LWN Weekly Edition
Leading itemsSecurity
Kernel development
Distributions
Development
Announcements
->Multipage format
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
LWN.net Weekly Edition for January 19, 2012LCA: A Samba 4 updateThe systems administration miniconf at the 2012 linux.conf.au hosted 'a casual conversation' with a group of core Samba developers on the project's near future roadmap and the plans for Samba 4. Andrew "Tridge" Tridgell led off by saying that the last a lot of people had heard about the project's plans came from "an article in a disreputable web site." The discussion reported on there was "very exciting," in that it moved the project's point of view on the Samba 4 release from "someday" to "let's get ready for a release." Since then, things have gotten quiet, but that does not mean that nothing has been happening.
The ensuing discussion was lively, but AD DC support was not the main point; everybody seems to agree that it is working well. The sticking point has to do with the long-time "bread and butter" features of Samba - little things like file serving. The new file server implementation in Samba 4 is missing a number of features that have gone into Samba 3 in recent years, so now the focus is on integration of Samba 4 with the Samba 3 file server. The developers have come up with a plan for this integration, and are now busily trying to implement it as quickly as possible. As Tridge put it, they ran into a social problem and came up with a technical solution because, in the end, coding is easier than arguing. The discussion has gone quiet because this coding is underway; they expect to present their solution soon, at which point the release discussion can be expected to restart. Andrew spent some time talking about some of the things the Samba team has achieved with Samba 4. One of those is the new integrated build system - there is now "a single Samba." It is possible to build all binaries together; and there are a number of plugins to further integrate Samba's various pieces. As a result, Samba is now "one project," rather than a collection of related pieces. Related to that is the new combined testing framework which is, according to Andrew, the most important thing that the Samba team has achieved. The framework can do full testing of all AD semantics. It is also set up to test Samba 3 and 4 against each other. A number of "rather embarrassing" interoperability problems between the two releases have been found and, naturally, fixed. This testing can now be done before every commit. There is also a common security system that simplifies administration and fixes a lot of old "misunderstandings of Kerberos" that have been with the project for a long time. The Samba 3 and 4 security architectures have been merged.
The project's relationship with Microsoft, they said, is quite good. They get quick answers to questions, even for detailed protocol history queries that require a fair amount of digging in the code to answer. Tridge said that he has been very impressed with the quality of the engineers that Microsoft has assigned to work with the project. Another area of development is easing the process of upgrading from Samba 3 to Samba 4. Production sites, it seems, do not react well if you tell them that all of their users have to set new passwords before they can work under a new Samba release. At this point they have full user and group import into Samba 4, so users should not see the difference. The update is transparent to clients, except that they see the new AD support and start using it. There is still a bit of a flag day involved, though, in that clients, once they see an AD server, will not go back to talking to an older server release. So careful testing before deploying Samba 4 is still called for.
The "roadmap," according to Andrew, is that Samba 4 will probably be the next release from the project. It will include all of the expected features, including file and print servers, support for NT4-like domain controllers, and active directory support. It will also feature a number of improved tools and better usability in general. Samba has seen nearly 8,000 commits over the past year, changing 800,000 lines of code, and coming from some 70 authors. It has been, he said, a busy and important year. With a Samba 4 release likely, 2012 could be an even busier and more important year for this project, which quietly celebrated its 20th anniversary at the end of 2011. [Your editor would like to thank the LCA organizers for assisting with his travel to Ballarat.]
Tizen releases source code and SDK previewsThe nascent Tizen project unveiled its first set of materials on January 9, consisting of "preview" releases of the operating system source code and SDK, both intended to elicit feedback from developers. The announcement was accompanied by the launch of two new mailing lists and online documentation of the project's architecture and APIs. Tizen was announced in September 2011, but Intel took a markedly different approach to publicizing and promoting the project than it had with MeeGo. While MeeGo was launched with fanfare, the Tizen governance structure, policies, community resources, and ultimately code have been delivered at a much more measured — if not downright conservative — pace. Critics (particularly those upset over the demise of the MeeGo project) labeled the new project "vaporware" early on, but they — and everyone else — can now examine the source code up close. Sources![[Tizen emulator]](/images/2012/tizen-emulator-sm.png)
The source code release comes in the form of a git repository, which hosts both Tizen packages and trees pulled from upstream projects. Tizen is often referred to as the successor to MeeGo, which was an Intel-Nokia collaboration on a "consumer electronics" Linux base layer derived from merging the two companies' existing projects. But even though Tizen's goals are the same, the actual software is a significant departure from MeeGo — the stack is based on the LiMo Foundation's work and is expected to integrate Samsung's Bada platform. More significantly for third-party developers, the application framework is centered around HTML5 rather than Nokia's Qt. The components beneath that application framework are quite similar, of course (as they are in most embedded Linux distributions): the kernel (version 2.6.36), EGLIBC (2.13), Busybox, D-Bus, PulseAudio, GStreamer (0.10), ConnMan, and so forth. Among the other notable modules are a multi-lingual input framework derived from SCIM, hardware acceleration for OpenGL ES 1.1 and 2.0, and a WebKit-based web runtime. There is also a security module which provides Smack access control, secure data storage, and certificate management. Perhaps the most significant departure from MeeGo is that Tizen's graphics toolkit is provided by the Enlightenment Foundation Libraries (EFL), rather than GTK+ or Qt. It has been a few years since Enlightenment and EFL were headline-makers on Linux desktops, but they have been in active development all the same, with support from Samsung, among others. LWN looked at EFL back in August. EFL provides a canvas (called "Evas") that supports multiple back-ends; the Tizen project's is currently using the X11 back-end, which came as a mild disappointment to some observers, considering the work Intel had put into porting MeeGo to the Wayland display server. EFL's Carsten Haitzler told the mailing list that the hurdle was a lack of Wayland drivers for the system-on-chip video hardware targeted "at this stage," however, so there remains hope for Wayland support in the future. EFL also provides application developers with a scripting environment called Embryo, a widget set (with touch support) called Elementary, as well as various utility libraries for timers, callbacks, event loop management, and data structures. Tizen includes the E17 version of EFL's Enlightenment window manager which supports compositing. Web APIsEFL does not encompass as much as Qt, however — richer APIs for hooking into system services and support for device features (like cameras and sensors) are both provided through Tizen's HTML5 application framework. The framework consists of three pieces: the "Tizen Web API," the Wholesale Application Community (WAC) "Device APIs," and the World Wide Web Consortium (W3C) "Widget Specification." The Tizen Web API covers generic application objects, and interfaces to the communications, system information, and personal information management (PIM) subsystems. The supported communication frameworks include Bluetooth, NFC, cellular phone calls, and a general "messaging" module that encompasses email, IM, SMS, and MMS. The Tizen Web API's Contact, Calendar, and Messaging modules are each extensions of the corresponding WAC Device API modules, apparently with minor additions only. For example, The Tizen Web API's MessagingMessage adds message IDs and inResponseTo attributes, which allows an application to thread conversations. WAC is an organization formed in 2010 by telecommunications companies and device OEMs. It publishes its own suite of OS-independent application development APIs, which are intended to provide a uniform HTML5 target for developers across the members' products. This effort is similar to the work produced by the W3C's Device APIs Working Group, but WAC does not develop its APIs in the open. Further confusing the situation, some of WAC's APIs require compliance with the corresponding W3C API, but some do not. The Tizen alpha makes use of WAC's PIM APIs (the contacts, calendaring, and messaging modules mentioned above), its sensor APIs, its camera module, and its filesystem module. The sensor APIs provide interfaces to a mobile device's hardware sensors: accelerometer, digital compass, ambient light sensor, rotation/orientation sensor, and so on. The camera API covers both still and video capture, as well as displaying a preview image on screen. The filesystem module provides a single view of a device's storage, combining all on-board or removable storage into a unified virtual filesystem. Finally, in spite of its name, the W3C Widget Specification is actually a standard for "installable" web applications — a storage format for compressed HTML5, CSS, and JavaScript applications, with an XML-based manifest. The Widget specification supports digital signatures and a device-controlled security policy to limit applications' access to network resources and local data. Together, the Web API offerings may sound like a bit of a hodge-podge — after all, the WAC and W3C specifications overlap in many places, and conflict in others. Intel's Sakari Poussa responded to one developer's question by saying that Tizen was tracking the standards as best it could, considering that both APIs are still evolving, and that the project was committed to sticking with existing standards where possible. Developing![[Tizen IDE]](/images/2012/tizen-ide-sm.png)
In addition to the source code, the alpha release also includes the first look at the Tizen SDK. The SDK is available only for 32-bit Ubuntu (11.04 and newer), though the project says other distributions and operating systems will be supported in the final release. The SDK download is an installer script, which fetches and installs an Eclipse-based IDE, a QEMU-based emulator, testing tools, and support files. The IDE includes project templates in two classes: "Tizen Web projects" and "native" Tizen projects. That is more-or-less in line with the messaging of the project, which emphasizes that HTML5 is the only supported application framework, but expresses tolerance for developers who wish to write code directly for the system APIs. The web project templates come in several flavors: WAC-only, generic HTML5, and jQuery (in several variations), and include Tizen packaging rules. The IDE experience also incorporates an event injector supporting mobile device hardware events, sensor data, and voice or SMS traffic. Some web application debugging tools are also built in to the IDE, such as a WYSIWYG HTML5 editor and JavaScript/CSS syntax checkers. I was never able to get the IDE to launch the web project templates without crashing, so I cannot speak to their usefulness. There are known issues with the SDK mentioned in the release notes (including the fact that it is incompatible with OpenJDK — my experience suggests it may also be very picky about Sun Java 6); hopefully these concerns will be addressed between now and the final release. The emulator has a few known issues of its own, of course, but the basic functionality is there. Currently only x86 targets can be created, with a handful of configuration options. The form factor of the virtual device is a keyboard-less mobile phone. The SDK documentation emphasizes that smartphones and tablets are the target devices for the alpha release, but that others will follow. Like MeeGo, Tizen is designed to eventually serve several distinct classes of hardware (including vehicles and smart-TVs). ![[Tizen documentation browser]](/images/2012/tizen-docs-sm.png)
The SDK also includes a documentation browser that encompasses an overview of the platform, the SDK tools themselves, and the various APIs. Some of this information is replicated on the Tizen developer site: the "Getting Started with Tizen" and "Tizen Web API Reference" sections in the documentation. But there is more in the SDK's browser, which covers packaging issues and hacking on the Tizen platform itself. Community communicationsAlthough it was not part of the developer preview per se, the SDK and code release coincided with the launch of two new Tizen mailing lists: one for application developers, and one for Tizen contributors. Up until now, the Tizen-General list and IRC channel had been the only communication channels for the project — very different from the approach taken with MeeGo, which had numerous mailing lists, forums, IRC channels, and a blog-aggregating Planet. Intel's we'll-announce-nothing-until-it-is-ready approach with Tizen has produced a slower trickle of discussion, but perhaps that is better than the publicity blitz that accompanied MeeGo's launch, when you consider that announcing the project and putting devices in consumers' hands can be many fiscal quarters apart. A related development on the project management front was the sudden disappearance of the LiMo Foundation web site, which was replaced by the Tizen Association on or about January 1. The Tizen Association is essentially a re-branding of the LiMo Foundation, and, as yet, Intel itself has not finalized its membership. The Association's site describes its goal as enabling "key stakeholders to actively shape the industry role of Tizen and develop its market presence" by the "gathering of requirements, identification and facilitation of service models, and overall industry marketing and education." The project itself will continue to be hosted by the Linux Foundation. The specifics of Tizen's project governance have not been fleshed out, but those are probably details that should come after the code itself has been released and developers have had a chance to work with it. In retrospect, the MeeGo project was very organization-heavy (as it was marketing-heavy), and in the end that did not help it make an impact in the marketplace. Tizen may still be a long way from shipping on commercial devices, but starting with the code rather than the other trappings of a large distributed project is a good first step.
LCA: Addressing the failure of open sourceBruce Perens wore a suit and tie for his linux.conf.au 2012 keynote for a reason, he said: it reflects our community's need to think more about how it appears to the rest of the world. Despite our many successes, he said, we have failed to achieve the goals that our community set for itself many years ago. We have failed to engage and educate our users, and are finding ourselves pulled into an increasingly constrained world. To get out of this mess, we will have to make some changes - and expand our scope beyond software and culture.The open source (he always used that term) movement's goal, he said, was once to help a population that increasingly does everything - from entertainment to finances and voting - through computers. We wanted to enable people to do, not to be done to. But we find ourselves in a world where people are increasingly slaves to their tools. Yes, he said, tools like the iPhone empower their users, but they also constrain those users. They are designed not to allow their users to do things that might reduce the profits of their makers or of a number of related industries. Why is this important? It matters to anybody who likes democracy. Almost all information is mediated through computers now - through computers controlled by a very small number of large corporations. That is a threat to democracy - and to freedom. But, he asked, why is it open source's job to address this problem? The answer is that the open source community is the only credible producer of software that is not bound to a single company's interest. History has given us absolutely no reason to believe that we can trust companies or governments to do that for us. To be able to fill that role, we must continue to establish and defend our right to write and distribute open source software. In other words, he said, open source software should be legal. Things could be worse: we have been very lucky with software patents, for example. Patents could have been used to shut us down entirely by now; that has not happened - yet. But, increasingly, we find ourselves shut out of access to content, which does not help our cause. There are also threats from new laws; increasingly, Bruce said, general-purpose computing is seen as a threat. Anti-hacking laws threaten the security of the net as a whole. SOPA-like laws threaten our tools and our infrastructure. The advent of 3D printers is going to inspire a whole new raft of laws as politicians figure out that they can be used to create weapons or other things that they do not want us to have. We are very much on the defensive in these battles; why, he asked, do we have so much trouble being heard? The answer is that open source software has not built a relationship with "the common person" and does not have their sympathy. Instead, open source software has been co-opted and is being used to control people; thus we end up with locked-down products like the TiVo. We are, Bruce said, helping to make people into slaves of their tools. A project he worked on - busybox - is now shipped as an important component in any number of locked-down systems. As an aside, Bruce said that, in retrospect, he should have continued to lead the busybox project. It comes down to the fact that open source has not been able to protect its future through the reform of hostile laws. That is a result of our failure to reach the common man. We, as a community, have not achieved a sympathy for our users in the way that companies like Apple have. Some specific projects have had some success - he named Mozilla and Wikipedia - but, in general, our work is not particularly accessible to - or visible to - most users. In fact, he said, most of us do not really even like users; we are making the software for ourselves. Demands from users who have not contributed anything are just annoying. But, he said, we need to get over that mindset; working only for ourselves is too limiting.
So, he asked, where did we go wrong? There was a period where we held a moral high ground; that enabled political progress that we are not making any more. As for-profit corporations took over the foreground, we lost that high ground. Now we are just competitors, like any other. The commercial intermediaries represent us now, but they represent us in their own best interest. That is not surprising - it is what is expected of them - but it shows why they are wrong for this role. We really only have one tool for managing the behavior of these companies - copyright - and it is not helpful in this situation. In dealing with companies, Bruce said, we always need to keep track of whether we are getting back something worthwhile for our efforts. Working for free to enrich Mark Shuttleworth is not a smart thing to do. We need to maintain a presence that is independent of organizations like Ubuntu. Debian, he said, does the real work of making Ubuntu; Canonical just adds the frosting. But does anybody in the wider world care about Debian at this point? We are, he said, failing at self promotion. Yes, tooting our own horn is tiresome, but if we don't do it, nobody else will do it for us. Mobile apps are an especially big problem, he said. This is a commercial paradigm that has succeeded; that means, in particular, that the web failed. Now we are seeing open source software being sold as apps to people who don't know that they are buying something they could have for free. These apps, he said, duplicate every problem we have seen with proprietary software, only worse because these apps are meant to be ephemeral. We are going to have to find a way to change this paradigm, somehow. Concluding this part of the talk, Bruce noted a strong trend away from generic platforms, toward proprietary, locked-down platforms. In the end, we will be left with nowhere to run free systems, and only jail environments for applications. Open source software, he said, has achieved tremendous things. But he is seeing signs that we have peaked; the locked-down platform is beating us. If we cannot find a way to address this problem, he said, it is our destiny to live in a constrained world.
Open hardwareThere is a moment, far into Arlo Guthrie's epic "Alice's Restaurant," where he is required to remind the audience that, contrary to what they may think, they are listening to a song about Alice. Bruce's talk was similar; it was billed as being about open hardware, but it was only toward the end that he actually got around to talking about that subject. It is clearly Bruce's hope that a new revolution is building around open hardware, and that it may, in the end, help to save us from locked-down platforms. There are a lot of challenges in this area, he said, but he reminded the audience that the open source community has done many things that people thought were impossible. Once upon a time, he said, people working on open hardware might have been seen as "isolated nutjobs." The good news is that, in the age of the Internet, there are no more isolated nutjobs. No matter how nutty you may be, there will always be fifty others like you on the net. In the open source world, those people got together and created tools that others could build on; things then took off from there. This history is, he said, repeating itself with open hardware. There is a new set of enabling factors that are driving open hardware. We have the net, of course, but we also have the economic paradigms and collaboration methods developed by the open source community. But the big thing is that hardware is slowly being transformed into software; it can be developed - and shared - in much the same way. 3D printers, increasingly, let us print out solid objects that can be designed like software. Gate arrays allow the immediate implementation of complicated digital logic - at the level of a new CPU, for example. Throw in fast, cheap circuit board manufacturing and there is a lot that can be done by just about anybody. So what is happening with open hardware? For many, the flagship project is certainly Arduino, which has found its way into many or most open hardware projects at this point. The boards can be cheap enough to (for example) throw into the LCA swag bag. There are over 250 "shields" adding interesting functionality; for any problem, there is likely to be a plugin solution out there somewhere. It has a development environment that makes it programmable by people like artists; as a result, Arduino is showing up in a lot of art applications now. And the whole thing is surrounded by an active community.
Arduino has some down sides. It does not use a 32-bit processor, so it
cannot run complex software (like Linux, for example). There are a lot of
alternatives out there, though, for those needing more power; the
Bruce waved around a DSO Quad, a pocket-sized digital storage oscilloscope. It is all open hardware and software; it shows that one does not need a large corporation to create compelling mobile products. Then, there is the Bus Pirate, a general-purpose electronic hacking tool that can take on all kinds of tasks from programming FPGAs to sniffing data transfers from an I2C bus. Bruce also mentioned the Papilio gate array development board. This device can become almost any kind of circuit from a CPU emulator to a receiver for 20 simultaneous radio streams. For those wanting more physical projects, there is the MakerBot, a plastic 3D printer. MakerBot leaves a lot to be desired; in particular, Bruce said, it will fall short until it has enough resolution to make high-quality Lego parts. It will be able to make anything one might want eventually; for now it is limited to "small, crappy-looking things." But it shows where things are headed. For the truly adventurous, there is OpenPCR, which allows genetic sequencing and duplication at home. The list could probably have gone on for a long time, but Bruce had made his point - there is a lot happening in the open hardware area. There is the potential for amazing things to happen. But much depends on the legal climate, and it is clear that there are going to be legislative attacks on open hardware. We will have to be attentive if this revolution is not to be choked off before it can really begin. [Your editor would like to thank the LCA organizers for assisting with his travel to Ballarat.]
Help wanted at LWNDo you have an interest in helping to create the best free software technical information site on the net? Here at LWN.net, we have reached a point where we can hire another full-time editor if we can find the right person. We have put together a list of the skills we are looking and if you (or someone you know) meets them, please get in touch. The full job listing has more information.
Security SOPA and PIPAAs this article is being written on January 18, many high-profile web sites have gone "black" in order to protest proposed legislation in the US that would, ostensibly, combat online "piracy". Lots of different sites are participating, from Wikipedia and Google to sites that cater to more technical audiences like Reddit and Bruce Schneier's security blog. The intent is to raise the profile of the two related pieces of legislation with the hope that users (both technical and less so) will recognize the threat to a "free and open internet" that the laws represent. As seems to commonly be the case—at least in the US—the proposals have been given names that don't accurately reflect their scope. The "Stop Online Piracy Act" (SOPA) is the House of Representatives' entrant, while the Senate bill is called the "Protect Intellectual Property Act" (PIPA). Both are strongly backed by the content industries who make unsubstantiated claims about the financial and job losses caused by online piracy—and are undoubtedly pouring lots of money into lobbying for their passage. But, many internet sites and luminaries are extremely wary of the bills' contents because they could "break the internet". The law of "unintended consequences" is often present in internet-targeted legislation, but it's a little hard to see some of the consequences from SOPA/PIPA as being unintended—at least by some of their proponents. The content industry has found it expensive and difficult to combat the copyright infringement of its works under the existing laws, and is always looking for a way to make others responsible for enforcement. SOPA/PIPA are just the latest salvo in that effort. The biggest technical problem with the legislation is that it tries to fundamentally alter how the domain name system (DNS) works, so that "rogue" sites that carry infringing content—or even links to infringing content—can be "banished" from the internet. As pointed out by Paul Vixie, though, all of the technical measures that SOPA/PIPA want to use to blacklist these supposedly rogue sites won't do so. In addition, implementing these "features" will just increase the load on DNS servers as clients try to route around the censorship. The argument from proponents is that many of the sites that they would like to shut down are foreign-owned, and thus are impossible to affect via US law. Aside from the irony of using US legislation to somehow do the impossible, mandating that US companies blacklist web sites via DNS or any other method is only likely to result in fragmenting the infrastructure of the internet. As an open letter from 83 internet inventors and engineers to the US Congress in December put it:
The US government has regularly claimed that it supports a free and open
Internet, both domestically and abroad. We cannot have a free and open
Internet unless its naming and routing systems sit above the political
concerns and objectives of any one government or industry. To date, the
leading role the US has played in this infrastructure has been fairly
uncontroversial because America is seen as a trustworthy arbiter and a
neutral bastion of free expression. If the US begins to use its central
position in the network for censorship that advances its political and
economic agenda, the consequences will be far-reaching and destructive.
The bills would mandate that US companies enforce the blacklist, and provide penalties if a service allows users to circumvent the list. Not only does that put a large burden on ISPs, web application providers, internet startups, and others, it also adds a large uncertainty factor by the terms used. Rather than focusing strictly on sites that infringe copyrights (for which there are plenty of laws already available), these bills would be enforced against sites that are "enabling or facilitating" infringement (at least in SOPA). That kind of ambiguity leaves the door open to all sorts of abuse. Those penalties can be severe. One of the actions that a copyright holder could take against a site deemed to have violated these acts is to get a court order that requires payment sites and advertising networks to cut the site off. So, a site that "facilitates" infringement (which could easily be applied to almost any site on the internet) could suddenly find itself cut off from its funding sources—or in court to show why it shouldn't be. For larger, well-established sites and service providers, that will be an expensive annoyance, but for smaller fish (including startups and sites like LWN) it could easily put the company out of business. Proponents of these laws downplay the potential for widespread applicability, explaining that they are targeted at the "worst of the worst" offenders. But, as we have seen with almost any law (internet-focused or not), they is almost always some kind of overreach. Once these (or similar) laws are on the books, the content industries will be pushing the envelope. We've seen this overreach with the DMCA, anti-"hacking" laws, the PATRIOT act, and more. Meanwhile, the rest of the world (along with much of the US) will just find ways to route around the blockades. Certainly copyright infringement is a problem. Copyright is, after all, the tool that the free software community uses to enforce its licenses. The question is how big of a problem infringement really is, and what the right solution is. The content industries would have us believe that infringement is stealing food from the mouths of babes—while often reporting record profits. It's not at all clear that passing more and more laws will "fix" the problem. The only real way to completely prevent digital copyright infringement is to curtail general purpose computing (and networking) in ways that would be drastically detrimental to the worldwide economy (not to mention little things like personal freedom). Cory Doctorow recently spoke about the likelihood of an upcoming war against general-purpose computing. One could argue that we have already lost some battles in that war (e.g. DMCA) and SOPA/PIPA are yet another. Hopefully, the efforts of the high-profile sites protesting this legislation will start to wake people up about what kinds of things the content industries and their "pet" legislators are trying to do. If not, we will likely see even more draconian legislation down the road. For readers wanting to know more, Techdirt's Mike Masnick has two analyses of SOPA/PIPA [1, 2] that are well worth a read.
Brief items NSA releases security-enhanced Android (The H)The H looks at SEAndroid, which was recently released by the US National Security Agency. It brings some of SELinux to the Android kernel to limit the damage that malicious apps can do. "In a presentation [PDF] originally given at the 2011 Linux Security Summit, Stephen Smalley of the NSA explained the functionality within SEAndroid. He noted that it brings Mandatory Access Control to Android's Linux kernel and can help sandbox, isolate and prevent privilege escalation by applications with a centralised policy that is amenable to analysis. That said, it cannot protect against kernel vulnerabilities and misconfiguration of the security policy. Smalley also discussed how SEAndroid works to protect against a number of known exploits and how SEAndroid would have stopped them in different ways."
Berrangé: Building application sandboxes with libvirt, LXC & KVMOn his blog, Daniel P. Berrangé writes about a new application sandbox tool that uses libvirt, LXC (Linux Containers), and KVM. It is based on some of the ideas behind the SELinux sandbox but uses KVM or LXC to isolate the application from the rest of the OS. "People also generally assume that running a KVM guest, means having a guest operating system install. This is absolutely something that is not acceptable for application sandboxing, and indeed not actually necessary. In a nutshell, libvirt-sandbox creates a new initrd image containing a custom init binary. This init binary simply loads the virtio-9p kernel module and then mounts the host OS' root filesystem as the guest's root filesystem, readonly of course. It then hands off to a second boot strap process which runs the desired application binary and forwards I/O back to the host OS, until the sandboxed application exits. Finally the init process powers off the virtual machine. To get an idea of the overhead, the /bin/false binary can be executed inside a KVM sandbox with an overall execution time of 4 seconds."
New vulnerabilities acroread: code execution
kernel: multiple vulnerabilities
kernel: syscall instruction induces guest panic
kernel: denial of service
libxml2: code execution
openssl: private key disclosure
plib: arbitrary code execution
rubygem-rack: denial of service
simplesamlphp: cross-site scripting
t1lib: multiple vulnerabilities
wordpress: cross-site scripting
Page editor: Jake Edge Kernel development Brief items Kernel release status3.2 is the most recent kernel, released on January 4. The 3.3 merge window is still open, see the article below for what's been merged in the last week. 3.3-rc1 can probably be expected sometime soon. Stable releases: The 3.1.10 stable kernel was released on January 18. This is the last stable kernel in the 3.1.x series, so users should upgrade to the 3.2 series. In addition, the 2.6.32.54, 3.0.17, 3.1.9, and 3.2.1 stable kernels were released on January 12.
Quotes of the week
Don't think for a minute that something won't get done just
because its obviously inappropriate.
-- Casey Schaufler
So I think that line should go away entirely. It doesn't have any
meaning.... I realize that I wrote it, and that it as such must be
bug-free, but I suspect that removing that line is even *more*
bug-free.
-- Linus Torvalds
Tracepoints are being added like the US deficit. We need to set
some rules somewhere. Either by making a library that can handle
small changes (like the one we are discussing, even though a memcpy
should cope), or we need to put a kabosh to adding new tracepoints
like they are the new fad app. Perhaps we should put the same
requirements on new tracepoints as we do with new syscalls.
-- Steven Rostedt
Work on dma-buf was originally started with the goal of unifying
several competing "memory management" systems developed with
different ARM SoCs in mind. It would be unfortunate if restricting
its use to only GPL-licensed modules caused dma-buf adoption to be
limited.
-- NVIDIA's Robert Morell
Kernel development news 3.3 merge window part 2As of this writing, almost 8,800 non-merge changesets have been pulled into the mainline kernel for the 3.3 development cycle - 2,900 since last week's summary. The pace of the merge window clearly slowed in its second week, but there were still a number of interesting changes merged.User-visible changes merged since last week include:
Changes visible to kernel developers include:
The 3.3-rc1 release can be expected at almost any point; after that, the stabilization process begins for the 3.3 development cycle. If the usual timing holds (and it almost always does anymore), the final 3.3 kernel release can be expected in the second half of March.
System call filtering and no_new_privsWe briefly covered a proposal for restricting system calls using the kernel packet filtering mechanism on the January 12 Kernel page, but, at that time, there hadn't been any comments on the proposal. Since then there have been several rounds of comments and revisions of the patch set, along with a revival of an older idea to let a process limit itself and its children to its current privilege level. So far, both sets of patches have received generally positive feedback, to the point where it seems like general-purpose system call filtering just might make it into the mainline sometime in the not-too-distant future. For some time now, Will Drewry has been trying to find an acceptable way to enhance the seccomp ("secure computing") facility in the kernel so that more flexible system call filtering can be done. His target for the feature is the Chrome/Chromium web browser in order to sandbox untrusted code, but other projects (including QEMU, openssh, vsftpd, and others) have expressed interest in the feature as well. He (and others) have tried various approaches over the last few years without finding one that passed muster. His latest attempt, which uses the BPF (Berkeley Packet Filter) engine to filter the system calls, seems like it avoids many of the problems that were noted in the earlier attempts. The basic idea is that instead of examining packet contents, the filters will examine system calls and any arguments passed in registers (that means that it won't follow pointers to avoid time-of-check-to-time-of-use races). The code will only allow those calls that pass the filter tests to be executed. The filtering fails "closed" so that any calls not listed in the filter, or whose arguments don't correspond to the filter rules, will return an EACCES error. The syntax for creating a filter, as described in the documentation file, is fairly painful, but Eric Paris has already started on a translator to turn a more readable form into the BPF rules needed. In order to avoid a longstanding problem with the interactions between binaries that can change their privileges (e.g. setuid or file-based capabilities) and mechanisms to reduce privileges for a process, Drewry's initial patch would restrict the ability of a process to make an execve() call once a filter had been installed. The problem is that privilege-changing binaries can get confused when faced with an environment with fewer privileges than are expected. That confusion can lead to privilege escalation or other security holes. This is why things like chroot(), bind mounts, and, eventually, user namespaces are restricted to root-privileged processes. If a filtered process can't successfully call execve(), though, all of the concerns about confusing those binaries is gone. It does make using the system call filtering a little clunky, however. One would expect that a parent could set up filters and then spawn a child that would be bound by those filters, but, without a way to exec, that won't work. That can be worked around for most existing programs with some LD_PRELOAD trickery, but in the discussion another potential solution was proposed. Andrew Lutomirski pointed to his execve_nosecurity proposal as a possible solution. That would allow processes to set a flag so that they (and their children) would be unable to call execve() and would add a new variant (called, somewhat confusingly, execve_nosecurity()) that could be used instead but would not allow any security transitions for the executed program. That means that setuid, LSM context changes, changing capabilities, and so on would not be allowed. Linus Torvalds agreed that adding a way to restrict privilege changes would be useful:
We could easily introduce a per-process flag that just says "cannot
escalate privileges". Which basically just disables execve() of
suid/sgid programs (and possibly other things too), and locks the
process to the current privileges. And then make the rule be that *if*
that flag is set, you can then filter across an execve, or chroot as a
normal user, or whatever.
That led Lutomirski to propose a flag in struct task_struct called no_new_privs that would be set via the PR_SET_NO_NEW_PRIVS flag to prctl(). It would be a one-way gate as there would be no way to unset the flag. If set, the flag would restrict executing binaries in much the same way that the nosuid mount flag works. In addition, it would disallow processes changing capabilities on exec or SELinux security context transitions. But, Lutomirski's patch does not implement a sandbox, as it can still be subverted via ptrace() as Alan Cox points out. Cox was also concerned that preventing SELinux, AppArmor, or other LSMs from changing privileges could lead to other problems because those transitions may actually be changing the context to a less privileged state. Simply keeping the previous context, as Lutomirski's patch does, could lead to executing programs in a more-privileged context. But Eric Paris clarifies that SELinux, at least, will still make the same policy decision even without the transition (as it does for nosuid mounts), so that the execution will still fail if the process has the wrong context. Lutomirski also notes that a sandbox will be much less useful if execve() has to fail when there is any kind of security transition, as Cox suggested. The presence of a policy on a particular binary would make that binary unusable from within a sandbox, no matter what the policy is. A better solution, Lutomirski said, is to set the no_new_privs bit, then set up a sandbox (using Drewry's seccomp system call filtering for example), then execute the binary, which will succeed or fail based on the actual mandatory access control (MAC) policy. That solves the problem of ptrace() and other circumvention methods as well because a sandbox requires both the no_new_privs patch and some other mechanism to filter system calls:
no_new_privs is not intended to be a sandbox at all -- it's a way to
make it safe for a task to manipulate itself in a way that would allow
it to subvert its own children (or itself after execve). So ptrace
isn't a problem at all -- PR_SET_NO_NEW_PRIVS + chroot + ptrace is
exactly as unsafe as ptrace without PR_SET_NO_NEW_PRIVS. Neither one
allows privilege escalation beyond what you started with.
If you want a sandbox, call PR_SET_NO_NEW_PRIVS, then enable seccomp (or whatever) to disable ptrace, evil file access, connections on unix sockets that authenticate via uid, etc. Meanwhile, Drewry has been revising his patches to take advantage of no_new_privs. One of those revisions brought about some other concerns regarding whether dropping privileges should be allowed after the bit is set. Torvalds is worried that allowing privilege dropping will somehow lead to confusing other programs: "We've had security bugs that were *due* to dropped capabilities - people dropped one capability but not another, and fooled code into doing things they weren't expecting it to do." Lutomirski's patches do not restrict things like calls to setuid() because they are not meant to implement a sandbox—that's what the existing seccomp, or an enhanced version from Drewry's patches (aka seccomp mode 2) will do. As Lutomirski explains:
Another way of saying this is: no_new_privs is not a sandbox. It's
just a way to make it safe for sandboxes and other such weird things
processes can do to themselves safe across execve. If you want a
sandbox, use seccomp mode 2, which will require you to set
no_new_privs.
It's clear that Lutomirski, at least, thinks the no_new_privs changes cannot lead to the problems that Torvalds and others (notably Smack developer Casey Schaufler) are concerned about. But, any program that uses no_new_privs needs to be aware of what it does (and doesn't) do. Coupling it with a system call filtering mechanism seems like it could only increase the security of the system. But, interactions between security mechanisms often have unforeseen effects, typically resulting in security holes, so it makes sense to be cautious. So far, these changes are still being discussed, and no subsystem maintainer has volunteered to take them, but the two proposals seem to have support that other similar ideas have lacked. Whether Lutomirski can convince the other kernel hackers that no_new_privs can't lead to other problems, or whether he needs to figure out how to stop the dropping of privileges is unclear. But it does seem like there may now be a path for an enhanced seccomp to reach the mainline.
The future calculus of memory managementOver the last fifty years, thousands of very bright system software engineers, including many of you reading this today, have invested large parts of their careers trying to solve a single problem: How to divide up a fixed amount of physical RAM to maximize a machine's performance across a wide variety of workloads. We can call this "the MM problem." Because RAM has become incredibly large and inexpensive, because the ratios and topologies of CPU speeds, disk access times, and memory controllers have grown ever more complex, and because the workloads have changed dramatically and have become ever more diverse, this single MM problem has continued to offer fresh challenges and excite the imagination of kernel MM developers. But at the same time, the measure of success in solving the problem has become increasingly difficult to define. So, although this problem has never been considered "solved", it is about to become much more complex, because those same industry changes have also brought new business computing models. Gone are the days when optimizing a single machine and a single workload was a winning outcome. Instead, dozens, hundreds, thousands, perhaps millions of machines run an even larger number of workloads. The "winners" in the future industry are those that figure out how to get the most work done at the lowest cost in this ever-growing environment. And that means resource optimization. No matter how inexpensive a resource is, a million times that small expense is a large expense. Anything that can be done to reduce that large expense, without a corresponding reduction in throughput, results in greater profit for the winners. Some call this (disdainfully or otherwise) "cloud computing", but no matter what you call it, the trend is impossible to ignore. Assuming it is both possible and prudent to consolidate workloads, it is increasingly possible to execute those workloads more cost effectively in certain data center environments where the time-varying demands of the work can be statistically load-balanced to reduce the maximum number of resources required. A decade ago, studies showed that, on average, only 10% of the CPU in an average pizza box server was being utilized... wouldn't it be nice, they said, if we could consolidate and buy 10x fewer servers? This would not only save money on servers, but would save a lot on power, cooling, and space too. While many organizations had some success in consolidating some workloads "manually", many other workloads broke or became organizationally unmanageable when they were combined onto the same system and/or OS. As a result, scale-out has continued and different virtualization and partitioning technologies have rapidly grown in popularity to optimize CPU resources. But let's get back to "MM", memory management. The management of RAM has not changed much to track this trend toward optimizing resources. Since "RAM is cheap", the common response to performance problems is "buy more RAM". Sadly, in this evolving world where workloads may run on different machines at different times, this classic response results in harried IT organizations all buying more RAM on most or all of the machines in a data center. A further result is that the ratio of total RAM in a data center vs. the sum of the "working set" of the workloads, is often at least 2x and sometimes as much as 10x. This means that somewhere between half and 90% of the RAM in an average data center is wasted, which is decidedly not cheap. So the question is begged: Is it possible to apply similar resource optimization techniques to RAM? A thought experimentBear with me and open your imagination for the following thought experiment: Let's assume that the next generation processors have two new instructions: PageOffline and PageOnline. When PageOffline is executed (with a physical address as a parameter), that (4K) page of memory is marked by the hardware as inaccessible and any attempts to load/store from/to that location result in an exception until a corresponding PageOnline is executed. And through some performance registers, it is possible to measure which pages are in the offline state and which are not. Let's further assume that John and Joe are kernel MM developers and their employer "GreenCloud" is "green" and enlightened. The employer offers the following bargain to John and Joe and the thousands of other software engineers working at GreenCloud: "RAM is cheap but not free. We'd like to encourage you to use only the RAM necessary to do your job. So, for every page, on "average" over the course of the year, that you have offline, we will add one-hundredth of one cent to your end-of-year bonus. Of course, if you turn off too much RAM, you will be less efficient at getting your job done, which will reflect negatively on your year-end bonus. So it is up to you to find the right balance." John and Joe quickly do some arithmetic: so, since my machine has 8GB RAM, if I on average keep 4GB offline, I will be $100 richer. They quickly start scheming ideas on how to dynamically measure their working set and optimize page offlining. But the employer goes on: "And for any individual page that you have offline for the entire year, we will double that to two-hundredths of a cent. But once you've chosen the "permanent offline" option on a page, you are stuck with that decision until the next calendar year." John, anticipating the extra $200, decides immediately to try to shut off 4GB for the whole year. Sure, there will be some workload peaks where his machine will get into a swapstorm and he won't get any work done at all, but that will happen rarely and he can pretend he is on a coffee break when it happens. Maybe the boss won't notice. Joe starts crafting a grander vision; he realizes that, if he can come up with a way to efficiently allow others' machines that are short on RAM capacity to utilize the RAM capacity on his machine, then the "spread" between temporary offlining and permanent offlining could create a nice RAM market that he could exploit. He could ensure that he always has enough RAM to get his job done, but dynamically "sell" excess RAM capacity to those, like John, who have underestimated their RAM needs ... at say fifteen thousandths of a cent per page-year. If he can implement this "RAM capacity sharing capability" into the kernel MM subsystem, he may be able to turn his machine into a "RAM server" and make a tidy profit. If he can do this ... AnalysisIn the GreenCloud story, we have: (1) a mechanism for offlining and onlining RAM one page at a time; (2) an incentive for using less RAM than is physically available; and, (3) a market for load- balancing RAM capacity dynamically. If Joe successfully figures out a way to make his excess RAM capacity available to others and get it back when he needs it for his own work, we may have solved (at least in theory) the resource optimization problem for RAM for the cloud. While the specifics of the GreenCloud story may not be realistic or accurate, there do exist some of the same factors in the real world. In a virtual environment, "ballooning" allows individual pages to be onlined/offlined in one VM and made available to other VMs; in a bare-metal environment, the RAMster project provides a similar capability. So, though primitive and not available in all environments, we do have a mechanism. By substantially reducing the total amount of RAM across a huge number of machines in a data center, both capital outlay and power/cooling would be reduced, improving resource efficiency and thus potential profit. So we have an incentive and the foundation for a market. Interestingly, the missing piece, and where this article started, is that most OS MM developers are laser-focused on the existing problem from the classic single machine world which is, you recall: how to divide up a fixed amount of physical RAM to maximize a single machine's performance across a wide variety of workloads. The future version of this problem is this: how to vary the amount of physical RAM provided by the kernel and divide it up to maximize the performance of a workload. In the past, this was irrelevant: you own the RAM, you paid for it, it's always on, so just use it. But in this different and future world with virtualization, containers, and/or RAMster, it's an intriguing problem. It will ultimately allow us to optimize the utilization of RAM, as a resource, across a data center. It's also a hard problem, for three reasons: The first, is that we can't predict, but can only estimate, the future RAM demands of any workload. But this is true today, the only difference is whether the result is "buy more RAM" or not. The second, is that we need to understand the instantaneous benefit (performance) of each additional page of RAM (cost); my math is very rusty, but this reminds me of differential calculus, where "dy" is performance and "dx" is RAM size. At every point in time, increasing dx past a certain size will have no corresponding increase in dy. Perhaps this suggests control theory more than calculus but the needed result is a true dynamic representation of "working set" size. Third, there is some cost for moving capacity efficiently; this cost (and impact on performance) must be somehow measured and taken into account as well. But, in my opinion, this "calculus" is the future of memory management. I have no answers and only a few ideas, but there's a lot of bright people who know memory management a lot better than I. My hope is to stimulate discussion about this very-possible future and how the kernel MM subsystem should deal with it.
Patches and updates Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet Distributions LCA: The past, present, and future of Ubuntu on ARMThe ARM architecture has traditionally been served by source-based distributions that are hand-built for specific systems; it has not seen much in the way of generic distributions like x86 has. As the ARM architecture grows in capability, adoption, and importance, though, distributors are looking more seriously about providing support for it. Ubuntu has been working on its ARM support for a few years now; in a 2012 linux.conf.au talk, Canonical developer David Mandala reviewed the history of Ubuntu's ARM distribution and gave some thoughts on where he thought things might go.Ubuntu started making a distribution for ARM in 2008. This distribution was not based directly on Debian's effort for a simple reason: Debian was built around the ARMv4 architecture, but Ubuntu wanted to target the newer ARMv7. After some work, the first ARM-based release came out in April, 2009; it was targeted at the Freescale iMX51 development board.
Thereafter, ARM releases followed the same six-month schedule as the
x86-based Ubuntu releases. The 9.10 release got them up to the ARMv6
instruction set and added support for a Marvell Armada board. 10.04 added
support for an OMAP3 development board, could build on ARMv7, and
was able to use the Thumb-2 instruction set. The Ubuntu ARM release also
rebased itself onto the Netbook Edition at that time. 10.10 added initial
The current release, 11.10, supports the Beagleboard and Pandaboard systems, along with the iMX53 QuickStart board. There is a community-supported build for Toshiba's ARM-based AC-100 netbook system which, David said, is a lot nicer to work with than a development board. Ubuntu has also produced the first technical preview of the upcoming ARM server release. The team is now working on the 12.04 release, due in April, which should include support for ARM server system-on-chip (SoC) processors from Marvell and Calxeda. The distribution is moving over to the ARMhf architecture, which offers hardware floating support (among other things), leading to a faster system overall. Ubuntu 12.04 will be fully multiarch-clean, which will make it much easier to do cross-development and testing on x86-based systems. Life has been getting easier over time as the team gains experience and many of the software problems are hunted down and fixed. Creating the first ARMel archive, with 25,000 packages, took about three months; the ARMhf archive, instead, with 37,000 packages, was done in about three weeks. Lots of build issues have been overcome, and problematic assumptions in the code (such as "ARM systems will never be SMP") have been fixed. Looking forward, David clearly sees a bright future for the ARM server architecture. That may be surprising to some; ARM has not generally been known as an architecture for servers, but that may be about to change. Power consumption is an increasingly important issue for data centers; many of them, at this point, have reached a point where no more power can be brought in and, thus, cannot accommodate any more systems. The industry spends some $45 billion per year on data center power and cooling. Anything that can reduce power consumption in this setting is welcome. ARM is known for low power consumption, an attribute that makes it attractive in this situation. The architecture is adding a number of other features of interest to the server use case; we will be seeing 64-bit, multi-core processors with 2GHz clocks and support for virtualization. It will be possible to buy a quad-core SoC that can run flat-out with 5W of power, far less than any x86 chip. ARM servers, thus, have the potential to handle the server role while being much cheaper to buy and run. So ARM servers may well find considerable success. Part of David's job, naturally, was to convince us that we would want to run Ubuntu Server on those ARM systems. It makes sense, he said, because Ubuntu has that experience with ARM going back to 2008; they have run into all the issues and know how things work. They have a distribution built natively for the Cortex A9 multi-core processor, ready to handle SMP workloads. And a lot of these systems will be running workloads like web serving - the sort of thing that Ubuntu has traditionally been good at. Additionally, ARM-based server systems are going to bring some interesting system administration challenges. The density of these systems will be impressive, allowing the installation of thousands of servers into a single rack. Managing all of those systems - even at the level of ensuring they all get IP address when they boot - is not going to be straightforward. David thinks that Ubuntu's Juju configuration management system, originally developed for cloud deployments, will be well suited to the ARM server environment. Looking forward, David anticipates that the first actual server release, targeting the Calxeda and Marvell SoCs, will happen in October. That will make Ubuntu the first operating system to support the ARM Cortex A15 processor. 12.10 will include support for virtualization with KVM or Xen. It will be a 32-bit release (64-bit work is getting started but is not ready yet), but it will support large amounts of physical memory using the (just merged for the 3.3 kernel) large physical address extension feature. Some of this support may also go into the 12.04 LTS release in later updates. In 2013, the range of supported hardware will grow; there will also be support for the Cortex A7 processor and its interesting power management technologies. In 2013, he said, Ubuntu will be the first system to support the 64-bit ARMv8 architecture. UEFI boot will also be supported. Looking forward to 2014 and beyond, there will be a serious effort to create a unified kernel; running a single kernel on any ARM processor is a challenging goal, but it should be able to run on a wider range of processors than any kernel available today. All told, it is an ambitious undertaking; ARM is not an architecture that has been congenial to general-purpose distributions in the past. But, if the ARM folks have their way, we may be about to see a significant change in the server market; Ubuntu clearly plans to be there if and when that happens. [Your editor would like to thank the LCA organizers for assisting with his travel to Ballarat.]
Brief items FreeBSD 9.0 releasedFreeBSD 9.0 has been released. Highlights of this release include a new installer, Capsicum Capability Mode for sandboxing, softupdates journaling for the Fast Filesystem, user-level DTrace, ZFS updates, and much more, see the release notes for more information. "The FreeBSD Project dedicates the FreeBSD 9.0-RELEASE to the memory of Dennis M. Ritchie, one of the founding fathers of the UNIX[tm] operating system. It is on the foundation laid by the work of visionaries like Dennis that software like the FreeBSD operating system came to be. The fact that his work of so many years ago continues to influence new design decisions to this very day speaks for the brilliant engineer that he was. May he rest in peace."
PC-BSD 9.0 ReleasedThe PC-BSD development team and iXsystems have announced the release of PC-BSD version 9.0 "Based upon FreeBSD 9.0-Release, this is also the first PC-BSD which offers users a variety of desktop environments to chose from, such as KDE, GNOME, XFCE, LXDE and more! Also available are pre-built VirtualBox / VMware images with integrated guest tools for rapid virtual system deployment, and native support for installing directly to OSX BootCamp partitions."
Newsletters and articles of interest Distribution newsletters
Page editor: Rebecca Sobol Development Multi-touch support landing in XX.Org 1.12, the next release of the reference X server, is currently in release candidate status. With it comes several new features, but the most anticipated is probably multi-touch support, courtesy of version 2.2 of the XInput2 extension. Peter Hutterer, maintainer of XInput2, has been writing about adding multi-touch support in his blog since December 2011 — including the architecture and what application developers will need to address before they can bring multi-touch and gesture support to users. Of course, any discussion of multi-touch X begins by explaining what it is and what it isn't. Multi-touch refers specifically to the ability to recognize and use multiple input points on a single hardware device. For example, using more than one finger to manipulate objects on a touchscreen device, or multi-finger gestures on a touchpad. It is a different animal entirely from multi-pointer X (MPX), which is the ability to use two or more on-screen cursors at the same time, controlled by separate hardware devices. MPX support was added — also by Hutterer — to XInput2 in 2009, and was first released with X.Org 1.7. Touchpad users are probably already familiar with two-finger scrolling and two- or three-finger mouse clicks. Although detecting multiple points-of-contact is involved, this is also not genuinely multi-touch — detecting the multiple taps or scrolling simply triggers a different event from the touchpad driver. A simple way to tell the difference is that with two-finger middle-clicks, the position of the user's fingers do not matter; the cursor stays (more or less) in one place. With a multi-touch gesture event like a pinch, however, tracking and interpreting the motion and relative positions of the fingers makes all the difference in the world. Devices and eventsXInput2.2 defines two distinct classes of multi-touch device that correspond to the two major modes of multi-touch user interaction. An XIDirectDevice is one where the touch event occurs on screen (as is the case with tablets, touch-screen monitors, and the like). In these cases, the coordinates where the event happens come directly from the position of the touch. The other class is an XIDependentDevice, which is typically a non-display input device like a touchpad. An XIDependentDevice controls a cursor in the "normal" fashion most of the time, but supports multi-touch events, too. The positions of the touch events on an XIDependentDevice are interpreted relative to the cursor position. XInput2.2 also defines three event types that together describe a touch sequence in the wild: XI_TouchBegin, XI_TouchUpdate, and XI_TouchEnd. By definition, each touch event starts with an XI_TouchBegin, followed by zero or more XI_TouchUpdates, and ends with an XI_TouchEnd. Client applications that want to catch touch events must use the XISelectEvents method to register for all three event types. To a client application listening for the new event types, touches appear no different from any other XInput event — with the addition of a "touch ID" that is returned in the event's detail field. This ID is a 32-bit value that the application must use to keep track of multiple, simultaneous touches. The touch events use the XIDeviceEvent structure that is also used for pointer and keyboard events; handling touches separately (including interpreting gestures) is left up to the application, library, or toolkit. Device grabbing and ownershipAlthough the Begin, Update, and End events cover almost all touch event cases, there is a fourth touch event called XI_TouchOwnership defined by XInput2.2 in order to provide no-delay touch event processing in unusual situations. The need arises because it is not always unambiguously clear which X client ought to process a series of touch events. For example, on a tablet, a window manager and an image viewer might both reasonably be expected to listen for touch events on the same window — the user could click and drag the window, or perhaps pinch and zoom in on the image. XInput allows a client to stake out a claim to the events that happen in a window by "grabbing" touch events. Calling the grab API tells the X server that the grabby client wants exclusive access to the input device. But a client application that holds a grab on a device could begin to process a touch event sequence and only then discover that the sequence is not intended for it. To follow up on the example above, the image viewer might grab a touch event sequence, then process it and determine that it is not a gesture it recognizes. In that case, the grabby client sends a reject to the server, and the server then sends the sequence to the next client (i.e., the window manager), which hopefully does recognize the gesture and can react accordingly. When a client decides that it does want to process the touch sequence, it sends an accept instead. That process works reasonably well when only one or two clients are involved, but every client that studies and rejects the gesture adds lag time, which is exacerbated because the X server re-sends the touch sequence to each subsequent client. If there are several involved, the UI suddenly becomes sluggish to the user. XInput2.2's solution is the XI_TouchOwnership event. A client can select to listen for this event in addition to the usual touch sequence events. When it does so, the X server sends a copy of each event sequence to the client immediately — even if another client has a grab on the device. The result is that the client listening for XI_TouchOwnership can begin to process touch events immediately and lower its response times. However, because one of the other clients may accept the touch event sequence, whatever action the listening client takes needs to be either invisible and reversible, or hold off on execution until the X server tells the client that its turn has come by sending it an XI_TouchOwnership event. Toolkit and application supportAs the grabbing/ownership scenario illustrates, multi-touch support in X is difficult precisely because X handles multiple active applications running simultaneously. In 2010, Hutterer observed that this was a higher bar than that faced by Apple iOS or Microsoft's Surface project, both of which function in pre-defined environments with only a single full-screen application active at any one time. X is also expected to make multi-touch devices co-exist peacefully with keyboards and standard pointers, which touch-only devices generally do not support. The result is that XInput2.2's multi-touch support arrives via a separate set of input device types and events, that applications will need to add support for manually. Consequently it may be several release cycles after X.Org 1.12 before window managers, GIMP, Firefox, and the rest fully support the new multi-touch features. GUI Toolkit support is closer. Qt already has a stable multi-touch API that supports gestures, introduced in version 4.6. Ubuntu recommended Qt to application developers in 2011, while it maintained its own uTouch framework for the Unity environment during the XInput2.1 development cycle. Although uTouch included a patchwork of components in the past, the distribution is migrating it to XInput2.2 for its 12.04 release. That leaves the GNOME side of field. Carlos Garnacho and others are working on adding multi-touch support to GTK+ and GDK in the multitouch branch. However, it is not clear when this work is expected to land. Garnacho noted his progress in his blog twice in early 2011, but there have been no formal updates there or on the mailing lists for months. Hutterer indicated on the Fedora wiki's multi-touch page that support may land as soon as GTK+ 3.4. Interested parties can keep up to date by watching the GNOME Shell Touchscreen wiki page. The essential building blocks are lined up (if not all in place) for true multi-touch on X.org systems, so it is plausible that before 2013 arrives, desktop and mobile Linux users will consider multi-touch applications commonplace. But that does not mean that they will be happy about it. As Hutterer mentions on his blog, one of the most challenging aspects of multi-touch is coming up with good, intuitive user interface designs to fit together with the technical underpinnings. On that front, 2012 may also be the year of multi-touch experimentation.
Brief items Quotes of the week
One always got the feeling that somebody was steering GNOME, but it
wasn’t clear who. When it started, I thought it was Miguel and Nat,
then Novell, then Redhat. Now it has that floaty, determined
meandering that the best mass open source projects have. From a
distance, everyone seems to be constantly bickering and regretting
the next steps; but the steps get made, and slowly everyone adapts
to them. GNOME feels like a nation now.
-- Danny
O'Brien
But these days anything is possible with version-numbers really,
except for going backwards. Which is precisely what we are
avoiding here.
-- Stephan Arts for
the Xfce project
Just look at Mozilla Firefox (moving from 4 to 9 at the same pace as they went from 0.7 to 1.0) or Google chrome (what version-number are they using anyway?), or the linux-kernel, going from 2.6.0 to 2.6.39 with entire subsystems being rewritten from scratch, and then moving from 2.6.39 to 3.0 without any radical change whatsoever. Really, moving from 4.8 to 4010 is not really that big a deal, if it serves the right purpose.
Cheese 3.3.4 releasedThe Cheese webcam photo and video capturing application with multiple "fancy special effects" has released unstable version 3.3.4. The biggest new feature is support for photo and video sharing that "was added by GNOME Outreach Program for Women intern Patricia Santana Cruz". In addition, the test suite was improved, documentation creation now uses stylesheets, microphone control was added via PulseAudio, and more, including lots of bug fixes.
Media Goblin 0.2.0 releasedMedia Goblin, an "AGPL-licensed federated multi-media hosting platform" that is part of the GNU project has released version 0.2.0 ("Our Tubes!"). New in this version is support for HTML 5 compliant video delivery, better handling of resizing uploaded images, additional customization options, and better documentation. "MediaGoblin's big picture goal is to support loads of different media types, so video is just the beginning. In the near future MediaGoblin will be able host slide sharing, three dimensional model uploading and viewing, even ascii art."
Salt 0.9.5 releasedThe Salt the remote execution manager has released version 0.9.5. The release notes detail all the changes that have gone into "one of the largest steps forward in the development of Salt". Those changes include moving from Python pickles to Message Pack for better network serialization performance, automatic module loading and reloading without requiring a restart, easier module deployment, node groups, and more. "Salt allows commands to be executed across large groups of servers. This means systems can be easily managed, but data can also be easily gathered. Quick introspection into running systems becomes a reality. Remote execution is usually used to set up a certain state on a remote system. Salt addresses this problem as well, the salt state system uses salt state files to define the state a server needs to be in. Between the remote execution system, and state management Salt addresses the backbone of cloud and data center management."
Newsletters and articles Development newsletters from the last week
Organizing Open Source Efforts at NASA (Linux.com)Over at Linux.com, Rikki Endsley interviews two NASA workers who are responsible for organizing and expanding the US space agency's open source efforts. "In December, [William] Eshagh announced NASA's presence on GitHub, and their first public repository houses NASA's World Wind Java project, an open source 3D interactive world viewer. Additional projects are being added, including OpenMDAO, an open-source Multidisciplinary Design Analysis and Optimization (MDAO) framework; NASA Ames StereoPipeline, a suite of automated geodesy and stereogrammetry tools; and NASA Vision Workbench, a general-purpose image processing and computer vision library."
Kruisselbrink: Calligra on AndroidOn his blog, Marijn Kruisselbrink reports on getting Calligra Mobile working on Android. In it he describes various problems he ran into in porting the mobile office suite, including a lack of DBus and KSyCoCa support in Android. "So after some (sometimes frustrating) hacking, I've got the first results: Calligra Mobile running on an android tablet. There are still lots of rough edges, and not everything works correctly, but as you can see in these screenshots, it does actually run and work. To get to this point I had to make some rather ugly hacks though to work around some of the android limitations." (Thanks to Inge Wallin.)
Typing at 255 WPM shouldn't cost $4000: Plover, the open source steno system (Opensource.com)Mel Chua writes about Plover, an open suite for stenography, at Opensource.com. "Plover isn't just a straight-out copy-paste of existing proprietary CART [Communication Access Realtime Transcription] software; it also has several feature advantages over them. Most steno software has a time-based buffer, forcing the user to conform to the software's timing; Plover is designed the other way around, so the software responds to a human, and typists can take their time to think and control the pacing of their words. Plover is also the first steno software of any kind that follows the Unix design principle of modularity, acting essentially as a keyboard emulator - no different from any other alternative input option such as on-screen keyboards for tablets or input methods for the disabled. In contrast, proprietary steno programs contain full-fledged word processors that typists are then forced to use."
Raghavan: PulseAudio vs. AudioFlinger: Fight!On his blog, Arun Raghavan reports on comparing the performance of PulseAudio vs. Android's AudioFlinger, running them both on a Galaxy Nexus smartphone under Ice Cream Sandwich (Android 4.0). He compares CPU, memory, power usage, latency, and the features offered by both, and PulseAudio fares quite well. "For future work, it would be interesting to write a wrapper on top of PulseAudio that exposes the AudioFlinger audio and policy APIs — this would basically let us run PulseAudio as a drop-in AudioFlinger replacement. In addition, there are potential performance benefits that can be derived from using Android-specific infrastructure such as Binder (for IPC) and ashmem (for transferring audio blocks as shared memory segments, something we support on desktops using the standard Linux SHM mechanism which is not available on Android)."
Page editor: Jonathan Corbet Announcements Articles of interest SFLC: Microsoft confirms UEFI fears, locks down ARM devicesThe Software Freedom Law Center has taken a look at Microsoft's Windows 8 certification requirements for the ARM architecture (which require that the system be fully locked down) and is not amused. "The new policy betrays the cynicism of Microsoft's initial response to concerns over Windows 8's secure boot requirement. When kernel hacker Matthew Garrett expressed his concern that PCs shipped with Windows 8 might prevent the installation of GNU/Linux and other free operating systems, Microsoft's Tony Mangefeste replied, 'Microsoft’s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves.' It is clear now that opportunism, not philosophy, is guiding Microsoft's secure boot policy."
Garrett: Why UEFI secure boot is difficult for LinuxOn his blog, Matthew Garrett provides an update on the UEFI secure boot situation. Unlike what some have said, the Microsoft certification requirements for Windows 8 still place significant barriers in the way of installing Linux—even on x86 systems—which Garrett outlines. "I wrote about the technical details of supporting the UEFI secure boot specification with Linux. Despite me pretty clearly saying that this was ignoring issues of licensing and key distribution and the like, people are now using it to claim that Linux could support secure boot with minimal effort. In a sense, they're right. The technical implementation details are fairly straightforward. But they're not the difficult bit."
Web Protests Piracy Bills, and 2 Senators Change Course (New York Times)The New York Times reports that Internet protests against anti-piracy legislation (SOPA and PIPA) are working. "Freshman Senator Marco Rubio of Florida, a rising Republican star, was first out of the starting gate Wednesday morning with his announcement that he would no longer back anti-Internet piracy legislation he had co-sponsored. Senator John Cornyn, the Texas Republican who heads the campaign operation for his party, quickly followed suit and urged Congress take more time to study the measure that had been set for a test vote next week."
Second batch of FOSDEM 2012 speaker interviewsThe series of interviews with FOSDEM (Free and Open Source Software Developer's European Meeting) speakers continues with:
Google Code-in 2011-2012 ConcludesThe 2011-2012 Google Code-in has ended. "Over eight busy weeks, 545 high school (pre-university) students competed in the Google Code-in contest completing tasks for 18 open source projects. The Google Code-in contest is designed to introduce high school students to the world of open source software development by having them complete ‘bite sized’ tasks while gaining knowledge and earning prizes along the way."
New Books Web Development Recipes--New from Pragmatic BookshelfThe Pragmatic Bookshelf has released "Web Development Recipes" by Brian P. Hogan, Chris Warren, Mike Weber, Chris Johnson, and Aaron Godin.
Calls for Presentations PGCon 2012 Call for PapersPGCon 2012 will be held May 17-18, 2012 in Ottawa, Canada. The conference will be preceded by two days of tutorials taking place May 15-16. "If you are doing something interesting with PostgreSQL, please submit a proposal. You might be one of the backend hackers or work on a PostgreSQL related project and want to share your know-how with others. You might be developing an interesting system using PostgreSQL as the foundation. Perhaps you migrated from another database to PostgreSQL and would like to share details. These, and other stories are welcome. Both users and developers are encouraged to share their experiences." Proposals are due by January 29.
2nd CFP: Open64 Workshop at PLDI'12The Open64 Workshop will take place June 15, 2012, in Beijing China. "Active Open64 researchers & developers from academia and industry will report their research projects, experimental results, and development experiences using the Open64 compiler. The workshop provides a forum for discussion of your findings and experiences with a broad range of Open64 researchers and developers. " The call for proposals ends February 10.
Upcoming Events SUSE Announces First Annual Enterprise Linux ConferenceSUSE has announced the first annual SUSECon, to be held September 18-21, 2012, in Nuremberg, Germany. "SUSE will bring together from across the globe its seasoned and knowledgeable experts, its strong partnerships with industry-leading technology vendors, and its showcase of successful customers to deliver a comprehensive agenda that offers both business and technical advice for enterprise Linux practitioners. Content and activities will be announced throughout the year for the September 2012 event - which coincides with SUSE's twentieth anniversary, a milestone that will be reflected at the conference."
SuperCollider 2012 program announcedSuperCollider is an audio programming environment. April 12-19, 2012 musicians, artists and coders will meet in London, UK for a festival showcasing works created with SuperCollider.
Events: January 19, 2012 to March 19, 2012The following event listing is taken from the LWN.net Calendar.
If your event does not appear here, please tell us about it.
Page editor: Rebecca Sobol
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![[Andrew Bartlett]](/images/conf/2012/lca/AndrewBartlett-sm.jpg)
![[Andrew Tridgell]](/images/conf/2012/lca/AndrewTridgell-sm.jpg)
![[Amitay Isaacs and Kai Blin]](/images/conf/2012/lca/Amatay+Kai-sm.jpg)
![[Bruce Perens]](/images/conf/2012/lca/BrucePerens-sm.jpg)
![[Bruce Perens]](/images/conf/2012/lca/BrucePerens2-sm.jpg)
![[David Mandala]](/images/conf/2012/lca/DavidMandala-sm.jpg)