Last June, we published
a story about
LinkSys and its WRT54G wireless router product. That router runs Linux,
but LinkSys was not making the source for its Linux kernel available as the
GPL requires. In response to pressure from the community, LinkSys
eventually released a kernel tarball, and it
appeared that the episode had come to a close. Another apparent victory
for the GPL.
In this case, however, it seems that the victory celebrations were a bit
premature. A group of programmers has been working with the LinkSys
tarball in the hopes of creating a new, more accessible firmware image for
the WRT54G. Over time, this group has come to the conclusion that the
kernel source released by LinkSys is incomplete. Efforts to resolve the
situation with LinkSys have not been conclusive, so, on September 28,
this group sent out a letter describing its
findings.
Much of the code in the WRT54G kernel gets there by way of loadable
modules. In particular, much of the truly interesting stuff - the code
that implements the low-level wireless functionality - is packaged in
modules. The question of whether loadable modules are a derived product of
the kernel - and thus subject to the GPL - is a topic of ongoing debate;
not all kernel hackers are happy to see their work used by binary-only
modules. A definitive conclusion in that debate may never come about; in
the real world, however, binary-only modules are tolerated. Nobody has
made any serious public effort to get LinkSys to release the source to its
binary kernel modules. (Update: it turns out that claim is not
entirely true; see the comments added to this article for details).
The results of the investigation by the WRT54G hackers, however, indicate
that the WRT54G kernel contains a substantial amount of built-in code.
There is no ambiguity around code which is patched directly into the
kernel; it is clearly a derived product. A kernel which is patched in this
way can, by the GPL, only be distributed if the source for those patches is
released under the same license. LinkSys (or the contractor which did its
kernel work) has tried to slip in a kernel source tarball which does not
include the code found in its binary image; that is a GPL violation, and
the company has been caught. It is not clear how the people involved
thought they would get away with this attempt; perhaps they thought nobody
was really interested in looking at their source.
What happens now? The WRT54G hackers have released their information in
the hope that a wider public awareness of the problem will help push
LinkSys into living up to its obligations under the GPL. It turns out,
however, that the Free Software Foundation is
working on this case, and they are asking for patience.
GPL violations sometimes take time to resolve. We wish that we
could force resolution quicker, but we haven't found a way to do
that. We have, however, discovered a variant of Brooks's Law:
adding more lawyers to a GPL violation usually makes it take
longer. Lawyers are reluctant to admit to mistakes, because they
fear it could be used against them. Engineers and product managers
are typically interested in fixing mistakes, so we try our best to
work with them first before escalating to legal teams on both
sides. Such escalation has happened on this violation, so it will
take additional time to resolve the matter.
The FSF also points out that the kernel is only a part of the GPL-licensed
software running on a WRT54G router. The FSF is trying to represent the
copyright holders of all the affected software and resolve the whole
problem. They will, they say, keep the community informed as things
progress.
The FSF's work on GPL enforcement is usually hard to see; it is done in a
quiet and diplomatic manner that is invisible behind the rhetoric that
comes out of other parts of that organization. The FSF claims to have built the free software
community, but it toots its own horn rather less on the subject of GPL
compliance. But the FSF's GPL work plays a crucial role in keeping the
free software community going; we owe them a debt of gratitude for the work
they do to ensure that the terms of our licenses are respected. In the
LinkSys case, we also owe them some space and time to do their work. The
FSF has been highly successful in resolving GPL violations without the need
for long and expensive court cases. With some luck and patience, we can
hope to see a similar resolution here.
Comments (35 posted)
As much as we might have wished that the SCO case would have gone away over
the last week, it's still there. So here's the obligatory update on what
has been happening...
IBM has filed a new set of counterclaims against SCO. The full, new filing
is available in PDF
format. The new material is relatively small, and makes three points.
The first of those points is a promissory estoppel claim. SCO, says IBM,
promised that it would distribute Linux only under the terms of the GPL.
IBM, acting on those promises, has now been burned, and has suffered an
injury as a result. IBM claims damages to compensate for that injury, but
the real purpose of the estoppel claim is to shut SCO up:
In addition to an award of damages, IBM is entitled to declaratory
and injunctive relief, including but not limited to a declaration
that SCO is not entitled to assert proprietary rights with respect
to products distributed by SCO under the GPL except upon the terms
set out in the GPL.
"Estoppel" says that a company cannot behave in one way, allow others to act
based on that behavior, then change the rules afterwards. IBM is claiming
that this is exactly what SCO is trying to do in this situation, and is
asking the court to put a stop to it.
The second new counterclaim alleges copyright infringement based on
violations of the GPL. This claim is different from (and additional to)
the GPL violation claim in IBM's first counterfiling. Whereas the previous
claim was a breach of contract claim (SCO did not live up to the
obligations it took on when it accepted the GPL), the new one is a pure
infringement claim. IBM lists several contributions for which it has
registered its copyrights (they include EVMS, dynamic probes, PowerPC
support, the Omni print driver, JFS, and others), and claims:
SCO has infringed and is infringing IBM's copyrights by copying,
modifying, sublicensing and/or distributing Linux products except
as expressly provided under the GPL. SCO has taken copyrighted
source code made available by IBM under the GPL, included that code
in SCO's Linux products, and copied, modified, sublicensed and/or
distributed those products other than as permitted under the
GPL. SCO has no right - and has never had any right - to copy,
modify, sublicense and/or distribute the IBM copyrighted code
except pursuant to the GPL.
The last new counterclaim is a request for a declaratory judgment along the
lines of Red Hat's suit. Essentially, IBM is asking the court to make SCO
shut up.
SCO's response came in the form of yet
another
strange press release. SCO has nothing to say about IBM's description
of its behavior; instead, the company has gone for a flat-out attack on the
GPL:
IBM, not SCO, has brought the GPL into the legal controversy
between the two companies. SCO believes that the GPL -- created by
the Free Software Foundation to supplant current U.S. copyright
laws -- is a shaky foundation on which to build a legal case. By
contrast, SCO continues to base its legal claims on well-settled
United States contract laws and United States copyright laws.
The GPL has never faced a full legal test, and SCO believes that it will
not stand up in court.
We asked SCO how it is that the GPL serves "to supplant current US
copyright laws" while its own software licenses do not, but SCO chose not
to answer us. Regardless,
what SCO hopes to gain by attacking the GPL is unclear; its
legal theories on the subject are bizarre at best. But if the GPL fails,
then SCO will never have had a valid license to distribute Linux at all.
It would be interesting to hear how SCO justifies its continued
distribution of the Linux kernel if it believes it lacks a valid license
to do so.
Red Hat, meanwhile, has filed a "memorandum in opposition" to SCO's
attempt to get Red Hat's lawsuit summarily dismissed. Groklaw has posted
the motion in
PDF format. Also on Groklaw is this
detailed analysis of Red Hat's motion which covers the relevant points.
SCO also claimed that its speech was protected by the First
Amendment. Frankly, that argument is so funny it seems pointless to
stay up late to explain it to you... Red Hat had to actually
research the point and answer it in detail. I'll bet they were
rolling on the floor laughing though. Once they pulled themselves
together, they point out to the judge that there are laws
specifically written that forbid companies from making 'false or
misleading statements' about another's product, and it's called the
Lanham Act...
As expected, the SCO Group has also expanded the battle to include SGI.
Very little has been said in public (we're waiting for the inevitable
conference call), but a couple of alert readers found the following in SGI's
annual report as filed with the U.S. Securities and Exchange
Commission:
We have received a letter from SCO Group alleging that, as a result
of our activities related to the Linux operating system, we are in
breach of the fully-paid license under which we distribute our IRIX
operating system. The letter purports to terminate our UNIX System
V license effective October 14, 2003.
SGI believes, like IBM, that its Unix license cannot be terminated in this
manner. SCO arguably has a better case against SGI, since SGI did actually
allow a small amount of SYSV code to slip into its Linux kernel
contributions. SCO will have a hard time talking a tiny infringement
involving code that, by some reckoning, is in the public domain into a
major case, however.
Speaking of SGI's actions, the company has posted a letter to the Linux
community from software VP Rich Altmaier. The letter admits that the
ate_malloc() code shown by SCO could have been taken from SYSV,
though SGI also reiterates the claim that the code in question may well
have entered the public domain. SGI has sent patches to its customers
removing the code in question, but it has not stopped there:
Following this occurrence, we continued our investigation to
determine whether any other code in the Linux kernel was even
conceivably implicated. As a result of that exhaustive
investigation, SGI has discovered a few additional code segments
(similar in nature to the segments referred to above and trivial in
amount) that may arguably be related to UNIX code. We are in the
process of removing and replacing these segments.
In other words, the Linux kernel has now been compared to the Unix code
base by somebody other than SCO, and it has been given an (almost) clean
bill of health.
SGI's letter also denies that SCO has any claim to the XFS filesystem. XFS
is explicitly claimed as SGI's work.
It may be that SCO is taking the position that merely because XFS
is also distributed along with IRIX it is somehow subject to the
System V license. But if so, this is an absurd position, with no
basis either in the license or in common sense. In fact, our UNIX
license clearly provides that SGI retains ownership and all rights
as to all code that was not part of AT&T's UNIX System V.
The position described is, of course, exactly the claims SCO has made
against IBM.
Finally, remember that the SCO City-to-City
Tour starts on October 7. Those of you in or near Toronto,
Boston, Chicago, Vancouver, Dallas, Orlando, Newark, Minneapolis,
St. Louis, Irvine, or Atlanta may want to consider signing up to share your
views with the company.
Comments (4 posted)
As the 2.6 kernel slowly approaches release, it is natural that vendors and
users are becoming more interested in what this kernel has to offer. But
some distributors may be jumping the gun a bit with this kernel. Consider
these announcements:
- LynuxWorks announced
that a beta version of BlueCat Linux 5.0, a 2.6-based embedded
distribution, was available. Says LynuxWorks: "The embedded
developer community has been eagerly anticipating the availability of
the Linux 2.6 kernel and we are proud to offer the first embedded
operating system ready for beta testing."
- SuSE has stated that SuSE
Linux 9.0 will have a 2.6 kernel option.
- SnapGear has released
SnapGear Embedded Linux 3.0, which is based on the 2.6 kernel.
The company claims to have the "world's first production Linux system
powered by the 2.6 kernel."
The only problem, of course, is that there is no 2.6 kernel. The
2.6.0-test series is not the 2.6 kernel. It remains in active
development, and many parts of it are still volatile. The most recent
release (2.6.0-test6) included a fundamental change in the dev_t
device number type, a bunch of scheduler work, numerous power management
patches, and a lot of other changes. A number of important kernel
interfaces are still in flux. Auditing for security problems still needs
to be done.
One should also bear in mind that most stable kernels do not truly
stabilize until several releases after "dot-zero."
The 2.5 kernel development series looks to be one of the most successful in
quite some time. Many important objectives have been attained, and the
2.6.0-test kernels appear to be quite stable for most users. It is
certainly an appropriate time for distributors to consider offering a 2.6
preview kernel, as SuSE will do with its 9.0 release. But it is too soon
to present a 2.6-based distribution as being "production ready." Any
distributor which is offering the 2.6 kernel as anything other than an
early preview for testing purposes is not being entirely honest. We'll
have our stable,
2.6-based distributions sometime in 2004; some things cannot be rushed.
Comments (13 posted)
Page editor: Jonathan Corbet
Security
Brief items
The National Infrastructure Security Co-ordination Centre (NISCC) is an
organization within the UK Government, set up to defend against electronic
attack. As part of that
mandate, the NISCC recently prepared a test suite to check the operation of
SSL/TLS software when presented with a wide range of malformed client
certificates. Dr Stephen Henson of the OpenSSL core team identified and
prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 code
when running the test suite. Since these vulnerabilities were found during
code review, there are no known exploits, and there won't be any as long as
everyone updates their systems in a timely fashion. Many distributions
have already provided updates for these problems, shown in the new
vulnerability report listed below.
All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay are affected, as well as any application that makes use
of OpenSSL's ASN1 library to parse untrusted data. This includes all SSL or
TLS applications, those using S/MIME (PKCS#7) or certificate generation
routines.
From the advisory:
- Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6. The Common
Vulnerabilities and Exposures project has assigned the name
CAN-2003-0545 for this issue.
- Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.
The Common Vulnerabilities and Exposures project has assigned the names
CAN-2003-0543 and
CAN-2003-0544 for this issue.
- A malformed public key in a certificate will crash the verify code
if it is set to ignore public key decoding errors. Public key decode
errors are not normally ignored, except for debugging purposes, so this
is unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.
- Due to an error in the SSL/TLS protocol handling, a server will
parse a client certificate when one is not specifically requested. This
by itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client
authentication.
All OpenSSL users should upgrade to OpenSSL 0.9.7c or 0.9.6k and recompile
any OpenSSL applications statically linked to OpenSSL libraries.
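As an added example (not OpenSSL's own code, and not taken from the NISCC test suite), the following C decoder shows the kind of bounds checking the advisory's second and fourth items are about: a DER tag/length header is decoded only after each byte has been confirmed to lie inside the buffer, so an unusual tag encoding or a malformed length yields an error code rather than an out-of-bounds read. The sample byte strings at the end are constructed for the demonstration.

```c
/* Added example, not OpenSSL code: a bounds-checked DER tag/length decoder.
 * Every byte is checked against the remaining input before it is read, so
 * unusual tag encodings and truncated or malformed lengths are rejected with
 * an error code instead of causing an out-of-bounds read. */
#include <stddef.h>
#include <stdint.h>

enum { DER_OK = 0, DER_TRUNCATED = -1, DER_BAD_TAG = -2, DER_BAD_LEN = -3 };

struct der_hdr {
    uint8_t  cls;         /* tag class: 0 universal, 1 application, 2 context, 3 private */
    int      constructed; /* 1 if constructed, 0 if primitive */
    uint32_t tag;         /* tag number */
    size_t   hdr_len;     /* bytes used by the tag and length octets */
    size_t   len;         /* length of the content octets */
};

/* Decode one tag + length header from buf[0..buflen). On success the content
 * octets are guaranteed to lie entirely within buf. h may be NULL when only
 * the status is wanted. */
int der_read_hdr(const uint8_t *buf, size_t buflen, struct der_hdr *h)
{
    size_t i = 1, len;
    uint32_t tag;
    uint8_t l;
    if (buflen == 0) return DER_TRUNCATED;
    tag = buf[0] & 0x1f;
    if (tag == 0x1f) {
        /* High-tag-number form: base-128 digits, high bit set on all but the last. */
        tag = 0;
        for (;;) {
            uint8_t b;
            if (i >= buflen) return DER_TRUNCATED;
            b = buf[i++];
            if (tag == 0 && (b & 0x7f) == 0) return DER_BAD_TAG; /* leading zero digit */
            if (tag > (UINT32_MAX >> 7)) return DER_BAD_TAG;     /* tag number overflow */
            tag = (tag << 7) | (b & 0x7f);
            if (!(b & 0x80)) break;
        }
        if (tag < 0x1f) return DER_BAD_TAG;                      /* short form was required */
    }
    if (i >= buflen) return DER_TRUNCATED;
    l = buf[i++];
    if (l < 0x80) {
        len = l;                                                 /* short form */
    } else if (l == 0x80) {
        return DER_BAD_LEN;                                      /* indefinite length: not DER */
    } else {
        size_t nbytes = l & 0x7f, k;
        if (nbytes > sizeof(size_t)) return DER_BAD_LEN;         /* cannot represent length */
        if (nbytes > buflen - i) return DER_TRUNCATED;           /* length octets run past end */
        len = 0;
        for (k = 0; k < nbytes; k++) {
            if (k == 0 && buf[i] == 0) return DER_BAD_LEN;       /* non-minimal length */
            len = (len << 8) | buf[i++];
        }
        if (len < 0x80) return DER_BAD_LEN;                      /* short form was required */
    }
    if (len > buflen - i) return DER_TRUNCATED;                  /* content runs past end */
    if (h) {
        h->cls = buf[0] >> 6; h->constructed = (buf[0] & 0x20) != 0;
        h->tag = tag; h->hdr_len = i; h->len = len;
    }
    return DER_OK;
}

/* Walk the children of a constructed value and return their count, or a
 * negative error the moment a child would not fit inside its parent. */
int der_count_children(const uint8_t *buf, size_t buflen)
{
    struct der_hdr parent, child;
    const uint8_t *p;
    size_t remaining;
    int count = 0, rc;
    rc = der_read_hdr(buf, buflen, &parent);
    if (rc != DER_OK) return rc;
    if (!parent.constructed) return DER_BAD_TAG;
    p = buf + parent.hdr_len;
    remaining = parent.len;
    while (remaining > 0) {
        rc = der_read_hdr(p, remaining, &child);
        if (rc != DER_OK) return rc;       /* stop here rather than read on */
        p += child.hdr_len + child.len;
        remaining -= child.hdr_len + child.len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from any real certificate). */
static const uint8_t sample_seq[]     = {0x30,0x07, 0x02,0x01,0x05, 0x04,0x02,'a','b'};
static const uint8_t sample_badtag[]  = {0x1f,0x80,0x01};                /* leading zero tag digit */
static const uint8_t sample_indef[]   = {0x30,0x80,0x00,0x00};           /* indefinite length */
static const uint8_t sample_longlen[] = {0x04,0x81,0x05,'a','b','c','d','e'}; /* non-minimal length */
```

Dropping the last byte of sample_seq makes the inner walk report DER_TRUNCATED instead of reading one byte past the buffer, which is the behaviour the advisory's fixes restore.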
Comments (3 posted)
New vulnerabilities
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
| CVE #(s): | |
| Created: | September 29, 2003 |
| Updated: | March 25, 2004 |

Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Comments (none posted)
freesweep: buffer overflow
| Package(s): | freesweep |
| CVE #(s): | CAN-2003-0828 |
| Created: | October 1, 2003 |
| Updated: | October 1, 2003 |

Description: freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group.
Comments (none posted)
lsh: remotely exploitable buffer overflow
| Package(s): | lsh |
| CVE #(s): | CAN-2003-0831 |
| Created: | October 1, 2003 |
| Updated: | October 1, 2003 |

Description: lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details.
Comments (none posted)
marbles: buffer overflow
| Package(s): | marbles |
| CVE #(s): | CAN-2003-0830 |
| Created: | October 1, 2003 |
| Updated: | October 1, 2003 |

Description: The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group.
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
| CVE #(s): | CAN-2003-0835 |
| Created: | September 29, 2003 |
| Updated: | April 6, 2004 |

Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Comments (none posted)
openssl: vulnerabilities in ASN.1 code
| Package(s): | openssl |
| CVE #(s): | CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 |
| Created: | September 30, 2003 |
| Updated: | November 4, 2003 |

Description: Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay.

An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544.

It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545.

CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.
Comments (none posted)
webfs: buffer overflows, file and directory exposure
| Package(s): | webfs |
| CVE #(s): | CAN-2003-0832, CAN-2003-0833 |
| Created: | September 29, 2003 |
| Updated: | October 1, 2003 |

Description: Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP server for static content.

CAN-2003-0832 - When virtual hosting is enabled, a remote client could specify ".." as the hostname in a request, allowing retrieval of directory listings or files above the document root.

CAN-2003-0833 - A long pathname could overflow a buffer allocated on the stack, allowing execution of arbitrary code. In order to exploit this vulnerability, it would be necessary to be able to create directories on the server in a location which could be accessed by the web server. In conjunction with CAN-2003-0832, this could be a world-writable directory such as /var/tmp.
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
| CVE #(s): | CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476, CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552 |
| Created: | July 21, 2003 |
| Updated: | December 24, 2003 |

Description: Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.
- CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Comments (none posted)
autorespond: buffer overflow
| Package(s): | autorespond |
| CVE #(s): | CAN-2003-0654 |
| Created: | August 18, 2003 |
| Updated: | October 1, 2003 |

Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |

Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

See also CERT Advisory CA-2002-19, "Buffer Overflow in Multiple DNS Resolver Libraries".
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |

Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
Comments (none posted)
eroaster: insecure temporary file
| Package(s): | eroaster |
| CVE #(s): | CAN-2003-0656 |
| Created: | August 19, 2003 |
| Updated: | October 1, 2003 |

Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432 |
| Created: | June 23, 2003 |
| Updated: | November 10, 2003 |

Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Comments (none posted)
exim: buffer overflows
| Package(s): | exim exim-tls |
| CVE #(s): | CAN-2003-0743 |
| Created: | September 5, 2003 |
| Updated: | October 1, 2003 |

Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |

Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Comments (none posted)
fdclone: insecure temporary directory
| Package(s): | fdclone |
| CVE #(s): | CAN-2003-0596 |
| Created: | July 23, 2003 |
| Updated: | October 1, 2003 |

Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |

Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Comments (3 posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |

Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
| CVE #(s): | CAN-2003-0255 |
| Created: | May 16, 2003 |
| Updated: | November 18, 2003 |

Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Comments (none posted)
gopherd: buffer overflow
| Package(s): | gopher |
| CVE #(s): | CAN-2003-0805 |
| Created: | September 24, 2003 |
| Updated: | September 24, 2003 |

Description: The University of Minnesota gopherd daemon has a set of remotely exploitable buffer overflows which can allow an attacker to execute code as the "gopher" user. Both remaining gopher servers are advised to upgrade in the near future.
Comments (3 posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |

Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
Comments (none posted)
hztty: buffer overflow vulnerability
| Package(s): | hztty |
| CVE #(s): | CAN-2003-0783 |
| Created: | September 24, 2003 |
| Updated: | September 24, 2003 |

Description: hztty (a program for translating Chinese character encodings) has a pair of buffer overflow vulnerabilities which can be exploited by a local attacker. This problem is compounded on Debian systems by the fact that hztty is (unnecessarily) installed setuid root. Version 2.0-6 has the fix.
Comments (none posted)
ipmasq: insecure packet filtering rules
| Package(s): | ipmasq |
| CVE #(s): | CAN-2003-0785 |
| Created: | September 22, 2003 |
| Updated: | September 24, 2003 |

Description: ipmasq is a package which simplifies configuration of Linux IP masquerading, a form of network address translation which allows a number of hosts to share a single public IP address. Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for an internal host would be forwarded, regardless of whether it was associated with an established connection. This vulnerability could be exploited by an attacker capable of forwarding IP traffic with an arbitrary destination address to the external interface of a system with ipmasq installed.
Comments (none posted)
KDE: Two issues in KDM
| Package(s): | kde, xfree86 |
| CVE #(s): | CAN-2003-0690, CAN-2003-0692 |
| Created: | September 16, 2003 |
| Updated: | December 19, 2003 |

Description: According to this advisory two issues have been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure.

All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |

Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

    chmod -s /usr/bin/uml_net
Comments (none posted)
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb |
CVE #(s): | CAN-2003-0686
|
| Created: | August 26, 2003 |
Updated: | October 1, 2003 |
| Description: |
libpam-smb is a PAM authentication module which makes it possible to
authenticate users against a password database managed by Samba or a
Microsoft Windows server. If a long password is supplied, this can cause a
buffer overflow which could be exploited to execute arbitrary code with the
privileges of the process which invokes PAM services. See this advisory for more information.
CAN-2003-0686 |
| Alerts: |
|
Comments (1 posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | October 1, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mindi: insecure file creations
| Package(s): | mindi |
CVE #(s): | CAN-2003-0617
|
| Created: | September 2, 2003 |
Updated: | October 1, 2003 |
| Description: |
Mindi versions prior to 0.86 create files in /tmp in a way that could allow a local
user to overwrite arbitrary files.
CAN-2003-0617 |
| Alerts: |
|
Comments (none posted)
mpg123 - buffer overflow
| Package(s): | mpg123 |
CVE #(s): | CAN-2003-0577
|
| Created: | July 16, 2003 |
Updated: | September 30, 2003 |
| Description: |
The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file. |
| Alerts: |
|
Comments (none posted)
mysql: arbitrary code execution
| Package(s): | mysql |
CVE #(s): | CAN-2003-0780
|
| Created: | September 15, 2003 |
Updated: | October 9, 2003 |
| Description: |
Frank Denis
reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and
earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users
are stored in the "Password" field of the "User" table, part of the "mysql"
database. The passwords are hashed and stored as a 16-character
hexadecimal value. Unfortunately, a function involved in password checking
lacks correct bounds checking. By filling a "Password" field with a value
wider than 16 characters, a buffer overflow will occur. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0780 to the problem. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netris: buffer overflow
| Package(s): | netris |
CVE #(s): | CAN-2003-0685
|
| Created: | August 18, 2003 |
Updated: | October 1, 2003 |
| Description: |
Shaun Colley discovered a buffer overflow vulnerability in netris, a
network version of a popular puzzle game. A netris client connecting
to an untrusted netris server could be sent an unusually long data
packet, which would be copied into a fixed-length buffer without
bounds checking. This vulnerability could be exploited to gain the
privileges of the user running netris in client mode, if they connect
to a hostile netris server.
CAN-2003-0685 |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
The Linux NFS utils package contains a remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending a
specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
openssh: multiple PAM vulnerabilities in Portable OpenSSH versions 3.7p1
and 3.7.1p1
| Package(s): | openssh |
CVE #(s): | |
| Created: | September 23, 2003 |
Updated: | October 1, 2003 |
| Description: |
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with privsep disabled).
See this advisory for details. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSH: buffer management error
| Package(s): | OpenSSH |
CVE #(s): | CAN-2003-0693
|
| Created: | September 16, 2003 |
Updated: | October 1, 2003 |
| Description: |
All versions of
OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is
uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete.
See the second advisory for details.
CAN-2003-0693 |
| Alerts: |
|
Comments (none posted)
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
CVE #(s): | CAN-2003-0672
|
| Created: | August 11, 2003 |
Updated: | October 1, 2003 |
| Description: |
Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the
username to be used for authentication is used as a format string when
writing a log message. This vulnerability may allow an attacker to
execute arbitrary code with the privileges of the program requesting
PAM authentication.
CAN-2003-0672 |
| Alerts: |
|
Comments (none posted)
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
CVE #(s): | CAN-2003-0615
|
| Created: | July 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
obscure@eyeonsecurity.org reported a
cross site scripting vulnerability in the CGI.pm perl module. This module
is used to facilitate the creation of web forms and is part of the
perl-modules RPM package.
CAN-2003-0615 |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | October 1, 2003 |
| Description: |
Two vulnerabilities exist in the mail() PHP function. The first allows
the execution of any program/script, bypassing the safe_mode restriction; the
second may turn a script into an open relay if the mail() function is not
used carefully in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
CVE #(s): | CAN-2003-0504
CAN-2003-0582
|
| Created: | July 16, 2003 |
Updated: | October 1, 2003 |
| Description: |
Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site
scripting issues that can be exploited to obtain sensitive information such
as authentication cookies.
See this
Security Corporation report for more information.
CAN-2003-0504
CAN-2003-0582 |
| Alerts: |
|
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
CVE #(s): | CAN-2003-0468
CAN-2003-0540
|
| Created: | August 5, 2003 |
Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
|
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
CVE #(s): | |
| Created: | February 12, 2003 |
Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
proftpd: remote root shell
| Package(s): | proftpd |
CVE #(s): | CAN-2003-0831
|
| Created: | September 24, 2003 |
Updated: | January 2, 2004 |
| Description: |
The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. |
| Alerts: |
|
Comments (2 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | October 1, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
sane-backends: several vulnerabilities
| Package(s): | sane-backends |
CVE #(s): | CAN-2003-0773
CAN-2003-0774
CAN-2003-0775
CAN-2003-0776
CAN-2003-0777
CAN-2003-0778
|
| Created: | September 11, 2003 |
Updated: | February 20, 2004 |
| Description: |
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segmentation fault and/or consume arbitrary
amounts of memory. The attack is successful even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused" saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the
code. So connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory. So random memory "after" the wire
buffer is read which will be followed by a segmentation fault.
- CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (->saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
- CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
- CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).
|
| Alerts: |
|
Comments (none posted)
semi: insecure temporary file
| Package(s): | semi, wemi |
CVE #(s): | CAN-2003-0440
|
| Created: | July 7, 2003 |
Updated: | October 1, 2003 |
| Description: |
semi, a MIME library for GNU Emacs, does not take appropriate
security precautions when creating temporary files. This bug could
potentially be exploited to overwrite arbitrary files with the
privileges of the user running Emacs and semi, potentially with
contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug.
CAN-2003-0440 |
| Alerts: |
|
Comments (none posted)
sendmail: bad DNS reply causes crash
| Package(s): | sendmail |
CVE #(s): | CAN-2003-0688
|
| Created: | August 26, 2003 |
Updated: | October 1, 2003 |
| Description: |
There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x
versions with respect to DNS maps. The bug did not exist in versions before
8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9,
released March 29, 2003. See this advisory for more
information.
CAN-2003-0688 |
| Alerts: |
|
Comments (none posted)
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail |
CVE #(s): | CAN-2003-0694
CAN-2003-0681
|
| Created: | September 17, 2003 |
Updated: | November 18, 2003 |
| Description: |
Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. |
| Alerts: |
|
Comments (none posted)
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel |
CVE #(s): | CAN-2002-1563
|
| Created: | July 25, 2003 |
Updated: | November 25, 2003 |
| Description: |
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service. |
| Alerts: |
|
Comments (none posted)
sup: insecure temporary file
| Package(s): | sup |
CVE #(s): | CAN-2003-0606
|
| Created: | July 29, 2003 |
Updated: | October 1, 2003 |
| Description: |
sup, a package used to maintain collections of files in identical
versions across machines, fails to take appropriate security
precautions when creating temporary files. A local attacker could
exploit this vulnerability to overwrite arbitrary files with the
privileges of the user running sup.
CAN-2003-0606 |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
teapop: SQL injection
| Package(s): | teapop |
CVE #(s): | CAN-2003-0515
|
| Created: | July 9, 2003 |
Updated: | October 1, 2003 |
| Description: |
teapop, a POP-3 server, includes modules for authenticating users
against a PostgreSQL or MySQL database. These modules do not properly
escape user-supplied strings before using them in SQL queries. This
vulnerability could be exploited to execute arbitrary SQL under the
privileges of the database user as which teapop has authenticated.
CAN-2003-0515 |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
unzip: directory traversal vulnerability
| Package(s): | unzip |
CVE #(s): | CAN-2003-0282
|
| Created: | July 1, 2003 |
Updated: | November 13, 2003 |
| Description: |
A vulnerability in unzip version 5.50 and earlier allows attackers to
overwrite arbitrary files during archive extraction by placing invalid
(non-printable) characters between two "." characters. These non-printable
characters are filtered, resulting in a ".." sequence. See the full
advisory for further information. |
| Alerts: |
|
Comments (none posted)
vim - modeline vulnerability
| Package(s): | vim |
CVE #(s): | CAN-2002-1377
|
| Created: | January 16, 2003 |
Updated: | February 10, 2004 |
| Description: |
VIM allows a user to set the modeline differently for each edited text file
by placing special comments in the files. Georgi Guninski found that these
comments can be carefully crafted in order to call external programs. This
could allow an attacker to create a text file such that when it is opened
arbitrary commands are executed. |
| Alerts: |
|
Comments (4 posted)
vixie-cron: Local vulnerability
| Package(s): | vixie-cron |
CVE #(s): | CVE-2001-0559
|
| Created: | April 17, 2003 |
Updated: | October 3, 2003 |
| Description: |
From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in
LWN on the May 10,
2001 security page. |
| Alerts: |
|
Comments (none posted)
webmin: session ID spoofing
| Package(s): | webmin |
CVE #(s): | CAN-2003-0101
|
| Created: | June 13, 2003 |
Updated: | November 18, 2003 |
| Description: |
miniserv.pl in the webmin package does not properly handle
metacharacters, such as line feeds and carriage returns, in
Base64-encoded strings used in Basic authentication. This
vulnerability allows remote attackers to spoof a session ID, and
thereby gain root privileges. |
| Alerts: |
|
Comments (none posted)
wget: directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | October 1, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997.
CAN-2002-1344 |
| Alerts: |
|
Comments (none posted)
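The tar/unzip entry, the unzip 5.50 entry and this wget entry all come down to one decision: a name supplied by an untrusted archive or server is checked for ways to escape the target directory, and in each case the check was incomplete, or ran after a "cleanup" step that produced the very sequence it looked for. The following is an added example in C (not code from tar, unzip, wget or LWN; the function names are my own) of a validator that rejects rather than rewrites, plus a stricter variant for FTP NLST replies, where RFC 959 promises bare file names and any directory separator is a sign the server is misbehaving.

```c
/* Added example (not code from tar, unzip, wget or LWN): conservative
 * checks for file names received from an untrusted archive or FTP listing.
 * Rule: validate the raw name first; never strip characters and then trust
 * the result, since stripping is what turned "..<ctrl>." into ".." in unzip. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true only if `name` is a relative path whose every component is
 * an ordinary name: no leading "/", no "." or ".." component, no empty
 * component ("a//b"), no control or non-printable bytes. A trailing "/"
 * (a directory entry such as "dir/") is accepted. */
bool safe_extract_name(const char *name)
{
    size_t i, start, n;

    if (name == NULL || name[0] == '\0')
        return false;
    if (name[0] == '/')                  /* absolute path: would write outside cwd */
        return false;

    n = strlen(name);
    /* Reject non-printable bytes outright instead of filtering them out. */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f)
            return false;
    }

    /* Walk each "/"-separated component. */
    start = 0;
    for (i = 0; i <= n; i++) {
        if (i == n || name[i] == '/') {
            size_t len = i - start;
            if (len == 0) {
                if (i == n && i > 0)
                    break;                /* "dir/": trailing separator only */
                return false;             /* "a//b" */
            }
            if (len == 1 && name[start] == '.')
                return false;             /* "." component */
            if (len == 2 && name[start] == '.' && name[start + 1] == '.')
                return false;             /* ".." component */
            start = i + 1;
        }
    }
    return true;
}

/* For an FTP NLST reply (the wget case): the protocol promises bare file
 * names, so any '/' at all means the server is sending directory
 * information and the name must be refused, not fixed up. */
bool safe_listing_name(const char *name)
{
    if (!safe_extract_name(name))
        return false;
    return strchr(name, '/') == NULL;
}

int main(void)
{
    /* Constructed samples, one per failure mode described in the entries. */
    const char *names[] = { "docs/readme.txt", "/etc/passwd", "../.rhosts",
                            "..\x01./.shosts", "a//b", "dir/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               safe_extract_name(names[i]) ? "accepted" : "REJECTED");
    return 0;
}
```

An extraction tool that wants to accept ".." components for convenience should at least resolve the final path and confirm it still lies beneath the destination directory; refusing them outright, as here, is the simpler policy and is what later versions of these tools adopted by default.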
wget: buffer overflow
| Package(s): | wget |
CVE #(s): | CAN-2003-1565
|
| Created: | August 5, 2003 |
Updated: | December 10, 2003 |
| Description: |
The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. |
| Alerts: |
|
Comments (1 posted)
wu-ftpd: off-by-one bug
| Package(s): | wu-ftpd |
CVE #(s): | CAN-2003-0466
|
| Created: | July 31, 2003 |
Updated: | October 5, 2003 |
| Description: |
An off-by-one bug has been discovered in versions of wu-ftpd up to and
including 2.6.2. On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges. See this advisory for more details. |
| Alerts: |
|
Comments (none posted)
wu-ftpd: insecure program execution
| Package(s): | wu-ftpd |
CVE #(s): | CVE-1999-0997
|
| Created: | September 5, 2003 |
Updated: | September 24, 2003 |
| Description: |
wu-ftpd, an FTP server, implements a feature whereby multiple files
can be fetched in the form of a dynamically constructed archive file,
such as a tar archive. The names of the files to be included are
passed as command line arguments to tar, without protection against
them being interpreted as command-line options. GNU tar supports
several command line options which can be abused, by means of this
vulnerability, to execute arbitrary programs with the privileges of
the wu-ftpd process. |
| Alerts: |
|
Comments (1 posted)
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
CVE #(s): | CAN-2002-0818
|
| Created: | August 14, 2002 |
Updated: | October 1, 2003 |
| Description: |
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
CAN-2002-0818 |
| Alerts: |
|
Comments (none posted)
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 |
CVE #(s): | CAN-2003-0730
|
| Created: | September 12, 2003 |
Updated: | November 25, 2003 |
| Description: |
Several vulnerabilities were discovered by blexim(at)hush.com in the font
libraries of XFree86 version 4.3.0 and earlier. These bugs could
potentially lead to execution of arbitrary code or a DoS by a remote user
through any code path that calls the affected functions, which are related to the transfer
and enumeration of fonts from font servers to clients. See the
advisory for additional details.
|
| Alerts: |
|
Comments (none posted)
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
CVE #(s): | CAN-2003-0211
|
| Created: | May 13, 2003 |
Updated: | November 13, 2003 |
| Description: |
Xinetd is a 'master server' that is used to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a
connection was refused for any reason. An attacker could exploit this flaw
to crash the xinetd server, rendering all services it controls unavailable.
In addition, other flaws in xinetd could cause incorrect operation in
certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11 which is not
vulnerable to these issues. |
| Alerts: |
|
Comments (none posted)
zblast: buffer overflow
| Package(s): | zblast |
CVE #(s): | CAN-2003-0613
|
| Created: | August 11, 2003 |
Updated: | October 1, 2003 |
| Description: |
Steve Kemp discovered a buffer overflow in zblast-svgalib, when saving
the high score file. This vulnerability could be exploited by a local
user to gain gid 'games', if they can achieve a high score.
CAN-2003-0613 |
| Alerts: |
|
Comments (1 posted)
Resources
The first issue of Infocon Magazine is now available online. Available
articles include an interview with Dan Kuehl, a "psychological operations
interview" with a NATO deputy commander, discussions of business continuity
planning, economic espionage, and more.
Full Story (comments: none)
This week's
Linux Advisory Watch and
Linux Security Week newsletters from
LinuxSecurity.com are available.
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current development kernel is 2.6.0-test6, which was finally
released by Linus on September 27. The
most significant change in this kernel, perhaps, is the long-awaited
expansion of
dev_t to 32 bits (as covered in
last week's LWN Kernel Page).
Other patches which have been merged include a device mapper update,
some NFS updates, a big I2C update, Con Kolivas's and Ingo Molnar's
scheduler interactivity patches, a Coda filesystem update, some initramfs
tweaks, improvements in random driver locking, the removal of some ext3
debugging hooks, direct I/O support for reiserfs, some CPU frequency work,
numerous power management patches, an Intel SpeedStep-SMI driver, a
substantial amount of janitorial work, and lots of fixes. The
long-format changelog has the details.
Note that 2.6.0-test6 changed the semantics of
/proc slightly as part of an effort to get thread information
represented properly. That change may be reverted in a future release.
Linus's BitKeeper tree contains, as of this writing, a janitorial effort to
move EXPORT_SYMBOL calls out of ksyms.c to the places
where the exported symbols are actually defined, some IDE driver updates,
and lots of fixes.
The current stable kernel is 2.4.22. Marcelo released 2.4.23-pre6 on October 1; it fixes a
number of ACPI problems, adds SCTP support, and includes the usual pile of
fixes and updates.
Comments (none posted)
Kernel development news
The Linux kernel currently allows any process to be a member of up to 32
groups at the same time. As with many such limits, the 32-group allowance
is sufficient for most users, but not for all. In fact, some users have a
need for significantly more group memberships than that.
This problem came to Rusty Russell's attention; it seems there is a client
down under with a need for almost 200 simultaneous groups. The client is
running Samba-based servers and having to deal with NT's hierarchical group
structure. So Rusty sent out a patch making
the maximum number of groups adjustable via a sysctl file. If a process
expands to more than 32 groups, the code will dynamically allocate an array
to store them all.
Rusty's patch asked for comments, and got them in the form of a rather
exasperated note from Tim Hockin. Tim has been posting a very similar
patch for quite some time; LWN included a
version of this patch back in October, 2002. Despite repeated posts,
the patch had never been picked up and merged.
In response to Tim's note,
Rusty set about the task of merging the two patches.
It turns out that Tim's needs were a little different, however; his
customers need, for some reason, to have processes be members of up to
10,000 groups. That changes things a bit. So, among other things, the
combined patch will use vmalloc() to allocate the array of group
IDs should an attempt with kmalloc() fail. Since
vmalloc() can create large virtual arrays in kernel space through
the use of page tables, it works better when large, virtually contiguous
chunks of memory are required.
That approach didn't fly with Linus,
however; he asked: "Have you been looking at glibc sources lately, or
why do you believe that we should encourage insane usage?" These
comments have led Tim to take a turn reworking the patch. In his version,
the kernel maintains a list of individual pages full of group IDs when the
need arises. The lists are shared and reference counted (to help avoid
unnecessary copying); they are also sorted so that searches are quick.
Given that Linus is "definitely happier about
this one," there is a distinct possibility that it may yet find its way
into the 2.6 kernel. Sometimes, getting your patch in is just a matter of
waiting for somebody else to reimplement it.
Comments (4 posted)
Joerg Schilling has a
complaint. If you try
to include the kernel header file
include/linux/scsi/scsi.h in a
user-space program, a number of compilation errors are the result. Joerg
had reported the problem a good year ago, but it remains unfixed.
"Is there no interest in user applications for kernel features or is
there just no kernel maintainer left over who makes the needed
work?"
The initial reaction from the kernel developers was rather unsympathetic.
In the modern world, applications are not supposed to be including kernel
header files directly. Instead, they should use whatever sanitized version
is provided by glibc. Anybody who tries to include kernel headers into
user-space applications should not complain when things fail to work.
In the real world, however, such a simple answer is not sufficient. The
kernel exports a vast number of interfaces; consider just the various
ioctl() calls offered by innumerable device drivers and
subsystems, for example. Even if the communications between the kernel and
glibc developers were better than they are, it would be difficult to expect
the glibc people to keep up with every obscure interface that gets added to
the kernel. As David Miller put it:
Even if one is of the opinion that nobody should be including the
kernel headers, you must fully realize that as a matter of
practicality people absolutely must do this to use many kernel
interfaces to their full extent. Suggest changes to fix the
problems, but just saying "don't include kernel header in your user
apps, NYAH NYAH NYAH!" does not help anyone at all.
For the short term, David suggests that the relevant kernel header files
should simply be fixed so that they work when included into user-space
programs.
In the longer term, there is clearly a need to get a better handle on what,
exactly, the interface between kernel and user space is. One approach that
is being taken in this direction is to push kernel interfaces into virtual
filesystems such as sysfs. Interfaces defined in this way are explicit and
visible, and they rarely require any C header file support at all. The
virtual filesystem approach works well in many cases, but it is unlikely to
replace other kernel interfaces entirely.
So it is still necessary to, somehow, better define the kernel's binary
application interface. To that end, Andries Brouwer has posted a patch bringing back the idea of a separate
set of "Linux ABI" include files. In this rendition, there would be a new
include/linuxabi directory (along with architecture-specific
variations) which would contain header files defining constants and data
structures used for communication with user space. They would be
specifically intended to be included from user space. Andries starts by
removing the various mount option flags from <linux/fs.h>
and putting them in <linuxabi/mountflags.h>.
This idea has come up before, but it has never been adopted in the mainline
kernel. Getting to a point where a significant part of the kernel binary
interface is documented in include/linuxabi will clearly take a
long time. Rearranging the kernel include file hierarchy may not be an
appropriate thing to do at this point in the development cycle. It might
not be a bad idea for early in the 2.7 series, however.
Comments (3 posted)
For those wanting to follow Alan Cox's progress as he disconnects from
kernel development and heads off to pursue an MBA: Paul Sladen has been
translating his diary from the original Welsh.
"So, the next three days to finish hacking
the VIA CLE266, unsubscribe from all the lists and buy some paper
folders. Except in 3 days, awful food, woe and having to get up in the
morning... I hope I can remember the hang of studying."
Comments (11 posted)
Nigel Cunningham, the developer responsible for making software suspend
actually work in the 2.4 kernel, has recently
announced that his work is now being funded by
LinuxFund.org. This grant will enable him to
complete his 2.4 work, and to work at bringing it forward to the 2.6 kernel
as well. For those who are interested in following Nigel's progress, he
has set up a weblog on the LinuxFund.org site.
Comments (4 posted)
Driver porting
The "kobject" structure first made its appearance in the 2.5.45 development
kernel. It was initially meant as a simple way of unifying kernel code
which manages reference counted objects. The kobject has since encountered
a bit of "mission creep," however; it is now the glue that holds much of
the device model and its sysfs interface together. It is rare for a driver
writer to have to work with kobjects directly; they are usually hidden in
structures created by higher-level code. Kobjects have a certain tendency
to leak through the intervening layers, however, and make their presence
known. So a familiarity with what they are and how they work is a good
thing to have. This document will cover the kobject type and related
topics, but will gloss over most of the interactions between kobjects and
sysfs (those will be covered separately, later on).
Part of the difficulty in understanding the driver model - and the kobject
abstraction upon which it is built - is that there is no obvious starting
place. Dealing with kobjects requires understanding a few different types,
all of which make reference to each other. In an attempt to make things
easier, we'll take a multi-pass approach, starting with vague terms and
adding detail as we go. To that end, here are some quick definitions of
some terms we will be working with.
- A kobject is an object of type struct kobject.
Kobjects have a name and a reference count. A kobject also has a
parent pointer (allowing kobjects to be arranged into hierarchies), a
specific type, and, perhaps, a representation in the sysfs virtual
filesystem.
Kobjects are generally not interesting on their own; instead, they are
usually embedded within some other structure which contains the stuff
the code is really interested in.
- A ktype is a type associated with a kobject. The ktype
controls what happens when a kobject is no longer referenced and the
kobject's default representation in sysfs.
- A kset is a group of kobjects all of which are embedded in
structures of the same type. The kset is the basic container type for
collections of kobjects. Ksets contain their own kobjects, for what
it's worth. Among other things, that means that a kobject's parent is
usually the kset that contains it, though things do not normally have
to be that way.
When you see a sysfs directory full of entries, generally each of
those entries corresponds to a kobject in the same kset.
- A subsystem is a collection of ksets which, collectively,
make up a major sub-part of the kernel. Subsystems normally
correspond to the top-level directories in sysfs.
We'll look at how to create and manipulate all of these types. A bottom-up
approach will be taken, so we'll go back to kobjects.
Embedding kobjects
It is rare (even unknown) for kernel code to create a standalone kobject;
instead, kobjects are used to control access to a larger, domain-specific
object. To this end, kobjects will be found embedded in other structures.
If you are used to thinking of things in object-oriented terms, kobjects
can be seen as a top-level, abstract class from which other classes are
derived. A kobject implements a set of capabilities which are not
particularly useful by themselves, but which are nice to have in other
objects. The C language does not allow for the direct expression of
inheritance, so other techniques - such as structure embedding - must be
used.
So, for example, the 2.6.0-test6 version of struct cdev, the
structure describing a char device, is:
    struct cdev {
        struct kobject kobj;
        struct module *owner;
        struct file_operations *ops;
        struct list_head list;
    };
If you have a struct cdev structure, finding its embedded kobject
is just a matter of using the kobj field. Code that works with
kobjects will often have the opposite problem, however: given a struct
kobject pointer, what is the pointer to the containing structure?
You should avoid tricks (such as assuming that the kobject is at the
beginning of the structure) and, instead, use the container_of()
macro, found in <linux/kernel.h>:
    container_of(pointer, type, member)
where pointer is the pointer to the embedded kobject,
type is the type of the containing structure, and member
is the name of the structure field to which pointer points. The
return value from container_of() is a pointer to the given
type. So, for example, a pointer to a struct kobject
embedded within a struct cdev called "kp" could be converted to a
pointer to the containing structure with:
    struct cdev *device = container_of(kp, struct cdev, kobj);
Programmers will often define a simple macro for "back-casting" kobject
pointers to the containing type.
Initialization of kobjects
Code which creates a kobject must, of course, initialize that object. Some
of the internal fields are set up with a (mandatory) call to
kobject_init():
    void kobject_init(struct kobject *kobj);
Among other things, kobject_init() sets the kobject's reference
count to one.
Calling kobject_init() is not sufficient, however. Kobject users
must, at a minimum, set the name of the kobject; this is the name that will
be used in sysfs entries. If you dig through the kernel source,
you will find code which copies a string directly into the kobject's
name field, but that approach should be avoided. Instead, use:
    int kobject_set_name(struct kobject *kobj, const char *format, ...);
This function takes a printk-style variable argument list.
Believe it or not, it is actually possible for this operation to fail;
conscientious code should check the return value and react accordingly.
The other kobject fields which should be set, directly or indirectly, by
the creator are its ktype, kset, and parent. We will get to those shortly.
Reference counts
One of the key functions of a kobject is to serve as a reference counter
for the object in which it is embedded. As long as references to the
object exist, the object (and the code which supports it) must continue to
exist. The low-level functions for manipulating a kobject's reference
counts are:
    struct kobject *kobject_get(struct kobject *kobj);
    void kobject_put(struct kobject *kobj);
A successful call to kobject_get() will increment the kobject's
reference counter and return the pointer to the kobject. If, however, the
kobject is already in the process of being destroyed, the operation will
fail and kobject_get() will return NULL. This return
value must always be tested, or no end of unpleasant race conditions could
result.
When a reference is released, the call to kobject_put() will
decrement the reference count and, possibly, free the object. Note that
kobject_init() sets the reference count to one, so the code which
sets up the kobject will need to do a kobject_put() eventually to
release that reference.
Note that, in many cases, the reference count in the kobject itself may not
be sufficient to prevent race conditions. The existence of a kobject (and
its containing structure) may well, for example, require the continued
existence of the module which created that kobject. It would not do to
unload that module while the kobject is still being passed around. That is
why the cdev structure we saw above contains a struct
module pointer. The reference counting for struct cdev is
implemented as follows:
    struct kobject *cdev_get(struct cdev *p)
    {
        struct module *owner = p->owner;
        struct kobject *kobj;

        if (owner && !try_module_get(owner))
            return NULL;
        kobj = kobject_get(&p->kobj);
        if (!kobj)
            module_put(owner);
        return kobj;
    }
Creating a reference to a cdev structure requires creating a
reference also to the module which owns it. So cdev_get() uses
try_module_get() to attempt to increment that module's usage
count. If that operation succeeds, kobject_get() is used to
increment the kobject's reference count as well. That operation could
fail, of course, so the code checks the return value from
kobject_get() and releases its reference to the module if things
don't work out.
Hooking into sysfs
An initialized kobject will perform reference counting without trouble, but
it will not appear in sysfs. To create sysfs entries, kernel code must
pass the object to
kobject_add():
    int kobject_add(struct kobject *kobj);
As always, this operation can fail. The function:
    void kobject_del(struct kobject *kobj);
will remove the kobject from sysfs.
There is a kobject_register() function, which is really just the
combination of the calls to kobject_init() and
kobject_add(). Similarly, kobject_unregister() will call
kobject_del(), then call kobject_put() to release the
initial reference created with kobject_register() (or really
kobject_init()).
ktypes and release methods
One important thing still missing from the discussion is what happens to a
kobject when its reference count reaches zero. The code which created the
kobject generally does not know when that will happen; if it did, there
would be little point in using a kobject in the first place. Even
predictable object lifecycles become more complicated when sysfs is
brought in; user-space programs can keep a reference to a kobject (by
keeping one of its associated sysfs files open) for an arbitrary period of
time.
The end result is that a structure protected by a kobject cannot be freed
before its reference count goes to zero. The reference count is not under
the direct control of the code which created the kobject. So that code
must be notified asynchronously whenever the last reference to one of its
kobjects goes away.
This notification is done through a kobject's release() method.
Usually such a method has a form like:
    void my_object_release(struct kobject *kobj)
    {
        struct my_object *mine = container_of(kobj, struct my_object, kobj);

        /* Perform any additional cleanup on this object, then... */
        kfree(mine);
    }
One important point cannot be overstated: every kobject must have a
release() method, and the kobject must persist (in a consistent state)
until that method is called. If these constraints are not met, the code is
flawed.
Interestingly, the release() method is not stored in the kobject
itself; instead, it is associated with the ktype. So let us introduce
struct kobj_type:
    struct kobj_type {
        void (*release)(struct kobject *);
        struct sysfs_ops *sysfs_ops;
        struct attribute **default_attrs;
    };
This structure is used to describe a particular type of kobject (or, more
correctly, of containing object). Every kobject needs to have an
associated kobj_type structure; a pointer to that structure can be
placed in the kobject's ktype field at initialization time, or
(more likely) it can be defined by the kobject's containing kset.
The release field in struct kobj_type is, of course, a
pointer to the release() method for this type of kobject. The
other two fields (sysfs_ops and default_attrs) control
how objects of this type are represented in sysfs; they are beyond the
scope of this document.
ksets
In many ways, a kset looks like an extension of the kobj_type
structure; a kset is a collection of identical kobjects. But, while
struct kobj_type concerns itself with the type of an object,
struct kset is concerned with aggregation and collection.
The two concepts have been separated so that objects of identical type can
appear in distinct sets.
A kset serves these functions:
- It serves as a bag containing a group of identical objects. A kset
can be used by the kernel to track "all block devices" or "all PCI
device drivers."
- A kset is the directory-level glue that holds the device model (and
sysfs) together. Every kset contains a kobject which can be set up to
be the parent of other kobjects; in this way the device model
hierarchy is constructed.
- Ksets can support the "hotplugging" of kobjects and influence how
hotplug events are reported to user space.
In object-oriented terms, "kset" is the top-level container class; ksets
inherit their own kobject, and can be treated as a kobject as well.
A kset keeps its children in a standard kernel linked list. Kobjects point
back to their containing kset via their kset field.
In almost all
cases, the contained kobjects also have a pointer to the kset (or, strictly, its
embedded kobject) in their parent field. So, typically, a kset
and its kobjects look something like what you see in the diagram to the
right. Do bear in mind that (1) all of the contained kobjects in the
diagram are actually embedded within some other type, possibly even other
ksets, and (2) it is not required that a kobject's parent be the
containing kset.
For initialization and setup, ksets have an interface very similar to that
of kobjects. The following functions exist:
    void kset_init(struct kset *kset);
    int kset_add(struct kset *kset);
    int kset_register(struct kset *kset);
    void kset_unregister(struct kset *kset);
For the most part, these functions just call the analogous
kobject_ function on the kset's embedded kobject.
For managing the reference counts of ksets, the situation is about the
same:
    struct kset *kset_get(struct kset *kset);
    void kset_put(struct kset *kset);
A kset, too, has a name, which is stored in the embedded kobject. So, if
you have a kset called my_set, you would set its name with:
    kobject_set_name(&my_set->kobj, "The name");
Ksets also have a pointer (in the ktype field) to the
kobj_type structure describing
the kobjects it contains. This type will be applied to any kobject which
does not contain a pointer to its own kobj_type structure.
Another attribute of a kset is a set of hotplug operations; these
operations are invoked whenever a kobject enters or leaves the kset. They
are able to determine whether a user-space hotplug event is generated for
this change, and to affect how that event is presented. The hotplug
operations are beyond the scope of this document; they will be discussed
later with sysfs.
One might ask how, exactly, a kobject is added to a kset, given that no
functions which perform that function have been presented. The answer is
that this task is handled by kobject_add(). When a kobject is
passed to kobject_add(), its kset member should point to
the kset to which the kobject will belong. kobject_add() will
handle the rest. There is currently no other way to add a kobject to a
kset without directly messing with the list pointers.
Finally, a kset contains a subsystem pointer (called subsys). So
it must be time to talk about subsystems.
Subsystems
A subsystem is a representation for a high-level portion of the kernel as a
whole. It is actually a simple structure:
    struct subsystem {
        struct kset kset;
        struct rw_semaphore rwsem;
    };
A subsystem, thus, is really just a wrapper around a kset. In fact, life
is not quite that simple; a single subsystem can contain multiple ksets.
This containment is represented by the subsys pointer in
struct kset; so, if there are multiple ksets in a subsystem, it
will not be possible to find all of them directly from the
subsystem structure.
Every kset must belong to a subsystem; the subsystem's rwsem
semaphore is used to serialize access to a kset's internal linked list.
Subsystems are often declared with a special macro:
    decl_subsys(char *name, struct kobj_type *type,
                struct kset_hotplug_ops *hotplug_ops);
This macro just creates a struct subsystem (its name is the
name given to the macro with _subsys appended) with the
internal kset initialized with the given type and
hotplug_ops.
Subsystems have the usual set of setup and teardown functions:
    void subsystem_init(struct subsystem *subsys);
    int subsystem_register(struct subsystem *subsys);
    void subsystem_unregister(struct subsystem *subsys);
    struct subsystem *subsys_get(struct subsystem *subsys);
    void subsys_put(struct subsystem *subsys);
Most of these operations just act upon the subsystem's kset.
Kobject initialization again
Now that we have covered all of that stuff, we can talk in detail about how
a kobject should be prepared for its existence in the kernel. Here are all
of the struct kobject fields which must be initialized somehow:
- name and k_name - the name of the object. These
fields should always be initialized with kobject_set_name().
- refcount is the kobject's reference count; it is initialized
by kobject_init().
- parent is the kobject's parent in whatever hierarchy it
belongs to. It can be set explicitly by the creator. If
parent is NULL when kobject_add() is
called, it will be set to the kobject of the containing kset.
- kset is a pointer to the kset which will contain this kobject; it should
be set prior to calling kobject_add().
- ktype is the type of the kobject. If the kobject is
contained within a kset, and that kset has a type set in its
ktype field, then this field
in the kobject will not be used. Otherwise it should be set to a
suitable kobj_type structure.
Often, much of the initialization of a kobject is handled by the layer that
manages the containing kset. Thus, to get back to our old example, a char
driver might create a struct cdev, but it need not worry about
setting any of the fields in the embedded kobject - except for the name.
Everything else is handled by the char device layer.
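The reference-count, release() and ktype rules above, together with the field list just given, as an added user-space model (a constructed example, not the kernel's code or the article's): the names mirror the kernel API, and a hypothetical my_object container with an owner module stands in for struct cdev, with try_module_get()/module_put() modelled as simple counters.

```c
/* Constructed user-space model of the 2.6.0-test6 kobject interface described
 * above (not kernel code); names mirror the kernel API so the rules can run. */
#include <stdarg.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct kobject {
    char name[20];              /* the kernel's fixed name[] length */
    int refcount;               /* atomic_t in the kernel; plain int here */
    struct kset *kset;          /* containing kset, if any */
    struct kobj_type *ktype;    /* consulted only if the kset has no ktype */
};
struct kobj_type { void (*release)(struct kobject *); };
struct kset {
    struct kobject kobj;        /* a kset is itself a kobject */
    struct kobj_type *ktype;    /* default type for the kobjects it holds */
};

void kobject_init(struct kobject *kobj)
{
    memset(kobj, 0, sizeof(*kobj));
    kobj->refcount = 1;         /* the creator holds this reference */
}
/* printk-style; returns -1 when the name does not fit, so check the result */
int kobject_set_name(struct kobject *kobj, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(kobj->name, sizeof(kobj->name), fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= sizeof(kobj->name)) ? -1 : 0;
}
struct kobject *kobject_get(struct kobject *kobj)
{
    if (!kobj || kobj->refcount == 0)
        return NULL;            /* being torn down: callers must test this */
    kobj->refcount++;
    return kobj;
}
void kobject_put(struct kobject *kobj)
{
    if (!kobj || --kobj->refcount > 0)
        return;
    /* Last reference gone: the kset's ktype wins, else the kobject's own. */
    struct kobj_type *t = kobj->kset && kobj->kset->ktype ? kobj->kset->ktype : kobj->ktype;
    t->release(kobj);           /* every kobject must have a release() */
}
struct module { int usage; int loaded; };   /* owner, as in struct cdev above */
static int try_module_get(struct module *m) { return m->loaded ? ++m->usage : 0; }
static void module_put(struct module *m) { if (m) m->usage--; }
struct my_object {
    struct module *owner;
    struct kobject kobj;        /* deliberately not the first field */
};
static int releases;            /* how often my_object_release() has run */
static void my_object_release(struct kobject *kobj)
{
    struct my_object *mine = container_of(kobj, struct my_object, kobj);
    releases++;
    free(mine);                 /* the container dies with the last reference */
}
static struct kobj_type my_type = { my_object_release };
struct kobject *my_object_get(struct my_object *p)   /* the cdev_get() pattern */
{
    struct kobject *kobj;
    if (p->owner && !try_module_get(p->owner))      /* module reference first */
        return NULL;
    if (!(kobj = kobject_get(&p->kobj)))
        module_put(p->owner);   /* undo the module reference on failure */
    return kobj;
}
/* Runs one object through its life. Returns the number of release() calls
 * seen (1 when every rule held) or a negative code naming the broken step. */
int demo_lifecycle(void)
{
    struct module mod = { 0, 1 };
    struct kset set = { .ktype = &my_type };
    struct my_object *obj = calloc(1, sizeof(*obj));
    releases = 0;
    kobject_init(&set.kobj);               /* stack kset, never put here */
    kobject_init(&obj->kobj);
    obj->owner = &mod;
    obj->kobj.kset = &set;                 /* its ktype comes from the kset */
    if (kobject_set_name(&obj->kobj, "obj%d", 7))
        return -1;
    if (!my_object_get(obj) || mod.usage != 1)  /* a second user takes a ref */
        return -2;
    mod.loaded = 0;                        /* unloaded: further refs must fail */
    if (my_object_get(obj) || mod.usage != 1)
        return -3;
    kobject_put(&obj->kobj);               /* creator drops its initial ref */
    if (releases != 0)                     /* still alive: a ref is outstanding */
        return -4;
    kobject_put(&obj->kobj);               /* second user's ref: release() runs */
    module_put(&mod);
    return (releases == 1 && mod.usage == 0) ? releases : -5;
}
```

The object is freed exactly once, from release(), and only after both the creator's initial reference and the second user's reference are dropped; a reference attempt after the owner module has gone away fails without touching the module count.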
Looking forward
So far, we have covered the operations used to set up and manipulate
kobjects. The core concept is relatively simple: kobjects can be used to
(1) maintain a reference count for an object and clean up when the
object is no longer used, and (2) create a hierarchical data structure
through kset membership.
What is missing so far is how kobjects represent themselves to user space.
The sysfs interface to kobjects makes it easy to export information to (and
to receive information from) user space. The symbolic linking features of
sysfs allow the creation of pointers across distinct kobject hierarchies.
Stay tuned for a description of how all that works.
Comments (10 posted)
Patches and updates
Miscellaneous
- Andries.Brouwer@cwi.nl: linuxabi. (October 1, 2003)
Page editor: Jonathan Corbet
Distributions
Martin Michlmayr has
floated the idea of allowing vendors and projects to carry a Debian brand to promote their efforts and the Debian Project.
Work based on the Debian Project has certainly found its way into plenty
of third-party projects. The KNOPPIX
project is based on Debian GNU/Linux, as well as Xandros, Lindows.com, and the Skolelinux distribution
for schools. Many, but not all, of the organizations that work with
Debian have also been good about folding code back into the Debian
Project. It would certainly raise the visibility of the Debian Project
if all of these projects carried a Debian brand. It may be no secret to
KNOPPIX users that KNOPPIX is based on Debian GNU/Linux, but how many
Lindows users are aware of the Debian connection?
The discussion came about because the Skolelinux project sought to call
their non-profit foundation "Debian Foundation Norway." Michlmayr
indicates that it would be a bad idea to let third-parties that are
paying developers to use the Debian name itself:
However, I believe that "Debian" should not pay developers. By "Debian"
I mean the project as a whole or any of its organizations (such as SPI).
"Debian" paying developers might lead to many problems. The project
paying some developers while others work on it in their spare time is
not fair, and there is the big problem of selecting who to hire. This
can cause great animosity and have bad effects on the motivation of
developers.
No doubt some developers would chafe at the idea of other Debian
developers being paid by the project for their efforts, while they're busy
contributing
for free. But few, if any, seem to mind when code makes its way back
from projects that are utilizing work from the Debian Project, whether
the developers working on said code are paid or volunteer. Michlmayr
proposes that third parties be allowed to use a "Debian Labs" or similar
brand to indicate that they're doing work related to Debian without
being an official part of the Debian Project.
We could create a "Debian Labs" brand and publicize what it means for an
organization to carry that name. Since we own the Debian trademark, we
can control who is allowed to use the "Debian Labs" brand. We have to
develop a set of guidelines for this. So in some sense Debian has some
control over what those organizations do. On the other hand, they are
largely autonomous of Debian and can do with their money whatever they
want -- that way, "Debian" wouldn't need to decide who to hire, etc, and
could avoid the problems described in the mail mentioned above.
Though the idea has been well received so far, Michlmayr says it still
needs to be fleshed out. One major question is whether for-profit
companies would be allowed to use the Debian Labs brand. Several users
on the Debian mailing list were against allowing for-profit companies to
use a Debian Labs brand or similar, while a few said they had no problem
with the idea of a commercial entity using Debian Labs.
Another concern that was raised is to make sure that any agreement that
would allow an outside organization to use a Debian brand could be
terminated. It would be somewhat embarrassing, to say the least, to have
a "SCO Debian Labs" brand still in widespread use at this point.
If the idea comes to fruition, a Debian trademarked brand will no doubt
carry much more stringent guidelines than the Linux trademark, which is
administered fairly liberally. If the Debian Project can come up with a
workable agreement, it would no doubt be of benefit to the project and
the projects and organizations using Debian in their work.
Comments (2 posted)
Distribution News
It's official. Slackware Linux 9.1 has been released. "This is
another great release, featuring GCC 3.2.3, GNOME 2.4.0, KDE 3.1.4, and
Kernel 2.4.22."
Full Story (comments: 4)
Since the 9.1 release a few changes have rolled in to
slackware-current, including an updated OpenSSL and Perl (for security
reasons), plus Samba 3.0, Xfce 4.0 and SlackPKG 0.99.1.
Comments (none posted)
The second Fedora Core (once known as Red Hat Linux) test release is now
available. "Use of test releases in
production environments could lead to disastrous results, such as
spontaneous musical theatre from your engineers. Be afraid." If you
are not sufficiently afraid, the announcement contains a list of mirror
sites.
Linux Journal provides some thoughts
on the Red Hat/Fedora merger. "The main reason for the Red
Hat/Fedora merger is straight-forward: Red Hat is a for-profit company, not
a charity. In short, Red Hat loses money on Red Hat Linux. Turning it over
to Fedora will help keep the company profitable."
LinuxQuestions.org
interviews Jeremy Hogan, Manager of Community Relations at Red Hat.
LQ) Tell us a little about the just released Fedora project (How do you
see it impacting RH, how does it compare to Cooker or even Debian, what
went into its release, etc).
JH) Fedora is what Red Hat Linux was. Kind of the People's Republic of
Myanmar to Burma. It's a project with rolling releases, not a product
with predictable release dates, support, services, etc.
Comments (none posted)
SuSE has sent out a
press release announcing
that version 9.0 of the SuSE Linux distribution will be available "by
October 24th." This release includes the inevitable new desktop, winmodem
support, user-mode Linux, and a version of the (unreleased) 2.6 kernel
along with a 2.4.21 kernel full of 2.6 backports.
SuSE has also announced the release schedule of SuSE Linux Enterprise
Server would stretch from the current 12 months to an 18 - 24 month cycle.
Vnunet covers the
announcement. "The next major Linux Enterprise Server release
will be in the second or third quarter of 2004 and will support the Linux
2.6 kernel. "[This release] will be a watershed in terms of scalability
and will be easier for independent software vendors developing for both Red
Hat and SuSE," said [SuSE VP David] Burger."
Comments (none posted)
In nearly simultaneous announcements, MandrakeSoft and SuSE have announced
the end of support for their older distributions. MandrakeSoft
is no longer supporting Mandrake Linux 8.2
as of September 30. The oldest supported version of Mandrake Linux is
now 9.0. SuSE
has cut off SuSE Linux 7.2,
but is still supporting 7.3.
Comments (9 posted)
Earlier this week Trustix AS, parent company behind TSL,
announced that the company was filing for
bankruptcy, and as a result all sales and support of the Trustix Linux
Solutions product line were suspended.
Then Erlend Midttun, founding father of TSL, and TSL developer Christian
Toldnes announced the start of a new
company, Tawie Technologies AS, to provide full support and services.
Trustix Secure Linux has become Tawie Server Linux in the process.
TSL has bug fixes in swup and swupconf
available for versions 1.5 and 2.0.
Comments (none posted)
The September 23 edition of the Debian
Weekly News looks at Gnoppix, changelog abuse, the new cdimage.debian.org
with iso images and an authoritative directory structure, and much more.
The September 30 edition of DWN is also
available. This issue looks at the "Joey meets Joey" session at the
Oldenburg Linux Developers conference; Lessons in Packaging Linux
Applications; the newly formed Committee for FSF-Debian Discussion; Python
Transition Problems; and much more.
Debian secretary Manoj Srivastava has announced a period of discussion on proposals
to amend section 4.1.5 of the Debian constitution.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of September 29, 2003 is out.
Topics include the next Gentoo BugDay and the featured sponsor of the week
- Oregon State University.
Full Story (comments: none)
The embedded Linux companies seem to be having some sort of race to see who can deploy the (still unreleased) 2.6 kernel first. LynuxWorks
announced a 2.6-based beta three weeks ago. Now SnapGear has sent out
a press release proclaiming the availability of SnapGear Embedded Linux 3.0, which, of course, includes a 2.6 kernel. The PR claims that the distribution is available for download now from
snapgear.org, but it looks like it's not quite there as of this writing.
Comments (2 posted)
Minor distribution updates
ALT Linux Compact 2.3 beta
(20030926) has been released. Click below for details.
Full Story (comments: none)
ClusterKnoppix has released v3.2-2003-09-05-EN with
minor feature enhancements. "Changes: This version syncs with the
latest Knoppix release. It upgrades to kernel 2.4.22 and openmosix-1
release, upgrades to openmosix-user-0.3.4, upgrades to the latest
openmosixview, adds libgtop2 libcommoncpp2-1.0-0c102, adds chpox-0.5, adds
Gomd CVS 20030917, and removes the default MFS/DFSA support because of a
tmpfs bug."
Comments (none posted)
Damn Small Linux has released v0.4.8 with minor
feature enhancements. "Changes: Fabian Franz's 'toram' linuxrc
routine was added, so the whole system can be put into RAM, which requires
only 64M of RAM. The CD player plugin for XMMS was added. The ability to
choose language specific keyboard layout was restored (e.g. 'lang=de'), and
the default is US English. The Debian 'wireless-tools' package was added. A
bug in Xpacman was fixed, and the keys to work with German, French, and
English were re-mapped. Other small feature and usability enhancements were
made."
Comments (none posted)
DietLinux has released v0.1.2 with major feature
enhancements. "Changes: The Makefiles for downloading the
dietlinux-files and build images were rewritten. It's now possible to build
floppy images as well. Including your own files in the image has been made
easier."
Comments (none posted)
dyne:bolic has released v1.0 with major feature
enhancements. "Changes: Important milestones for the project have
been reached since the last stable release: XBOX support, automatic
clustering on the same LAN, a nested data storage mechanism, and improved
speed and hardware support. Many new applications have been added in order
to complete the desktop functionality and fulfill many different tasks and
needs which became apparent after much testing of ergonomic and usability
issues."
Comments (none posted)
GNOPPIX has released v0.5.4-1 with major
feature enhancements. "Changes: This version adds a GNOPPIX
installer, an icon for modem/DSL connections, support for NTFS volumes, a
Persistent Home option, and English and US descriptions to Desktop
icons. It fixes automounter close, moves to UTF-8 code, fixes changing of
root and user passwords, updates the hw-database for autoconfig, backports
120 new packages, removes all non-free packages, updates to kernel
2.4.22-xfs, installs gnome-cups-manager, and includes many bugfixes and
updates."
Comments (none posted)
SmoothWall has released v2.0 beta 6 with major
bugfixes. "Changes: The 2.4.22 kernel is now used and the core
distribution was updated to updated Red Hat 8.0. The BeWAN PCI ADSL card is
now supported, and ping and traceroute diagnostics were added to the Tools
section. H.323, MMS (streaming), and Quake masquerade helper modules were
included. Port forward ranges were implemented and the HTTPS admin port was
changed from 445 to 441."
Comments (none posted)
Source Mage GNU/Linux v0.7, code name
"Flare" has been released. Click below for details.
Full Story (comments: none)
ThinStation has released v1.0.1.
"Changes: This version now uses busybox 1.0pre2, and updates the
scripts to work with it, fixes a bug in the xf-common script for the Xvesa
server, fixes a bug in sound-nasd and sound-esd which caused boot to hang,
and adds a colours fix for ICA."
Comments (none posted)
Warewulf has released
v1.15 with major bugfixes.
"
Changes: The purpose of this release is to fix a typo/bug in the
Warewulf library that caused most tools to error out."
Comments (none posted)
Distribution reviews
DistroWatch has
a
review of Source Mage, with a look at some other source based
distributions. "
As Source Mage proclaims in their "mission
statement" their goal is to give total control back to system
administrators. They are not kidding. It is very clear this system means
business and is not intended for beginners. Onebase on the other hand
aspires to being easy to install and use even for less experienced users,
as well as being flexible and powerful, yet transparent. To this end it
provides a tool, OLM, intended for both configuring and managing the
system. I was very curious to see how it will achieve these somewhat
conflicting goals."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Version 4.0 of
XFce,
a lightweight desktop environment,
has been announced.
XFce creator Olivier Fourdan sums up the goals of the project:
XFce is a lightweight desktop environment for various *NIX systems.
Designed for productivity, it loads and executes applications fast, while conserving system resources.
The full XFce 4.0
press release indicates that this version has substantial changes
from version 3.
XFce 4 is a complete rewrite of the previous version. It's based on the popular GTK+ 2.x toolkit and it has a radically different architecture from XFce 3. It embodies extreme modularity and re-usability and all of XFce 4's core components have been written from scratch in order to fit into this new architecture. Another priority of XFce 4 is adherence to standards, specifically those defined by freedesktop.org, which aims to standardize the Unix/Linux desktop.
Furthermore, the press release sums up these new capabilities:
XFce 4 consists of a number of components that together provide the full functionality of the desktop environment. They are packaged separately and users can pick and choose from the available packages to create the best personal working environment. XFce 4 includes a number of new themes, international keyboard support, easy-to-use preference panels for all common desktop actions, native interoperability with both Gnome and KDE and their applications, an improved file manager (Xffm) with Samba browsing and mount/umount capabilities, an easily re-locatable main panel (vertical or horizontal, with variable size, auto-hide feature and with easy-to-setup detachable menus and application launchers), enhanced drag-n-drop support, anti-alias fonts.
It will be interesting to see if XFce 4 can gain a substantial following
in the landscape of available Linux desktop environments.
A lighter system may be able to carve out a decent sized
niche on systems that don't require all of the capabilities of
KDE and Gnome.
Comments (8 posted)
System Applications
Audio Projects
Version 0.9.7 of the
Alsa sound driver and
associated utilities is available.
Change information is in the source code.
Comments (none posted)
The
latest changes to the Planet CCRMA audio packaging project include
new versions of Snd, Noteedit, Lilypond, and Qjackctl.
Comments (none posted)
Version 1.0.2 of the
Speex
speech codec has been released.
"
Just a bugfix release. This update adds soundcard support for Solaris and the BSDs as well as minor bugfixes and a documentation update."
Comments (none posted)
Database Software
Version 1.2.0 of Gedafe, the Generic Database Front-End,
is available.
"
The idea behind Gedafe is to put all the application logic into the
database, along with meta-information on how to present the data.
The front-end then gathers this information and uses it to build the
user interface. This approach greatly reduces development time since
you only have to develop the application at the database level and
the web front-end comes for free."
Full Story (comments: none)
Version 1.0.0 of pgAdmin is available for download.
"
The pgAdmin Development Team are pleased to announce the first stable release of pgAdmin III, an Open Source management and administration tool for the PostgreSQL Object Relational Database Management System."
Full Story (comments: none)
The September 26, 2003 PostgreSQL Weekly News is
out with the latest PostgreSQL database news.
Topics include 7.4 Beta testing, JDBC fixes,
bug fixes, and documentation updates.
Full Story (comments: none)
Mail Software
Version 2.1.3 of Mailman, the GNU Mailing List Manager,
is available.
"
Version 2.1.3 is a bug fix release which also contains support for
four new languages: Ukrainian, Serbian, Euskara (Basque), and Danish.
This release also contains a fix for a cross-site scripting
vulnerability, as well as improved queue runner performance."
Full Story (comments: none)
Milter-date 0.2 beta, a date-based spam filter,
has been announced.
"
How many times have you seen spam that's from the future, or is older than the world wide web, or looked at message headers and wondered why a message should take 30 days to go from one hop to the next?"
Comments (none posted)
Joe Stump
writes about the process of putting together an email server
in the first part of an O'Reilly series.
"
All Linux distributions that I know of come with an MTA of some sort. The most popular is Sendmail. Other popular MTAs include Exim, postfix, and Qmail. This article discusses how to build an advanced mail server which sports all of the latest mail protocols, checks all incoming mail for spam, and scans all incoming and outgoing mail for viruses."
Comments (none posted)
Networking Tools
Divmod Quotient 0.6 has been announced.
"
Quotient is a multi-protocol (SMTP, POP, IMAP, SIP, HTTP, Q2Q) server
that helps with all your online conversations be they over email, IRC, IM,
mailing lists or voice over IP. It is written in Python on the Twisted
framework and uses Lupy and SpamBayes."
Full Story (comments: none)
Printing
The latest news from
LinuxPrinting.org
includes improved support for the HP LaserJet 1010, 1012, and 1015 and
the HP DeskJet 5150 and 5652 printers.
Also, it is now possible to access the Epson inkjet memory card readers.
Comments (none posted)
Web Site Development
Version 3.2.15 of the
mnoGoSearch
web site search engine is available.
See the
history
document for change information.
Comments (none posted)
Version 0.8.0 of mod_caml, the Objective CAML bindings for
Apache, is out.
"
This is an interim release for testing. The main change is that some
API functions which previously returned 'string option' ('None'
meaning that the C string was NULL) have been changed to return just
'string', and to raise 'Not_found' if the C string is NULL."
Full Story (comments: none)
Aaron Trevena
illustrates web site searching techniques on O'Reilly.
"
If you are building a small, simple database-backed web site with only a couple of hundred records, then relatively simple SQL should be all you need. It would be trivial to add a simple and Foo_Name like '%keyword%' to the queries being used.
When your needs go beyond this, there are three ways you can proceed: you can use native database full-text searching, an external search engine, or you can roll your own."
Comments (none posted)
Desktop Applications
Audio Applications
Version 1.2.0-pre2 of
Audacity is available.
"
Audacity 1.2.0-pre2 is a public test release of the free Audacity sound editor. This version fixes all of the known major bugs in 1.2.0-pre1, and we anticipate very few changes between this version and the final 1.2.0 release in a few more weeks."
Comments (none posted)
Version 3.0.0 of Tkeca, a GUI interface to the Ecasound audio
tool, is out.
"
I strongly advise upgrading to this version!
I think that Tkeca is becoming a serious recording tool."
Full Story (comments: none)
Desktop Environments
KDE.News
reports
that KDE 3.2 Alpha 2 is available.
"
As the first Beta was delayed to finish more PIM features, we're proud to
present the second Alpha release of KDE 3.2. The first Alpha was already seen
as a very strong release and the second one is even better (1374 bugs closed
in the last 31 days). The major changes are the import of ksvg and kpdf into
the KDE distribution, along with a major rewrite of the window manager."
Comments (none posted)
The September 26, 2003
KDE-CVS-Digest is available; here's the summary:
"
Quanta visual editor makes progress. Khtml gets text selection optimizations and immediate repaint from Safari. Kontact, KMail, KAddressbook get work on settings, time cards, drag and drop, plus many bug fixes."
Comments (none posted)
Desktop Publishing
Version 1.0.2 of Alambic, a PDF creation and distribution utility,
has been announced.
Changes include:
"
Minor fixes and enhancements for version 1.0.2. Added German localization provided by Kai-Steffen Jens Hielscher."
Comments (none posted)
Version 1.3.3 of LyX, a GUI frontend to the TeX typesetting
system, is out.
Full Story (comments: none)
Electronics
Release 20030925 of
Covered, a
Verilog code coverage analyzer, is available.
"
This release contains the first working FSM code coverage
portion in Covered."
Comments (none posted)
Financial Applications
Linas Vepstas has sent out a roadmap for GnuCash 1.10/2.0
development.
"
The reason I'm sending this note is because I'm impatient and
I want to write more code during the next month, and I have to
pick what I will be working on."
Full Story (comments: 1)
Games
GnomeDesktop.org has
an announcement for Monkey Bubble version 0.1.5.
"
tcataldo writes "A few days ago, the first release of Monkey Bubble landed on the internet. It is a fully functional bust'a'move clone with a few nice features : vector graphics based on librsvg, frozen bubble level support, two player games,..."
Comments (none posted)
Graphics
Version 0.4.1 of
vtkFLTK is available.
"
vtkFLTK is a small C++ class library easing development of FLTK event-driven interfaces for use with VTK. vtkFLTK allows composition of complex graphical interfaces to complex visualization facilities by bridging disparities between FLTK and VTK event and windowing system handling."
Change information is in the source code.
Comments (none posted)
Instant Messaging
Version 0.70 of
Gaim,
an instant messaging client, is available.
"
Our friends over at Cerulean Studios managed to break my speed record at cracking Yahoo authentication schemes with an impressive feat of hackery. They sent it over and here it is in Gaim 0.70."
Comments (none posted)
Interoperability
Version 1.2.0 RC1 of DOSEMU, the DOS emulator,
is available.
"
Since Fri, 26 Oct 2001, Bart Oldeman has become coordinator/maintainer of DOSEMU, while the former coordinator Hans Lermen remained responsible in the background as a 'backup facility'. For the same reason Hans would still maintain the stable releases (currently 1.0.x), so Bart can concentrate on the development tree (currently 1.1.x). However, because of personal reasons Hans is no longer able to maintain 1.0.x now, and 1.0.x is without a maintainer. We hope to stabilize 1.1.x into a 1.2.0 release later this year (2003)."
Comments (none posted)
Samba version 3.0 has been released.
"
Samba 3.0 contains the first Open Source/Free Software implementation
of Windows NT Primary and Backup Domain Controller functionality.
Customers can transparently migrate their existing Windows NT domains
to Samba 3.0 whilst keeping their existing user and group account
databases. This enables significant cost of ownership savings over a
Windows NT4 domain as a Samba 3.0 Domain Controller does not require
client access licenses."
Full Story (comments: none)
Issue #189 of
Wine Traffic has been published.
Take a look for the latest Wine development news.
Comments (none posted)
Music Applications
GnomeDesktop.org has
an announcement for Jamboree 0.3.
"
Jamboree is a music player with an iTunes like interface that utilizes
gstreamer. The first public release, dubbed 0.3 contains: Browse mode, smart
and normal playlists, OGG/MP3 support, lightning speed."
Comments (none posted)
Version 0.1.4 of the vst ladspa plugin has been released.
Full Story (comments: none)
Version 2.0 of LilyPond, a musical typesetting system, is out.
"
For this version, we have dramatically simplified many parts of the
syntax, making it easier to use than ever before. Other improvements
include quarter-tone accidentals, and conditional inclusion of music
fragments."
Full Story (comments: none)
Office Applications
Version 0.2 of the Chandler Personal Information Management (PIM)
system is out.
"
Our 0.2 release is an architectural release, where we focus on building
Chandler as a platform. The 0.2 release was triggered by the clock as
opposed to any functional or feature milestone. We want to show that we
are making progress at regular intervals even though we might not have
the loose ends all tidied up."
For more information on the Chandler project, see the Chandler
Status Update Number 9.
Full Story (comments: none)
Office Suites
KDE.News
mentions
the release of KOffice 1.3 Beta 4.
"
This release sports tons of bugfixes made during the KDE
developers' conference in Nové Hrady, Czech Republic (see KOffice
Developers' Meeting Report). It is the last beta in the 1.3 series according
to the revised KOffice 1.3 release schedule which plans the final release now
for November 12, 2003."
Comments (none posted)
Version 1.1 Release Candidate 5 of OpenOffice.org
has been released."
The build includes bug fixes and is speedier and more robust. No new
features have been introduced since RC4. Just bug fixes. We thank you
for helping us find and fix them; the work the user community has done
has been invaluable."
Full Story (comments: none)
It's official: OpenOffice.org 1.1 has been released. Click below for the
announcement, or see
the features
list for an idea of what has been added this time around. "
This
build has, as we have learned, many new features that no other
office suite has yet to think of."
Full Story (comments: 16)
Science
Version 0.9.4 of GRAMPS, the Genealogical
Research and Analysis Management System,
has been announced.
Comments (none posted)
Version 2.5 of NAMD has been released.
"
The Theoretical and Computational Biophysics Group at the University of
Illinois is proud to announce the public release of a new version of
NAMD, a parallel, object-oriented molecular dynamics code designed for
high-performance simulation of large biomolecular systems."
Full Story (comments: none)
Version 0.9.9 of
Vision Egg,
a Python-based system that generates stimuli for vision research experiments,
has been released.
"
There is nothing more I intend to add before I release Version 1.0 -- this is a release candidate subject to final testing and bug fixing, so I would appreciate all the abuse you can put it through. In particular, test/conform.py runs many tests on your system and reports the output."
Comments (none posted)
Web Browsers
Mozilla 1.5 Release Candidate 2
has been announced.
"
This new test build contains around twenty fixes that were not in Release
Candidate 1, including a new preference for specifying whether opening a
bookmark group should replace the existing tabs or append the new pages to
the current set."
Comments (none posted)
Issue #3 of the Mozilla Links Newsletter has been published.
Take a look for the latest Mozilla browser news.
Full Story (comments: none)
MozillaZine
points to the September 22 Mozilla.org staff meeting minutes.
"
Issues discussed include Mozilla 1.5 final, Mozilla 1.4.1, Talkback, Mozilla Thunderbird, the September 30th deadline, the Roadmap, the Mozilla Foundation employees mailing list, localisation and moving the web and mail servers."
Comments (none posted)
GnomeDesktop.org has a
multiple announcement for Mozilla
Firebird 0.7 and Mozilla Thunderbird 0.3.
"
Like Firebird,
Thunderbird 0.3 will come from the 1.5 branch, with developers hoping for a
simultaneous release of Mozilla 1.5 and Thunderbird 0.3."
Comments (none posted)
Word Processors
Issue #163 of the
AbiWord Weekly News is online.
"
RTF import capability has been sped up like you wouldn't believe, thanks to Johnny Lee. The BeOS port verges on oblivion; get the word out; one week to find a maintainer. Languages with accented characters are known to be having issues on Win32. And!, assuming I can get this to work, we have an important poll, or something Mark wants to know...."
Comments (none posted)
Miscellaneous
Axiom, a common Lisp based computer algebra system,
has been released as open-source software under a BSD-style license.
"
The project started in 1971 at IBM as a research system named
Scratchpad. Scratchpad was renamed to Axiom in the 1990s and sold to
NAG, which distributed it as a commercial product until 2001. Axiom is
a powerful system, which in the current state "represents about 30
years and 300 man-years of research work""
Full Story (comments: none)
GnomeDesktop.org
mentions the release of
a new version of Ross Burton's GammaarRRr monitor color calibration tool.
"
This tool features Black point
calibration, per-Display gamma calibration for arbitrary target gamma values,
a graphical editor for calibrating the gamma and a GNOME applet to select
gamma corrections quickly."
Comments (none posted)
Languages and Tools
Caml
The September 23-30, 2003 edition of the Caml Weekly News
is out with the week's Caml language developments.
Full Story (comments: none)
New software on
The Caml Light / OCaml Hump includes new versions of
the GODI source-based O'Caml distribution, the Why software verification tool,
Schoca: an implementation of the Scheme language, the Extlib small standard
OCaml library, and the mod_ocaml Apache binding.
Comments (none posted)
Java
Stephen Jungels
writes about Java 1.5 on O'Reilly.
"
The Java 1.5 proposal offers programmers a false choice between
desirable new features and readability. In fact, all of the proposed new
features for 1.5 can be represented by clear, unambiguous, and readable
constructs without breaking backwards compatibility. In the rest of this
article I will illustrate this point by describing three alternative
syntaxes I am proposing."
Comments (none posted)
Lisp
A Common Lisp string processing library known as Chio is
available.
Full Story (comments: 1)
Perl
Use Perl has the
initial announcement for Perl 5.8.1.
"
Jarkko has released perl 5.8.1, and it has propagated to
CPAN. Thanks for all the hard work! Changes include randomizing hash orders
for security (they were never supposed to be reproducible, anyway), module
updates, and Unicode updates." See the Perl 5.8.1
official announcement for more information.
Comments (none posted)
The September 22-28, 2003 edition of
This Week on perl5-porters has been published.
"
Perl 5.8.1 was released. 'Nuff said."
Comments (none posted)
The September 21, 2003 edition of
This week on Perl 6 is out; take a look for the latest Perl 6
developments.
Comments (none posted)
The Phalanx project
has been announced.
"
Andy Lester writes "Phalanx is a Perl QA project created
to provide a solid testing
base for Ponie, the next version of Perl 5 that will be based on
the Parrot virtual machine. By increasing the test coverage of
Perl modules and Perl itself, we will make Ponie be the best-tested
version of Perl ever"
Comments (none posted)
Mike Scott has written a new
Getting Started With Parrot Development document that's
available on the Parrot Wiki.
Comments (none posted)
A new release of the
gtk2-perl
Perl bindings for Gtk+ 2.x is available.
Comments (none posted)
PHP
Version 0.2.1 of kses, an HTML/XHTML filter written in PHP,
has been released.
"
The 0.2.1 release adds a new object-oriented version of kses, three new
attribute value checks (minlen, minval and valueless), a work-around for an
Opera "feature" that treats chr(173) as whitespace, and some other minor
changes."
Full Story (comments: none)
Version 4.3.4RC1 of PHP
has been announced.
"
This release candidate contains only bug fixes, so it should be quite stable. Please test this release as much as possible, so that any remaining issues can be uncovered and resolved prior to the final release."
Comments (none posted)
Python
Python 2.3.2 RC 1 has been made available.
"
Python 2.3.2 is a bug-fix release, to repair a couple of build problems
and packaging errors in Python 2.3.1. Assuming no major problems crop up,
a final release of Python 2.3.2 will follow later this week."
Full Story (comments: none)
The
secsh project
aims to implement an SSH2 client and server for Python.
Currently, only the client is available.
"
Secsh is a module for python 2.3 that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines."
Comments (none posted)
A new
primer
is available for
Wax,
a layer on the
wxPython GUI system.
"
This document illustrates some of the basics of Wax. As an example program, we're going to make a simple editor. I'm going to build it step by step; you are encouraged to apply the changes incrementally and run the code after every step."
Comments (none posted)
Tcl/Tk
The September 29, 2003 edition of Dr. Dobb's Tcl-URL!
is out with lots of links to useful Tcl/Tk articles and info.
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
According to
this Dow Jones
story (on Yahoo), IBM has filed a new set of counterclaims against
SCO. "
According to the memo, which was obtained by The Wall Street
Journal, the new counterclaim charges that SCO infringed IBM's copyrights
by distributing IBM's contributions to Linux after SCO had violated its
Linux license by claiming a copyright on parts of Linux." So it
looks like another GPL-based claim.
Comments (27 posted)
A
report
(PDF format) titled
CyberInsecurity: The Cost of Monopoly is
currently available. NewsForge
reports that
Dan Geer, recently CTO of @Stake, has been fired in reaction to this
report. "
When you hire a security consultant for your factory or
warehouse, you expect that consultant to tell you if your security fence
needs reinforcement, not to defend the fence manufacturer. And if seven
respected consultants tell you a particular make of fence is too weak for
your purposes, and "industry associations" and "think tanks" supported
heavily by that fence manufacturer lash out at the consultants and claim
they're being paid off even though they aren't, it's
the manufacturer of the weak fences that looks bad in the end."
Comments (17 posted)
News.com
reports
that Massachusetts has adopted a new policy favoring open-source.
"
The state will also give preference to open-source software,
although it will continue to purchase proprietary products if they are
found to be superior technologically or otherwise, Kriss said. He
identified state Web servers, which currently run on Microsoft's Internet
Information Services software, as a potential early candidate for
retrofitting. "We're taking a serious look at Apache as a Web server," he
said."
Not everyone is entirely happy about it, as indicated by this press
release from the Council for Citizens Against Government Waste (CCAGW).
Comments (45 posted)
The SCO Problem
News.com is carrying
a
letter from Joe Firmage, a former Novell VP and once a "good friend" of
SCO CEO Darl McBride. They won't be such good friends anymore.
"
SCO's real agenda in refusing to identify the offending code is
quite clear: Prevent the open-source community from removing and rewriting
implicated segments of source code. In effect, SCO is seeking to prevent
the Linux community from correcting the alleged plagiarism so as to broaden
and sustain its prospects for royalties. Thus, SCO is now an accomplice to
the crime it alleges by refusing to allow the alleged perpetrators to clean
up their act. Courts should succinctly reject such blatant and calculated
extortion."
Comments (3 posted)
Groklaw
analyzes
two research papers by Renaissance Ventures on SCO. "
The first
document is an explanation of Renaissance's reasons for thinking SCO was a
good investment. I know you've been wondering what in the world those folks
in the stock market have been thinking. The second is an analysis of the
SCO v. IBM lawsuit. They are both so blazingly wrong in both facts and
conclusions that I fully grasp for the first time how some people may have
invested in SCO, based on such misinformation." Worth a read.
Comments (5 posted)
vnunet
has some fun with
the SCO case. "
Particularly controversial was the claim that SCO had
the capability to launch a wave of invoices within 45 minutes of an
outbreak of licence infringement. This was flatly contradicted by
intelligence reports, which insisted that the only weapons in the company's
armoury were a few elderly FUD missiles and the odd bluster bomb."
Comments (3 posted)
The Register
follows up on HP's sponsorship of the SCO road show.
"
HP is still sponsoring the SCO City-to-City Tour, but it did ask the great
Utah IP defender to pull mention of its backing from the Web site. Now,
Microlite sits alone as a SCO friend, receiving premier sponsorship perks
without paying the premiere sponsor price."
Comments (1 posted)
Companies
News.com
reports
on possible collaboration between IBM and JBoss Group. "
The two
companies are investing independently in a software development technique
called aspect-oriented programming, or AOP, which is intended to make
application development faster, more flexible and less prone to error.
Both companies are now looking to make AOP a standard feature of Java, said
Bob Bickel, JBoss' vice president of corporate development and
strategy."
Comments (1 posted)
The Register
looks forward to SCO's "road show," which begins next week.
"
The SCO City-to-City Tour is a nice touch to the whole IP affair. It gives
the impression that SCO still has a vibrant, diverse user base that is
clamoring for the latest details on SCO software. While there are plenty of
SCO users out there, the need for a company-backed outreach program is quite
slim. That might be why per city registration is capped off at 50 customers.
Wouldn't it be funny if ambitious Linux users filled all of those spots?" The article also asks why HP has signed up as the primary sponsor for this set of events.
Comments (6 posted)
According to
this story in The Register, Seagate will be offering its 40GB Barracuda 7200.7 drive to resellers with Lindows preinstalled. "
Seagate will sell the hard drives with or without the Linux OS at the same cost and estimates that Whitebox manufacturers can save about $100 per computer by picking the pre-loaded option."
Comments (6 posted)
Linux Adoption
TechNewsWorld
takes a lengthy
look at the use of Linux in digital film production. "
Contrary
to common sense, to build the best secret proprietary software you need an
open-source platform underneath it. The reason is that proprietary software
can require tweaks to the operating system itself that no proprietary
operating system vendor would be interested in implementing. Moreover,
motion picture production is a very time-sensitive business. A problem in
the operating system can't be allowed to hold up production. With open
source, studios can throw programmers at anything, whether at the software
or OS level."
Comments (none posted)
IT-Director is running
a Robin Bloor column on the use of Linux in government.
"
In Pakistan 50,000 low cost computers will be installed in schools and colleges all over Pakistan (for less than $100 each) that use GNU/Linux. Pakistan is also considering the use of StarOffice office. Salman Ansari, an advisor to the Ministry of Science and Technology says 'Don't be surprised if we become the first country in the world to say that all (government-run) services are going to be GNU/Linux based'." As an aside, the article also mentions questions about the provenance of the code in SCO's "Linux Kernel Personality" offering.
Comments (11 posted)
The Miami Herald is carrying
an AP
story stating that the state of Massachusetts is adopting a policy of
moving over to open systems. Quoting Eric Kriss, the state's
Administration and Finance Secretary: "
Kriss said the state's
decision was driven by a desire to reduce licensing fees but also 'by a
philosophy that what the state has is a public good and should be open to
all.'"
Comments (8 posted)
News.com
reports on a
South Korean plan to replace a significant percentage of its desktop
and server systems with free software by 2007.
"
'If the change is successful, we will be able to save about $300 million a year. Also, we may insure security and interconnectivity of national information system', the ministry representative said.
However, industry experts have expressed skepticism, saying that the country's software developers don't have the resources to support both Windows and Linux."
Comments (2 posted)
Legal
The Financial Times
reports
on the European software patent vote. "
So what happens next?
Last week's decision is only the first stage in a procedure that will see
the legislation approved by EU member states, many of which would have
preferred tougher rules and will seek to have the directive returned to the
parliament for redrafting. But already there is speculation that Frits
Bolkestein, the EU single market commissioner, may decide to take the matter
out of the European parliament's hands." (Thanks to Thomas Hood).
Comments (4 posted)
Interviews
DesktopLinux.com
interviews
Tom Adelstein, founder & chief proponent of
Government Forge. "
Tom
Adelstein, longtime Linux advocate and consultant has spent the last year
working closely with state, local, and federal government open source
software initiatives. Tom launched Government Forge, a Web site devoted to
state and local governments interested in Linux and open source which is
newly part of the Open Source Software Institute. In November 2002, Tom
initiated the legislation for Open Source Software in Texas which resulted
in Senate Bill 1579 filed by State Senator John Carona."
Comments (none posted)
O'ReillyNet
interviews
Bernard Leach about porting Linux to Apple's iPod. "
The port
uses uClinux, a Linux flavor designed for devices that lack a memory
management unit (MMU). While the iPod has some MMU-type capabilities, they
are not sufficient to support the Linux kernel. The code is released under
the GNU General Public license."
Comments (6 posted)
eWeek
interviews
Ransom Love, former CEO of (the company now known as) the SCO Group.
"
This is awkward to me, I don't know what's going on inside SCO
today, and I don't want to throw stones on either side. I, however, no
longer have any investments in SCO. When news of the IBM lawsuit broke, I
sold the last of my stock. I no longer have any relationship with the
company." (Thanks to Denice Deatrich).
Comments (7 posted)
eWeek
talks
with security expert Dan Geer. "
Software diversity in the name
of security is by no means a new idea, but Geer and the other authors are
all very visible in the high-tech industry, especially within the security
community, and their opinions carry a certain weight. However, Geer said
Monday that the opinions in the paper were no more controversial or edgy
than many of the things he's said in speeches, interviews and other papers
during his time with @stake."
Comments (none posted)
Reviews
Linux Journal
explores RSA
encryption in OpenSSL. "
When sending your credit card number
through a public medium, such as the Internet, your financial credibility
may be compromised if the number is not first encrypted. It is impossible
to tell who may be listening in on your connection as you shop for new CDs
or books. The RSA encryption method often is used to hide your credit card
number from would-be thieves on the Internet, because it uses a public key
to hide your information and a private key to reveal it. This article
banishes the mystery surrounding RSA encryption and explains how a
realistic implementation of RSA works in the OpenSSL library."
Comments (none posted)
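The quoted teaser gives the public-key-encrypts, private-key-decrypts picture; the point a practitioner should take away is that the bare mathematics is not by itself enough to hide a credit card number. The following is an added example, not code from the Linux Journal article or from OpenSSL: textbook RSA in pure Python, built from two small constructed primes and a constructed test card number, showing the round trip and then the two failures (determinism and malleability) that real libraries, OpenSSL included, avoid by applying randomized padding (PKCS#1 v1.5 or OAEP) before exponentiation.

```python
# Added example (not from the Linux Journal article or OpenSSL): textbook RSA
# in pure Python, to show the public-key-encrypts / private-key-decrypts
# mechanism and why raw, unpadded RSA is NOT enough for a credit card number.
import math


def rsa_keygen(p, q, e=65537):
    """Build an RSA key pair from two primes p and q.

    Returns (public, private) as ((n, e), (n, d)).  The primes used below are
    tiny (about 30 bits) so the arithmetic is easy to follow; a real key uses
    primes of 1024+ bits each, generated and primality-tested by the library.
    """
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient of n
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """Anyone holding the public key can do this: c = m^e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """Only the holder of the private exponent d reverses it: m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def guess_plaintext(public, c, candidates):
    """Eavesdropper's attack on unpadded RSA: the public key lets anyone
    encrypt guesses and compare them with the observed ciphertext.
    Returns the matching candidate, or None."""
    for guess in candidates:
        if rsa_encrypt(public, guess) == c:
            return guess
    return None


def demo():
    # Constructed demo primes (both well-known primes); n is roughly 2^60.
    p, q = 1000000007, 998244353
    public, private = rsa_keygen(p, q)

    card = 4111111111111111                # constructed 16-digit test number
    c = rsa_encrypt(public, card)

    # Failure 1: textbook RSA is deterministic, so the same number always
    # yields the same ciphertext.  A 16-digit card number has far too little
    # entropy to survive that: the attacker simply encrypts candidates.
    candidates = [4111111111111110, 4111111111111111, 4111111111111112]
    recovered = guess_plaintext(public, c, candidates)

    # Failure 2: textbook RSA is malleable.  Multiplying the ciphertext by
    # enc(k) gives a valid ciphertext of k*m without knowing m or d.
    n = public[0]
    forged = (c * rsa_encrypt(public, 2)) % n
    doubled = rsa_decrypt(private, forged)

    return {
        "round_trip": rsa_decrypt(private, c) == card,
        "deterministic": rsa_encrypt(public, card) == c,
        "recovered": recovered,
        "doubled": doubled,
        "doubled_matches": doubled == (2 * card) % n,
    }


if __name__ == "__main__":
    print(demo())
```

The round trip is the part the article describes; the other two results are why nobody should call `pow(m, e, n)` on a card number directly. Randomized padding makes each encryption of the same value different (so guessing fails) and makes a multiplied ciphertext decrypt to garbage that fails the padding check (so forgery fails).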
Jeremy Allison
introduces
Samba 3.0 in this NewsForge article. "
Samba 3.0 contains the
first Open Source/Free Software implementation of Windows NT Primary and
Backup Domain Controller functionality. Customers can transparently migrate
their existing Windows NT domains to Samba 3.0 whilst keeping their
existing user and group account databases. This enables significant cost of
ownership savings over a Windows NT4 domain as a Samba 3.0 Domain
Controller does not require client access licenses. Existing Windows tools
can be used to manage a Samba PDC, allowing customer Windows expertise to
be leveraged in a domain migration. A choice of LDAP back-ends allows
integration with an existing customer directory service."
Comments (6 posted)
NewsForge
takes a
look at SuSE Linux 9.0, due out next month. "
The latest
version of the company's home user operating system will be the first to
support AMD's Athlon 64 processor, and will include a test version of the
2.6 Linux kernel, according to Holger Dyroff, SuSE's general manager,
Americas."
Comments (8 posted)
Miscellaneous
Linux Journal
looks at the
possibilities of building an automated broadcast radio station using
Linux. "
RFPI downloads much of its program material from the
Internet--using a Linux system, of course. Rather than save the material on
the computer, RFPI saves it on mini-disks. Broadcasts, then, are done with
a live announcer filling in between pre-recorded material. The live
broadcast also is recorded on tape for re-broadcast later in the day. In
the RFPI example, the only missing link to full automation is some
software."
Comments (none posted)
Computer Business Review Online
reports that the United Nations has eliminated "Programmers Without
Frontiers" and any preference for open source in the latest draft of the
United Nations' World Summit on the Information Society's Plan of Action.
"
Language in an August draft of the WSIS Plan of Action that would
have advocated the use of open-source software, particularly in developing
nations, was toned down in the September 26 draft, to give equal weight to
the value of proprietary software. The August draft promoted open source
awareness, the creation of intellectual property mechanisms supporting open
source, and the creation of a UN "Programmers Without Frontiers" body to
support open source software in developing nations."
Comments (4 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
As many readers have pointed out to us, we missed the twentieth anniversary
of the
initial
announcement of the GNU project. Richard Stallman sent out that
announcement on September 27, 1983. Not everything happened as RMS
planned, but the founding of the GNU project was a crucial event in the
resurgence of free software. "
So that I can continue to use computers without violating my principles,
I have decided to put together a sufficient body of free software so that
I will be able to get along without any software that is not free."
Comments (31 posted)
The Linux Documentation Project has sent out an announcement celebrating
its tenth anniversary. "
Ten years later, it is no exaggeration to say this issue has been dealt
with, thoroughly: TLDP today is one of the largest Internet projects,
where a few hundred people have written several hundred documents, from
small manual pages to in depth guides that span over a hundred pages,
covering nearly all aspects of Linux." Congratulations, and we're
looking forward to the next ten years.
Full Story (comments: none)
OpenPKG is looking for feedback from the community. If you are using
OpenPKG consider taking a few minutes to fill out
this form.
Full Story (comments: none)
The OpenOffice.org Community Council has been formed.
"
The Community
Council will be charged with many tasks that directly affect you, the
community. Therefore, we will be working as openly as possible and in
collaboration with the community, which includes both independent
users, contributors, developers as well as Sun developers and managers."
Full Story (comments: none)
The Open Source Applications Foundation has sent out an announcement stating
that it has received $2.75 million in grants. These grants, from the
Andrew W. Mellon Foundation and Common Solutions Group, will be used to
extend OSAF's "Chandler" application (which does calendars, email, contact
management, and instant messaging) to meet the needs of higher education
users.
Full Story (comments: none)
The notes from the Open Source Applications Foundation
meeting of September 29, 2003 are available.
Comments (none posted)
Commercial announcements
Telephone support for Mozilla
will soon be available.
"
The service, which will cost $39.95 per incident, will be
provided by DecisionOne, who currently offer telephone and email support for
Netscape."
Comments (none posted)
A free beta version of the commercial typing software
"Ten Thumbs Typing Tutor" is available.
Full Story (comments: none)
New Books
A new book on Samba is coming out soon.
"
Prentice Hall PTR, the leading publisher of advanced technology
books, announces the forthcoming release of "The Official Samba-3 HOWTO
and Reference Guide"."
Full Story (comments: none)
O'Reilly has published the second edition of "Learning XML"
by Erik T. Ray.
Full Story (comments: none)
Resources
The September 24, 2003 edition of the Linux Documentation Project
Weekly News is out. Take a look for the latest documentation changes.
Full Story (comments: none)
The September 30, 2003 edition of the
Linux Documentation Project Weekly News
is out with even more documentation news.
Full Story (comments: none)
The Linux Professional Institute News for September 2003
is available.
"
This month the President of LPI, Evan Leibovitch, is pleased to tell you
of some interesting news regarding LPI's participation at the
'World Summit on the Information Society'.
His article can be found at the beginning of the news letter followed by
other things LPI is doing."
Full Story (comments: none)
Dave Phillips has written an article on
Using VST Plugins In Linux in the
Quicktoots
series.
Full Story (comments: none)
Upcoming Events
A Linux install party and "Free Software for music" workshop
will be held at the Resonances 2003 conference at IRCAM in France
on October 23, 2003.
"
The "Free software for music" day will take a tour of free musical and
professional audio software, the evolution of Linux towards easier
use, compatibility with audio equipment, audio drivers and MIDI."
Full Story (comments: none)
The Linux Users' Group of Davis will be holding another Linux
Installfest workshop on October 5 at UC Davis in Davis, CA.
Full Story (comments: none)
The
Southern California Linux Expo (SCALE) will be held on
November 22, 2003 in Los Angeles, CA.
Comments (none posted)
The speakers list for the Hivercon 2003 corporate security conference
has been announced. The event will be held in Dublin, Ireland on
November 6 and 7, 2003.
Full Story (comments: none)
A
Linux Accessibility Step-by-Step
pre-conference workshop will be held at the
Techshare 2003 conference in Birmingham, UK on November 19, 2003.
"
This day-long session will demonstrate the process of installing and
configuring Linux for use by a blind individual. The current Red Hat
distribution will be installed and augmented with speech and braille
interfaces. Additional configuration will include Ethernet and modem based
networking and ssh for secure remote login. The Advanced Linux Sound
Architecture (ALSA) will be installed to support voice over IP, and Real
media streaming, wav, MP3, and ogg creation and playback."
Thanks to Daniel James.
Comments (none posted)
Mitch Kapor will present the Keynote at the PyCon DC 2004
conference. The event will be held in Washington, D.C.
from March 24-26, 2004.
Full Story (comments: none)
The Linux Asia 2004 conference will be held at the
India Habitat Centre in New Delhi, India on
February 11-13, 2004.
"
The event is aimed at shifting Linux from labs to offices."
Full Story (comments: 2)
| Date | Event | Location |
|------|-------|----------|
| October 7 - 8, 2003 | LogOn Web Days | Across Europe |
| October 8, 2003 | Demystifying Open Source Technology for non-profits | (121 Sixth Avenue) New York, NY |
| October 12 - 15, 2003 | International Lisp Conference 2003 (ILC 2003) | New York, NY |
| October 14 - 16, 2003 | 10th Linux-Kongress | Saarbrücken, Germany |
| October 15 - 17, 2003 | The First Plone Conference | (Tulane University) New Orleans, Louisiana |
| October 26, 2003 and October 27 - 31, 2003 | Large Installation Systems Administration Conference (LISA) | (Town & Country Resort Hotel) San Diego, CA |
| October 29 - 31, 2003 | Asian Enterprise Open Source Conference (AEOSC) | (Suntec International Convention and Exhibition Centre) Singapore |
| October 30 - 31, 2003 | 4to Encuentro Linux | Valparaiso, Chile |
| November 2 - 3, 2003 | International PHP Conference 2003 | (Astron Hotel Frankfurt-Mörfelden) Frankfurt, Germany |
| November 6 - 7, 2003 | HiverCon 2003 | (Davenport Hotel) Dublin, Ireland |
| November 6, 2003 | Netherlands Unix Users group fall conference | (Conference Center De Reehorst) Ede, the Netherlands |
| November 10, 2003 | Desktop Linux Conference | (Boston University Corporate Education Center) Tyngsboro, Massachusetts |
| November 14 - 16, 2003 | Third International Ruby Conference | (Red Lion Hotel) Austin, Texas |
| November 16 - 19, 2003 | ApacheCon 2003 | Las Vegas, Nevada |
| November 22, 2003 | Southern California Linux Expo (SCALE) | (Los Angeles Convention Center) Los Angeles, CA |
| November 24 - 26, 2003 | Open Standards and Libre Software in Government Conference (EGOVOS 3) | Paris, France |
Comments (none posted)
Web sites
KDE.News has
an announcement
for the new KDE Community Wiki Site.
"
Everyone is welcome to join and participate on the content. The main idea is to share KDE users' and developers' experience. Every registered user is able to create, edit and modify the content of Wiki pages. It's fast and easy."
Comments (none posted)
OpenJay.org
is a new web site that is dedicated to the use of open-source
software for Disk Jockeys.
"
The common problem is that Linux
applications are usually developed by programmers thinking of other
programmers and not of common users.
Ok... from all this stuff came my idea to build OpenJay.org,
a site dedicated to OpenSource DJs. I thought up OpenJay expressly
to show the Linux audio
power, giving evidence to the audio applications with reviews, tips and
tricks, and making the life of the OpenSource audio maniac easier."
Full Story (comments: none)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Miscellaneous
KDE.News
reports that the KDE
Web Team has set up a public poll to determine the new logo for
KDE.org. The poll is open for two weeks, starting September 28th, 2003.
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
From: "Eric S. Raymond" <esr@snark.thyrsus.com>
To: wire-service@snark.thyrsus.com
Subject: "Proposed" Software monopoly?
Date: Tue, 30 Sep 2003 19:45:28 -0400
Citizens Against Government Waste should be ashamed of itself. As a
liberty-loving foe of intrusive government, I'm normally sympathetic to
their crusade against bureaucracy and over-regulation. But today,
CAGW made the strongest argument I've ever seen for writing them off
as mere shills for corporate greed.
CAGW's press release[1] attacking the Massachusetts Freeware
Initiative reads like it was dictated by Microsoft's PR department --
complete with a fraudulent assertion that open source is more
expensive, and even an attempt to associate open source with the
hideous evils of the Soviet Union and socialism.
CAGW affects to be horrified by what it calls a "Proposed Software
Monopoly". Which raises this question: where has CAGW been all these
years while Massachusetts taxpayers were being gouged by an *actual*
monopoly?
Massachusetts CIO Peter Quinn is doing his job, ensuring that the
government and the people of Massachusetts will no longer be
locked into closed formats and closed software and unhealthy
dependence on a monopolist. Open government demands open source.
[1] Press release at PRNewsWire
--
Eric S. Raymond <http://www.catb.org/~esr/>
This would be the best of all possible worlds, if there were
no religion in it. -- John Adams, in a letter to Thomas Jefferson.
Comments (none posted)
From: ketil@ii.uib.no (Ketil Z. Malde)
To: letters@lwn.net
Subject: Darl McBride hits the nail on the head
Date: 25 Sep 2003 12:37:59 +0200
(Not tired of the SCO case yet? :-)
Darl McBride, interviewed by Computerworld
http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,84819,00.html
Clearly, the free model just about killed our company, and I would
argue that it's going to kill a lot of other software companies if
the GPL [General Public License] is able to gain a foothold and run
rampant throughout the industry.
Among all his wild and ludicrous statements, I think this is right on
the mark, addressing the core of the problem. One reason Microsoft is
so vehemently opposed to open source, is of course that, in spite of
all their ventures into different markets, it is only making real
money by producing shrink-wrapped software: Windows and Office. Open
source is threatening that business model.¹
This is, of course a real problem, in particular if you work at, own
stock in, or have your political campaigns funded by a software(-only)
company.
However, that business models are obsoleted over time is a fact of
capitalism and free markets. Railroads made a lot of other
transportation obsolete, but helped to instigate the industrial
revolution. Ever wonder what the world would look like if the horse-
and oxcart interests, unable to compete in a changed marketplace, had
managed to sue the steam engine out of existence?
But looking only at the downside is, I think, rather naive and
unproductive. With open source, a lot of power and freedom is turned
over to users, system integrators and consultants: for instance the
power to adapt anything to your specific needs, the power to repair
any perceived problem, and the freedom to be independent of any
particular manufacturer or contractor. From an economic perspective,
commercial software -- like any other "intellectual property" --
introduces monopolization, the exploitation of which is generally
negative. Open source is the key to setting the economy free from the
burden of these monopolies.
In a sense, the fact that SCO is suing IBM is very telling; SCO is a
software company that, in McBride's own words, is being killed by
open source; IBM is in addition a hardware manufacturer, system
integrator and service provider that thinks open source is so
beneficial that it invests heavily in both developing and marketing
it, even if it is at the expense of IBM's own software offerings.
SCO was unable to give its products an edge over competing open source
offerings -- something that could have kept it, along with companies
like Microsoft and Oracle, alive and perhaps profitable. SCO was
obsolete, technically insignificant. Its only function now is as a
legal obstacle to technical and economic progress. Good riddance!
-kzm
¹) Ditto for Sun, who to a large extent depend on the qualities of
Solaris and control over Java to dominate the commercial Unix niche;
large-scale adoption of Linux along with open source J2EE
implementations may relegate them to being yet another hardware
manufacturer.
--
If I haven't seen further, it is by standing in the footprints of giants
Comments (4 posted)
Page editor: Jonathan Corbet