[This article was contributed by Joe 'Zonker' Brockmeier]
Every time there's a trade show, there's also a flurry of predictable
press releases. New products, product upgrades, new partnerships and so
on. But sometimes, a company manages to sneak in a surprise. Novell
managed to throw the community a curve during the first day of
LinuxWorld Expo by announcing
that it had acquired Ximian. Novell executives have also hinted that
the company may stop developing
NetWare to focus on Linux in the future.
Earlier this year, Novell announced that it would be expanding its Linux
offerings, but the announcement was met with some skepticism and concern
that Novell's commitment to Linux was half-hearted, particularly after
an early flub where Novell
CEO Jack Messman called Linux "immature." Messman soon apologized, and it would
appear that Novell is quite earnest in its commitment to Linux.
On Tuesday, I spoke to Miguel de Icaza of Ximian about the acquisition
and plans going forward. De Icaza said that Ximian and Novell had
already been working together as partners on some projects before Novell
made the offer to buy Ximian.
For the time being, expect Ximian to pretty much stay the same course as
it was on before the acquisition was announced. De Icaza says that
Ximian will operate as an independent subsidiary of Novell and continue
with its existing schedule, and deliver the products that were in the
pipeline before the acquisition. Evolution, Ximian Connector, Red
Carpet, Mono and Ximian Desktop will continue to be developed. Long
term, he indicated that there would be tighter integration between
Novell's offerings and Ximian's.
Though it wasn't mentioned in Novell's press release, de Icaza says that
Novell will also be developing its own Linux distribution in addition to
making its products available for other Linux distributions. Few details are
available about this new Linux distribution, and de Icaza said
that they had not yet established a timeline for the first release.
Obviously, users can expect to see the Ximian desktop and tight
integration with Ximian's Red Carpet, but details about the remainder of
the distribution are sketchy at the moment.
According to de Icaza, one advantage of a Novell Linux distribution is
that it would give Ximian the opportunity to delve deeper into the
operating system. He noted that Ximian has been somewhat limited in the
features they could implement, since Ximian Desktop and other Ximian
products had to integrate with other distributions whose development
wasn't under Ximian's control. Making modifications to the kernel, for
example, wasn't really an option.
Novell will also give Ximian's product line a shot with customers that
the company found it difficult to reach before teaming with Novell. The
enterprise channel is tough to break into, and de Icaza indicated that
Ximian had previously found that larger companies were nervous about
deploying Ximian solutions. As part of Novell, Ximian's products are now
considered less risky because customers know Novell.
The fact you have a company the size of Novell that's going to be
around, from that perspective that's what gets a lot of people
interested. You have a great product, the problem is getting the product
into the hands of people...getting access to that channel is very
important to us.
Overall, the merger looks to be a good deal for Ximian, Novell and the
Linux community as a whole. While Novell's influence has been waning,
the company still maintains a respectable presence in the enterprise
market. The addition of Novell services to Linux's bag of tricks will
definitely help spur Linux adoption on both the desktop and the server
in larger companies.
On the other side, the acquisition of Ximian may help give Novell a
little more credibility with the existing Linux community and help them
to get up to speed with Linux more quickly.
Comments (7 posted)
Last week, we wrote that SCO's anti-Linux
campaign was not just IBM's problem, and that others needed to get into
the fight. Red Hat, clearly, was thinking along the same lines; on
August 4 the company
announced
the filing of a lawsuit against SCO in U.S. District Court in Delaware.
Also announced was the creation of a fund (with a $1 million
contribution from Red Hat) to defend Linux developers against infringement
suits.
Red Hat, seeing a threat to its business, decided to act. SCO, indeed, is
not just IBM's problem.
The lawsuit alleges unfair competition, trade libel, deceptive trade
practices, false advertising, and interference with business
opportunities. It asks for a declaratory judgement that Red Hat has not
violated SCO's copyright or trade secrets, and asks for an unspecified
amount of damages. LWN has published a look at
Red Hat's complaint; for those wanting to go to the source, the complaint
itself is available in small,
easily-read text format or huge,
hard-to-read PDF format.
There is one interesting omission from the complaint. SCO continues to distribute
a 2.4 kernel. This action is a clear violation of the GPL (SCO claims that
kernel cannot be redistributed, or even run without a special license - see
below), and thus an infringement of the kernel developers' copyrights. Red
Hat (along with its employees) holds copyrights to a substantial amount of
kernel code, but no allegations of infringement appear in Red Hat's
complaint. Red Hat told us it was "unable to comment" about this
omission. The GPL and SCO's continued distribution of the disputed code
(whatever it is) under a GPL license will almost certainly play a role in
this whole affair before it is done, but the time has apparently not yet
come.
SCO's response
to Red Hat's suit was unyielding, to say the least.
SCO has not been trying to spread fear, uncertainty and doubt to
end users. We have been educating end users on the risks of
running an operating system that is an unauthorized derivative of
UNIX. Linux includes source code that is a verbatim copy of UNIX
and carries with it no warranty or indemnification. SCO's claims
are true and we look forward to proving them in court.
The response includes a letter sent back to Red Hat; quoting from there:
Of course, we will prepare our legal response as required by your
complaint. Be advised that our response will likely include
counterclaims for copyright infringement and conspiracy.
I must say that your decision to file legal action does not seem
conducive to the long-term survivability of Linux.
Remember, as you read the above, that SCO "has not been trying to spread
fear, uncertainty, and doubt."
If things go well, Red Hat's suit has the potential to force SCO to put
its cards on the table and point out the code that, it claims, infringes
upon its copyrights. At that point, it would be possible to actually
evaluate those claims and determine the true origins of the disputed code.
If SCO has no real claim to that code, the issue can be put to rest. If
SCO's copyrights have truly been violated, the parties responsible can be
identified and the stolen code excised. Of course, SCO has no interest in
either of those scenarios, and will continue to fight any sort of public
disclosure. It would not be possible, after all, for SCO to try to collect
a tax on a system known to be free of its copyrights. But that's the
subject for the next article...
Comments (4 posted)
SCO did not content itself with threatening the "long-term survivability of
Linux" after Red Hat filed suit. The following day, the company
announced
its latest product: an "intellectual property license for Linux" (
license text here). Why, one
might ask? From
the SCO License
FAQ:
Customers have come to SCO asking what they can do to respect and
help protect the rights of the SCO intellectual property in
Linux. SCO has created the Intellectual Property License for Linux
in response to these customer needs.
It is encouraging that SCO is such a concerned, customer-oriented company.
In fact, the company is even kind enough to offer a special "promotional"
pricing arrangement for those who buy their licenses before October.
Prices vary; a "desktop" license is $199, for a single-CPU server it's
$699; for eight processors it goes up to $4999. Embedded devices get a
special $32 price - but that's still enough to hurt when added to your
wireless access point or video recorder.
After the promotional period ends, prices will double.
Of course, certain questions come to mind. Questions like "why the hell
should I pay off a company to use my nicely GPL-licensed software when that
company refuses to show me any proof that it has any claim on said
software?" Strangely enough, this question does not appear in the SCO
licensing FAQ.
For what it's worth, even the Gartner Group has
been quoted as
recommending that potential licensees not bother until the Red Hat suit
plays out.
SCO, perhaps, thinks it is sitting on some sort of gold mine. All it
has to do is make a tax on every Linux installation stick, and enough gold
will flow to Utah to fill Canyonlands. There's only one little
problem: if it were ever to become clear that Linux users actually had to
pay this tax, all distribution of Linux would have to immediately stop.
Distribution of a non-free Linux kernel would be a clear GPL violation, and
there is little doubt
that some holders of Linux copyrights would sue, if necessary, to prevent
their code from being distributed as part of a proprietary product. Even
SCO acknowledges this fact in its FAQ:
The IP License for Linux does not grant distribution rights, nor
does it grant any rights associated with source code. SCO
doesn't offer a license to cure the infringement on the part
of the Linux distributor because SCO's source license
agreement directly conflicts with the GPL.
So, if SCO somehow makes its license stick, it kills the whole game. Linux
distribution would cease, and companies, seeing no future in Linux, would
switch to something else rather than pay exorbitant fees for a dead-end
system. Given that scenario, it is hard to come up with reasons why SCO
would attempt this licensing program in the first place. With the
application of sufficient imagination, however, a few possibilities can be
found:
- The purpose of the licensing program may just be to attract attention
and, with luck, a bit of short-term cash. Perhaps it is not expected
to last very long.
- Perhaps SCO thinks that the momentum and installed base of Linux are
big enough that a way around the GPL problems would have to be found.
- Or, perhaps, the death of Linux is the real goal.
In the short term, however, it's a fairly safe prediction that this
licensing program will not go very far. Most users are far from convinced
by SCO's claims, to say the least. And SCO has very limited resources to
direct toward new legal battles; the company is, after all, fighting two
high-profile cases already. Of course, if you are concerned about
the issue, you should get your advice from a lawyer, not from web
publications like LWN.
Comments (10 posted)
SCO has, in recent days, made a big issue out of the fact that IBM and Red
Hat do not indemnify their customers against any sort of intellectual
property infringement committed by use of Linux. This refusal is, it is
said, a clear indication that these companies know they are on thin
legal ice. Indemnification is a distraction from the main issue (being
that SCO claims its code was stolen and put into Linux), but it deserves a
closer look anyway.
A number of articles in the press have portrayed the refusal to indemnify
as a strange thing, out of line with usual software industry practice. The
authors of those articles clearly have not read the license agreements for
the software they used to do their writing. It is a rare product indeed
that comes with an indemnity agreement. Consider Sun, for example. This
company has made indemnity an issue, but if you go read the Solaris
binary code license agreement, you find this text:
UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT
THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
(Emphasis added). Sun clearly is not interested in exposing itself to
infringement claims. Microsoft's licenses are just as explicit, as are
just about everybody else's. In fact, SCO's intellectual property compliance license for
Linux contains the following language:
ALL WARRANTIES, TERMS, CONDITIONS, REPRESENTATIONS, INDEMNITIES AND
GUARANTEES WITH RESPECT TO THE SOFTWARE, WHETHER EXPRESS OR
IMPLIED, ARISING BY LAW, CUSTOM, PRIOR ORAL OR WRITTEN STATEMENTS
BY ANY PARTY OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO ANY
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR
ANY IMPLIED WARRANTY OF NON-INFRINGEMENT OF THIRD PARTY
INTELLECTUAL PROPERTY RIGHTS) ARE HEREBY OVERRIDDEN,
EXCLUDED AND DISCLAIMED.
SCO, it seems, is even more explicit than Sun in this regard. When SCO
criticises another company for refusing to indemnify its customers, its
behavior can only be described as cynical and hypocritical.
So why the big push on indemnification? The issue is clearly a useful
distraction from the main issue: SCO's refusal to provide evidence for its
claims. There is also a darker possibility, however. Imagine, for a
moment (and the following is pure speculation), that SCO's pressure
convinces one or more deep-pocketed companies
to offer indemnity for its increasingly nervous customers. If SCO were
then to put those customers at the top of its lawyers' "to hassle" list,
said customers would go immediately to their vendor, asking for relief
under the promised indemnity. SCO could then, perhaps, collect a hefty sum
from the company involved; said company, under pressure from its customers,
may well capitulate in that situation.
In SCO's teleconference this week, CEO Darl McBride said "IBM and Red
Hat have painted a Linux liability target on the backs of their
customers." (Do remember, hard though it may be, that SCO is not
trying to spread fear, uncertainty, and doubt). A real possibility exists
that the customers who are targeted first will be those whose vendor has
been pushed into offering some sort of indemnity. Linux users may well be
better off with the standard "no warranty" language.
Comments (1 posted)
LWN first
reported on UCC-2B, a
proposal for a uniform law on software licensing (and other intellectual
property issues), over five years ago. UCC-2B proposed to legitimize
"shrink-wrap" licenses - even if the license is hidden within the box and
unavailable to the customer until after the product is purchased. Some of
the worst abuses of software licensing, such as prohibitions on the
publication of benchmark results or "unauthorized" product reviews and bans
on reverse engineering, would
have, in theory, been legalized by UCC-2B.
Things got more interesting in 1999, when UCC-2B evolved into UCITA. At
this point,
the drafting committee added nice features like the (legal) ability to disable
software remotely, non-transferability of licenses, and more. UCITA was
eventually passed (in modified form) in two U.S. states, but appeared to
stall otherwise. It was, after all, not a very good law.
In 2002, the UCITA folks tried
again with a series of amendments to the law. Remote shutdowns were
taken out, and the provisions allowing the prohibition of public criticism
of the software were watered down slightly. But the new version also
changed the terms on warranties, to the point that it would be impossible
for a free software product to ship with a warranty disclaimer. UCITA
remained a bad law.
Things took a turn for the worse (from the point of view of those backing
UCITA) in early 2003, when the American Bar Association (the professional
association for lawyers in the U.S.) refused to endorse UCITA.
Versions of the law were introduced into several state legislatures, but
made no real progress. UCITA, it seemed, wasn't going anywhere.
This week, it would appear that UCITA has hit the end of the road: the
National Conference of Commissioners on Uniform State Laws has voted to shut down the UCITA
committee. UCITA has ceased to be an active effort in the U.S.
There is a worthwhile lesson in this development: it is possible to
defeat bad laws, at least some of the time. We should not forget another,
hard-learned lesson, however: this sort of proposal tends to come back,
over and over again. Consider the words of the NCCUSL president:
Clearly our efforts to find consensus and to bring all of the
interested parties together has been extraordinary. Unfortunately
in the real world, sometimes doing the right thing at the right
time is not enough.
The clearest thing here is that the people behind UCITA have learned little
from its defeat; UCITA is "the right thing at the right time." UCITA is
gone for now, but it shall certainly be back.
Comments (3 posted)
Page editor: Jonathan Corbet
Security
Brief items
One of the more highly hyped LinuxWorld announcements this week has been
this press release from IBM and SuSE. It seems
that the two have worked together to achieve Common Criteria "Evaluation
Assurance Level 2+" certification for SuSE Linux Enterprise Server 8
running on the IBM eServer xSeries server. This is a significant
development - it is the first Common Criteria certified Linux
distribution. Obtaining this certification is said to be expensive
(several hundred thousand dollars), but it should make it easier to sell
Linux solutions to certain kinds of customers.
An EAL2 certification, however, does not actually mean a whole lot. The
Common Criteria is an extensive standard; those who are curious can find it
documented on
commoncriteria.org; bear in mind that it's several hundred pages of
grim technical text in PDF format; print it out and take it to bed.
Those documents describe seven evaluation assurance levels. EAL1 is the
lowest, described by
Jonathan Shapiro as "the vendor showed up for the meeting." EAL7
requires formal designs, proofs that the implementation matches the design,
independent verification of all test results, etc. EAL2, the level
achieved by IBM and SuSE, is described as follows:
EAL2 requires the cooperation of the developer in terms of the
delivery of design information and test results, but should not
demand more effort on the part of the developer than is consistent
with good commercial practice. As such it should not require a
substantially increased investment of cost or time.
EAL2 is applicable in those circumstances where developers or users
require a low to moderate level of independently assured security
in the absence of ready availability of the complete development
record. Such a situation may arise when securing legacy systems, or
where access to the developer may be limited.
In other words, EAL2 requires the developers to have actually thought a
little bit about security, but "should not require a substantially
increased investment of cost or time." It does require that the system be
tested (by the developer) against known vulnerabilities. But, in the end,
EAL2 certification says that the developers thought about security,
generated a big pile of paper, and spent a chunk of money. Not much more.
IBM and SuSE are aiming for EAL3 certification later this year. The
requirement for EAL3 is:
EAL3 permits a conscientious developer to gain maximum assurance
from positive security engineering at the design stage without
substantial alteration of existing sound development practices...
An EAL3 evaluation provides an analysis supported by "grey box"
testing, selective confirmation of the developer test results, and
evidence of a developer search for obvious vulnerabilities.
For what it's worth, some versions of Windows and most proprietary Unix
systems are certified at EAL4. Red Hat (with Oracle's help) submitted
Red Hat Enterprise Linux AS 2.1 for EAL2 certification last February.
According to the press release, they planned to be the first CC-certified
Linux. Looks like SuSE won that race.
Comments (1 posted)
New vulnerabilities
atari800: buffer overflows
Package(s): atari800
CVE #(s): CAN-2003-0630
Created: August 1, 2003
Updated: September 2, 2003
Description:
Steve Kemp discovered multiple buffer overflows in atari800, an Atari
emulator. In order to directly access graphics hardware, one of the
affected programs is setuid root. A local attacker could exploit this
vulnerability to gain root privileges.
Comments (none posted)
gallery: cross-site scripting
Package(s): gallery
CVE #(s): CAN-2003-0614
Created: July 31, 2003
Updated: September 2, 2003
Description:
Larry Nguyen discovered a cross site scripting vulnerability in gallery,
a web-based photo album written in php. This security flaw can allow a
malicious user to craft a URL that executes Javascript code on your
website.
Comments (none posted)
man-db: buffer overflow, command execution
Package(s): man-db
CVE #(s): CAN-2003-0620, CAN-2003-0645
Created: August 5, 2003
Updated: August 18, 2003
Description:
man-db 2.4.1 and earlier contains two separate vulnerabilities. There are
several buffer overflows which could perhaps be locally exploited, and some
directives in ~/.manpath are executed when they should not be. These
vulnerabilities only matter if the package has been installed in the setuid
mode.
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two
remotely exploitable denial of service vulnerabilities; see this advisory
from Michal Zalewski for details.
Comments (none posted)
wget: buffer overflow
Package(s): wget
CVE #(s): CAN-2003-1565
Created: August 5, 2003
Updated: December 10, 2003
Description:
The wget utility contains a buffer overflow which, when exploited with an
over-long URL, can enable arbitrary code execution.
Comments (1 posted)
wu-ftpd: off-by-one bug
Package(s): wu-ftpd
CVE #(s): CAN-2003-0466
Created: July 31, 2003
Updated: October 5, 2003
Description:
An off-by-one bug has been discovered in versions of wu-ftpd up to and
including 2.6.2. On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges. See this advisory for more details.
Comments (none posted)
xconq: buffer overflows
Package(s): xconq
CVE #(s): CAN-2003-0607
Created: July 31, 2003
Updated: August 5, 2003
Description:
Steve Kemp discovered a buffer overflow in xconq, in processing the
USER environment variable. In the process of fixing this bug, a
similar problem was discovered with the DISPLAY environment
variable. This vulnerability could be exploited by a local attacker
to gain gid 'games'.
Comments (none posted)
xfstt: remote exploits
Package(s): xfstt
CVE #(s): CAN-2003-0581, CAN-2003-0625
Created: August 1, 2003
Updated: August 5, 2003
Description:
xfstt, a TrueType font server for the X window system, was found to
contain two classes of vulnerabilities:
- CAN-2003-0581: a remote attacker could send requests crafted to
trigger any of several buffer overruns, causing a denial of service or
possibly executing arbitrary code on the server with the privileges
of the "nobody" user.
- CAN-2003-0625: certain invalid data sent during the connection
handshake could allow a remote attacker to read certain regions of
memory belonging to the xfstt process. This information could be
used for fingerprinting, or to aid in exploitation of a different
vulnerability.
Comments (none posted)
xtokkaetama: buffer overflows
Package(s): xtokkaetama
CVE #(s): CAN-2003-0611
Created: July 31, 2003
Updated: August 8, 2003
Description:
Steve Kemp discovered two buffer overflows in xtokkaetama, a puzzle
game, when processing the -display command line option and the
XTOKKAETAMADIR environment variable. These vulnerabilities could be
exploited by a local attacker to gain gid 'games'.
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476,
CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552
Created: July 21, 2003
Updated: December 24, 2003
Description:
Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
- CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
Comments (none posted)
apache: multiple vulnerabilities in Apache HTTP server
Package(s): apache
CVE #(s): CAN-2003-0192, CAN-2003-0253, CAN-2003-0254
Created: July 11, 2003
Updated: September 22, 2003
Description:
The Apache Software Foundation and the Apache HTTP Server Project have
announced the release of the Apache HTTP Server 2.0.47. This release fixes
four security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- Denial of service was caused when target host is IPv6 but ftp proxy
server can't create IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
Comments (none posted)
Apache: denial of service vulnerabilities
Package(s): apache
CVE #(s): CAN-2003-0460
Created: July 24, 2003
Updated: July 30, 2003
Description:
The Apache Software Foundation and The Apache Server Project released
a new version of the Apache webserver which addresses the
following security vulnerabilities:
Denial of service (VU #379828)
Ryan O'Neill reported that it is possible to make the httpd server
enter infinite loops and crash under certain circumstances. A new
configuration directive has been created (LimitInternalRecursion) to
avoid these infinite loops and abort the request which caused them if
the configured limit has been reached.
File descriptor leak
Leaks of several file descriptors to child processes, such as CGI
scripts, were fixed.
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19, Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684
Comments (1 posted)
Canna server: exploitable buffer overrun
Package(s): canna
CVE #(s): CAN-2002-1158, CAN-2002-1159
Created: December 10, 2002
Updated: October 1, 2003
Description:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
Package(s): ethereal
CVE #(s): CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432
Created: June 23, 2003
Updated: November 10, 2003
Description:
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file."
Comments (none posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
Comments (none posted)
fdclone: insecure temporary directory
Package(s): fdclone
CVE #(s): CAN-2003-0596
Created: July 23, 2003
Updated: October 1, 2003
Description:
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
CAN-2003-0596
Comments (none posted)
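The fdclone entry above describes the classic insecure temporary-directory pattern: a fixed, predictable path under /tmp that is reused if it already exists, whoever owns it. The following is an added example, not fdclone's own code, showing that pattern beside a hardened one: mkdtemp(3) creates a fresh, unpredictably named, mode-0700 directory and fails rather than adopting an existing path, and workspace_is_safe() shows the checks (real directory, not a symlink, owned by the caller, not group- or world-writable) that a program would have to apply before reusing any pre-existing directory. The function and path names are this example's own; the demo path prefix /tmp/fdclone-demo is a constructed value.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical reconstruction of what the advisory
 * describes): a fixed path; if it already exists it is reused, no matter
 * who owns it or what its permissions are. Returns 0 on "usable". */
int workspace_open_insecure(const char *path)
{
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno == EEXIST)
        return 0;          /* silently adopts whatever is there */
    return -1;
}

/* The checks a program must make before trusting a pre-existing directory:
 * lstat() so a symlink does not pass, it must really be a directory, it must
 * be owned by the calling user, and neither group nor others may write to it.
 * Returns 1 if safe, 0 otherwise. */
int workspace_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Hardened pattern: never reuse an existing directory at all. mkdtemp(3)
 * creates a new directory with a random suffix, mode 0700, and fails if it
 * cannot create one. Returns a malloc'd path the caller frees, or NULL. */
char *workspace_create_secure(const char *prefix)
{
    char *tmpl = malloc(strlen(prefix) + sizeof("-XXXXXX"));
    if (tmpl == NULL)
        return NULL;
    strcpy(tmpl, prefix);
    strcat(tmpl, "-XXXXXX");
    if (mkdtemp(tmpl) == NULL) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

/* Exercise the hardened path: a freshly created workspace passes the checks,
 * the same directory fails them once its permissions have been loosened
 * (simulating a directory an attacker prepared). Returns 1 on expected
 * behaviour, 0 otherwise. */
int demo_workspace(void)
{
    char *ws = workspace_create_secure("/tmp/fdclone-demo");  /* constructed prefix */
    if (ws == NULL)
        return 0;
    int fresh_ok = workspace_is_safe(ws);
    chmod(ws, 0777);                    /* loosen it, as a planted directory would be */
    int loose_ok = workspace_is_safe(ws);
    rmdir(ws);
    free(ws);
    return fresh_ok == 1 && loose_ok == 0;
}

int main(void)
{
    /* /tmp itself exists, is root-owned and world-writable: the insecure
     * opener happily "succeeds" on it, the checks reject it. */
    printf("insecure open of /tmp: %d\n", workspace_open_insecure("/tmp"));
    printf("/tmp passes safety checks: %d\n", workspace_is_safe("/tmp"));
    printf("hardened workspace behaves as expected: %d\n", demo_workspace());
    return 0;
}
```

The key property is that the hardened version has no "already exists" branch at all; the safety checks are shown only to make explicit what reusing a directory would require, and even they leave a window between the check and the use, which is why creating a fresh directory is the preferred fix.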
fetchmail: buffer overflow
Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description:
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted
message. See this advisory for details.
Comments (3 posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size
instead of the actual size when processing a DNS response, which causes the
stub resolvers to read past the actual boundary ("read buffer overflow"),
allowing remote attackers to cause a denial of service (crash).
Alerts:
Comments (none posted)
gnupg: key validation
Package(s): gnupg
CVE #(s): CAN-2003-0255
Created: May 16, 2003
Updated: November 18, 2003
Description:
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID.
Alerts:
Comments (none posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Alerts:
Comments (none posted)
konqueror: information disclosure vulnerability
Package(s): kde konqueror
CVE #(s): CAN-2003-0459
Created: July 30, 2003
Updated: August 11, 2003
Description:
All versions of Konqueror through KDE 3.1.2 contain a vulnerability wherein
the browser could (in rare situations) send authentication information to
an unrelated web site. See this advisory for details.
Alerts:
Comments (none posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages, which
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around for this vulnerability, issue the following
command as root:
    chmod -s /usr/bin/uml_net
Alerts:
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG (Portable
Network Graphics) format files. The starting offsets for the loops are
calculated incorrectly, which causes a buffer overrun beyond the beginning
of the row buffer.
Alerts:
Comments (none posted)
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong site
on a web server with multiple virtual hosts.
CAN-2002-1405
Alerts:
Comments (none posted)
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the use of mailx as the default mailer, which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by
this vulnerability; in particular, SpamAssassin is vulnerable if you use the
-r or -w flags.
Alerts:
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside an
archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Comments (none posted)
mnogosearch: Remote buffer overflow vulnerabilities
Package(s): mnogosearch
CVE #(s): CAN-2003-0436, CVE-2002-0789
Created: July 28, 2003
Updated: July 30, 2003
Description:
Buffer overflow in the "ul" variable (CAN-2003-0436): pokleyzz
<pokleyzz -at- scan-associates.net> reported a buffer overflow vulnerability in
mnoGoSearch which can be exploited remotely to execute arbitrary commands with
the privileges of the webserver.
Buffer overflow in the query variable ("q") (CVE-2002-0789): qitest1
<qitest1 -at- bespin.org> reported a buffer overflow vulnerability in the query
variable ("q") which can be exploited remotely to execute arbitrary commands
with the privileges of the webserver.
Alerts:
Comments (none posted)
mpg123 - buffer overflow
Package(s): mpg123
CVE #(s): CAN-2003-0577
Created: July 16, 2003
Updated: September 30, 2003
Description:
The mpg123 utility contains a buffer overflow vulnerability which can allow
an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Comments (none posted)
Nessus NASL scripting engine security issues
Package(s): nessus
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or he/she would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.
Alerts:
Comments (none posted)
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Comments (none posted)
nfs-utils xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux nfs-utils package contains a remotely exploitable off-by-one bug
in xlog(). A local or remote attacker could exploit this vulnerability by
sending a specially crafted request to the rpc.mountd daemon. See this
BugTraq post for more details.
Alerts:
Comments (none posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
perl: cross site scripting vulnerability in CGI.pm module
Package(s): perl
CVE #(s): CAN-2003-0615
Created: July 29, 2003
Updated: October 1, 2003
Description:
obscure@eyeonsecurity.org reported a cross site scripting vulnerability in
the CGI.pm Perl module. This module is used to facilitate the creation of
web forms and is part of the perl-modules RPM package.
CAN-2003-0615
Alerts:
Comments (none posted)
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description:
Two vulnerabilities exist in the PHP mail() function. The first one allows
the execution of any program/script, bypassing the safe_mode restriction; the
second one may turn a script into an open relay if the mail() function is not
carefully used in PHP scripts. See this Bugtraq report for more details. Note
that this is a different vulnerability than the previous PHP mail() problem,
which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986
Alerts:
Comments (none posted)
PHP: Cross site scripting vulnerability
Package(s): PHP
CVE #(s): CAN-2003-0442
Created: July 2, 2003
Updated: August 13, 2003
Description:
In PHP version 4.3.1 and earlier, when transparent session ID support is
enabled using the "session.use_trans_sid" option, the session ID is not
escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
Package(s): phpgroupware
CVE #(s): CAN-2003-0504, CAN-2003-0582
Created: July 16, 2003
Updated: October 1, 2003
Description:
Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities, including cross-site
scripting issues that can be exploited to obtain sensitive information such
as authentication cookies.
See this Security Corporation report for more information.
CAN-2003-0504
CAN-2003-0582
Alerts:
Comments (none posted)
PostgreSQL - more buffer overflows
Package(s): postgresql
Created: February 12, 2003
Updated: November 7, 2003
Description:
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they
affect the circle_poly(), path_encode(), and path_addr() functions.
Exploiting these overflows requires that the attacker first obtain a
connection to the PostgreSQL server.
Alerts:
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable name
which could lead to execution of arbitrary code. According to the Debian
advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119
Alerts:
Comments (none posted)
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
use Perl has a description of a vulnerability in the Safe.pm Perl module. It
seems that if a Safe compartment is used more than once, it ceases to be
safe. The problem is fixed in Safe 2.08.
Alerts:
Comments (none posted)
semi: insecure temporary file
Package(s): semi, wemi
CVE #(s): CAN-2003-0440
Created: July 7, 2003
Updated: October 1, 2003
Description:
semi, a MIME library for GNU Emacs, does not take appropriate security
precautions when creating temporary files. This bug could potentially be
exploited to overwrite arbitrary files with the privileges of the user
running Emacs and semi, potentially with contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug.
CAN-2003-0440
Alerts:
Comments (none posted)
stunnel: signal handler reentrancy DoS
Package(s): stunnel
CVE #(s): CAN-2002-1563
Created: July 25, 2003
Updated: November 25, 2003
Description:
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
Alerts:
Comments (none posted)
sup: insecure temporary file
Package(s): sup
CVE #(s): CAN-2003-0606
Created: July 29, 2003
Updated: October 1, 2003
Description:
sup, a package used to maintain collections of files in identical versions
across machines, fails to take appropriate security precautions when
creating temporary files. A local attacker could exploit this vulnerability
to overwrite arbitrary files with the privileges of the user running sup.
CAN-2003-0606
Alerts:
Comments (none posted)
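The precautions that fdclone, semi and sup skipped, as an added example that is not code from any of those projects: a check for an already existing workspace directory (the case fdclone got wrong), and mkdtemp()/mkstemp() for creating a fresh directory or file so that a pre-planted name is never reused or followed. All function names are ours.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/*
 * Returns 1 if `path` is a directory that may be trusted as a private
 * workspace: not a symlink, owned by the calling user, and granting no
 * permissions at all to group or others.  Anything else, including a
 * missing path, returns 0.  This is the check fdclone omitted when it
 * reused an existing /tmp directory regardless of ownership or mode.
 */
int verify_private_dir(const char *path)
{
    struct stat st;

    /* lstat(), not stat(): a symlink planted at this path must fail. */
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;
    return 1;
}

/*
 * Creates a fresh private workspace under `parent` (for example "/tmp").
 * mkdtemp() picks an unpredictable name and creates the directory with
 * mode 0700 atomically, so an existing directory is never reused.
 * On success `out` holds the new path; returns 0, or -1 on failure.
 */
int create_private_dir(const char *parent, char *out, size_t outlen)
{
    /* mkdtemp() requires the template to end in XXXXXX. */
    if (snprintf(out, outlen, "%s/work.XXXXXX", parent) >= (int)outlen)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/*
 * Creates a temporary file the way semi and sup should have: mkstemp()
 * opens an unpredictable name with O_CREAT|O_EXCL, so a pre-planted file
 * or symlink at that name makes the call fail instead of being followed
 * and overwritten.  Returns an open descriptor, or -1 on failure.
 */
int create_private_file(const char *dir, char *out, size_t outlen)
{
    int fd;

    if (snprintf(out, outlen, "%s/tmp.XXXXXX", dir) >= (int)outlen)
        return -1;
    fd = mkstemp(out);
    if (fd < 0)
        return -1;
    /* Older libcs created mkstemp() files 0666; force 0600 regardless. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(out);
        return -1;
    }
    return fd;
}
```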
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing "../",
meaning that a hostile archive can, if unpacked by an unsuspecting user,
overwrite any file that is writable by that user. GNU tar versions 1.13.19
and earlier are vulnerable; unzip through version 5.42 has the same
vulnerability.
Alerts:
Comments (1 posted)
teapop: SQL injection
Package(s): teapop
CVE #(s): CAN-2003-0515
Created: July 9, 2003
Updated: October 1, 2003
Description:
teapop, a POP-3 server, includes modules for authenticating users against a
PostgreSQL or MySQL database. These modules do not properly escape
user-supplied strings before using them in SQL queries. This vulnerability
could be exploited to execute arbitrary SQL under the privileges of the
database user as which teapop has authenticated.
CAN-2003-0515
Alerts:
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Alerts:
Comments (none posted)
unzip: directory traversal vulnerability
Package(s): unzip
CVE #(s): CAN-2003-0282
Created: July 1, 2003
Updated: November 13, 2003
Description:
A vulnerability in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information.
Alerts:
Comments (none posted)
vim - modeline vulnerability
Package(s): vim
CVE #(s): CAN-2002-1377
Created: January 16, 2003
Updated: February 10, 2004
Description:
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed.
Alerts:
Comments (4 posted)
vixie-cron: Local vulnerability
Package(s): vixie-cron
CVE #(s): CVE-2001-0559
Created: April 17, 2003
Updated: October 3, 2003
Description:
From the ISS advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10, 2001 security page.
Alerts:
Comments (none posted)
webmin: session ID spoofing
Package(s): webmin
CVE #(s): CAN-2003-0101
Created: June 13, 2003
Updated: November 18, 2003
Description:
miniserv.pl in the webmin package does not properly handle metacharacters,
such as line feeds and carriage returns, in Base64-encoded strings used in
Basic authentication. This vulnerability allows remote attackers to spoof a
session ID, and thereby gain root privileges.
Alerts:
Comments (none posted)
wget: directory traversal bug
Package(s): wget
CVE #(s): CAN-2002-1344
Created: December 10, 2002
Updated: October 1, 2003
Description:
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also this Bugtraq article from 1997.
CAN-2002-1344
Alerts:
Comments (none posted)
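A name check covering the three traversal cases described in the tar/unzip, unzip 5.50 and wget entries above ("../" members, non-printable characters filtered into "..", and NLST replies carrying directory information), as an added example that is not code from any of those projects. The function names are ours; the stripping of non-printable characters mirrors what unzip did, but here the traversal check runs on the cleaned name rather than the raw one.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAME 4096

/*
 * Copies `name` into `out`, dropping non-printable characters the way
 * unzip 5.50 did.  Returns the cleaned length, or -1 if it does not fit.
 * Kept as a separate pass so that every check below sees the final form
 * of the name: checking before filtering is exactly the unzip 5.50 bug.
 */
static int strip_unprintable(const char *name, char *out, size_t outlen)
{
    size_t n = 0;

    for (; *name; name++) {
        if (!isprint((unsigned char)*name))
            continue;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = *name;
    }
    out[n] = '\0';
    return (int)n;
}

/*
 * Returns 1 if an archive member may be written relative to the extraction
 * directory, 0 otherwise.  Rejects an empty name, an absolute name
 * (leading '/'), and any '/'-separated component equal to "..".  Because
 * the check runs on the cleaned name, ".\001." cannot slip through as "..".
 * Names such as "..b" or "..." are ordinary and stay allowed.
 */
int is_safe_relative_name(const char *name)
{
    char clean[MAX_NAME];
    const char *p, *comp;

    if (strip_unprintable(name, clean, sizeof clean) <= 0)
        return 0;
    if (clean[0] == '/')
        return 0;

    /* Walk the name one component at a time. */
    comp = clean;
    for (p = clean; ; p++) {
        if (*p == '/' || *p == '\0') {
            size_t len = (size_t)(p - comp);
            if (len == 2 && comp[0] == '.' && comp[1] == '.')
                return 0;
            if (*p == '\0')
                break;
            comp = p + 1;
        }
    }
    return 1;
}

/*
 * Stricter variant for an FTP NLST reply (RFC 959 section 4.1.3): the
 * server is supposed to send bare filenames, so any '/' at all, or a name
 * of "." or "..", is rejected outright rather than interpreted.
 */
int is_plain_filename(const char *name)
{
    char clean[MAX_NAME];

    if (strip_unprintable(name, clean, sizeof clean) <= 0)
        return 0;
    if (strchr(clean, '/') != NULL)
        return 0;
    if (strcmp(clean, ".") == 0 || strcmp(clean, "..") == 0)
        return 0;
    return 1;
}
```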
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description:
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content-Length values. "It is believed that an attacker could
exploit this bug to gain remote wwwrun access to the system wwwoffled is
running on."
CAN-2002-0818
Alerts:
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
Package(s): xinetd
CVE #(s): CAN-2003-0211
Created: May 13, 2003
Updated: November 13, 2003
Description:
Xinetd is a 'master server' that is used to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11, which is not
vulnerable to these issues.
Alerts:
Comments (none posted)
Events
The Sixth International Symposium on Recent Advances in Intrusion Detection
will be held in Pittsburgh, PA on September 8 to 10.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.6.0-test2; Linus has not
released any development kernels over the last week.
Linus has been busy, however; his BitKeeper tree contains a substantial
pile of patches, including a merge of the SELinux security module, a new
print_dev_t() function which is portable across architectures (and
dev_t size changes), some power management and software suspend
fixups, an ALSA update, some disk readahead changes (avoiding work if the
drive is too busy to do readahead anyway), and, of course, a vast number of
fixes.
The current stable kernel is 2.4.21, but 2.4.22 is getting closer:
Marcelo announced the first release
candidate on August 5. The time has come for those with a serious
interest in 2.4.22 to do some real testing and shake out the remaining
problems.
Comments (2 posted)
Kernel development news
Your editor recently replaced his venerable Sony 505-FX laptop. That
machine had a nice feature - hitting a certain magic function key sequence
would cause the APM BIOS to take over, save the contents of memory to disk,
and suspend the system. The Linux APM code would let the kernel trap the
events and do things like flush out disk buffers (before suspending) or
reset the system clock (after). It all "just worked."
The new laptop has the same little "suspend" symbol on the same key, but it
doesn't work. In the modern, ACPI world, it is the operating system which
is responsible for suspending and resuming the system. This change is,
somehow, presented as progress. The version of Windows shipped with the
laptop is able to perform this operation, of course. Strangely, Sony does
not support Linux to the same level. Your editor, it seems, was doomed to
head off to the Kernel Summit and
OLS with a non-suspending
laptop.
Then came the announcement that software
suspend for 2.4, v1.0, was available. LWN has covered the swsusp patch before, but swsusp has
long been in the "almost works" category. For a long time, it appeared
that not much was being done in that area. More recently, the swsusp
effort has picked up steam (as more kernel hackers get new laptops,
perhaps). Thus, the 1.0 release.
The swsusp tarball yielded a series of patches; the user has to decide
which ones to apply depending on what other patches are of interest. For
example, if the target (2.4.21) kernel has the ACPI patches in it (pretty
much mandatory for many laptops), a separate swsusp "option" patch must be
applied as well. The swsusp "Applying" file covers the necessary patches
(and required order) reasonably well - for somebody who is comfortable
messing with highly patched kernels.
The patch also comes with a "hibernate" script which is used to actually
kick off a software suspend operation. This (lengthy) script tries to get
everything into shape for a graceful suspend; in many ways, it behaves like
a partial shutdown. Certain processes are killed off, as many modules as
possible are unloaded, etc. On resume it restores the clock, reconfigures
network interfaces, and, perhaps, engages in some complicated gymnastics in
an effort to get X and the video hardware back in sync.
The bottom line is: it works. On your editor's laptop, an invocation of
hibernate saves state and takes the system to a power-off state in
16 seconds. Returning to a full X display takes a little longer: 34
seconds, after the BIOS finishes its power-on ablutions. To say the
least, this is a nice functionality to have in a laptop, especially when
one is attempting to cover a conference.
The one bit of remaining difficulty is the laptop's Radeon video hardware,
which refuses to come back into any sort of reasonable, useful state.
There is, evidently, a patch for XFree86 which makes this problem go away.
But your editor, who has no trouble with patching a kernel to a pulp, shies
away from patching and installing XFree86. It was far simpler to tell X to
run in the unaccelerated, dumb frame buffer mode, which works just fine.
For those who are interested in 2.4 software suspend, the first swsusp 1.1 release candidate was
announced on August 5. There's a number of useful changes in this
version, but the largest is probably the ability to save system state to
swapfiles (previous versions only worked with swap partitions). Software
suspend support in 2.6 is in more of a state of flux; the power management
changes have still not been merged, and work is being done to make the
swsusp support cleaner, more flexible, and more robust. 2.6 should
eventually have a solid swsusp implementation, though it may still be
stabilizing when 2.6.0 comes out. It is unclear whether swsusp will ever
be merged into the 2.4 kernel; it is a somewhat invasive patch to apply to
a stable series.
Comments (10 posted)
At the conclusion of
last week's
episode, Con Kolivas and Ingo Molnar were busily trying to improve
interactive response in the 2.6-test scheduler through a variety of
techniques. Con had picked up some of Ingo's changes, but had passed over
others. In particular, Con thought that Ingo's nanosecond timekeeping
functionality added extra overhead without really helping with interactive
scheduling.
So it was, perhaps, a surprise to some when Andrew Morton's 2.6.0-test2-mm3 kernel came with a little note:
"Con's CPU scheduler rework has been dropped out and Ingo's changes
have been added." There is a useful lesson here that has been
learned several times on linux-kernel: when Ingo starts to think seriously
about a development issue, it's usually worthwhile to pay attention to what
he comes up with. (Incidentally, Andrew merged Ingo's 4G/4G patch as well).
In particular, it seems that Ingo's nanosecond timekeeping in the scheduler
was necessary after all. The interactivity patches try to give a priority
boost to processes which perform short sleeps, and tracking those sleeps in
jiffies (usually 1/1000 second in 2.6) was insufficiently precise. Con reworked
his patch to use the higher-resolution times; the resulting O12.2int patch found its way back into 2.6.0-test2-mm4. Beyond the timekeeping
change, the patch continues to tweak the various parameters, but mostly
sticks to the techniques for discovering interactive processes that were
discussed last week.
Con's O13int goes a little further, however,
and denies an interactive bonus to processes for non-interruptible sleeps.
This type of sleep (which shows up in ps output as the dreaded
"D" state that can mark a non-killable process) is usually (but
not always) associated with a wait for disk I/O. Con's observation was
that processes which are pounding on the disk are usually not performing
truly interactive work, and shouldn't get the associated bonus.
This approach has a problem, however: the recently merged anticipatory
I/O scheduler will, on completion of a read request, idle the disk briefly
on the expectation that the reading process will immediately issue another,
nearby request. But if the scheduler makes the reading process wait (since
it was in a non-interruptible sleep and doesn't appear to be interactive),
the next read request may not arrive in time, with the result that the I/O
pause was done in vain. Idling a disk for no useful purpose does not help
response, interactive or otherwise. In the end, Con tweaked the code to allow tasks to build up
enough credit in non-interruptible sleeps to just barely qualify as
"interactive."
Since then, scheduler tweaking activity has slowed a bit. For the time
being, it seems, most of the ideas in circulation have been tried out.
Perfection in the scheduler is probably an unattainable goal; it may be
that it will soon be time to declare victory and move on to other issues.
Comments (2 posted)
It may seem like a small victory for some, but
David Mosberger seemed pleased enough when he
announced that, as of August 4, the
official Linus kernel builds correctly on the IA-64 architecture with no
additional patches needed. Non-x86 architectures often require external
patches to build correctly, and Itanium has been no exception. In fact,
IA-64 required a larger set of patches than most; the port was
initially done with a rather un-subtle hand. It has taken a lot of work
from numerous developers to bring the two trees back together;
congratulations are due.
Comments (1 posted)
Dipankar Sarma recently posted a pair of
patches which change the interface to the read-copy-update functionality in the
kernel; these patches shrink the
rcu_head structure and change the
prototype of the
call_rcu() function. Andrew Morton's
response was that the patches looked good, but
now the focus was on stabilization, not improvements. He
went on to say:
Oh I'd be okay with merging a change like this into (say)
2.6.3-pre1, without it having had a run in 2.7. We need to be able
to do things like that.
The only problem with this plan, of course, is that such a change would
break all code using RCU - during a stable series. The rcu_head
structure changes would break binary modules; very few developers are
particularly concerned about that. The call_rcu() prototype
change, however, would be a source API change; that sort of thing worries
more people. Some objections were raised, but it appears that Andrew's
plans have not changed. RCU users may want to bear in mind that an API
change may well happen early in the 2.6 series.
Comments (1 posted)
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
[This article was contributed by Ladislav Bodnar]
While working on a review
of Xandros Desktop 1.0, the author of this article happened to replace his
Matrox graphics card with a new NVIDIA GeForce one. Anyone who has done a
similar hardware upgrade knows that a change like that would not go unnoticed
during the next attempt to start the X Window system; in fact, even Microsoft's
operating systems would be caught off-guard with likely prompts to install a
new driver. So how did Xandros handle the change? In one of the most
impressive displays of user-friendliness, the Xandros operating system
detected the change, installed the necessary NVIDIA drivers, reconfigured
XF86Config and booted into KDE -- without as much as a single prompt!
Needless to say, this experience, together with many other innovative features
considerably increased the author's respect for the Xandros distribution.
Other reviewers felt similarly; an article in the January 2003 edition of
UK's Linux Format magazine concluded:
Xandros is a great, great distribution. Although you may think that
I am on commission for writing such a glowing review, I am not, but
I am simply very impressed at what they have managed to do. Xandros
has successfully managed to take a solid base distribution (Debian)
and make it simple to install and use for the masses. I am usually
quite despondent about shelling out the £££ for a
Linux distribution, but I would be happy to pay for Xandros Desktop
- they have managed to implement a feeling that you are getting
real value for money with the product.
The above examples illustrate two things. Firstly, the distribution decision
makers at Xandros have done some usability studies and come up with a range
of unique ideas. The highly usable Xandros
File Manager, the ability to resize NTFS partitions, the "switch user"
option allowing users to start new X sessions and easily switch between them,
the Xandros Help Center and many other features have yet to be surpassed by
most other so-called user-friendly distributions -- even now when Xandros
Desktop 1.0 is nearly one year old. Secondly, Xandros employs talented
developers who are capable of bug-free implementation of these ideas. Surely,
a combination like that should assure not only glowing reviews, but also a
steady revenue from satisfied and loyal users. Why, then, is Xandros Desktop
not the most widely used desktop Linux distribution on earth?
Some will argue that the $100 price tag is a relatively steep admission fee
to enjoy the benefits, especially since there is no way to try the product
beforehand, while there is an abundance of other distributions which can
be had for no more than the cost of the bandwidth to download them. But is
that the only reason? Isn't there something else that Xandros could do to
gain a larger customer base? Here are a few ideas that might help:
- Establish retail channels. At the moment, Xandros Desktop is
sold almost exclusively through the company's online store and, to some
degree, OEM integrators. To increase sales and visibility, Xandros will
either have to launch a massive advertising campaign in general publications
or will have to get its software out to retail stores. Unfortunately, both
solutions require considerable expense. Some might disagree with the latter
solution; after all, hasn't Red Hat just discontinued its sales of
shrink-wrapped packages in software stores? Yes, but Xandros is a different
product; it is designed for the average consumer rather than the technology
enthusiast, while its release schedule of about once per year is more
suitable for retail distribution than Red Hat's more rapidly evolving
products.
- Create a community. No Linux distribution has ever become
successful without making an effort to create a user community. This means
a regularly updated web site with new information, tutorials, solutions, tips
and tricks and anything else that makes users visit the web site daily.
Unfortunately, Xandros's site has been static ever since the product launch
and, with the exception of an occasional press release, no new content has
been published. Another excellent way to keep interest high is active
interaction with users on public forums. Mandrake has always been good at
this, and that's perhaps one of the main reasons for its continued
popularity. The Lindows.com forums are another superb example of effective
and frequent interaction between the company and the users of its products -
even Lindows.com CEO Michael Robertson doesn't shy away from responding
to users' concerns and queries. It is amazing how many commercial
distributions neglect this simple form of communication with their
users!
- Release source code. This might sound like too radical an idea,
but releasing some of Xandros's work, such as the Xandros File Manager, under
the GPL would do the company a lot of good. Firstly, it would be loudly
applauded by the Linux community as a great contribution to Free Software, as
well as the right thing to do from an ideological standpoint. After all, isn't
much of Xandros Desktop free code written by other developers? Secondly, the
excellent Xandros File Manager would surely find its way into many other
distributions, and this would carry the company's name and prestige with it.
On the surface, the idea seems to conflict with Xandros's commercial
interests, and the benefits of such an intangible action are hard to
quantify. But at the very least, it should be given serious consideration.
Earlier this week, Xandros
launched two new beta
programs for its upcoming releases of Xandros Desktop 2.0 and Xandros
Networks Enterprise. Both products are expected to go gold before the end of
this year. This would perhaps be a good time to make some aggressive changes
in the way the company operates. Failing that, the Xandros distribution will
continue to generate glowing reviews, while it will remain a product of
little significance in the world of Linux distributions.
Distribution News
The developers of Eridani Linux have sent out an announcement that
development of the distribution has ceased. "There will be no further
updates for Eridani Linux 6.3, and our advice to existing users is to
upgrade to a current supported distribution."
The August 5 edition of the Debian Weekly News is out; it looks at the
freeness of MPlayer, the philosophy behind Knoppix, DebConf 2005, Debian in
Schools, and several other topics.
A new experimental version of Debian's APT packaging system is available.
"The DDTP team and the Debian-BR project are proud to announce the
new public release of APT featuring support for translated package
descriptions."
The August 4 Gentoo Weekly Newsletter is available; it looks at Gentoo's
LinuxWorld presence, the first Gentoo BugDay, and the removal of WineX from
Portage.
The lengthy Gentoo 1.4 development process has finally come to an end - the
final version of Gentoo Linux 1.4 is available. There does not appear
to be a release announcement as such, other than a brief item on
gentoo.org. There you can also find a
list of mirrors to download from.
A Mandrake port of the Knoppix Auto-configuration for Installed
Distributions is available. "Knoppix Auto-configuration for Installed
Distributions provides ports of Knoppix's Live CD automatic hardware
detection system to installed systems."
The July 31 Mandrake Linux Community Newsletter is out; this one looks at
the 9.2 Beta 1 release, a new MandrakeClub benefit, the business case
of the week, and more.
Version 1.3 of the OpenPKG meta-distribution has been announced. OpenPKG
now has some 400 packages, and can be run over several Linux distributions,
FreeBSD, and Solaris, with "partial support" for several other Unix-like
systems.
The 1.1 release of OpenPKG is now officially deprecated.
Users of OpenPKG should upgrade to version 1.2 or 1.3.
This week's Slackware ChangeLog mentions that updated packages are
available addressing the latest wu-ftpd buffer overflow.
Minor distribution updates
Bodo Giannone has released version 0.1.5 of BG-Rescue Linux. "This is a
very small Linux distribution that fits on either two floppy disks or one
eltorito-boot cd". See the Change Log for details about this version.
Version 0.4.4 of CDlinux has been released. The changes include minor
bug fixes and minor feature enhancements.
Version 0.4.2 of
Damn Small Linux is out.
This release adds Xpaint, XzGV, emelFM, and Sylphed.
A new package for the JACK Audio Connection Kit is available for
Audioslack. "I have also discovered a very important Jack packaging bug,
which had to do with the source tarball used for the original compilation.
If you were finding that Jack was not working for you, this should fix the
problem of the missing /usr/lib/jack directory, and associated files in that
directory."
Two new versions of Mindi Linux, from the Mondo Rescue project, are out.
"New 1.6x, 1.7x snapshots are out. They fix a couple of silly bugs which
were floating around for months but which I could not fix because I did
not possess suitable hardware for testing my bugfixes. I do now,
thankfully."
Mitel Networks has announced version 6.0beta3, an unsupported developer
release, of SME Server. "The changes in this release include engineering
improvements, a new look and feel and Spanish language support for the
server manager web interface, and the inclusion of a port forwarding
panel." Thanks to Brock A. Frazier.
Version 0.2.2 of
stresslinux,
"a minimal linux distribution running from a bootable cdrom or via PXE", has been released.
The Trinix ramdisk-based distribution has had some recent changes. The
status page says: "Over the last few weeks, the following new packages
have been added: packit, disco. The following existing packages have been
updated to the latest version: apache, darkstat, amap."
Version 1.12 of
Warewulf, an
easily scalable cluster implementation, is available.
Distribution reviews
Open For Business reviews the Libranet distribution. "Libranet is a bit
different than the other GNU/Linux distributions we are considering this
time around. In an era when distributions are often judged by the glitz
that their installer and customized desktop provides, Libranet has neither
glitz nor much of a customized desktop.
At first glance, the Libranet installer could very well cause one to fear
the worst about how long and arduous the installation might be."
Page editor: Forrest Cook
Development
A group of hackers from the
GCJ project have been
awarded the Fast Free Eclipse Prize:
Andrew Haley and Tom Tromey led a team of gcj (GNU Compiler for Java)
hackers at Red Hat who won the Fast Free Eclipse prize. The Fast Free
Eclipse challenge was to produce a free and fast version of the
Eclipse development environment that would run on a completely Free
Software system like GNU/Linux. Tom and Andrew not only accomplished
all the goals of the original challenge, but they went far beyond that
to produce the fastest Eclipse-based development environment to
date. This accomplishment means that the Free Software movement now
has another high productivity environment for creating software that
can be freely used, modified and distributed.
"Eclipse is a kind of universal tool platform - an open extensible IDE for
anything and nothing in particular." The Eclipse project FAQ is quite
comprehensive; it covers many questions about the project. "Eclipse is an
open source software development project dedicated to providing a robust,
full-featured, commercial-quality, industry platform for the development of
highly integrated tools. It is composed of three projects, the Eclipse
Project, the Eclipse Tools Project and the Eclipse Technology Project, each
of which is overseen by a Project Management Committee (PMC) and governed by
its Project Charter."
Eclipse is being distributed under IBM's Common Public License. Downloads of
Eclipse are available here. RPM packages of natively compiled Eclipse, as
well as dependency packages, have been made available by Red Hat.
Thanks to Mark Wielaard.
System Applications
Audio Projects
Version 0.75.0 of the Jack Audio Connection Kit (JACK) has been announced.
Change information is available in the source code.
The latest news from
Planet CCRMA, a project that has assembled a collection of
audio related RPM files, includes the dropping of support for
Red Hat 7.2, and lots of updated packages.
See the
Change Log for details.
Database Software
Version 1.5 RC 5 of the Firebird database is available. "The Release
Candidate means that we're "almost there", and we turned our focus to
remaining known issues and rough edges, final testing and bug squashing. We
made a lot of progress with it thanks to your feedback.
The fifth Release Candidate should become the final release, so we are eager
to hear about your experience (good or bad) with it."
Version 0.8 of DBT-2 is available. "Database Test 2 (DBT-2) v0.8 now
includes C stored functions for PostgreSQL. The OSDL Database Test Suite
aims to create database workload test kits used to simulate heavy user
loads for OLTP, Decision Support, and e-commerce database transactions."
The July 30, 2003 edition of the PostgreSQL Weekly News has been
sent out. Take a look for the latest PostgreSQL database news.
Version 0.6.1-test1 of knoda, a database frontend for KDE, has been
released. "The main feature of the next release will be the support of
Python as a scripting language, so it is possible to extend the
capabilities of forms. The feature has been implemented already and so it
is time to start testing and debugging. Scripting support for reports will
follow."
Embedded Systems
A new version of BusyBox, the minimalist replacement for a collection of
command line utilities, has been released. "The last prerelease (pre1) was
given quite a lot of testing (thanks everyone!) which has helped turn up a
number of bugs, and these problems have now been fixed.
Highlights of -pre2 include updating the 'ash' shell to sync up with the
Debian 'dash' shell, a new 'hdparm' applet was added, init again supports
pivot_root, the 'reboot', 'halt' and 'poweroff' applets can now be used
without using busybox init, an ifconfig buffer overflow was fixed, losetup
now allows read-write loop devices, uClinux daemon support was added, the
'watchdog', 'fdisk', and 'kill' applets were rewritten, there were tons of
doc updates, and there were many other bugs fixed."
Mail Software
Version 0.31 of milter-sender, a real-time sender address verification
package for sendmail, has been announced. "Many important bug fixes in this
release, such as a FreeBSD gethostbyname() fix and some other subtle bugs
that may have caused milter-sender to silently crash in the past (which
I've been hunting down for ages). There is also a long awaited enhancement:
the successful sender cache is now preserved across milter-sender restarts,
provided it was compiled with Berkeley DB support, which makes use of -m
option and FullCallback: tag for sites like Yahoo more reasonable."
Version 1.2 of POPSurgeon has been released. "This release allows the
inspection of messages by looking at the header, the body or both.
POPSurgeon is a program to perform discrete deletion on a POP3 server."
Networking Tools
The GNU Zebra project is a GPL-licensed packet routing system. The current
maintainer, Kunihiro Ishiguro, has stated that the project may need help
from a new maintainer, and may also need to fork into a new project.
Interested developers may want to lend a hand. Thanks to Simon Lyall.
Version 0.60.0 of Posadis, a DNS server, has been released. "Posadis
0.60.0, which is a complete re-write of Posadis, now supports caching and
resolving, it has a plug-in system, and it can monitor your files for
activity."
Version 0.5 of Sussen, a GNOME client for the Nessus Security Scanner, is
available. "The first big change is dropping the embedded MySQL server
backend and converting over to GNOME-DB. This will allow you to use a wide
range of databases (Oracle, SQL Server, MySQL, Postgres, and more) for a
backend."
Peer to Peer
SourceForge has an announcement for giFT 0.11.3. "giFT is a project
designed to completely abstract low-level filesharing protocol
communication while allowing seamless support for multiple networks.
Currently available plugins include: OpenFT, Gnutella, and FastTrack (third
party). This release features only build environment improvements and new
command line options to override the local, home, plugin, and data
directories that giFT was configured to use."
Printing
The Ghostscript project has released a new set of fonts. "It's been quite
some time since the last update to the free URW standard postscript font
set we ship with Ghostscript. In fact, the recommended font set has been
unchanged since the 6.0 release almost 4 years ago.
Thus, we're very pleased to be able to recommend an updated free postscript
font set, based on Valek Filippov's work. The new collection, packaged as
ghostscript-fonts-std-8.11.tar.gz is recommended for all Ghostscript users,
regardless of version."
The CUPS site has an announcement for ESP Ghostscript 7.07.1rc1. "With the
increasing number of Linux distributions shipping, or considering shipping
CUPS as their standard printing system, we have had many requests to
provide patches to the standard GNU Ghostscript source distribution so that
they can ship a single version of Ghostscript.
Thanks to funding from EPSON, this has finally happened. Easy Software
Products now produces maintenance updates of GNU Ghostscript under the name
ESP Ghostscript. These updates incorporate bug fixes to the current GNU
version of Ghostscript as well as the latest CUPS, GIMP-print, and other
add-ons to Ghostscript." Also, version 1.14 of the PyKota print quota
system is available.
The latest Printer Compatibility Database updates on
LinuxPrinting.org
include new drivers for several Brother printers, improvements to the
pxlmono/pxlcolor drivers, a new HP Business Inkjet 1100 driver, and more.
Web Site Development
Version 1.2 of NewsMonster, a cross-platform weblog manager, is available.
"This is a significant update from 1.1 which fixes a number of performance
issues and focuses on usability."
Version 2.0.6 of phpBB, a flat-style discussion software package, is
available. "This release had been made to fix a number of potential
security related issues and more annoying bugs. Work continues on 2.2.0 and
again we do not plan on further releases of 2.0.x except where critical
issues arise."
Version 1.6 of Symbio, an open-source site commenting system, has been
announced. "Symbio 1.6 is out, with exciting new features such as IP
banning and themable statistics, plus lots of tweaks for your convenience."
Miscellaneous
A new version of the CueCat driver, a driver for the CueCat barcode
scanner, is available: "0.8.2 is out, with a new patch against Linux
2.4.21".
Desktop Applications
Audio Applications
SourceForge has an announcement for version 1.2.0 of Audacity. "Audacity
1.2.0-pre1 is a public test release of the free Audacity sound editor. This
release has improved professional-quality audio processing; major new
features such as the ability to speed up, slow down, and alter the pitch of
a track; and many bug fixes since the last beta version 1.1.3."
Version 0.40 of Ceres, a program for generating sound effects
and displaying sonograms, has been released.
Version 0.09 of gmorgan, an organ synthesizer with auto-accompaniment,
has been released. New features include a virtual chord keyboard,
a new look, more patterns and songs, new functions, and bug fixes.
Version 2.2.4 of zinf, a cross-platform audio player, has been released.
"A new release of zinf with bug fixes, enhancements, and a new build
system! Zinf is the continuation of FreeA*p and has all the same features
as FreeA*mp: MP3, Vorbis, WAV and audio CD playback, streaming (SHOUTcast,
Icecast, RTP) support, a powerful musicbrowser/playlist editor, a themed
interface and a RMP download manager."
Desktop Environments
Version 2.3.5 of the GNOME Development Series Desktop is available. "This
release is a feature-frozen, development series snapshot. It is used by
developers and testers as their day-to-day working desktop, and is ready
for wider testing by our user community."
Version 0.80 of MultiSync, a GNOME application for connecting to portable
computing devices, is available for download. Change information is
documented in the release notes.
The August 1, 2003 edition of the KDE CVS Digest has been published. The
summary says: "QtRuby, Ruby bindings for Qt are now in Kdebindings.
Kdevelop has a new class browser. An OBEX kio-slave has been added. Kwallet
is enabled for compilation and testing. Plus Kwin improvements, lots of
work on Kpilot conduits and many bugfixes."
KDE.News is carrying
the announcement for the 1.0 release of Opie - the Open Palmtop Integrated Environment. Opie is a fork of Qtopia with a number of new features and, it is said, improved usability. See the announcement for an impressive list of capabilities.
PYWM is a Python-based window manager for the X Window System. "Some
window managers are mouse heaven and keyboard hell. Other window managers
are the other way around.
But PYWM aims to be very comfortable to use from either.
PYWM is a "pythonised" version of the fast light FLWM window manager, and
gives you easy-to-use tools to create your own personal dream desktop.
Control Freak Heaven." The most recent version of PYWM is version 0.1,
dated June 2, 2003.
Financial Applications
Two issues of GNUe Traffic have been published with lots of
GNU Enterprise news. Take a look at
Issue #91 and
Issue #92.
Games
SourceForge covers the release of version 1.1Beta1 of Exult, a game engine
for running Ultima 7. "This release includes many bug fixes and usability
enhancements, including combat improvements, OGG Vorbis support, additional
artwork, party-formation, and the port to the Zaurus."
Version 0.5.0 of ScummVM has been announced. "ScummVM is a cross-platform
adventure game interpreter, supporting Simon the Sorcerer 1/2, Beneath a
Steel Sky, and many LucasArts adventures. A new stable release of ScummVM,
version 0.5.0, is available. Along with the usual bugfixes, this version
supports several new games (Enhanced Maniac Mansion/Zak McKracken, Beneath a
Steel Sky). This version has undergone extensive testing, and we are
confident it is our best yet."
Interoperability
Issue #181 of
Wine Traffic is on the web.
Topics include: SecurityFocus Article, Profiling Wine, Debug Problem
With Win98 Version, Testing Controls with Mono, and Library of
Microsoft Compression Formats.
Office Applications
Version 0.11 of the Bluefish HTML editor is available. "Bluefish 0.11 is a
minor update. It contains two critical fixes for the custom menu. In 0.10
the config file format for the custom menu changed, but the conversion was
broken; this is fixed in 0.11. Also, replace entries in the custom menu
were broken, causing a segfault in some cases; this is also fixed in 0.11."
Video Applications
SourceForge has an announcement for version 1.3.3 of Freevo, a Linux
application that works as a multimedia jukebox. "This release includes
many new features, one important feature is Xine support to have DVD
navigation (optional)."
Web Browsers
Version 0.8.2 of the Epiphany browser for GNOME
is available.
This release features many code changes, interface improvements,
and bug fixes.
According to MozillaZine, Milestone 2 of Jazilla has been released. "The
Jazilla project aims to rewrite Mozilla in Java. Check out the Jazilla M2
Release Notes and Changelog for more details and download a Jazilla binary
from SourceForge.net."
MozillaZine has an announcement for the Mozilla 1.5 Beta trunk freeze.
"During the freeze, only fixes approved by drivers@mozilla.org will be
allowed to land. The freeze will remain in effect until the 1.5 final
branch is cut, currently scheduled for Friday 29th August."
Word Processors
The August 3, 2003 edition of the AbiWord Weekly News is out. "In this
week's episode, Nadav relaunches a far more advanced version of the Open
Text Summarizer, OTS: Stemming the Tide. Dom releases 1.99.3 to the world,
which is already available on the Latest Releases page. We learn that we
cannot --enable-gnome due to header issues from GNOME 2.2. Most interesting
of all, Dom releases the AbiWord 2.2: TSWMRCAUSSWVLSD RoadMap. Lots of
discussion and a criawips screenshot waiting within."
Miscellaneous
Version 1.4.4 of Evolution, the GNOME groupware suite, has been announced.
This is a bug-fix release; see the release notes for more information.
Version 0.2 of Gnome Jabber, an instant messaging client, is out. "A month
on from the first release, Gnome Jabber's second installment is now
available for download. Improvements include new icons, a few new features
and more stability."
Languages and Tools
C
O'Reilly has published part three in the Secure Programming Cookbook for C
and C++ series. "In the final installment in this three-part series of
sample recipes from Secure Programming Cookbook for C and C++, the authors
discuss what you need to do to verify that a supplied email address, which
your program has accepted as input, is valid."
Caml
The July 29 - August 5, 2003 edition of the Caml Weekly News
has been distributed. Topics include lablgtk status on Mac OS X,
GODI available for download, ocaml courses, and GD4O.
Java
The announcement has gone out regarding the launch of the "Geronimo"
project within the Apache Software Foundation. Geronimo will be a free
implementation of the Java J2EE specification - and they plan to get it
certified. The project is looking for developers interested in helping to
carry this ambitious effort forward.
A preview release of Jfox, an open-source J2EE-based application server,
has been released. "jfox 1.0 Development Release with a fast scalable EJB
container and a lot of exciting features, but the DR version is not the
final version, only a preview for Java developers interested in jfox; the
final version is in development."
The GCJ site has a bunch of news items this week. Red Hat has released
Naoko, a packaging of RPMs for Ant and Tomcat. RPMs are available for the
Eclipse developer platform, and a new tree-ssa branch patch has been
submitted for GCJ.
Chuck Cavaness discusses the Java Struts Tag Libraries on O'Reilly. "The
popularity of JSP Custom Tags has been rapidly growing since they were
first introduced in the JSP 1.1 specification. The Struts framework, which
was introduced in 2000, includes a set of Tag libraries that are
instrumental in harvesting the fruits of the Struts framework. This article
looks at some of the ways to get more out of those tags and helps make
sense out of a few of the more complicated tasks."
IBM's developerWorks has published an introduction to Java technology.
"developerWorks offers this page to provide an overview of Java technology
basics within the overall context of the language (especially as it
pertains to application development and e-business). This resource delivers
starting points in the form of relevant developerWorks articles, tutorials
and tips, IBM learning services education, Webcasts, workshops, and IBM
products for further investigation."
Perl
Use Perl has an announcement for Perl 5.8.1 RC3. "Please test extensively,
even if you had no problems with RC1 or RC2. In RC3 we turned on by default
the new "hash randomisation" feature which means that the "order" of hash
elements is now even more random. If an application mistakenly assumes a
repeatable ordering of hash elements, you will find it out now."
Perl 5.8.1 RC4 was also announced this week. "The same bat channel as for
RC3, almost the same perldelta as for RC3. The main change from RC3 was a
bunch of module updates (most importantly the CPAN.pm 1.76 which does not
force feed Module::Signature)."
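The failure mode the RC3 announcement warns about, as an added example that is not part of the Use Perl announcement or of perl itself: a report routine that silently depends on the order in which keys returns hash elements, the fix of imposing an explicit order, and a small harness that runs the fragile code in fresh perl processes to count how many different orderings show up. The %hits data and the function names are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the Perl 5.8.1 RC announcements): code that
# silently depends on hash iteration order, and how to make it robust.
use strict;
use warnings;

# Constructed sample data: per-user counters.
my %hits = (alpha => 3, bravo => 7, charlie => 1);

# Fragile: the order of the lines depends on the order in which 'keys'
# returns hash elements. With hash randomisation that order can differ
# from one perl process to the next, so output, checksums or tests that
# compare against a fixed string will break intermittently.
sub report_fragile {
    my ($h) = @_;
    return join("\n", map { "$_=$h->{$_}" } keys %$h);
}

# Robust: impose an explicit, documented order before producing output.
sub report_sorted {
    my ($h) = @_;
    return join("\n", map { "$_=$h->{$_}" } sort keys %$h);
}

# Harness: run the fragile code in fresh perl processes ($^X is the
# running interpreter) and count the distinct key orderings seen. One
# ordering means this perl build keeps a fixed order; more than one means
# the hidden dependence would have surfaced in production sooner or later.
# The snippet is passed through a POSIX shell, hence the single quotes.
sub count_orderings {
    my ($runs) = @_;
    my %seen;
    my $snippet = 'my %h = (alpha => 3, bravo => 7, charlie => 1);'
                . ' print join(",", keys %h);';
    for (1 .. $runs) {
        my $out = `$^X -e '$snippet'`;
        $seen{$out}++;
    }
    return scalar keys %seen;
}

print report_sorted(\%hits), "\n";
printf "%d distinct key orderings in 20 runs of the fragile code\n",
    count_orderings(20);
```

The number reported by the harness depends on the perl it is run with: where hash randomisation is in effect, repeated runs normally show more than one ordering, which is exactly the signal the announcement says RC3 makes visible. The sorted variant produces the same text on every run regardless of the interpreter's hashing.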
The July 28 - August 3, 2003 edition of This Week on perl5-porters has been
published. "This week will undoubtedly be known to the future generations
as the two-release-candidate-week. Be the first to read about it. And don't
miss the other interesting parts : this week's summary is full of action,
suspense and bug fixes."
PHP
The PHP Weekly Summary for August 4, 2003 is out. Topics include: 4.3.3 RC
2 ready, Manual translation to Indonesian, BC issues with functions and
references, "Tidy" extension for PHP 5, expat compile warnings,
virtual_realpath(), Libtool optimizations.
O'Reilly is running a series on PHP Security. "If you have users, you'll
undoubtedly have bad guys trying to break things. As a PHP developer, it's
your responsibility to make sure your code is secure. John Coggeshall
demonstrates one common PHP error that can leave you vulnerable, and he
explains how to think like a bad guy to prevent these mistakes in the first
place."
Version 2.3.21 of Turck MMCache, a PHP Accelerator, Optimizer, Encoder
and Dynamic Content Cache,
is available.
Python
Fredrik Lundh
has documented
the new modules in Python 2.3.
Version 2.2 alpha 0 of Jython, an implementation of the Python language in
Java, is available. "Experimental, unstable release of Jython now
available. This is an alpha release, in that it is not feature complete for
a Jython 2.2 release, and there are significant known issues."
Andrew Kuchling talks about some areas where Python could improve with his
Python Warts presentation. "While I think Python has a very elegant design
that successfully straddles the fine line between the minimalism of Lisp
and the rococo complexities of Perl, it's certainly not perfect. There are
various design features that I consider ugly, or at least suboptimal in
some way. This essay will examine the most significant problems in Python
as I perceive them, assisted by suggestions from the comp.lang.python
crowd."
Ruby
Version 1.8.0 of the Ruby language
has been announced.
See the
Changes Document for details on what's new.
XML
Kyle Downey
discusses the highlighting of XML source code on O'Reilly.
Debuggers
A new stable release of
Valgrind,
an open-source memory debugger, was recently made available.
Thanks to Jos van den Oever.
Miscellaneous
Version 4.3.1 of the Q Equational Programming Language is out. The NEWS
file says: "Fixes for latest autotools and FreeBSD compatibility, bug
fixes."
Chromatic introduces Extreme Programming on O'Reilly. "Extreme Programming
(XP) is yet another popular idea gaining press. It adapts several of the
best ideas from the past decades of software development. Whether or not
you adopt XP, it's worth considering what XP teaches. In no particular
order, here are five lessons you should learn from Extreme Programming."
David Mertz talks about declarative programming techniques on O'Reilly.
"This article extends my discussion of advanced programming, but strays
into an area that is not exclusively object oriented. What we are
interested in for this installment is ways of writing programs that are
declarative rather than imperative. In many cases, simply notating facts is
more concise and less error prone than providing instructions. A number of
less common programming languages make declarative styles predominant, but
it is also possible to use a declarative style within generally imperative
languages. In this article, as with the others in this series, I will focus
on techniques as exemplified in Python."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ComputerWorld
reports
on a German study which concludes that Linux is almost as easy to use
as Windows XP. "
Linux users, for example, needed 44.5 minutes to
perform a set of tasks, compared with 41.2 minutes required by the XP
users. Furthermore, 80% of the Linux users believed that they needed only
one week to become as competent with the new system as with their existing
one, compared with 85% of the XP users." (Thanks to Karl Vogel).
TechWeb
covers
a Microsoft lab that tests Linux. "
At its Enterprise Engineering
Center in Redmond, Wash., Microsoft has installed the Linux operating
system, Apache Web server, MySQL database, and Open LDAP directory-access
software on Intel-based computers, according to Martin Taylor, the
executive who recently assumed responsibility for Microsoft's strategy for
competing against Linux."
The Register
covers today's horrifying SCO teleconference. "
But SCO claims that IBM and Red Hat are the ones that forced it to put the blame on Linux users. Since IBM and Red Hat won't rush to the Linux community's rescue and hand over millions for unproven claims, SCO must attack the little guys."
Comments (46 posted)
Trade Shows and Conferences
News.com reports from Sun VP Jonathan Schwartz's LinuxWorld keynote.
"'When we out-ship Windows in desktop volume, we will look very seriously at open-sourcing Java on the desktop,' he said."
Comments (23 posted)
The (San Jose) Mercury News has an article about LinuxWorld, but really about SCO.
"'The SCO case is one of the best things that could have happened for Linux right now,' said Don Marti, editor in chief of Linux Journal. He added: 'Having a common enemy always brings a community together.'"
Comments (none posted)
Wired News looks forward to LinuxWorld.
"Robots will be hunting penguins at the LinuxWorld Conference and Expo this week.
The robots aren't part of some nefarious plot to replace Linux's cuddly mascot, Tux, with a fiercer emblem. The bots will be conducting demonstration search-and-rescue missions.
'No penguins will be hurt during the demos,' program head Regis Vincent promised."
Comments (none posted)
Companies
News.com reports that Novell is looking to drop NetWare in favor of Linux.
"Although company representatives haven't said that Novell will stop all development on the NetWare platform, they did say the company is looking to Linux as the future. The revenues from NetWare have declined 9 percent to 14 percent a quarter, said one representative, making the switch a no-brainer."
Comments (4 posted)
Here's another Robin Bloor column on IT-Director.com on SCO.
"A number of people are questioning why SCO simply doesn't declare what the violated code/IP in question is. My guess is that it actually exists (it's hard but not impossible to believe that SCO would do this if it had nothing to complain about) and that it came from someone in IBM. However as soon as SCO declares what it is, the Open Source movement will rewrite the offending code, leaving SCO with zero traction."
Comments (8 posted)
Linux systems from SuSE and IBM have been certified with the international Common Criteria standard, according to an article on ZDNet.
""It certainly raises the viability and increases the trust level of Linux in government contracts," IDC analyst Chris Christiansen said. Though commercial buyers don't usually give Common Criteria certification much more than passing notice, "the government market is very large," he said."
Comments (none posted)
Linux Adoption
NewsForge examines the difficulties in selling Linux systems in computer stores.
"We are used to paying for almost every single service and product we use, and our bills are steadily increasing every year. To expect someone to suddenly accept the idea that they can have a reliable and powerful tool to control their expensive, high-tech hardware for no cost at all is quite an assumption. 'Free software' flies in the face of everything the customer would expect. It simply doesn't make sense to them."
Comments (1 posted)
News.com is running a Forrester Research pronouncement on the use of Linux in financial institutions.
"Wallflower firms should screw up their courage, get on the dance floor--and enjoy the benefits of Unix reliability at Intel prices."
Comments (none posted)
Legal
Here's a News.com article on the newly-formed Open Source and Industry Alliance, which appears to be a sort of free software lobbying group.
"[The] OSAIA also will take a broad approach to open source, tracking intellectual property laws and international treaties, fighting those that would weigh on the software. And it plans to examine the procurement codes of different organizations and governments, making sure their buying plans don't discriminate against open-source software."
Comments (none posted)
Interviews
ZDNet talks with Lindows CEO Michael Robertson.
"[Our contract with SCO] doesn't indemnify us, but we had a working relationship with SCO back when it was called Caldera. We paid them money to do some Linux work for us. And because of that, I think we're in great shape when it comes to dealing with the licensing type of issues involved here."
Comments (10 posted)
Reviews
A document called Galeon, a history has been published. Take a look to see how the Galeon project was started, where it is headed, and how the Epiphany browser project came to be.
"Once upon a time, Marco Pesenti Gritti decided to make a web browser. He liked the Mozilla project, but wanted something that integrated well with his system and that was fast enough to be usable. Marco wanted a good, solid, simple browser for The Average User, in the Gnome environment, and so around June of 2000, Galeon 0.6 was released."
Comments (none posted)
Tired of FUD? Here's a feel-good article in the Globe and Mail.
"Linux is free, therefore hard to compete with. But it's not that it's just like free beer. It's also free like the English language, in that anyone can see how it works and add new parts that make it better. And it's free in that it runs on computers from many manufacturers, meaning more competition. Linux is also better. It's reliable. It doesn't crash much. It resists hacker attacks."
Comments (18 posted)
NewsForge reviews the Samhain intrusion detection system.
"Probably the neatest characteristic of samhain, which separates it from other host-based IDSes, is the stealth features. The designers have put a tremendous amount of paranoid code into this project, and a well-configured samhain installation can resist almost any subversion."
Comments (none posted)
Miscellaneous
News.com reports on the support for the Itanium processor in the 2.5 Linux Kernel.
"The Itanium version of Linux crossed an important threshold Monday, developers said: It now can be built from the standard software maintained by Linux leader Linus Torvalds rather than requiring special patches."
Comments (none posted)
Announcements
Non-Commercial announcements
The Linux Professional Institute has announced its plans for a Linux desktop certification program.
"The Linux Professional Institute, the premier international professional certification program for the Linux community, is planning a Linux desktop certification initiative to seek support and prospective partnerships to build a community/commitment to meet the market demand for the Linux desktop."
Comments (none posted)
The Open Source Development Lab has announced the availability of a "position paper" on the whole SCO mess; the paper was written by FSF counsel Eben Moglen. There is a summary of the paper's points in the announcement, or the whole thing is available in PDF format. As one might imagine, the paper does not take a particularly friendly position towards SCO's claims.
Comments (10 posted)
Commercial announcements
Remember the Gartner Group, which recently proclaimed that Linux would remain a niche technology in Australia? It turns out that the company is offering a set of seminars in Australia entitled "Open Source Revealed."
"Open Source software has emerged as a stunning agent of change for enterprise technology today. It will be considered as a viable contender for at least one-third of all large-scale projects by the end of next year." As niches go, that's a nicely sized one. For those who are interested, the one-day events are happening in Canberra, Melbourne, and Sydney starting in late August. (Thanks to Con Zymaris).
Comments (1 posted)
Linux For You, an Asian Linux magazine, is now available in all of the major Indian languages.
Full Story (comments: 1)
RealNetworks has announced the launch of the "Helix Player" project - an effort to create "a comprehensive open source media player" for Linux and Unix systems. It appears that, to be truly "comprehensive," this player will still require binary plugins for the RealAudio and RealVideo formats, however.
Comments (26 posted)
Here's the press release describing the deal between Sun and SuSE. Essentially, SuSE includes Sun's Java virtual machine in its distribution, and Sun sells x86 systems with SuSE preinstalled.
Comments (none posted)
Sun may yet become a Linux company; it has just announced that it has joined the Open Source Development Laboratory. Sun plans "...to help drive the development of open-standard software including Linux and to lend its expertise in the data center and carrier-grade markets."
Comments (4 posted)
Here is a carefully-chosen subset from the large pile of press releases that were issued during the LinuxWorld Conference & Expo.
- Addison Wesley has sent out a press release on the upcoming publication of Eric Raymond's The Art of Unix Programming.
- AMD is showing off a Linux PDA at LinuxWorld. AMD has also announced a newer, faster Opteron processor. Also, SourceForge.net is now running on an Opteron system.
- Dell has announced the sale of a 1450-node cluster to the National Center for Supercomputing Applications.
- The Free Standards Group has announced that the U.S. Defense Information Systems Agency is now requiring Linux Standard Base compliance for Linux-based products.
- HP has announced a new set of cluster management utilities.
- IBM has announced a whole new set of Linux customers, including Netflix, NYFIX, Marinalife, Softbank Uway, and others. The company is also expanding its Linux service offerings.
- MontaVista has announced the availability of its "Carrier Grade Edition" distribution for IBM PowerPC processors.
- MySQL AB announces that the SAP database will henceforth be known as "MaxDB."
- Network Appliance and Red Hat have announced an alliance involving NetApp deployments in Linux environments and joint marketing efforts.
- Pogo Linux and MySQL AB have announced the "DataWare 2600 server," said to be the first MySQL database appliance.
- Progeny has announced "Atlas," a search tool for finding open source packages.
- Red Hat has announced a new strategy with a focus on web applications. To that end, the company has joined the ObjectWeb consortium, will continue working with Tomcat and Jakarta, and will integrate Eclipse into its enterprise distributions.
- Rogue Wave has released SourcePro C++ Edition 6 with support for Linux, MySQL, and PostgreSQL.
- SGI is testing out Altix 3000 systems with 128 processors.
- Sistina has a deal with CommVault to integrate Sistina's software into CommVault's products.
- Sistina has announced the integration of its Global File System into HP's cluster offerings.
- Snapgear has launched a pair of new, Linux-based security appliances.
- SurfControl is offering its email filter product on Linux.
- SYS-CON Media has announced the launch of LinuxWorld magazine.
- TimeSys has announced a deal with IBM to deliver TimeSys Linux RTOS on some of IBM's system-on-a-chip processors.
- Trolltech has released Qtopia 1.7.
- TSANet has announced a new "technical support community" involving BEA, Dell, EMC, HP, Network Appliance, Novell, SuSE, Unisys, VERITAS, and VMware. It's not entirely clear what this community will do.
- The UK Free Software Network has announced that it is being sponsored by Digital Networks.
- Ulticom, a telecom signalling software company, has joined OSDL.
Comments (none posted)
New Books
A new edition of "PC Hardware in a Nutshell" has been published.
"A longtime favorite among PC users, the third edition of the book now contains information for people running either Windows or Linux operating systems."
Full Story (comments: none)
Resources
Evans Data has announced the results of a new survey.
"Of more than 400 developers focused on Linux development more than 70% said that the SCO lawsuit will 'probably not' or 'absolutely not' impact their companies' decision to use Linux, 12% said that the lawsuit will affect adoption plans and 17% had no opinion." The survey also has concluded that there are more KDE than GNOME users.
Comments (2 posted)
Issue #93 of the Linux Gazette has been published by the folks at Linux Journal.
Full Story (comments: none)
Event Reports
Jonathan Riddell has published a report on KDE at the UKUUG Linux2003 Conference.
"The KDE stall was helped along by Eilidh the booth babe and Kenny the booth boy (photo with me in middle). This was a technical conference so everyone knew what KDE was but people were interested in some of the new applications such as JuK and Kexi. KPlayer, while not part of KDE itself, impressed everyone by being a media player with a usable interface. We also demonstrated the Kolab server to a couple of people interested in using it for their clients."
Comments (none posted)
Upcoming Events
A Call for Venue has been issued for the 2004 YAPC::NA Perl conference.
"The YAPC::NA Conference Committee is planning to choose the 2004 venue, in roughly two weeks (August 15th). This date will be flexible enough to insure that all interested parties have enough time to finalize submissions."
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| August 7 - 10, 2003 | Chaos Communication Camp 2003 | Paulshof, Altlandsberg, Germany |
| August 7, 2003 | LinuxWorld Conference and Expo 2003 | Moscone Convention Center, San Francisco, CA |
| August 7, 2003 | 5th Annual CERT Conference (NEbraskaCERT) | Scott Conference Center, Omaha, NE USA |
| August 18 - 21, 2003 | New Security Paradigms Workshop 2003 (NSPW 2003) | Centro Stefano Francini, Ascona, Switzerland |
| August 22 - 30, 2003 | KDE Developers' Conference | Zamek Castle, Nove Hrady, Czech Republic |
| August 27 - 29, 2003 | International Conference on Principles and Practice of Declarative Programming (PPDP 2003) | Uppsala University, Uppsala, Sweden |
| September 3 - 4, 2003 | LinuxWorld Conference & Expo (Cancelled) | The NEC, Birmingham, UK |
| September 8, 2003 | Boundaryless Information Flow: Open Source in the Enterprise | Hilton London Paddington, London, UK |
| September 11 - 12, 2003 | Python for Scientific Computing Workshop (SciPy'03) | CalTech, Pasadena, CA |
| September 15 - 18, 2003 | LogOn Web Days | Across Europe |
| September 15 - 18, 2003 | Embedded Systems Conference (ESC) | Hynes Convention Center, Boston, Mass |
| September 26 - 27, 2003 | Third DZUG-Conference | Paderborn, Germany |
Comments (none posted)
Web sites
GnomeDesktop.org has an announcement for the new GNOME Hacks web site.
"I've just thrown together a site called GNOME Hacks which I hope will become a repository for those little cool and useful tricks we all pick up. If you've learnt something neat that you think other people will find useful, why not submit it so that we can all benefit from your experience."
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
Comments (none posted)
Letters to the editor
| From: | "Karl O. Pinc" <kop@meme.com> |
| To: | letters@lwn.net |
| Subject: | Preventing future SCOs |
| Date: | Sat, 02 Aug 2003 13:15:59 -0500 |
SCO undoubtedly thinks that they're making a show of strength by suing
IBM, the proverbial 800LB gorilla. Do they play a more dangerous game
than they know? With their suit, and more significantly the constant
barrage of press releases and threats to sue, SCO has insulted the
Free Software community, threatened our job satisfaction and in some
cases our very livelihood. There seems little to be done besides
playing at dueling press releases. Although the potential loss to the
Free Software community may be the larger there is a forgotten group who
are more directly harmed than we are, the people who are now
purchasing SCO stock.
Step back for a moment and reflect on why the SCO of some months ago
has taken this path. Their stock was trading for less than $1/share
and the company was plainly on the road to ruin. Regardless of the
merit of their suit, the major stockholders could only stand to
benefit. And, of course, the lawyers get paid no matter what. There
are, of course, losers too. The people who buy SCO stock on the basis
of SCO's as yet unsubstantiated legal claims, and the notion that SCO
is perpetuating that, should their claims be true, SCO can somehow
require all Linux users to purchase licenses from SCO. IANAL, but
something slimy is clearly going on here.
SCO has had some help by others who are threatened by Linux. The suit
has led the Gartner Group, a company paid to produce research
reports, to recommend against Linux, which has no owner interested in
paying for research reports.
(http://www3.gartner.com/DisplayDocument?doc_cd=116445) Interestingly,
there was no recommendation that AIX be avoided even though in
conjunction with the suit SCO has already suspended AIX's Unix related
licenses. Likewise, SCO has also received help from other businesses
threatened by Linux; when it started the suit it knew there are
powerful business interests which would help spread mis-information
and inflate SCO's stock value. There will always be groups interested
in disparaging Linux and Free Software.
SCO stock is now trading for more than 10 times its former value.
Again, IANAL, but if it can be shown that the members of SCO's board
of directors are benefiting from this, and if it can be shown that the
board initiated all this activity knowing that it would inflate the
price of the stock beyond its underlying value, I imagine that
there's a class action lawsuit that could be brought. There certainly
seems to be knowledgeable lawyers with grave doubts of the merits of
SCO's case. (See
http://www.osdl.org/docs/osdl_eben_moglen_position_paper.pdf and
others.) The scam may be even more complicated, for example see
http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,83452,00.html?SKC=linux-83452
but my underlying argument remains sound.
The only way to prevent this sort of underhanded activity in the
future is to make sure that those who initiate it don't profit. I
suppose the lawyers will always get paid, but who knows, there might
be a way to penalize their involvement as well.
Anyone who would like to prevent future suits like SCO's, and related
flimflammery, can help by preparing to sue the individuals responsible
(SCO's board?) when SCO's scheme, and its stock, finally crashes to
earth. Regardless of what happens to the companies involved, if there
are people making money off practices like SCO's similar actions will
re-occur. It's time we put a stop to these practices before they
become common. The price of admission is low, the purchase of a
single share of SCO stock. If everyone contributes an amount equal to
the price of one share to a legal fund there should be enough money to
get started. Perhaps some lawyer who wishes to make a name for
himself can be found to work for cheap. No doubt there is some
question as to whether you can sue if you purchased your SCO share
knowing it's worthless. But there are many out there who _have_ been
taken in and by starting now we give them a better chance of
recovering something. In any case, ensuring that the perpetrators
don't profit from their schemes would serve the common good.
Me, I'm avoiding lawyers. By writing this note I hope to have
done my part, although I'd be willing to participate as a member of a
class action lawsuit. I leave the implementation to someone with more
time and knowledge than myself.
Regards,
Karl O. Pinc <kop@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
Comments (1 posted)
| From: | Anonymous <anonymous@anonymous.net> |
| To: | letters@lwn.net |
| Subject: | Hard questions I bet SCO is unwilling to answer |
| Date: | Sun, 03 Aug 2003 13:36:32 -0500 |
Here are some questions I'd like to see SCO executives answer,
preferably under oath for a number of them. This is not intended to be
well-researched or completely accurate content backed up by references.
It is only a result of my brainstorming sessions while I vented my anger
at SCO's extortionist behavior. Feel free to use any ideas in this list
for your own articles or for ammunition in any court cases against SCO.
1. Has SCO investigated which individuals or companies contributed the
allegedly infringing SysV code to the Linux kernel? Aren't they the
only party who has willfully infringed on your copyrights?
2. Why has SCO chosen to publicly attack IBM and the Linux community
with their irresponsible campaign of hype and sensationalism by making
repeated verbal attacks and unsubstantiated claims in the news media?
Why have they not chosen to take a much more professional, mature and
responsible approach to the case like IBM has, with just a few short
press releases?
3. What reasons would SCO continue to run this ongoing campaign of
constant verbal attacks in the news media unless it was meant to
artificially inflate the price of your stock or to be as big an
annoyance to IBM as possible to essentially blackmail them into buying
SCO or settling to shut you up?
4. Why is SCO unwilling to publicly show even a small sample of perhaps
50-100 lines of code that you are absolutely certain originated in SysV
code that you own the copyright to and you are certain didn't come from
BSD?
5. Wouldn't SCO gain instant respect and credibility and silence their
critics who claim they are lying by showing a small piece of evidence
that conclusively proves your claims have merit?
6. Does SCO acknowledge that IBM is the sole copyright owner of the SMP,
NUMA, JFS, etc. code they have contributed to the Linux kernel?
7. When SCO claims the Linux kernel has hundreds of thousands of lines
and hundreds of files containing infringing code, are they referring to
the enterprise features that IBM and other companies have contributed or
to SysV code that SCO owns the copyright to?
8. What specific law(s) gives SCO the authority to go after companies
using (but not distributing) the Linux kernel who have accepted, in good
faith, that they were receiving legal code under the GPL from Red Hat,
SuSE, etc.?
9. Doesn't copyright law only govern copying and distribution of
copyrighted material and not use of that material?
10. Didn't Caldera/SCO themselves benefit over a period of years from
some of these allegedly misappropriated enterprise features as well as
the allegedly infringing SysV code by selling and making revenue from
their own Linux distribution with a kernel that contained this code?
11. Didn't a significant portion of the money that Caldera used to buy
old SCO, including their rights to UNIX, come from either selling
versions of the Linux kernel that contain both your SysV code and IBM's
allegedly misappropriated trade secrets or from IPO money from stock
investors capitalizing on an opportunity to support a Linux company that
was benefiting from these allegedly stolen technologies?
12. Under what license did SCO distribute the allegedly infringing code
inside the Linux kernel to their own Linux customers over the last
couple years?
13. If the kernel you have distributed to your own Linux customers was
not entirely under the GPL, have you notified them that their license is
null and void and they do not have the redistribution rights given to
them under the GPL?
14. Why has SCO not made any accusations against Linux distribution
companies like Red Hat or SuSE, who would appear to be infringing on
your copyrights by distributing and profiting from your code and causing
injury to you?
15. Don't you think there is a significant risk of losing your
copyrights by allowing Linux distributors to infringe on your rights
with your full knowledge for a significant period of time?
16. Isn't SCO in a privileged and unique position as the owners of the
UNIX source code as well as a Linux distributor? Wasn't SCO grossly
negligent for not conducting an audit of the Linux source code long,
long ago so that they were aware of what they were distributing?
17. Doesn't SCO forfeit any copyright claims because of both their
failure to protect their rights by conducting audits of what they
themselves have been distributing and benefiting from for the last 2
years? You had full access to all the code and plenty of time. And
you've demonstrated that you're capable of voluntarily auditing the code
since you claim to have done that last December. What excuse for your
failure to do the audit sooner do you expect people to believe except
negligence?
18. Isn't it true that SCO had developers employed by them who were
contributing code to the Linux kernel, including code related to the
enterprise features that you allege IBM has misappropriated?
19. Is SCO willing to submit to an audit to ensure there is no code
licensed under the GPL contained in SCO's Linux Kernel Personality code?
20. Why did SCO continue to distribute their own version of Linux for 5
months after they became aware of the allegedly infringing code in
Linux? Wouldn't you consider that to be fraudulent and deceptive
behavior to misrepresent that the kernel you were distributing was being
licensed to your customers under the GPL when you were fully aware that
that kernel couldn't legally be distributed under the GPL and you were
unwilling to grant the rights required by the GPL to your customers?
21. Has SCO researched the true origin of all the SysV code they allege
is inside Linux to make sure it isn't covered by the BSD settlement and
the code didn't originate in some common, free place such as an
algorithm book or the public domain?
22. Considering that IBM, HP, Sun and other companies have access to the
UNIX source code, they can also do their own audit and discover any code
that is shared between Unix and Linux. Don't you think that these
companies who have contributed to--and make money from--Linux would be
busy removing or rewriting any non-BSD or public domain code that they
had found that they believe is truly a violation of your copyrights?
23. Aren't you concerned about being held accountable to your
shareholders since you've shut down your Linux business, failed to
invest in and improve on the Unix code and completely alienated your
company and possibly made yourself one of the most hated companies in
IT?
24. Do you really believe you can hold the Linux kernel hostage by
leaving your code inside it and refusing to document the allegedly
infringing code so that it can be removed and people can cease the
infringement? How is compelling people to pay for that which they don't
want not blatant extortion? How is preventing companies from legally
distributing the kernel because it contains non-GPL code not restraint of
trade?
25. Wouldn't the most honorable and decent way to approach this dispute
be to: a) Document the allegedly infringing files and lines of code.
b) Prove that the code didn't originate from a legal source such as BSD
or public domain. c) Demand that any infringing code be removed and
replaced. d) Ask the companies who unknowingly distributed the code
like Red Hat and SuSE to pay a small amount of actual damages. e)
Investigate which individual or company copied the code illegally and
donated it to the Linux kernel and sue them.
26. How does SCO intend to make money, stay in business and avoid
bankruptcy for the next several years until the trial is over, including
the long process of multiple appeals that is almost inevitable if IBM
loses?
27. Why would anyone buy any products or services from SCO now that
they've alienated themselves and made themselves nearly universally
hated by so many people who support IBM and the Linux community?
Wouldn't the only people who would buy anything from you now likely have
a hidden agenda that includes indirectly supporting an attack by SCO on
IBM and Linux (i.e. Microsoft and Sun)?
28. If there are indeed hundreds of thousands of lines and entire files
containing SCO copyrighted code, including line-by-line copying with
typos in comments intact, that infringe, how could SCO have gone all
these years and not detected this code in the Linux kernel that they
themselves were distributing since the 2.4 kernel was released? What
excuse could you possibly expect people to believe except gross
negligence or incompetence to explain this failure to protect your
copyrighted code?
29. Isn't it true that you continue to distribute Linux kernel binaries
and/or source on your FTP site which contains non-GPL code that is in
violation of copyright law and is harming the copyright owners of the
kernel source?
30. Isn't it true that SCO cannot sue for damages for any past
infringement since they weren't the registered copyright owners of the
Unix code? And isn't it true that SCO has an obligation to mitigate
damages so they cannot sue for any infringement that occurs after they
were aware of it?
31. Isn't it true that you can only sue for actual damages, and not
punitive or statutory damages or legal fees, for copyright infringement
by anyone who does not knowingly infringe, which makes it very difficult
to recover more damages than your own legal fees? Doesn't that
virtually eliminate any ability to sue end users of Linux because you
stand to lose more in attorney fees than you might possibly gain in
damages awarded?
32. Is SCO at all concerned about being sued for: 1. Damaging the
reputation of IBM and AIX by publicly claiming to revoke a contract that
may be ruled by a court to be irrevocable. 2. Violating copyright law
by distributing a kernel for months that you believed contained SCO code
that you do not agree to license under the required GNU Public License.
3. Committing trade libel and restraint of trade, thereby damaging the
business of Linux distributors like Red Hat or SuSE by making
unsubstantiated claims in the media 4. Possibly putting GPL code into
SCO's Linux Kernel Personality code in violation of copyright law 5.
Possibly infringing on any number of the patents in IBM's large patent
portfolio 6. Possibly artificially manipulating SCO's stock price in a
pump and dump scheme that the SEC won't look kindly on 7. SCO
potentially going out of business because they have alienated themselves
from most of the IT industry by attacking IBM and the Linux community,
and voluntarily shut down their Linux business thereby eliminating that
revenue, which may result in a shareholder lawsuit because the stock
owners will end up losing their money because of your irresponsible
actions
33. Why does SCO keep changing their story in the media? First you
claim you're not going to sue anyone distributing or using Linux, later
you threaten to. First you say you may sue Linus Torvalds, then you say
you won't. First you say there's no infringing code in the Linux
kernel, just on the periphery, then you claim there's code inside the
kernel. First you claim you have no evidence of IBM directly copying
SCO's code into the kernel, then you say you do. First you refer to the
code that IBM contributed to the kernel as "your" code then you admit
that IBM is the copyright owner of that code. First you say Red Hat and
SuSE will have their day of reckoning before this is over, then you
appear to be only going after end users of Linux. First you call older
versions of Linux a "bicycle" in the IBM lawsuit and then you remove the
statement. First you say you'll audit AIX customers, then we hear
nothing but silence (perhaps you realized that by "revoking" IBM's
contract, in the process you have also revoked any rights you claimed to
have to audit their customers that the contract might have given you).
First you hire David Boies to be your chief legal counsel and then you
quietly replace him with a SCO employee.
34. Doesn't it seem odd that whoever is responsible for putting the
allegedly infringing code into the Linux kernel didn't seem to have made
a serious effort to make significant changes to the code
in order to obfuscate it sufficiently enough so that it would be
difficult or impossible to detect? Why would they paste in the code
exactly, including comment typos, which would make it trivially easy to
detect? This would be equivalent to committing a crime and leaving
fingerprints or other obvious incriminating evidence at the crime scene
that would lead the police straight to you and result in an easy
conviction. Unless it was SCO employees who donated the code, or it was
done intentionally by someone with a malicious intent to contaminate the
kernel and hurt the businesses and companies who use it.
35. Is it possible that Caldera bought SCO and their rights to the Unix
code for the same reason that they seemingly bought DR-DOS? Someone saw
an opportunity to buy a company cheap and inherit the ability to file a
lawsuit against a large company and collect a ton of money? Perhaps the
Canopy group saw the lawsuit potential as the primary or even sole
motivation for buying DR-DOS and Unix?
36. Your lawsuit claims you deserve multiple billions of dollars in
damages, but how many decades or centuries would it have taken your
company to make that much in profit or even gross revenue had you not
been allegedly injured by IBM (assuming you would have stayed in
business)?
37. Shouldn't SCO be concerned about their very dubious and bizarre
interpretation of laws that almost every other attorney would disagree
with? Such as claiming IBM code that has no SCO owned code in it is a
derivative when it clearly doesn't meet the definition? Or declaring
that licensing the code inside the Linux kernel that you claim you own
with a Unixware license is somehow not sublicensing, a violation of the
GPL? Or that end users who aren't copying or distributing are liable
for copyright infringement, but Linux distributors who are clearly
distributing and making money by selling your allegedly infringing code
aren't violating copyright law?
38. Isn't it hypocritical and a double standard to claim that you
shouldn't be held accountable for both unknowingly and later knowingly
distributing your own version of Linux with a GPL-licensed kernel that
contains both IBM's enterprise code and your SysV code, but you claim
that end users owe you money even though they unknowingly received a
kernel in good faith that contains this allegedly infringing code from a
Linux company who also had no way of knowing it contained illegal code?
Why shouldn't you be held accountable for not knowing what you were
doing, but people who use Linux should?
39. What is the real reason SCO is suing IBM? It's not really because
you honestly believe IBM donating the source code for a few enterprise
features that almost no Linux users utilize killed Unixware, right? Is
it because of IBM abandoning Project Monterey or is it for revenge
because you tried to get IBM to pay for some licenses that they didn't
think they needed and they decided to stop doing business with you?
40. Doesn't there seem to be a pattern of incompetence in the way
Caldera and SCO have been run? First, you don't register the Unix
copyrights after they were transferred years ago. Then you don't audit
the Linux kernel source code to see if there's any unauthorized code in
the kernel you're distributing. Then you continue to distribute your
own version of Linux with the kernel under the GPL for months after you
actually did audit the code and claim to have found infringing code.
And you continue to distribute Linux kernel source under the GPL on your
FTP site to this day. And you keep changing your story as described
above.
41. Do you really believe the claim in your lawsuit that IBM's donated
code is responsible for killing Unixware? Don't you think that the 2.2
Linux kernel, which you've said doesn't contain misappropriated or
infringing code, is fully capable of destroying the market for
Unixware? Don't the vast majority of people who use Linux as well as
Unixware utilize it on small 1- or 2-CPU servers or in embedded devices,
which don't require the misappropriated or infringing code to operate?
42. Are you at all concerned that AT&T might testify on IBM's behalf and
state that they intended for IBM to have the right to distribute code
they contribute to their version of Unix, regardless of any ambiguity in
all the side letters to the original contract? Wouldn't that severely
cripple your case?
Page editor: Jonathan Corbet