM threatens the open nature of the Maemo 6 platform. In her
talk, Elena stressed how simple it is to use Platform Security because the
user doesn't have to worry about key management. All encryption and signing
keys of the platform are ultimately based on hardware keys of the ARM
TrustZone. So if users back up their data by a simple one-to-one copy and
lose their Maemo 6 device, they can't read their backup anymore. Moreover,
given that the device's private key is carved in hardware in the chip
factory, users can't be sure that they are the only ones with access to the
private key. Users don't have any control over the key, but Nokia is
promoting its Maemo platform as an open platform without restrictions.
Those conflicting signals generated a lot of questions from the audience,
many of whom had bad memories of the Trusted Platform Module and "Trusted
Computing". So all in all, it looks like the Maemo 6 Platform Security will become a challenge for Nokia's relationship with the Maemo community. Luckily, Nokia is clearly listening to these concerns: the Finnish company has opened a wiki page with questions and official answers about the topic, and it welcomes users to add their questions to the discussion page.
New vulnerabilities
bugzilla: information leak
| Package(s): | bugzilla |
| CVE #(s): | CVE-2009-3989, CVE-2009-3387 |
| Created: | February 9, 2010 |
| Updated: | June 4, 2010 |
Description:
From the Bugzilla advisory:
This advisory covers two security issues that have recently been
fixed in the Bugzilla code:
+ Some files stored on the web server are not correctly protected against
external access and can be viewed from a web browser.
+ Restricting a bug to a group while moving the bug to another product has
no effect if the group is not used by both products. The bug may become
public if no other group restriction applies.
chrony: multiple vulnerabilities
| Package(s): | chrony |
| CVE #(s): | CVE-2010-0292, CVE-2010-0293, CVE-2010-0294 |
| Created: | February 4, 2010 |
| Updated: | February 10, 2010 |
Description:
From the Debian alert:
CVE-2010-0292:
chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for
unauthorized hosts. An attacker can abuse this behaviour to force two
chronyd instances to play packet ping-pong by sending such a packet with
spoofed source address and port. This results in high CPU and network
usage and thus denial of service conditions.
CVE-2010-0293:
The client logging facility of chronyd doesn't limit memory that is used
to store client information. An attacker can cause chronyd to allocate
large amounts of memory by sending NTP or cmdmon packets with spoofed
source addresses resulting in memory exhaustion.
CVE-2010-0294:
chronyd lacks of a rate limit control to the syslog facility when logging
received packets from unauthorized hosts. This allows an attacker to
cause denial of service conditions via filling up the logs and thus disk
space by repeatedly sending invalid cmdmon packets.
dokuwiki: cross-site request forgeries
| Package(s): | dokuwiki |
| CVE #(s): | CVE-2010-0287, CVE-2010-0288, CVE-2010-0289 |
| Created: | February 5, 2010 |
| Updated: | February 10, 2010 |
Description:
From the Red Hat bugzilla:
The DokuWiki BTS identified another security vulnerability in the ACL
manager. The plugin does not check against cross-site request forgeries (CSRF)
which can be exploited to, for example, change access control rules by tricking
a logged-in administrator into visiting a malicious website.
ejabberd: remote denial of service
| Package(s): | ejabberd |
| CVE #(s): | CVE-2010-0305 |
| Created: | February 5, 2010 |
| Updated: | April 15, 2010 |
Description:
From the Red Hat bugzilla:
Remotely exploitable DoS from XMPP client to ejabberd server
via flood of "client2server" messages (causing the message queue on
the server to get overloaded, leading to server crash) has been found.
gmime22: arbitrary code execution
| Package(s): | gmime22 |
| CVE #(s): | CVE-2010-0409 |
| Created: | February 5, 2010 |
| Updated: | August 2, 2010 |
Description:
From the Red Hat bugzilla:
Buffer overflow flaw was reported and fixed in the GMime library,
in the code part responsible for calculating the maximum number
of output bytes generated by an uuencode operation.
If a local user was tricked into running a specially-crafted
application, using the library, it could lead to denial of
service (supplied application crash) or, potentially, to arbitrary
code execution with the privileges of the user running that
application.
gnome-screensaver: lock bypass
| Package(s): | gnome-screensaver |
| CVE #(s): | CVE-2010-0414 |
| Created: | February 9, 2010 |
| Updated: | February 18, 2010 |
Description:
From the Fedora advisory:
gnome-screensaver currently doesn't deal with monitors getting removed
properly. If the unlock dialog is on the removed monitor then the unlock
dialog and its associated keyboard grab are not moved to an existing monitor when the monitor removal is processed. This means that users can gain access to the locked system by placing the mouse pointer on an external monitor and then disconnect the external monitor.
HelixPlayer: multiple vulnerabilities
| Package(s): | HelixPlayer |
| CVE #(s): | CVE-2009-4242, CVE-2009-4245, CVE-2009-4247, CVE-2009-4248, CVE-2009-4257, CVE-2010-0416, CVE-2010-0417 |
| Created: | February 9, 2010 |
| Updated: | February 10, 2010 |
Description:
From the Red Hat advisory:
Multiple buffer and integer overflow flaws were found in the way
HelixPlayer processed Graphics Interchange Format (GIF) files. An attacker
could create a specially-crafted GIF file which would cause HelixPlayer to
crash or, potentially, execute arbitrary code when opened. (CVE-2009-4242,
CVE-2009-4245)
A buffer overflow flaw was found in the way HelixPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. An attacker
could create a specially-crafted SMIL file which would cause HelixPlayer to
crash or, potentially, execute arbitrary code when opened. (CVE-2009-4257)
A buffer overflow flaw was found in the way HelixPlayer handled the Real
Time Streaming Protocol (RTSP) SET_PARAMETER directive. A malicious RTSP
server could use this flaw to crash HelixPlayer or, potentially, execute
arbitrary code. (CVE-2009-4248)
Multiple buffer overflow flaws were discovered in the way HelixPlayer
handled RuleBook structures in media files and RTSP streams.
Specially-crafted input could cause HelixPlayer to crash or, potentially,
execute arbitrary code. (CVE-2009-4247, CVE-2010-0417)
A buffer overflow flaw was found in the way HelixPlayer performed URL
un-escaping. A specially-crafted URL string could cause HelixPlayer to
crash or, potentially, execute arbitrary code. (CVE-2010-0416)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2010-0291 |
| Created: | February 5, 2010 |
| Updated: | July 12, 2010 |
Description:
From the Ubuntu advisory:
Al Viro discovered that certain mremap operations could leak kernel
memory. A local attacker could exploit this to consume all available
memory, leading to a denial of service.
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2010-0307 |
| Created: | February 5, 2010 |
| Updated: | October 14, 2010 |
Description:
From the Red Hat bugzilla:
Reported by Mathias Krause. The problem seems to be located in
fs/binfmt_elf.c:load_elf_binary(). It calls SET_PERSONALITY() prior checking
that the ELF interpreter is available. This in turn makes the previously 32 bit
process a 64 bit one which would be fine if execve() would succeed. But after
the SET_PERSONALITY() the open_exec() call fails (because it cannot find the
interpreter) and execve() almost instantly returns with an error. If you now
look at /proc/PID/maps you'll see, that it has the vsyscall page mapped which
shouldn't be. But the process is not dead yet, it's still running. By now
generating a segmentation fault and in turn trying to generate a core dump the
kernel just dies.
kvm: multiple vulnerabilities
| Package(s): | kvm |
| CVE #(s): | CVE-2010-0297, CVE-2010-0298, CVE-2010-0306, CVE-2010-0309 |
| Created: | February 9, 2010 |
| Updated: | June 4, 2010 |
Description:
From the Red Hat advisory:
The x86 emulator implementation was missing a check for the Current
Privilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest
could leverage these flaws to cause a denial of service (guest crash) or
possibly escalate their privileges within that guest. (CVE-2010-0298,
CVE-2010-0306)
A flaw was found in the Programmable Interval Timer (PIT) emulation. Access
to the internal data structure pit_state, which represents the data state
of the emulated PIT, was not properly validated in the pit_ioport_read()
function. A privileged guest user could use this flaw to crash the host.
(CVE-2010-0309)
A flaw was found in the USB passthrough handling code. A specially-crafted
USB packet sent from inside a guest could be used to trigger a buffer
overflow in the usb_host_handle_control() function, which runs under the
QEMU-KVM context on the host. A user in a guest could leverage this flaw to
cause a denial of service (guest hang or crash) or possibly escalate their
privileges within the host. (CVE-2010-0297)
mysql: arbitrary code execution
| Package(s): | mysql |
| CVE #(s): | CVE-2009-4484 |
| Created: | February 10, 2010 |
| Updated: | March 30, 2010 |
Description:
From the Ubuntu advisory:
It was discovered that MySQL contained a buffer overflow when parsing
ssl certificates. A remote attacker could send crafted requests and cause a
denial of service or possibly execute arbitrary code. This issue did not
affect Ubuntu 6.06 LTS and the default compiler options for affected
releases should reduce the vulnerability to a denial of service. In the
default installation, attackers would also be isolated by the AppArmor
MySQL profile.
nss: man in the middle attack
| Package(s): | nss |
| CVE #(s): | |
| Created: | February 4, 2010 |
| Updated: | February 10, 2010 |
Description:
From the Pardus alert:
A serious vulnerability was found in TLS/SSLv3 protocol as implemented
in nss, which can be used by man-in-the-middle attackers to send
arbitrary requests to the server as if legitimate user.
The TLS/SSLv3 protocol as implemented in nss prior to this update was
not able to associate already sent data to a renegotiated connection.
This allowed man-in-the-middle attackers to inject HTTP requests in a
HTTPS session without being noticed. For example Apache's mod_ssl was
vulnerable to this kind of attack because it uses openssl.
ocsinventory: multiple vulnerabilities
| Package(s): | ocsinventory |
| CVE #(s): | |
| Created: | February 8, 2010 |
| Updated: | February 10, 2010 |
Description:
From the Secunia advisory:
Hernan Jais has discovered multiple vulnerabilities in OCS Inventory NG, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "c" parameter to index.php (when "cuaff" is set to any value) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the search form for the "BIOS Manufacturer", "BIOS Version", "Computer name", "Description", "Free space", "Gateway", "IP address", "MAC address", "Manufacturer", "Memory", "Model", "Monitor: caption", "Monitor: manufacturer", "Monitor: serial", "Network number", "Processor Speed", "Registry key", "Serial number", "Service pack", "Software", "Tag", or "User" criteria to index.php (when "multi" is set to "1") and via the "All softwares" search form for the "Software name" criteria to index.php (when "multi" is set to "36") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "magic_quotes_gpc" is disabled.
3) Input passed via the URL is not properly sanitised before being returned to the user within the index.php script. This can be exploited to execute arbitrary HTML and script code in a logged-in user's browser session in context of an affected site.
The vulnerabilities are confirmed in version 1.02.1. Other versions may also be affected.
sqlite: unauthorized information access
| Package(s): | sqlite |
| CVE #(s): | |
| Created: | February 4, 2010 |
| Updated: | February 15, 2010 |
Description:
From the Pardus alert:
A vulnerability has been found in sqlite, which can be exploited by
malicious people to gather deleted information on sqlite database.
Sqlite leaves a trace on the disk when using DELETE query. Although the
deleted information cannot be seen with sqlite query, it can be seen
with a text editor.
squid: denial of service
| Package(s): | squid |
| CVE #(s): | CVE-2010-0308 |
| Created: | February 8, 2010 |
| Updated: | March 31, 2010 |
Description:
From the Mandriva advisory:
A vulnerability has been discovered and corrected in Squid 2.x,
3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15, which allows
remote attackers to cause a denial of service (assertion failure)
via a crafted DNS packet that only contains a header (CVE-2010-0308).
thunderbird: multiple vulnerabilities
| Package(s): | thunderbird |
| CVE #(s): | |
| Created: | February 10, 2010 |
| Updated: | February 11, 2010 |
Description:
From the Pardus advisory:
Security researcher Dan Kaminsky reported an integer overflow in the
Theora video library. A video's dimensions were being multiplied
together and used in particular memory allocations. When the video
dimensions were sufficiently large, the multiplication could overflow a
32-bit integer resulting in too small a memory buffer being allocated
for the video. An attacker could use a specially crafted video to write
data past the bounds of this buffer, causing a crash and potentially
running arbitrary code on a victim's computer.
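The arithmetic behind the Theora flaw described in the thunderbird entry above, as an added C illustration (not code from the Theora library, Mozilla or the advisory): the unchecked 32-bit product next to a checked form that fails closed. The function names and the MAX_PLANE_BYTES cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy cap on one plane; not a value taken from any decoder. */
#define MAX_PLANE_BYTES (256ULL * 1024ULL * 1024ULL)

/* Unchecked pattern from the advisory text: the product is computed in
 * 32 bits, so it wraps modulo 2^32 when the dimensions are large. */
static uint32_t plane_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Bytes a row-by-row writer would touch beyond a buffer sized with the
 * unchecked product (0 when the product did not wrap). */
static uint64_t overrun_bytes(uint32_t width, uint32_t height)
{
    uint64_t needed = (uint64_t)width * height;

    return needed - plane_bytes_unchecked(width, height);
}

/* Checked form: widen before multiplying, then reject empty or oversized
 * planes. Returns 0 and stores the size, or -1 to refuse the stream. */
static int plane_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    uint64_t needed = (uint64_t)width * height; /* 32x32 bits fits in 64 */

    if (width == 0 || height == 0 || needed > MAX_PLANE_BYTES)
        return -1;
    *out = (size_t)needed;
    return 0;
}

/* Allocation helper that returns NULL instead of an undersized buffer. */
static uint8_t *alloc_plane(uint32_t width, uint32_t height)
{
    size_t n;

    if (plane_bytes_checked(width, height, &n) != 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed sample dimensions: one ordinary frame, one that wraps. */
    const uint32_t dims[2][2] = { { 1920, 1080 }, { 65537, 65537 } };

    for (int i = 0; i < 2; i++) {
        uint32_t w = dims[i][0], h = dims[i][1];
        uint8_t *p = alloc_plane(w, h);

        printf("%ux%u: unchecked size %u, overrun %llu, checked alloc %s\n",
               (unsigned)w, (unsigned)h,
               (unsigned)plane_bytes_unchecked(w, h),
               (unsigned long long)overrun_bytes(w, h),
               p ? "ok" : "refused");
        free(p);
    }
    return 0;
}
```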
trac-git: remote file execution
| Package(s): | trac-git |
| CVE #(s): | CVE-2010-0394 |
| Created: | February 4, 2010 |
| Updated: | February 10, 2010 |
Description:
From the Debian alert:
Stefan Goebel discovered that the Debian version of trac-git, the Git
add-on for the Trac issue tracking system, contains a flaw which
enables attackers to execute code on the web server running trac-git
by sending crafted HTTP queries.
Page editor: Jake Edge
Kernel development
Brief items
The current development kernel is 2.6.33-rc7, released on February 6. "I have to admit
that I wish we had way fewer regressions listed by this time... But we've
certainly fixed a few things, and it's been a week, so here's -rc7. I wish
I could say that it's the last -rc, but I strongly doubt that, and we'll
almost certainly have at least one more." See the
full changelog for the details.
Stable updates: 2.6.32.8 was released on February 9. "Sorry for the delay in releasing it, but there were a few crashes that
people had reported, combined with verifying that a security problem
really was fixed and backported properly, along with travel to and from
FOSDEM, all [of] which caused delays." 2.6.27.45 remains as the latest
stable update for 2.6.27.
You know, I'm -><- that close to posting a highly unprintable
rant about hooks in general, associated style of development and
resulting problems. With names named and *many* examples given.
LSM is essentially a trashcan and just about everything icky gets
swept over there. That's fine, as long as one doesn't care whether
their code makes sense and just wants to keep it away from
unfriendly eyes.
--
Al Viro
Kernel development news
By Jonathan Corbet
February 9, 2010
The release of the
2.6.33-rc7
prepatch indicates that this development cycle is headed toward a close,
even if Linus thinks that a -rc8 will be necessary. As has become
traditional, LWN has taken a look at some statistics related to this cycle
and where the code came from.
As of this writing, 10,500 non-merge commits have found their way into
2.6.33 - fairly normal by recent standards. These changes added almost
900,000 lines while deleting almost 520,000 others; as a result, the kernel
grew by a mere 380,000 lines this time around. According to the most recent regression list,
97 regressions have been reported in 2.6.33, of which 20 remain
unresolved.
Some 1,152 developers contributed code to 2.6.33. The most active of those
were:
| Most active 2.6.33 developers |
| By changesets |
| Ben Hutchings | 145 | 1.4% |
| Frederic Weisbecker | 145 | 1.4% |
| Arnaldo Carvalho de Melo | 138 | 1.3% |
| Luis R. Rodriguez | 130 | 1.2% |
| Masami Hiramatsu | 128 | 1.2% |
| Bartlomiej Zolnierkiewicz | 124 | 1.2% |
| Eric Dumazet | 108 | 1.0% |
| Alan Cox | 105 | 1.0% |
| Manu Abraham | 102 | 1.0% |
| Thomas Gleixner | 101 | 1.0% |
| Eric W. Biederman | 97 | 0.9% |
| Roel Kluin | 91 | 0.9% |
| Alexander Duyck | 88 | 0.8% |
| Paul Mundt | 87 | 0.8% |
| Johannes Berg | 80 | 0.8% |
| Wey-Yi Guy | 77 | 0.7% |
| Alex Deucher | 76 | 0.7% |
| Jean Delvare | 73 | 0.7% |
| Al Viro | 72 | 0.7% |
| By changed lines |
| Bartlomiej Zolnierkiewicz | 206468 | 18.1% |
| Henk de Groot | 50355 | 4.4% |
| Jerry Chuang | 49627 | 4.3% |
| Ben Skeggs | 37555 | 3.3% |
| Philipp Reisner | 23182 | 2.0% |
| Eilon Greenstein | 23123 | 2.0% |
| Tomi Valkeinen | 22508 | 2.0% |
| Mike Frysinger | 13116 | 1.1% |
| Ben Hutchings | 12680 | 1.1% |
| Jakob Bornecrantz | 11613 | 1.0% |
| Wu Zhangjin | 11325 | 1.0% |
| Greg Kroah-Hartman | 10468 | 0.9% |
| Rajendra Nayak | 9978 | 0.9% |
| Manu Abraham | 9625 | 0.8% |
| jack wang | 9171 | 0.8% |
| Masami Hiramatsu | 8973 | 0.8% |
| Alan Cox | 7672 | 0.7% |
| David VomLehn | 7331 | 0.6% |
| Arnaldo Carvalho de Melo | 7217 | 0.6% |
While some of the usual names appear at the top of this list, there are
some newcomers as well. Ben Hutchings did a lot of work with network
drivers, including the addition of the SolarFlare SFC9000 driver (which has
several co-authors). Frederic Weisbecker has been active in a number of
areas, adding the hardware breakpoints code, removing the big kernel lock
from the reiserfs filesystem, and working with tracing and the perf tool.
Arnaldo Carvalho de Melo's work is almost all with the perf events subsystem and
the perf tool in particular. Luis Rodriguez continues to work all over the
wireless driver subsystem, and with the Atheros drivers in particular, and
Masami Hiramatsu's largest contribution is the dynamic probing work.
In the "lines changed" column, Bartlomiej Zolnierkiewicz continues to work
in fixing up some wireless drivers in the staging tree, deleting a lot of
code in the process; he also continues his IDE driver work. Henk de Groot
added the Agere driver for HERMES II chipsets, Jerry Chuang added the
Realtek rtl8192u driver, and Ben Skeggs added much of the Nouveau driver.
Contributions to 2.6.33 came from 182 employers that your editor was able
to identify. The most active of those are:
| Most active 2.6.33 employers |
| By changesets |
| (None) | 1535 | 14.6% |
| Red Hat | 1223 | 11.6% |
| Intel | 1011 | 9.6% |
| (Unknown) | 868 | 8.3% |
| IBM | 500 | 4.8% |
| Novell | 390 | 3.7% |
| Nokia | 319 | 3.0% |
| (Consultant) | 316 | 3.0% |
| Fujitsu | 204 | 1.9% |
| Texas Instruments | 199 | 1.9% |
| Atheros Communications | 169 | 1.6% |
| (Academia) | 166 | 1.6% |
| AMD | 165 | 1.6% |
| Oracle | 136 | 1.3% |
| Analog Devices | 130 | 1.2% |
| Renesas Technology | 126 | 1.2% |
| Pengutronix | 125 | 1.2% |
| HP | 124 | 1.2% |
| Solarflare Communications | 123 | 1.2% |
| By lines changed |
| (None) | 304895 | 26.7% |
| (Unknown) | 109716 | 9.6% |
| Red Hat | 92991 | 8.1% |
| Broadcom | 54272 | 4.8% |
| Realtek | 49951 | 4.4% |
| Intel | 46302 | 4.1% |
| Nokia | 37505 | 3.3% |
| Novell | 27235 | 2.4% |
| IBM | 26783 | 2.3% |
| (Consultant) | 25845 | 2.3% |
| Texas Instruments | 24232 | 2.1% |
| LINBIT | 23247 | 2.0% |
| Analog Devices | 19677 | 1.7% |
| VMWare | 16045 | 1.4% |
| Samsung | 15707 | 1.4% |
| Solarflare Communications | 15054 | 1.3% |
| JiangSu Lemote Corp. | 11439 | 1.0% |
| AMD | 9218 | 0.8% |
| Universal Scientific Industrial Co. | 9194 | 0.8% |
As usual, Red Hat maintains its position at the top of the list, but others
are gaining; we may yet see a day when Red Hat is just one of several major
contributors. Some readers may be surprised to see Broadcom near the top
of the list, given that this company's reputation for contribution is not
the best. The truth of the matter is that Broadcom has several developers
contributing to various drivers in the networking and SCSI subsystems; it's
only in the wireless realm that the trouble starts.
For the fun of it, your editor typed the "changeset percent"
numbers for the last ten releases into a spreadsheet and got this plot:
The percentages are surprisingly stable over the course of almost three
years. The most obviously identifiable trends, perhaps, are the steady
increases in the contributions from Intel and Nokia.
All told, the process continues to function smoothly. The occasional
complaint about certain companies not fully participating in the process
notwithstanding, the picture is one of hundreds of companies cooperating to
a high degree to create the Linux kernel despite their fierce competition
elsewhere. The significant percentage of code coming from developers
working on their own time shows that Linux is not just a corporate
phenomenon, though. We have built a development community which is able to
incorporate the interests and work of an astonishingly wide variety of
people into a single kernel.
As always, thanks are due to Greg Kroah-Hartman, who has done a great deal of work to reduce the size of the "(Unknown)" entries in the tables above.
By Jake Edge
February 10, 2010
The perf tool for performance analysis is adding functionality quickly.
Since being added to the
mainline in 2.6.31, primarily as a means to access various CPU
performance counters, it has expanded its scope. Support for treating
kernel tracepoint events like performance counter events came into the
kernel at around the same time. More recently, though, Tom Zanussi has added
support for using perl and python scripts with the perf tool, making it
even easier to do sophisticated processing of perf events.
The perl support is already in the mainline, but Zanussi added a
python scripting engine more
recently. Interpreters for both perl and python can be embedded into the
perf executable, which allows processing the raw perf trace data stream in
either of those languages.
The perl scripting can be used from the 2.6.33-rc series, but the python
support is only available by applying Zanussi's patches to the tip tree.
Building perf in the tools/perf directory, which requires
development versions of various libraries and tools (glibc, elfutils, libdwarf,
perl, python, etc.), then gives access to the new functionality.
Multiple different example scripts are provided with perf, which can be
listed from perf itself:
# perf trace -l
List of available trace scripts:
syscall-counts [comm] system-wide syscall counts
syscall-counts-by-pid [comm] system-wide syscall counts, by pid
failed-syscalls-by-pid [comm] system-wide failed syscalls, by pid
workqueue-stats workqueue stats (ins/exe/create/destroy)
check-perf-trace useless but exhaustive test script
failed-syscalls [comm] system-wide failed syscalls
wakeup-latency system-wide min/max/avg wakeup latency
rw-by-file <comm> r/w activity for a program, by file
rw-by-pid system-wide r/w activity
This list is a mix of perl and python scripts that live in the
tools/perf/scripts/{perl,python} directories and get installed in
the proper location (/root/libexec by default) after a make install.
The scripts themselves are largely generated by the perf trace
command. Zanussi's documentation for perf-trace-perl and perf-trace-python explains the
process of using perf trace to create the skeleton scripts, which
can then be edited to add the required functionality. Adding two helper
shell scripts (for recording and reporting) to the appropriate directory
will add new scripts to the list produced by perf trace described
above.
The installed scripts can then be used as follows:
# perf trace record failed-syscalls
^C[ perf record: Woken up 11 times to write data ]
[ perf record: Captured and wrote 1.939 MB perf.data (~84709 samples) ]
This captures the perf data into the appropriately named perf.data
file, which can then be processed by:
# perf trace report failed-syscalls
perf trace started with Perl script \
/root/libexec/perf-core/scripts/perl/failed-syscalls.pl
failed syscalls, by comm:
comm # errors
-------------------- ----------
firefox 1721
claws-mail 149
konsole 99
X 77
emacs 56
[...]
failed syscalls, by syscall:
syscall # errors
------------------------------ ----------
sys_read 2042
sys_futex 130
sys_mmap_pgoff 71
sys_access 33
sys_stat64 5
sys_inotify_add_watch 4
[...]
# perf trace report failed-syscalls-by-pid
perf trace started with Python script \
/root/libexec/perf-core/scripts/python/failed-syscalls-by-pid
syscall errors:
comm [pid] count
------------------------------ ----------
firefox [10144]
syscall: sys_read
err = -11 1589
syscall: sys_inotify_add_watch
err = -2 4
firefox [10147]
syscall: sys_futex
err = -110 7
[...]
This simple example shows using the failed-syscalls script to
gather the data, then processing it with the corresponding perl script as
well as a compatible python script (failed-syscalls-by-pid) that slices
the same data somewhat differently. The first report shows a count of each
system call that failed during the few seconds while the trace was active.
It shows the number of errors by process, as well as by system call.
The second report combines the two and shows each process along with
which system calls failed for it, and how many times. There are also
corresponding scripts that count all system calls, not just those that
failed, and report on them similarly. Wakeup latency, file read/write
activity, and workqueue statistics are the focus of some of the other
provided scripts.
These scripting features will make it that much easier for kernel
hackers—or possibly those who aren't—to access the perf
functionality. The state of tracing and instrumentation in the kernel has
been quick to develop over the last few development cycles. It doesn't
look to be slowing down anytime soon.
February 10, 2010
This article was contributed by Oliver Neukum
Introduction
Linux has
supported system suspend to RAM and disk for several years now. This
valuable feature
has a major drawback, however: a system cannot be used while it is
suspended. Reducing the power a system consumes while in active use is
an even nicer feature. It is called "runtime power management."
This can be done by clocking down or switching off components. The
current kernel supports this mainly in the form of CPU frequency
management and USB autosuspend.
The core kernel needs drivers to help
it in order to do runtime power management; some support beyond what
drivers need to do to support system suspension is necessary. Drivers
need to tell the rest of the kernel when a device may be suspended
without unduly impacting performance. Furthermore, drivers need to be
able to suspend and resume a device in a live system without the
process freezer protecting them from races. A driver for an ordinary character
device need not worry about suspend() and resume() racing
against open(),
read(), write() or ioctl().
This is no longer true if a driver uses
runtime power management, but techniques to avoid such races will
be shown later.
USB was the first subsystem in the kernel to
introduce runtime power management in the form of the USB autosuspend
feature; its success has led to the generic framework just being
merged.
USB 2.0 devices are rather simple in
terms of power management. They know just two modes with respect to
power management: active or suspended. They also retain all their
internal state when suspended. This makes the job of drivers easy in
the ideal case. The driver ceases IO to the device and suspends the
device when it is no longer needed and reverses the process when it
is needed again.
Testing USB autosuspend on a laptop
with the average set of built-in USB devices whose drivers all
supported autosuspend, I found power savings on the order of about 1W.
The 6 laptops I tested on drew about 15W of power on average, so USB
autosuspend can reduce power consumption by about 7%.
That said, USB autosuspend is not just
for laptops. All those single watts saved in a company's desktops
will add up to serious power savings. Even the blades in a data center
profit a bit as the root hubs are suspended, too.
API
The API for implementing USB
autosuspend is based on drivers telling the core USB subsystem
whenever a reason for not suspending a device arises or ceases to exist.
The subsystem counts the reasons why a device must not be
autosuspended; the core USB subsystem may then suspend a device whose
counters have reached zero. "Counters" is not a typo: a USB device may
consist of a multitude of interfaces, each of which may have its own
driver.
The counters are manipulated with "get"
and "put" functions which wake or suspend devices according to the
state of the counters. They are provided in synchronous and
asynchronous versions.
- usb_autopm_get_interface(struct usb_interface *);
  Increment the counter and guarantee the device has been resumed
  (may sleep)
- usb_autopm_put_interface(struct usb_interface *);
  Decrement the counter (may sleep)
- usb_autopm_get_interface_async(struct usb_interface *);
  Increment the counter, which will wake the device at a later
  time (safe in atomic contexts).
- usb_autopm_put_interface_async(struct usb_interface *);
  Decrement the counter (safe in atomic contexts)
The asynchronous versions were recently fixed in commit
ccf5b801 for the 2.6.32 release; earlier
kernels were buggy.
Those stuck with an older kernel for some reason cannot use these
functions.
For these manipulations of the counters
to have any effect, a driver must tell the USB subsystem that it
supports USB autosuspend. It does so by setting a flag in its
usb_driver structure. For example, the kaweth driver includes
this initialization:
static struct usb_driver kaweth_driver = {
/* ... */
.supports_autosuspend = 1,
};
The core USB subsystem guarantees drivers that, for all its calls to
methods of struct usb_driver (except, of course, resume() and
reset_resume()), the device in question has been resumed and won't be
suspended while the call is in progress.
Sysfs
Two sysfs attributes are
exported pertaining to USB autosuspend for each device.
- /sys/$DEVICE/power/level
  on for inactive autosuspend, auto for active autosuspend.
- /sys/$DEVICE/power/autosuspend
  The delay between counters reaching zero and autosuspend, in seconds.
The delay mentioned in this table serves a double function.
Firstly, some devices have a large energy consumption when resuming;
disks, for example, have to spin up. Suspending them for a very
short time saves no energy. The delay is a heuristic to avoid such
situations.
Secondly, some devices need time to process data even after the host
has finished talking to them. So do not set this delay to zero unless you know
what you are doing.
Detecting idleness
Most devices are, obviously, idle most of
the time. Think about how often one uses the fingerprint sensor or
the camera built into most modern laptops. Even an Ethernet adapter is
almost always unused while the WLAN is active and vice versa.
User space tells the kernel when it may
require services of a device; an application must open a device before it can
use it. This is true for any device that maps to a character device
node and also for network devices, which are upped and downed. The notable
exceptions to this rule are few, mainly framebuffers and input
devices. These require considerable work to provide good runtime
power savings.
Autosuspend based on open and close
When code follows this pattern, the kernel
will not enable autosuspend for a device for which a file descriptor is held
open. The pattern can also be used for network devices because they have an
equivalent to open() and close() in the form of ifconfig up
and ifconfig down.
Let us have a look at a driver that
implements this simple form of autosuspend:
From the kaweth driver:
    static int kaweth_open(struct net_device *net)
    {
        struct kaweth_device *kaweth = netdev_priv(net);
        int res;

        res = usb_autopm_get_interface(kaweth->intf);
        if (res) {
            err("Interface cannot be resumed.");
            return -EIO;
        }
The driver calls
usb_autopm_get_interface() at the very beginning. This ensures that
the device will not be autosuspended after it has returned without an
error. The driver may henceforth assume that the device is usable and
may ignore the issue of power management until the device is closed
again. The driver must just make sure that it does no IO to the device before it
calls usb_autopm_get_interface().
A similar pattern is followed when the device is closed:
    static int kaweth_close(struct net_device *net)
    {
        struct kaweth_device *kaweth = netdev_priv(net);

        netif_stop_queue(net);
        /* ... */
        kaweth_kill_urbs(kaweth);
        usb_autopm_put_interface(kaweth->intf);
The driver finishes all IO to the
device, then calls usb_autopm_put_interface().
For a conventional driver, waiting for
all IO to finish is a very good idea; for a driver using this kind of
autosuspend, it is mandatory.
Strictly speaking one cannot be sure exactly when
transferred data has been processed by the hardware. That's why the core
USB subsystem
introduces a small delay between the counters reaching zero and the first
attempt to autosuspend the device.
The normal implementations of suspend()
and resume() needed to support system sleep need not be altered much,
if at all. The reason they may need to be changed is locking, because
resume() can be called directly
from usb_autopm_get_interface(). Thus,
resume() must not attempt to retake a lock that is already held when
usb_autopm_get_interface() is called. In theory this restriction is obvious; in
practice this is the most common bug in resume().
The resume() function also operates under some
restrictions concerning memory allocations. It may use only GFP_NOIO
or GFP_ATOMIC to allocate memory. This restriction arises because the
kernel might otherwise try to resume another device to
launder pages. One should take care to get this right; otherwise this bug
will show
itself in very rare spurious deadlocks almost impossible to debug.
A driver's little helpers
For some types of devices there's a
generic driver for which subdrivers are written; USB serial devices are in
that category. For such devices this simple form of autosuspend is
already supported in generic code. A subdriver needs only to set
supports_autosuspend.
Autosuspend for devices that user space has opened
Some devices are open for most of the
running time of the system. For such devices, power saving measures which are
active only in the closed mode are futile. The canonical example is
the keyboard which is literally always open. To get significant power
savings, the detection of idleness must be refined to the point that
periods of actual idleness can be detected after user space has
informed the kernel that services of a device may be required.
For output this is a comparatively easy
task. As user space requests that the kernel perform output to a
device, the device ceases to be idle. It becomes idle again when the
output has been completed.
Let us look at an example for how
output in the simple case is done.
As the open() method is no longer fine-grained enough an
instrument to determine idleness, the detection is
pushed down into the write() code path.
From the cdc-wdm driver (unrelated code has been removed):
    static ssize_t wdm_write(struct file *file, const char __user *buffer,
                             size_t count, loff_t *ppos)
    {
        u8 *buf;
        int rv = -EMSGSIZE, r, we;
        struct wdm_device *desc = file->private_data;
        struct usb_ctrlrequest *req;

        /* ... */
        r = mutex_lock_interruptible(&desc->wlock); /* concurrent writes */
        r = usb_autopm_get_interface(desc->intf);
        set_bit(WDM_IN_USE, &desc->flags);
        rv = usb_submit_urb(desc->command, GFP_KERNEL);
        if (rv < 0) {
            kfree(buf);
            clear_bit(WDM_IN_USE, &desc->flags);
        }
After some preliminaries a lock is
taken and usb_autopm_get_interface() is called.
Thereafter the
driver knows that the device is and will remain active. I/O can be
started just as if the driver didn't do runtime power management.
However, care must be taken to balance
the counters in the error case by calling
usb_autopm_put_interface().
As I/O
finishes, the counter must be decremented again. This is done in the
completion handler using usb_autopm_put_interface_async().
This example from usbhid shows how to do it.
    static void tx_complete (struct urb *urb)
    {
        /* ... */
        usb_autopm_put_interface_async(dev->intf);
        urb->dev = NULL;
        entry->state = tx_done;
        defer_bh(dev, skb, &dev->txq);
    }
It is literally a one-liner.
The PM message and using the return value of the suspend() method
There's another facet of autosuspend that deserves to be mentioned. In
case all the counters mentioned here don't help, one can benignly fail an
autosuspend by returning -EBUSY from suspend(). If this is
done during a full system suspend, the whole suspend operation will be
aborted. Therefore, this technique should be limited to autosuspend, and used
only in rare cases. Automatic suspend can be detected by testing
the PM_EVENT_AUTO bit in the event field of
the message parameter to suspend().
When suspend is aborted in this way, the core USB subsystem will retry the
autosuspension after the above-mentioned delay.
Remote wakeup and spontaneous input
Handling input in the same manner as
output hits a fundamental obstacle. The usual semantics of input
operations are that input data a device generates is stored in a
buffer and handed to user space as the read() system call is
executed. A driver cannot normally predict when a device will volunteer input
data.
To overcome this obstacle, USB has a
feature called "remote wakeup". The feature is optional,
but generally supported by devices it makes sense for.
A suspended device using remote wakeup
can tell the system that it would like to transfer input data. The
system is then required to resume the device. The feature can best be
thought of as an analog of interrupts: like interrupts on PCI
devices, remote wakeup with a USB device has to be explicitly enabled.
A driver requests that remote wakeup be
enabled by setting the aptly-named
needs_remote_wakeup flag
in
struct usb_interface. The core USB subsystem will never
autosuspend a device that does not support remote wakeup if any
of its interfaces' drivers request that remote wakeup be enabled.
Let us look at an example of how a
driver requests that remote wakeup be enabled:
From cdc-acm:
    static int acm_tty_open(struct tty_struct *tty, struct file *filp)
    {
        struct acm *acm;

        /* ... */
        if (usb_autopm_get_interface(acm->control) < 0)
            goto early_bail;
        else
            acm->control->needs_remote_wakeup = 1;
        /* ... */
        usb_autopm_put_interface(acm->control);
Note that a driver has to make sure its
device is active when it requests that remote wakeup be enabled. The
device will automatically be resumed as input data becomes ready
to be transferred. The driver must take care that remote wakeup is
disabled when the device is closed again.
Marking a device busy
Waking up a device has some cost in
time and power; it takes about 40ms to wake up the device. Therefore
staying in the suspended mode for less than a few seconds is not
sensible. As already mentioned, there's a configurable delay between
the time the counters reach zero and the time autosuspend is attempted. When using
remote wakeup, however, the counters remain at zero all the time unless
they are incremented due to output. Yet a delay between the last time a
device is busy (that is, does I/O) and the next attempt to autosuspend
the device is highly desirable.
An API is provided for that purpose:
- usb_mark_last_busy(struct usb_device *);
  Start the delay for the autosuspend anew from now on. Safe in atomic context.
This function restarts the delay every time it is
called.
Let us look at an example - from
cdc-acm:
    static void acm_read_bulk(struct urb *urb)
    {
        struct acm_ru *rcv = urb->context;
        struct acm *acm = rcv->instance;

        /* ... */
        if (!ACM_READY(acm)) {
            dev_dbg(&acm->data->dev, "Aborting, acm not ready");
            return;
        }
        usb_mark_last_busy(acm->dev);
    }
The driver marks the device busy as it
receives data and then processes the received data.
This way,
autosuspend is attempted only if no input or output was performed
for the duration of the configurable delay.
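The rules described so far (per-interface counters, the power/level switch, the delay restarted by usb_mark_last_busy(), the remote wakeup restriction and the -EBUSY veto from suspend()) can be exercised outside the kernel. The following user-space C model is an added example, not kernel or driver code; every model_ and MODEL_ name, the error codes returned and the constructed timeline in main() are assumptions made for illustration.

```c
/* User-space model of the rules above: an added example, not kernel code.
 * All model_ and MODEL_ names and the error codes are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_EVENT_SUSPEND 0x1 /* stand-in for a suspend request */
#define MODEL_EVENT_AUTO    0x2 /* stand-in for the PM_EVENT_AUTO bit */
#define MODEL_MAX_INTF      4

struct model_intf {
    int usage;                /* reasons not to suspend */
    bool needs_remote_wakeup; /* driver expects spontaneous input */
};

struct model_dev {
    struct model_intf intf[MODEL_MAX_INTF];
    size_t num_intf;
    bool can_remote_wakeup;   /* hardware capability */
    bool level_auto;          /* power/level is "auto" */
    unsigned long delay;      /* power/autosuspend, in seconds */
    unsigned long last_busy;  /* when the delay was last restarted */
    bool suspended;
    bool io_pending;          /* driver state the counters do not cover */
};

/* Driver suspend(): veto only automatic suspends, never a system sleep. */
int model_driver_suspend(struct model_dev *d, int event)
{
    if ((event & MODEL_EVENT_AUTO) && d->io_pending)
        return -EBUSY;
    return 0;
}

/* Synchronous "get": count a reason and guarantee the device is awake. */
void model_get(struct model_dev *d, size_t i)
{
    d->intf[i].usage++;
    d->suspended = false;
}

/* "put": drop a reason; the delay runs from this moment. */
void model_put(struct model_dev *d, size_t i, unsigned long now)
{
    d->intf[i].usage--;
    d->last_busy = now;
}

/* Counterpart of usb_mark_last_busy(): start the delay anew. */
void model_mark_last_busy(struct model_dev *d, unsigned long now)
{
    d->last_busy = now;
}

/* Core decision: returns 0 once the device is suspended. */
int model_try_autosuspend(struct model_dev *d, unsigned long now)
{
    bool want_wakeup = false;
    int rc;

    if (d->suspended)
        return 0;
    if (!d->level_auto)
        return -EPERM;            /* power/level is "on" */
    for (size_t i = 0; i < d->num_intf; i++) {
        if (d->intf[i].usage > 0)
            return -EBUSY;        /* one busy interface blocks the device */
        if (d->intf[i].needs_remote_wakeup)
            want_wakeup = true;
    }
    if (want_wakeup && !d->can_remote_wakeup)
        return -EOPNOTSUPP;       /* input would be lost while asleep */
    if (now - d->last_busy < d->delay)
        return -EAGAIN;           /* delay has not elapsed yet */
    rc = model_driver_suspend(d, MODEL_EVENT_SUSPEND | MODEL_EVENT_AUTO);
    if (rc) {
        d->last_busy = now;       /* core retries after another delay */
        return rc;
    }
    d->suspended = true;
    return 0;
}

int main(void)
{
    /* Constructed device: two interfaces, 2 second delay. */
    struct model_dev d = { .num_intf = 2, .can_remote_wakeup = true,
                           .level_auto = true, .delay = 2 };

    model_get(&d, 0);             /* open() on interface 0 at t=0 */
    printf("t=1 open:      %d\n", model_try_autosuspend(&d, 1));
    model_put(&d, 0, 1);          /* close() at t=1 */
    printf("t=2 in delay:  %d\n", model_try_autosuspend(&d, 2));
    model_mark_last_busy(&d, 2);  /* input arrived at t=2 */
    printf("t=3 restarted: %d\n", model_try_autosuspend(&d, 3));
    printf("t=4 idle:      %d\n", model_try_autosuspend(&d, 4));
    return 0;
}
```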
Sleepless in the kernel
What is to be done if a driver cannot sleep in its write path? In that case
a simple solution can no longer be given. The driver needs to call
usb_autopm_get_interface_async() for every call to the write path,
just as
in the above example. The difference is that the driver cannot be sure that
the device is active after the call. Obviously, since it cannot wait for the
device to become active, I/O must be queued.
From
usbnet's usbnet_start_xmit():
    spin_lock_irqsave(&dev->txq.lock, flags);
    retval = usb_autopm_get_interface_async(dev->intf);
    if (retval < 0) {
        spin_unlock_irqrestore(&dev->txq.lock, flags);
        goto drop;
    }

    #ifdef CONFIG_PM
    /* if this triggers the device is still asleep */
    if (test_bit(EVENT_DEV_ASLEEP, &dev->flags)) {
        /* transmission will be done in resume */
        usb_anchor_urb(urb, &dev->deferred);
        /* no use to process more packets */
        netif_stop_queue(net);
        spin_unlock_irqrestore(&dev->txq.lock, flags);
        devdbg(dev, "Delaying transmission for resumption");
        goto deferred;
    }
    #endif
The
asynchronous API is used and errors handled. After that, if the
device is still asleep, I/O is queued. The
queued I/O must be actually started in resume().
From
usbnet's usbnet_resume():
    spin_lock_irq(&dev->txq.lock);
    while ((res = usb_get_from_anchor(&dev->deferred))) {
        skb = (struct sk_buff *)res->context;
        retval = usb_submit_urb(res, GFP_ATOMIC);
        if (retval < 0) {
            dev_kfree_skb_any(skb);
            usb_free_urb(res);
            usb_autopm_put_interface_async(dev->intf);
        } else {
            dev->net->trans_start = jiffies;
            __skb_queue_tail(&dev->txq, skb);
        }
    }
    smp_mb();
    clear_bit(EVENT_DEV_ASLEEP, &dev->flags);
    spin_unlock_irq(&dev->txq.lock);
Here, I/O
requests are taken from the queue and given to the hardware. Care
must be taken to handle the counters correctly in the error case.
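The counter bookkeeping of the deferred-transmit pattern above, as an added user-space C model rather than usbnet code: every packet that is queued or in flight must hold exactly one count, and every failure path must give its count back. The txm_ names, the queue length and the rule that odd packet ids fail to submit are assumptions of the model.

```c
/* User-space model of deferred transmission: an added example, not usbnet
 * code. All txm_ and TXM_ names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TXM_QUEUE_LEN 8

struct txm_dev {
    int usage;                   /* autosuspend counter of the interface */
    bool asleep;                 /* plays the role of EVENT_DEV_ASLEEP */
    int deferred[TXM_QUEUE_LEN]; /* packet ids waiting for resume() */
    size_t num_deferred;
    int in_flight;               /* packets handed to the hardware */
    int dropped;
};

/* Hardware stand-in: constructed rule, odd packet ids fail to submit. */
static bool txm_submit(int pkt)
{
    return pkt % 2 == 0;
}

/* Write path in atomic context: take a count, then send or defer.
 * Returns 0 if sent, 1 if deferred until resume, -1 if dropped. */
int txm_start_xmit(struct txm_dev *d, int pkt)
{
    d->usage++;                  /* async get: the wake-up is only requested */
    if (d->asleep) {
        if (d->num_deferred == TXM_QUEUE_LEN) {
            d->usage--;          /* nowhere to keep it: balance and drop */
            d->dropped++;
            return -1;
        }
        d->deferred[d->num_deferred++] = pkt;
        return 1;
    }
    if (!txm_submit(pkt)) {
        d->usage--;              /* error path must balance the get */
        d->dropped++;
        return -1;
    }
    d->in_flight++;
    return 0;
}

/* resume(): start the queued I/O, returning the count of each failure. */
void txm_resume(struct txm_dev *d)
{
    for (size_t i = 0; i < d->num_deferred; i++) {
        if (txm_submit(d->deferred[i])) {
            d->in_flight++;
        } else {
            d->usage--;
            d->dropped++;
        }
    }
    d->num_deferred = 0;
    d->asleep = false;
}

/* Completion handler: the async put for one finished packet. */
void txm_complete(struct txm_dev *d)
{
    d->in_flight--;
    d->usage--;
}

/* The invariant the driver has to maintain at every step. */
bool txm_balanced(const struct txm_dev *d)
{
    return d->usage == d->in_flight + (int)d->num_deferred;
}

int main(void)
{
    struct txm_dev d = { .asleep = true };

    for (int pkt = 1; pkt <= 4; pkt++) /* constructed packet ids */
        txm_start_xmit(&d, pkt);
    printf("asleep:  usage=%d deferred=%zu\n", d.usage, d.num_deferred);
    txm_resume(&d);
    printf("resumed: usage=%d in_flight=%d dropped=%d\n",
           d.usage, d.in_flight, d.dropped);
    while (d.in_flight)
        txm_complete(&d);
    printf("idle:    usage=%d balanced=%d\n", d.usage, txm_balanced(&d));
    return 0;
}
```

A count that is not returned after a failed submit keeps the device awake indefinitely; an extra put lets the core suspend a device that still has I/O in flight.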
A driver's not so little helpers
Usbnet implements both forms of
autosuspend for its subdrivers. If a subdriver sets
supports_autosuspend, it gets the simple form of autosuspend.
If, instead, it defines the following function, it also gets
runtime power management while the interface is up:
- manage_power(struct usbnet *dev, int on);
  Manage remote wakeup according to on (may sleep).
This function is supposed to set
needs_remote_wakeup based on "on".
Conclusion
I've
tried to show how, in most cases, significant power savings can be had
with little effort. I hope that many coders will find this useful in
their work. In runtime power management the whole is more than the
sum of the parts. Remember that all a device's interfaces must
support autosuspend for a device to be autosuspended and all a hub's
children must be suspended for the hub to be suspended. In this case
the chain breaks at the weakest link. Thus I hope every driver developer makes
at least a small effort to consider runtime power management.
[ The author would like to thank B1-Systems for their support. ]
Page editor: Jonathan Corbet
Distributions
News and Editorials
By Jake Edge
February 10, 2010
It is rather difficult for a distribution or software project to get
accurate information about how many users it has—at least
without potentially violating the privacy of those users. But there are
lots of reasons, beyond just having numbers to tout, that a project would
like to know more about its users. There are various opt-in tools
that have been used by distributions to count their users, but those
typically gather a hardware profile of the user's machine, which is
something that may be too intrusive to get majority uptake. Much less
information is needed for just a count, though, so there may be less
intrusive ways to gather that kind of data.
Matt Domsch recently proposed adding a
feature to yum to help count users in a message to the
fedora-advisory-board mailing list. Domsch wrote the scripts that are used
to create the worldwide Fedora user maps and is concerned about the
current counting method, which uses information from the yum
mirrorlist server:
One thing that's painfully obvious is that
the "Unique IP addresses"
method of counting the number of installations is woefully
under-counting the actual number of installs.
Looking at a single
day's worth of checkins (over 3 million), we see ~40k unique IP
addresses checking in twice a day, another 40k checking in between
4x/day and up to say 20x/day, and then a long tail, fairly evenly
distributed, where a small number of single IPs are checking in up to
2000x/day. It takes quite a bit of effort to cause yum to make that
many mirrorlist requests using a single machine and a single IP
address - but it's highly likely there are 1000-2000 machines behind a
NAT making those requests.
This just shows that we currently have no way to know, within even a
2-4x margin of error, how many current installs of Fedora there are.
But this number, and its growth (positive, or negative), would be
interesting to know, if only it were more accurate.
So, Domsch would like to see yum generate a unique user ID (UUID)
that it would transmit with queries to the mirrorlist server. This UUID
would be different from the one generated by the smolt hardware profiler to
eliminate the possibility of correlating the two sets of data.
Unlike smolt, which is opt-in, he would like the yum
changes to be an opt-out feature—one that is turned on by default.
While counts of UUIDs would be enough to allow counting Fedora users, it
wouldn't be enough for Domsch's application.
In order to derive the geographic information, IP addresses would also need
to be associated with the UUID. As Bruno Wolff III points out, that
information could be used to derive travel patterns. That might make it
less attractive for users, which in turn might mean that it is inappropriate
for a "default on" feature. Domsch is aware of the privacy concerns, but
doesn't necessarily think it is a showstopper for this feature:
Personally, I don't think this is a big problem. Maybe it is. If it
were, the entire industry which uses cookies exactly for such tracking
(and even more so) would have huge security, privacy, and other
lawsuit concerns which I just don't hear about. Whatever we do will
have to run past Legal.
As Luis Villa notes, however, the internet
advertising industry is probably not a good model to follow:
I'm not giving legal, or even moral, advice here, but aiming to be as
ethical as the internet advertising industry is a really, really low
bar. :)
I actually think collecting good usage data is really, really
important, and open source projects and their legal counsels would be
well-served to collaborate on defining best practices for this area.
And I think if we sat down and thought it through, we could come up
with best practices that would simultaneously let us gather a lot more
data than we currently gather, and do as good (or possibly even
better) by our users.
But, as Jeff Spaleta points out, exact
numbers for users may not be necessary for what Domsch is trying to
accomplish. Unless there is reason to believe that practices vary from
region to region enough to skew the results, using inexact data doesn't
make the map useless.
As long as the data is consistently either high or low, it doesn't
affect the relative
densities of users across the globe, which is how the user maps present the
data. Spaleta has done some analysis to try to
estimate how accurate the current method is, which came up with a 15%
under-count. Given that, "I'd be more
interested in standing up a correction factor with an error bar that
can be used in a statistically significant way to get from the numbers we
do have to an estimate of active userbase."
Measurements of users, especially those that come with some additional
information, can be an invaluable tool for projects. Those kinds of
metrics can help steer the project focus, provide feedback on changes in
direction, and help planning for expansion, among other things, as
a Fedora
web page describes. But there are legitimate privacy concerns that
need to be addressed.
Some kind of group effort to define best practices, as Villa described,
would be a great thing for distributions and other projects to collaborate
on. There is clearly a balance that needs to be struck, but if there is
more information that can be gathered in ways that are protective of users'
privacy, it would certainly be a boon for all. It's a matter of coming up
with privacy and data retention policies that clearly spell out what data
is collected, how it can be used, and, importantly, how it can't be
used.
Proprietary companies are
generally able to force fairly intrusive reporting on their users—who
often have no real recourse. Their privacy policies "protect" the data from
being distributed outside of the company, but typically the company itself
can use
it in various less-than-desirable ways. With luck and some hard work, it
would seem possible for free software to find the right balance. In the
end, though, free software users have the last word—if a solution is
too intrusive, it will be quickly, and widely, disabled.
New Releases
The Debian Edu/Skolelinux 5.0 release is out. "
This is first Debian
Edu release which has been merged with the highly
successful LinEx GNU/Linux based educational project from the region of
Extremadura in Spain. The most visible result being the GNOME desktop now
being supported in addition to KDE." Numerous other enhancements
have been made; see the announcement (click below) for details.
Full Story (comments: none)
The Fedora Unity Project has announced the release of new ISO Re-Spins of
Fedora 12. "
These Re-Spin ISOs are based on the officially released
Fedora 12 installation media and include all updates released as of
February 2nd, 2010."
Full Story (comments: none)
The
second alpha of
Mandriva Linux 2010.1 is available for testing. "
As this is an early pre-release, the major changes are mostly in the area of included third-party software."
MINIX 3.1.6 has been
released. This release
includes new drivers, VirtualPC Network Support, System Event Framework,
experimental APIC support, and more.
The openSUSE Build Service team released version 1.7 of the openSUSE Build
Service. "
The openSUSE Build Service allows developers to create
packages, software stacks or even a whole distribution as well as use and
integrate them with other open source components." Click below for
a list of key features in this release.
Full Story (comments: none)
The H online
reports on the availability of a pre-release version of Red Hat Enterprise Linux 5.5.
"
As well as bug fixes released since RHEL 5.4, at this stage of the RHEL life cycle the next incarnation of RHEL5 also includes extensive new functionality and numerous drivers for supporting newer hardware.
The Linux distributor has, for example, made various enhancements to KVM, now Red Hat's preferred virtualisation solution, introduced in RHEL 5.4. These allow more flexible allocation of the amount of memory available to guest systems at runtime and better pass through of PCI devices to guest systems. The new RHEL beta also includes support for a number of recently, or soon to be released, AMD, IBM and Intel processors and their associated chip-sets."
Distribution News
Debian GNU/Linux
The Debian release team reports that the March freeze is looking unlikely
due to a high number of release critical bugs. Click below for more
information.
Full Story (comments: none)
Fedora
The Fedora "no frozen Rawhide" scheme is
about
to go into operation. That means there will be two independent
development repositories in operation: one will be frozen for the
Fedora 13 release, while the other continues to offer the full Rawhide
experience with new and scary packages. Rawhide users will want to look at
their repository configurations to be sure they're tracking the version
they want.
There are also changes to library linking
going into Rawhide which could create minor problems for people building
packages. There is some concern about the timing of this change (right
before the F13 freeze), but the change is going forward regardless; more
information can be found on this
page.
Click below for a recap of the February 4, 2010 meeting of the Fedora
Advisory Board. Topics include regional localized spins, and Community
Q&A.
Full Story (comments: none)
The Fedora Project found a problem with a recent update to the dnssec-conf
package for Fedora 11 and 12. "
A new update is being prepared to
address this problem for Fedora 11 and 12 users, and will be pushed to our
mirrors as soon as possible. Users who are not running BIND nameservers
(named) on their Fedora 11 and 12 can safely disregard this notice."
Full Story (comments: none)
SUSE Linux and openSUSE
openSUSE is looking for information from its users about the distribution by way of a
survey, which runs through the end of February. The survey is meant to "
give feedback to the openSUSE
project about the distribution, the openSUSE tools environment and the project
in general. Let us know where things are in good shape and areas where
improvement is needed." Click below for the full announcement.
Full Story (comments: none)
The openSUSE project is cleaning up the German wiki and is asking for
volunteers to help with the process.
Full Story (comments: none)
Ubuntu family
Jono Bacon has
announced
an online learning event:
Ubuntu
Opportunistic Developer Week, happening online March 1 - 6, 2010. "
So, I am looking for volunteers. If you feel you could give a tutorial about a given Python module or associated technology (e.g. Glade, Launchpad, Bazaar etc), please drop me an email at jono AT ubuntu DOT com and I will liaise with you to get it scheduled. I am also looking for some showcase sessions: stories about how you put together an application, how it scratched your itch and what tools you used. Thanks to everyone who contributes to leading a session!"
Click below for the minutes of the February 9, 2010 meeting of the Ubuntu
Technical Board. Topics include a discussion about the approval process
for new MOTUs.
Full Story (comments: none)
The minutes from the February 2, 2010 meeting of the Ubuntu Developer
Membership Board are available. Topics include the future of the MOTU
team, and more.
Full Story (comments: none)
Distribution Newsletters
The
DistroWatch
Weekly for February 8, 2010 is out. "
On the occasion of the forthcoming release of PC-BSD 8.0, a major new update of the desktop-oriented FreeBSD system, DistroWatch talks to Kris Moore, the project's founder and lead developer. What is the relationship between FreeBSD and PC-BSD like? Which are the new features in version 8.0? What are the project's future plans? Read on to find out more. In the news section, we link to an interesting article investigating the history of FreeBSD and also to a guide whose goal is to get newcomers to Linux up and running with the latest release of Fedora. Further down in the news, the first issue of BSD magazine is now available for free download, Canonical's Jane Silber talks about the role of women in the world of open-source development, and Kongoni announces the end of its Slackware-based distribution. Finally, we are pleased to announce that the recipient of the DistroWatch.com January 2010 donation is Qimo 4 Kids, a charity project that develops a free Ubuntu-based distribution for children. Happy reading!"
The Fedora Weekly News for February 7, 2010 is out. "
In this week's issue, a few outage notices and notice of last week's Fedora Board IRC meeting kick us off. In the Fedora Planet beat, details on setting up an automatically imaged and administered computer lab with Fedora and CentOS, more Inkscape @ Boston middle schools, musings on the continuing need for password security, and details on The Open Source Way. In news from the Quality Assurance team, coverage of this past week's Test Day on the introduction of NFSv4 by default in Fedora 13, much detail on the QA weekly meeting activities, an update on the driver availability for Nouveau 3D, and details on the first Fedora 13 bug blocker review meeting. In news from the Translation/Localization team, a brief update on the Transifex 0.7 upgrade for translate.fedoraproject.org, and announcement of new members on the localization teams for Ukrainian, German, Brazilian Portuguese and Hungarian. The Security Advisories beat lists security patches for Fedora 11 and 12 last week, and our issue rounds out with tasty details from the KDE SIG, including KDE SC 4.4 hitting rawhide and kde-redhat/unstable repos last week, upcoming virtuoso changes in kde-redhat, and the availability of KDE SC 4.4rc2 live images available for testing. That rounds out FWN 212 -- read on!"
Full Story (comments: none)
This issue of the
openSUSE Weekly
News covers * Its here! openSUSE 11.3 Milestone 1, * Sirko Kemter:
First Art-Team meeting, * ars technica/Joe Brockmeier: Video editing in
Linux: a look at PiTiVi and Kdenlive, * Jeffrey Stedfast: Weird bugs due to
gcc 4.4 and strict aliasing, * KDE SC 4.4 RC3 Released, and more.
The Ubuntu Weekly Newsletter for February 6, 2010 is out. "
In this issue we cover: Open source industry veteran Matt Asay joins Canonical as COO, Lucid Translations now open, Ubuntu Developer Week Re-Cap, Ubuntu 8.04.4 LTS Maintenance release, Lucid Ubuntu Global Jam Announced, Project Awesome Opportunity, New Ubuntu Review Team: Reviewing bug with patches, Jane Silber Interview, Dustin Kirkland Interview: Encryption in Ubuntu, Nicaraguan LoCo Team's Third Anniversary, Report on Launchpad down-time of 4th Feb 2010, January Team Meeting Reports, and much, much more!"
Full Story (comments: none)
Newsletters and articles of interest
Brian Proffitt
lists
his choices for "best distribution" in seven categories. "
To
help users discover the Linux distribution that's best for them, this
resource will definitively list the best candidates for the various types
of Linux users to try. The use-case categories will be: * Best Desktop
Distribution * Best Laptop Distribution * Best Enterprise Desktop * Best
Enterprise Server * Best LiveCD * Best Security-Enhanced Distribution *
Best Multimedia Distribution".
Linux Magazine
takes a
look at Ubuntu-based distributions DEFT, Element, Jolicloud, moonOS and wattOS. "
It turns out, there are quite a number of simply fantastic distributions based on Ubuntu that you probably never even knew existed. Generally these are geared towards a specific niche, but that doesn't mean that they aren't useful - quite the contrary!"
Interviews
Joe Barker
interviews
Jono Bacon, the Ubuntu Community Manager. "
My primary involvement in Ubuntu at the beginning was getting to the know the community, contributing bug reports and feedback and co-writing The Official Ubuntu Book. At the time I was spending most of my spare time knee-deep in the GNOME project and working with local Linux communities in the West Midlands, and my interest in Ubuntu grew from there."
Distribution reviews
Linux Planet
reviews Linux Mint 8.
"
When last we looked at Linux Mint we gave it high marks on the user-friendly scale for administration and productivity applications. The latest release takes the distro to new heights of the same with a few new added touches to boot. Linux Mint 8 (Helena) is based on Ubuntu 9.10 and delivers all the basic capabilities you would expect in an Ubuntu distribution."
Linux Magazine has
a
review of KDE 4.4 on openSUSE 11.3. "
Finally, we have a distribution which has a universal feel, looks great from start to end, integrates seamlessly with every component. There's really only one word to describe this, "sleek." No other distro integrates GTK applications into KDE4 like openSUSE does out of the box. Of course, this is nothing new, openSUSE had already achieved this in their previous release. Thanks to the polish of KDE 4.4 however, this release is even better. Make no mistake, openSUSE is the benchmark for KDE distributions. Nothing else even comes close."
Web Host Industry Review
takes
a look at
CloudLinux.
"
The proprietary isolation technology provides a range of benefits
for shared hosts, including increasing the number of accounts per server,
as well as reducing hardware, electricity, data center space and management
costs. As for data centers, it provides customers with a well tested,
commercially supported and maintained OS, better security reduces churn and
the costs associated with security support issues, and drives extra revenue
via upsell to commercially supported distribution that was optimized for
Web."
Page editor: Rebecca Sobol
Development
It seems appropriate when talking about a calendaring application to note just how long it has been in development. In the case of the Mozilla Lightning extension for Thunderbird, it's taken more than five years to get from the announcement of the project
in late 2004
to a 1.0 beta. The Sunbird project has been in the works
even longer.
It's been a long, slow trip, but the projects seem to finally be making their way to the home stretch. Lightning 1.0 beta 1 was released
in mid-January
only 16 months after the 0.9 release. To be fair, the Lightning project has been trying to hit a moving target because it needs to support Thunderbird 3.0. Now that 3.0 is out and Lightning is nearly finished, we decided to take it for a spin to see how it's doing.
For this overview, we looked at Lightning 1.0 beta1 and Sunbird nightly build 1.0pre2. Lightning requires Thunderbird 3.0 or SeaMonkey 2.0 and Sunbird is a standalone application. For the most part, Lightning and Sunbird provide the same features, but Sunbird (obviously) doesn't integrate with an address book or send mails to confirm event invites. Some distros have released packaged versions of Sunbird, but users who want the most recent releases will probably want to get them directly from Mozilla.
Setting up a new calendar is very straightforward. Out of the box, they offer a default "home" calendar. Setting up a new local calendar is as simple as specifying the name of the calendar and choosing a color (if one wishes) for the calendar to be displayed in. The process is slightly more involved for remote calendars, but mostly because finding the URL that points to the remote calendar will usually take some digging.
Lightning and Sunbird support CalDAV, iCal, and the Sun Java System Calendar Server. We didn't have a Sun calendar system to test against, but did try out the iCal and CalDAV support for our remote calendars. Sunbird choked on a public iCal file containing U.S. holidays, but otherwise handled most of the iCal files we threw at it pretty well. When working with Google Calendar via CalDAV, it was possible to sync events but not tasks. A Provider for Google Calendar is also available, but it isn't compatible with the recent builds of Sunbird and Lightning.
Overall, the Lightning and Sunbird interfaces are pleasant and easy to navigate. Some groupware solutions are clunky and unpleasant to use, but Lightning and Sunbird have a nice layout and are mostly intuitive. They also have the advantage of being keyboard driven for many operations. Want to create a new task? Just use Ctrl-d. Want to create a new event? Use Ctrl-i. (Ctrl-e is already reserved in Thunderbird for edit message as new.)
Typically, one thinks of Web applications as the slower and less convenient cousins of desktop apps. However, while working with Lightning and Sunbird, we compared them with Google Calendar running in Firefox and Google Chrome. Clicking on the calendar in Google Calendar spawns a new event dialog almost immediately. Each time we started a new event in Lightning or Sunbird, there was a lag of a second or two before the event dialog popped up.
The Mozilla dialog is a bit more complete, but doesn't support a natural language event description, whereas Google Calendar can interpret "Beer on Friday at 8pm" and create an event automatically. The Mozilla calendars desperately need a "quick add" feature for tossing in an event. One can add tasks quickly, however, by just throwing in the task description in the Tasks text field.
Creating recurring events is easy enough, unless the event is sporadic. There's not a good way to create an event by just selecting days, or by specifying specific days of the week. So, for instance, if a user wants to add an event for going to the gym or a class on Monday, Wednesday, and Friday then it'll be necessary to create separate events on Monday, Wednesday, and Friday that repeat.
The interface also supports busy searching for attendees, but doesn't seem to offer much in the way of syncing with groupware that would provide the free/busy information needed for other users. It can suggest times that work for the local user, but doesn't give much information for others.
We also missed having the ability to display multiple time zones in the daily view. For users who work with remote teams in other time zones, it's extremely useful to be able to see at a glance the time difference between local time and UTC or another time zone where the home office is located. It is possible to specify the local time zone in the Lightning preferences, but we'd like to be able to see a second time zone in the daily display.
Overall, Lightning and Sunbird are competent apps with some room for improvement. Sunbird is pretty limited, since it doesn't integrate with email, address book, etc. That limits it quite a bit in terms of sending event invitations, since it doesn't know who your contacts are or have a method for actually sending invites. Users who need a calendar or task manager without coordinating with others should find it suitable, but it probably won't do for professionals who need to coordinate meetings and so on.
For Thunderbird users, Lightning is a serviceable calendar and task manager add-on. It doesn't have the same range of features that one finds in professional groupware suites like Outlook or GroupWise (which is twice as painful to use, but more full-featured nonetheless) but it's a good choice for individuals who don't need enterprise-level calendaring.
The Lightning and Sunbird projects are moving ahead, but not very quickly. The team recently announced that it would only support builds for Thunderbird 3.1 due to lack of developer resources. The team has also had problems keeping up with builds of Sunbird due to problems with all of the supported locales because the developers have been too busy with upcoming Thunderbird releases. To put it another way, the teams working on Lightning and Sunbird are stretched thin. While it doesn't seem likely the projects will go by the wayside entirely, it would be more comforting if they were not suffering from a lack of development resources.
One hopes that this will change once the 1.0 releases are out and the projects receive some additional attention. But it could be that with many users moving to services like Google Calendar, the demand for Lightning and Sunbird has passed.
Comments (6 posted)
System Applications
Audio Projects
Version 3.5t of Rockbox, a free music player operating system, has been announced. "Read up on the most [noticeable] changes in 3.5:
http://www.rockbox.org/wiki/ReleaseNotes35
And above all, enjoy!"
Full Story (comments: none)
Database Software
Version 5.0.3 of cx_Oracle has been announced; it includes new features and bug fixes. "cx_Oracle is a Python extension module that allows access to Oracle and
conforms to the Python database API 2.0 specifications with a few
exceptions."
Full Story (comments: none)
Version 2.5 rc2 of the Firebird DBMS has been announced. "The Firebird team is pleased to announce that kits for field-testing the second release candidate for Firebird 2.5 are now available. Both 32-bit and 64-bit kits are available for Linux, Windows and MacOSX/Darwin Intel platforms. Please test well and report any bugs directly to the firebird-devel list."
Comments (none posted)
Virtualization Software
virt-manager 0.8.3 and virtinst 0.500.2 have been announced. "virt-manager 0.8.3: virt-manager is a desktop application for managing
KVM and Xen virtual machines via libvirt.
virtinst 0.500.2: virtinst is a collection of command line tools for
provisioning libvirt virtual machines, including virt-install and
virt-clone."
Full Story (comments: none)
Web Site Development
Version 1.2 beta 1 of the Django web platform has been announced. "As part of the Django 1.2 release process, tonight we've released Django 1.2 beta 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.2. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.2, or if you'd like to pitch in and help us fix bugs before the final 1.2 release (due in April), feel free to grab a copy and give it a spin."
Comments (none posted)
Version 1.4.26 of lighttpd, a lightweight web server, has been announced. "There have been some important bug fixes (request parser handling for splitted header data, a fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection and an OOM/DoS vulnerability)".
Comments (none posted)
Miscellaneous
Version 0.6.5 of upstart, an event-based replacement for the /sbin/init daemon, has been announced. "Haven't quite followed the original release plan here, but I thought it
was important to get a new Upstart release out sooner rather than later
for the stable crowd. The main change here is that the libnih library
has been separated out into its own source tree (you can get it from
Launchpad), along with some merging of patches that had lived in the
Ubuntu branch of Upstart for a while back into the trunk."
Full Story (comments: none)
Desktop Applications
Accessibility
There are concerns in the GNOME accessibility development community about what the Oracle takeover of Sun means for the efforts led by Sun's Accessibility Project Office (APO). Orca project lead Willie Walker has been laid off and is looking for work, possibly in areas that will not allow him to continue contributing to Orca. In addition, assistive technology specialist Joanmarie Diggs has published an open letter to Oracle concerning the future of the APO and its work. "
Last week, Oracle laid off two more members of Sun's already-decimated APO. One of those let go happened to be both the Orca project lead and the GNOME Accessibility project lead, Willie Walker. I truly hope this was an oversight on Oracle's part, and one that will be rectified very soon. Because if it is not, and if no other company steps forward to continue this work, the accessibility of the GNOME desktop will become the open source equivalent of an unfunded mandate, doomed ultimately to fail."
Comments (19 posted)
Desktop Environments
The GNOME Journal has posted a new set of articles, including an interview with Jonathan Thomas (OpenShot video editor creator), a Banshee update, a summary of the 2009 Boston Summit, an overview of PiTiVi, and a look at writing multimedia applications with Vala.
Comments (17 posted)
The following new GNOME software has been announced this week:
- at-spi 1.29.90 (change of default and translation work)
- AT-SPI2 0.1.6 (bug fixes and code cleanup)
- Brasero 2.29.90 (bug fix and translation work)
- Clutter-Gst 1.0.0 (bug fixes and translation work)
- Eye of GNOME 2.29.90 (new features, bug fixes and translation work)
- Giggle 0.4.96 (bug fixes, code cleanup and translation work)
- GLib 2.23.3 (new features, bug fixes and translation work)
- Glom 1.13.3 (bug fixes and code cleanup)
- gnome-control-center 2.29.90 (bug fixes and translation work)
- gnome-keyring 2.29.90 (bug fixes and translation work)
- gnome-settings-daemon 2.29.90 (bug fixes, code cleanup and translation work)
- GNOME System Tools 2.29.90 (new features, bug fixes and translation work)
- GTK+ 2.19.5 (new features, bug fixes and translation work)
- libgweather 2.29.90 (translation work)
- Liboobs 2.29.90 (new features and bug fixes)
- mm-common 0.9.2 (new features)
- MonoDevelop 2.2.1 (new features and bug fixes)
- mousetweaks 2.29.90 (translation work)
- Orca 2.29.30 (new features, bug fixes and translation work)
- osm-gps-map 0.6.0 (new features)
- python-gudev 147.1 (new features)
- seahorse 2.29.90 (bug fixes, code cleanup and translation work)
- tracker 0.6.96 (new features, bug fixes and translation work)
- tracker 0.7.19 (new features, bug fixes and translation work)
- Vala 0.7.10 (new features and bug fixes)
- Vala Toys for gEdit 0.7.0 (new features and bug fixes)
You can find more new GNOME software releases at gnomefiles.org.
Comments (none posted)
The KDE project has announced the availability of the KDE Software
Compilation 4.4. "
Major new technologies have been introduced, including social networking and online collaboration features, a new netbook-oriented interface and infrastructural innovations such as the KAuth authentication framework. According to KDE's bug-tracking system, 7293 bugs have been fixed and 1433 new feature requests were implemented."
Full Story (comments: 84)
The following new KDE software has been announced this week:
You can find more new KDE software releases at kde-apps.org.
Comments (none posted)
The following new Xorg software has been announced this week:
More information can be found on the X.Org Foundation wiki.
Comments (none posted)
Electronics
Stable version 3.6.165 of XCircuit, an electronic circuit drawing program, has been announced. See the release notes for more information.
Comments (none posted)
GUI Packages
Version 2.2 of PyGUI, a cross-platform GUI toolkit with a highly Pythonic API, has been announced. "Highlights of this version:
- TextEditor component with tabs, scrolling and word wrap
- Classes for laying out components in rows, colum[n]s and grids
- Printing support".
Full Story (comments: none)
Imaging Applications
Ryan Paul takes a look at GIMP 2.8. "
The venerable GNU Image Manipulation Program (GIMP) is undergoing a significant transformation. The next major release, version 2.8, will introduce an improved user interface with an optional single-window mode. Although this update is still under heavy development, users can get an early look by compiling the latest source code of the development version from the GIMP's version control repository."
Comments (29 posted)
Interoperability
Version 1.1.38 of Wine has been announced. Changes include: "
- Better support for memory allocations debugging.
- Improved MIDI support.
- A wide range of Direct3D fixes.
- OLEDB fixes (should fix Clipart in Office).
- Improved debugger support on x86-64.
- Many MSI fixes.
- Various bug fixes."
Comments (none posted)
Mail Clients
The alpha 1 release of Thunderbird Lanikai has been announced. "Lanikai Alpha 1, an early version of our next release of Thunderbird,
is now available for download. Lanikai is built on top of the
Gecko 1.9.2 platform. While this alpha version is considered to be
stable, it is intended for developers and members of our testing
community to use for evaluation and feedback. Users of this latest alpha
version of Thunderbird should not expect all of their add-ons to work
properly with this milestone."
Full Story (comments: none)
Math Applications
Version 2.3.5 of PARI/GP has been announced; it includes bug fixes. "PARI/GP is a widely used computer algebra system designed for fast computations
in number theory (factorizations, algebraic number theory, elliptic curves...),
but also contains a large number of other useful functions to compute with
mathematical entities such as matrices, polynomials, power series, algebraic
numbers etc., and a lot of transcendental functions. PARI is also available as
a C library to allow for faster computations."
Full Story (comments: none)
Web Browsers
A new Mozilla developer preview is available. "A Mozilla Developer Preview of improvements in the Gecko layout
engine is now available for download. This is a pre-release version
of the Gecko 1.9.3 platform, which forms the core of rich Internet
applications such as Firefox. Please note that this release is
intended for developers and testers only. As always, we appreciate
any feedback you may have and encourage users to help us by filing
bugs."
Full Story (comments: none)
Miscellaneous
Version 1.4.12 of Roundup Issue Tracker has been announced. "I'm proud to release version 1.4.12 of Roundup which fixes a number of bugs.
This release includes fixes for some potential security holes."
Full Story (comments: none)
Languages and Tools
Caml
The February 9, 2010 edition of the Caml Weekly News
is out with new articles about the Caml language.
Full Story (comments: none)
Python
Version 2.7 alpha 3 of Python has been announced. "Python 2.7 is scheduled (by Guido and Python-dev) to be the last major version
in the 2.x series. Though more major releases have not been absolutely ruled
out, it's likely that the 2.7 release will have an extended period of maintenance for
the 2.x series.
2.7 includes many features that were first released in Python 3.1."
Full Story (comments: none)
Version 1.0.5 of execnet has been announced. "execnet is a small and stable pure-python library for working with local or
remote clusters of Python interpreters, with ease. It supports seamless
instantiation of and interaction with remote interpreters through the
'ssh' command line tool. It supports Python 2.4-3.1, Jython-2.5.1 and pypy-c.
The 1.0.5 release is a minor backward compatible release with these changes..."
Full Story (comments: none)
Version 0.12.0 of gevent, a coroutine-based Python networking library, has been announced. "The major new feature is a gevent.ssl module, that provides
cooperative implementation of the standard ssl module. It does not
require any additional extensions on Python >= 2.6. It also works on
2.4 and 2.5 if ssl package is installed."
Full Story (comments: none)
Version 0.14 of mpmath, a Python library for arbitrary-precision floating-point arithmetic, has been announced. "For a brief summary, the new features in 0.14 include support for using a
Cython-based backend soon to be added to Sage (giving a large speedup of
mpmath in Sage); support for 3D plotting; fast low-precision functions
(using Python's builtin float/complex types); an implementation of the
Riemann-Siegel expansion for the Riemann zeta function; many improvements to
evaluation of hypergeometric functions; miscellaneous new special functions;
matrix functions; and several bugfixes and optimizations."
Full Story (comments: none)
Version 0.14 of PyBindGen has been announced; it adds a number of new capabilities. "PyBindGen is a Python module that is geared to generating C/C++ code that
binds a C/C++ library for Python. It does so without extensive use of either
C++ templates or C pre-processor macros. It has modular handling of C/C++
types, and can be easily extended with Python plugins."
Full Story (comments: none)
The February 9, 2010 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: 1)
Tcl/Tk
The February 5, 2010 edition of the Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
Editors
Version 0.1 of Marave has been announced. "Marave is a text editor in the style of Ommwriter or DarkRoom: a full-screen minimalistic interface (most of the time: no interface at all).
It's multi-platform and based on PyQt, licensed under the GPL."
Full Story (comments: none)
Test Suites
Version 1.2.1 of pylib/py.test has been announced. "py.test is a mature, advanced automated testing tool working with
Python2, Python3 and Jython versions on all major operating
systems. It has a simple plugin architecture and can run many
existing common Python test suites without modification. It offers
some unique features not found in other testing tools. See
http://pytest.org for more info.
py.test 1.2.1 brings bug fixes and some new options and abilities triggered
by user feedback".
Full Story (comments: none)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Software Foundation has sent a petition to Steve Jobs regarding the iPad. "The Free Software Foundation's (FSF) Defective by Design campaign against Digital
Restrictions Management (DRM) delivered its "iPad is iBad for Freedom"
petition to Apple CEO Steve Jobs today, demanding that he drop DRM on
all Apple devices.
The petition was launched at <http://defectivebydesign.org/ipad> to
coincide with the iPad debut event in San Francisco. Within 24 hours,
over 5,000 people had signed the petition."
Full Story (comments: none)
Commercial announcements
Canonical has announced that its new chief operating officer will be Matt Asay. "'As more
companies and people are embracing Ubuntu for their day-to-day computing,
we felt it critical to bring in a person who knew not just open source, but
has a long experience in making Linux relevant to businesses and users
alike,' said Jane Silber, current COO and upcoming CEO, Canonical. 'We
think Matt brings to Canonical the perfect blend of industry, executive and
community savvy'"
Comments (37 posted)
Ksplice Uptrack (commercial software) is available with a 30 day free trial. "Wanted to make sure you were aware of the Ksplice Uptrack general
availability today -- eliminating the need to reboot Linux servers
once a month to apply security updates. The service is based on new
technology out of MIT that lets the Linux kernel be updated live,
without restarting or disrupting running applications. On the coolness
scale, this is like changing out a car's engine while speeding down
the highway."
Full Story (comments: 1)
Legal Announcements
The EFF has issued a media release concerning cell phone privacy. "The Electronic Frontier Foundation (EFF)
will be arguing this Thursday before the U.S. Court of
Appeals for the 3rd Circuit in Philadelphia, urging the
court to block a government attempt to seize telephone
company records detailing a cell phone user's past
locations without first getting a search warrant."
Full Story (comments: none)
The Register reports on changes to the UK government's open source policy. "The UK government has rejigged its open source and open standards software procurement policy, following pressure from OSS vendors last autumn.
Early last year the Cabinet Office revised its rules on public sector open source software purchases, but many OSS players complained that the policy amendments didn't go far enough.
Others grumbled that the government was failing to police its own rules."
(Thanks to Paul Sladen).
Comments (none posted)
New Books
Pragmatic Bookshelf has published the book Language Implementation Patterns by Terence Parr.
Full Story (comments: none)
Pragmatic Bookshelf has published the book Metaprogramming Ruby by Paolo Perrotta.
Full Story (comments: none)
Resources
The January, 2010 edition of the FSFE Newsletter is online
with the latest Free Software Foundation Europe news.
Topics include: "
1. Fellowship elections, introducing the candidates: Julia Klein and Björn Schießle
2. Ongoing website restructuring
3. Standards and patents at WIPO, Geneva, Switzerland, 25-29 Jan
4. Fellowship Jabber meeting: "What does it mean to be a candidate for the GA seat?", 06 Jan
5. December Fellowship grants.."
Full Story (comments: none)
Contests and Awards
Lantronix has announced a global design contest for its XPort Pro. "XPort Pro is the world's smallest Linux computer and provides a powerful engine for
deploying advanced applications at the network edge. The leading-edge architecture, 32-bit
processing power and ample memory allows resource-intensive applications to be deployed on a single
platform.
Lantronix will award prizes of $6,000 and $3,000 to the two top entries for Best Linux Design, and
a separate prize of $3,000 for the Best Student Linux Design. Entries must be submitted by August
6, 2010, and the winners will be announced at ESC Boston."
Full Story (comments: none)
The winners of the 2009 LinuxQuestions.org Members Choice awards have been announced. "The polls are closed and the results
for the 2009 LinuxQuestions.org Members Choice Awards are in.
Ubuntu, Debian, MySQL, Firefox, Wordpress, VirtualBox and Gnome are
among the winners."
Full Story (comments: none)
Education and Certification
The Linux Professional Institute has sent out a call For Community Input on its Job Task Analysis program. "The Linux Professional Institute
(LPI) issued a call for volunteers to assist in the development of its
world leading Linux certification program
(http://www.lpi.org).
Volunteers are sought for participation in a Job Task Analysis (JTA)
survey for the organization's new specialty exam LPI-304 (High
Availability and Virtualization)."
Full Story (comments: none)
Novell and LPI have announced a training partnership. "Novell Inc.
and The Linux Professional Institute (LPI) today announced an
international partnership to standardize their entry-level Linux
certification programs on LPIC-1. Under this program, Linux
professionals who have earned their LPIC-1 status will also satisfy the
requirements for the Novell® Certified Linux Administrator (CLA)
certification. In addition, Novell Training Services has formally agreed
to include required LPIC-1 learning objectives in its CLA course
training material."
Full Story (comments: none)
Calls for Presentations
A call for proposals has gone out for ACM CCS 2010; submissions are due by February 15. "Proposals are solicited for workshops to be held in conjunction with
ACM CCS 2010. Each workshop provides a forum to address a specific
topic at the forefront of security research.
A workshop must be one full day in length."
Full Story (comments: none)
A call for participation has gone out for LinuxCon 2010; the submission deadline is March 31. "LinuxCon 2010 August 10-12, 2010
Renaissance Boston Waterfront Boston, MA.
After its inaugural year, LinuxCon has emerged as the premiere annual
conference for Linux developers, IT administrators and executives in
North America. The event brings together technical and business
leadership for unmatched opportunities to collaborate and learn about
all matters Linux."
Full Story (comments: none)
James Bottomley has announced this year's Linux Storage and Filesystems Summit, which will be held just prior to LinuxCon in Boston on August 8 and 9. It will be held in conjunction with the Virtual Memory (VM) summit, so there will be three tracks (storage, filesystems, VM) as well as joint meetings for all participants. Proposals for discussion topics and requests for invitations are being solicited; click below for the full announcement. "
Presentations are allowed to guide discussion, but are strongly
discouraged. There will be no recording or audio bridge, however
written minutes will be published as in previous years."
Full Story (comments: none)
A call for papers has gone out for XDS 2010; it will take place on September 16-18 in Toulouse, France. "If you would like to present a talk on on-going work on X development,
or presenting innovative uses of the X.Org technology, please submit
your proposal on the wiki <http://www.x.org/wiki/Events/XDS2010/Program>,
under 'Ideas', before July 31st."
Full Story (comments: none)
Upcoming Events
DebConf10 registration is now open. "Registration is now open for DebConf10! DebConf10 will take place in New York
City, USA from Sunday August 1st through Saturday Aug 7th, 2010, with arrivals
at our group lodging permitted as of 3 PM on July 31 and departures required by
11 AM on August 8. The conference is preceded by DebCamp from July 25-31
including the arrival day"
Full Story (comments: none)
PyCon 2010 will be held in Atlanta, GA on February 17-25. "Python 3 will zoom forward at PyCon 2010 with the incorporation of Unladen Swallow, a
performance-boosting branch of Python initiated by engineers from Google. First made public at
PyCon 2009, Unladen Swallow is already accelerating Python applications at several companies. Now
the Unladen Swallow team plans to merge their code into Python 3's codebase, promising big speed
improvements to Python 3 and a major new incentive for Python programmers to adopt the
next-generation version of the Python language."
Full Story (comments: none)
The Southern California Linux Expo has posted a call for lightning talks. "LOS ANGELES - Attendees at the Southern California Linux Expo (SCALE) will be able to go "UpSCALE"
on Friday, Feb. 19, as the expo provides a series of lightning talks that evening.
Based on the O'Reilly Media "Ignite" talks which have occurred at OSCON, the UpSCALE talk is a
presentation in which participants are given five minutes to talk on a subject, accompanied by 20
slides which are displayed for 15 seconds each."
Full Story (comments: none)
Registration is now open for the first ever Texas Linux Fest. It will be held at the Monarch Event Center in Austin on Saturday April 10. There will also be evening social events on Friday and Saturday. "
Exhibit space is filling up quickly, but if your company, organization, or open source project would like to reserve a booth, you can do so by visiting www.texaslinuxfest.org/sponsorship. There is still time for interested parties to submit a talk for consideration before the February 15 deadline." Click below for the full announcement.
Full Story (comments: 1)
For those attending the Southern California Linux Expo (SCALE) there are
some events that might be of interest. Ubuntu will hold a UbuCon and Fedora
will hold a Fedora Activity Day (FAD) both on February 19, 2010. There
will also be a keysigning party on February 20.
Full Story (comments: none)
Events: February 18, 2010 to April 19, 2010
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| February 15 - February 18 | ARES 2010 Conference | Krakow, Poland |
| February 17 - February 25 | PyCon 2010 | Atlanta, GA, USA |
| February 19 - February 20 | GNUnify | Pune, India |
| February 19 - February 21 | SCALE 8x - 2010 Southern California Linux Expo | Los Angeles, USA |
| February 20 - February 21 | FOSSTER '10 | Amritapuri, India |
| February 22 - February 24 | O'Reilly Tools of Change for Publishing | New York, NY, USA |
| February 27 - February 28 | The Debian/GNOME bug weekend | Online, Internet |
| March 1 - March 5 | Global Ignite week | Online, Online |
| March 2 - March 4 | djangoski | Whistler, Canada |
| March 2 - March 5 | FOSSGIS 2010 | Osnabrück, Germany |
| March 2 - March 6 | CeBIT Open Source | Hannover, Germany |
| March 5 - March 6 | Open Source Days 2010 | Copenhagen, Denmark |
| March 7 - March 10 | Bossa Conference 2010 | Recife, Brazil |
| March 13 - March 19 | DebCamp in Thailand | Khon Kaen, Thailand |
| March 15 - March 18 | Cloud Connect 2010 | Santa Clara, CA, USA |
| March 16 - March 18 | Salon Linux 2010 | Paris, France |
| March 17 - March 18 | Commons, Users, Service Providers | Hannover, Germany |
| March 19 - March 20 | Flourish 2010 Open Source Conference | Chicago, IL, USA |
| March 19 - March 21 | Panama MiniDebConf 2010 | Panama City, Panama |
| March 19 - March 21 | Libre Planet 2010 | Cambridge, MA, USA |
| March 22 | OpenClinica Global Conference 2010 | Bethesda, MD, USA |
| March 22 - March 26 | CanSecWest Vancouver 2010 | Vancouver, BC, Canada |
| March 23 - March 25 | UKUUG Spring 2010 Conference | Manchester, UK |
| March 25 - March 28 | PostgreSQL Conference East 2010 | Philadelphia, PA, USA |
| March 26 - March 28 | Ubuntu Global Jam | Online, World |
| March 30 - April 1 | Where 2.0 Conference | San Jose, CA, USA |
| April 9 - April 11 | Spanish DebConf | Coruña, Spain |
| April 10 | Texas Linux Fest | Austin, TX, USA |
| April 12 - April 14 | Embedded Linux Conference | San Francisco, CA, USA |
| April 12 - April 15 | MySQL Conference & Expo 2010 | Santa Clara, CA, USA |
| April 14 - April 16 | Linux Foundation Collaboration Summit | San Francisco, USA |
| April 14 - April 16 | Lustre User Group 2010 | Aptos, California, USA |
| April 16 | Drizzle Developer Day | Santa Clara, CA, United States |
| April 16 - April 17 | R/Finance 2010 Conference - 2nd Annual | Chicago, IL, US |
If your event does not appear here, please tell us about it.
Mailing Lists
The GNOME mailing sysadmin contact lists are being reorganized. "The following has been discontinued:
support@gnome.org, helpdesk@gnome.org, etc
Uses Request Tracker 3 on the background. Receives loads of spam and
non-sysadmin related requests (distribution problems, jhbuild, etc)."
Click below for the new contact info.
Full Story (comments: none)
Audio and Video programs
The Linux Foundation has announced the 2010 edition of the "We're Linux" video contest. "
The contest is calling all community members and amateur filmmakers to share with the public what a 30-60 second Linux-focused spot for the Super Bowl might look like. This theme is not a requirement for entry; however, videos that can demonstrate the benefits of Linux to the general public are likely to receive more community votes. The submissions should aim to inspire people to use Linux, create conversations among the public, and convey the power and ideals of Linux."
Comments (none posted)
Miscellaneous
ComputerWorld reports on the outcome of the charity auction at linux.conf.au. "
A $12,750 donation from Linux Australia on the night brought the total funds raised for the air rescue service to more than $33,000. [...] 'Free open source software is founded on generosity and these supporters have certainly taken that value to heart,' Life Flight Trust CEO David Irving said in a statement. 'The funds raised will enable 13 people to receive emergency flights, which is a great outcome for the community.'"
Comments (3 posted)
Page editor: Forrest Cook