LWN.net Weekly Edition for July 17, 2003 [LWN.net]

RFCs - insufficiently free?

Debian bug 92810 has the distinction of being one of the oldest release-critical bugs in the entire distribution. It was first reported on April 3, 2001, and has been the subject of occasional debate for over two years. Its resolution at the end of June, 2003 has left few people happy. Bug 92810, it seems, embodies an issue which remains unresolved in the free software community: how documentation should be licensed.

The issue at hand is how the Internet Society Request For Comments (RFC) documents are licensed. The RFCs are the core of the design of the Internet; they are the standards the describe the protocols, formats, algorithms, and conventions that make the net work. There are RFCs covering everything from the basic network protocols (i.e. for IP and TCP), email headers (RFC 2822) and HTML (RFC 1866) to netiquette (RFC 1855), avian datagram protocols (RFC 1149), and the Y10K problem (RFC 2550). Without the RFC series, the standards-based, interoperable Internet would not exist.

For anybody implementing or otherwise working with a network protocol, the relevant RFCs are required reading. So it is not surprising that a project like Debian would package up the RFC collection and include it with its distribution. The doc-rfc package is useful for Debian developers and its presence would not be questioned, except for a bit of a licensing problem. RFCs, it turns out, are required to carry a specific copyright notice (as specified in RFC 2223) which includes the following text:

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

This license, of course, does not allow the free creation of derived versions of the RFCs except in certain circumstances. That restriction violates the Debian Free Software Guidelines (DFSG). Most distributors would not be overly concerned about this problem; the license does allow them to distribute the RFC collection, after all. But the Debian Project takes its social contract seriously, and that contract requires that the distribution be "100% free software." Since the RFCs do not meet the DFSG (though there is not a complete consensus on that point), they have been evicted from the Debian distribution. Debian users wanting to install the doc-rfc package will have to look for it in the non-free area.

To many, Debian's uncompromising stance on licensing seems like a pedantic exercise carried out by people with nothing better to do with their time. But Debian is serving an important role in the community by serving as its conscience and early warning system. As recent events have shown, licensing is important. Every set of bits comes with its own copyright and its own restrictions. Failure to pay attention to those restrictions can lead to unwanted contact with lawyers, and is best avoided. Debian's high sensitivity to licensing problems brings those problems out into the open before somebody gets burned, and often leads to licensing changes which make the problems go away. Even when nothing changes, the Debian process points out where the open issues are.

The open issue in this case is that there is still no consensus on what free licensing means when applied to documentation. As a general rule, those who write text tend to want to maintain more control over their works than those to write code. Consider, for example, the Free Software Foundation's Free Documentation License, which includes a vast number of restrictions on modification and redistribution. (Debian, incidentally, is the group that has done the most to point out the non-free aspects of the FDL).

The Internet Society wants to retain enough control so that copies of a particular standard (and that's what the RFCs are) reflect the standard. A modified version of an RFC no longer reflects the standard, so such modifications are not allowed. The motivation is understandable and reasonable, but there is an important question which must be kept in mind. What happens if, sometime in the future, the Internet Society is coopted over to the Dark Side and starts moving the network standards in a proprietary or repressive direction? With the current licensing, there is no right to fork the RFCs and attempt to maintain a free, interoperable net. The RFC collection, thus, is truly not free. This result is almost certainly not what the Internet Society had in mind when it adopted its copyright notice, but that is the way it has turned out.

Five years or so ago, new software releases often were accompanied by new, one-off licenses that, as often as not, turned out to not be free. In more recent times, a relatively small set of well-known licenses has been adopted by most developers. Documentation, however, remains in the "roll your own license" stage. With luck, this area, too, will soon evolve toward a reasonable set of truly free licenses which reflect the needs and interests of writers.

Comments (26 posted)

Graphics programs for Linux

[This article was contributed by Joe 'Zonker' Brockmeier]

With the 1.0 release of Scribus this week, we thought we'd take a look at the state of open source graphics applications. There's a wide variety of these applications, and they are rapidly maturing, though maybe not quite as quickly as some might like. The most popular, and most mature in terms of features and polish, open source graphics application is The GNU Image Manipulation Program, better known as the GIMP. For those who are unfamiliar with the GIMP, it's very similar to Adobe Photoshop in nature, and offers much of the functionality of Photoshop though it still lacks some features that make Photoshop attractive to folks working with high-quality print publications. The GIMP has been around for quite some time, but the open source community has lacked a full-featured desktop publishing (DTP) programs like QuarkXPress, Adobe InDesign or PageMaker, Adobe Illustrator and CorelDraw.

The 1.0 release of Scribus may help fill that gap. While it still needs some work, Scribus is similar to Adobe InDesign and QuarkXPress. Unlike Quark or InDesign, though, Scribus is available under the GNU GPL and runs on Linux. I've tried Scribus on and off for some time now, and it definitely shows promise. After downloading the 1.0 release, I was impressed by how far Scribus has come in a fairly short time. It offers all the features you'd need to produce a decent company newsletter or flyer, allows you to prepare a document for printing or convert to PDF for electronic publishing. Scribus saves documents in an XML-type format, and can export projects to PDF, Encapsulated PostScript (EPS) and/or Scalable Vector Graphics (SVG) format.

There are a few glitches; some of the tools don't act quite as you might expect, and there are a few features that you'd definitely want in desktop publishing application that aren't in Scribus just yet. For example, the "text chain" feature doesn't seem to work predictably, and it doesn't seem possible to create a text box with multiple columns for text. But, a few shortcomings aside, Scribus is definitely a boon for folks who want to see Linux succeed on the desktop. While it may not be perfect, it should be good enough to attract a strong audience that will help to see it move forward in much the same way the GIMP has over the years.

Sodipodi is vector-based drawing application that looks very promising. Sodipodi is similar to Adobe Illustrator or CorelDraw, though it's not quite in the same league as those applications just yet. Judging by the images in the Sodipodi gallery, however, it has plenty to offer. Right now, Sodipodi is at the 0.32 release. It has quite a few features, and it's very usable, but it still needs to mature a bit before it's ready for "prime time." For example, Sodipodi only saves in the SVG format, and exports to PNG. It doesn't handle EPS or PDF right now, though EPS is on the tasks list. However, it has a full enough feature set, and is stable enough, that it can be used to create some really nice graphics.

Another GPL'ed Illustrator-like application that's been coming along nicely is Sketch. Sketch is also at a very usable stage, though it, too, has a ways to go before it will give Illustrator a run for its money. Like Sodipodi and Scribus, Sketch seems to be maturing at a fairly steady pace. Sketch is implemented mostly in Python, and is very stable. Sketch does write to EPS and Adobe Illustrator format, and reads XFig files, Adobe Illustrator files, Corel CMX, SVG and its own format, though it lacks support for TrueType fonts which may be a drawback for some users.

If you're interested in older graphics apps for Linux, there's Xfig. Xfig has quite a few features, though it doesn't seem to be under active development and it isn't the most user-friendly application.

OpenOffice.org's Draw is a suitable replacement for applications like Microsoft Publisher. It doesn't do all the fancy text-wrangling and so-forth that you'll find in Sodipodi or Scribus, but it's a nice and simple application for folks who want to create a office flyer, flowcharts and similar projects. Dia is another good application for producing diagrams for print or electronic publishing.

If your tastes are a little more simple, there are a few apps that are aimed at less complex projects. KPaint is a straightforward application that can be used to create very simple graphics, much like the Microsoft Windows Paint program. For those looking for programs for small kids, Tux Paint is a kid-oriented drawing program with a simple interface, sound effects and a restricted file interface that prevents users from accessing the host filesystem. As much as professional-quality graphics apps are necessary for Linux to succeed on the desktop, the low-end graphics apps need to be there as well. After all, who would want to deny their five-year-old the ability to mouse around and create pictures to e-mail to grandma?

The good news is that Linux graphics applications are starting to mature to the point that they're suitable for a fair range of uses. They're certainly good enough for home use, creating Web graphics and low-end DTP. The bad news is that open source graphics apps still need some work before they'll be ready to replace programs like QuarkXPress or Adobe Illustrator. Given enough attention, though, open source graphics applications could start finding their way into professional publishing houses within a few years.

Comments (20 posted)

SCO insider trading watch

Things have been relatively quiet on the SCO front recently; one gets the sense that, perhaps, the company's lawyers were finally able to convince management that a bit of discretion might be helpful. Silence does not mean that nothing is going on, however. Among other things, SCO's executives continue to slowly cash in their stock to take advantage of its current, inflated price. Here's the latest insider trading roundup:

Who	Role	Shares	Income	Filings
Opinder Bawa	VP Global Services	22,916	$142,200	1
Robert Bench	CFO	25,100	$174,100	1, 2, 3
Reginald Charles Broughton	VP International Sales	15,000	$161,600	1, 2, 3
Jeff Hunsaker	VP Worldwide Marketing	10,000	$103,500	1, 2
Michael Olson	VP Finance	14,000	$135,900	1, 2
Michael Sean Wilson	VP Corporate Development	6000	$64,800	1

That's a total of 93,000 shares sold since the suit was filed, for a net of $782,000. This sum is a small down payment on the bonanza that SCO hopes to eventually enjoy as a result of its actions. The big payoff may remain in the future, but one could understand if even the most confident SCO executive feels the need to collect a little now, on the off chance that things fail to go as planned.

It's worth noting that Opinder Bawa has quietly left the company, shortly after selling all shares in his possession.

Finally, it has emerged that - as many had speculated - the "mystery licensee" is none other than Sun Microsystems. The Unix license purchased by Sun came with a nice bonus: an option to buy 210,000 shares of SCO stock for $1.83 per share. Neither company has yet made any statements about why things were done this way. Most software license agreements do not include stock options, after all. A high level of paranoia is not yet called for, but it is natural to wonder just what Sun is up to here.

Comments (5 posted)

Conference season

The Ottawa Linux Symposium will be held July 23 to 26 in the Ottawa Conference Center. As always, OLS looks to be a strong, technical conference with a special emphasis on kernel development. Once again, LWN editor Jonathan Corbet will be there; be sure to get up early (10:00 AM) on Wednesday to catch his talk on driver porting.

OLS will be preceeded by a two-day kernel developers' summit, same as last year. The draft agenda includes a number of VM topics, "killing off devfs," power management, SCSI, asynchronous I/O, and numerous other topics. Once again, stay tuned to LWN for information from the meeting.

The LinuxWorld Conference and Expo takes place August 4 to 7 in San Francisco. LWN hasn't made it to LinuxWorld for a little bit, so we are pleased to note that Rebecca Sobol will be there this time around. It will be nice to be back.

LWN.net Weekly Edition for July 17, 2003

apache: multiple vulnerabilities in Apache HTTP server

Mozilla: heap-based buffer overflow in Mozilla-based browsers

mpg123 - buffer overflow

nfs-utils xlog() off-by-one bug

phpgroupware - cross-site scripting and other exploits

traceroute-nanog: integer overflow

ucd-snmp - heap overflow

bind buffer overflow vulnerability in DNS resolver libraries

Canna server: exploitable buffer overrun

CUPS: vulnerability in the CUPS IPP implementation

ethereal: security problems in Ethereal 0.9.12

Filename disclosure vulnerability in fam

fetchmail: buffer overflow

glibc: DNS stub resolvers contain buffer overflow vulnerability

gnupg: key validation

gtkhtml: malformed messages cause crash

gtksee: buffer overflow

imagemagick: insecure temporary file

kernel 2.4 - two new vulnerabilities

kernel-utils: setuid vulnerability

libpng, libpng3: buffer overflow

lynx: CRLF injection vulnerability

perl-MailTools: remote command execution

mikmod: buffer overflow

Nessus NASL scripting engine security issues

nethack: buffer overflow

net-snmp: denial of service vulnerability

openssh: timing attack leads to information disclosure

pam_xauth: root exploit

PHP: vulnerability in mail function

PHP: Cross site scripting vulnerability

PostgreSQL - more buffer overflows

Local arbitrary code execution vulnerability in Python

radiusd-cistron: possible remote system compromise

Multiple-use vulnerability in Safe.pm

semi: insecure temporary file

File overwrite vulnerability in tar and unzip

tcptraceroute: problems dropping root privileges

teapop: SQL injection

Multiple vendor telnetd vulnerability

unzip: directory traversal vulnerability

vim - modeline vulnerability

vixie-cron: Local vulnerability

webmin: session ID spoofing

wget:directory traversal bug

Wwwoffle remote privilege escalation vulnerability

xbl: buffer overflows

xinetd: Memory leak in xinetd 2.3.10

Xpdf - command execution vulnerability

ypserv: denial of service