
LWN.net Weekly Edition for January 8, 2004

Red Hat borrows $500 million

Red Hat has a balance sheet that many other companies would envy. The company was lucky (and smart) enough to be the first Linux company to go public during the brief Linux portion of the dotcom bubble; it even had sufficient time to do a second offering to bring in another pile of cash. That windfall, along with careful management, left the company with $329 million in cash and investments at the end of November, 2003 (the last quarter for which numbers are available). That cash pile has been growing in recent quarters; Red Hat certainly need not be concerned about running out of money anytime soon.

So one might well wonder why Red Hat has just issued $500 million in bonds. Why take on half a billion dollars in long-term (20 years) debt when you haven't really figured out what to do with the cash you already have? We asked the company, and were told:

We decided to take this great opportunity to capitalize our company for the purpose of achieving our goal to become the defining technology company of the 21st century. We are focused on building and expanding our organization long term.

There are no specific plans for the cash at this time.

In other words, they aren't telling. One may well speculate that there are acquisitions (big ones) in the works; this idea is reinforced by this (Raleigh) News & Observer article:

"We believe the time for us as a company to take control of the market is now," said chief financial officer Kevin Thompson. "What we've done is capitalize ourselves so that we can react very quickly to opportunities that come up in the marketplace."

Customers are demanding products that Red Hat can't offer, Thompson said. It likely will have to buy other companies to add new products and services.

One assumes that Red Hat has some "opportunities" in mind, but they are not ready to talk about them at this time.

The truth of the matter is that Red Hat was able to get this money on great terms. The interest rate on this loan is 0.5%. So Red Hat could simply put the money into certificates of deposit (currently paying 4% or so in the U.S. for long terms), pay off the loan in 20 years, and pocket the interest. If Red Hat invests this money in this way, it has just acquired a few million dollars per year in free income for the next two decades. This is not a deal the company could afford to turn down.

The real question, perhaps, is why the (unnamed) investors decided to loan money to Red Hat on such terms. Long-term U.S. Treasury bonds pay 4.2% as of this writing - more than eight times what Red Hat is paying. The U.S. government is unlikely to reinvest such money as wisely as Red Hat, but it has the advantage of its coercive powers when payback time comes. Treasuries pay more, and are safer too.

The answer to that question can only lie in the conversion feature of these bonds. The purchasers can convert the bonds to stock at a rate of about $25/share at any time. That rate is significantly above Red Hat's current stock price ($18.50, as of this writing) but, remember, these investors are working with a twenty-year horizon. The bonds are, essentially, a long-term call option which enables the investors to get their funds back if the stock price never goes above $25. Unless Red Hat goes into bankruptcy, the bond holders will probably do OK.

Red Hat started the first Linux financial boom with its IPO. What we may be seeing here is the beginning of the second, more sustainable boom. Serious money is, once again, flowing into Linux companies. The first boom changed the industry in many ways, and left numerous investors rather poorer than they were before. The second boom may be seen as when Linux really took off; it will doubtless bring changes as well. As always, it is going to be interesting to watch.

Comments (5 posted)

LWN's Obviously Incorrect 2004 Predictions

The new year is upon us, and so, like many other publications, we feel an irrational urge to wave our hands in the air and make predictions for what we think the coming year will bring us. So here we go. Needless to say, anybody who is thinking of acting on any of the following would be well advised to get a second opinion...

Enterprise Linux

The "enterprise Linux" business came into its own in 2003, as Red Hat, in particular, found a steady stream of willing customers which drove the company into a profitable state. Red Hat's enterprise offerings must be providing value to the company's customers, given the claimed 90% renewal rate on enterprise support contracts. But the per-system licensing of Red Hat Enterprise Linux has rubbed some community members the wrong way; many developers feel that Red Hat's contracts do not reflect the sort of world they thought they were helping to build.

So, we predict that, in 2004, the enterprise Linux backlash will grow, and we will begin to see whether that backlash can change the enterprise Linux market. A number of free enterprise Linux projects are out there, including CaOS, Whitebox Linux, and UserLinux. These projects have an uphill road ahead of them; to be successful, they will have to convince skeptical companies that they will be able to provide high-quality support for many years into the future. They will also have to make independent vendors see them as important enough to certify applications for. Oh, and, of course, they will have to create a top-quality distribution aimed at the needs of this sort of customer. Creating that distribution will not be easy, but it may prove to be the simplest of the challenges faced by any would-be challenger to Red Hat's enterprise offerings.

The interesting thing is, of course, that these challenges look remarkably similar to those faced by Linux itself a few years ago, when the idea that Linux could pull the rug out from under proprietary Unix systems and challenge Microsoft seemed ludicrous to many. But it happened. Now, challenging enterprise Linux with truly free Linux looks like a daunting task. But it may yet be that a free distribution combined with a distributed network of supporters could supplant today's enterprise offerings in just the same way that Linux has taken Unix's place. The community is capable of amazing things. Not everybody would see such an event as a good thing, but it could happen.

Desktop Linux

The desktop wars will heat up again in 2004. For those of us who remember the KDE/GNOME flame wars of years past, the relative calm and cooperation which has prevailed more recently has been a welcome thing. But there are pressures building which threaten to upset the peace.

The first of those pressures is licensing. Ironically, KDE's choice of the GPL for its libraries may work against it here. The looser GNOME library licensing allows its toolkits to be used, royalty-free, with proprietary applications. Proprietary KDE applications can only be distributed by paying royalties to Trolltech, which owns the Qt libraries. Many users and developers would rather not see proprietary applications exist at all, or, at least, not without paying those who have developed the underlying toolkit. These people are happy with KDE's licensing. Most users, of course, don't care. Distributors, however, usually want to enable vendors to sell applications on their platforms. This interest will push them toward the GNOME camp.

The other point, however, is that distributors are increasingly under pressure to make a choice. Supporting two desktop systems adds to the total workload of maintaining a distribution, and that costs money which may not be available. There is a common perception at this point that the two desktops are functionally identical in all the ways that matter; if that is true, why bother with two of them?

In 2004, these pressures will lead to rising emotions in the camps of both desktops as they see decisions being made for or against them. Perhaps the result will be a greater degree of cooperation between the two development communities via freedesktop.org or other mechanisms. Or, perhaps, our newsgroups, web sites, and mailing lists will once again play host to heated debates and flame wars in vain attempts to establish one desktop as being superior to the other.

Beyond that, however, the hackers will stay busy and desktop Linux will amaze us again. In 2003, it was widely recognized that Desktop Linux has everything that many, if not most, business users need to get their jobs done. 2004 will be the year that desktop Linux stops playing catch-up (in some areas, at least) and truly begins to blaze interesting trails of its own. Projects like Dashboard, GNOME Storage, and Reiser4 are just the beginning of a wave of innovative projects which will change how we use our computers.

2004 may not, however, bring Linux into many more homes. A Linux system is more than adequate for Grandma to send email and wander around on the web. Your editor insists that his children use Linux for their email, browsing, and homework tasks, and it handles those jobs well. The sad truth, however, is that there still needs to be a Windows system around for other vital tasks - such as playing games. Home users are not interested in dual-boot systems; until Linux can do everything they need, they will stick with the same old stuff. Linux may eventually have a free application base which replaces many of the commercial offerings currently filling the shelves of computer stores, but it remains hard to imagine free games, for example, which can compete with the hit-driven commercial variety. Until there is a lively market for commercial Linux applications, there will be some hard limits to how many desktops we can occupy.

Legal issues

The SCO case will drag on, and become more complicated, in 2004. IBM may well succeed in getting many of SCO's complaints dismissed early in the year, but SCO probably has a good chance of keeping some of its breach of contract charges alive. SCO may have to retreat to some of its earliest charges (i.e. JFS, RCU, NUMA, SMP), but IBM may have to go to trial to prove that its code in those areas is not derived from SCO's Unix. SCO can probably muddy the waters enough to keep the judge from dismissing the case outright.

Even if the IBM case is dismissed in 2004, however, there is the issue of SCO's threats of copyright infringement suits against Linux users. One may be tempted to dismiss these threats as just that much more empty SCO bluster. It is worth considering, however, the pressures that SCO will be under, including the agenda of its lawyers and the looming "dividend" payments on the BayStar investment. SCO has no hopes for increasing revenue from its remaining software products at this point; it must litigate further to bring in cash. With the lawyers in charge, chances are that SCO will, indeed, launch new suits.

In fact, the company may well find backbone-challenged Linux users that will cave in and pay up rather than risk a court battle. Such an event will do short-term wonders for SCO's stock price and cash flow.

The simple fact is, however, that the SCO Group has still put forward very little evidence to back up its claim, and what evidence it has presented has mostly been laughed off the stage. The company's claims to own the "Unix ABI" will get no further. Beyond that, Novell's new copyright assertions have the potential to stop the show dead, at least until that dispute has its own day in court. But, regardless of the validity of Novell's claims, SCO's case is empty and the world, increasingly, is seeing that. By the end of 2004, the SCO cases will probably still be alive in some form, but the end will be in sight.

As an aside, Novell will face a severe test of its credibility in the eyes of the community. Nobody wants to see the SCO case resurrected in the future by a Novell which, perhaps after a management change or two, decides that its Unix copyrights (if they are Novell's) might yet be worth something. If Novell is serious about being a part of the Linux community, it needs to make a statement, soon, about just what it intends to do with the Unix copyrights it claims to own.

The GPL may have its day in court. The SCO Group has, of course, stated its intent to break the GPL in court. But that company's arguments, thus far, have failed to impress. SCO's GPL challenges should not get far. More interesting GPL-oriented cases may come from a different direction.

Many developers working in the industry are full of stories of rampant GPL violations, especially where embedded systems are involved. Last year's episode with the LinkSys WRT54G router is just the small tip of a large iceberg in this regard. To an extent, people have been willing to look the other way; it just hasn't seemed worth the trouble to challenge closed-source uses of GPL-licensed code in many cases. There are developers, however, who are increasingly unwilling to close their eyes to violations of their licenses. Expect more challenges against vendors using GPL-licensed code in non-licensed ways. The lack of any court decisions on the GPL will eventually embolden a violator to try his luck in front of a judge. At that point, we will begin to see what the judicial system really thinks of the GPL.

Security

2004 will make us care more about security. In 2003, we saw an ominous string of attacks against the servers which support the Linux development community. There is no reason to believe that these attacks will stop anytime soon. Sooner or later, perhaps in 2004, somebody is going to do some real damage on a scale we have not yet seen. A major breach, perhaps compromising the systems of many Linux users, will cost us money, time, and much credibility.

In recent years, most attacks against Linux systems have exploited known vulnerabilities for which patches existed. A well-managed site is nearly immune to attacks using known vulnerabilities; all of the major distributors are quite good (usually) about quickly preparing updates when a problem comes to light. The attacks we saw at the end of 2003, however, made use of previously unknown holes in rsync and the kernel. Defending against unknown vulnerabilities is much harder, and there do exist attackers who realize this, and who are smart enough to find such problems. In the coming year, we may well see some truly scary exploits of this sort of "zero-day" vulnerability.

There is some good news, however. By the end of 2004, we will see wider deployment of hardened Linux systems. The incorporation of SELinux and various other security technologies into the Fedora Core distribution (and, from there, into Red Hat Enterprise Linux) will drive much of this deployment, and threats from the outside will do the rest. Adding SELinux is a significant step in the evolution of Linux distributions; if this work is done properly, Linux users should soon have a much higher level of security available with a default system install. Proper containment of security breaches should, for example, make that next web server buffer overflow be much less of a threat than it is now.

Kernel

2.7 kernel development will begin after the 2.6.0 kernel has had a few months to stabilize. Expect the 2.7 development series to be quite different from 2.5, however. By the time that 2.5.0 came out, there was a massive backlog of patches waiting for inclusion. The 2.4 stabilization process had taken nearly a year, and there was a long shopping list of planned changes for 2.5, including the block layer rewrite, expanding the dev_t device number type, a new loadable module subsystem, a new kernel build mechanism, asynchronous and direct I/O, and many others.

On the eve of 2.7, the "patch pressure" is far lower. There's no end of ideas for 2.7, including virtual memory work (page clustering, shareable page tables, etc), the never-ending desktop interactivity work, and much internal reworking to eliminate race conditions, and so on. But many users are (or will be) far happier with 2.6 than they were with 2.4, and the list of features that the Linux kernel must have to not be jealous of its Unix predecessors is shrinking. The Linux kernel is maturing, in other words. It may well be that, with 2.7, the pace of change begins to slow a little.

Or maybe the kernel hackers will come up with some amazing new ideas and run with them; at that point, all bets are off.

To conclude...

It's going to be an interesting year. That, perhaps, is the only truly safe prediction to be found among all the others on this page. All the rest are offered with no warranty as to their veracity, suitability for any particular purpose, or connection with any sort of reality whatsoever. LWN.net does not provide indemnification for users of its predictions - though purchasers of our "predictions license" (available for a limited-time special half-price deal through January, 2007) will get a promise from us to not sue them.

Comments (29 posted)

Some LWN notes

We recently received a message complaining about the lack of "LWN status update" news in recent times. It is true we have backed off on such articles; LWN should carry the news, not be the news. But, for those who are wondering, here's a brief update.

When we started the subscription program, we set our goal at 4000 individual subscribers as a minimum needed to keep going. We have not achieved that goal; there were just over 3000 subscribers when the "great expiration" hit at the end of September. At that point, about 1000 subscriptions ran out over the course of a few weeks. We have since clawed our way back up to just under 3000 subscribers again. It is gratifying, to say the least, that the renewal rate was so high.

3000 subscriptions is sufficient to keep us going for now, but we still need to find a way to increase that number substantially. We are pondering various ideas; stay tuned over the next few months as we figure out how to proceed.

Meanwhile, thanks to the generosity of the folks at HP, LWN editor Jonathan Corbet will be attending (and speaking at) Linux.Conf.Au from January 14 to 18. We look forward to reporting from what is, by all accounts, an outstanding conference. There is also a distinct appeal to going to a place where the temperature is above freezing.

Finally, LWN.net will celebrate its sixth anniversary in about two weeks. Six years ago, we could never have dreamed of the directions LWN would take us - it was, after all, simply intended to be an attention-getter for a Linux consulting and support company. It has been (and continues to be) a great ride, however, and we expect to keep doing this for a long time. Thanks to all of you for being such a great and supportive reader community.

Comments (6 posted)

Page editor: Jonathan Corbet

Security

The Savannah Compromise - what really happened?

January 1, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

2003 hasn't been a banner year for computer security, and that includes Linux. The CVS repository for the Linux kernel was attacked (if clumsily), several servers related to the Debian project were compromised, and the GNU Project's Savannah server was also broken into recently. Since there has been little information published about the nature of the Savannah compromise, we contacted Bradley Kuhn, executive director of the Free Software Foundation for more information.

Kuhn described the Savannah compromise as "almost identical to what happened to Debian." (A detailed account of the Debian compromise can be found here.) Kuhn said that he believes that the Savannah compromise and the Debian attacks were related, and happened at about the same time. However, he said that the project has not put a great deal of time and effort into analyzing the attacks because it was more important to put Savannah back online and to try to harden the system to see to it that a similar compromise doesn't happen again. The hard drives from Savannah have been saved for future reference, but the project is not putting its efforts into thoroughly analyzing the attacks.

For the most part, Savannah has been restored and changes have been made to try to ensure a similar attack will not be possible. However, some features remain unavailable, including Web CVS access, and new projects are not being approved for the time being. According to the Savannah website, new projects will probably be accepted sometime before the end of January, 2004.

Has there been an attempt to insert a trojan into any of the code residing on Savannah? Kuhn says that they've asked the owners of projects on Savannah to go through and verify the code that is on Savannah to be sure that it hasn't been trojaned. So far, there have been no reports of tainted code. However, not all of the projects have reported their status. Kuhn also noted that projects on the Savannah website will soon have an indicator to report whether or not the developers have verified that they have checked the integrity of their software.

We also asked if there was any sensitive information on Savannah that may have been compromised. Kuhn said that the useful information on Savannah mostly consists of the code for the various projects, and that the only other information of interest would be developers' passwords. The passwords on Savannah have been reset, of course, and the developers have been encouraged to "investigate their own personal security."

For now, the GNU Project is not actively pursuing criminal prosecution of the attacker or attackers. Kuhn says that the project is not "ethically opposed" to prosecuting the intruder, but that with limited resources he'd rather divert time and energy to restoring the services and trying to harden systems to make future attacks more difficult and easier to contain.

To that end, the compromise may actually be a good thing in the long run. Kuhn said that they have contacted the CVS maintainers and have offered to pay for development of features that would allow GPG signing of commits through CVS -- making it much more difficult for changes to be inserted unnoticed into code held in a CVS repository. He said that they have also contacted the GNU Arch maintainer about adding GPG signing. Though it may take some time to develop, the addition of GPG signing to commits would be a welcome feature.

Kuhn said that he expects that the future will bring more attacks on the community, as free and open source software become more prevalent. Opponents of the open development model will no doubt be using these events as an illustration of the "dangers" of open source. Though the recent intrusions have mostly been an inconvenience, it's important that the community learn from these attacks, and redouble efforts to prevent them in the future.

Comments (21 posted)

New vulnerabilities

cvs: possible root compromise

Package(s):cvs CVE #(s):CAN-2003-0977
Created:December 29, 2003 Updated:February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Alerts:
Whitebox WBSA-2004:004-01 2004-02-12
Fedora-Legacy FLSA:1207 2004-01-28
Conectiva CLA-2004:808 2004-01-20
Debian DSA-422-1 2004-01-13
Red Hat RHSA-2004:003-01 2004-01-09
Gentoo 200312-08 2003-12-28

Comments (none posted)

fsp: buffer overflow and directory traversal

Package(s):fsp CVE #(s):CAN-2003-1022 CAN-2004-0011
Created:January 7, 2004 Updated:January 7, 2004
Description: fsp suffers from both a buffer overflow vulnerability (which can be exploited to run arbitrary code) and a directory traversal problem.
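As an added example (this is not fsp's code, nor the fix shipped in DSA-416), here is the shape of the directory-traversal check a server needs when it maps client-supplied paths onto a directory tree: the request is normalised one segment at a time, any ".." that would climb above the served root is refused instead of being resolved, absolute paths are refused outright, and the result is written with an explicit bound so the same routine cannot become the overflow the advisory also mentions. The request paths in main() are constructed for illustration.

```c
/* Added example (not fsp's code): confine a client-supplied path to a
 * served directory by normalising it segment by segment and refusing any
 * ".." that would climb above the root.  Request paths are constructed. */
#include <stdio.h>
#include <string.h>

/* Normalise `req` (relative to the served root) into `out`.  Returns 0 on
 * success, -1 if the path tries to escape the root, is absolute, has too
 * many components, or does not fit in `outsz` bytes (including the NUL). */
int confine_path(const char *req, char *out, size_t outsz)
{
    size_t starts[64];          /* where each kept segment begins in out[] */
    size_t depth = 0, len = 0;
    const char *p = req;

    if (outsz == 0)
        return -1;
    if (*p == '/')
        return -1;              /* absolute paths are refused outright */

    while (*p) {
        const char *seg = p;
        size_t seglen;
        while (*p && *p != '/')
            p++;
        seglen = (size_t)(p - seg);
        while (*p == '/')
            p++;                /* collapse repeated slashes */

        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;           /* empty or "." segment: no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return -1;      /* would climb above the served root */
            len = starts[--depth];   /* drop the previous segment */
            continue;
        }
        if (depth >= sizeof starts / sizeof starts[0])
            return -1;
        /* Bounded append: separator + segment + NUL must fit. */
        if (len + (len ? 1 : 0) + seglen + 1 > outsz)
            return -1;
        starts[depth++] = len;
        if (len)
            out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char out[64];
    const char *reqs[] = { "pub//./docs/../readme.txt",
                           "pub/../../etc/passwd",
                           "/etc/passwd" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-28s -> %s\n", reqs[i],
               confine_path(reqs[i], out, sizeof out) == 0 ? out : "REJECTED");
    return 0;
}
```

The point of refusing rather than resolving ".." at the root is that a later `chroot()` or a prefix check on the result cannot be argued around by a path that leaves and re-enters the tree.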
Alerts:
Debian DSA-416-1 2004-01-06

Comments (none posted)

jabber: denial of service

Package(s):jabber CVE #(s):CAN-2004-0013
Created:January 7, 2004 Updated:January 26, 2004
Description: A vulnerability was discovered in jabber, an instant messaging server, whereby a bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service.
Alerts:
Mandrake MDKSA-2004:005 2004-01-23
Debian DSA-414-1 2004-01-06

Comments (1 posted)

kernel: two vulnerabilities in 2.4.23

Package(s):kernel CVE #(s):CAN-2003-0984 CAN-2003-0985
Created:January 5, 2004 Updated:January 19, 2004
Description: Paul Starzetz discovered a flaw in bounds checking in mremap() in Linux kernel versions 2.4.23 and earlier which may allow a local attacker to gain root privileges. No exploit is currently available; however, the issue is believed to be exploitable (although not trivially). The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0985 to this issue. There is also a minor information leak in the real time clock (rtc) routines, which has been assigned the name CAN-2003-0984. See this advisory for more information.
Alerts:
Debian DSA-427-1 2004-01-19
SuSE SuSE-SA:2004:003 2004-01-15
Debian DSA-417-2 2004-01-09
Slackware SSA:2004-008-01 2004-01-08
Gentoo 200401-01 2004-01-08
Mandrake MDKSA-2004:001 2004-01-07
Slackware SSA:2004-006-01 2004-01-06
Red Hat RHSA-2003:416-01 2004-01-07
Fedora FEDORA-2003-047 2004-01-07
Debian DSA-417-1 2004-01-07
Immunix IMNX-2004-73-001-01 2004-01-05
SuSE SuSE-SA:2004:001 2004-01-05
Fedora FEDORA-2003-046 2004-01-05
Debian DSA-413-1 2004-01-06
Trustix 2004-0001 2004-01-05
Conectiva CLA-2004:799 2004-01-05
EnGarde ESA-20040105-001 2004-01-05
Red Hat RHSA-2003:419-01 2004-01-05
Red Hat RHSA-2003:418-01 2004-01-05
Red Hat RHSA-2003:417-01 2004-01-05

Comments (1 posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
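As an added example (not mpg321's code), here is the bug class described above beside its fix. Anything read from the media file, such as an ID3 title, is attacker data; the moment it becomes the format argument of printf(3), every "%x" in it reads a word off the stack and every "%n" writes to memory. The fix is a literal format with the untrusted string as a "%s" argument. The helper that counts conversions is a review aid for spotting inputs worth fuzzing; the malicious title in main() is constructed.

```c
/* Added example, not mpg321's code: format-string bug and its fix.  The
 * title string stands in for data read from an untrusted mp3 file. */
#include <stdio.h>
#include <string.h>

/* Vulnerable shape, kept for comparison only (nothing here calls it):
 * the untrusted string is the format, so it controls printf's parsing. */
void show_title_unsafe(const char *title)
{
    printf(title);          /* BUG: "%x" leaks stack words, "%n" writes memory */
    printf("\n");
}

/* Safe shape: a literal format, the untrusted string as data only.
 * Formats into a caller-sized buffer and returns the length snprintf
 * would have produced, so truncation is visible to the caller. */
int show_title_safe(const char *title, char *out, size_t outsz)
{
    return snprintf(out, outsz, "Title: %s", title);
}

/* Count the printf conversions an attacker would get if `s` were used as
 * a format ("%%" is a literal percent sign, not a conversion). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed hostile title: harmless as data, dangerous as a format. */
    const char *title = "%x.%x.%x.%n";
    char out[64];

    printf("conversions an attacker would get: %d\n", count_conversions(title));
    show_title_safe(title, out, sizeof out);
    printf("%s\n", out);    /* the title is printed verbatim */
    return 0;
}
```

Compilers flag the unsafe shape with -Wformat-security; building with -Wformat -Wformat-security (and -Werror=format-security where the code base allows it) turns this whole class into a build failure rather than a remote code execution.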
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

nd: buffer overflows

Package(s):nd CVE #(s):CAN-2004-0014
Created:January 6, 2004 Updated:January 7, 2004
Description: Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd.
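As an added example (it is neither nd's nor fsp's code), here is the fixed-length-buffer bug class behind this advisory and the fsp overflow above, beside the bounded form. A hostile WebDAV server controls every byte of its response, so a header value must be copied with a bound the client chooses, and a value that does not fit must be refused rather than silently truncated or, worse, written past the buffer. The responses in main() are constructed; the header name matching is deliberately simplified.

```c
/* Added example (not nd's code): bounded extraction of a header value
 * from a server-controlled response.  Response text is constructed. */
#include <stdio.h>
#include <string.h>

#define MAXVAL 32

/* Vulnerable shape, for comparison only (never called here): the remote
 * server decides how many bytes land in the caller's fixed buffer. */
void get_header_unsafe(const char *resp, const char *name, char *out)
{
    const char *p = strstr(resp, name);
    if (p)
        strcpy(out, p + strlen(name));   /* BUG: unbounded copy */
}

/* Copy the value of header `name` (e.g. "Content-Type:") into out[outsz].
 * Returns the value length, -1 if the header is absent, -2 if the value
 * would not fit.  Matches the name only at the start of a line. */
int get_header(const char *resp, const char *name, char *out, size_t outsz)
{
    const char *p = resp, *end;
    size_t nlen = strlen(name), vlen;

    for (;;) {
        if (strncmp(p, name, nlen) == 0)
            break;
        p = strchr(p, '\n');
        if (!p)
            return -1;
        p++;
    }
    p += nlen;
    while (*p == ' ' || *p == '\t')
        p++;
    end = p;
    while (*end && *end != '\r' && *end != '\n')
        end++;
    vlen = (size_t)(end - p);
    if (vlen + 1 > outsz)
        return -2;          /* refuse: the peer does not size our buffers */
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

int main(void)
{
    /* Constructed responses: one benign, one whose value is longer than
     * MAXVAL, standing in for a hostile server. */
    const char *benign =
        "HTTP/1.1 207 Multi-Status\r\nContent-Type: text/xml\r\n\r\n";
    const char *hostile =
        "HTTP/1.1 207 Multi-Status\r\nContent-Type: "
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\n";
    char val[MAXVAL];
    int n;

    n = get_header(benign, "Content-Type:", val, sizeof val);
    printf("benign:  %d %s\n", n, n >= 0 ? val : "");
    n = get_header(hostile, "Content-Type:", val, sizeof val);
    printf("hostile: %d\n", n);
    return 0;
}
```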
Alerts:
Debian DSA-412-1 2004-01-05

Comments (none posted)

xsok: bad privilege handling

Package(s):xsok CVE #(s):CAN-2003-0949
Created:January 7, 2004 Updated:January 7, 2004
Description: Steve Kemp discovered a problem in xsok, a single player strategy game for X11, related to the Sokoban game, which leads a user to execute arbitrary commands under the GID of games.
Alerts:
Debian DSA-405-1 2003-12-30

Comments (none posted)

Updated vulnerabilities

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). CAN-2003-0542

A separate problem in Apache 2.0.47 and earlier: mod_cgid mishandles CGI redirect paths, which can result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789.

Alerts:
Whitebox WBSA-2004:015-01 2004-02-12
Fedora FEDORA-2003-004 2004-01-08
Red Hat RHSA-2003:405-00 2003-12-18
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:360-01 2003-12-10
Gentoo 200310-03 2003-10-28
Trustix 2003-0041 2003-11-15
Conectiva CLA-2003:775 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Mandrake MDKSA-2003:103 2003-11-03
Gentoo 200310-04 2003-10-31
Immunix IMNX-2003-7+-025-01 2003-10-28
OpenPKG OpenPKG-SA-2003.046 2003-10-28

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26

Comments (none posted)

bind: cache poisoning

Package(s):bind CVE #(s):CAN-2003-0914
Created:November 26, 2003 Updated:February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
SCO Group CSSA-2004-003.0 2004-02-19
Debian DSA-409-1 2004-01-05
SuSE SuSE-SA:2003:047 2003-11-28
Trustix 2003-0044 2003-11-27
Immunix IMNX-2003-7+-024-01 2003-10-27
EnGarde ESA-20031126-031 2003-11-26

Comments (none posted)

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
SCO Group CSSA-2004-012.0 2004-03-03
Conectiva CLA-2003:779 2003-11-07
Mandrake MDKSA-2003:104 2003-11-05
Red Hat RHSA-2003:275-01 2003-11-03

Comments (none posted)

ethereal: protocol dissector and other vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 CAN-2003-1012 CAN-2003-1013
Created:December 19, 2003 Updated:February 13, 2004
Description: Serious issues have been discovered in two ethereal protocol dissectors. Both vulnerabilities will make the Ethereal application crash. The Q.931 vulnerability also affects Tethereal. It is not known if either vulnerability can be used to make Ethereal or Tethereal run arbitrary code. (CAN-2003-1012 and CAN-2003-1013)
Alerts:
Whitebox WBSA-2004:002-01 2004-02-12
Fedora-Legacy FLSA:1193 2004-01-31
Red Hat RHSA-2004:002-01 2004-01-05
Mandrake MDKSA-2004:002 2004-01-13
Conectiva CLA-2004:801 2004-01-07
Red Hat RHSA-2004:001-01 2004-01-07
Debian DSA-407-1 2004-01-05
Fedora FEDORA-2003-040 2003-12-18

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 17, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

lftp buffer overflows

Package(s):lftp CVE #(s):CAN-2003-0963
Created:December 15, 2003 Updated:February 13, 2004
Description: According to this advisory versions of lftp prior to 2.6.10 are vulnerable to two exploitable buffer overflow problems. Both occur when you connect to a web server with lftp using HTTP or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared directories on the web server.
Alerts:
Whitebox WBSA-2003:404-01 2003-12-17
Conectiva CLA-2004:800 2004-01-06
Debian DSA-406-1 2004-01-05
Gentoo 200312-07 2003-12-16
OpenPKG OpenPKG-SA-2003.053 2003-12-17
Red Hat RHSA-2003:404-01 2003-12-16
Red Hat RHSA-2003:403-01 2003-12-16
Mandrake MDKSA-2003:116 2003-12-15
Fedora FEDORA-2003-034 2003-12-15
SuSE SuSE-SA:2003:051 2003-12-15
Immunix IMNX-2003-73-002-01 2003-12-09
Slackware SSA:2003-346-01 2003-12-12

Comments (none posted)

libnids: remotely exploitable buffer overflow

Package(s):libnids CVE #(s):CAN-2003-0850
Created:October 29, 2003 Updated:January 6, 2004
Description: libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem.
Alerts:
Debian DSA-410-1 2004-01-05
Gentoo 200311-07 2003-11-22
Conectiva CLA-2003:773 2003-10-29

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
SCO Group CSSA-2004-002.0 2004-02-19
Debian DSA-435-1 2004-02-06
Conectiva CLA-2003:781 2003-11-12

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Whitebox WBSA-2004:023-01 2004-02-12
Red Hat RHSA-2004:023-01 2004-01-15
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2003:335-01 2003-12-02

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Mandrake MDKSA-2003:095-1 2003-12-31
Conectiva CLA-2003:750 2003-09-29
Gentoo 200309-16 2003-09-28
Trustix 2003-0037 2003-09-27
Mandrake MDKSA-2003:095 2003-09-26
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Slackware SSA:2003-259-02 2003-09-23

Comments (2 posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
SCO Group CSSA-2004-010.0 2004-03-02
Immunix IMNX-2003-73-001-01 2003-12-05
Mandrake MDKSA-2003:111 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Gentoo 200312-03 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Debian DSA-404-1 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
Trustix 2003-0048 2003-12-04
Slackware SSA:2003-337-01 2003-12-03

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to the user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and older versions are vulnerable.

Alerts:
SCO Group CSSA-2004-011.0 2004-03-02
Fedora-Legacy FLSA:1187 2004-01-26
Conectiva CLA-2004:809 2004-01-20
Debian DSA-408-1 2004-01-05
Mandrake MDKSA-2003:113 2003-12-08
OpenPKG OpenPKG-SA-2003.050 2003-11-28

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

zebra: denial of service vulnerability

Package(s):zebra CVE #(s):CAN-2003-0795 CAN-2003-0858
Created:November 13, 2003 Updated:January 7, 2004
Description: Zebra is an open source implementation of TCP/IP routing software.

Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0795 to this issue.

Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue.

Alerts:
Debian DSA-415-1 2004-01-06
OpenPKG OpenPKG-SA-2003.049 2003-11-25
Conectiva CLA-2003:786 2003-11-20
Red Hat RHSA-2003:307-01 2003-11-13

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.0. Linus released the second 2.6.1 release candidate on January 6 without an announcement; the (relatively small) list of changes can be seen in the long-format changelog. Previously, 2.6.1-rc1 (announcement, changelog) had been released on December 31. It included quite a few fixes, along with a couple of internal API changes (see below), the restoration of the old /proc/pid/maps formatting, the ability to compile with -Os on embedded systems, message signaled interrupt support (covered here last August), and extensible firmware interface (EFI) support.

Linus's BitKeeper tree contains a very small number of fixes added since 2.6.1-rc2 came out.

The latest tree from Andrew Morton is 2.6.1-rc1-mm2. Recent additions of interest include the laptop mode patch (see below), a mechanism for rate-limiting printk() messages, a number of architecture updates, and a great many fixes.

The current 2.4 kernel is 2.4.24, released by Marcelo on January 5. Unusually, Marcelo deferred the patches in the 2.4.24 prepatches and released a kernel containing only the mremap() and RTC security fixes and a couple of other small repairs. The previous 2.4.24 prepatches have been reissued (with the addition of some ext2/ext3 filesystem updates, a number of architecture updates, and various other fixes) as 2.4.25-pre4.

Comments (3 posted)

Kernel development news

Subverting mremap()

The mremap() system call allows a user process to make changes to an existing memory mapping. This call, as exported by the C library, allows changing the size of a mapped region. The underlying call provided by the kernel, however, has an extra parameter which can be used to request that the entire region be moved to a different virtual address. That capability is rarely used, but it turns out to be the key to a new kernel exploit.

The code implementing mremap() makes several checks to ensure that the calling process is not trying to do anything overly strange. The kernel developers forgot to check, however, whether the user has asked to remap a zero-length memory region. In that case, the code does the wrong thing, and creates a new memory area with a length of zero at the requested address. Since numerous places in the virtual memory subsystem code assume that zero-length VM areas do not exist, the creation of such an area is, in effect, a corruption of the kernel's virtual memory data structures.

The existence of a zero-length virtual memory area is not necessarily a problem; since it does not actually cover any memory, it cannot be used directly to access a memory range which should be off-limits to the process. Where things go wrong is when the kernel makes a pass over a process's entire virtual address space. For example, the fork() system call must copy the process's memory space. The code used to do that copy implements (in a complicated way) a do loop that assumes each virtual memory area contains at least one page. As a result, it copies page table information which does not actually exist.

The situation is complicated by the fact that mremap() is happy to create this zero-length area just above the end of the virtual address range allocated to user space--at the beginning of kernel space, in other words. When fork() tries to copy the page table information for that area, it can get tangled up in the special large page table entries used for the kernel. The result is a mess.

What will usually happen (as people who have tried an exploit posted on Bugtraq have found out) is that the system panics and reboots. It is not clear to many people who have looked at the problem (including Linus) that this bug can be exploited for anything other than a denial of service attack. It is worth noting, however, that the advisory posted by Paul Starzetz claims:

Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access. Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems.... We have identified at least two different attack vectors for the 2.4 kernel series.

It would not be a good idea to wait and see whether these claims are borne out or not. Prudent administrators will upgrade to the 2.4.24 kernel, or apply the update provided by their distributor. (The 2.6.0 kernel is also vulnerable; the fix can be found in the 2.6.1-rc2 release).

Comments (1 posted)

Two API changes in 2.6

The kernel developers usually try to keep the internal kernel programming interface unchanged over the course of a stable kernel series. There are never any guarantees, however, and things can change at any time. Experience has shown, in particular, that internal APIs can take a little while to stabilize after a new stable series begins. The 2.6 kernel looks like it will follow this pattern; a couple of small changes have already found their way into the code base.

The first is a simple addition:

    int can_request_irq(unsigned int irq, unsigned long flags);

This function will return a non-zero value if an attempt to request the given interrupt number (possibly shared, as directed by flags) would succeed. It is intended to be used in situations where multiple interrupt numbers could be used and the code would like to find an idle one. There are, of course, no guarantees; a kernel routine could get a positive result from can_request_irq(), but find that somebody else had slipped in and allocated the request number immediately thereafter. As of this writing, can_request_irq() is not exported to modules and is not supported by all architectures.

The other change has the potential to create minor trouble for some external modules. Code which implements virtual memory areas (to allow device memory to be mapped into user space, for example) usually provides a nopage() function to handle page faults. The prototype for that function in 2.4.x and 2.6.0 is:

    struct page *(*nopage)(struct vm_area_struct *area,
                           unsigned long address,
                           int unused);

As of 2.6.1, the unused argument is no longer unused, and the prototype has changed to:

    struct page *(*nopage)(struct vm_area_struct *area,
                           unsigned long address,
                           int *type);

The type argument is now used to return the type of the page fault; VM_FAULT_MINOR would indicate a minor fault - one where the page was in memory, and all that was needed was a page table fixup. A return of VM_FAULT_MAJOR would, instead, indicate that the page had to be fetched from disk. Driver code using nopage() to implement a device mapping would probably return VM_FAULT_MINOR. In-tree code checks whether type is NULL before assigning the fault type; other users would be well advised to do the same.

Making module code compile cleanly will require changing the prototype of the nopage() function, of course.

As always, the Driver Porting Series has been updated to reflect these changes.

Comments (none posted)

Kernel threads made easy

It is fairly common for kernel code to create lightweight processes - kernel threads - which perform a certain task asynchronously. To see these threads, run ps ax on a 2.6 kernel and note all of the processes in [square brackets] at the beginning of the listing. The code which sets up these threads has tended to be reimplemented every time a new thread is needed, however, and certain tasks (ensuring that the environment is clean, for example) are not always handled well. The current kernel also does not easily allow the creator of a kernel thread to control the behavior of that thread.

Rusty Russell encountered even more trouble as he was doing his "hotplug CPU" work: when processors can come and go, their associated kernel threads must be started or stopped at arbitrary times. To make his life easier, he implemented a new set of kernel thread primitives which simplify the task greatly.

Using the new mechanism, the first step in creating a kernel thread is to define a "thread function" which will contain the code to be executed; it has a prototype like:

    int thread_function(void *data);

The function will be called repeatedly (if need be) by the kthread code; it can perform whatever task it is designated to do, sleeping when necessary. This function should, however, check its signal status and return if any signals are pending.

A kernel thread is created with:

    struct task_struct *kthread_create(int (*threadfn)(void *data),
                                       void *data,
                                       const char *namefmt, ...);

The data argument will simply be passed to the thread function. A standard printk()-style formatted string can be used to name the thread. The thread will not start running immediately; to get the thread to run, pass the task_struct pointer returned by kthread_create() to wake_up_process().

There is also a convenience function which creates and starts the thread:

    struct task_struct *kthread_run(int (*threadfn)(void *data),
                                    void *data,
                                    const char *namefmt, ...);

Once started, the thread will run until it explicitly calls do_exit(), or until somebody calls kthread_stop():

    int kthread_stop(struct task_struct *thread);

kthread_stop() works by sending a signal to the thread. As a result, the thread function will not be interrupted in the middle of some important task. But, if the thread function never returns and does not check for signals, it will never actually stop.

Kernel threads are often created to run on a particular processor. To achieve this effect, call kthread_bind() after the thread is created:

    void kthread_bind(struct task_struct *thread, int cpu);
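
The lifecycle above (start, sleep, check for a stop request, return, and have the exit code come back through the stop call) as a user-space pthread model; this is an added example, not Rusty's kthread code, and it does not build as a kernel module. model_kthread_run(), model_kthread_stop(), model_current and the stop_requested flag are stand-ins for kthread_run(), kthread_stop(), current and the signal the thread function is expected to check.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Stand-in for struct task_struct, holding just what this model needs. */
struct model_task {
    pthread_t tid;
    int (*threadfn)(void *data);
    void *data;
    bool stop_requested;   /* plays the role of the signal kthread_stop() sends */
    int exit_code;         /* threadfn's return value, handed back by stop()    */
    pthread_mutex_t lock;  /* guards stop_requested and the thread's work data  */
    pthread_cond_t wake;   /* wakes a sleeping threadfn on new work or on stop  */
};

static _Thread_local struct model_task *model_current;  /* model of "current" */

static void *model_trampoline(void *arg)
{
    struct model_task *t = arg;
    model_current = t;
    t->exit_code = t->threadfn(t->data);   /* returning is the model's do_exit() */
    return NULL;
}

/* Create and immediately start the thread, like kthread_run(). */
static struct model_task *model_kthread_run(int (*threadfn)(void *data),
                                            void *data)
{
    struct model_task *t = calloc(1, sizeof *t);
    if (!t)
        return NULL;
    t->threadfn = threadfn;
    t->data = data;
    pthread_mutex_init(&t->lock, NULL);
    pthread_cond_init(&t->wake, NULL);
    if (pthread_create(&t->tid, NULL, model_trampoline, t) != 0) {
        free(t);
        return NULL;
    }
    return t;
}

/* Like kthread_stop(): raise the stop request, wake the thread, wait for it and
 * return its exit code.  A threadfn that never checks stop_requested blocks here forever. */
static int model_kthread_stop(struct model_task *t)
{
    pthread_mutex_lock(&t->lock);
    t->stop_requested = true;
    pthread_cond_broadcast(&t->wake);
    pthread_mutex_unlock(&t->lock);
    pthread_join(t->tid, NULL);
    int code = t->exit_code;
    pthread_cond_destroy(&t->wake);
    pthread_mutex_destroy(&t->lock);
    free(t);
    return code;
}

/* Hand the thread one more job (a pending-work counter) and wake it. */
static void model_queue_work(struct model_task *t, int *pending)
{
    pthread_mutex_lock(&t->lock);
    (*pending)++;
    pthread_cond_signal(&t->wake);
    pthread_mutex_unlock(&t->lock);
}

/* Well-behaved threadfn: sleep until work or a stop arrives, drain the work,
 * and only then honour the stop by returning. */
static int worker_threadfn(void *data)
{
    int *pending = data;
    struct model_task *me = model_current;
    int processed = 0;
    pthread_mutex_lock(&me->lock);
    for (;;) {
        /* The check the text asks for: sleep only while no stop is pending. */
        while (*pending == 0 && !me->stop_requested)
            pthread_cond_wait(&me->wake, &me->lock);
        if (*pending == 0)
            break;                  /* stop pending and nothing left to do */
        (*pending)--;               /* process one job */
        processed++;
    }
    pthread_mutex_unlock(&me->lock);
    return processed;               /* becomes model_kthread_stop()'s result */
}

/* Start a worker, queue n jobs, stop it; returns how many jobs it processed. */
int run_worker_demo(int n)
{
    int pending = 0;
    struct model_task *t = model_kthread_run(worker_threadfn, &pending);
    if (!t)
        return -1;
    while (n-- > 0)
        model_queue_work(t, &pending);
    return model_kthread_stop(t);   /* every queued job is handled before exit */
}
```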

Rusty's patch includes a set of changes converting a number of kernel thread users over to the new infrastructure. There has been a fair amount of discussion of the kthread patches, which has resulted in some significant changes. Whether this code will get into the 2.6 kernel remains to be seen, however.

The future of device numbers

Greg Kroah-Hartman has, it seems, received a fair amount of email from devfs users, many of whom are not pleased with the fact that devfs has been marked "deprecated" in 2.6. Never mind that Greg didn't do that... But Greg is the primary author of udev, which is intended to replace devfs in the future. With the intent of cutting down on hate mail, Greg has posted a lengthy diatribe on why, he thinks, the udev approach is better. It's not at all clear that his posting will have succeeded in that goal, but it does make the current thinking (accepted by most kernel developers, it seems) clearer.

The posting also inspired a lengthy thread on the meaning of Linux device numbers and how they will be handled in the future. For starters, we now have Linus's explanation of why he chose to expand the device number type to 32 bits, rather than the expected 64:

Note that one reason I didn't much like the 64-bit versions is that not only are they bigger, they also encourage insanity. Ie you'd find SCSI people who want to try to encode device/controller/bus/target/lun info into the device number.

We should resist any effort that makes the numbers "mean" something. They are random cookies. Not "unique identifiers", and not "addresses".

Linus's talk of "random cookies" set off some alarms from developers who foresee a world where devices could have different numbers every time the system boots. Linus's response was unrepentant; he claims that (1) that world already exists, and (2) attempts to create relatively stable device numbers just encourage applications to depend on those numbers not changing, and thus create bugs.

Anybody who has plugged two similar USB devices into the same system has already experienced one kind of device number instability. The kernel will assign numbers based on the order in which it discovers the devices; that order depends on a number of things, including, simply, which device was plugged in first. There is no way in the general case to provide stable numbers for this sort of hot-pluggable device. Other devices, such as iSCSI disks, are even worse. Discovering all of the available devices can be a challenge by itself; there is no way that this discovery will happen in a predictable order.

So, for many kinds of devices, variable device numbers are simply a fact of life. So, says Linus, it is better not to even try to keep numbers stable.

Basically, if you cannot 100% guarantee reproducibility (and nobody can, not your hashes, not anything else), then the _appearance_ of reproducibility is literally a mistake. Because it ends up being a bug waiting to happen - and one that is very very hard to reproduce on a developer machine.

To bring that point home, Linus has raised an idea that Greg has presented a few times in the past: making all device numbers random. This change would quickly flush out any code which made assumptions about device numbers, whether it be in the kernel or in user space. Of course, random device number assignment is a feature for a development kernel; Linus acknowledges that, "for simple politeness reasons," device numbers should be kept as stable as possible in stable kernel releases.

In any case, the point of all this is not to confuse users about the organization of their system. But, in a world where device numbers can offer no real clues about the hardware on a computer, something else needs to create stable names by which devices can be identified. That, of course, is the purpose of tools like udev. As a way of showing how flexible udev can be, Greg posted a brief script which makes CD drives available under the name of the disc currently inside (as obtained from CDDB). This scheme is unlikely to become part of any major distribution in the near future, but it does show how elaborate device naming can be. For some sorts of devices, a conversation with a remote server may well be part of the naming process. As naming gets more complex, it becomes increasingly clear that it simply cannot be done in the kernel.

That, of course, is one of the main objections to devfs - the naming policy is implemented entirely in kernel space. The udev approach moves that policy back out to user space, where it can be easily changed and extended. The remaining devfs users will want to look at switching over, but there is no particular hurry; Andrew Morton has made it clear that devfs will continue to be supported through the lifetime of 2.6 and, possibly, beyond.

Laptop mode for 2.6

Some months ago, Jens Axboe posted a "laptop mode" patch for the 2.4 kernel. That patch had never been ported forward to 2.6, until now. Bart Samwel has picked up the laptop mode baton and posted several versions of a 2.6 patch; the latest, as of this writing, is version 6.

The purpose of the patch is to allow laptop users to get the greatest amount of time out of their batteries by minimizing the time the disk spends spinning. Any Linux conference attendee who has ever lost the race for the available power outlets can't help but appreciate this idea. To keep the disk idle, the patch (along with an associated script) changes system behavior in the following ways:

  • The amount of time the system is willing to wait before writing dirty pages to disk is expanded to ten minutes. As a result, laptop mode users risk losing up to ten minutes worth of work, but that is a risk many will be willing to take.

  • Any ext3 or ReiserFS filesystems will be remounted with a commit period of ten minutes.

  • Background writeback of dirty pages, normally done when the disk is not busy doing anything else, is disabled.

  • When something does force the disk to spin up, the system writes out all dirty pages regardless of how long they have been in memory. In this way, the kernel tries to accomplish all the work it can during the brief time that the disk is spinning.

There is also a separate mode which can be enabled which creates a log message every time a process forces some disk activity. This feature is useful for solving those "why is the disk spinning up" mysteries. An older version of the laptop mode patch is currently in the 2.6.1-rc1-mm2 tree, which suggests that it may yet find its way into a 2.6 kernel. Thousands of power-starved laptop users will be grateful.

Patches and updates

Kernel trees

  • Linus Torvalds: 2.6.1-rc1. (December 31, 2003)
  • Andrew Morton: 2.6.0-mm2. (December 29, 2003)

Page editor: Jonathan Corbet

Distributions

News and Editorials

A Quick Look at Mandrake 10.0 Pre-Beta

January 7, 2004

This article was contributed by Ladislav Bodnar

With the holidays behind us, all eyes are on the work leading towards the next round of distribution releases around April and May this year. And there is plenty to look forward to. In fact, the next round is going to be one of the most exciting ones ever, at least from the desktop Linux point of view, with the new Linux kernel 2.6, XFree86 4.4, KDE 3.2, GNOME 2.6 and many other updates either just released or expected in the near future. As the competition among the major distribution vendors heats up, there is little doubt that their development work will soon translate into some of the most interesting and usable products we've seen to date.

What can we expect? Those of you on distributions' development mailing lists have already had a chance to experience the taste of things to come. As an example, looking through the Fedora development branch, we can see that, at the time of writing, the RPM package of the 2.6.0 kernel has undergone 24 revisions. And although XFree86 is still at version 4.3.0, KDE has been upgraded to 3.2-beta and glibc to (as yet unreleased) 2.3.3. Some other distributions have similarly bleeding-edge development trees. A few of them have even released experimental ISO images: Conectiva has put together a single-CD Conectiva 10 Technology Preview, while Mandrake has released a 2-CD Cooker Snapshot 20031231. I have taken the latter for a test drive to see what has been done so far, although the features mentioned below are general enough to apply to other upcoming distribution releases.

Linux kernel 2.6. The changes in the kernel are probably the most far-reaching of them all, especially in terms of system responsiveness and interactivity. One of the interesting new features is the kernel's support for hyperthreading - an ability that allows a single physical processor to masquerade as two or more processors. Some other features that will result in noticeable speed improvements are preemption (the ability to interrupt a kernel process so that other processor-intensive tasks can continue to execute), "futexes" (a way for multiple processes and threads to serialize and prioritize events), improvements to input/output subsystems and a number of other changes. On the hardware side of things, the new kernel comes with support for USB 2.0, much improved support for wireless devices and a new structure for the dedicated storage buses; as an example, it is no longer necessary to enable SCSI emulation for IDE CD/RW drives. Improvements in the new kernel are too numerous to mention, but the above few examples should give plenty of reasons for the majority of users to want to move to kernel 2.6 as soon as possible.

XFree86 4.4. As always, the new version of the X Window system will have many new and updated video drivers, including new ones for the more recent NVIDIA and SiS video cards, as well as the usual bug fixes. Version 4.4 also supports the IPv6 protocol. On the Xterm side of things, much improvement has gone into international font handling and locale support. The complete changelog and feature list can be found in the latest XFree86 release notes.

KDE 3.2. There is a host of new features and applications in the upcoming KDE 3.2, scheduled for final release on February 7. Some of the more interesting ones include CD burning from within Konqueror, "service menus" (custom context menus in Konqueror), an updated khtml engine, a graphical dialog for connecting to Windows machines on a network and a new theme called "Plastic". Among the many new applications in KDE 3.2 one will find KPDF (a PDF viewer based on XPDF), Kontact (KDE's PIM and groupware suite), KSVG (a Scalable Vector Graphics plugin for Konqueror), KGamma (a KControl module for monitor gamma correction), JuK (a jukebox and music manager), Kopete (a multi-protocol instant messaging tool), KWiFiManager (an application for monitoring and configuring wireless LAN connections), Umbrello (a UML modeller), Kgpg (a frontend for gpg), KMouth (a tool to create sentences for a speech synthesizer) and many others. One of the more interesting summaries of the new features, as well as annoyances, in KDE 3.2 was recently published by OSNews.

How do all these new goodies feel when integrated together in Mandrake's latest Cooker snapshot? To put it simply, I have never used a faster and more responsive KDE desktop. Whether it comes to application load times or the time it takes for menus to appear on the screen, everything feels considerably faster than in any distribution using kernel 2.4 and KDE 3.1 on the same hardware. I haven't done any benchmarking to provide hard figures, but clicking on the taskbar's "K" to bring up the KDE menu takes a good 1-2 seconds on my Debian Sid installation, while on this Mandrake Cooker snapshot it appears almost instantly. Konqueror now starts in a flash. It is of course too easy to get used to these new levels of speed: after playing with the Cooker snapshot for a few hours, rebooting into Debian felt as if somebody had replaced my Pentium 4 processor with at least a Pentium II - that's how much slower the whole system felt.

But feelings aside, the fact is that the combined speed enhancements by KDE 3.2 and kernel 2.6 make for a fine and fast KDE desktop. As for other new features in this Mandrake Cooker release, there aren't many at this time, unless one counts application updates as new features. This is not surprising, given that the main purpose of this pre-beta snapshot was to make sure that the main components function together and to test the hardware compatibility of the new kernel. The first beta of Mandrake Linux 10.0 is scheduled for January 15, although the date has now been postponed twice.

Better hardware compatibility, improved scalability and security, substantial advances in system speed and responsiveness - there is a lot to look forward to in the coming months.

Distribution News

Debian GNU/Linux

Here's the Debian Weekly News for December 30, 2003. This edition looks at some Debian laptops from LinuxCertified.com; the Debian timeline looking back at 2003; a comprehensive report on all the many ways to install Debian; and much more.

The Debian Weekly News for January 6, 2004 is out. This week read about Coordination in Free Software Projects; History of the Social Contract; Planet Debian; Using Kernel Header Files; Debian-Installer Beta 2; and much more.

Fedora News Updates #1

Fedora News Updates is a new online journal looking at what is happening with the Fedora Core distribution. The first issue is now available; it looks at kernel tips, the first Fedora derivative distributions, and several other topics.

Gentoo Linux

The Gentoo Weekly Newsletter for the week of December 29, 2003 is out. This week marks the first anniversary of the GWN and this issue celebrates with some special content.

The Gentoo Weekly Newsletter for the week of January 5, 2004 is also out; with a look at the December 15th Gentoo Managers' Meeting and more.

Mandrake Linux

Mandrake has an updated drakxtools package that fixes drakbackup's daemon behavior.

Slackware Linux

Slackware has upgraded to the 2.4.24 kernel for both slackware-stable and slackware-current.

Xandros to Showcase New Series of Business Solutions

Xandros will have several staff members available at the Xandros booth, #470, during LinuxWorld Expo in New York. Stop by and see the new enterprise products, to be announced during the show.

New Distributions

Bluewall GNU/Linux

Bluewall is a GNU/Linux distribution that allows you to install a system from a small set of preconfigured binary packages based on Debian Linux. Bluewall doesn't have any specific installation procedure so that you can install Linux in the way you want, using command line tools. Version 0.1 was released December 26, 2003.

Bluewall followed that announcement with the release of v1.0 with major feature enhancements. "Changes: This release adds Linux kernel 2.6.0 with more networking and character device support compiled in and as modules. Modules for Linux kernel 2.4.23 are included. 98 new packages have been added for post-installation settings, including X server and window manager packages. The initial ramdisk is 5MB bigger for the live CD environment."

SLAX

KDE.News introduces a new Slackware-based LiveCD called SLAX. The latest release features KDE 3.2 Beta 2 and KOffice 1.3 Beta 2. According to the changelog, the current version of SLAX is 3.0.25-2, released January 5, 2004.

Minor distribution updates

Ankur Bangla Live CD 1.0 released (Footnotes)

Footnotes reports that the Ankur Bangla Project has released version 1.0 final of the Ankur Bangla Live CD, running GNOME 2.4.

Astaro Security Linux

Astaro Security Linux has released v4.018 with major security fixes. "Changes: This Up2Date fixes the CAN-2003-0985 kernel bug."

Aurox Linux

Aurox Linux has released v9.2 with major feature enhancements. "Changes: KDE was upgraded to 3.1.4, and GNOME was upgraded to 2.4.1. The installation process now presents a "Light Desktop" choice, comprising fluxbox, mozilla-firebird, rox-filer, and sylpheed. This is a set of applications and desktop software which runs with lower hardware requirements than GNOME or KDE. New versions of movie and music players were added: Xine libs 1.0.0 RC2 and MPlayer 1.0 pre2. The dvd+rw-tools package was added, which allows DVDs to be written with k3b 0.10.2. Other new applications were added, such as Sodipodi, Blender, Scribus, QtParted, and tools for mobile phones (gnokii and gscmxx)."

Buffalo Linux

Buffalo Linux has released v1.0.5 with major feature enhancements. "Changes: This version enhances the install with a hardware lockup patch. Overall, it is a faster, cleaner system. There is better integration with Codeweavers Crossover Office. There are cleanups, minor package updates, and numerous new help pages."

Buffalo has also released v1.1.0rc3 with major feature enhancements. "Changes: The default kernel was updated to 2.4.23. Three other kernel versions are also available. Many packages were upgraded, including gcc 3.3.2 and glibc 2.3.2. Tighter integration with CodeWeavers Office is also included."

cAos

cAos has released beta-1 with major feature enhancements. "Changes: This release adds a complete operating system rebuild, with Web interfaces for package maintainers into the cAos temple to manage their packages, and a preliminary QA engine."

CDLinux

CDLinux has released v0.5.1 (Alpha). "Changes: The development platform has been changed from Slackware 8.1 to Slackware 9.1. initrd has been changed from cramfs to squashfs. devfs has been adopted. NICs are auto-probed, including USB ones. There is a more flexible locale setting schema. Packages have been updated: Linux 2.6.0, module-init-tools 0.9.14, glibc 2.3.2, busybox 1.00-pre4, XFree86 4.3.99.901 (4.4.0 RC1), OpenSSH 3.7.1p2, rdesktop-1.3.0, file 4.07, and lftp 2.6.11."

Coyote Linux

Coyote Linux has released v2.05 with minor feature enhancements. "Changes: This version fixes the broken DHCP Web configuration script, adds new Web administrator control options, and has support for a DMZ interface."

Damn Small Linux

Damn Small Linux has released v0.5.2 with minor feature enhancements. "Changes: This release adds mkisofs, cdrecord, bashburn (an easy to use text mode CD burning utility), gTuxnes (an interactive GUI for tuxnes), smbclient, smbtree, a working /opt that is writable from the CD, and midnight commander (with many features stripped). skel now works for root when installed."

Devil-Linux

Devil-Linux has released version 1.0.4, which fixes the most recent kernel vulnerability.

Feather Linux

Feather Linux has released v0.3.0 with major feature enhancements. "Changes: Feather Linux is now 14 megabytes bigger. Mplayer, LinNeighborhood, aumix, ndiswrapper, and nmap were added. The HD install script was tweaked. Samba was updated. ALSA and aRts sound support were added. CUPS and Foomatic printing support were added."

Gibraltar Firewall

Gibraltar has released v1.1 with minor security fixes. "Changes: This release fixes the brk() local root vulnerability by updating to kernel 2.4.23, although local users are not used by default on Gibraltar. Additionally, the PAX patch has been applied to the kernel, making it a lot less vulnerable to buffer overflow exploits in general."

LEAF

LEAF has released Bering-uClibc 2.01 with minor security fixes. "Changes: Most notable in this release are a kernel do_brk security fix patch, a new dropbear version with SCP and port forwarding (partly), and an update to shorewall 1.4.8. There are also more cleanups and package updates for the base image."

MoviX

MoviX has released v0.8.1rc2 with minor bugfixes. "Changes: MoviX once again works with as little as 64MB of RAM. Remote Samba and NFS volumes now are correctly mounted, even when no dhcpd server is found. TV-out with Dxr3/H+, Matrox, and Savage cards has been fixed. Two new menus have been introduced for easy tuning to Shoutcast and Icecast radio stations. Support for wireless NICs has been introduced."

eMoviX v0.9.0pre1 is also out, with major feature enhancements. "Changes: The internals have been completely changed (it is now based on Debian), booting is now graphical, and automount has been introduced. Many patches were applied to MPlayer: you can access the MPlayer menu while playing music, use the MPlayer menu to play CDs/DVDs/VCDs/ACDs, switch audio/subs from within the interface, and you get the MPlayer menu after playback is over."

Openwall GNU/Linux

Openwall GNU/Linux has released Linux 2.4.23-ow2 with fixes for two Linux kernel vulnerabilities. Owl 1.1 is available for download along with the 2.4.23-ow2 kernel.

Recovery Is Possible!

RIP has released v6.8 with minor feature enhancements. "Changes: Some of the software has been updated. Support for a serial console and booting from a USB device have been added."

Version 6.9 has also been released, with minor feature enhancements. "Changes: The kernel was updated to 2.6.0, and some of the software has been updated."

Distribution reviews

Spawn of Debian faceoff: LindowsOS 4.5 (NewsForge)

NewsForge looks at some Debian based distributions, starting with this review of LindowsOS 4.5. "As far as security issues go, the negative "buzz" is wrong. A firewall is installed by default. Users are not encouraged to run as root, but you can see how many will simply because they are not urged strongly enough not to do so. The use of a password is encouraged. LindowsOS does an OK job of keeping a system secure, but not a great one."

Desktop Distro Shootout Part 5 (final) - Xandros 2.0 Deluxe (OSNews)

OSNews reviews Xandros 2.0 Deluxe. "Xandros takes the prize in [documentation] by the simple virtue of actually providing that old fashioned courtesy called a user manual. Astonishing really. Of course an ancient geezer like me can remember the good old days when user manuals were S.O.P. for software packages. No more. Now you generally have to embark on a research project, visit the public library, search the web, ask questions on the user forums, beg help from your local LUG, and go earn a degree in computer science before you are qualified to open a new file and actually do anything constructive. Anyone who is unable or unwilling to jump through these hoops is obviously a stupid newbie and inherently unfit to be trusted with a computer anyway."

Xandros 2.0 - King of the Linux Desktop (MadPenguin)

MadPenguin reviews Xandros 2.0. "Xandros has a wonderful feature built into the distro that I think helps take it another notch higher on my list: CD burning embedded into the Xandros file manager. It's very K3b-like, and has the same functionality, look, and feel for the most part. Furthermore it works just as well, if not easier, for the rookie Linux user."

Page editor: Rebecca Sobol

Development

GNOME Platform Bindings 2.5.1 released (GnomeDesktop)

Version 2.5.1 (the initial release) of the GNOME Platform Bindings has been announced.

This is the first release of the GNOME Platform Bindings release set, which provides a GNOME development platform for programming languages other than C, in the style of those languages. This release set gives some bindings a schedule and rules to work within, so we can endorse those bindings.

The Modules List indicates the current availability of bindings for C++, Java, and Perl; a beta version of the bindings is available for C#. Bindings for Python and other popular languages aren't on the list yet, although they do exist for GTK+. The bindings are to be released according to this release schedule. In order to be accepted, new bindings must adhere to these rules.

The source code for the C++, Java, and Perl GNOME Platform Bindings is available by ftp.

System Applications

Audio Projects

ac3jack launched

The initial release of ac3jack is out. "ac3jack is a tool for creating an AC3 (Dolby Digital) multichannel stream from its JACK input ports. Using this tool, an AC3 stream (up to 5.1 channels) is encoded in realtime and either written to a file or streamed to standard output."

Database Software

Firebird 1.5 Release Candidate 8 available

Version 1.5 RC 8 of the Firebird database is available. "The development of Firebird 1.5 release is in final development stage! The Release Candidate means that we're "almost there", and we turned our focus to remaining known issues and rough edges, final testing and bug squashing. We made a lot of progress with it thanks to your feedback."

phpMyAdmin 2.5.5-pl1 is released (SourceForge)

The patch level 1 release for phpMyAdmin 2.5.5, a web-based database administration tool, is available and features several bug fixes.

PostgreSQL Weekly News

The December 29, 2003 edition of the PostgreSQL Weekly News is out with the latest PostgreSQL database news.

PostgreSQL Weekly News

The January 5, 2004 edition of the PostgreSQL Weekly News has been published. Take a look for the latest PostgreSQL database information.

Embedded Systems

BusyBox 1.0.0-pre5 released

Version 1.0.0-pre5 of BusyBox, a compressed collection of Unix command line tools for embedded systems, is available. "The most obvious thing in this release is a fix for a terribly stupid bug in mount that prevented it from working properly unless you specified the filesystem type. This release also fixes a few compile problems, updates udhcp, fixes a silly bug in fdisk, fixes ifup/ifdown to behave like the Debian version, updates devfsd, updates the 2.6.x modutils support, adds a new 'rx' applet, removes the obsolete 'loadacm' applet, fixes a few tar bugs, fixes a sed bug, and a few other odd fixes."

LAMP Applications

Animal Shelter Manager 1.30 released (SourceForge)

Version 1.30 of Animal Shelter Manager, a LAMP application for running an animal shelter, has been announced. "This release massively improves performance and memory usage for Linux, Windows and MacOS X users. Animal Shelter Manager is a complete computer solution for animal sanctuaries and shelters. Features complete animal management, document generation, full reporting, charts, internet publishing, pet search engine integration, web interface and more."

Libraries

First development version of libburn (GnomeDesktop)

GnomeDesktop.org has the announcement for the first development version of libburn, a library for reading, writing, and mastering optical discs. "Remember this version is not intended for end users, but for frontend developers to start testing it. Many features are still missing, and it's far from reliable."

Mail Software

GPGrelay 0.94 released (SourceForge)

Version 0.94 of GPGrelay has been announced. "GPGrelay is a small email-relaying server that uses GnuPG (the GNU Privacy Guard) to sign/encrypt (SMTP-Relay) or verify/decrypt (POP3-Relay) emails. This enables many email-clients to send and receive emails that are PGP-MIME conform."

Mailman 2.1.4 released (SourceForge)

Version 2.1.4 of GNU Mailman, a mailing list manager, has been announced. "A cross-site scripting vulnerability has been closed, and four new languages have been added: Catalan, Croatian, Romanian, and Slovenian. Header filtering has been expanded for use with upstream virus and spam filters (see Privacy -> Spam Filters). Many other bug fixes have been included as well."

Networking Tools

Enabling IPv6 in Linux (O'ReillyNet)

Ibrahim Haddad explains IPv6 on O'Reilly. "The design philosophy of IPv6 is a scalable protocol that provides a large address space with a simple structure, an original end-to-end environment, a NAT-free network, fast processing, and many features needed by current and future applications. Migrating from IPv4 to IPv6, and IPv6 deployment should not be expensive. IPv6 should inter-operate with IPv4 and provide tools and mechanisms needed by hosts running different IP versions to communicate with each other, and to enable applications to work with both IP versions."

Printing

AFPL Ghostscript 8.13 release

Version 8.13 of AFPL Ghostscript has been released. "This is the third release in the stable 8.1x series and follows closely on last month's 8.12 release. It fixes some build issues and a crashing bug with the ps2epsi script but is otherwise identical to 8.12."

LPRng 3.8.24 available

Version 3.8.24 of the LPRng printing system is available. Change information is in the source code.

Security

adore-ng 0.31 announced

Version 0.31 of the adore-ng root kit is out. Security administrators should take a look. New features include evil-log-tagging, LKM infection, and reboot residency.

Web Site Development

gURLChecker-0.7.4 (unstable branch) released (GnomeDesktop)

Version 0.7.4 of gURLChecker, a graphical web links checker, has been announced. Here are the changes: "Project management basics were added. Currently, one can create, modify, and delete a project. It is also possible to rescan a given page. Project management is currently for Web sites only. A "Lastmodified" column was added in the main tree view. The appearance of the settings dialog was updated to be more like GNOME. A toolbar was also added in the main window. A problem with the base href tag was corrected. An HTTP header parsing problem was corrected. UTF-8 enhancements and bugfixes were made."

Zope 3 Newsletter

The Zope 3 newsletter for December 23, 2003 has been published. Take a look to see the latest Zope 3 news.

Miscellaneous

GNOME System Tools 0.31.0 has been released (GnomeDesktop)

Version 0.31.0 of the GNOME System Tools configuration utility collection has been announced. "as promised in the last release, most of the work has been dedicated to porting the tools to other distros. The most exciting changes are the Fedora Core 1 support for all tools, the Slackware 9.1 support for all tools except network, and the yaboot support in the boot tool".

Desktop Applications

Audio Applications

Session Exchange 0.0.1 for Ardour

Version 0.0.1 of Session Exchange, an add-on to the Ardour multi-track recording utility, is out. The description says: "It lets people easily manage their ardour sessions, specifically, with sharing snapshots across the internet for collaboration."

Gnomoradio 0.8 Released (GnomeDesktop)

Version 0.8 of Gnomoradio has been released. "Gnomoradio finds, fetches, shares, and plays music that is freely available under a Creative Commons license. This version has numerous bugfixes and enhancements".

CAD

PythonCAD release eleven

The eleventh development release of PythonCAD has been announced. "The eleventh release adds a few more fixes for running PythonCAD under Python 2.3 that were missed in the tenth release. This release improves the transfer of entities with associated dimensions from one layer to another. Prior to this release the dimension would be deleted, but now the dimension is preserved. This release also contains a number of file saving and loading cleanups applied to the code. A small number of bug fixes have been applied as well, and the addition of Ellipse and Spline entities has begun, though neither is complete yet."

Full Story (comments: none)

Desktop Environments

XFree86 core team disbands

XFree86 core team leader David Dawes has sent out a message stating that the core team has voted to disband itself. "I believe that this is an acknowledgement that the core team was no longer representative of the active, experienced and skilled XFree86 developers, or a place where technical discussion happens." What comes next is not clear at this point; XFree86 development will probably continue as always, however. (As seen on Slashdot).

Comments (3 posted)

xrestop - go after your application's bloat... (GnomeDesktop)

GnomeDesktop.org looks at the xrestop utility, which can show X window system resource usage. "Some commonly used applications are using (wasting) an amazing amount of resources, for no apparent benefit. That Xmms is using > 400 windows and wasting 10 megabytes is surprising, just to name one 'interesting' result."

Comments (none posted)

GNOME Development Release 2.5.2 (GnomeDesktop)

Version 2.5.2 of the GNOME Development Release has been announced. "This release is a snapshot of development code. Although it is buildable and usable, it is primarily intended for testing and hacking purposes."

Comments (none posted)

End of December GNOME Summary

The last GNOME Summary for 2003 is out; it looks at improvements in the wireless applet, some GNOME Foundation issues, and more.

Full Story (comments: none)

Gnome Summary

The December 28, 2003 - January 3, 2004 GNOME Summary has been published. This edition features an interview with kernel developer Rob Love, and more.

Comments (none posted)

KDE Traffic

Issue #72 of KDE Traffic has been published. The KDE.News summary says: "KDE Traffic #72 is out featuring an interview with Carlos Leonhard Woelz regarding his Quality Team proposal, integration of non-KDE applications in the KDE environment, last minute 3.2 tweaks and more."

Comments (none posted)

KDE Traffic #73

The December 31, 2003 edition of KDE Traffic has been published. The KDE.News summary says: "KDE Traffic #73 comes to you at the last day of the year, bringing you news ranging from the minimum necessary resolution to run KDE to displaying GNOME applications in the KMenu. Check it out!"

Comments (none posted)

KDE-CVS-Digest

The December 26, 2003 edition of the KDE-CVS-Digest is available. Here's the content summary: "Java binding now generated by build process. You can now mount KIO slaves with the fuse_kio module. Karbon now has snap to grid and curve smoothing. Initial import of the new Theme Manager. You can now create application configuration files with KConfEdit."

Comments (none posted)

KDE-CVS-Digest

The January 2, 2004 edition of the KDE-CVS-Digest is available for your reading enjoyment. Here's the summary: "In KMail, the beginnings of spam filtering. New version of the SSLIODevice and SSLServerSocket code. An alpha version of Debian KDE LiveCD was imported. Speedups in Khtml and KJS. And many bugfixes."

Comments (none posted)

Electronics

gEDA News

The latest releases from the gEDA project include new versions of the gwave waveform viewer, the Savant VHDL analyzer, the Gnucap circuit analyzer, and the Icarus verilog compiler.

Comments (none posted)

Financial Applications

GNUe Traffic

Issue #101 of GNUe Traffic is out with several new GNU Enterprise articles. Topics include AppServer and Moving to svn.

Comments (none posted)

SQL-Ledger 2.2.3 released

Version 2.2.3 of SQL-Ledger, a web-based accounting package, has been announced. This version features several new reports, more translations, and more.

Comments (none posted)

Interoperability

Wine Traffic

Issue #202 of Wine Traffic has been published. Take a look to see the latest Wine development news.

Comments (none posted)

Medical Applications

SQLClinic Releases Version 2.1 (LinuxMedNews)

LinuxMedNews reports on the latest release of SQL Clinic. "We are pleased to announce that SQL Clinic Version 2.1 - Stable is available for download. Unix and Win32 versions can be downloaded at www.sqlclinic.net/pub/."

Comments (none posted)

TEMPO EEG visualization software (LinuxMedNews)

LinuxMedNews has an announcement for TEMPO, an open-source package for 3D visualization of EEG activity. "TEMPO is able to read EEG recordings in standard EDF format and (if enough EEG channels available) to create animation of corresponding topographic maps over 3D human head model."

Comments (none posted)

Multimedia

GStreamer "Mobil Avenue" 0.7.3 released

Version 0.7.3 of GStreamer, a streaming multimedia framework, has been announced. "The GStreamer team is happy to announce our third release in the 0.7.x development series of the GStreamer streaming-media framework. The goal of this release series is to stabilize it towards a 0.8 release series which will be part of the GNOME 2.6 releases and hopefully eventually KDE 4.x."

Comments (none posted)

Music Applications

BEAST/BSE 0.5.6 is out (GnomeDesktop)

Version 0.5.6 of BEAST/BSE, the Bedevilled Audio SysTem / the Bedevilled Sound Engine, has been announced. "This new development series of BEAST comes with a lot of the internals redone, many new GUI features and a sound generation back-end separated from all GUI activities. The most outstanding new features are the demo song, the effect and instrument management abilities, the track editor which allows for easy selection of synthesizers or samples as track sources, loop support in songs and unlimited Undo/Redo capabilities."

Comments (none posted)

gmorgan 0.21 Released

Version 0.21 of gmorgan, a rhythm station, accompaniment tool, and pattern-based sequencer, has been released.

Full Story (comments: none)

MusE version 0.6.3 released

Version 0.6.3 of MusE, the Linux Music Editor, is available. "Release 0.6.3 is mainly a bugfix release, some bugs more serious than others have been fixed, all users are encouraged to upgrade, especially if you had problems with the prior release."

Full Story (comments: none)

OpenMusic 4.7.1 available

Version 4.7.1 of OpenMusic, a visual programming language based on CommonLisp/CLOS for music composition, is out.

Full Story (comments: none)

Office Applications

Gnumeric 1.2.4 released (GnomeDesktop)

Version 1.2.4 of the Gnumeric spreadsheet has been announced. "With a few more bugs fixed, and some final features enabled for the charting engine Gnumeric has now branched. Version 1.2.3 was not announced due to last minute fixes in xls export. The main extension in this release is the addition of value formats for the axis labels, user defined, auto generated from the source data, or from MS Excel."

Comments (none posted)

Digital Photography

flPhoto 1.2 released

Version 1.2 of flPhoto, an image management and display program, is out. The release notes mention several bug fixes related to the printing of images.

Comments (none posted)

Video Applications

dvbsnoop 1.2 released (SourceForge)

Version 1.2 of dvbsnoop, a dvb/mpeg analyzer, is available. "This version comes with some new helpful features like bandwidth-snoop for PIDs, pidscan on a transponder, and frequency signal status snooping. Also playback from saved streamfiles is possible."

Comments (none posted)

Web Browsers

Epiphany 1.1.2 available

Development version 1.1.2 of Epiphany, a minimalist web browser for GNOME, has been announced. Many changes and bug fixes are included.

Comments (none posted)

Mozilla Backup 1.2 Released (MozillaZine)

Version 1.2 of Mozilla Backup is available. "Mozilla Backup is a tool for backing up and restoring Mozilla profiles. Version 1.2 adds better backup files, multilanguage support, support for Netscape and some new features. In addition several crash bugs have been fixed."

Comments (1 posted)

Independent Status Reports (MozillaZine)

The January 4, 2004 Mozilla Independent Status Reports are available. The MozillaZine summary says: "The latest set of status reports include updates from Firebird Help, MacroTracker, SearchSidebar, xHermes, Forumzilla, wmlbrowser, MozManual and MozEdit."

Comments (none posted)

mozilla.org Status Update (MozillaZine)

The mozilla.org Status Update for January 5, 2003 is online. The MozillaZine summary says: "It includes news on Mozilla Firebird, ChatZilla, history searches, proxy configuration, internationalized domain names and more."

Comments (none posted)

Mozilla Links Newsletter

The December 23, 2003 Edition of the Mozilla Links Newsletter has been published. Take a look for lots of Mozilla browser information.

Full Story (comments: none)

Mozilla Links Newsletter

The Mozilla Links Newsletter for January 6, 2004 is out. "Do you like games? We do and for all of you who like them too, here is the first part of our take on Mozilla Games. Once again, the Mozilla platform excels in providing great all-purpose development tools. You are just clicks away to charge your Mozilla with some of the most beloved classic computer games. Enjoy!"

Full Story (comments: none)

Word Processors

AbiWord Weekly News

Issue #175 of the AbiWord Weekly News is available with another weekly roundup of AbiWord word processor news. Here's the summary: "AbiWord's first Developers' release in a few months. QNX gets an installer while an update about BeOS comes in. Plus, more information on Revisions and AbiCommand Document Server. Also, users who need your help."

Comments (none posted)

AbiWord Weekly News

The AbiWord Weekly News for December 29, 2003 is out with the following summary: "Follow up on last week, Star/Open Office import/export gets some improvements, Enchant gets an hspell upgrade, Windows gets some installer improvements and a reminder that we need more people helping out with translations. Oh, and some OZ rumour about 2.0.3 to come out possibly as soon as possible."

Comments (none posted)

AbiWord Weekly News

Issue #177 of the AbiWord Weekly News was published on January 4, 2004. "It's been a fairly generic week: a mention in the NYTimes, more NSIS2 development, a brand-spanking-new developer and some minor feature-enrichment for our features. It's the post-holiday hangover/soberfication."

Comments (none posted)

Miscellaneous

GnomeSword2 released - Bible study for GNOME2 (GnomeDesktop)

A new version of GnomeSword2, a bible study application, has been announced. "This is the first stable release of the GNOME2 version, supporting SWORD 1.5.6 and 1.5.7. It represents a major rewrite and features a full port to GTK2, with a new GUI which aims towards HIG compliance. It uses more GNOME functionality (including gnome-print and gnome-spell), and has support for new SWORD features such as preverse headings. A manual is now included, in both the English and French languages."

Comments (1 posted)

JabRef 1.1 released (SourceForge)

Version 1.1 of JabRef, a GUI for managing BibTeX databases, is out. "JabRef 1.1 improves customization possibilities a great deal compared to version 1.0. You now have full control over which fields are displayed in the editor for BibTeX entries, and you can easily define your own entry types. There are also numerous other new features, improvements and bug fixes."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The Caml Weekly News for December 23-30, 2003 is available with the latest Caml language news.

Full Story (comments: none)

Caml Weekly News

The December 30, 2003 - January 6, 2004 edition of the Caml Weekly News is available with another round of Caml language articles.

Full Story (comments: none)

HTML

HTML Parser Integration Release 1.4-20040104 (SourceForge)

A new release of HTML Parser is available. "This can be considered an alpha candidate of the final 1.4 release, and has much improved stability, speed, and HTML page transformation capabilities. HTML Parser is a library, written in Java, which allows you to parse HTML (HTML 4.0 supported)."

Comments (none posted)

Java

ONJava: 2003 in Review (O'ReillyNet)

Chris Adamson reviews the Java activity for year 2003 on O'Reilly.

Comments (none posted)

JSP

Developing Custom Tag Libraries as Tag Files (O'ReillyNet)

O'Reilly has published an excerpt from Hans Bergsten's JSP book. "This excerpt from Hans Bergsten's JavaServer Pages, 3rd Edition describes implementing custom tag library actions as plain text files and packaging them as tag libraries that can be used in JSP pages."

Comments (none posted)

Lisp

GNU CLISP 2.32 released

Version 2.32 of GNU CLISP, a Common Lisp implementation, is available. "This version includes the new modules `berkeley-db' and `pcre', supports files larger than 2 or 4 GB on platforms with LFS, provides a fully customizable prompt and more."

Full Story (comments: none)

SBCL 0.8.7 released

Version 0.8.7 of SBCL (Steel Bank Common Lisp) is available. "This version provides support in threaded builds for the fast userspace mutex facility in Linux kernel 2.6, performance optimizations, changes to the interface for thread arbitration, simple streams enhancements and the usual bug fixes."

Full Story (comments: none)

Pascal Costanza's Highly Opinionated Guide to Lisp 1.3

Pascal Costanza has released version 1.3 of his Highly Opinionated Guide to Lisp. "The document tells how the author got to use Lisp, and provides a short introduction to and some background information about the language. It also discusses some of the obstacles faced by novices."

Full Story (comments: 1)

Perl

This Week on perl5-porters (use Perl)

The December 22-28, 2003 edition of This Week on perl5-porters is out with another week's worth of Perl5 news.

Comments (none posted)

This Week on perl5-porters (use Perl)

The December 29, 2003 - January 4, 2004 edition of This Week on perl5-porters has been published. "At the turn of the year, and in accordance with the grand schedule of things, occurred a code freeze for perl 5.8.3. Read below for the rest of the discussion that took place on perl5-porters."

Comments (none posted)

PHP

PHP Weekly Summary for December 24, 2003

The PHP Weekly Summary for December 24, 2003 is out. Topics include: PHP 5.0.0-beta3, Sandbox capabilities, New OCI8 maintainer, Even more win32 build system tweaks, error_reporting and user defined error handlers.

Comments (none posted)

PHP Weekly Summary for January 5, 2004

The PHP Weekly Summary for January 5, 2004 is out. Topics include: Feature freeze reminder, 2003 - looking back, VS.NET, include() / require() error format, Zend Language Parser source.

Comments (none posted)

Python

Introducing Lython

The Lython project has been created by Miles Egan. "Lython is a new lisp front-end for the Python programming language. It resembles common lisp and compiles directly to Python bytecodes and transparently integrates with existing Python code and libraries."

Comments (none posted)

Python 2.3.3 released

Version 2.3.3 of Python has been announced. The release notes say: "This is a bug-fix release for Python 2.3 that fixes a number of bugs, including a couple of serious errors with weakrefs and the cyclic garbage collector. There are also a number of fixes to the standard library".

Full Story (comments: none)

This week's Python-URL

Dr. Dobb's Python-URL for December 26 is out with the latest happenings in the Python development community.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The Dr. Dobb's Python-URL for December 30, 2003 is out, with the weekly news and links for the Python community.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The January 5, 2004 edition of Dr. Dobb's Python-URL! is out with links to more Python language articles.

Full Story (comments: none)

Scheme

Scheme Weekly News

The January 5, 2004 edition of the Scheme Weekly News is available. Take a look to see the latest Scheme language developments.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The December 23, 2003 edition of Dr. Dobb's Tcl-URL is out with another round of Tcl/Tk article links.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The December 29, 2003 edition of Dr. Dobb's Tcl-URL has been published. Take a look for another collection of Tcl/Tk articles.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The January 5, 2004 edition of Dr. Dobb's Tcl-URL! is available with even more Tcl/Tk articles.

Full Story (comments: none)

XML

Content feeds with RSS 2.0 (IBM developerWorks)

James Lewin discusses RSS 2.0 on IBM's developerWorks. "A lot has happened in the RSS world since developerWorks last looked at RSS: Two new specifications have come out, RSS has become one of the most popular XML standards, and tools and feeds are popping up everywhere. RSS has contributed to the explosion of weblogs, and it is becoming a standard part of other Web sites, too. This article reviews RSS 2.0, looks at new RSS developments, and jump-starts your understanding of this important format."

Comments (none posted)

Getting Started with XForms (O'Reilly)

Bob DuCharme introduces XForms on O'Reilly. "The XForms standard, which became a W3C Recommendation last month, lets us define forms that are much more sophisticated than those of HTML. Perhaps more importantly, it makes it easier for applications that we write to grab and use the data entered into forms, because an XForms client can plug the data directly into any XML structure that you like."

Comments (none posted)

Merge XML documents with StAX (IBM developerWorks)

Berthold Daum explains the merging of XML files using StAX. "Deriving new XML documents from input documents is where the Streaming API for XML (StAX) shines. This tip explores how client applications can utilize the event-based API to efficiently merge two incoming XML documents into one."

Comments (none posted)

Miscellaneous

Six Signs That You Should Use Paper Prototyping (O'Reilly)

Carolyn Snyder writes about paper prototyping on O'Reilly. "This time of year, there's plenty of leftover wrapping paper sitting around. Why not put it to good use? If you create interfaces, you may have heard of paper prototyping. It's a technique that lets you mock up, test, and refine a design -- totally on paper -- before you write a line of code."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

The IT industry is shifting away from Microsoft (Inquirer)

The Inquirer has posted a lengthy article claiming that Linux is truly beginning to push Microsoft aside. "High profile defections like cities, governments, and, gasp, IBM, are just the tip of the iceberg, and almost everyone is looking at the pioneers to see if the trail they are blazing is worth following. If it turns out that these first few companies can make it, expect the floodgates to open, and everyone to follow."

Comments (26 posted)

The Free Software Community After 20 Years: With great but incomplete success, what now? (NewsForge)

NewsForge looks at the 20th anniversary of GNU in an article written by Richard Stallman. "It was twenty years ago today that I quit my job at MIT to begin developing a free software operating system, GNU. While we have never released a complete GNU system suitable for production use, a variant of the GNU system is now used by tens of millions of people who mostly are not aware it is such. Free software does not mean "gratis"; it means that users are free to run the program, study the source code, change it, and redistribute it either with or without changes, either gratis or for a fee."

Comments (11 posted)

Clark Campaign Going Open Source (Wired)

Wired reports that Wesley Clark's U.S. presidential campaign is trying to bring in free software developers to write (and release) code. "Among the projects slated for development are a Friendster-style social-networking application and a tool for campaign field workers to track mailings, donations and door-to-door visits. The Clark technology staff also expects to release the code for several of its internal applications, including a set of tools for managing campaign data and the software used to run Clark's community website. Developers initially will distribute software under the BSD license, which would allow other campaigns to use the code freely."

Comments (12 posted)

Trade Shows and Conferences

Australia government open source conference attracts politicos (AustralianIT)

AustralianIT reports on the first Linux and Open Source in Government conference to be held as part of this year's Linux.conf.au conference. "The government conference is being organised by AUUG in association with Linux Australia, which runs the main conference. AUUG treasurer Gordon Hubbard said the level of political interest in open source issues had risen considerably since AUUG's last conference in September." (Found on Open Sector)

Comments (none posted)

XML 2003 Conference Diary (O'Reilly)

Eric van der Vlist covers the XML 2003 conference on O'Reilly. "I am on my way back from XML 2003 and it's time for me to draw the conclusions from this event which, year after year, remains the major conference of the markup community. For this year's conference has been dominated by schema languages, but I am so biased that this probably doesn't prove anything. Schema languages have become my main focus and I see them everywhere!"

Comments (none posted)

The SCO Problem

IBM's Unpublished Cases (Groklaw)

Groklaw continues to follow the back-and-forth filings in the SCO v. IBM case. In this article, the focus is on IBM's attempts to get some of SCO's affirmative defenses thrown out. "If SCO wishes to admit that it has no specifics to prove fraud and inequitable conduct and wishes to drop those affirmative defenses to that extent, that is fine with IBM. That's what their motion is asking for in the first place. I am guessing they were laughing out loud when they typed that part up."

Comments (20 posted)

Companies

Red Hat bond sales reach $500 million (News-Observer)

Red Hat's home town newspaper has an article on the company's bond sale. "'We believe the time for us as a company to take control of the market is now,' said chief financial officer Kevin Thompson. 'What we've done is capitalize ourselves so that we can react very quickly to opportunities that come up in the marketplace.' Customers are demanding products that Red Hat can't offer, Thompson said. It likely will have to buy other companies to add new products and services."

Comments (28 posted)

Sun hands Cobalt an open-source lifeline (ZDNet)

ZDNet reports that Sun, as it shuts down the Cobalt server line, is doing the right thing with the code. "The release means that all the custom user interface and back-end code for the Qube 3 and RaQ 550 server appliances is now available under a BSD-style licence. Also, the custom BIOS for all x86-based RaQ/Qube products -- which, among other things, let an administrator tap in the device's network settings without having to plug in a keyboard and monitor -- have been released under the GNU Public License." (Thanks to Alastair Stevens)

Comments (5 posted)

Business

Investing in open source companies: Nobody's getting rich -- yet (IT Manager's Journal)

IT Manager's Journal reports on a panel discussion at the SD Forum Open Source Summit. "A panel of people who know about such things agree that if commercial open source software and services companies are to remain profitable, some current business models are going to have to be revisited and/or fine-tuned. Experts at the recent SD Forum Open Source Summit took on this very topic and came up with some cogent advice for would-be investors."

Comments (1 posted)

Linux Adoption

Courts office leaps onto Linux (FCW)

Here's a brief Federal Computer Week article on the adoption of Linux within the U.S. Federal court system. "According to officials, the Linux systems will back several critical applications supported at court locations throughout the United States, including court and probation/pretrial services case management, finance and accounting."

Comments (1 posted)

Israel Suspends Acquisitions Of Microsoft Software (TechWeb)

TechWeb reports on Israel's decision to not upgrade to the latest versions of Microsoft Office. "The Israeli government also will encourage the development of lower-priced alternatives to Microsoft software in an effort to help expand computer use by the public. To that end, the Finance Ministry has cooperated with Sun Microsystems and IBM in designing the Hebrew language version of OpenOffice software, a freely distributed open-source alternative to Microsoft Office."

Comments (none posted)

Asia Loves Linux -- And Microsoft Scrambles (Business Week)

Business Week looks at increasing Linux use in Asia. "Discontent with Windows -- and enthusiasm for Linux -- are increasingly common in Asia these days. Although Microsoft still rules the desktop and racks up healthy server operating-system sales, open-source software is winning fans across the region. Government officials see Linux as a means of cutting costs -- systems using it run as much as 70% cheaper than Windows -- and priming their local software industries."

Comments (2 posted)

London council ditches Linux plans (ZDNet)

ZDNet UK covers the London Newham Borough Council's decision not to use Linux. "The council had been involved in its own Linux trials last year with the Net Project group but council officers decided such a major migration would pose "unacceptable levels of risk" to council services."

Comments (11 posted)

Open Source Database Development Closes In On Microsoft (EDC)

Evans Data Corporation has announced the results of a survey on database usage. "The latest Database Development Survey from Evans Data Corporation has found that Microsoft SQL Server and Access continue to dominate database development but open source databases are gaining strength. Microsoft SQL Server and Access usage has grown by six percent while MySQL usage has increased by more than 30% in the last year."

Comments (none posted)

Legal

Prosecutors let DVD-Jon's victory stand (Aftenposten)

Aftenposten reports that Jon Lech Johansen has finally been acquitted of all charges. "It was widely expected that Norway's white-collar crime unit would appeal the case to the country's supreme court (Hoeyesterett), but prosecutors clearly changed their minds. There was no immediate reason given as to why they dropped the case." (Thanks to haraldt)

Comments (1 posted)

Interviews

Interview: KDE meets Lindows CEO Michael Robertson (KDE.News)

KDE.News interviews Lindows.com CEO Michael Robertson. "How are we going to help KDE? We will look at sponsoring projects on a case by case basis. We bring marketing to the KDE community, often overlooked by technical people. By building marketing channels, building resellers, this will make KDE stronger."

Comments (none posted)

Two new FOSDEM interviews

The continuing series of interviews with FOSDEM speakers adds two more interviews to the list. Today's interviews are with LWN executive editor Jonathan Corbet who will give a talk on the new features in the 2.6 kernel, and Denis Oliver Kropp, one of the main developers for the DirectFB project, who will speak about DirectFB.

Comments (none posted)

FOSDEM interviews: Henning Brauer and Keith Packard

FOSDEM has published two more interviews with upcoming speakers: Henning Brauer and Keith Packard.

Comments (4 posted)

Interview with Nat, Miguel and Chris Stone of Novell/Ximian (Always-on)

Always-on has an interview with Nat Friedman, Miguel de Icaza and Novell VP Chris Stone. "Friedman: Over time, I think more and more parts of Novell will understand how to interact with Linux and open source. It is already happening. There's incredible interest in establishing this as an overall technology direction and strategy for Novell--moving into the open-source world and becoming the number-one Linux player. We've definitely seen over the last two months both changes and a lot of enthusiasm." (Found on Footnotes)

Comments (none posted)

Interview with the MAASK Team (Linux Journal)

Linux Journal interviews the five college students who wrote the MigShm patch for openMosix. "Several barriers exist in the world of clustering, and they need clever solutions. One of them concerns expanding memory allocation throughout the nodes of a cluster, also called distributed shared memory (DSM). Using this method, any process that uses memory sharing for interprocess communications (IPC) no longer is limited and is free to roam (read: migrate). Such a solution, MigShm, now exists in openMosix."

Comments (none posted)

Resources

Putting Linux reliability to the test (IBM developerWorks)

IBM developerWorks covers a study of Linux reliability done by the IBM Linux Technology Center. "The Linux kernel and other core OS components -- including libraries, device drivers, file systems, networking, IPC, and memory management -- operated consistently and completed all the expected durations of runs with zero critical system failures."

Comments (none posted)

Visiting the New World of Linux Sound and Music Software (Linux Journal)

Dave Phillips offers a couple of suggestions in the Linux Journal for people wanting to get started with Linux audio. "Although certain folks might grumble about how much better things were in the Old Days, I must admit that I've become quite happy about easier installation routines, the apt system and colorful work environments. Performance is what really counts, and tuning a system for peak audio performance is a non-trivial task. Planet CCRMA and AGNULA do indeed remove most of the aches and pain suffered while trying to untangle the complexities of kernel latency, JACK, ALSA, the LADSPA plugins and so forth."

Comments (4 posted)

Secure programmer: Keep an eye on inputs (IBM developerWorks)

David A. Wheeler continues his series on secure programming with a look at inputs. "This article discusses various ways data gets into your program, emphasizing how to deal appropriately with them; you might not even know about them all! It first discusses how to design your program to limit the ways data can get into your program, and how your design influences what is an input. It then discusses various input channels and what to do about them, including environment variables, files, file descriptors, the command line, the graphical user interface (GUI), network data, and miscellaneous inputs."

Comments (none posted)

Reviews

Professional Video Editing on Linux with Cinelerra (O'ReillyNet)

Howard Wen reviews Cinelerra, a video editing application. "Cinelerra includes many of the features of the pricey professional editors and some extras: real-time visual effects, FireWire input/output, render-farm capability, and even support for HDTV formats and Ogg Vorbis. The downside is that its hardware demands are quite unforgiving; the recommended configuration has a dual 2GHz Athlon system, with 1GB RAM and a 200GB hard drive."

Comments (9 posted)

'Robot Tarzan' helps forest work (BBC News)

The BBC News looks at a Linux-powered 'Treebot'. "The Treebot, which in scientific terms is a node in a Networked Infomechanical System (Nims), helps [to study interaction between the environment and atmospheric conditions] by being stealthy enough to travel through the forest canopy along specially-constructed cabling, night and day." (Thanks to Paul Sladen)

Comments (none posted)

Open source under the microscope (News.com)

News.com covers an academic study of the open source model. "Scacchi and fellow researchers have found a significant failure rate among open-source projects. But among those that get off the ground, research has shown not only that the open-source approach can yield better software more quickly and for less money than traditional methods but also that volunteering for an open-source project can be an effective way to get a job."

Comments (4 posted)

Miscellaneous

2004 Predictions (San Jose Mercury News)

Dan Gillmor mentions Linux and open-source software in his predictions for 2004 article in the San Jose Mercury News. "Ardent proponents of Linux and other open-source software will (a) stave off insidious legal and political moves designed to kill the genre; (b) make dramatic inroads on desktop computers, not just servers and embedded devices; (c) inspire people in other kinds of endeavors to use community-building projects to advance larger goals; (d) proclaim that their way is the only way."

Comments (6 posted)

Predictions for 2004 (IT-Director)

IT-Director looks forward to 2004. The first prediction is that desktop Linux will succeed, but that's not all. "Finally, I believe that 2004 will be the year of the MySQL database. Unlike Linux and Apache, MySQL has not been a publicity magnet, but its use is growing and it stands on the verge of being taken seriously as a database to compete with Oracle, DB2 and SQLServer. It is already eating into their market share through the word-of-mouth marketing that turned Linux and Apache into formidable forces in their own right."

Comments (6 posted)

The Best of ONLamp 2003 (O'Reilly)

O'Reilly has published the Best of ONLamp 2003, which lists the most popular articles in the LAMP (Linux, Apache, MySQL, [Perl, Python, PHP]) category. "Without further ado, here are the 25 most popular articles we published in the past year, in approximate order of popularity. I'm ranking them based on our internal statistics of page views, not any inherent goodness, controversy, or number of people who agreed with the views in the articles."

Comments (none posted)

Protecting Against Open Source Legal Risks (TechWeb)

TechWeb is running a lengthy piece on how companies should manage the risks said to come with free software. The idea seems to be to make free software as obnoxious and difficult to deal with as the proprietary alternatives. "Even after you've instituted rigorous controls and policies to limit and manage the risks of open-source software, you're not out of the woods. You face a second thorny problem: how to identify and deal with open-source software embedded in commercial software."

Comments (18 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

FreeB Bounty Program Announced (LinuxMedNews)

A cash bounty has been announced for developers who contribute to the Free Medical Billing Project (FreeB). "In order to encourage developers to ta[c]kle this challenge I am allowing users to donate to a bounty fund for various practice management systems. The first developer to submit a working implementation of FreeB for a particular Practice Management System gets all the money."

Comments (none posted)

FSF India on electronic government

The Free Software Foundation of India has submitted a lengthy opinion to India's Department of Information Technology on a proposed electronic government initiative. In particular, the group argues against the use of PDF files. "Please note that our objections are not to use of the PDF format; we accept and recognise PDF as a free format -- 'free as in freedom'. Our objections are based on the control over the format; and the inappropriateness in a democratic and sovereign government legislating mandated use of a format controlled by a corporate body, thus giving virtual legislative powers to that corporation."

Comments (8 posted)

Irish Free Software Organization goes live

The Irish Free Software Organization (IFSO) has been launched on the 20th anniversary of the beginning of the GNU project.

Full Story (comments: none)

COE Linux Platform Review Comments Available

The Open Group has announced the availability of comments and proposed resolutions for its COE Linux Platform Review.

Full Story (comments: none)

Wikimedia.org receives some funding

The Wikimedia Foundation sent out an open letter requesting funds for much-needed hardware and bandwidth. Twenty-four hours later the Foundation had raised over $20,000.

Comments (none posted)

Commercial announcements

Novell's Updated Ximian Desktop 2 Supports Latest SUSE LINUX

Novell has announced that Ximian Desktop 2 now supports SUSE LINUX Desktop and SUSE LINUX 9.0. The update also includes the Ximian Edition of OpenOffice.org 1.1, the GAIM instant messenger client and updated Ximian Red Carpet 2.0 configuration management client software.

Full Story (comments: none)

Astaro to Bundle its Security Software with Toshiba Servers

Astaro has announced extended support for Toshiba's server platforms. Astaro Security Linux will be pre-loaded on, and sold with, the Toshiba Digital Solutions Division's compact Magnia SG25 server, the Magnia SG30 server and the Magnia Z310 microtower or rack server.

Full Story (comments: none)

New Books

Building Software with Apache Jakarta Commons

Charles River Media has announced the release of Applied Software Engineering Using Apache Jakarta Commons, a software engineering-based guide to the Apache Jakarta Commons components and other Apache projects. The book includes a companion CD-ROM with samples and source code.

Full Story (comments: none)

Exploiting Software: How to Break Code

Addison-Wesley has published the book Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw.

Full Story (comments: none)

Resources

AGNULA launches Libre Music project

The Libre Music project has been announced. "The AGNULA IST-Project is proud to announce its new 'Libre Music' project (aka the 'muzik' project), whose goal is to create a publicly accessible database of Libre Music, i.e. music licensed under either the Creative Commons licenses or the EFF Open Audio License. One of the objectives of the AGNULA-IST project is to help spread sensibility on the topics of Libre Software, with specific attention paid to audio/video applications and content distribution."

Full Story (comments: none)

LDP Weekly News for December 30, 2003

The December 30, 2003 edition of the LDP Weekly News is out with another collection of new and changed documentation.

Full Story (comments: none)

Decatur Jones' SCO Analysis (Groklaw)

Groklaw has come up with a copy of a research report on SCO prepared by Dion Cornett at Decatur Jones. It's available in PDF format. This report is very much worth a read; this analyst has at least one eye open. "Furthermore, other courts have ruled that software interfaces are not protected in that their 'fair use' allows for interoperability. Finally, the fact that these header files contain definitions but not functional code sheds more doubt on SCO claims, in our view."

Comments (9 posted)

Contests and Awards

Nominees selected for the 2004 Benjamin Franklin Award

Bioinformatics.Org has announced the nominees for their 2004 Benjamin Franklin Award. "The Benjamin Franklin Award is presented annually by Bioinformatics.Org to an individual who has, in his or her practice, promoted free and open access to the materials and methods used in the scientific field of bioinformatics."

Comments (none posted)

Event Reports

Linux Bangalore 2003 presentation slides available

The slides from talks given at Linux Bangalore 2003 are now available on the net; click below for the full details.

Full Story (comments: none)

Upcoming Events

UKUUG LISA Winter Conference and Tutorial

The UK Unix User Group has announced its LISA/Winter Conference and Tutorial. The event will be held in Bournemouth, UK on February 25 and 26, 2004.

Full Story (comments: none)

GSA and GWU Co-Sponsor Open Source in Government Conference

The Center of Open Source & Government and the General Services Administration are co-sponsoring a conference in Washington, DC, March 15 - 17, 2004 at George Washington University. The conference will focus on the question, "How does Open Source provide an Innovative Solution for E-Government?"

Full Story (comments: 3)

Call For Submissions: Digital Media Project (Linux Journal)

Linux Journal has a call for submissions for a workshop covering the Traditional Rights and Usages (TRU) of media users. The workshop is presently being planned by the Digital Media Project and is to be held in Los Angeles April 26 - 27, 2004.

Comments (none posted)

PaWS PHP and Web Standards UK 2004

The PaWS PHP and Web Standards UK 2004 conference will be held on February 20-24, 2004 in Manchester, UK.

Comments (none posted)

Vancouver PHP Conference

The Vancouver PHP Conference will be held in Vancouver, BC, Canada on January 22 and 23, 2004.

Comments (none posted)

FSF to host Free Software Licensing Seminars

The Free Software Foundation has announced two seminars in New York. "The Free Software Foundation (FSF) will host two seminars on Free Software Licensing and the GNU GPL and a series of conversations with Professor Eben Moglen on the SCO v. IBM lawsuit. These events will take place at Columbia Law School in New York City on January 20 and 21, 2004."

Full Story (comments: none)

Events: January 8 - March 4, 2004

Date                           Event                                                                             Location
January 12 - 13, 2004          Linux.Conf.au Miniconfs                                                           Adelaide, Australia
January 12 - 13, 2004          EducationaLinux 2004                                                              Adelaide, Australia
January 14 - 17, 2004          Linux.conf.au                                                                     Adelaide, Australia
January 20 - 23, 2004          LinuxWorld Conference & Expo 2004 (Jacob K. Javits Convention Center)             New York, New York
January 20 - 21, 2004          FSF Free Software Licensing Seminars (Columbia Law School)                        New York, NY
January 22 - 23, 2004          Vancouver PHP Conference (SFU Harbour Centre)                                     Vancouver, BC, Canada
January 31 - February 1, 2004  WineConf 2004 (Court International Building)                                      St. Paul, Minnesota
February 2 - 6, 2004           EclipseCon 2004 (Disneyland Hotel)                                                Anaheim, CA
February 2 - 4, 2004           Open Standards and Certification Conference (San Diego Marriott Mission Valley)   San Diego, CA
February 3 - 5, 2004           Linux Solutions 2004                                                              Paris, France
February 9 - 12, 2004          O'Reilly Emerging Technology Conference (ETech) (The Westin Horton Plaza)         San Diego, CA
February 20 - 22, 2004         CodeCon 2004 (Club NV)                                                            San Francisco, CA
February 20 - 24, 2004         PaWS PHP and Web Standards UK 2004                                                Manchester, UK
February 21 - 22, 2004         Mozilla Developers Meeting in Europe 4.0                                          Brussels, Belgium
February 21 - 22, 2004         FOSDEM 2004 (SOLBOSCH)                                                            Brussels, Belgium
February 23 - 27, 2004         PostgreSQL Bootcamp (Big Nerd Ranch, Inc.)                                        Atlanta, GA
February 25 - 26, 2004         UKUUG LISA/Winter Conference and Tutorial (Lansdowne Campus, Bournemouth Univ.)   Bournemouth, UK
March 1 - 5, 2004              PHP|Cruise                                                                        The Caribbean

Comments (none posted)

Web sites

InstallSlash.org Launched

For people using the slashcode content management software, the new installslash.org site is online. "This is a new community site whose goal is to make it as easy as possible to install slash, while at the same time providing support and valuable information on modifying slash to your liking, no matter what skill level you may reside at."

Full Story (comments: none)

New KDE Application Database Online

KDE-Apps.org, a new online database for KDE applications, has been announced. "KDE-apps.org is the new database for KDE applications. Since the site is still very fresh, Frank would like to hear your suggestions for improvements. The database is also still a bit empty, but YOU can change that by submitting the KDE applications that you have written to the site."

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

Patents outside of the US

From:  Paul Sheer <psheer-AT-icon.co.za>
To:  letters-AT-lwn.net
Subject:  Patents outside of the US
Date:  Sun, 28 Dec 2003 17:35:56 +0200


I am curious about the attention that the Free software
community gives to patents. It seems that the US has the
luxury of a patent office that can referee patents PRIOR
to them being filed. Here in South Africa (as I am sure is
similar in other countries) one is free to submit ANY
patent, even a completely bogus one. The onus is on oneself
to defend that patent IF a challenge arises from a third
party.

The Free software community is effectively claiming that
the patent office has the job description of ensuring that
patents are unchallengeable. But is this really their job?
Considering that some countries do NO refereeing of patents
prior to their filing, it would seem that the US patent
office is merely there to do some cosmetic work in the
face of an over-subscribed patent system.

My question is: since when is the patent office SUPPOSED
to be screening patents as thoroughly as you desire? If
they really did have the capability to do this, wouldn't
the cost of filing a patent become prohibitive? (I.e.
they would have to hire so many experts as to make patents
prohibitively expensive to offset this cost.)

Best wishes

-paul

Paul Sheer . . . . . . . . . . . . . . . . .  Tel  . . +27 (0)21 6869634
Email . . . http://2038bug.com/email.gif . .  Work . . +27 (0)21 6503467
http://www.icon.co.za/~psheer . . . . . . . . .  http://rute.2038bug.com
L I N U X . . . . . . . . . . . . . . . . The Choice of a GNU Generation

Comments (4 posted)

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds