LWN.net Logo

Advertisement

ThinLinc Terminal Server

Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux, 10 licenses for free!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Front page

Recent Features

LWN.net Weekly Edition for December 4, 2008

KSM runs into patent trouble

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Looking forward to Fedora Core 2

[Posted December 16, 2003 by corbet]

Commercial Linux distributions have provided much of the driving force behind the increasing adoption of free software. These distributions tend to be high-quality products, and most Linux users end up running one of them. One disadvantage of commercial distributions, however, has typically been the relatively closed nature of their development process. It is hard to know where a distribution is going until the next release arrives; consider how surprised many Red Hat users were when the expected Red Hat Linux 8.1 release turned into Red Hat Linux 9 with a number of disruptive changes. This situation is not unique to Red Hat; of the commercial distributions, only Mandrake has really gone out of its way to open up its development process to its users.

The evolution of Red Hat Linux into Fedora has changed things. Red Hat may still guide Fedora with a firm hand, but the process is now being carried out in a relatively open manner, with input from the wider community. As a result, it is possible to develop a reasonable idea of what will appear in the Fedora Core 2 (FC2) release, which is now scheduled for April 5, 2004.

From the beginning, FC2 was destined to be based on the 2.6 kernel. It will thus likely be the first big-name distribution to be truly committed to 2.6, rather than just offering it as an option. There may be a backup 2.4 kernel available for systems that simply can't run 2.6, but its use will probably be rare.

FC2 is not stopping at adopting 2.6, however; this distribution will also be set up to use the NSA Security Enhanced Linux (SELinux) subsystem. SELinux is packaged with 2.6 (as a Linux security module), but actually making use of it is not just a matter of turning it on. SELinux is based on a complex, rule-based mandatory access control mechanism which requires that a whole set of rules and policies be created. To this end, Red Hat has hired Russell Coker, who got his start in this area doing SELinux work for Debian. Russell's SELinux work will show up in FC2, and, after the Fedora users have shaken out the bulk of the problems, in the Enterprise Linux Advanced Server products.

FC2 will also include full IPSec support, given that the requisite protocol support exists in 2.6. Not everybody is happy with the choice of IPSec-Tools for configuration and management, however.

A big issue on the fedora-devel list was whether GNOME 2.6 would make it into FC2. Nobody spoke against the idea, but Fedora leader Michael Johnson did point out one issue with GNOME and Fedora: how their respective schedules work together. GNOME tries to make releases every six months, while Fedora is trying to go a little faster than that. The result is that, sooner or later, Fedora will miss a major GNOME release and spend a few cycles catching up. Recent discussions suggest, however, that GNOME 2.6 will be in FC2. The FC2 release schedule should allow the developers plenty of time to incorporate the imminent KDE 3.2 release as well.

Web browsers are a topic of conversation. It may be hard to remember that, only a few years ago, the only real browser alternative for Linux was the proprietary Netscape 4.x release - and we were glad to have it. There are now so many browsers available for Linux there there is no real hope of including them all. For FC2, it looks like the choices may be Konqueror, Epiphany, and Mozilla. In the future, when Mozilla Firebird stabilizes somewhat, it may replace Mozilla "classic" in Fedora.

There have been a fair number of requests to drop sendmail in favor of a more secure mail transfer agent. Postfix would appear to be the preferred replacement. There does not appear to be a whole lot of desire within Red Hat to change the system's MTA, however, so sendmail looks likely to hang around for a while yet.

One user requested a natively-compiled version of the Eclipse development environment. That wish appears likely to come true; the FC2 schedule states that a number of Java components, compiled with GCJ, are on the list to be incorporated into the distribution.

There is a fair amount of interest in a "bare-bones" installation mode. A minimal install could be used for old and small systems, or as a base platform for a subsequent network install (much as Debian installations can be done). This "bootstrap" install option may well show up in FC2.

Some desired packages will be kept out as a result of licensing issues. Thus valgrind, though often requested, is off the list; it apparently suffers from software patent problems. MySQL 4.x is also an interesting problem; with the 4.x release, the license on the MySQL libraries was changed from the LGPL to the GPL. That change makes it harder to write proprietary applications using the libraries, which can be a concern for distributors (UserLinux is coping with similar issues). The MySQL 4.x library license, however, also blocks the use of MySQL with PHP, which has a GPL-incompatible license. A MySQL/PHP adaptor, as a derived product of both systems, cannot be distributed. So MySQL 3.x will likely be in Fedora Core for a while yet.

The actual Fedora Core 2 release will doubtless contain some surprises. But it will be, by far, the most open release ever to come out of Red Hat. This visibility into the development process will give Fedora users the opportunity to be better prepared for future releases (a good thing, since quick upgrades will be required to keep getting security patches) and to have some influence on how the distribution is developed. It is too soon to say whether Fedora will be a success, but the new approach to its development is already showing some benefits for its users.

(Log in to post comments)

SELinux

Posted Dec 18, 2003 13:53 UTC (Thu) by brugolsky (subscriber, #28) [Link]

SELinux should have a profound effect on security. With proper safeguards in place, one need not scramble like mad to get the latest buffer overflow patch in place within hours of its exploitation. With a little policy work (much of which Russell Coker already has in place), apps like Mozilla and Evolution can be confined from doing nasty things to user data (at least directly).

With a viable and secure Linux alternative, the first bit of truly destructive Windows malware is going to accelerate Linux adoption on the corporate server/desktop, as well as in government.

At the moment, the gaping hole in desktop security, even with SELinux, is the X server, and inter-client communication. There is a design paper on how to secure X, but AFAIK, no work has been done yet. Once SELinux is in widespread use, perhaps this will gain some attention.

SELinux

Posted Dec 18, 2003 14:35 UTC (Thu) by jamesm (guest, #2273) [Link]

Work is being done on Security Enhanced X, but it is not something that will be ready soon. Some of the basic building blocks have been completed:

- The SO_PEERSEC patch which allows userspace applications to authenticate each other using SELinux (or other security) credentials in addition to pid/uid/gid.

- A userspace implementation of the AVC (access vector cache), which is the part of SELinux which makes security decisions.


SELinux

Posted Dec 18, 2003 21:07 UTC (Thu) by oak (subscriber, #2786) [Link]

What about including systrace:
http://www.citi.umich.edu/u/provos/systrace/
?

Looking forward to Fedora Core 2

Posted Dec 18, 2003 14:57 UTC (Thu) by havardk (subscriber, #810) [Link]

Postfix has been included in RedHat/Fedora for a while, but sendmail will be installed by default in a new installation.

Looking forward to Fedora Core 2

Posted Dec 19, 2003 17:21 UTC (Fri) by X-Nc (guest, #1661) [Link]

With any luck sendmail will remain the default MTA, too, for at least the next year. Yes, Postfix is all around better and yes, sendmail will likely continue to have some security blips (for a while at least) but the bottom line is that sendmail is the backbone for email on the 'net. Just like bind for DNS. Would I like to see alturnatives replace these two old work horses? Sure. But not today.

Looking forward to Fedora Core 2

Posted Dec 24, 2003 3:26 UTC (Wed) by trustcommerce (subscriber, #7616) [Link]

Why? Postfix is pretty much drop-in replaceable for sendmail. The first thing I do on any Red Hat or Fedora install is "up2date postfix; rpm -e sendmail". Sendmail 1. sucks, 2. sucks, and 3. really sucks. Why keep it around?

inetd was the "workhorse of the internet" and Red Hat wisely replaced it with xinetd a few versions ago. BSD lpd was the standard UNIX print system for decades, but they replaced it with CUPS recently. And Netscape Navigator was the standard UNIX browser for countless years, but they thankfully replaced it with Mozilla.

Sendmail has had a good run, just like inetd, lpd, and Netscape Navigator. But now it's time to take it out back and put a bullet in its head to make room for a modern replacement like Postfix.

Looking forward to Fedora Core 2

Posted Dec 26, 2003 2:05 UTC (Fri) by dskoll (subscriber, #1630) [Link]

> Why? Postfix is pretty much drop-in replaceable for sendmail

Wrong. Until Postfix has the equivalent of Milter, I stick with Sendmail.

Looking forward to Fedora Core 2

Posted Dec 18, 2003 19:25 UTC (Thu) by bferrell (subscriber, #624) [Link]

OK, I'll bite. What's the patent issue with valgrind? I didn't turn it up on a cursory google search. It looks to me like it's completely GPL, but IANAL

Looking forward to Fedora Core 2

Posted Dec 19, 2003 19:06 UTC (Fri) by tom_verbeure (guest, #5665) [Link]

I don't know what the patents problems are with Valgrind, but if it's any help, it has absolutely nothing to do with GPL.
Patents are completely independent from the copyright license.

Looking forward to Fedora Core 2

Posted Dec 23, 2003 5:48 UTC (Tue) by bferrell (subscriber, #624) [Link]

Ouch!! I usually don't make that type of mistake... I make other ones :)

Looking forward to Fedora Core 2

Posted Apr 6, 2004 13:04 UTC (Tue) by barbersweb (guest, #20689) [Link]

"The MySQL 4.x library license, however, also blocks the use of MySQL with PHP, which has a GPL-incompatible license."

What is the scoop with this? Is there another article or something I missed entirely about these two not playing together nicely?

Thanks,
MJB

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds