LWN.net Weekly Edition for October 23, 2003

Bernstein wins, sort of

October 22, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Not with a bang, but a whimper. That's how Daniel Bernstein's fight with the federal government over cryptography regulations has wound to a close. It is an unsatisfying end to the eight years of court battles over the constitutionality of export restrictions on cryptography.

Bernstein may be better-known to the community as the author of qmail, djbdns, ezmlm and a number of other popular (if not quite free) packages. Bernstein, now an associate professor in the department of Mathematics, Statistics, and Computer Science with the University of Illinois, first filed suit against the Department of State in 1995.

Before the first suit was filed, Bernstein was a PhD candidate working in the field of cryptography at the University of California at Berkeley. Bernstein had produced "Snuffle," a private-key encryption system, and in June, 1992 requested a decision from the Department of State as to whether the source code could be published on the "sci.crypt" newsgroups. The response was that Snuffle was a "defense item" and Bernstein would need licenses for export of Snuffle. After additional correspondence over the next three years, Bernstein and the Electronic Frontier Foundation filed suit against the Department of State and a number of individuals. Bernstein argued that the International Traffic In Arms Regulations (ITAR) requiring licensing for export of cryptographic software were unconstitutional.

The Bernstein case produced a landmark ruling that recognized code as a form of speech. The Department of State asked Judge Marilyn Hall Patel to dismiss the case, arguing (among other things) that export controls on encryption software do not constitute a prior restraint of free speech. Patel, in refusing to dismiss the case, issued an opinion in the case that source code is to be protected as speech under the First Amendment:

This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French...Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it...For the purposes of First Amendment analysis, this court finds that source code is speech.

Patel's ruling was the first that recognized source code as speech with regard to consideration under the First Amendment. Courts had previously recognized code as something that could be protected under copyright law, but not as communication to be protected under the First Amendment. Eventually, Bernstein won his case against the Department of State, with Patel agreeing with Bernstein in 1996 that the regulations were unconstitutional.

The victory, however, was short-lived. Regulation of encryption shifted from the Department of State under ITAR to the Commerce Department and a new set of regulations, the Export Administration Regulations (EAR). Bernstein challenged EAR, and Patel also found that the EAR was unconstitutional and enjoined the Department of State and the Commerce Department from enforcing it.

The government appealed and the Ninth Circuit upheld Patel's decision, finding that "encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive."

After failed appeals, the government changed the regulations and the case was remanded back to Patel. Instead of requiring Bernstein or other crypto researchers to acquire a license for every viewer of the information, the government now wanted encryption items sent to the Bureau of Industry and Security (BIS) for export approval. However, the changes in EAR were still not satisfactory to Bernstein or the EFF, and the legal battles continued.

Unfortunately, in the U.S. judicial system, it is apparently not enough to merely show that a particular law may be unconstitutional. One must also show that the law in question may be used against you. Patel dismissed Bernstein's case against the Department of Commerce on July 28 of this year for lack of standing. Patel also dismissed Bernstein's case against the Department of State last week, after the Bush administration said it would not attempt to enforce some of the encryption export regulations.

Though Bernstein seems safe from prosecution, at least at the moment, the problem is that the export regulations remain on the books. There is nothing stopping the government from prosecuting others for violation of EAR at this time. Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone.

Since this includes any distribution of software online, and even "technical assistance" with the development of encryption software subject to EAR, the EAR restrictions continue to pose at least a potential threat to open source developers working with encryption in the U.S. Violations of EAR could result in fines of up to $250,000 or ten years in prison, so the threat is not one to be taken lightly.

While it would be nice to believe that the regulations will be unenforced, it would have been a much better result if Bernstein could have succeeded in having them thrown out entirely. For now, we will have to settle for a partial victory.

The EU Open Source Migration Guidelines

The European Union Interchange of Data between Administrators project has (with the help of NetProject) published a document on how to migrate over to open source software. This document is available as a 148-page PDF file.

Much of this document will seem like basic common sense to many readers. Remember, however, that the target readership is high-level management, and one should not make too many assumptions with that crowd. Thus, for example, we have suggestions like "have a clear understanding of the reasons to migrate," "start with non-critical systems," and "ensure that there is active support for the change from IT staff and users." All of which is undoubtedly good advice.

The guidelines repeatedly suggest that, even if no changes are foreseen in the near future, it is still a good idea to avoid doing things that would make such a change harder in the future. Thus, web pages should be written to work with all browsers, excessive use of scripts and macros in documents should be avoided, standard file formats should be used, etc. This suggestion, by itself, would make life a lot easier for many people even if they never switch to free software.

The guidelines make specific suggestions for software to migrate to. These include OpenOffice.org (best Office replacement, can run on Windows), Evolution, Galeon (or Mozilla if it has to run on Windows too), MySQL, Exim (Postfix is "an acceptable alternative"), PhpGroupWare, Apache, and Zope. The report recommends GNOME over KDE ("netproject considers that [GNOME] has a better architecture and believes it has a better future").

A great many migration scenarios are provided; here the guidelines begin to resemble a system administration book. If you are looking for instructions on how to export your Access data for ingest into MySQL or how to convert your Word templates, this document has something for you. As a general rule, the information provided will not be sufficient for those who do not already have some expertise in making this sort of transition. It does, however, show that the transition is possible and highlight some of the potential pitfalls.

The document concludes with 50 pages of appendices. There is a lengthy list of available case studies, a detailed description of how mail systems are put together, some fairly useless tables of package versions, a Red Hat kickstart file for installing systems using the French language, and a glossary.

The Open Source Migration Guidelines may well prove to be a useful document for managers trying to plan (or decide on) a change to free software in their organizations. Its real value, however, may be found in a different area. What the Guidelines provide is a convincing demonstration that this transition can be done, and that the required tools exist. And that may be what many people pondering free software need more than anything else.

Catching up with SCO

There have been a few developments in the SCO case over the last week or so; time to check in and see what they are up to.

Much noise was made about the $50 million equity investment that the company received. This money was presented as being from BayStar, a venture capital firm. In fact, BayStar was the minority investor, having put in $20 million. The rest came from the Royal Bank of Canada.

This is not a straightforward equity investment. The investors will be getting "Series A convertible preferred stock," which brings no voting rights. The holders of the stock do, however, get veto power over a number of possible corporate actions, including taking on large debts or sales of assets. The preferred stock can be converted to common stock at $16.93/share whenever the investors wish. The investors can also force SCO to buy back the stock (with cash) under certain conditions, including delisting of the stock or financial problems that suggest bankruptcy is near.

After one year, SCO must pay an 8% dividend on the preferred stock; that dividend goes up 2% per year to a maximum level of 12%. Starting next year, SCO will have to come up with $4 million in cash flow to service this dividend requirement.

In summary, SCO has tied itself to an investment scheme that is rather more expensive than a straightforward stock issue would have been. For those who are interested, the full agreement is online at the SEC.

Meanwhile, in the courtrooms, the story is mostly one of motions going back and forth. The company has submitted a new brief in support of its motion to dismiss the Red Hat suit; this brief has been analyzed in great detail over at Groklaw. Suffice to say that PJ was not particularly impressed. We'll not duplicate the analysis on Groklaw, but there is one paragraph (from the opening page) which is worthy of note:

Red Hat, despite the complete absence of any ownership rights whatsoever in the Linux kernels, seeks a declaration that these Linux kernels do not infringe SCO's intellectual property rights. Similarly, Red Hat seeks redress based upon Lanham Act and state law claims, despite the fact that the Linux kernel is provided to any and all comers for free. This lack of ownership, combined with a careful review of complete quotations and accurate statements of law, makes clear that Red Hat's claims must fail.

A quick grep through the kernel source turns up an awful lot of Red Hat copyright statements. Red Hat indisputably has ownership rights in the Linux kernel. The fact that the relevant code has been placed under a license that allows free redistribution under certain conditions does not change that fact.

What is going on here is that the SCO Group, despite its ongoing bluster about intellectual property rights, is trying to deprive those who have contributed to the Linux kernel of their rights. This denial of Red Hat's rights goes along with SCO's attacks on the GPL. SCO would like nothing better than to invalidate all rights on the kernel - except, of course, those it claims to own itself. As long as others have rights to the kernel and the GPL holds, SCO cannot make a serious go at a general Linux tax.

The court records in Delaware show that SCO has filed to change its legal representation in the Red Hat case. Such a change in the middle of an ongoing case is generally unexpected. According to Groklaw, SCO is using some of its BayStar money to trade up to a higher-class, better-connected law firm.

In Utah, SCO is trying to fight (or at least delay) IBM's "motion to compel" the company to disclose the exact nature of its claims. From IBM's latest filing opposing a request from SCO for a delay:

There is nothing for SCO to say in response to IBM's motion except that it will provide all of the information IBM has requested. As stated in IBM's motion, SCO does not claim the right to withhold responsive information based on any of its boilerplate objections to these interrogatories. By contrast, further delay will compound the prejudice imposed upon IBM by SCO's delay of more than three months. This case has been pending more than seven months, and SCO has still failed to disclose what its claims are about.

Again, see Groklaw (where else?) for the details.

SCO has a new agreement with Boies, Schiller & Flexner, the law firm representing it in the IBM case. The company's recent 8K filing describes the new deal:

As part of this modification, which is subject to a definitive agreement, the law firm would receive a contingent fee of 20 percent of the proceeds from certain events related to its protection of SCO's intellectual property rights, including certain licensing fees, settlements, judgments, equity financings or a sale of SCO during the pendency of litigation or through settlement, subject to certain agreed upon credits for amounts received as discounted hourly fees or prior contingency payments. In addition, this modification may result in the payment to such law firm of up to $1,000,000 and the issuance of up to 400,000 shares of SCO's common stock.

In other words, Boies et al. are no longer willing to work for a straight contingency deal. The 20% fee could yet be lucrative - it is not clear whether it includes the $50 million from BayStar and RBC - but Boies is now getting $1 million and almost $7 million worth of stock as well regardless of the outcome of any litigation. SCO's lawyers win whether its client does or not.

The 8K filing also notes that Microsoft has pumped another $8 million worth of "licensing fees" into SCO.

SCO has backed down from its threats to "cancel" SGI's Unix license. At the latest conference call, Darl McBride noted that SCO was happy with the code (about 200 lines) that SGI has removed from the kernel; he seems to have stopped talking about the XFS filesystem. Mr. McBride also, in response to a question, stated that SCO did not have any other Unix vendors in its sights. He did, however, make a rather chilling statement about SCO's several thousand end-user Unix licensees. There is, apparently, something in those contracts which makes those users - if they also use Linux - look like especially tempting targets. SCO remains a good company to avoid signing contracts with.

Time for another Europatent push

As described in this FFII alert, the software patent proposal recently voted in the European Parliament may yet get pushed aside. "If UK ministers cannot be convinced otherwise before 10 November, it is believed they will push for the Council to adopt a November 2002 draft text, which is even worse than the infamous McCarthy report. The European Parliament's rules for second reading make it very difficult for MEPs to fix a bad text from the Council." There will be a meeting of "patent officials from across Europe" held on October 23 to work out the next steps for the establishment of software patents in Europe. FFII is requesting that everybody who can contact their (national) Parliament members to help them understand why software patents are a bad idea. This battle is not yet over. (Thanks to James Heald)

Page editor: Jonathan Corbet

Security

Brief items

Blocking forgeries and spam with SPF

Anybody who has spent any amount of time dealing with spam (i.e. just about anybody with an email address) knows that a great deal of it comes with forged return addresses. Email worms attacking certain proprietary systems also have a habit of generating mail with fake return addresses. If there were a way to filter out mail with bogus sender addresses, a great deal of spam and other unpleasant mail could be automatically removed from our mailboxes.

A technique called "Sender Permitted From" (SPF) is being readied to attempt to make this sort of filtering possible. Those looking for details can find them in the draft RFC, but the core concept is simple: the DNS database for each domain should be augmented with information on which systems are authorized to originate email for that domain. This information is added as a DNS "text" record, so no changes to the DNS protocol are required.

So, for example, the DNS zone file for a domain which never, ever sends mail could be made SPF-compliant by adding one line:

    example.com  IN  TXT  "v=spf1 default=deny"

The "v=spf1" portion indicates that this is an SPF version 1 entry, and the rest says to deny all mail from that domain.

In most interesting cases, however, people will want to be able to send mail from a domain. So the SPF entry must be modified to tell mail recipients which systems can send mail for the domain. The simplest way of doing that, perhaps, is to simply state that the domain's MX servers can originate mail:

    example.com  IN  TXT "v=spf1 mx default=deny"

There are, of course, many ways of specifying, in great detail, exactly which systems can legitimately send mail for the domain of interest; see the RFC for details.

None of this will work until receiving systems perform SPF tests, of course. One of the nice features of SPF is that the check can be done before the body of a message is received. If the message will be filtered, this filtering can be done at the SMTP level and a meaningful message returned to the sender - if, indeed, there is a real sender. Patches exist for a number of MTAs now; expect more as the SPF specification solidifies. There are also plans to add SPF support in other places; apparently SpamAssassin 2.70 will support it, for example.
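
An added example, not code from the article or from the SPF project: a simplified receiver-side check for the two draft-syntax records shown above, applied when the envelope sender arrives and before any message body is transferred. The DNS table, addresses and function names are constructed for illustration, and only the `mx` and `default=deny` terms are modelled.

```python
import ipaddress

# Constructed DNS data standing in for real lookups: reserved example
# domains and documentation address ranges only.
DNS = {
    "TXT": {
        "example.com": ["v=spf1 mx default=deny"],  # MX hosts may send
        "example.net": ["v=spf1 default=deny"],     # never sends mail
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": ["192.0.2.25"]},
}


def spf_terms(domain, dns):
    """Return the terms following v=spf1, or None if no SPF record exists."""
    for txt in dns["TXT"].get(domain, []):
        terms = txt.split()
        if terms and terms[0].lower() == "v=spf1":
            return terms[1:]
    return None


def mx_addresses(domain, dns):
    """Resolve the domain's MX hosts to the set of addresses they use."""
    addrs = set()
    for host in dns["MX"].get(domain, []):
        for addr in dns["A"].get(host, []):
            addrs.add(ipaddress.ip_address(addr))
    return addrs


def check_sender(client_ip, mail_from, dns=DNS):
    """Evaluate the envelope sender; returns 'allow', 'deny' or 'unknown'."""
    domain = mail_from.rpartition("@")[2].strip("<>").lower()
    terms = spf_terms(domain, dns) if domain else None
    if terms is None:
        # No SPF data published (or a null sender): nothing to enforce.
        return "unknown"
    client = ipaddress.ip_address(client_ip)
    default = "unknown"
    for term in terms:
        if term == "mx":
            if client in mx_addresses(domain, dns):
                return "allow"
        elif term == "default=deny":
            default = "deny"
        # Mechanisms other than the two shown in the article are not
        # modelled here and are skipped.
    return default


def mail_from_reply(client_ip, mail_from, dns=DNS):
    """SMTP reply to MAIL FROM, decided before any message body is sent."""
    if check_sender(client_ip, mail_from, dns) == "deny":
        return "550 %s is not permitted to send mail for this domain" % client_ip
    return "250 OK"


if __name__ == "__main__":
    # Constructed connections: (connecting address, envelope sender).
    for ip, sender in [
        ("192.0.2.25", "alice@example.com"),    # the domain's own MX host
        ("198.51.100.7", "alice@example.com"),  # forged from elsewhere
        ("192.0.2.25", "bob@example.net"),      # domain that never sends
        ("198.51.100.7", "carol@example.org"),  # domain with no SPF record
    ]:
        print(ip, sender, "->", mail_from_reply(ip, sender))
```

The last sample connection is accepted because its domain publishes no SPF record, so the receiver has nothing to enforce.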

SPF certainly will not solve the spam problem; spammers will just use domains that lack SPF information, open relays, or throwaway domains of their own. But it does place one more obstacle in their way, and will doubtless reduce the flow somewhat. The real value of SPF may be in its ability to make the forgery of email more difficult. In a fully SPF-compliant world, Linux users would no longer be flooded with "virus notifications" every time a new worm starts digging through people's address books. A dedicated attacker would probably still be able to forge email from a specific victim, but the days of easy, casual forgery would, one hopes, be over. And that is worth something.

New vulnerabilities

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 17, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22

gdm: local attacker may crash or freeze gdm

Package(s):gdm CVE #(s):CAN-2003-0793 CAN-2003-0794
Created:October 17, 2003 Updated:October 27, 2003
Description: Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that would allow a local attacker to cause gdm to crash or freeze.

Alerts:
Slackware SSA:2003-300-01 2003-10-22
Conectiva CLA-2003:766 2003-10-17
Mandrake MDKSA-2003:100 2003-10-16

ircd: denial of service vulnerability

Package(s):ircd CVE #(s):CAN-2003-0864
Created:October 17, 2003 Updated:October 22, 2003
Description: Piotr Kucharski reported a buffer overflow vulnerability that may allow an attacker to crash the ircd server, thus causing a denial of service condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0864 to this issue.
Alerts:
OpenPKG OpenPKG-SA-2003.045 2003-10-19
Conectiva CLA-2003:765 2003-10-17

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 24, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

glibc - buffer overflow

Package(s):glibc CVE #(s):CAN-2003-0689
Created:October 15, 2003 Updated:November 25, 2003
Description: The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun.
Alerts:
Gentoo 200311-05 2003-11-22
Mandrake MDKSA-2003:107 2003-11-18
Trustix 2003-0039 2003-11-15
Red Hat RHSA-2003:325-01 2003-11-12
Conectiva CLA-2003:762 2003-10-14

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 16, 2003 Updated:November 18, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory, two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure.
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 2003-12-19
Gentoo 200311-01 2003-11-15
Debian DSA-388-1 2003-09-19
Conectiva CLA-2003:747 2003-09-19
Mandrake MDKSA-2003:091 2003-09-16
Red Hat RHSA-2003:269-01 2003-09-16

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability, issue the following command as root:

    chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

openssl: vulnerabilities in ASN.1 code

Package(s):openssl CVE #(s):CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
Created:September 30, 2003 Updated:November 4, 2003
Description: Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay.

An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544.

It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545.

CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.

Alerts:
EnGarde ESA-20031104-029 2003-11-04
Debian DSA-394-1 2003-10-11
Conectiva CLA-2003:759 2003-10-03
EnGarde ESA-20031003-028 2003-10-03
Tawie 2003-0001 2003-10-02
SuSE SuSE-SA:2003:043 2003-10-01
Slackware SSA:2003-273-01 2003-09-30
Mandrake MDKSA-2003:098 2003-09-30
Gentoo 200309-19 2003-10-01
Debian DSA-393-1 2003-10-01
Conectiva CLA-2003:751 2003-09-30
EnGarde ESA-20030930-027 2003-09-30
Immunix IMNX-2003-7+-022-01 2003-09-29
OpenPKG OpenPKG-SA-2003.044 2003-09-30
Red Hat RHSA-2003:292-01 2003-09-30
Red Hat RHSA-2003:291-01 2003-09-30

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Mandrake MDKSA-2003:095-1 2003-12-31
Conectiva CLA-2003:750 2003-09-29
Gentoo 200309-16 2003-09-28
Trustix 2003-0037 2003-09-27
Mandrake MDKSA-2003:095 2003-09-26
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Slackware SSA:2003-259-02 2003-09-23

Comments (2 posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s):sendmail CVE #(s):CAN-2003-0694 CAN-2003-0681
Created:September 17, 2003 Updated:November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:
SCO Group CSSA-2003-036.0 2003-11-17
SuSE SuSE-SA:2003:040 2003-09-20
OpenPKG OpenPKG-SA-2003.041 2003-09-19
Conectiva CLA-2003:742 2003-09-18
Yellow Dog YDU-20030917-2 2003-09-17
Immunix IMNX-2003-7+-021-01 2003-09-17
Mandrake MDKSA-2003:092 2003-09-17
Debian DSA-384-1 2003-09-17
Red Hat RHSA-2003:283-01 2003-09-17
Slackware SSA:2003-260-02 2003-09-17
Gentoo 200309-13 2003-09-17

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:296-01 2003-11-24
SCO Group CSSA-2003-026.0 2003-10-03
Conectiva CLA-2003:736 2003-09-05
Trustix 2003-0030 2003-08-07
EnGarde ESA-20030806-020 2003-08-06
Red Hat RHSA-2003:221-01 2003-07-25

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

tomcat4: denial of service vulnerability

Package(s):tomcat CVE #(s):
Created:October 15, 2003 Updated:October 15, 2003
Description: Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat's HTTP connector makes Tomcat reject further requests on this port until it is restarted.
Alerts:
Debian DSA-395-1 2003-10-15

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
SCO Group CSSA-2003-031.0 2003-11-07
Debian DSA-344-2 2003-08-26
Slackware SSA:2003-237-01 2003-08-25
Mandrake MDKSA-2003:073-1 2003-08-19
Conectiva CLA-2003:724 2003-08-18
Red Hat RHSA-2003:199-02 2003-08-15
Yellow Dog YDU-20030710-1 2003-07-10
Gentoo 200307-02 2003-07-11
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Debian DSA-344-1 2003-07-08
Mandrake MDKSA-2003:073 2003-07-07
Conectiva CLA-2003:672 2003-07-02
Immunix IMNX-2003-7+-017-01 2003-07-02
Red Hat RHSA-2003:199-01 2003-07-01

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
SCO Group CSSA-2003-035.0 2003-11-17
Debian DSA-319-1 2003-06-12

Comments (none posted)

wget: buffer overflow

Package(s):wget CVE #(s):CAN-2003-1565
Created:August 5, 2003 Updated:December 10, 2003
Description: The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution.
Alerts:
Red Hat RHSA-2003:372-01 2003-12-10
SCO Group CSSA-2003-025.0 2003-10-03
Conectiva CLA-2003:716 2003-08-04

Comments (1 posted)

XFree86 4.3.0 integer overflows in font libraries

Package(s):XFree86 CVE #(s):CAN-2003-0730
Created:September 12, 2003 Updated:November 25, 2003
Description: Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:
Red Hat RHSA-2003:286-01 2003-11-25
Red Hat RHSA-2003:287-01 2003-11-25
Red Hat RHSA-2003:288-01 2003-11-17
Debian DSA-380-1 2003-09-12
Mandrake MDKSA-2003:089 2003-09-11

Comments (none posted)

xinetd: Memory leak in xinetd 2.3.10

Package(s):xinetd CVE #(s):CAN-2003-0211
Created:May 13, 2003 Updated:November 13, 2003
Description: Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers.

Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable.

In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations.

All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues.

Alerts:
Conectiva CLA-2003:782 2003-11-12
Yellow Dog YDU-20030602-1 2003-06-02
Gentoo 200305-08 2003-05-19
Mandrake MDKSA-2003:056 2003-05-14
Red Hat RHSA-2003:160-01 2003-05-13

Comments (none posted)

Resources

Linux Security Week

The October 20 issue of Linux Security Week from LinuxSecurity.com is available.

Full Story (comments: none)

Events

DallasCon Wireless Security Conference 2004

The third annual DallasCon Wireless Security Conference is happening in Dallas, Texas on May 1 and 2, 2004. Papers are being accepted now; see the announcement for details.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current development kernel is 2.6.0-test8, which was released by Linus on October 17. This patch includes a working NFS direct I/O implementation, a workaround for the Athlon prefetch bug, various architecture updates, working signal handling for kernel threads, an ALSA update, some software suspend work, and numerous other fixes. The long-format changelog has the details.

Linus's BitKeeper repository is full of stability fixes, as is appropriate for his current goal of getting 2.6.0 in shape. It also includes an SGI Altix serial console driver and Jeff Garzik's libata driver (covered here last August).

The current stable kernel is 2.4.22; Marcelo has not released any 2.4.23 prepatches since 2.4.23-pre7 on October 9.

Comments (none posted)

Kernel development news

The unfinished SCSI job

The repository for SCSI patches has just been forked into two separate trees. One of them is a bugfix-only repository, with its contents meant to get past Linus's "stability fixes only" filter and into the 2.6.0-test kernel. The other is for everything else, which will be held for 2.7, or, at least, a post-2.6.0 release.

This change brought out the question: what about expanding the number of SCSI disks (and partitions) that can be supported by the kernel? That was, after all, one of the reasons for expanding the dev_t type in the first place. The larger device numbers are now in place, but there are no patches in the mainline to make more SCSI disks available.

There are, as it turns out, a few remaining issues that must be addressed before the SCSI expansion can be completed. One of those is naming. Currently, the first 26 SCSI drives are called sda through sdz. Then a second letter is added, making sdaa through sdzz available. The default plan seems to be to go to sdaaa thereafter, and sdaaaa if need be.

Is the number of partitions per drive to be expanded? The current limit of fifteen is apparently constraining to some. As a result, there has been persistent talk of raising the limit to 63. That change, however, would create interesting numbering challenges. The current numbering scheme divides the (eight-bit) minor number in half; the upper nibble is the drive number, and the lower nibble is the partition number. To support more partitions, the portion of the (now 20-bit) minor number dedicated to the partition number would have to be expanded. A naive implementation would simply remap the minor number so that bits 0..5 describe the partition, and bits 6..19 the drive number.

The only problem with that approach is that it would break all existing SCSI device nodes. The kernel hackers have a sense that they might get a complaint or two if they did that, so they are fairly strongly committed to ensuring that old device numbers continue to work. As a result, there have been proposals for more complicated schemes, with the two new partition bits being placed, for example, up at the high end of the minor number. This approach would put an end to the manual creation of device nodes for large SCSI devices - who wants to figure out what number to give to mknod? - but there was not likely to be much of that going on anyway.

A better long-term approach might be to go to one or more completely new major numbers for SCSI drives. The block layer could then assign numbers dynamically as the drives are discovered, with a tool like udev creating device nodes on demand. For sites that need old numbers to work, a small compatibility module could map between the old and new numbers at device open time. That is all certainly 2.7 material, however. For 2.6.0, the most likely scenario might be the merging of a simple patch (like Badari Pulavarty's patch found in the -mm tree) which expands the number of disks supported in a relatively unintrusive way. The complete solution can come later.

Comments (2 posted)

The cpuset mechanism

A set of patches has been making the rounds for the last month or so which implements a concept known as a "cpuset." A cpuset is simply an arbitrary collection of processors in an SMP system; cpusets can be used to partition a large system into smaller virtual machines in a flexible sort of way. This patch was originally posted by Simon Derr; more recent versions (found in the "patches" section, below) have been sent out by Stephen Hemminger at OSDL.

Internally, the patch creates a hierarchy of cpusets. At boot time, the root set is created containing all of the system's processors. System calls can then be used to create child sets. The creation of a cpuset is not a privileged task, but no process can expand beyond the set of processors initially assigned to it. Thus, for example, the system administrator can create a cpuset for a particular group of processes which will be confined to the designated processors. Those processes can, however, further partition the set for their own purposes.

In normal use, one would expect cpusets to correspond to the underlying hardware; all processors in a set would normally be part of the same NUMA node, for example. There is nothing in the patch that requires users to do things that way, however; cpusets can be any arbitrary subset of the available processors. Processors can also belong to multiple cpusets, so cpusets can overlap each other in arbitrary ways. There is, however, a "strict" flag which can be set to disallow the sharing of processors in this way.

There are a few new system calls created by this patch:

cpuset_create()
Creates a new cpuset as a child of the process's current cpuset, containing the same processors as the parent.

cpuset_destroy()
Destroys the given cpuset.

cpuset_attach()
Attaches a process to a particular cpuset.

cpuset_alloc()
Changes the set of processors belonging to a cpuset. The name of this call is a little misleading, since it can release processors from a cpuset. In fact, removing CPUs will be the normal usage, since a cpuset cannot contain processors which are not also contained in its parent.

cpuset_getfreecpus()
Returns a list of processors which are not part of the current cpuset, but which could be added.

Processes running within a cpuset have no view of the processors which are not contained within that set. Processors in a cpuset are renumbered to appear to be the only processors on the system; thus, for example, system calls like sched_setaffinity() will only bind processes within their particular cpuset.

This patch has generated a certain amount of interest in the large-systems community. It clearly does not fall within the 2.6.0-test "stability patches only" mandate, but there may be pressure to get it into the kernel not much after 2.6.0 is released.

Comments (1 posted)

Driver porting

kobjects and sysfs

This article is part of the LWN Porting Drivers to 2.5 series.
In The Zen of Kobjects, this series looked at the kobject abstraction and the various interfaces that go with it. That article, however, glossed over one important part of the kobject structure (with a promise to fill it in later): its interface to the sysfs virtual filesystem. The time has come to fulfill our promise, however, and look at how sysfs works at the lower levels.

To use the functions described below, you will need to include both <linux/kobject.h> and <linux/sysfs.h> in your source files.

How kobjects get sysfs entries

As we saw in the previous article, there are two functions which are used to set up a kobject. If you use kobject_init() by itself, you will get a standalone kobject with no representation in sysfs. If, instead, you use kobject_register() (or call kobject_add() separately), a sysfs directory will be created for the kobject; no other effort is required on the programmer's part.

The name of the directory will be the same as the name given to the kobject itself. The location within sysfs will reflect the kobject's position in the hierarchy you have created. In short: the kobject's directory will be found in its parent's directory, as determined by the kobject's parent field. If you have not explicitly set the parent field, but you have set its kset pointer, then the kset will become the kobject's parent. If there is no parent and no kset, the kobject's directory will become a top-level directory within sysfs, which is rarely what you really want.

Populating a kobject's directory

Getting a sysfs directory corresponding to a kobject is easy, as we have seen. That directory will be empty, however, which is not particularly useful. Most applications will want the kobject's sysfs entry to contain one or more attributes with useful information. Creating those attributes requires some additional steps, but is not all that hard.

The key to sysfs attributes is the kobject's kobj_type pointer. When we looked at kobject types before, we passed over a couple of sysfs-related entries. One, called default_attrs, describes the attributes that all kobjects of this type should have; it is a pointer to an array of pointers to attribute structures:

    struct attribute {
        char            *name;
        struct module   *owner;
        mode_t          mode;
    };

In this structure, name is the name of the attribute (as it will appear within sysfs), owner is a pointer to the module (if any) which is responsible for the implementation of this attribute, and mode is the protection bits which are to be applied to this attribute. The mode is usually S_IRUGO for read-only attributes; if the attribute is writable, you can toss in S_IWUSR to give write access to root only. The last entry in the default_attrs list must be NULL.

The default_attrs array says what the attributes are, but does not tell sysfs how to actually implement those attributes. That task falls to the kobj_type->sysfs_ops field, which points to a structure defined as:

    struct sysfs_ops {
        ssize_t (*show)(struct kobject *kobj, struct attribute *attr,
                        char *buffer);
        ssize_t (*store)(struct kobject *kobj, struct attribute *attr,
                         const char *buffer, size_t size);
    };

These functions will be called for each read and write operation, respectively, on an attribute of a kobject of the given type. In each case, kobj is the kobject whose attribute is being accessed, attr is the struct attribute for the specific attribute, and buffer is a one-page buffer for attribute data.

The show() function should encode the attribute's full value into buffer, being sure not to overrun PAGE_SIZE. Remember that the sysfs convention requires that attributes contain single values or, at most, an array of similar values, so the one-page limit should never be a problem. The return value is, of course, the number of bytes of data actually put into buffer or a negative error code.

The store() function has a similar interface; the additional size parameter gives the length of the data received from user space. Never forget that buffer contains unchecked, user-supplied data; treat it carefully and be sure that it fits whatever format you require. The return value should normally be the same as size, unless something has gone wrong.

As you can see, sysfs requires the use of a single set of show() and store() functions for all attributes of kobjects of the same type. Those functions will, usually, maintain their own array of attribute information to enable them to find the real function charged with implementing each attribute.
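One way to do that dispatch, given here as an added example rather than code from this article or the kernel: a userspace model with stand-in definitions of the structures above, in which a wrapper structure carries each attribute's real handlers and store() validates the user-supplied buffer before using it. The names demo_dev, demo_attr, level and version, and the PAGE_SIZE value, are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE 4096 /* assumed page size for this userspace model */

/* Userspace stand-ins for the kernel structures shown in the article. */
struct kobject { const char *name; };
struct attribute { const char *name; void *owner; mode_t mode; };
struct sysfs_ops {
    ssize_t (*show)(struct kobject *kobj, struct attribute *attr, char *buffer);
    ssize_t (*store)(struct kobject *kobj, struct attribute *attr,
                     const char *buffer, size_t size);
};
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical object type: a device with one tunable, valid range 0..100. */
struct demo_dev {
    struct kobject kobj;
    int level;
};

/* Hypothetical wrapper: the generic attribute plus its real handlers. */
struct demo_attr {
    struct attribute attr;
    ssize_t (*show)(struct demo_dev *dev, char *buffer);
    ssize_t (*store)(struct demo_dev *dev, const char *buffer, size_t size);
};

static ssize_t level_show(struct demo_dev *dev, char *buffer)
{
    /* snprintf() bounds the write to the one-page buffer. */
    int n = snprintf(buffer, PAGE_SIZE, "%d\n", dev->level);
    return (n < 0 || n >= PAGE_SIZE) ? -EINVAL : n;
}

static ssize_t level_store(struct demo_dev *dev, const char *buffer, size_t size)
{
    char tmp[16];
    char *end;
    long value;

    /* buffer is user data: bound it, copy and terminate it, parse strictly. */
    if (size == 0 || size >= sizeof(tmp))
        return -EINVAL;
    memcpy(tmp, buffer, size);
    tmp[size] = '\0';
    errno = 0;
    value = strtol(tmp, &end, 10);
    if (end == tmp || errno == ERANGE)
        return -EINVAL;
    if (*end == '\n')
        end++;
    if ((size_t)(end - tmp) != size) /* trailing junk or embedded NUL */
        return -EINVAL;
    if (value < 0 || value > 100)
        return -ERANGE;
    dev->level = (int)value;
    return (ssize_t)size;
}

static ssize_t version_show(struct demo_dev *dev, char *buffer)
{
    (void)dev;
    return snprintf(buffer, PAGE_SIZE, "1.0\n");
}

struct demo_attr level_attr = { { "level", NULL, 0644 }, level_show, level_store };
struct demo_attr version_attr = { { "version", NULL, 0444 }, version_show, NULL };

/* The single show()/store() pair for the type: recover the wrapper, dispatch. */
static ssize_t demo_show(struct kobject *kobj, struct attribute *attr, char *buffer)
{
    struct demo_dev *dev = container_of(kobj, struct demo_dev, kobj);
    struct demo_attr *da = container_of(attr, struct demo_attr, attr);
    return da->show ? da->show(dev, buffer) : -EIO;
}

static ssize_t demo_store(struct kobject *kobj, struct attribute *attr,
                          const char *buffer, size_t size)
{
    struct demo_dev *dev = container_of(kobj, struct demo_dev, kobj);
    struct demo_attr *da = container_of(attr, struct demo_attr, attr);
    return da->store ? da->store(dev, buffer, size) : -EIO;
}

struct sysfs_ops demo_sysfs_ops = { demo_show, demo_store };

int main(void)
{
    struct demo_dev dev = { { "demo0" }, 10 };
    char page[PAGE_SIZE];
    const char *input = "42\n"; /* constructed sample write from user space */

    demo_sysfs_ops.store(&dev.kobj, &level_attr.attr, input, strlen(input));
    if (demo_sysfs_ops.show(&dev.kobj, &level_attr.attr, page) > 0)
        fputs(page, stdout);
    return 0;
}
```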

Non-default attributes

In many cases, the kobject type's default_attrs field describes all of the attributes that kobject will ever have. It does not need to be that way, however; attributes can be added and removed at will. If you wish to add a new attribute to a kobject's sysfs directory, simply fill in an attribute structure and pass it to:

    int sysfs_create_file(struct kobject *kobj, struct attribute *attr);

If all goes well, the file will be created with the name given in the attribute structure and the return value will be zero; otherwise, the usual negative error code is returned.

Note that the same show() and store() functions will be called to implement operations on the new attribute. Before you add a new, non-default attribute to a kobject, you should take whatever steps are necessary to ensure that those functions know how to implement that attribute.

To remove an attribute, call:

    int sysfs_remove_file(struct kobject *kobj, struct attribute *attr);

After the call, the attribute will no longer appear in the kobject's sysfs entry. Do be aware, however, that a user-space process could have an open file descriptor for that attribute, and that show() and store() calls are still possible after the attribute has been removed.

Symbolic links

The sysfs filesystem has the usual tree structure, reflecting the hierarchical organization of the kobjects it represents. The relationships between objects in the kernel are often more complicated than that, however. For example, one sysfs subtree (/sys/devices) represents all of the devices known to the system, while others represent the device drivers. These trees do not, however, represent the relationships between the drivers and the devices they implement. Showing these additional relationships requires extra pointers which, in sysfs, are implemented with symbolic links.

Creating a symbolic link within sysfs is easy:

    int sysfs_create_link(struct kobject *kobj,
                          struct kobject *target,
                          char *name);

This function will create a link (called name) pointing to target's sysfs entry as an attribute of kobj. It will be a relative link, so it works regardless of where sysfs is mounted on any particular system.

The link will persist even if target is removed from the system. If you are creating symbolic links to other kobjects, you should probably have a way of knowing about changes to those kobjects, or some sort of assurance that the target kobjects will not disappear. The consequences (dead symbolic links within sysfs) are not particularly grave, but they would not do much to create confidence in the proper functioning of the system either.

Symbolic links can be removed with:

    void sysfs_remove_link(struct kobject *kobj, char *name);

Binary attributes

The sysfs conventions call for all attributes to contain a single value in a human-readable text format. That said, there is an occasional, rare need for the creation of attributes which can handle larger chunks of binary data. In the 2.6.0-test kernel, the only use of binary attributes is in the firmware subsystem. When a device requiring firmware is encountered in the system, a user-space program can be started (via the hotplug mechanism); that program then passes the firmware code to the kernel via a binary sysfs attribute. If you are contemplating any other use of binary attributes, you should think carefully and be sure there is no other way to accomplish your objective.

Binary attributes are described with a bin_attribute structure:

    struct bin_attribute {
	struct attribute attr;
	size_t size;
	ssize_t (*read)(struct kobject *kobj, char *buffer, 
			loff_t pos, size_t size);
	ssize_t (*write)(struct kobject *kobj, char *buffer, 
			loff_t pos, size_t size);
    };

Here, attr is an attribute structure giving the name, owner, and permissions for the binary attribute, and size is the maximum size of the binary attribute (or zero if there is no maximum). The read() and write() functions work similarly to the normal char driver equivalents; they can be called multiple times for a single load with a maximum of one page worth of data in each call. There is no way for sysfs to signal the last of a set of write operations, so code implementing a binary attribute must be able to determine that some other way.

Binary attributes must be created explicitly; they cannot be set up as default attributes. To create a binary attribute, call:

    int sysfs_create_bin_file(struct kobject *kobj, 
			      struct bin_attribute *attr);

Binary attributes can be removed with:

    int sysfs_remove_bin_file(struct kobject *kobj, 
			      struct bin_attribute *attr);
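
The read() and write() rules described above (page-sized calls, a caller-supplied offset, no end-of-write signal) mean the write handler is where data from user space has to be bounded. The following is an added example, not code from this article or from the kernel: a user-space C model of such a handler. The stub struct kobject, struct fw_dev, model_loff_t, MODEL_PAGE_SIZE and the 4-byte length header are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>                     /* ssize_t */

#define MODEL_PAGE_SIZE 4096u              /* assumption: at most one page per call */
#define FW_MAX_SIZE (3 * MODEL_PAGE_SIZE)  /* the limit bin_attribute.size would state */
#define FW_HDR_LEN 4u                      /* constructed format: LE32 payload length */
typedef long long model_loff_t;            /* stand-in for the kernel's loff_t */
struct kobject { const char *name; };      /* stub, not the kernel's definition */

struct fw_dev {                            /* hypothetical object embedding a kobject */
    struct kobject kobj;
    unsigned char image[FW_MAX_SIZE];
    size_t received;                       /* bytes accepted so far, always contiguous */
    size_t expected;                       /* header + payload; 0 until header is seen */
    int complete;
};
#define to_fw_dev(k) ((struct fw_dev *)((char *)(k) - offsetof(struct fw_dev, kobj)))

static ssize_t fw_reject(struct fw_dev *dev, int err)
{
    dev->received = dev->expected = 0;     /* drop the partial image, never use it */
    return -err;
}

/* Same shape as bin_attribute.write(): one call per chunk of at most a page. */
static ssize_t fw_write(struct kobject *kobj, char *buffer,
                        model_loff_t pos, size_t size)
{
    struct fw_dev *dev = to_fw_dev(kobj);
    if (dev->complete)
        return -EBUSY;                     /* image finished: refuse late writers */
    if (size == 0 || size > MODEL_PAGE_SIZE)
        return -EINVAL;
    if (pos < 0 || (unsigned long long)pos != dev->received)
        return -EINVAL;                    /* sequential only: no holes or rewrites */
    if (size > FW_MAX_SIZE - dev->received)
        return fw_reject(dev, EFBIG);      /* overflow-safe "pos + size > max" */
    memcpy(dev->image + dev->received, buffer, size);
    dev->received += size;
    if (!dev->expected && dev->received >= FW_HDR_LEN) {
        uint32_t n = 0;
        for (unsigned i = FW_HDR_LEN; i-- > 0; )
            n = (n << 8) | dev->image[i];
        if (n == 0 || n > FW_MAX_SIZE - FW_HDR_LEN)
            return fw_reject(dev, EINVAL); /* header announces an impossible size */
        dev->expected = FW_HDR_LEN + n;
    }
    if (dev->expected && dev->received > dev->expected)
        return fw_reject(dev, EINVAL);     /* more data than the header announced */
    if (dev->expected && dev->received == dev->expected)
        dev->complete = 1;                 /* end of load found without help from sysfs */
    return (ssize_t)size;
}

/* Model of the sysfs side: one user-space write arrives as page-sized calls. */
static ssize_t feed(struct fw_dev *dev, unsigned char *data, size_t len)
{
    size_t off = 0;
    while (off < len) {
        size_t n = len - off > MODEL_PAGE_SIZE ? MODEL_PAGE_SIZE : len - off;
        ssize_t r = fw_write(&dev->kobj, (char *)data + off, (model_loff_t)off, n);
        if (r < 0)
            return r;
        off += (size_t)r;
    }
    return (ssize_t)off;
}

static struct fw_dev dev;
static unsigned char img[FW_HDR_LEN + 4 * MODEL_PAGE_SIZE];   /* constructed input */

/* Returns 1 = image complete, 0 = accepted but incomplete, <0 = rejected. */
static int load_result(uint32_t announced, size_t sent)
{
    if (sent > sizeof(img) - FW_HDR_LEN)
        return -E2BIG;
    memset(&dev, 0, sizeof(dev));
    memset(img, 0xA5, sizeof(img));
    for (unsigned i = 0; i < FW_HDR_LEN; i++)
        img[i] = (unsigned char)(announced >> (8 * i));
    ssize_t r = feed(&dev, img, FW_HDR_LEN + sent);
    return r < 0 ? (int)r : dev.complete;
}

/* One direct call on a fresh device, to probe the offset and size checks. */
static int write_at(model_loff_t pos, size_t size)
{
    static char buf[MODEL_PAGE_SIZE + 1] = { 64 };  /* header: 64-byte payload */
    memset(&dev, 0, sizeof(dev));
    return (int)fw_write(&dev.kobj, buf, pos, size);
}

int main(void)
{
    return !(load_result(6000, 6000) == 1 && write_at(100, 16) == -EINVAL);
}
```

In a real handler the same checks would sit behind whatever locking the subsystem uses, since nothing in the model serializes concurrent writers.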

Last notes

This article has described the low-level interface between kobjects and sysfs. Unless you are implementing a new subsystem, however, you are unlikely to work with this interface directly. Each subsystem typically implements its own set of default attributes, and, perhaps, a mechanism for interested code to add new ones. This mechanism is generally a straightforward wrapper around the low-level attribute code, however, so it should look familiar to readers of this page.

Page editor: Jonathan Corbet

Distributions

News and Editorials

No More Free Beer?

October 22, 2003

This article was contributed by Ladislav Bodnar

It is no secret that many commercial Linux companies are struggling to survive in a market often dominated by the perception that Linux is free. Much of the blame can of course be attributed to the unfortunate use of "free" in English, which, unlike most other languages, makes no distinction between the two common meanings of the word - free as in speech and free as in beer. Fighting off this perception is not easy and many Linux distributions are trying hard to find new ways to throttle the free beer tap or to restrict access to it.

MandrakeSoft released its latest Mandrake Linux, version 9.2, last week. It was the first time in the company's 5-year history that the final product was withheld until the box sets were ready for shipment. Only those who had joined MandrakeClub were given privileged access to the three ISO images - via the BitTorrent file sharing technology. Not every member was happy about it - those on a dial-up connection or some of those behind firewalls found themselves excluded from the party. But while public FTP servers will only carry the ISO images at the end of this month, MandrakeSoft has made the entire 9.2 directory tree available for those wishing to upgrade an existing installation directly from FTP servers.

Like Mandrake, Lycoris also restricted the public availability of their recently released Desktop/LX Update 3. According to notes on the distribution's mirrors, the ISO images will only be uploaded in November, more than 2 months after the official release. However, the online system upgrade has not been restricted, so anybody who previously installed an older beta release can perform a simple but unsupported upgrade to the latest stable version.

SuSE has always tried hard to convince users about the value of their boxed sets. Firstly, the product's best-known utility (YaST) comes with a somewhat hard-to-interpret, non-GPL license, which prevents users from distributing the ISO images. Secondly, SuSE does not provide ISO images as a matter of company policy, with the exception of some products made for less widely used architectures. Even beta testing is closed to the public. However, SuSE does supply a means to install the distribution directly from FTP servers, usually about 1 - 2 months after the official release.

Many other commercial distributions have much more restrictive policies. The latest releases from Libranet, Lindows.com and Xandros are only available from their respective online stores. Of the three, only Libranet provides any form of free download - that of an outdated and stripped-down edition. It is interesting to note that cheap illegal copies of LindowsOS and Xandros have reportedly been spotted on the streets of Thailand and other Asian countries, right next to pirated Microsoft products.

Although Linux distributions seem increasingly inclined to restrict, or at least delay, the free availability of their products, all is not bad news. Slackware still provides complete and unrestricted access to their product immediately after release; in fact, of the major and well-established commercial distributions, Slackware is the only one with such a policy. This is largely due to the fact that Slackware is a small (2-person) company with minimal development costs and a relatively large and loyal user base.

Then there is Red Hat. Always innovative and always different from the rest, Red Hat has decided to buck the trend and turn their distribution over to the Fedora community for further development. The Fedora Project has yet to establish itself and there are some rough bumps on the transition road (Fedora 0.95 ISOs were released without the usually meticulous release notes!), but freeing the distribution from its commercial shackles will almost certainly result in a better and more user-oriented product.

Of course, Linux is about choice and those unable to accept any form of commercialization or restrictions on availability from a Linux distribution can always turn to non-commercial Debian, Gentoo or any of the dozens of smaller projects for all their needs. If in doubt, talk to the wise or the penniless to find out which of the pubs still serve free beer...

Distribution News

Debian GNU/Linux

The Debian Weekly News for October 21, 2003 covers the deployment of 100 new Debian GNU/Linux systems at the audit court of the German province Mecklenburg-Vorpommern, the Dutch robot soccer team Mission Impossible Twente's use of Debian woody, Debian and the LPI, Debian in the News, a Package Policy Checker, and much more.

Martin Michlmayr reflects on his last six months as Debian Project Leader with news about Debian internal management, Debian finance and legal matters, Publicity & events and Partner relations.

Debian developers have until October 29, 2003 to vote on a General Resolution to amend the Debian Constitution to disambiguate section 4.1.5. Here's an early status report with additional information.

Martin Michlmayr talks about Debian and the Linux Professional Institute (LPI), which has certification tests available using Debian tools such as dpkg.

DebianPlanet reports that registration is open for Debian MiniConf3, taking place in Adelaide, South Australia on January 12 - 13, 2004 (right before the 2004 linux.conf.au).

Gentoo Weekly Newsletter -- Volume 2, Issue 42

The Gentoo Weekly Newsletter for the week of October 20, 2003 is out. This issue has an update on GLEPs (Gentoo Linux Enhancement Proposal), a look at featured developer Peter Johanson, and more.

Mandrake Linux

A few LWN readers have mentioned that the Mandrake 9.2 ISO images do not include a kernel source package. We asked Gaël Duval for an explanation. He said they simply ran out of room on the binary CDs, so they pushed the kernel source to the CDs with all of the other source code.

There are new nss_ldap packages available for Mandrake Corporate Server 2.1. LDAP authentication did not work properly on the x86_64 platform due to the wrong location of the nss_ldap and pam_ldap libraries. This update corrects the problem.

Red Hat Linux / Fedora

Here is Red Hat's press release on the availability of Red Hat Enterprise Linux 3. This release includes the Native POSIX Threading Library, greater scalability, and a wider range of supported architectures.

There are updated sane packages available for Red Hat Linux 9 that prevent possible hardware damage to Epson 1260 scanners.

A freeze schedule for Fedora Core 1 has been posted, showing October 28, 2003 as the date the entire tree will be frozen. Get your bug reports and changes in now.

Minor distribution updates

Damn Small Linux

Damn Small Linux has released v0.4.10 with minor feature enhancements. "Changes: This version includes new Xvesa and Xfbdev Xservers from CVS, in which the mouse scroll is better, and there is no need to re-map the mouse buttons any more. A fun addition for this release is TuxNES, and an assortment of public domain games. The Firebird install script is updated to 0.7, and there is a new Fluxbox theme, "Lawn". Also new is Nano-tiny. It is now possible to dynamically load usb-storage only when mounting USB drives."

Local Area Security Linux

L.A.S. Linux has released version 0.4 MAIN. "Changes in this latest version of L.A.S. include the addition of the 'toram' boot option allowing the user to boot the whole CD image into RAM. Allowing for the removal of the CD to free up the CDROM for burning etc." Many new packages were added as well.

Recovery Is Possible! (RIP)

Recovery Is Possible! (RIP) has released v6.5 with minor feature enhancements. "Changes: NFS server support was added, and some of the software was updated. A few bugs were fixed."

rpm-livelinuxcd

rpm-livelinuxcd has released 1.0 RC 2. "Changes: This is a Red Hat 9.0-based live CD with X11/KDE, samba, Mozilla Firebird, and several other tools. It supports including home directories from a Samba server, as well as a basic 'profile' mechanism. It is a prototype for a networked workstation that gets additional resources such as office (OpenOffice.org) or groupware (OpenGroupware.org) from a server. The bzip2 package is about 193 Mb in size."

Snootix

Snootix has released v0.4 beta with minor feature enhancements. "Changes: This version now has a framework of shell scripts in place to install BLFS and Snootix packages. Users are now able to install KDevelop."

Page editor: Rebecca Sobol

Development

The Freedesktop.org Project

October 20, 2003

This article was contributed by Biju Chacko

Freedesktop.org has been quietly working since March 2001 to improve interoperability between X desktops. Unlike ostensibly similar groups like the Free Standards Group, freedesktop is not a standards organization. Freedesktop's mission is achieved by getting developers to informally hash out ways to interoperate rather than legislating formal standards documents. Its specifications are hammered out quickly on mailing lists or IRC, instantly tested in real-world code and patched accordingly. This speedy, informal approach allows developers to build interoperability specs without having to disrupt projects with interim hacks while a standard is finalized. The expectation at freedesktop.org is that the de facto standards created this way will eventually get "blessed" by an organization with a mandate to legislate standards.

The benefits of interoperability are often ignored. Nowadays, we take it for granted that we will be able to cut-and-paste or drag-and-drop between GNOME and KDE applications. This casual acceptance is a good thing. Applications should "just work" whether or not they are on their native desktop. Thanks to freedesktop, they mostly do. Contrast this with life under very early versions of GNOME and KDE.

Standards simplify the lives of developers trying to be desktop-neutral. The standardization of desktop entries and menus, for example, allows ISVs to easily install icons for their applications without having to worry about the end-user's desktop environment. The developers of a skinned media player can be assured that their app will look and behave the same under all compliant window managers if they use the hints defined in the Window Manager Spec.

Freedesktop.org has published several specifications that have wide acceptance across X desktops. For example, the Window Manager Spec, which defines window manager behavior, is supported by GNOME, KDE, XFce and many other window managers. The XEmbed spec, supported by Qt and GTK+, is a protocol for embedding one application's controls into another. The clipboard spec is a consensus on using the X clipboard.

Several draft specifications haven't been widely implemented. For example, the one that defines application menus has only been implemented by GNOME, but KDE and XFce have indicated support in future releases. The Shared MIME Database creates a common library of MIME types to be used by file handling tools. It's currently implemented only by ROX Filer and slated to be part of GTK+ 2.4.

Recently, freedesktop decided to expand the scope of its work to hosting desktop oriented projects, especially those that provide needed infrastructure to desktops. The DRI project recently moved its CVS repository to freedesktop.org, for example. Other projects hosted on freedesktop include Cairo - a vector graphics library, D-BUS - a message bus system, fontconfig and pkgconfig. A particularly interesting new project is HAL, which aims to create a standard abstraction layer through which desktops can configure and use hardware devices. It's an ambitious project, but one well worth the effort.

System Applications

Audio Projects

ALSA 0.9.8 released

Version 0.9.8 of the ALSA sound driver is available. Change information is in the source code.

LADCCA 0.3.2 available

Version 0.3.2 of LADCCA, a session management system for JACK and ALSA audio applications, is available. This release fixes a minor bug.

LADCCA 0.4.0 and ALSA Patch Bay 1.0.0

Bob Ham has sent out a multiple announcement for version 0.4.0 of LADCCA and version 1.0.0 of ALSA Patch Bay. "LADCCA's now reached a state where I reckon it's worth releasing again. It's pretty stable for me, and it now seems to do what it should without any hiccups. I'm releasing alsa patch bay and jack rack along with it as the only changes are support for the new ladcca version."

Database Software

knoda 0.6.1 released

Version 0.6.1 of knoda, a KDE-based database front end, has been released. "Main feature of this version is the scripting support in forms and reports. Hk_classes is also available as a Python module."

phpMyAdmin 2.5.4 is released! (SourceForge)

Version 2.5.4 of phpMyAdmin has been announced. "The development team is proud to announce the availability of this version, with over 12 improvements and 20 bug fixes. phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the http://www."

PostgreSQL Weekly News

The PostgreSQL Weekly News for October 15, 2003 is out, with a look at some of the issues that have been found in beta4.

Upgrading a MySQL Application (O'ReillyNet)

Russell Dyer covers database design issues relating to upgrades on O'Reilly. "Most developers design MySQL databases for their own use or for the use of their employers. Occasionally, though, a developer will design a database for use by others, for sale as an application. Since an application developer usually isn't present when his application is installed and used, he must consider many factors when designing the database."

Mail Software

Hotwayd 0.7 released (SourceForge)

Version 0.7 of Hotwayd, a POP-3 to HTTPMail gateway daemon, is out. "This release introduces fully functional proxy support. This means that should your ISP require that you use a proxy server you can now tell hotwayd about it and it will route all the HTTP requests via the specified proxy server. It is now possible to download folders other than your inbox by specifying it as part of your user name."

milter-sender version 0.41 released

Version 0.41 of milter/sender, an email spam filtering system, is available. "It has some significant modifications namely -m is removed, auto-whitelist added, and successful sender cache expire policy changed."

POPFile v0.20.0 release (SourceForge)

POPFile v0.20.0 has been announced on SourceForge. "POPFile is an email classification tool with a Naive Bayes classifier, a POP3 proxy and a web interface. It runs on most platforms and with most email clients. v0.20.0 is a major update to POPFile with the focus being on performance."

Printing

New GhostScript Software

The GhostScript site lists new versions of GSview, a PostScript previewer, and Epstool, which adds and removes previews from Encapsulated PostScript files.

Common UNIX Printing System 1.1.20rc4

Version 1.1.20rc4 of CUPS, the Common UNIX Printing System, has been announced. "In accordance with the CUPS Configuration Management Plan, you now have until Thursday, October 30th to test this release candidate to determine if there are any high-priority problems and report them using the Software Trouble Report form".

Web Site Development

The Atom API

Mark Pilgrim looks at the Atom API on O'Reilly. "Atom is an up-and-coming format for editing, syndicating, and archiving weblogs and other episodic web sites. The final details are still being hashed out, but that's never stopped me before, having written several articles about XHTML 2. To understand the problems that Atom is designed to solve, we should look briefly at what came before it."

mod_security 1.7 released

Version 1.7 of mod_security is available. "Mod_security is an Apache module whose purpose is to protect vulnerable applications and reject human or automated attacks. It is an open source intrusion detection and prevention system for Apache."

Create Web applets with Mozilla and XML (IBM developerWorks)

Nigel McFarlane covers XML web applications on IBM's developerWorks. "To go beyond simple HTML, historically the only options have been to use Java technology or plug-ins. Now, you have a new way -- write and display applications natively in XML. The Mozilla platform provides such a mechanism. In this article, Nigel McFarlane introduces XUL (the XML User-interface Language). XUL is set of GUI widgets with extensive cross-platform support that are designed for building GUI elements for applications that have traditional, non-HTML GUIs."

Documentation

Albert 0.4.7 released

Version 0.4.7 of Albert, a Common Lisp DocBook documentation generator, is available. "This version provides control of symbol presentation based on package export, support for including license boilerplate, more user-configurable settings, support for MK-DEFSYSTEM and CLISP, and several more fixes."

Desktop Applications

Audio Applications

Announcing Gnomoradio (GnomeDesktop)

GnomeDesktop.org has an announcement for the initial release of Gnomoradio. "Gnomoradio is rapidly becoming a fully-featured music playing system for Gnome. In addition to playing mp3s, it can read Creative Commons licenses in RDF format, and download and share music that is freely available."

Helix Player 1.0 Milestone 1 release

The first Helix Player 1.0 milestone release is now available. "The Helix Player is designed for Linux and Solaris desktops, built using GTK+, and includes a Mozilla browser plug-in. It supports local file playback and streaming over RTSP/RTP, RTSP/RDT, and HTTP. It supports video zoom in original, double size and full screen, and has support for the following media types in open source: SMIL 2.0, MP3, Ogg Vorbis, H.263 video, JPEG, GIF, PNG, and RealPix. Additionally, RealVideo (RV9, RV8, RV7, RVG2), and RealAudio (RA8, G2 audio) are available in binary form." This is still a testing release; the project hopes to get a stable version out early next year.

Desktop Environments

KDE-CVS-Digest

The KDE.News summary and comments for the October 17, 2003 KDE-CVS-Digest says: "Disconnected IMAP fixed in KMail. KHTML now supports jng image format. KDevelop has a Subversion plugin. KDE has global settings for mouse gestures. Kopete has new "Away" and plugin configuration dialogs. KControl has a new style configuration dialog. Plus many bugfixes in KMail and KHTML."

New Module Proposal Time (GnomeDesktop)

Developers who wish to include new modules into GNOME 2.6 should read this announcement on GnomeDesktop.org.

GSwitchIt XKB toolkit 2.5.0 is released (GnomeDesktop)

GnomeDesktop.org has an announcement for a new release of GSwitchIt. "In the preparation of merging into GNOME 2.6, the very first release in 2.5 series of GSwitchIt is out. International GNOME users get real hope for proper xkb support straight out of the GNOME box".

Electronics

gEDA News

The latest news from the gEDA project includes the release of new versions of the Covered Verilog code coverage analysis tool, the Gerber viewer, and the Icarus Verilog compiler.

Games

Gnocatan 0.8.0 Released (GnomeDesktop)

Version 0.8 of Gnocatan, a clone of the game Settlers of Catan, is available. "The program was ported to GTK2/GNOME2, among many other changes found in version 0.8.0."

Graphics

New Dia release (GnomeDesktop)

GnomeDesktop.org has an announcement for version 0.92 of Dia, a graphical diagram, graphing, and chart tool. "Dia 0.92 has been released featuring numerous bug fixes and new features."

Multimedia

GStreamer 0.7.1 Released (GnomeDesktop)

Version 0.7.1 of GStreamer has been announced. "The new 0.7.x branch has a lot of improvements compared to the 0.6 branch, especially for video applications as it supports more formats both for decoding/demuxing and for muxing/encoding. It also features good error handling, better typefinding, a framework for interactivity to handle such things as DVD menu's and Flash and soon a new metadata system."

XMMS GTK2 Port (GnomeDesktop)

A preview release of the XMMS multimedia system has been announced for GTK2. "Here's a 'preview' release, since many things aren't done yet, but it compiles and works, and if you currently don't need more than OSS output and vorbis and MP3 playing, you're ready to go."

Music Applications

ALSA MIDI Metronome 0.4 available

Version 0.4 of ALSA MIDI Metronome has been released. Change information is in the source code.

RTSynth 1.9.2 released

Version 1.9.2 of RTSynth, a midi event triggered musical synthesizer, has been released. "This is mainly a clean-up and speed-up version."

Digital Photography

libgphoto2/gphoto2 2.1.3 released (SourceForge)

Version 2.1.3 of libgphoto2 and gphoto2 has been announced. "libgphoto2/gphoto2 2.1.3 are out, featuring support for lots of new cameras and bug fixes. gPhoto is a program and library framework that lets users download pictures from their digital cameras."

Web Browsers

Mozilla 1.4.1 Released (MozillaZine)

According to MozillaZine, version 1.4.1 of Mozilla is available. "Mozilla 1.4.1 contains around 100 additional bug fixes but no new features." Despite that statement, a new spell checker has been included in this release.

Word Processors

AbiWord Weekly News

Issue #166 of the AbiWord Weekly News was published on October 19, 2003. Here's the summary: "More on the new features, no bloat AbiWord and dependency hell, Johnny Lee's final speed-up patch, Win32 in a week or two and some CVS bragging. Plusse, editor negotiates AWN readability."

Miscellaneous

Disc-O-Matic 0.3 Released (GnomeDesktop)

Version 0.3 of Disc-O-Matic, a GTK+ DVD/CD-ROM archiving tool, has been announced. "In release 0.3 glade has been removed in favor of pure gtk. It now also supports DVD's through dvdrecord, and basic error checking for burning has been implemented."

Languages and Tools

C

GCC 3.3.2 has been released

Version 3.3.2 of GCC, the GNU Compiler Collection, has been released. See the changes document for a long list of fixed bugs.

Caml

Caml Weekly News

The October 14-21, 2003 edition of the Caml Weekly News has been published; take a look to see what's been happening with Caml this week.

Java

JBoss 3.2.2 released (SourceForge)

Version 3.2.2 final of JBoss, a J2EE based application server, is available.

Magic with Merlin: Dynamic event listener proxies (IBM developerWorks)

John Zukowski explains Java's EventHandler class on IBM's developerWorks. "Many developers create anonymous inner classes for event handling. For simple event handling, inner classes can be a real hassle. Luckily, Java 1.4 introduces the EventHandler class, which relies on the dynamic generation of listeners to ease the task at hand. Though the new features are typically meant for the IDE vendor to use, in this article columnist John Zukowski shows you how you can use them for hand coding, too."

Configuration Blues (O'Reilly)

Craig Castelaz covers Java application configuration issues on O'Reilly. "Have you ever noticed how some applications seem to configure themselves? I don't mean that they auto-detect their settings; rather, the configuration process and tools are so well designed that they are a pleasure to use. Like most things in development, this level of functionality didn't appear by accident. 'Application configuration deserves careful design -- perhaps even more than application code.' (Halloway, 02) If we want to offer a similar experience to all our users, we need to stop treating configuration as an afterthought."

Lisp

CL-PDF 2.0 released

Version 2.0 of CL-PDF, a Common Lisp library for generating pdf documents, is out.

Perl

This Week on perl5-porters (use Perl)

The October 13-19, 2003 edition of This Week on perl5-porters has been published. "What happens in the post-5.8.1 world ? Read about the plans for the (nearest than you may think) 5.8.2, 5.8.1-specific problems, and other Perl language and implementation questions."

PHP

PHP 4.3.4RC2 released

Version 4.3.4 RC2 of PHP has been released. "This release candidate is hopefully the final release candidate prior to the 4.3.4 release and should be very stable. Please test this release as much as possible, so that any remaining issues can be uncovered and resolved prior to the final release."

PHP Weekly Summary for October 20, 2003

The PHP Weekly Summary for October 20, 2003 is out. Topics include: PHP 5 Beta 2 coming, BIND 9 problems, Documentation translations, Adding a regex operator?, WDDX 64-bit test, ZE2 Memory Cache.

The PHP Scalability Myth (O'ReillyNet)

Jack Herrington addresses PHP Scalability issues on O'Reilly. "PHP scales. There, I said it. The word on the street is that "Java scales and PHP doesn't." The word on the street is wrong, and PHP needs someone to stand up and tell the truth: that it does scale."

PHP Performance Profiling (Linux Journal)

Jonathan Oxer writes about PHP performance profiling on Linux Journal. "Due to the incredible growth of PHP in the last couple of years, it's now being used for tasks ranging from tiny scripts to large-scale Web applications. Some Web applications contain hundreds of thousands of lines of PHP code, and the fact that PHP can scale to these levels is a great testament to its design and the efficient Zend Engine that actually manages PHP code execution. Of course, bigger and more complex projects result in more load on your servers, and when you throw a database into the mix you have even more potential performance bottlenecks to track."

Python

This week's Python-URL

Dr. Dobb's Python-URL for October 22 is out; it looks at Python performance, portability, Powerpoint-like applications, and more.

PyUMLGraph initial release

The initial release of PyUMLGraph, a Python-based debugger, is available. "PyUMLGraph is a Python debugger that produces UML diagrams by inspecting running Python programs. The output is in Graphviz's dot language, and dot can produce pictures in many popular formats, such as PNG, PDF, SVG, and others. The UML diagrams can contain information about class inheritance relationships, references to other classes, class methods and return types, as well as class attributes and types."

Tcl/Tk

Dr. Dobb's Tcl-URL!

The October 20, 2003 edition of Dr. Dobb's Tcl-URL! has been published. Take a look for a summary of the week's Tcl/Tk development news.

XML

Three More For XML Output (O'Reilly)

Uche Ogbuji examines three more Python-based XML tools on O'Reilly. "This column has touched on some advanced XML processing topics, but I keep coming back to basics. The reason for this is that the two most common XML processing tasks for Python users are to extract particular data fields from XML files and to generate XML in order to feed another program."

XML security: Implement security layers, Part 1 (IBM developerWorks)

Manish Verma discusses XML security issues with part one of an IBM developerWorks series. "This article focuses on the basic plumbing technologies, defining security in an XML context, XML canonicalization, and PKI infrastructure, and providing a step-by-step guide to generating keys."

microdom: an XML DOM Designed For HTML (O'Reilly)

Itamar Shtull-Trauring introduces microdom on O'Reilly. "This article introduces microdom, a XML DOM implementation written in Python which was designed for dealing with HTML's legacy issues both when parsing and when generating documents."

Cross Assemblers

gputils-0.11.7 Released

Version 0.11.7 of gputils, a cross-assembler and tool set for Microchip's PIC processors, has been released. The Changes statement says: "Fixed 18xx gplink bugs and added support for 18xx config and idlocs sections in gpasm."

Editors

Leo 4.0 final released

Version 4.0 of Leo, a programmer's outlining editor and flexible browser, has been released. This version brings a long list of changes including an improved derived file format, better error handling, new commands, and more.

Full Story (comments: none)

Profilers

Smashing performance with OProfile (IBM developerWorks)

Prasanna S. Panchamukhi explains OProfile on IBM's developerWorks. "Analyzing the performance of the Linux operating system and application code can be difficult due to unexpected interactions between the hardware and the software, but profiling is one way you can identify such performance problems. This article looks at OProfile, a profiling tool for Linux that will be included in the upcoming stable kernel."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Open Source Everywhere (Wired)

Wired examines the open source model as it spreads from software into other industries. "A decade ago, Michael Eisen slogged through swamps in Costa Rica studying the mating behavior of frogs. That's what biologists did, he figured - and if he had to fight off a few leeches along the way, so be it. Now he's all about coding, crafting blocks of genetic data and churning them through his computer. "It's a great time to be a biologist," says Eisen, a computational scientist at Lawrence Berkeley National Laboratory. "Origin of Species is the best thing ever written in biology. But you just wish Darwin knew about genomics." Yet if biology is in a renaissance, there are still relics of a medieval age." (Thanks to Andrew Willson)

Comments (6 posted)

Linux not accountable for security, Ballmer says (SearchWin2000)

SearchWin2000 reports from a talk by Steve Ballmer, CEO of Microsoft. "What sets Windows apart from Linux in terms of development, security and patching, Ballmer said, is that Microsoft has an infrastructure that takes responsibility for Windows. 'There's no roadmap for Linux. Nobody is held accountable for security problems with Linux.'" Hey Steve, who can we hold accountable for all that worm mail clogging our lines and mailboxes?

Comments (30 posted)

Business Technology: About Linux: An Open Letter to Microsoft (TechWeb)

CMP's Editor in Chief has posted an open letter to Microsoft. "First, customers will deploy both Windows and Linux. Second, they will ideally want all of their systems to be able to work together without requiring 5,000 man-years of workarounds. Third, your value to those customers will decline if you continue to give them reason to believe that you are intentionally refusing to take the steps necessary to help them run their businesses, including their heterogeneous systems, more effectively."

Comments (13 posted)

Trade Shows and Conferences

A Historic Moment in Boston (Linux Journal)

Linux Journal looks forward to the Desktop Linux Conference, coming to Boston next month. "The Desktop Linux Conference aims to drive home the message that for the first time in computing history, a legitimate desktop alternative is available that is better, faster and cheaper. As an extension of the newly formed Desktop Linux Consortium's mission of providing "wide scale understanding and adoption of the Linux operating system and its applications for use on the desktop", the program offers key champions of Linux: Bruce Perens, Nat Friedman, Jeremy White, Sam Greenblatt, Mark Hinkle, Mark Westerman, Havoc Pennington, Amy D. Wohl, Shuji Sado and many more."

Comments (11 posted)

KDE at Linux Expo UK 2003 Report (KDE.News)

KDE.News reports on the KDE activities at the Linux Expo UK 2003. "Almost everyone wanted to know if/when their distribution would be shipping KDE 3.2, how they could upgrade and whether we had the code available on CD. It's clear that many users do not know how to upgrade to the latest release and some are still running KDE 2. The difficulty of software upgrades and installation was one of the general GNU/Linux grumbles people kept mentioning. The others were drivers for some hardware (caused by manufacturers who do not work with the open source development process) and the integration issues which HAL aims to fix."

Comments (none posted)

University students in Mexico promote free software (NewsForge)

NewsForge covers the Congreso Software Libre y Nuevas Tecnologias, which was held last week in Villahermosa, Mexico. "Windows is nearly universal in Villahermosa. There is hardly any sign of Mac life. And there is little publically visible Linux action, although there are obviously enough people interested in free software -- particularly Linux -- to put on a free software conference. There is also a local Linux Users Group that gets between 20 and 30 people at most meetings and tutorial session and claims a total membership of about 400."

Comments (none posted)

The SCO Problem

SCO backs off Linux invoice plan (News.com)

According to this News.com story, the SCO Group has, once again, decided that the time is not right to start sending out invoices to Linux users. "'The executives have said we haven't had to do it yet,' SCO spokesman Blake Stowell said of the invoice plan. 'They're happy with progress in the licensing program.'" Procrastinators will be happy to know that the "half price introductory period" has been extended through the end of the month.

Comments (4 posted)

SCO Backs Down on Invoicing and SGI (Computer Business Review)

Computer Business Review reports on the latest climbdowns by SCO. Apparently SCO said there was never any threat of action against Linux users. "Meanwhile, SCO has also extended indefinitely Silicon Graphics Inc's deadline of October 14 to remedy alleged contractual violations also affecting its Unix IP. The deadline was extended following 'discussions'." How much fun it would have been to hear those "discussions"...

Comments (13 posted)

SCO license currently for biggest users only (IDG)

According to IDG, SCO has decided that it will only be selling "Linux licenses" to big companies for now. "SCO may be proceeding cautiously with licensing sales for fear of litigation from an entity like the Free Software Foundation which has intellectual property claims to Linux, said IDC analyst Dan Kusnetzky. 'As soon as they sell the first one, litigation will be started from all quarters,' he predicted. 'I think the people from The SCO Group realized that if they opened that box, they'd never be able to close it again.'"

Comments (4 posted)

Linux Adoption

China urged to join Asian Linux push (AustralianIT)

AustralianIT covers Asian efforts to promote Linux. "In China, programmers developed a homegrown Linux version called Red Flag Linux a few years ago. That software has been touted by Beijing as a secure alternative to Windows. But the latest multi-government attempt to promote Linux is unprecedented in its scope, although some remain sceptical about its prospects."

Comments (none posted)

Open Source: The Whole Product (O'Reilly)

Bernard Golden examines the processes behind the adoption of open-source technology. "In Geoffrey Moore's book on technology strategy, Crossing the Chasm, he describes a similar process in the life cycle of technology adoption: a first wave of adventurers and a later wave of settlers, whom he calls Early Adopters and Pragmatists. Each type has different product requirements that they demand when adopting a technology. The Early Adopter seeks advantage in new technologies. The Pragmatist seeks stability with established technologies. Moore's book is a classic technology strategy book but does it make sense in a world of open source?"

Comments (none posted)

Interviews

Interview: Jon 'maddog' Hall (NewsForge)

NewsForge talks with Jon 'maddog' Hall. "NewsForge: What about patent and other infringement threats a la SCO? Are you hearing about any potential corporate Linux users pulling back because of this problem?
maddog: I heard about one or two. But then other companies who are in the multi-operating system business, so have no real ax to grind with respect to Linux, tell me that more and more companies are now moving. I think that the SCO thing caught people off guard. But the more people think about it, the more that SCO fails to deliver "the smoking gun", the more that people apply business and legal logic to it, the less they fear it."

Comments (1 posted)

Resources

An Easy Way to Avoid Spam (Linux Journal)

The Linux Journal has found another spam filter. "Testmail, the filter discussed in this article, is a Perl filter of average size and moderate complexity. It checks e-mail messages available at the POP3 server, filters them according to defined rules and, depending on the selected method, sends messages to the local mailbox or removes them from the server."

Comments (none posted)

Writing Audio Applications With JACK - A tutorial/journal

James Shuttleworth has written a tutorial on developing audio applications for JACK, the JACK Audio Connection Kit. "The first thing I did when I decided to bite the bullet and have a crack at this was to look for a nice introductory tutorial - something that would cover the basics and give me an idea of how all of this fit together. I couldn't find exactly what I wanted, and saw lots of posts suggesting that the way to learn was to look at the source code or the example clients and other JACK apps. And I did. And then I realised that if I just documented my exploration, I'd end up with exactly the document that I was looking for. That's what you have here."

Comments (none posted)

Reviews

NeL: The Software Behind the Next Great MMORPG? (O'ReillyNet)

O'ReillyNet takes a look at NeL, an open source gaming engine for massive multi-player online role-playing games. "NeL (for Nevrax Library) is a toolkit for the creating 3D-graphic MMORPGs or similar online game-play environments that require both client and server code. It runs on the Linux and Windows OSes, using OpenGL as its 3D graphics renderer."

Comments (none posted)

MySQL Breaks Into the Data Center (COMPUTERWORLD)

COMPUTERWORLD examines the adoption of MySQL by database users. "NASA's Clark compared MySQL's performance against Oracle's for his application, and it averaged 28% faster during the battery of tests he hammered it with. He adds that unlike competing products, 'MySQL was not a machine resources hog.'"

Comments (none posted)

Miscellaneous

Researchers take debugging to the masses (News.com)

News.com covers researchers at the University of California and Stanford University who have released versions of several open-source software packages modified to send debugging information to a central site. "One key part of the project is ensuring the sampler software doesn't bog down the program; the project's goal was to slow performance only by as much as 5 percent, Liblit said. To avoid this degradation, the sampler software records information only occasionally, based on a randomization scheme. One thing that's recorded every time, though, is whether the program exited properly or crashed."

Comments (2 posted)

Remembering Multics (OSViews)

Here's one for the history buffs: OSViews looks at the Multics OS. "Multics is an acronym for "Multiplexed Information and Computing Service." It was a timesharing operating system which began its life as far back as 1965. Although the OS is relatively unknown today, many might be surprised that the OS has several direct influences on many operating systems commonly used today."

Comments (6 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

GNU-Darwin: Bounty hunters search for proprietary code

The GNU Darwin project, in cooperation with the Free Software Foundation, wants to wipe out any proprietary code in the Darwin code base. Click below for more information.

Full Story (comments: 18)

2003 GNOME Foundation election

The first announcement for the 2003 GNOME Foundation Board election has gone out. If you are not a member of the Foundation, and you would like to vote, you have until the end of October to sign up. Nominations for Board members must be received by November 7.

Comments (none posted)

Commercial announcements

MailStripper 1.1.1 released

Eridani has announced version 1.1.1 of MailStripper, an email spam filtering application.

Full Story (comments: none)

IBM and Reuters turn to Linux for support of Reuters Market Data System

The latest IBM press release announces support for Reuters Market Data System (RMDS) on IBM eServer xSeries and BladeCenter hardware running Linux.

Full Story (comments: 1)

Lindows.com launches developer program

Lindows has announced a new program intended to inspire developers to create applications for the LindowsOS distribution. To that end, the company has created a new "LindowsDeveloper edition" and a free publication service. There is also a mechanism for getting applications integrated into the "Click-N-Run Warehouse."

Comments (none posted)

SCO gets $50 million

The SCO Group has announced the receipt of $50 million in financing from BayStar Capital. "The increase in cash will significantly enhance the overall financial strength of SCO while providing substantial additional funding for business objectives including future UNIX and SCOx Web Services software development, new strategic partnerships, and protection of the Company's UNIX intellectual property and related programs." Those of you who have been missing the always-amusing SCO teleconferences will be glad to know that one is happening today (Friday) at 12:00 US/Eastern time.

Comments (6 posted)

Notes from the SCO conference call

The SCO conference call followed the usual lines; everything is going great for SCO. Some of the more interesting points: the $50 million from BayStar will be expensive; after a year it requires an 8% dividend. That dividend will increase 2% per year up to a maximum of 12%. SCO is pleased with its discussions with SGI; the removal of 200 lines of code by SGI was presented as a victory. No mention of XFS. Darl McBride said that they didn't see starting any other potential litigation against Unix vendors, but that they have several thousand customers with end-user Unix licenses. SCO apparently sees some opportunity to go after those end-user licensees for their use of Linux. Once again, it is made clear that SCO is not a good company to sign a contract with.

The 8K filing on the BayStar deal is now available; we'll be looking at it shortly. Update: that look is now complete; click below (subscribers only) for our summary.

Full Story (comments: 10)

Breakthrough Results with SGI Altix at NASA Ames

Here's a press release (click below) from SGI about large-scale SGI Altix 3000 systems, running Linux, that have been generating breakthrough performance results on scientific applications at NASA Ames Research Center.

Full Story (comments: 1)

SuSE Openexchange server 4.1

SuSE has announced the forthcoming release of OpenExchange 4.1, its "complete messaging and groupware package." New features include a WebDAV interface, support for calendar and contact information, and more.

Full Story (comments: none)

Resources

EDRI-gram newsletter

The October 22 EDRI-gram newsletter is available, with coverage of issues relevant to digital civil rights in Europe. Topics this time around include pan-European anti-spam measures, the pending intellectual property enforcement directive (and the 199 amendments which have been filed so far), the proposed EU-wide health care identity card, and several others.

Full Story (comments: none)

The IDA Open Source Migration Guidelines

IDA (Interchange of Data between Administrations) has published recommendations on how to migrate to Open Source Software (OSS)-based solutions. "These guidelines have been designed to help public administrators decide whether a migration to OSS should be undertaken and describe, in broad technical terms, how such a migration could be carried out. They are based on practical experience of a limited number of publicly available case studies, and cover a wide range of management and technical concerns." (Thanks to A.Ismael Olea González)

Comments (none posted)

LDP Weekly News

The October 22, 2003 edition of the Linux Documentation Project Weekly News is out. Take a look for the latest documentation updates.

Full Story (comments: none)

Event Reports

ILC 2003 proceedings available

The news and reports from the ILC 2003 International Lisp Conference are available.

Full Story (comments: none)

Second Netfilter Development Workshop

A web site has been put together to document the 2nd netfilter developer workshop, which took place in Budapest, Hungary on August 18 and 19, 2003. Thanks to Harald Welte.

Comments (none posted)

Upcoming Events

ApacheCon 2003 speakers announced

The Apache Software Foundation has sent out a press release listing the speakers for ApacheCon 2003, which is happening November 16 to 19 in Las Vegas (next to Comdex). The keynote speakers will be Chris Pirillo and Doc Searls; many other speakers are on the schedule, see the PR for the full list.

Comments (none posted)

EclipseCon 2004 announced

EclipseCon 2004 has been announced. "Eclipse, the open community and consortium for universal tools integration, announces EclipseCon, a new technical conference that will take place February 2-6, 2004 in Anaheim, CA. Produced and managed by Eclipse consortium member the Object Management Group, EclipseCon brings together the Eclipse ecosystem: developers, software architects, technical managers, systems integrators, thought leaders, and other software development tools producers and consumers using or interested in learning about Eclipse technology."

Comments (none posted)

SANE 2004 Call for Posters

The 4th International SANE Conference is less than a year away. The next System Administration and Network Engineering Conference will be held September 27 - October 1, 2004 at the RAI Centre in Amsterdam, The Netherlands. This is a call for Posters. "The SANE Posters provide an excellent forum for authors to present their work in an informal and interactive setting. Posters are ideal for presenting speculative, late-breaking results or for giving an introduction to interesting, innovative work. Posters are intended to provide authors and participants with the ability to connect with each other and to engage in discussions about the work."

Full Story (comments: none)

YAPC::NA::2004 Dates Set (use Perl)

According to Use Perl, the YAPC::NA::2004 conference will be held in Buffalo, NY on June 16-18, 2004.

Comments (none posted)

Events: October 23 - December 18, 2003

Date | Event | Location
October 23, 2003 | Enterprise Linux Forum | (Washington Convention Center) Washington, D.C.
October 23 - 24, 2003 | PHP-Con West | Santa Clara, CA
October 26, 2003; October 27 - 31, 2003 | Large Installation Systems Administration Conference (LISA) | (Town & Country Resort Hotel) San Diego, CA
October 27 - 29, 2003 | LinuxWorld Conference & Expo 2003 | (Fairgrounds Frankfurt) Frankfurt, Germany
October 29 - 31, 2003 | Asian Enterprise Open Source Conference (AEOSC) | (Suntec International Convention and Exhibition Centre) Singapore
October 30 - 31, 2003 | 4to Encuentro Linux | Valparaiso, Chile
November 2 - 3, 2003 | International PHP Conference 2003 | (Astron Hotel Frankfurt-Mörfelden) Frankfurt, Germany
November 6 - 7, 2003 | HiverCon 2003 | (Davenport Hotel) Dublin, Ireland
November 6, 2003 | Netherlands Unix Users group fall conference | (Conference Center De Reehorst) Ede, the Netherlands
November 6 - 7, 2003 | PacSec.jp 2003 | (Hotel East 21 Tokyo) Tokyo, Japan
November 8, 2003 | Lightweight Languages 2003 (LL3) | (MIT) Cambridge MA
November 10, 2003 | Desktop Linux Conference | (Boston University Corporate Education Center) Tyngsboro, Massachusetts
November 10 - 11, 2003 | Congreso Nacional de Software Libre (CONASOL) | (Universidad de Talca) Talca, Chile
November 14 - 16, 2003 | Third International Ruby Conference | (Red Lion Hotel) Austin, Texas
November 15 - 21, 2003 | Supercomputing Conference (SC2003) | (Phoenix Civic Plaza Convention Center) Phoenix, AZ
November 16 - 19, 2003 | ApacheCon 2003 | Las Vegas, Nevada
November 20 - 21, 2003 | ObjectWeb Conference | (INRIA Rocquencourt) Rocquencourt, France
November 22, 2003 | Southern California Linux Expo (SCALE) | (Los Angeles Convention Center) Los Angeles, CA
November 22 - 24, 2003 | New York GNOME Summit | (Brooklyn College) New York, NY
November 24 - 26, 2003 | Open Standards and Libre Software in Government Conference (EGOVOS 3) | Paris, France
December 2 - 4, 2003 | Linux Bangalore/2003 | Bangalore, India
December 9 - 13, 2003 | International Conference on Logic Programming (ICLP'03) | Mumbai (Bombay), India

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds