
LWN.net Weekly Edition for July 24, 2003

The new Red Hat Linux

It's official: the Red Hat Linux product is no more. The changes announced by the company can be found discussed, in detail, on the Red Hat Linux Project page. In summary, the changes that have been announced are:

  • The Red Hat Linux product will no longer be available as a box on store shelves. Not even in virtual stores. The various Red Hat enterprise products remain, but the low-end distribution as a commercial product from Red Hat is done.

  • Development of Red Hat Linux will continue, but the company is trying to move the development of the distribution into a more community-oriented mode. The internal development mailing lists will be opened up, and there will eventually be a way for external maintainers to contribute fixes and packages.

  • Red Hat Linux will become more volatile. There will be a six-month release cycle, with no real distinction between major and minor releases. Red Hat will stop backporting security fixes to the version of the relevant package shipped with the distribution release; instead, applying a security fix will mean upgrading to the latest version of the affected program. Red Hat will also work harder at pushing fixes back "upstream," rather than carrying patches themselves.

There are a few implications of this change for Red Hat Linux users. Essentially, if you use Red Hat Linux, you will have to pay more. Either you pay more cash by moving up to the enterprise offerings, or you pay more in effort by finding bugs in the distribution, and, if you can, helping to fix them. A Red Hat Linux box has traditionally been a great bargain: a relatively small amount of money for a stable, well-engineered distribution containing millions of dollars worth of software. Red Hat Linux will remain a good deal, but the terms of the bargain are changing a bit.

For high-clue users who would like to be a part of the distribution development process, the changes will certainly be a good thing. Red Hat has traditionally been developed in a relatively closed mode. Every now and then a new release would show up, but the process by which the development came together was distant and opaque. This distance is one of the reasons why many hackers have preferred more community-oriented distributions, such as Debian, Mandrake, or, more recently, Gentoo. Red Hat clearly hopes to tap into the development community by opening things up in this way. If things go well, the result could well be a better, more quickly evolving distribution.

Other users will have to think about whether they want to download and manage new releases themselves, buy a boxed copy from some other retailer (the number of such products is certain to increase), or switch to a different distribution. All three are good options, including the last one. One of the great benefits of using Linux is that you can switch to a different vendor if you don't like where your current vendor is going.

This change is a big step for Red Hat; the company did, after all, get its start by selling boxed Linux distributions at retail. As Linux and the market have evolved, it has become clear that the retail channel is not where the real money is to be made. Red Hat, being a public company needing to bring in serious revenue, is focusing on the markets that, it hopes, will keep it going. So retail sales are out. But Red Hat cannot afford to lose its base distribution and the many people who help test it. Thus the Red Hat Linux Project. With luck, Red Hat can have it both ways: serious revenue from the enterprise market while building a larger development community.

Comments (19 posted)

SCO's new offensive

[This article was contributed by Joe 'Zonker' Brockmeier]

As expected, SCO trotted out a new licensing program today that would give Linux users a license from SCO to what SCO claims is their intellectual property in the Linux kernel from 2.4 on. SCO also announced that they had received copyrights for the Unix System V source code.

I sat in on the teleconference that SCO held to announce the new licensing program. McBride did most of the talking during the call, with David Boies adding just a few comments and clarifications, and answering a few questions that were directly addressed to him. I tried to get in the queue to ask a few questions about the impact of the GPL on their plans to offer a license relating to the Linux kernel, but I was not called on. Don Marti, of Linux Journal, did get a question in about whether SCO would offer any additional evidence to substantiate their claims, but it was mostly ducked by McBride, though he did affirm that they were not talking about code coming from BSD.

During the call, McBride claimed that "hundreds" of files related to SMP, NUMA and read-copy update (RCU) were infringing on SCO IP either directly or indirectly. According to McBride, if the Linux community were to remove the offending code there would be "little non-infringing code" left in the areas that SCO is claiming rights to. Essentially, SCO seems to be claiming ownership of most of the advancements in scalability, whether they are directly taken from SCO's codebase or not. Also, McBride noted that some of the code that they claim infringes on their IP was not contributed by IBM, though he did not specify which vendor(s) he believed to be responsible.

Other than announcing the new plan and the copyright registration, very little information was forthcoming. Essentially, they intend to offer a license of some kind that would indemnify companies from possible suits for copyright violations. Pricing was not disclosed, though McBride hinted that it would be equitable or similar to UnixWare 7.1.3 licensing. It will also likely be a per-server, per-CPU situation.

Though SCO did not disclose all of the license terms today, it doesn't seem possible that the company would be able to abide by the terms of the GPL while charging for licenses to run their IP in conjunction with Linux. Even if SCO actually legitimately holds claim over code that's being used in the kernel, the voluntary act of licensing that code should require SCO to allow distribution of the same code under the GPL. According to Section 2b of the GNU GPL:

You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

And, if that weren't enough, Section 4 enjoins anyone from sublicensing programs under the GPL:

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

Even "hundreds of files" would still be considered a derivative of the Linux kernel -- the majority of which is still uncontestedly free and clear of SCO's IP. If you take the folks from SCO at their word, and assume that they really do own claim to these "hundreds of files," they're ultimately useless without the remainder of the Linux kernel -- which is still under the GPL.

And it's far from clear that SCO has legitimate claim over any code being used in the Linux kernel. Unfortunately, but not surprisingly, SCO did not directly address the issue of how they could license code that's already been distributed as part of the Linux kernel as a separate component that would not fall under the terms of the GNU General Public License.

McBride also made a point of emphasizing that the SCO license would be for "binary format." Which is puzzling, since SCO does not seem to be offering to distribute any kind of new code or new kernel -- simply a license that would give SCO's blessing to using code already available in the Linux kernel. McBride made the point several times that SCO would not be offering source code licenses.

While SCO's antics have most of the Linux community seeing red, someone out there is responding well. SCO's share price has jumped more than a dollar today, and looks likely to close above $13 for the first time in a year.

On the IBM front, Boies was asked whether there were any new developments in SCO's case against IBM. Boies said that he had "nothing to add" and that "as a litigator, I assume cases are going to court resolution." Boies also noted that a lack of resolution in the IBM case will not stop SCO from going forward with other plans based on claiming IP infringement in Linux.

In a nutshell, SCO is formalizing a plan to try to charge companies for the privilege of using Linux or sue them for not doing so. Whether companies will be willing to do so remains to be seen. If they do so, it will basically be on SCO's say-so that they own the rights that they are trying to sell.

Comments (50 posted)

The end of the road revisited

It has now been one year since we posted, in the July 25, 2002 Weekly Edition, the notice that LWN.net was to be shut down as a result of its financial problems. The staff had been working without salaries for months, and nothing we had tried seemed to work. It was a hard thing to face, but the only option we seemed to have was to pull the plug. As we said:

This has not been an easy decision to make, to say the least. But, barring some sort of last minute miracle (do contact us if you have one, please!), we do not see any alternative.

What happened then, of course, can only be described as a last-minute miracle. LWN readers started making donations at levels we had never seen before, and we decided to rethink things one more time. What we came up with is the subscription scheme which has supported LWN over the last year.

It is hard not to feel good about how far LWN has come. It is paying its bills (as long as we keep the bills small), and we are answerable directly to our readers. We have managed to make a number of improvements to our content and to the site; traffic is at an all-time high. In some ways, LWN looks more healthy than it has ever been. Certainly, we are glad that LWN did not shut down after all.

That said, it is important to note that the problem is still not completely solved. Salaries remain low, and money for things like travel to trade shows (important in this line of work) remains scarce. We also very much need to bring in one more editor to fill out the content and make it possible for the rest of us to take an occasional vacation. That editor remains a distant dream for now, however.

What we need to do, of course, is bring in more subscriptions. Recent changes have helped in that regard; the number of subscribers has been going up after a few months of little change. We are working at actively promoting the site - for the first time in its history - as a way of bringing in more readers. We'll get there. Meanwhile, we are glad to still be here. Many thanks to all of LWN's readers; your support for us over the last five and a half years has been amazing. Miraculous, even.

Comments (19 posted)

Page editor: Jonathan Corbet

Security

Brief items

Honeytokens

A "honeypot" is a digital system whose purpose is to attract and identify illegal activity. Traditionally, honeypots are sacrificial computers placed on a network. The honeypot system serves no useful purpose; no legitimate user will have any reason to access it. As a result, any accesses which actually happen are likely to be somebody attempting something nasty. The honeypot can thus serve as a sort of early warning system, as well as a laboratory in which cracker techniques can be studied in real time.

A new paper by Lance Spitzner points out that the honeypot concept can be applied in other contexts. One such application is "honeytokens," a bit of information which should never be accessed. An example might be login information placed in a message in a senior manager's mail spool; anybody attempting to actually log in using that information is almost guaranteed to be an attacker. A properly set up system could initiate a trace and catch the attacker before he gets into something truly useful.

This idea is not particularly new; direct (physical) mail companies have long embedded special addresses in their lists to track the use of those lists, for example. The security community has not, until now, made much use of this technique, however. Properly used, honeytokens could become a valuable part of intrusion detection and other security-related systems. Stolen information may not bite, but it may yet manage to strike back at thieves anyway.
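The detection side of the honeytoken idea described above, as an added example that is not part of the original article or of Spitzner's paper: a planted account name is never issued to a real user, so any authentication attempt that names it is an alert by definition, whether the attempt succeeded or failed. The account names, the sshd log lines and the source addresses are all constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Honeytoken account names (constructed for this example). They are planted,
# for instance in a message in a mail spool, and never issued to a real user,
# so any authentication attempt naming one is an alert, success or failure alike.
HONEYTOKEN_USERS = frozenset({"svc-backup-legacy", "finance-admin"})

# sshd writes "Accepted <method> for <user> from <addr> port <n>" and
# "Failed <method> for [invalid user ]<user> from <addr> port <n>".
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class HoneytokenAlert:
    user: str
    src: str
    result: str   # "Accepted" or "Failed"
    line: str     # the raw log line, kept for the incident record


def scan_auth_log(lines, honeytokens=HONEYTOKEN_USERS):
    """Return one alert per authentication attempt that names a honeytoken."""
    alerts = []
    for line in lines:
        m = SSHD_AUTH.search(line)
        if m is None:
            continue  # not an sshd authentication record
        if m.group("user") in honeytokens:
            alerts.append(HoneytokenAlert(m.group("user"), m.group("src"),
                                          m.group("result"), line.rstrip()))
    return alerts


def sources_to_trace(alerts):
    """Count alerts per source address, most active first: these are the
    addresses a responder would trace or block before anything else."""
    return Counter(a.src for a in alerts).most_common()


# Constructed sample log: one legitimate login, two failed attempts with a
# planted account from one address, one successful use of another planted
# account from the same address, and an unrelated cron line.
SAMPLE_LOG = [
    "Jul 24 10:01:02 mailhost sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 50322 ssh2",
    "Jul 24 10:03:40 mailhost sshd[4150]: Failed password for invalid user svc-backup-legacy from 198.51.100.23 port 41002 ssh2",
    "Jul 24 10:03:44 mailhost sshd[4150]: Failed password for svc-backup-legacy from 198.51.100.23 port 41002 ssh2",
    "Jul 24 10:05:10 mailhost sshd[4188]: Accepted password for finance-admin from 198.51.100.23 port 41310 ssh2",
    "Jul 24 10:06:00 mailhost cron[4200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG)
    for a in found:
        print(f"HONEYTOKEN {a.result:8s} user={a.user} src={a.src}")
    print("trace first:", sources_to_trace(found))
```

Note that a failed attempt is as significant as a successful one here: the only way anyone learns the planted name is by reading the bait, so the first failure already tells you the mail spool has been read.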

Comments (7 posted)

New vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 24, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:October 1, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.
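The flaw described above, shown beside the check that closes it, as an added example that is not fdclone's own code (fdclone is a C program; this is a Python illustration of the pattern). `workspace_like_fdclone` reuses whatever already exists at the expected path; `secure_workspace` creates the directory with mode 0700 and, if it already exists, accepts it only when lstat shows a real directory owned by the calling user with no group or other access bits. `fresh_workspace` shows the better alternative of a random name. The function names and the scenarios in `run_scenarios` are constructed for this example.

```python
import os
import stat
import tempfile


class UnsafeWorkspace(Exception):
    """Raised when a pre-existing workspace directory cannot be trusted."""


def workspace_like_fdclone(path):
    # The pattern the advisory describes: if something is already at the
    # path, use it, whoever owns it and whatever its permissions are.
    # os.path.isdir() follows symlinks, so a planted link is accepted too.
    if not os.path.isdir(path):
        os.mkdir(path)
    return path


def secure_workspace(path):
    """Create or accept a fixed-name workspace directory only if it is ours.

    mkdir with mode 0700 creates it atomically when absent. If it already
    exists, lstat (not stat, so a symlink is not followed) must show a real
    directory, owned by the calling user, with no group/other access bits.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeWorkspace(f"{path}: exists but is not a directory (symlink?)")
    if st.st_uid != os.getuid():
        raise UnsafeWorkspace(f"{path}: owned by uid {st.st_uid}, not uid {os.getuid()}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeWorkspace(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} lets others in")
    return path


def fresh_workspace(parent=None):
    """Preferred form: a random-name directory created with mode 0700, so
    there is nothing for an attacker to pre-create at a known name."""
    return tempfile.mkdtemp(prefix="fdclone-", dir=parent)


def run_scenarios():
    """Exercise both variants against constructed /tmp-style conditions."""
    root = tempfile.mkdtemp(prefix="ws-demo-")
    results = {}

    # 1. Nothing at the path yet: secure_workspace creates it.
    absent = os.path.join(root, "absent")
    secure_workspace(absent)
    results["absent"] = "created" if stat.S_ISDIR(os.lstat(absent).st_mode) else "missing"

    # 2. Pre-existing directory open to group/others (chmod defeats the umask
    #    so the scenario is deterministic).
    open_dir = os.path.join(root, "open")
    os.mkdir(open_dir, 0o777)
    os.chmod(open_dir, 0o777)
    try:
        secure_workspace(open_dir)
        results["world_writable"] = "accepted"
    except UnsafeWorkspace:
        results["world_writable"] = "rejected"
    results["unsafe_accepts_world_writable"] = workspace_like_fdclone(open_dir) == open_dir

    # 3. Symlink planted at the expected name, pointing somewhere else.
    elsewhere = os.path.join(root, "elsewhere")
    os.mkdir(elsewhere, 0o700)
    link = os.path.join(root, "link")
    os.symlink(elsewhere, link)
    try:
        secure_workspace(link)
        results["symlink"] = "accepted"
    except UnsafeWorkspace:
        results["symlink"] = "rejected"
    results["unsafe_accepts_symlink"] = workspace_like_fdclone(link) == link

    # 4. Random-name directory: created 0700 regardless of what else is in root.
    fresh = fresh_workspace(root)
    results["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The ownership and permission checks matter only because the name is fixed; once the name is unpredictable and the directory is created by the program itself, as `fresh_workspace` does, there is no pre-existing directory for an attacker to supply.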

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

gnupg: gpg setgid

Package(s):gnupg CVE #(s):
Created:July 21, 2003 Updated:July 23, 2003
Description: gpg needs to be setuid to make use of protected memory space; however, the setgid bit allowed the gpg user to overwrite files owned by the group root.
Alerts:
Gentoo 200307-06 2003-07-19

Comments (none posted)

Updated vulnerabilities

apache: multiple vulnerabilities in Apache HTTP server

Package(s):apache CVE #(s):CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created:July 11, 2003 Updated:September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause a temporary denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • A denial of service occurred when the target host is IPv6 but the FTP proxy server cannot create an IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Red Hat RHSA-2003:243-01 2003-09-22
Red Hat RHSA-2003:240-01 2003-09-04
Mandrake MDKSA-2003:075-1 2003-08-28
Mandrake MDKSA-2003:075 2003-07-21
Conectiva CLA-2003:698 2003-07-21
Trustix 2003-0025 2003-07-11

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information or cause a denial of service. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

CUPS: vulnerability in the CUPS IPP implementation

Package(s):cups CVE #(s):CAN-2003-0195
Created:May 27, 2003 Updated:July 22, 2003
Description: Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Conectiva CLA-2003:702 2003-07-22
Gentoo 200306-09 2003-06-14
Debian DSA-317-1 2003-06-11
SuSE SuSE-SA:2003:028 2003-06-06
Yellow Dog YDU-20030602-3 2003-06-02
Mandrake MDKSA-2003:062 2003-05-29
Slackware ssa:2003-149-01 2003-05-29
Red Hat RHSA-2003:171-01 2003-05-27

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 16, 2003 Updated:November 18, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

kernel 2.4 - two new vulnerabilities

Package(s):kernel CVE #(s):CAN-2003-0244 CAN-2003-0246
Created:May 14, 2003 Updated:July 25, 2003
Description: The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
  • The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.

  • The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.

Alerts:
Mandrake MDKSA-2003:066-2 2003-07-25
Conectiva CLA-2003:701 2003-07-22
Mandrake MDKSA-2003:066-1 2003-07-21
Mandrake MDKSA-2003:074 2003-07-15
Slackware SSA:2003-168-01 2003-06-17
Mandrake MDKSA-2003:066 2003-06-11
Debian DSA-312-1 2003-06-09
Debian DSA-311-1 2003-06-08
Red Hat RHSA-2003:187-01 2003-06-03
Red Hat RHSA-2003:145-01 2003-05-27
EnGarde ESA-20030515-017 2003-05-15
Red Hat RHSA-2003:172-00 2003-05-14

Comments (2 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove ARP entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.
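The check a script that hands URLs to a fetcher would want, as an added example that is not lynx's own code: any ASCII control character or bare space inside the URL can end the request line early and let what follows be read as a header field, so the URL is rejected before a request line is ever built from it. The function names are constructed for this example; the check runs before `urlsplit` because recent Python versions silently strip tab, CR and LF during parsing, which would hide exactly the characters being looked for.

```python
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    """The URL contains bytes that could alter the HTTP request it is placed in."""


def validate_fetch_url(url):
    """Return (host, request_target) for a URL that is safe to place in an
    HTTP request line.

    Control characters (CR, LF, NUL, ...) and bare spaces are rejected
    outright: the only legitimate way to carry them in a URL is
    percent-encoded (e.g. %0D%0A), which passes through untouched.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == " " for c in url):
        raise UnsafeURL("control character or space in URL")
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise UnsafeURL("expected an absolute http:// URL with a host")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    return host, target


def build_request(url):
    """Build the HTTP/1.1 request the fetcher would send; the Host header is
    what selects the virtual host, which is why injected headers matter."""
    host, target = validate_fetch_url(url)
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


if __name__ == "__main__":
    print(build_request("http://example.org/files/readme.txt"))
    try:
        build_request("http://example.org/x\r\nX-Injected: 1")
    except UnsafeURL as e:
        print("rejected:", e)
```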

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

Mozilla: heap-based buffer overflow in Mozilla-based browsers

Package(s):Mozilla CVE #(s):CAN-2002-1308
Created:July 15, 2003 Updated:July 21, 2003
Description: A heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL referencing a malformed .jar file, which overflows a buffer during decompression.

This has been fixed in Mozilla 1.0.2.

Alerts:
Red Hat RHSA-2003:162-02 2003-07-21
Red Hat RHSA-2003:162-01 2003-07-15

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Gentoo 200309-17 2003-09-30
Mandrake MDKSA-2003:078 2003-07-23
Conectiva CLA-2003:695 2003-07-15

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux nfs-utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exist in the PHP mail() function. The first allows the execution of any program or script, bypassing the safe_mode restriction; the second may turn a script into an open relay if the mail() function is not used carefully in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

PHP: Cross site scripting vulnerability

Package(s):PHP CVE #(s):CAN-2003-0442
Created:July 2, 2003 Updated:August 13, 2003
Description: In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Mandrake MDKSA-2003:082-1 2003-08-12
Mandrake MDKSA-2003:082 2003-08-04
Yellow Dog YDU-20030710-2 2003-07-10
Debian DSA-351-1 2003-07-16
Conectiva CLA-2003:691 2003-07-08
OpenPKG OpenPKG-SA-2003.032 2003-07-07
Red Hat RHSA-2003:204-01 2003-07-02

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:October 1, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corporation report for more information.

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: use Perl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:October 1, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

Alerts:
Gentoo 200308-02 2003-08-14
Yellow Dog YDU-20030723-2 2003-07-23
Red Hat RHSA-2003:234-01 2003-07-23
Debian DSA-339-1 2003-07-06

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

teapop: SQL injection

Package(s):teapop CVE #(s):CAN-2003-0515
Created:July 9, 2003 Updated:October 1, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated.

Alerts:
Gentoo 200309-18 2003-09-30
Debian DSA-347-1 2003-07-08

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

traceroute-nanog: integer overflow

Package(s):traceroute-nanog CVE #(s):CAN-2003-0453
Created:July 16, 2003 Updated:July 16, 2003
Description: There is an integer overflow vulnerability in traceroute-nanog (an enhanced version of traceroute) which may be exploited to execute arbitrary code.
Alerts:
Debian DSA-348-1 2003-07-11

Comments (none posted)

ucd-snmp - heap overflow

Package(s):ucd-snmp CVE #(s):
Created:July 16, 2003 Updated:July 16, 2003
Description: The snmpnetstat tool (part of the ucd-snmp package) contains a heap overflow vulnerability which, when confronted with a hostile server, can be exploited to run arbitrary code.
Alerts:
Conectiva CLA-2003:696 2003-07-15

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
SCO Group CSSA-2003-031.0 2003-11-07
Debian DSA-344-2 2003-08-26
Slackware SSA:2003-237-01 2003-08-25
Mandrake MDKSA-2003:073-1 2003-08-19
Conectiva CLA-2003:724 2003-08-18
Red Hat RHSA-2003:199-02 2003-08-15
Yellow Dog YDU-20030710-1 2003-07-10
Gentoo 200307-02 2003-07-11
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Debian DSA-344-1 2003-07-08
Mandrake MDKSA-2003:073 2003-07-07
Conectiva CLA-2003:672 2003-07-02
Immunix IMNX-2003-7+-017-01 2003-07-02
Red Hat RHSA-2003:199-01 2003-07-01

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

vixie-cron: Local vulnerability

Package(s):vixie-cron CVE #(s):CVE-2001-0559
Created:April 17, 2003 Updated:October 3, 2003
Description: From the ISS advisory: "Vixie Cron is a scheduling daemon that ships with several Linux distributions. Vixie Cron version 3.0pl1 could allow a local attacker to gain root privileges. Crontab fails to properly drop privileges in certain cases after a crontab modification operation. A local attacker could exploit this vulnerability to gain root privileges on the system since crontab is installed setuid root."

Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.

Alerts:
Conectiva CLA-2003:758 2003-10-03
Conectiva CLA-2003:757 2003-10-03
Conectiva CLA-2003:628 2003-04-17

Comments (none posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
SCO Group CSSA-2003-035.0 2003-11-17
Debian DSA-319-1 2003-06-12

Comments (none posted)

wget: directory traversal bug

Package(s):wget CVE #(s):CAN-2002-1344
Created:December 10, 2002 Updated:October 1, 2003
Description: Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious FTP server to create or overwrite files anywhere on the local file system.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.
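The check described above for wget's NLST handling, together with the tar "../" and unzip non-printable-character entries earlier on this page, comes down to one rule: validate the exact name that will reach the filesystem. The following is an added example (not code from wget, unzip or tar) that rejects names beginning with '/' or containing a '..' component, generalised to a '..' component anywhere in the name, and contrasts unzip 5.50's check-then-filter order with a filter-then-check order. The destination directory, the control-character model of "non-printable" and the sample listing are constructed assumptions.

```python
"""Defensive name validation for file names received from an untrusted
source: an FTP server's NLST reply (wget) or an archive's member table
(tar, unzip). Added example, not code from wget, unzip or tar."""

import posixpath
import re
from typing import List, Optional, Tuple

# The unzip entry speaks of "invalid (non-printable) characters" that the
# extractor filtered out. Modelling them as ASCII control characters is an
# assumption of this example.
_NONPRINTABLE = re.compile(r"[\x00-\x1f\x7f]")

# Hypothetical destination directory used for the join-and-compare check.
DEST_DIR = "/srv/extract"


def strip_nonprintable(name: str) -> str:
    """Drop control characters, as the vulnerable unzip did before use."""
    return _NONPRINTABLE.sub("", name)


def traversal_risk(name: str) -> Optional[str]:
    """Return why `name` could escape the destination directory, or None."""
    if not name:
        return "empty name"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    # Belt and braces: join to the destination and confirm the result stays
    # inside it after normalisation.
    joined = posixpath.normpath(posixpath.join(DEST_DIR, name))
    if posixpath.commonpath([DEST_DIR, joined]) != DEST_DIR:
        return "escapes destination after normalisation"
    return None


def unzip_550_style_check(name: str) -> Optional[str]:
    """Vulnerable order (the CAN-2003-0282 pattern): validate, then filter.

    A name such as ".\\x01./x" passes validation because ".\\x01." is not
    "..", yet the filter then turns it into "../x", which is extracted.
    """
    if traversal_risk(name) is not None:
        return None
    return strip_nonprintable(name)


def hardened_check(name: str) -> Optional[str]:
    """Validate the exact string that will reach the filesystem."""
    cleaned = strip_nonprintable(name)
    if cleaned != name:
        return None  # control characters have no legitimate use in a name
    if traversal_risk(cleaned) is not None:
        return None
    return cleaned


def filter_nlst_listing(entries: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split an NLST reply into safe names and (name, reason) rejections.

    RFC 959 section 4.1.3 says NLST returns file names; any entry that
    carries directory information pointing outside the destination is
    treated as hostile.
    """
    accepted, rejected = [], []
    for entry in entries:
        reason = traversal_risk(entry)
        if reason is None:
            accepted.append(entry)
        else:
            rejected.append((entry, reason))
    return accepted, rejected


# Constructed sample listing, not captured from any real server.
NLST_SAMPLE = [
    "index.html",
    "docs/guide.txt",
    "/root/.rhosts",        # absolute path
    "../.forward",          # parent reference
    "pub/../../.shosts",    # traversal hidden behind a real directory
]

if __name__ == "__main__":
    ok, bad = filter_nlst_listing(NLST_SAMPLE)
    print("accepted:", ok)
    for entry, why in bad:
        print(f"rejected {entry!r}: {why}")
    print("unzip 5.50 order:", unzip_550_style_check(".\x01./etc/passwd"))
    print("hardened order:  ", hardened_check(".\x01./etc/passwd"))
```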

Alerts:
Immunix IMNX-2003-7+-011-01 2003-06-03
OpenPKG OpenPKG-SA-2003.007 2003-01-23
SCO Group CSSA-2003-003.0 2003-01-16
Gentoo 200212-7 2002-12-20
Trustix 2002-0089 2002-12-19
Conectiva CLA-2002:552 2002-12-13
Debian DSA-209-1 2002-12-12
Mandrake MDKSA-2002:086 2002-12-11
Red Hat RHSA-2002:229-10 2002-12-04

Comments (none posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

Comments (none posted)

xinetd: Memory leak in xinetd 2.3.10

Package(s):xinetd CVE #(s):CAN-2003-0211
Created:May 13, 2003 Updated:November 13, 2003
Description: Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers.

Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable.

In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations.

All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues.

Alerts:
Conectiva CLA-2003:782 2003-11-12
Yellow Dog YDU-20030602-1 2003-06-02
Gentoo 200305-08 2003-05-19
Mandrake MDKSA-2003:056 2003-05-14
Red Hat RHSA-2003:160-01 2003-05-13

Comments (none posted)

Xpdf - command execution vulnerability

Package(s):Xpdf CVE #(s):CAN-2003-0434
Created:June 18, 2003 Updated:July 24, 2003
Description: Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
Alerts:
Mandrake MDKSA-2003:071-1 2003-07-23
Yellow Dog YDU-20030723-1 2003-07-23
Red Hat RHSA-2003:196-02 2003-07-17
Conectiva CLA-2003:674 2003-07-04
Mandrake MDKSA-2003:071 2003-06-27
Gentoo 200306-11 2003-06-25
Yellow Dog YDU-20030620-1 2003-06-20
Red Hat RHSA-2003:196-01 2003-06-18

Comments (none posted)

Resources

Linux Security Week

The LinuxSecurity.com Linux Security Week for July 21, 2003 is available.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.6.0-test1; Linus has been busy and has released no new development kernels over the last week.

Linus has put a few things into his BitKeeper tree, including some ACPI fixes, an ia-64 update, a PPC32 update, a number of USB tweaks, a new local_t for cpu-local atomic variables, and various other fixes and updates.

The current stable kernel is 2.4.21. The current 2.4.22 prepatch is 2.4.22-pre7, released by Marcelo on July 18; it includes a Super-H architecture merge, some I/O scheduler work, and various fixes and updates. Marcelo promises the first release candidate within a couple of weeks.

Comments (none posted)

Kernel development news

A slow week for the kernel page

Things have been relatively slow in the kernel development world due to the fact that many kernel hackers are on the road to attend the kernel summit and OLS. Your editor is also on the road, so this week's Kernel Page will be small. For those who haven't yet seen it, our 2003 Kernel Summit coverage will, hopefully, provide a sufficient kernel news fix for the week. This page will return to its regular size next week.

Comments (none posted)

Patches and updates

Kernel trees

Core kernel code

Device drivers

Documentation

Filesystems and block I/O

Memory management

Networking

Architecture-specific

Security-related

Miscellaneous

  • Philippe Gerum: Adeos m3. (July 19, 2003)

Page editor: Jonathan Corbet

Distributions

News and Editorials

A Look at Arch Linux

[This article was contributed by Ladislav Bodnar]

Arch Linux is one of those quiet and little-known distributions, rarely figuring in the headlines of major Linux news publications. This does not mean that its developers are not hard at work - in fact, the continuously evolving changelog and the release of Arch Linux 0.5 earlier this week are proof that the distribution is alive and well. Let's take a brief look at the project's history and its latest release.

Arch Linux (not to be confused with Ark Linux, which is a distribution for novice Linux users currently in early development) is a Linux distribution originally based on ideas from CRUX and optimized for the i686 architecture. Its development was initiated by Canadian programmer and musician Judd Vinet in 2001, and the first product, Arch Linux 0.1, code name "Homer", was released in March 2002. New developers have been joining the project at regular intervals and a small team is now responsible for the ongoing development and product releases. Arch Linux is a free distribution released under the GPL.

Unlike the CRUX distribution, which achieves its goal of being fast and light-weight by excluding KDE and GNOME, the two resource-hungry desktop environments, the Arch Linux developers leave this decision up to each individual user. This philosophy becomes immediately apparent during the product deployment. While the installation program provides helpful hints and useful guidelines within all configuration files, it does not attempt any hardware auto-detection and knowledge of the names of required kernel modules is essential.

The installation is a straightforward 6-step process consisting of hard disk partitioning (ext3 and ReiserFS are the only two supported journaled file systems), package selection, package installation, kernel installation (which offers a selection of pre-compiled kernels or the opportunity to compile a custom kernel), system configuration and bootloader installation. The system configuration is divided into several sub-steps, which allow direct editing of configuration files, interspersed with helpful comments. This is where the user can configure networking, decide which modules to load at startup and choose between lilo and grub as the preferred bootloader. The text-mode installation program is logical and easy to follow.

All Linux distributions are basically collections of free software, plus some in-house enhancements, so what differentiates Arch Linux from the rest? The main feature of Arch Linux is its GPL-ed package manager, called "pacman". Its man page tells us that pacman is a package management utility that tracks installed packages on a Linux system. It has simple dependency support and the ability to connect to a remote FTP server and automatically upgrade packages on the local system. Similarly to Debian's apt-get, pacman is capable of installing or upgrading a package and resolving all of its dependencies with a single command.

As an example, pacman -Syu synchronizes the local package database with the one on a central repository, while pacman -S <packagename> downloads and installs <packagename> and all its dependencies. Another useful command is pacman -Su, which upgrades all packages that have newer versions available. Besides installing and removing packages, pacman has many other useful features, including the ability to search packages, display information about them, list individual files within a given package, a download only option, an option to clean the download cache and other features. Pacman's configuration is stored in a configuration file located in /etc/pacman.conf.

Packages for Arch Linux are maintained in a central repository (and its mirrors), which has two branches - stable and current. As the names indicate, the stable branch contains release quality, well-tested packages, while the current branch is a highly up-to-date repository for those users who prefer to install the latest, but potentially less stable software. There is also an unofficial repository of user contributed packages, which brings the overall total number of available packages to around 1,000.

This is of course a far cry from the number of packages one finds in any Debian or Gentoo branch, so what options do you have if your preferred software has not yet made it to the official repository? Besides compiling your own package manually, Arch Linux also provides a so-called "Arch Build System" or ABS for short, which is capable of building an Arch package from source or rebuilding an existing binary package with specific customizations. This is done with a makepkg command and the relatively simple script-based process is covered in detail in its man page. The main advantage of this approach, at least in the majority of cases, is that the script needs to be built once and all subsequent version upgrades are a simple matter of running the makepkg command against the source code of a new package version.

Those who have used Arch Linux before might be interested to know that, besides package version updates, Arch Linux 0.5 has a number of new features. Among the more interesting ones are MD5 password and PAM support, the availability of two pre-compiled kernels for IDE and SCSI hard drives, LVM support in initscripts and improvements in the installer, especially the package selection and package installation screens. The option to compile a custom kernel and introduction of grub as the default bootloader are also new in this release.

Arch Linux is an interesting Linux distribution for tinkerers and developers. Its small and friendly community, highly up-to-date software repository and superior package management are its biggest draw cards. The project provides the usual range of support services, including user forums, mailing lists, and an IRC channel, together with documentation in English, German and French, FAQs and third-party collections of various tips and tricks. A CVS repository and a bug tracker are also available to developers.

Next time you find yourself in the mood to install a new distribution, give Arch Linux a try. It will provide you with a fast and lean system, while leaving control of all of its aspects firmly in your hands.

Comments (4 posted)

A new Red Hat beta and distribution changes

Red Hat has announced a new beta release (called "SEVERN"); click below for the details. Perhaps more of interest, however, is the new way in which Red Hat Linux will be managed. The retail box releases of Red Hat Linux will no longer exist; instead, the distribution will exist as "the Red Hat Linux Project" on the net. There will be an effort to increase the level of outside participation in the development of Red Hat Linux. This distribution will not have much in the way of support offerings, but Red Hat will be issuing security updates. More information can be found on the Red Hat Linux Project page.

Full Story (comments: 7)

Distribution News

Debian GNU/Linux

The Debian Weekly News for July 22, 2003 is out. This week there is a look at the 2.6 kernel; LinuxTag; ServerBeach Debian GNU/Linux Servers; and much more.

Debian Planet looks at Aptitude for package management. "I'm continually amazed by aptitude, a wonderful and worthy replacement for the venerable dselect. With all of the "installing Debian" articles out there, it's amazing we don't see aptitude mentioned more often. If more of those writers knew about it, perhaps they would complain less about boot-floppies."

Branden Robinson writes "db.debian.org is down because samosa.debian.org died. A replacement is being prepared, but it might take a few days."

Comments (none posted)

Gentoo Weekly Newsletter -- Volume 2, Issue 29

The Gentoo Weekly Newsletter for the week of July 21, 2003 is out. This week looks at the upcoming release of Gentoo Linux 1.4.

Full Story (comments: none)

MontaVista Linux

MontaVista Software has announced that MontaVista Linux Professional Edition 3.0 (Pro) will support Motorola's MPC5200 embedded processor.

Full Story (comments: none)

The Essence of OpenBSD (O'ReillyNet)

Here's an O'ReillyNet interview with several core OpenBSD developers. "deraadt [Theo De Raadt]: Well, the history of when I started OpenBSD might be well-known by most. Early on, the first team members were people who were unhappy with NetBSD. In particular, quite a few Swedish people joined ... about a year later a security focus started in the project, as some people from a Calgary company called Secure Networks started helping, and then ... after that I have kind of lost track, since it has been almost eight years...."

Comments (none posted)

Slackware Linux

Things have been fairly quiet at Slackware Linux. A small flurry of activity happened on July 17, the distribution's 10th birthday (covered last week), including upgrades to the Gimp, Slacktrack and distcc. Also, clisp is back. See the changelog for the details.

Comments (none posted)

Trustix Secure Linux

Trustix has new upstream versions of cyrus-sasl and cyrus-imapd available. Some users reported problems getting these packages to cooperate with each other and with mysql. These new upstream versions should fix the issue.

Full Story (comments: none)

Yellow Dog Linux

Terra Soft Solutions has released updated redhat-config-printer packages for YDL 3.0 that fix a number of bugs.

Full Story (comments: none)

Minor distribution updates

Arch Linux

Arch Linux has released v0.5 with major feature enhancements. "Changes: MD5 password support, PAM support, and a new drop-in /etc/conf.d daemon config area have been added. There are two stock kernels now (ide and scsi), and there is LVM support in the initscripts. The installer has also been improved: it has the option to build a kernel from source, better package selection, grub support (now default), and a better package install screen. A ton of package updates were also made."

Comments (none posted)

BG-Rescue Linux

BG-Rescue Linux has released v0.4 with minor feature enhancements. "Changes: This version adds devfsd 1.3.25 and with it, support for devfs."

Comments (none posted)

Familiar

The Familiar distribution has released v0.7 with major feature enhancements. "Changes: The kernel has been updated, ipaq h3900 added, GPE updated to 2.0, OPIE updated to 0.99, many bugs fixed, and the installer improved."

Comments (none posted)

LinuxInstall.org

LinuxInstall.org has released v1.4 with major feature enhancements. "Changes: In this version, Mozilla 1.4 RPM packages have been recompiled to make sure they are fully compatible with existing plugins. The QuickTime movies can now be played in Mozilla with help from MPlayer. There are Evolution 1.4.3 RPM packages, OpenOffice.org 1.1RC RPM packages, Scribus 1.0 RPM packages, and the USBMount script has been added to the GNOME panel to mount USB keys/thumb/floppy drives with one single click."

Comments (none posted)

PXES Linux Thin Client

PXES Linux Thin Client has released v0.6-1 with major feature enhancements. "Changes: In this version, the kernel was upgraded to 2.4.20-5pxes including devfs support. The DHCP client was changed to udhcpc with more recognized options. Remote management has been greatly improved. Options to remote manage the thin clients include a telnet server, Web management interface, and session shadowing. ICA Client 7.00 is now supported as are LTSP Sessions. Rdesktop was upgraded to 1.2.0. NBD server configuration is included for local devices sharing."

Comments (none posted)

MoviX

MoviX has released MoviX2 0.3.0 with minor bugfixes. "Changes: Since no big problem was reported for 0.3.0rc2 in the past 3 weeks, the final stable 0.3.0 was released after a few minor bugfixes."

Comments (none posted)

Rock Linux

Rock Linux has released v2.0.0-beta7 with minor bugfixes. "Changes: Many package build errors got fixed and many packages updated. ROCK Linux now includes the first version of scripts/Emerge-Pkg to build and download a package, including its dependencies, into the system."

Desktop Rock v2.0.0-beta7 is also out. "Changes: This release added many package security fixes and updates, including Linux 2.4.21+ACPI and 2.6.0-test1, and the latest XFree86, Mozilla, and GNOME. Some new packages were included for Bluetooth, Sony laptops, MIPS adaptations, the Epiphany browser, Galeon 2, along with many more. Some bugs with Memtest86 with gcc3, non-x86 architectures, and ROCK Plug were fixed. A new scripts/Emerge-Pkg tool was included to build a package including its dependencies on a running system."

Comments (none posted)

Salvare

Salvare has released v0.1.1 with minor feature enhancements. "Changes: NFS can now be mounted. ncftp is included, and there are two new commands, "telnetd" and "sshd", to start the respective remote access servers. There are also minor bugfixes."

Comments (none posted)

Slackware Live CD

Slackware Live CD has released v2.9.0.20 with major bugfixes. "Changes: This version fixes a problem with booting on some systems."

Comments (none posted)

stresslinux

stresslinux has released v0.2.1 with major feature enhancements. "Changes: Temperature of SCSI disks is now displayed on TTY11. The hard disk benchmark bonnie++ and the hardware lister lshw were added to the distribution. A package with sample PXE configuration files is now also available. Various other minor changes and fixes were made."

Comments (none posted)

Zool Linux

Zool Linux has released v4. Zool4 supports better networking, has newer utilities, a more user-friendly environment, and more file system utilities. This version is based on kernel 2.4.21.

Comments (none posted)

Distribution reviews

SuSE 8.2: More Desktop Progress (OfB.biz)

Open for Business begins the 2003 Penguin Shootout with a look at SuSE Linux 8.2. "In all, SuSE 8.2 doesn't bring a lot to the table that SuSE 8.1 users don't already enjoy, but it does continue to polish the distribution into something serious desktop users will find comfortable and well designed. While earlier in its history, SuSE's distributions often suffered from a lack of refinement, this is certainly not the case any longer."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Samba 3.0.0 Beta 3

The Beta 3 release of the open-source, Microsoft-compatible file and printer server software Samba, has been announced.

While we are significantly closer to the final release, you should be reminded that this is a non-production release provided for testing only. If all goes well, we will move onto a series of Release Candidate (RC) snapshots next.
[Samba]

The What's New document for this release has a quick summary of the changes: "There have been significant additions to winbindd's functionality in this release as well as changes to Samba's SID<->UNIX id mapping features."

A more detailed list of changes includes:

  • Active Directory support with LDAP/Kerberos authentication.
  • Unicode support and support for multi-byte character sets.
  • A rewritten, more configurable authentication system.
  • A new filename mangling system.
  • A new "net" command that is similar to the Windows equivalent.
  • NT style status32 code negotiation for better error handling.
  • Improved Windows 2000/XP/2003 printing capabilities.
  • Support for loadable RPC modules.
  • A faster dual-daemon winbindd process.
  • Support for migrating from Windows NT 4 domains to Samba domains.
  • Support for negotiating trust relations with NT 4 domain controllers.
  • Preliminary support for a distributed Winbind architecture.
  • Major documentation updates.

Despite the difficulties involved in reverse-engineering black-box software, the Samba development team continues to make major steps forward.

Comments (none posted)

System Applications

Audio Projects

Two new releases of JACK

Two new releases of JACK, the Jack Audio Connection Kit, are out this week. Version 0.74.0 features include new documentation, a new --dither=none option, and code rearrangement. Version 0.74.1 fixes one compile bug.

Comments (none posted)

Database Software

MySQL 4.0.14 has been released

Version 4.0.14 of the MySQL database has been released. "This is a maintenance release for the current production version."

Full Story (comments: none)

PostgreSQL Weekly News

The PostgreSQL Weekly News for July 16, 2003 is out. This issue looks at the 2003 Linux Journal Editors Choice Award (PostgreSQL won best database); also news on the feature freeze and the upcoming 7.4 beta.

Full Story (comments: none)

Mail Software

QmailAdmin 1.0.24 released (SourceForge)

Version 1.0.24 of QmailAdmin, a web interface for managing qmail virtual domains, has been announced. "This release includes more cleanup as we get closer to a stable release. Functional changes: works with non-idx version of ezmlm again, updated Japanese translation."

Comments (none posted)

Networking Tools

wlandscape 1.0 build 0461 released (SourceForge)

A new build of wlandscape is available. "Wlandscape is a tool for collecting and visualizing access point data of public wireless networks in order to share it with anyone. The collected data is shown in really good maps and of course all for free."

Comments (none posted)

Printing

LinuxPrinting.org news

The latest news on the LinuxPrinting.org site includes the integration of manufacturer-supplied PostScript PPD files into the printer database, and support for Samsung's "gdi" driver.

Comments (none posted)

Security

Secure Cooking with C and C++ (O'ReillyNet)

O'Reilly has published an excerpt from the book Secure Programming Cookbook for C and C++. "In this first in a three-part series of sample recipes from Secure Programming Cookbook for C and C++, the authors offer nine basic rules for proper data validation, which they recommend all system administrators follow. From their first rule: "Assume all input is guilty until proven otherwise" to their last: "The better you understand the data, the better you can filter it,""

Comments (none posted)

Web Site Development

Issue Handler 0.9.0 released (ZopeMembers)

Version 0.9.0 of Issue Handler has been released. "The Issue Handler is a simple product for managing (structuring, editing, prioritizing, categorizing) issues." Changes include UI improvements, new quick and multiple edit buttons, and bug fixes.

Comments (none posted)

phpWebSite 0.9.3 released (SourceForge)

A new release of phpWebSite, a web site content management system, has been announced. "phpWebSite version 0.9.3 addresses stability problems from 0.9.2. There have also been many updates to resolve usability issues. Included with this release is a docbook user manual for end-users and a skeleton module for developers."

Comments (none posted)

TextIndexNG 2.0 final released (ZopeMembers)

Zope Members News covers the release of TextIndexNG 2.0 final, a fulltext index for the Zope web development platform. New features include relevance ranking for search results, speed improvements, search for suffix support, auto-expansion support, and more.

Comments (none posted)

Zope 2.6.2 Beta 4 Released (ZopeMembers)

Version 2.6.2 Beta 4 of the Zope web development platform has been announced. "Zope 2.6.2b4 represents a development step in the next Zope release formed with a large number of community contributions." Python 2.1.3 is now required for this version.

Comments (none posted)

Zope 2.7.0 Beta 1 Released (ZopeMembers)

Zope Members News reports on the release of Zope 2.7.0 Beta 1. "Zope 2.7.0 represents a concentration on software configuration and installation improvement over older versions. It requires Python 2.2.3."

Zope Newbies has converted to this version of Zope. "What has me grinning tonight is the support for Python 2.3. It means Zope for once works with the latest’n’greatest version of Python. And it means a big performance boost – Python 2.3 on my box is 25% faster than Python 2.2.3. That translates into a much snappier Zope."

Comments (none posted)

Standards

New LSB beta runtime test suite

A new LSB beta runtime test suite candidate is available. Changes include li18nux2k.l1 updates, removal of unnecessary FHS /dev/ tests, prototype fixes for IA64 realloc, and locale installation modifications.

Full Story (comments: none)

Miscellaneous

decr-f 0.2.4 released

Version 0.2.4 of decr-f, a package information utility, is available. "decr-f means 'Description file'. It is designated to provide information about a specific package. The mirror of the decr-f files allows you simply to search for a specific program/lib/software/doc."

Comments (none posted)

Desktop Applications

Audio Applications

amSynth 1.0 rc3 released

Version 1.0 rc3 of amSynth, the Analogue Modelling SYNTHesizer, is available. Changes include a revised GUI, new on-the-fly controls, bank loading and saving, bug fixes, and more.

Full Story (comments: none)

BEAST/BSE v0.5.4 released

Version 0.5.4 of BEAST/BSE, a music composition, synthesis, and sampling library and GUI, is available. "This new development series of BEAST comes with a lot of the internals redone, many new GUI features and a sound generation back-end separated from all GUI activities."

Full Story (comments: none)

gmorgan 0.05 released

Version 0.05 of gmorgan, a rhythm station with auto-accompaniment, has been released. Changes include bug fixes, more chords and patterns, a clear pattern function, and more.

Full Story (comments: none)

MusE 0.6.1 released

Version 0.6.1 of MusE, a MIDI sequencer/editor, has been released. "This release fixes some bugs and has some small usability enhancements. In addition there are new translations for spain and russian."

Comments (none posted)

PyTone 2.0.0 released

Version 2.0.0 of PyTone, an mp3 music jukebox application, has been released. "Besides a huge code reorganisation, many new features are included: A new config file format, list of songs and albums, show most recently played songs, first steps towards a network functionality, currently played song is highlighted in playlist (thanks to Iñigo Serna), support ossaudiodev contained in Python 2.3, support for transparent background (needs a patched Python curses module)."

Comments (none posted)

Desktop Environments

GNOME Summary

The July 7-18, 2003 edition of the GNOME summary is out. "In an effort to prove that the GNOME summary comes around more often than Christmas here is a new one. This week we cover topics such as the new look of gnome.org, a status report from the Welsh translation team, SMIL source released, a Dashboard update and more."

Comments (none posted)

100% Arabic support in GNOME (GnomeDesktop)

An Arabic translation of GNOME 2.2 has been announced. "After Months and Months of Hard work, me Arafat Medini the Arabic gnome maintainer and the Arabeyes team (which I am part of) are proud to present to you a fully Arabic supported GNOME 2.2 desktop."

Comments (none posted)

KDE-CVS-Digest

The July 18, 2003 KDE-CVS-Digest is out. The summary says: "Lots of new features: Kig python scripting support, Kpilot Palm generic db viewer, an action menu in Konqueror to print files, Dvd burning in K3b, RDP support completed in Krdc and an httpmail protocol ioslave. Plus many ARts bugfixes, Kdevelop and Quanta fixes and improvements."

Comments (none posted)

KDE Traffic #59

The July 22, 2003 issue of KDE Traffic has been published. Topics include: Music Manager Konqueror Plugin, Re:For All Non Profit Organizations, and Marc Priorities Winner.

Comments (none posted)

Kolab 1.0 released

Version 1.0 of Kolab has been announced. "The goal of the Kolab Project is to maintain and enhance a Free Software groupware solution called Kolab. It builds on software and concepts developed during the Kroupware Project, in particular the Kolab Server and KDE Kroupware Client." Thanks to Marc Mutz.

Comments (none posted)

XFce4 RC2 released

Release candidate 2 of the XFce4 desktop environment has been announced. "We expect that this will be the final Release Candidate. We hope to release 4.0 on 27th July 2003 if all goes well."

Full Story (comments: none)

Financial Applications

GNUe Traffic

Issue #90 of GNUe Traffic is out with the latest GNU Enterprise development news.

Comments (none posted)

Games

World Forge Game developments

Several new games are under development at World Forge. The following releases are now available: Panthera 0.0.1, Sear 0.4.6, Gaudi 0.1.5, and Sage 0.1.0.

Comments (none posted)

GUI Packages

GPL'ed Qt on DirectFB!

The first release of the Qt library for DirectFB is available. DirectFB "is a thin library that provides hardware graphics acceleration, input device handling and abstraction, integrated windowing system with support for translucent windows and multiple display layers on top of the Linux Framebuffer Device. It is a complete hardware abstraction layer with software fallbacks for every graphics operation that is not supported by the underlying hardware."

Comments (1 posted)

SPTK 2.0 beta 1 is available

Version 2.0 beta 1 of SPTK, the Simply Powerful ToolKit, is available. "This is the first beta version. It means that I consider the library generally working. I have two applications ported into SPTK2, and so far they work more or less stable. At this point, the new feature development is frozen and project goes into testing stage."

Comments (none posted)

Interoperability

Wine Traffic

Issue #179 of Wine Traffic is out. The following topics are included: Interview with Jukka Heinonen, MacOS X Success, Running Commandline Apps, Winegcc and Shared Libraries, API Tracking, Internet Explorer Trivia, and CAB Update.

Comments (none posted)

Office Applications

AbiWord Weekly News

The July 20, 2003 edition of the AbiWord Weekly News is out. The summary says: "OTS 0.3.0 released, lots of Mac OS X chatter, Win32 gets a Menu Make over and the HackDown for 2.0 gets a revamp, bug-wise. QNX users might want to take the time to wake up and give a few things a try. Meantime, if you have someone who hasn't tried anything other than the 1.x series or earlier, you can give them an update yourself!"

Comments (none posted)

Bluefish 0.10 Released (GnomeDesktop)

GnomeDesktop.org covers the release of version 0.10 of Bluefish, an HTML editor. "Changes in 0.10 include many bugfixes and speedups, many user interface improvements, more translations, and a very nice function reference interface. Currently included function reference files are for PHP and HTML. After version 0.11, version 1.0 will come out."

Comments (none posted)

GNUe Traffic #90

The July 19, 2003 edition of GNUe Traffic is online. Topics include: Pre-query on a data source, Possible release of Forms/Common without Designer, SKUs and GNUe Small Business, on-startup and other triggers in Forms, Query returning no results creates a new blank record, Merging arias code into GNUe Small Business CVS, and popy and psycopg as alternative python drivers for PostgreSQL.

Comments (none posted)

Mozilla Sunbird Standalone Calendar Project Launches (MozillaZine)

A standalone version of the Mozilla Calendar, known as Mozilla Sunbird, has been announced.

Comments (none posted)

Velocity v0.1 Beta is finally out (GnomeDesktop)

Version 0.1 beta of Velocity, a GNOME 2 file manager, has been announced. "Notable changes include many major bugfixes, speed fixes, UI improvements, semi-working desktop background image, a new "Open With -> Other..." dialog, a "Send to" system, a burn:/// support plugin, moved Desktop to ~/Desktop, moved Trash to ~/.Trash, and more..."

Comments (none posted)

Web Browsers

Epiphany 0.8.0 Released (MozillaZine)

Version 0.8.0 of Epiphany, a Gecko-based browser, has been announced. "Version 0.8.0 is the first release of Epiphany known to work with Mozilla 1.4."

Comments (none posted)

Galeon 1.3.6 Released (GnomeDesktop)

Version 1.3.6 of the lightweight Galeon web browser has been released. "Shiny new galeon release, largely provoked by the release of mozilla 1.4 final, although strangely enough, 1.3.5 is source compatible with 1.4; the first time that's ever happened since before mozilla 1.0."

Comments (none posted)

Mozilla 1.5 Alpha Released (MozillaZine)

MozillaZine covers the release of Mozilla 1.5 Alpha. "New in 1.5a are a number of Composer enhancements, tab browser clean up, and the usual crash and performance fixes."

Comments (none posted)

Independent Status Reports (MozillaZine)

The Mozilla Independent Status Reports for July 21, 2003 are out. "The latest set of status reports includes updates from JS Console, GooglebarL10N, HON, mozdev, MozWho, wmlbrowser, StumbleUpon and TagZilla."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

MozillaZine points to the July 14, 2003 mozilla.org staff meeting minutes. "Issues discussed include Mozilla 1.5 Alpha, Mozilla Firebird 0.6.1 and the Mozilla Foundation."

Comments (none posted)

Miscellaneous

Gaim 0.65 is out (GnomeDesktop)

Version 0.65 of Gaim, an instant messaging client, has been announced. This release includes a few new features, improved translations, and bug fixes.

Comments (none posted)

Gaim 0.66 Released (GnomeDesktop)

Version 0.66 of Gaim has been released. "Gaim 0.66 has been released, fixing bugs from the previous release."

Comments (none posted)

LilyPond 1.7.26 released

Version 1.7.26 of LilyPond, the GNU project music typesetter, is out. "This release should be considered as a first 1.8 release candidate. Relative to 1.7.25, it contains a few small fixes and an update of the manual."

Full Story (comments: none)

Desktop Framework/Daemon (GnomeDesktop)

GnomeDesktop.org covers Philip Van Hoof's proposal for the creation of a network transparent daemon and plugin framework. The aim of the system is the integration of desktop information services. "The proposition suggests a secure XML-based framework providing the ability to module writers to create data-shifting operations that can bring application integration to the level where independently developed applications utilising this framework are able to communicate in an integrated manner without any hassle to the user."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The July 15-22, 2003 edition of the Caml Weekly News is out with the latest Caml language development news.

Full Story (comments: none)

Java

PMD updates

PMD is a Java source-code analyzer package. "It finds unused variables, empty catch blocks, unnecessary object creation, and so forth." A new version of the pmd-jbuilder component is available.

Comments (none posted)

Java theory and practice: Concurrent collections classes (IBM developerWorks)

Brian Goetz covers Concurrent collections classes in Java on IBM's developerWorks. "In addition to many other useful concurrency building blocks, Doug Lea's util.concurrent package contains high-performance, thread-safe implementations for workhorse collection types List and Map. This month, Brian Goetz shows you how many concurrent programs will benefit from simply replacing Hashtable or synchronizedMap with ConcurrentHashMap."

Comments (none posted)

Lisp

CL-WHO 0.1.0 released

CL-WHO 0.1.0 is available. "CL-WHO is a Lisp markup language that makes it possible to convert S-expressions intermingled with code into (X)HTML, XML or other representations. CL-WHO is written in portable Common Lisp and is distributed with a BSD-style license."

Full Story (comments: none)

Perl

State of the Onion 7 (use Perl)

UsePerl reports that Larry Wall's State of the Onion 7 talk from OSCON 2003 is now online. "Since this is a State of the Union speech, or State of the Onion, in the particular case of Perl, I'm supposed to tell you what Perl's current state is. But I already told you that the current state of Perl is just fine. Or at least as fine as it ever was. Maybe a little better."

Comments (5 posted)

This Week on perl5-porters (use Perl)

The July 14-20, 2003 edition of This Week on perl5-porters is out. "One week after the second release candidate of perl 5.8.1, and as expected, problems were found, and bugs fixed. Meanwhile, development continues. Read all details in this week's summary."

Comments (none posted)

This week on Perl 6 (O'Reilly)

The July 20, 2003 edition of This week on Perl 6 is out. Topics include: The State of the Onion, A Small Perl Task for the Interested, env.pmc, Dan on threading, Event handling, IMCC sub names are not labels, More on targeting GCC, Parrot_sprintf not recognizing 7 in precision, Problems with new object ops, The big core.ops split, Copyrights, and more.

Comments (none posted)

Overloading (O'Reilly)

Dave Cross introduces operator overloading in Perl on O'Reilly's Perl.com.

Comments (none posted)

PHP

PHP Weekly Summary for July 21, 2003

The PHP Weekly Summary for July 21, 2003 is out. Topics include: HPUX threading, XSLT on Solaris, File upload status inclusion, LinuxTag photos, CFP extended, SNMP documentation cleanups.

Comments (none posted)

Python

Python 2.3 release candidate 1

The first release candidate for the long-awaited Python 2.3 release is now available. If you have an interest in Python 2.3, now is the time to test out your applications and make sure everything works. For a description of the changes in this release, see A.M. Kuchling's What's New in Python 2.3 document.

Full Story (comments: 11)

Dr. Dobb's Python-URL!

The July 21, 2003 edition of Dr. Dobb's Python-URL! is out with a week's worth of Python language news and links.

Full Story (comments: 1)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The July 21, 2003 edition of Dr. Dobb's Tcl-URL! is out with another roundup of Tcl/Tk news and information.

Full Story (comments: none)

XML

Start Here to learn about XML

IBM's developerWorks has published an introductory article on XML. "The developerWorks XML zone contains literally hundreds of articles, tutorials, and tips to help a developer make the most of XML-related applications, but for users trying to find their way in a new topic, all of that information can be overwhelming. This page provides an overview for readers who would like to learn about XML but don't know where to start. It places all of the basics of XML technology into their proper context and ties together relevant developerWorks articles, tutorials and tips, IBM learning services education, webcasts, workshops, and IBM products for further investigation."

Comments (none posted)

IDEs

The PyDev Python Development Platform

A new Eclipse-based Python development platform called PyDev has been launched. "Pydev is a project to create a complete python development environment for eclipse: syntax highlighting, outline view, code navigation, debugger integration. I am doing it because Eclipse is so fun, and there are no Python IDEs I am happy with."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

SCO readies new Linux licensing program (InfoWorld)

InfoWorld speculates on SCO's new Linux licensing scheme which may or may not be announced at Monday's press conference. "While the majority of Linux customers probably would not participate in a SCO licensing program, [analyst Gordon] Haff predicted some companies might be willing to pay SCO for the security of knowing they would not be sued. SCO is 'hoping that even if 99 percent of Linux customers laugh in their face, that there will be sufficient large companies who, for what is presumably going to be a relative drop in the bucket of their IT budgets, can potentially eliminate a cloud over their heads,' he said."

Comments (36 posted)

Windows device development faster, cheaper than Linux? (Register)

The Register has a reasonable look at the recent "embedded Linux costs more" study. "Essentially, innovation, differentiation and building on new platforms ought to cost more, and we should not be surprised when they do. Krasner's figures are certainly interesting, and flag some areas of concern (the tools issue being one of the more obvious of these), but they do not provide adequate reason for Linux developers to flee the battlefield and sign on with Satan instead."

Comments (11 posted)

Saving the Net (Linux Journal)

Linux Journal looks at how to get past the intellectual and political logjams that threaten Linux and the Net. "Who Owns What? That's the fundamental question, and it's going to get more fundamental as we roll toward the next presidential election here in the US. Much is at stake, including Linux and its natural habitat: the Net. Both have been extraordinarily good for business. Its perceived "threat" to Microsoft and the dot-com crash are both red herrings. Take away Linux and the Net, and both technology and the economy would be a whole lot worse."

Comments (none posted)

Trade Shows and Conferences

No glass ceiling to Linux, says Torvalds (vnunet)

Vnunet covers a panel debate at Computer Associates' CA World in Las Vegas. "Sam Greenblatt, senior vice president of CA's Linux technology group, felt too many companies approached Linux as a novel operating system rather than as a serious business tool."

Comments (none posted)

OSCON 2003 Impressions

Python creator Guido van Rossum has posted his impressions on the OSCON 2003 convention. "Tim O'Reilly's keynote pointed out a new class of "desktop applications" that run as well on Linux as on Windows: Google, Amazon, Ebay. Think about it. What these have in common is not just that they are websites that use open source and dynamic languages to access a huge database: As Tim points out, their success in a large part comes from how they track what *people* do."

Comments (none posted)

LinuxTag 2003: A Great Success

KDE.News looks at LinuxTag from a KDE perspective. "As usual, the KDE booth in the exhibition area was crowded. There, both KDE 3.1 and CVS HEAD were shown on four machines. As a special feature, KDE was shown on an Opteron which was made available by AMD. There were almost no problems getting it to compile, and it worked great. Many people dropped by to see the latest developments and were fascinated by the whole range of promising new features and applications such as Kontact, KDE's future Groupware suite and Kexi, a database management system for office users. Many users also used the opportunity to talk directly to the developers in order to provide feedback and suggestions. KDE developers used the hacking area to jointly develop new ideas and hack on KDE."

Comments (none posted)

USENIX 2003

Dustin Puryear covers this year's USENIX Annual Technical Conference on O'Reilly. "The USENIX ATC offers attendees an interesting mix of papers and talks by academia, well-known industry professionals, and researchers working for companies across the world."

Comments (none posted)

The Truth Behind The Curtain (use Perl)

Use Perl mentions a movie on Open-Source Software that is now available online. "Ask (via Robrt) writes "The OSCON 2003 movie, The Truth Behind The Curtain -- What happens behind the curtain in Open Source? What do they really think? -- is now available online. It has been slightly updated from the version we showed before the last keynote in Portland. We also added an explanation of the jokes.""

Comments (none posted)

Linux Adoption

Linux reaches Afghanistan (BBC News)

The BBC News reports that Linux is helping to rebuild Afghanistan. "The United Nations is training civil servants in the intricacies of the software to help them get government computer systems up and running. The first civil servants to complete their training in Linux went back to work earlier this month." (Thanks to miah)

Comments (none posted)

Europe picks Penguin to link government IT (vnunet)

Vnunet covers a working paper from the European Commission on linking national government IT systems across Europe. "The paper, Linking up Europe: the Importance of Interoperability for E-government Services, stressed that the planned European interoperability framework should be "based on open standards and encourage the use of open source software"."

Comments (none posted)

Koha is taking off in France

Koha Labs has posted a report on the adoption of the Koha open-source library system in France. "Serge Renaux, an IT engineer at Group ESIEE, thinks that Koha is a good fit for them. "All of our servers run on FreeBSD or Linux and we've been using free software like Apache, Samba, and OpenLDAP for several years, so a free library system seemed right.", said Serge. They were having problems with their existing library system, a commercial system, so they started looking for a replacement." The article is also available in German and French. Thanks to Pat Eyler.

Comments (none posted)

Open Asia: Japan and Korea embrace open source (NewsForge)

NewsForge takes a look at Free Software in Asia. "Niibe Yutaka, who works for the Japanese Ministry of Economy, Trade and Industry, says, "There are many domestic Linux users groups (I think more than 20). The central one is Japan Linux Association.""

Comments (1 posted)

Interviews

Python and the Tipping Point (Artima.com)

Artima.com has an interview with Bruce Eckel on typing efficiency and Python. "Bruce Eckel talks with Bill Venners about how Python's minimal finger typing allows programmers to focus on the task, not the tool, generating a productivity that makes more projects feasible."

Comments (none posted)

Resources

Graphics tricks from the Linux command line (IBM developerWorks)

IBM developerWorks shows how to perform image manipulation using command-line tools. "The command line tools discussed in this article are part of the excellent ImageMagick suite, which ships with Red Hat Linux and is freely available online. ImageMagick can also be accessed via C, C++, Perl, Python, Java, and several other languages, which Linux programmers will appreciate."

Comments (9 posted)

Linux IPSec Overview

Nico Schottelius has assembled an overview of a number of IPSec implementations that run on Linux.

Comments (none posted)

SVG: A Sure Bet

Paul Prescod has written an article on Scaleable Vector Graphics (SVG) that was derived from his keynote address at SVG Open 2003. "If you mention Scalable Vector Graphics language (SVG) in a crowd of web developers they will immediately gravitate to the question of whether it can "beat" Flash. Recently SVG Print has focused attention on the question of whether SVG can compete with PDF and Postscript. These are exciting possibilities: it would be great to unify these domains under a standardized, XML-based syntax. But it is ultimately quite limiting to define SVG by its success in replacing these existing technologies. SVG is much more than a Flash and PDF-killer."

Comments (none posted)

ZopeMag Issue 5 is now out! (ZopeMembers)

Zope Members News has the announcement for Issue #5 of ZopeMag. "Coming this quarter we have even more Zope Documentation you can't find anywhere else -- including an 18 page article on how the State of Hawaii Governor’s Website was converted to Plone, Zope and SOAP, and lots more!"

Comments (none posted)

Reviews

4-in-1: Mini Book Reviews (Linux Journal)

Linux Journal has mini reviews of Linux TCP/IP Network Administration, Open Source Web Development with LAMP, A Practical Guide to Red Hat 8 and The Practice of System and Network Administration.

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Announcing the launch of the Desktop Linux Consortium

The Desktop Linux Consortium has announced (click below) that it is ready to finalize its corporate structure and begin accepting members. Before things are finalized, they are asking for some feedback from the community.

Full Story (comments: 2)

The Future: The Mozilla Foundation and the End of Netscape (MozillaZine)

MozillaZine has a clarification of AOL's disbanding of the Netscape project and the creation of the Mozilla Foundation. "Firstly, while a major loss, the end of Netscape does not mean the end of Mozilla. There is no way that AOL can revoke the Netscape and Mozilla Public Licenses and make the code proprietary. The Mozilla code will continue to be available to all. AOL has also agreed to transfer the Mozilla trademark and other intellectual property (much of it dating back to when Mozilla was Netscape's mascot) to the new Mozilla Foundation. Netscape-owned hardware (such as the mozilla.org servers) will also be transferred to the new organisation. AOL will continue to employ some Netscape staffers, such as Asa Dotzler, for a couple of months to help with the transition. The Mozilla Foundation marks the first time that the Mozilla project actually has a legal existence (mozilla.org was always just a more informal group)."

Comments (none posted)

Mozilla Marketing Project Launches (MozillaZine)

MozillaZine has an announcement for the new Mozilla Marketing Project. "Think of these initiatives as experiments. We also have more private forums to pursue marketing-related projects, but we want to see if we can get a broader community of people involved in what we hope will evolve into an "open marketing" effort."

Comments (none posted)

Mozilla Foundation Accepting Donations (MozillaZine)

Along with all of the other Mozilla news this week, the Mozilla project is now accepting donations from individuals and groups. Support your favorite browser.

Comments (none posted)

Commercial announcements

Open Source Victoria files ACCC complaint against SCO regarding Linux

Open Source Victoria (OSV) has filed a complaint with the Australian Competition and Consumer Commission, asking the ACCC to investigate The SCO Group's activities in light of their unsubstantiated claims and their extortive legal threats.

Full Story (comments: 12)

Free Version 1.3 of icoya OpenContent released (ZopeMembers)

Struktur AG has announced the availability of a free version of its commercial icoya OpenContent web content management system. "Enterprises, public authorities, and private users have now the possibility to download the starter version 1.3 of icoya OpenContent at no charge for immediate and unrestricted use. This free version of icoya OpenContent Management System is not limited in any way and can be used with an unlimited number of editors and users. The starter version 1.3 is also available on CD for the nominal price of EUR 10."

Comments (none posted)

Linux Financial Summit Makes West Coast Debut at LinuxWorld San Francisco

IDG World Expo has announced the agenda for the Linux Financial Summit. The summit is sponsored by Technology For Finance and will take place Tuesday, August 5, 2003 at the LinuxWorld Conference & Expo.

Comments (none posted)

New Books

"GNU Bash Reference Manual" published

A new book, the "GNU Bash Reference Manual", has been published. "For each copy of this manual sold, $1 will be donated to the Free Software Foundation." Thanks to Brian Gough.

Comments (none posted)

Resources

LDP Weekly News

The July 15, 2003 edition of the Linux Documentation Project Weekly News is out with the latest documentation change news.

Full Story (comments: none)

LDP Weekly News

The July 22, 2003 edition of the Linux Documentation Project Weekly News is out. Take a look for the latest documentation updates.

Full Story (comments: none)

Contests and Awards

The 2003 Active Award Winners

The winners of the 2003 ActiveAwards have been announced. "The Active Awards are held annually to honor members of the open source community who *actively* contribute to open languages and display excellence in their programming efforts. The categories include each of ActiveState's key technologies: Perl, PHP, Python, Tcl, and XSLT."

Comments (none posted)

Event Reports

O'Reilly Open Source Convention Wrap-Up

O'Reilly has published a wrap-up review of the 2003 Open Source Convention (OSCON).

Full Story (comments: none)

PerlBugathon Results (use Perl)

UsePerl covers the results of the 2003 PerlBugathon event. "Around 150 bugs were closed by volunteers at OSCON and around the world. OnyxNeon has doubled their bug-bounty to $2, and will be making a donation of $300 to The Perl Foundation."

Comments (none posted)

Upcoming Events

Damian in Chicago (Sept. 15-26) (use Perl)

According to Use Perl, Perl guru Damian Conway will be teaching Perl classes in Chicago, Illinois from September 15-26, 2003.

Comments (none posted)

Kastle: Conference Program Released

The conference schedule for the KDE Contributor Conference 2003, to be held in Nové Hrady, Czech Republic on September 22-30, 2003, has been announced. "Conference registration for all attendees is still possible until 29th July."

Comments (none posted)

First Plone Conference (ZopeMembers)

The first conference on the Plone web development platform has been announced. The event will take place in New Orleans, Louisiana on October 15-17, 2003.

Comments (none posted)

Events: July 24 - September 18, 2003

Date | Event | Location
July 24 - 26, 2003 | Ottawa Linux Symposium | Ottawa, Canada
July 24 - 25, 2003 | YAPC::Europe 2003 | CNAM Conservatory, Paris, France
July 25 - 27, 2003 | Fifth Annual Linux Festival in Kaluga Region | bank of the river Protva, Kaluga region, Russia
July 29 - August 2, 2003 | The 10th Annual Tcl/Tk Conference | Ann Arbor, Michigan
July 31 - August 3, 2003 | UKUUG Linux Developers' Conference (LINUX 2003) | George Watson's College, Edinburgh, Scotland
August 4 - 7, 2003 | LinuxWorld Conference and Expo 2003 | Moscone Convention Center, San Francisco, CA
August 5 - 7, 2003 | 5th Annual CERT Conference (NEbraskaCERT) | Scott Conference Center, Omaha, NE, USA
August 7 - 10, 2003 | Chaos Communication Camp 2003 | Paulshof, Altlandsberg, Germany
August 18 - 21, 2003 | New Security Paradigms Workshop 2003 (NSPW 2003) | Centro Stefano Francini, Ascona, Switzerland
August 22 - 30, 2003 | KDE Developers' Conference | Zamek Castle, Nove Hrady, Czech Republic
August 27 - 29, 2003 | International Conference on Principles and Practice of Declarative Programming (PPDP 2003) | Uppsala University, Uppsala, Sweden
September 3 - 4, 2003 | LinuxWorld Conference & Expo (Cancelled) | The NEC, Birmingham, UK
September 11 - 12, 2003 | Python for Scientific Computing Workshop (SciPy'03) | CalTech, Pasadena, CA
September 15 - 18, 2003 | LogOn Web Days | Across Europe
September 15 - 18, 2003 | Embedded Systems Conference (ESC) | Hynes Convention Center, Boston, Mass

Comments (none posted)

Web sites

GNOME.org gets a makeover (GnomeDesktop)

GnomeDesktop.org mentions the newly redesigned gnome.org web site. "Our favourite place on the web (after gnomedesktop.org) has got a makeover. The long overdue overhaul of gnome.org is underway with both the main and subsites in the middle of the move to the new look. Check out www.gnome.org to see its splendor."

Comments (none posted)

Introducing www.kdedevelopers.org

KDE.News has the announcement for the new KDE Developers Web Log site. "This weblog is intended to be for KDE developers to journal their thoughts in a community atmosphere. This is not meant to really compete with things like http://dot.kde.org/ or the http://www.kde-forum.org/. This is meant to be an area exclusively for KDE developers to share their thoughts about KDE or anything else for that matter. It's an incubator for ideas and an area to let the community see what the KDE developers are thinking."

Comments (none posted)

Lindows Project Steers Open Source Faithful To 'Linux-Friendly' Retailers (TechWeb)

TechWeb takes a look at a new Lindows web site. "Lfriendly.com will offer shoppers links to Linux hardware, software and service, the San Diego-based company said."

Comments (none posted)

RubyForge site launches

The new RubyForge site provides a home for Ruby language projects and discussions.

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Regarding SCO: What are we waiting for.

From:  anandsr@hss.hns.com
To:  letters@lwn.net
Subject:  Regarding SCO: What are we waiting for.
Date:  Tue, 22 Jul 2003 19:36:04 +0530
Cc:  moglen@columbia.edu



Hi,

It is funny that SCO Group has proposed to sell UnixWare Licenses for
Linux.

GPL strictly prohibits relicensing of GPL code without the permission
of all authors of a body of code.

TSG is trying to sell a different license than GPL for Linux. This is as
good as relicensing. I think they have opened themselves up for a
class action lawsuit covering all developers contributing code to
all Free Software code.

What is the opinion of FSF on this? I think their legal counsels should
take a go at this. Because if they sell a License for a Linux Distribution
they are covering everything, including FSF code as well.

At least the FSF should give a press release that they will SUE TSG if
TSG manages to sell their license to anybody who is using Linux, without
clearly stating that this license does not cover any GPL code.

If they don't do this, then FSF can sue, or get support from the aggrieved
author for suing.

In this case the really problematic part is that one side is continuously
shouting and there is a deafening silence on the other side. Anybody
will obviously think that the shouting party is correct and the silent
party is wrong.

regards,
-anandsr

Comments (3 posted)

What to do about the RIAA

From:  Chris Moore <zmower@ntlworld.com>
To:  letters@lwn.net, andrew.orlowski@theregister.co.uk, bob@cringely.com
Subject:  What to do about the RIAA
Date:  Sat, 19 Jul 2003 21:33:18 +0100

Hi,

Boycotting them is too much and not enough.  It's too much because it
implies abstinence and it's not enough because they deserve so much
more.  There's a much better way to stifle them; swapping CDs in
meat-space.  Since there is no copying taking place and no re-sale then
it's entirely legal.  It removes the abstinence part, it's fun, hits
them where it hurts the most and there's the obvious analogy with what
happens online.

Finished with a CD?  Take it down to the swap meet.  An ideal place to
meet is probably in front of the court house. Even if RIAA aren't
prosecuting file swappers there, it's kind of symbolic and who knows,
maybe the judge has some CDs he's finished with?

Chris Moore
Portsmouth, UK

-- 
Sig pending!


Comments (2 posted)

Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds