LWN.net Weekly Edition for November 6, 2003 [LWN.net]

Will the real Linux Gazette please stand up?

The Linux Gazette has been a fixture of the Linux community since its beginnings in 1995. The first issue, published entirely by John Fisk, introduced itself in this way:

Hopefully, what it will do is make running Linux a bit more fun, enjoyable, or easier. This is a compilation of ideas I've shamelessly plagerized [sic] from so many sources that, quite frankly, I'm not sure where some of them came from, let alone being able to give due credit to the originator.

The Gazette grew quickly, attracting new readers and new authors. By the fifth issue, mirrors were necessary; these were contributed by Phil Hughes (of SSC, the publisher of the Linux Journal) and Alan Cox. Putting out the Linux Gazette took time, however, and the project lapsed for some months in early 1996. When Issue 8 came out in August of that year, it carried the following announcement:

As of the next LG issue the Linux Gazette will officially come under the auspices of the Linux Journal . The 'ol Linux Gazette has grown over the past year -- this is actually its First Birthday this month -- and it is probably fitting that after a year it's ready to come under the watch care of the folks at Linux Journal. Phil Hughes has very graciously offered to take over the day-to-day management of the Linux Gazette while continuing its tradition as a free and freely available WWW publication.

Once it came under the Linux Journal's wing, the Linux Gazette thrived. Over 80 issues were produced, on an approximately monthly basis, and the range of authors and topics seemed to increase every month. The Linux Gazette carried early articles by a number of well known community authors, including Joe Barr, Miguel de Icaza Chris DiBona, Jon 'maddog' Hall, Michael J. Hammel, Dwight Johnson, Evan Leibovitch, Dave Phillips, Alessandro Rubini, Doc Searls, Jamie Zawinski, and many others. And, of course, the infamous "Answer Gang" - though the Gang started small with Jim Dennis as the Answer Guy. Over the years, the Linux Gazette has remained true to its roots, providing high-quality, noncommercial information aimed at making Linux more fun.

The Linux Gazette has reached a fork in the road, however, which threatens to make things somewhat less fun for a while. The volunteer core which puts together the Gazette has announced that the publication is leaving SSC's embrace, and is striking out on its own. This group has put out an Issue 96 which includes a fairly strongly-worded editorial:

During the past month, the Linux Gazette, as we and our readers have known it for a number of years, has come to an end. SSC, the company who had been hosting - and, to some degree, supporting - our efforts since shortly after the inception of the Gazette has decided that it somehow belongs to them, to change, adapt - or to destroy - at their pleasure. We - the people who have volunteered our efforts to write for it, assemble it, produce it, and publish it - disagree... and the wind of the desert howls over all, blowing away what once was, leaving nothing but the pure idea that still lives, independent of hardware, software, and corporate manipulation, and existing only in the minds of those who believe in it.

The dissidents have set up shop at LinuxGazette.net. Meanwhile, SSC continues to operate LinuxGazette.com, which has published an Issue 96 of its own. There are, in other words, two competing publications using the same name and even the same issue numbering scheme.

The core of the dispute is a decision by SSC to move the Linux Gazette to a modern content management system with reader forums, a constant stream of articles, etc. Phil Hughes explained the reasoning for this change to us:

I had received complaints that it felt like you had to be in a "special club" to contribute to Linux Gazette. This detracted from the community spirit of the publication. We also saw that good content was being held for weeks before publication because there was only a monthly edition.... Finally, going to a CMS makes it possible to easily add new capabilities. We already have forums and article comments in place but there is more to come. For example, we have had one person recently point out that he is vision impaired. Having everything in a database means text-to-speech, for example, could be added.

To many in the Linux Gazette organization, the changes to the site went against everything the Gazette had always been: a high-quality, edited, carefully-selected, monthly publication which can be mirrored worldwide. Rather than be part of a publication which, from their point of view, has been thoroughly compromised, these people decided to leave SSC - and to take the Linux Gazette with them.

What will happen now is unclear. Having two publications each claiming to be the "real" Linux Gazette seems unlikely to be good for either one of them. The departing contributors have asked that the LinuxGazette.com domain name be transferred to them, but that seems unlikely to happen. According to Phil Hughes, "SSC will continue to run Linux Gazette and it will continue to appear at www.linuxgazette.com." SSC does own that domain name, and it has a seven-year history of publishing the Linux Gazette (and employing its editor for most of that time); it could be hard to find anybody with a stronger legal claim to the right to use that name if it came down to a fight.

There have been signs that this disagreement could turn nasty, and some accusations have started to fly. These include stripped copyrights (since fixed, apparently) and censorship issues: the LinuxGazette.net Issue 95 mailbag contains a couple of letters which are missing from the LinuxGazette.com version. SSC has, by its own admission, been deleting posts on LinuxGazette.com that reference LinuxGazette.net, and has started making noises about trademark violations. Even so, most of the people involved seem to understand that neither the Linux community nor the Linux Gazette (either version) needs an ugly public feud. One can only hope that the relevant parties are able to keep that idea in mind as they carry their respective projects forward.

Comments (20 posted)

On Novell's acquisition of SUSE

As most readers will know by now, Novell has announced a deal to acquire SUSE Linux. Many of the details can be found in the associated press release; others came out during the press conference and afterward.

SUSE was bought for $210 million in cash. The deal thus values SUSE at less than one tenth the market capitalization of Red Hat ($2.4 billion as of this writing, down somewhat after Novell's announcement). Since SUSE has never been a public company, information on its finances has been hard to come by; at the press conference, however, SUSE's revenues for this year were estimated to be between $35 and $40 million. Red Hat's revenue will be on the order of three times that figure. So SUSE truly is a smaller company, deserving of a lower valuation. The magnitude of the difference is striking, however.

The press conference was full of upbeat "forward looking statements" on how this acquisition positions SUSE as a proper competitor for Red Hat. Novell's large, global support and training operation was mentioned several times; indeed, having a business on that scale behind the distribution might just help nervous CIOs sleep better at night. Novell and SUSE also have high hopes for Novell's large sales (and reseller) channel. Of course, Caldera/SCO was also supposed to succeed based on its channel... Novell also wastes no opportunity to point out that it now has "the whole stack" of offerings, from the base operating system through its proprietary enterprise products.

SUSE currently has 399 employees. It appears that Novell plans, for now, to keep the technical staff around; there may be some reductions in the administrative area, however. Novell has stated that it is committed to maintaining SUSE's presence in Nuremberg.

Novell's management has learned to say the right things with regard to the open source community - though they accepted no questions from community publications at the conference. Novell, says CEO Jack Messman, "expects to learn a lot" from the SUSE engineers, and plans to continue to be a leader in the development community.

After the conference, we asked about Novell's plans in a couple of areas. Unlike Red Hat, Novell/SUSE does not plan to drop its retail distribution; instead, it will fire up its sales channels and try to create a much larger presence for all of SUSE's products, especially in the U.S. The situation with desktops is a little less clear. SUSE has long been a supporter of the KDE desktop, but Novell owns Ximian, which is rather firmly in the GNOME camp. Novell, apparently, doesn't yet know how it will resolve that difference; PR person Kevan Barney told us "We'll be evaluating how to proceed on the desktop front in the coming months."

The same press release announced that IBM is investing $50 million into Novell. The two companies will be negotiating other deals in the future for the continued support of SUSE Linux on IBM's platforms.

The long-term consequences of this deal could be large. Red Hat is no longer the biggest Linux distributor; it will now be competing with an established, large company with a huge installed base of customers. The upper end of the Linux distribution market looks increasingly like a duopoly controlled by two giants. Despite the wealth of distributions available to Linux users, only a very few of those distributions will ever develop the mass to be successful in the commercial arena.

It's also worth noting that, for the first time, one of the core Linux distributions is owned by something other than a community-based company. It is certainly possible for a large company like Novell to handle such a resource properly and not ruin SUSE's relationship with the development community that supports it. Novell does seem to be trying to do the right thing in this regard. This acquisition might just work, and it could turn out to be a good thing for everybody involved, but the Linux commercial landscape has a different look than it did last week.

Comments (45 posted)

Red Hat Linux ends - now what?

November 5, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Red Hat's announcement earlier this week that it would be ending the Red Hat Linux product line should not be too surprising for those who have been reading the tea leaves -- or LWN. Red Hat announced the end of the Red Hat Linux product line in July, and merged the Red Hat Linux Project and Fedora Project in September. Still, the end-of-life announcement sent to Red Hat Network (RHN) subscribers this week seemed to catch some by surprise:

Red Hat will discontinue maintenance and errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December 31, 2003. Red Hat will discontinue maintenance and errata support for Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release another product in the Red Hat Linux line.

While Red Hat will continue to sell and support its enterprise line of products, users who have grown accustomed to the (relatively) inexpensive Red Hat Linux line and RHN support are now looking for other options. Users have about six months to decide what direction they want to go. RHN channels with updates for discontinued versions will remain available for at least six months after the end-of-life, but the April 30 date will be the end of new errata for regular Red Hat Linux products. RHN subscribers who are paid-up past April 30 will receive an evaluation ISO for Red Hat Enterprise Linux WS and channel access to updates for that distribution until their subscription expires. Red Hat is no longer allowing subscribers to extend their subscription past April 30, though subscribers can renew up until April 30 for $20.

The first option for Red Hat loyalists is Red Hat Enterprise Linux. Red Hat is offering introductory pricing for Red Hat Enterprise Linux WS or Red Hat Enterprise Linux ES; the deal is 50% off either product for up to two years, putting annual cost of the workstation product (WS) at $89.50 per system and the server product (ES) at $174.50 per system. This pricing structure, while not overly expensive for a single system, may not be popular with Red Hat users who have been maintaining multiple systems with Red Hat Linux.

Another likely choice for hobbyists and users who have grown fond of Red Hat Linux is the Red Hat Linux Project's successor: Fedora (which has just made its first core release). Fedora will likely replace Red Hat on many systems as Red Hat Linux 9 approaches end-of-life. However, many users are likely to be a bit wary about adopting Fedora as the project is still in its infancy and it has yet to be seen how well the project will evolve. Fedora will will also be a more volatile distribution, with each release being, essentially, a "dot-zero" version.

Users might also choose to move to derivative products like Tummy.com's KRUD, or KRUD Server. KRUD is based on Red Hat Linux and users can opt for a monthly subscription with updates via CD-ROM. A one-year subscription to KRUD will run users $65, a one-year subscription to KRUD Server is $190. This may be an attractive option to many users, since Tummy.com does not require a per-machine subscription. Thus, a KRUD subscription is usable on any number of machines, unlike subscriptions to Red Hat Enterprise products.

There are, of course, other distributions which will be more than happy to pick up customers left behind by Red Hat. Red Hat's termination of the "consumer" line of products may be a blessing for other commercial Linux distributions with a strong interest in the retail Linux market. SUSE, Mandrake Linux, Xandros, Lindows and other commercial distributors may pick up some of Red Hat's audience still looking to buy a supported retail product. Non-commercial distributions like Debian might gain users as well; see this week's Distributions page. In the commercial arena, Mandrake is still working to emerge from bankruptcy, leaving SUSE as the strongest contender for the retail market at this point, particularly with the backing of Novell.

Joseph Eckert, SUSE's Vice President of Corporate Communications, told us that he is optimistic about SUSE's prospects in the retail channel. He noted that SUSE has seen a jump in sales with the 9.0 release, though it has not been available for very long. Unlike Red Hat, SUSE's retail products still account for a significant portion of their overall sales. According to Eckert, SUSE expects between €35 million and €40 million in sales this year, with the SUSE's desktop products accounting for more than 50 percent of their business.

Eckert also said that SUSE has no plans to cancel its desktop products. "As Red Hat continues to distance itself [from retail products] we consider it a service to the community to keep the desktop alive...it's not just about the enterprise desktop, it's about making sure that our community of developers and enthusiasts are satisfied."

Indeed, it may be important for any vendor interested in the enterprise to keep developers and enthusiasts happy. Red Hat's decision to abandon retail products and focus solely on its enterprise products may help boost Red Hat's rivals in the enterprise market as well. Red Hat found its way into many organizations because that was what IT staff used at home. With some of Red Hat's user base looking at moving to different distributions, they may decide to bring those distributions into the workplace with them.

Comments (18 posted)

FCC "broadcast flag" approved

The U.S. Federal Communications Commission has approved the "broadcast flag" scheme put forth by the MPAA and its associates. Details can be found on the FCC site in the form of a news release and the actual order - both in PDF format.

Why do we need a digital broadcast flag? From the order:

In this report and order, we conclude that the potential threat of mass indiscriminate redistribution will deter content owners from making high value digital content available through broadcasting outlets absent some content protection mechanism. Although the threat of widespread indiscriminate retransmission of high value digital broadcast content is not imminent, it is forthcoming and preemptive action is needed to forestall any potential harm to the viability of over-the-air television.

So "mass indiscriminate redistribution" is not a problem now, but preemptive action is the way of things in the US these days, so we have to mandate copy protection mechanisms for transmissions on our public spectrum.

The actual broadcast flag rule, as found in page 40 of the order document, states that a digital TV demodulator cannot send unprotected content to any output, except in a set of specific cases:

Analog output continues to be allowed.
Specific digital output formats which much maintain the presence of the broadcast flag.
Digital outputs are allowed if they are protected by an "Authorized Digital Output Protection Technology." Encrypted output to devices which also follow the broadcast flag rules is allowed as well.
Output to a recording device is allowed - but, of course, that device, too, must implement an "Authorized Recording Method."
Digital output from computers is allowed as long as the resolution of the image is reduced to no more than 350,000 pixels per frame.

The FCC repeatedly asserts that home recording will not be affected by the broadcast flag. The rules, however, do place significant constraints on digital recordings. In particular, the resulting recording cannot be transferable to another device, or the recorder must be explicitly "authorized" by the FCC. The MPAA had pushed hard for the "authorization" mechanism to require, among other things, approval by at least two "major studios," but the FCC, at least didn't buy that. Instead, there will be an involved bureaucratic process where manufacturers of recorders have to show the FCC how their product will implement copy protection schemes.

Much debate evidently went into the specification of "robustness rules." The MPAA wanted an extensive set of regulations on things like "how content may be transmitted on data paths within Demodulator Products" and such, an an effort to make circumvention as difficult as possible. The FCC, however, concluded that a level of robustness sufficient to defeat an "ordinary user" would be enough. Interestingly, the FCC uses the CSS scheme used on DVDs as an example:

Although the CSS copy protection system for DVDs has been "hacked" and circumvention software is available on the Internet, DVDs remain a viable distribution platform for content owners. The CSS content protection system serves as an adequate "speed bump" for most consumers, allowing the continued flow of content to the DVD platform.

One might have just as easily concluded that a copy protection (and "region coding" price support) scheme like CSS was unnecessary in the first place, but the FCC wasn't willing to go there.

The resulting "robustness requirements" say that the broadcast flag scheme must be implemented in products in a way that can't be defeated or circumvented by "an ordinary user using generally-available tools or equipment." Examples of such tools, as listed in the regulation, include screwdrivers, jumpers, clips, soldiering irons, EEPROM writers, debuggers, and decompilers.

This rule will have an obvious effect on free software - under the broadcast flag provisions, there simply cannot be a free TV demodulator system. Even if somebody wrote a free system which implemented the broadcast flag restrictions, a source-available system clearly would not meet the "robustness requirements." The FCC report does, at least, note this problem:

In response to our Notice of Proposed Rulemaking, EFF questioned the impact of a flag based regime on innovations in software demodulators and other DTV open source software applications... We seek further comment on the interplay between a flag redistribution control system and the development of open source software applications, including software demodulators, for digital broadcast television.

Given that the FCC seeks further comments, the free software community would be well advised to provide them with those comments. The Electronic comment filing system can be used for this purpose (the docket number for the report is 02-230). The chances of getting any sort of free software exemption to the broadcast flag requirements appear slim, however. The MPAA might not have gotten everything it wanted out of the FCC - thanks to the efforts of the EFF and many others - but that organization remains the driving force behind the FCC's rulemaking.

Comments (19 posted)

Page editor: Jonathan Corbet

Security

Brief items

Which OpenSSL are you running?

OpenSSL is a well-advanced project developing a free implementation of the Secure Socket Layer and Transport Layer Security protocols. The OpenSSL code can be used in many contexts, but the most prominent use is almost certainly in web servers which need to offer the "https" protocol. When you (hint...) type your credit card number at LWN.net, the OpenSSL code ensures that said number cannot be captured by eavesdroppers lurking between your browser and our server. OpenSSL is, in other words, a critical part of the net's infrastructure.

The central role played by OpenSSL makes any security vulnerabilities in that package especially frightening. The software is widely deployed and exposed directly to the net, so holes can open up large numbers of systems to compromise. Sites using OpenSSL are also relatively likely to have something worth protecting, and are thus also relatively likely to be targets for certain types of crackers.

One would thus think that administrators of sites running OpenSSL would tend to stay current on their security updates. According to a survey run by Netcraft, however, one would be wrong. Netcraft looked at the advertised OpenSSL versions running on just over 50,000 web sites. Fully half of those sites were running version 0.9.6d (or earlier), which has vulnerabilities that are fully exploitable by a remote attacker. Only 1,356 out of 50,891 sites were running versions 0.9.6k or 0.9.7c, which were, at the time, free of known vulnerabilities (a vulnerability has since been found which can lead to crashes on Windows platforms). OpenSSL users, it would seem, have not been keeping up with their patches.

As Netcraft acknowledges, the above results are overly pessimistic. Security updates provided by distributors usually just backport the fix for the specific problem(s) to the (older) version of the software that was originally included in the distribution. So numerous sites which appear (to the outside) to be running vulnerable software are, in fact, up to date. Netcraft could have improved its numbers by seeing if an actual exploit worked on each system tested, but that approach to data collection has practical problems of its own.

The bottom line, however, is that there are certainly many vulnerable sites out there. The fact that widespread exploits have not happened suggests that the net is not quite as scary a place as it is sometimes made out to be. But, sooner or later, an opening of this magnitude will certainly be exploited. Whether it is used for some sort of unpleasant worm or for a credit card scam doesn't really matter. Either way, it will impair the trust in Linux, Apache, and network commerce in general. And it is entirely avoidable.

If you have systems running older versions of OpenSSL, it is past time to update them. The LWN vulnerability entry will point you at the relevant distributor updates.

Comments (12 posted)

New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s):

bugzilla

CVE #(s):

Created:

November 5, 2003

Updated:

November 5, 2003

Description:

Several new vulnerabilities have been found in bugzilla; these include a pair of SQL injection bugs (usually only exploitable by privileged users) and some information leaks. See this advisory for details; upgrading to versions 2.16.4 or 2.17.5 fixes the problems.

Alerts:

Conectiva

CLA-2003:774

2003-11-05

Comments (1 posted)

CUPS: denial of service

Package(s):

CUPS

CVE #(s):

CAN-2003-0788

Created:

November 3, 2003

Updated:

March 4, 2004

Description:

Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).

Alerts:

SCO Group	CSSA-2004-012.0	2004-03-03
Conectiva	CLA-2003:779	2003-11-07
Mandrake	MDKSA-2003:104	2003-11-05
Red Hat	RHSA-2003:275-01	2003-11-03

LWN.net Weekly Edition for November 6, 2003

bugzilla: multiple vulnerabilities

CUPS: denial of service

postgresql: remote code execution

2.4 kernel - several vulnerabilities

apache: buffer overflows in mod_alias, mod_rewrite

apache2: Denial of Service vulnerability

ethereal: security problems in Ethereal 0.9.12

Filename disclosure vulnerability in fam

fetchmail may crash on specially crafted message

fileutils/wu-ftpd: denial of service

glibc - buffer overflow

glibc: DNS stub resolvers contain buffer overflow vulnerability

gnupg: key validation

gtkhtml: malformed messages cause crash

KDE: Two issues in KDM

kernel-utils: setuid vulnerability

libnids: remotely exploitable buffer overflow

libpng, libpng3: buffer overflow

mikmod: buffer overflow

mplayer: remotely exploitable buffer overflow vulnerability

Nessus NASL scripting engine security issues

net-snmp: denial of service vulnerability

nfs-utils xlog() off-by-one bug

openssh: timing attack leads to information disclosure

openssl: vulnerabilities in ASN.1 code

postfix: denial of service vulnerabilities

PostgreSQL - more buffer overflows

proftpd: remote root shell

Multiple-use vulnerability in Safe.pm

sane-backends: several vulnerabilities

sendmail: remotely exploitable buffer overflow

stunnel: signal handler reentrancy DoS

File overwrite vulnerability in tar and unzip

Multiple vendor telnetd vulnerability

thttpd: multiple vulnerabilities

unzip: directory traversal vulnerability

vim - modeline vulnerability

webmin: session ID spoofing

wget: buffer overflow

XFree86 4.3.0 integer overflows in font libraries

xinetd: Memory leak in xinetd 2.3.10