LWN.net Weekly Edition for January 15, 2004 [LWN.net]

Open Source in Politics

January 12, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Two of the Democratic candidates for president have announced open source efforts to help their campaigns. Howard Dean's campaign has launched DeanSpace, a software package for running websites for Dean supporters. Wesley Clark's campaign recently announced the creation of Clark's TechCorps, which is supposed to provide "a framework for involving open source software developers in the Clark campaign."

Since both campaigns are boasting their use of open source, we decided we should get in touch with the Clark and Dean campaigns to see where they stand on open source and related issues. The high-profile usage of open source by the Dean and Clark campaigns may have given the open source community the impression that 2004 might be "the year" that open source and tech issues will become a high profile issue in election-year debates. It might also cause people to get the impression that both candidates are staunch supporters of open source usage.

Unfortunately, that doesn't seem to be the case. We managed to get in touch with representatives from both campaigns, to find out if their use of open source would translate into advocating open source in government, and saner polices regarding tech policy We also wanted to get a lead on their positions on other issues, such as software patents and the Digital Millennium Copyright Act (DMCA). Due to the rigors of the campaign trail, neither candidate was personally available for questions.

We first spoke with Josh Lerner, who is the director of technology for the Clark campaign. Lerner said that they have "no bias in favor of, for or against any particular model, we can't afford to be religious about it." Lerner said that the Clark campaign had decided to use open source out of "expedience."

We didn't have the time to do a lot of evaluation of software, you go with what works. The OS and tools and all that stuff just works for the most part... we are [also] using proprietary software where it makes sense.

According to Lerner, Clark is "putting together a bunch of heavy-weight technology people" to form a policy on technology use in government. At this time, however, Clark has not yet put forth an official policy on tech issues and it may be some time before any policies are forthcoming. We also asked Lerner if he thought that these issues would play a big part in the upcoming election. He said that he thought it might be an issue, and that "people in the campaign are talking about it. Not everything makes it out the door."

Unfortunately, we were unable to schedule a phone interview with anyone from the Dean campaign. However, we did manage to track down Zephyr Teachout, the director of Internet Organizing & Outreach for the Dean campaign via e-mail. We asked why the campaign had chosen open source software for DeanSpace, whether cost was a factor or if proprietary software wasn't up to the task.

Cost is only one of the factors in our use of open-source software. We also greatly value the reliability and security that is inherent in mature open-source software. Additionally, using open-source allows us to focus our resources more effectively. Recently, we launched an official Dean web site for every state. Rather than building all of the site functionality from scratch, we chose to build on top of DeanSpace (an open-source tool developed by our grassroots supporters for creating Dean-related community websites). DeanSpace itself was built on top of the open-source Drupal community system. This is just one example of how open-source software has allowed us to focus our energy on getting Howard Dean elected.

Not everyone is a fan of the use of open source by the campaigns. Dave Winer had some harsh words for both campaigns, which elicited a response from Jim Moore -- the Director of Internet and Information Services for the Dean campaign:

At Dean for America, it is our policy to purchase software rather than to make it, and to work with vendors large and small to help them be successful while also pursuing our own success as a grassroots-powered presidential campaign. We strongly support small businesses for a variety of reasons, including that they are the major contributors to employment growth in our nation.

...Like most enterprises we prefer to buy software and services, but sometimes must make our own. The make/buy decision can be tough. In many cases, vendors do not provide solutions that integrate the features that campaigns need, and companies may not see campaigns as a particularly attractive market. In such cases we sometimes need to make internal changes to existing software and services or develop our own. This is particularly the case in a campaign like ours that is innovating in grassroots philosophy and the use of information and communication technology.

We asked the Dean campaign about Moore's response, and asked if they had a position on the use of open source in government.

We do not have a position on open-source in government.

Within our campaign, we use a mix of open-source and commercial software. Often, we work with commercial vendors when deploying open-source tools. We recently put our main website into the open-source Bricolage content management system, but did so with the assistance of Kineticode a vendor that supports this open-source product. Our primary goal is to focus our human and financial resources on winning the Democratic nomination and the election next November. Sometimes this goal is best accomplished by buying a commercial product, often it means deploying open-source, and other times it means developing tools in-house.

We also asked if the Dean campaign had a position on the DMCA or digital rights, and got this response:

Issues of intellectual property are very important to a knowledge-based society. Ultimately we are going to need to find a solution that both encourages innovation and protects consumers from out-of-control corporate tactics.

Finally, since open source development is based on collaboration, we asked both campaigns if there was any cross-pollination between DeanSpace and TechCorps. At the moment, it would appear not. Neither campaign was aware of any collaboration between the two efforts. Lerner did say that his group is "hoping we can get some of these other independent efforts to join up, and we'll announce it as it happens." He also said that he wants to see TechCorps continue, even past Clark's campaign. "Our stuff is out there and it's going to stay out there... as a separate issue, we want the TechCorps site to live on and be self-sustaining."

Comments (34 posted)

G'Day from Linux.Conf.AU

Linux.Conf.AU (LCA) is the down-under implementation of the classic Linux developers' conference pattern. This conference takes an interesting approach in that it is organized by a different group of people, in a different city, every year. Linux Australia helps to ensure the continuity of the operation, and Rusty Russell, organizer of the first Linux.Conf.AU, maintains an influential presence. But the real work falls to a new set of volunteers each year. That organization ensures a steady supply of organizers with fresh energy, and gives each event a distinct feel.

The 2004 Linux.Conf.AU landed in Adelaide (2005 will be in Canberra; the rumor mill says that New Zealand is being considered for 2006). The conference facility, provided by the University of Adelaide, is beautiful, even if they won't let the attendees play with the gorgeous pipe organ in Elder Hall. Attendance, at just over 500 people, is the highest yet for this event. Just as significantly from the organizers' point of view, it seems, a dozen journalists have signed up to attend this year. Much of the media interest was due to the "open source in government" mini-conference held before LCA proper. But the simple fact is that Australia is a country with a large and increasing interest in Linux and free software.

As conference organizer Michael Davies stated in his opening remarks, the real purpose of LCA is to have fun. Sure, there is a whole series of technical talks, hacking sessions, etc. But the events that attendees are really looking forward to include the "dunk the speakers" tank (with non-speaker Linus as the guest of honor), the water gun wars, and the IBM-sponsored "penguin dinner." What other conference would hand out a ticket for four free ice creams? LCA does, indeed, look like fun.

LWN editor Jonathan Corbet is privileged to be here at LCA, thanks some generous support from HP. The conference is just getting started as the LWN Weekly Edition deadline hits, so there is not (yet) much opportunity for substantial reporting. That will come later, stay tuned.

Comments (2 posted)

Novell News

January 14, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Novell has been fairly busy on the Linux front the last few days. The company wrapped up its acquisition of SUSE Linux and announced an indemnification program for its enterprise Linux customers on Tuesday. The company has also released its correspondence with the SCO group from May 12, 2003 to January 7, 2004 concerning SCO's suit against IBM and other issues related to the suit.

For the most part, it would seem to be business as usual for SUSE. Novell spokesperson Bruce Lowry said that there are no changes afoot, at this time, for SUSE's product line as a result of the acquisition. Though some have expressed concern about SUSE's commitment to KDE now that Novell owns both SUSE and Ximian, Lowry said that there are no plans to cease the inclusion of KDE in SUSE's Linux distribution or SUSE's work on KDE.

We're about empowering choice, not eliminating it...it's something that we will be looking at, but our DNA would say that we want to continue to support choice. Both are great desktop solutions. We'll just have to evaluate how we want to proceed in the coming months.

Apparently, Novell has decided it needs to go ahead with an indemnification plan to assure its customers. The plan does not apply to all SUSE Linux customers. Instead, the plan covers customers who are using SUSE Enterprise Linux Server 8 and obtain "upgrade protection" from Novell and a technical support contract from Novell or SUSE channel partner. According to this article the indemnification is capped at 1.25 times the purchase price, or $1.5 million. It is interesting to note that Novell's indemnification plan announced this week covers claims of copyright infringement only, not patent suits. Since many have speculated that patent suits will be the next legal hurdle for Linux, Novell customers may not receive quite as much joy from the indemnification program as they might have hoped.

Naturally, SCO CEO Darl McBride couldn't resist commenting on Novell's indemnification plan:

We believe Novell's indemnification announcement is significant for a couple of reasons. By announcing the program they are acknowledging the problems with Linux. Through the restrictions and the limitations on the program, they are showing their unwillingness to bet very much on their position.

Lowry said that Novell's indemnification is not "to protect people from SCO, it's to give software buyers the same level of comfort" that they receive when purchasing proprietary software. Lowry said that Novell has no plans to contribute to the Open Source Development Labs' (OSDL) legal fund, though they are a member of OSDL, since they are offering their own indemnification plan.

Novell also released 31 pieces of correspondence between Novell and the SCO Group concerning Novell's contractual and ownership rights over UNIX. The filings are, to say the least, interesting reading. (LWN readers can find many of the letters in plain text format in this Groklaw posting.) Much of the correspondence is one-way, with no response from SCO on several issues raised by Novell.

After it was made public that Novell was planning to acquire SUSE, McBride said in a conference call that they would "take measures to enforce the noncompete agreement with Novell. I don't know that it will turn into a lawsuit. That depends upon how they respond, and if they put a competitive product in the marketplace."

One of the pieces of correspondence to SCO from Novell is a letter dated November 19, 2003, taking issue with McBride's claims that the acquisition would violate any non-compete provisions, and noting that SCO has not raised the issue directly with Novell. There is no response from SCO regarding that letter in the correspondence released by Novell. Despite a number of public threats of legal action made by SCO, and threats contained in SCO's correspondence with Novell, Lowry said that no legal filings had taken place in either direction at this time.

One concern that Linux users and companies might have is that, if Novell does have claim to the UNIX copyrights and other intellectual property, Novell could someday cause the same kinds of legal troubles that SCO has. Lowry said that he acknowledges that is a theoretical possibility, but notes that Novell has done nothing to indicate that it would want to harm Linux. "Novell has shown with its words and actions that it is 100 percent committed to promote Linux, not impede it."

At the moment, Novell's acquisition of SUSE appears to be a good thing for SUSE and the Linux community as a whole. Novell appears to have taken a mostly "hands-off" approach with Ximian, and may be prepared to do the same with SUSE. Novell's position in the industry is also likely to open doors for Linux that might not have been open otherwise.

Comments (3 posted)

The Secret Novell-SCO Correspondence

January 14, 2004

By Pamela Jones, Editor of Groklaw

[Editor's note: This article may seem similar to the previous article, however we believe it adds further clarification to the SCO/Novell dispute.]

There is a new front in the SCO wars, or more accurately a newly revealed front. The new player, stage front and center, is Novell. Some of SCO's otherwise puzzling decisions in the last nine months have become more comprehensible, now that Novell's behind-the-scenes role has come to light.

It turns out that Novell strongly challenged SCO each step of the way, based on contractual rights Novell says it retained in its 1995 deal with the Santa Cruz Organization (now Tarantella), which subsequently sold certain Unix assets to Caldera, which is now the SCO Group. SCO denies Novell retained those rights. Nevertheless, its decision not to go forward with mailing invoices in the fall and not to sue SGI, or file copyright infringement claims against IBM may be at least in part influenced by Novell's claims.

Some now expect legal action between the two companies, if only because Novell's asserted rights could pull the rug out from under SCO's law suit against IBM and prevent any copyright infringement action against Linux end users, if Novell's rights prove solid.

Everything came to light this week when Novell announced it had completed its SuSE acquisition and said that it will offer enterprise SuSE customers indemnification, covering legal fees and damage awards up to $1.5 million or 125% of a customer's contract with Novell. It also put up on its web site its increasingly cold correspondence with SCO, going back to May of 2003, when SCO sent it a Letter to Linux Customers. There is a connection between the correspondence and the indemnification. The foundation of Novell's confidence in offering indemnification is found in the legal analysis it sets forth in the correspondence.

Jack Messman, CEO of Novell, says the company is in a unique position and is able to indemnify customers because it retained the copyright to Unix in that 1995 deal and also has a contractual right to license Unix to its customers. In October, when SCO said it was about to send invoices to Linux users, Novell reminded them of the "Technology License Agreement", which it says gives Novell the license to not only use the "licensed technology" but also to "authorize its customers to use, reproduce and modify" it and to sublicense and distribute same "in source and binary form". Further, Novell points to a section II.B., where restrictions on Novell cease to exist in the event of a change of control of SCO, which Novell says the agreements define as such an event as Santa Cruz selling the assets it got from Novell to Caldera.

If you were wondering why SCO didn't sue SGI, an October 7 letter and another letter, dated October 10, shed some light. Novell first directed SCO "to waive any purported right SCO may claim to terminate SGI's SVRX license" and to "waive any purported right SCO may claim to require SGI to treat SGI Code itself as subject to the confidentiality obligations or use restrictions of SGI's SVRX license", saying that Section 2.01 of the license specifically states that 'ATT-IS claims no ownership interest in any portion of such a modification or derivative work that is not part of a SOFTWARE PRODUCT.'" SCO failed to waive as directed, so on October 10, Novell waived all SCO's purported rights to terminate SGI's license.

Novell flexed its muscles, based on its interpretation of the 1995 Asset Purchase Agreement, the Technology License Agreement, and Amendment 2, to the APA. On that basis, Novell in its June 9, 2003 letter says SCO has no right to unilaterally terminate IBM's SVRX Licenses and that it is inappropriate for SCO to make such threats. Amendment No. X granted IBM the "irrevocable, fully paid-up, perpetual rights". It eventually waived SCO's "termination" of IBM's license.

Additionally, as the annoyance level rose on both sides, each claiming the other was harming its business, hints of legal action began to appear. Aspects to their contract that Novell had apparently let slide for years, such as their right to audit SCO's collection of royalties for Novell, are now scrupulously being required by Novell. They began an audit of SCO in August, something that had not happened since 1998, for example. Novell also demanded SCO supply copies of the source and binary code for all versions of UNIX and UnixWare under SCO's control.

More significantly, Novell demanded copies of the Microsoft and Sun licenses with SCO and asked SCO to explain why SCO thinks the Asset Purchase Agreement allows them to do this. Novell demanded it cease "all such negotiations and other communications with licensees concerning any such transaction without Novell's prior written consent and continued participation". After they address any "violation of the Asset Purchase Agreement", there will be the matter of "royalties and other amounts owed to Novell based on the above-mentioned license agreements" to discuss. Insofar as the demand is to licensees of SVRX, SCO has, it believes, no right to proceed without Novell's approval, reminding SCO of Novell's 95% interest in revenues from preexisting SVRX licenses.

In turn, SCO has put up some documents on its web site. In the letter of June 11, SCO writes that it "acquired all of Novell's right, title and interest: (a) to the AT&T Software and Sublicensing Agreements, including the AT&T/IBM Software Agreement, and (b) to all claims against any parties. SCO therefore acquired all right, title and interest to enforce the Software and Sublicensing Agreements against IBM, without answering to Novell."

Not so, Novell replies. Novell retained certain rights "critical to protecting the interests that Novell retained as part of the Asset Purchase Agreement (including its interests in royalty payments and the contractual commitments Novell made in return for royalty payments)." SCO acquired certain assets from Novell but acquired those assets subject to certain rights of Novell. "You can't have one without the other," Novell asserts. "We don't agree with your interpretation of our contracts," SCO writes back. It appears to them, it says, that Novell "is acting in concert with IBM to destroy the value of SCO UNIX and UnixWare intellectual property acquired from Novell in the Asset Purchase Agreement."

SCO's copyrights in Unix are now in dispute. Novell lists all of its registered copyrights on its web site. What we now learn is that they have been in dispute consistently from day one. In a letter dated August 4, Novell writes to Darl McBride, SCO CEO, that according to their agreements, copyrights were not to be transferred to Santa Cruz Operation unless SCO could demonstrate that such a right was required. They never did that and they don't need copyrights, Novell says, "in order to exercise the limited rights granted SCO" and so unless or until SCO demonstrates such a need, all copyrights remain with Novell. Of course, SCO disagrees with Novell on this utterly.

Finally, Novell on SCO's behalf "waives any purported right SCO may claim to require IBM to treat IBM Code, that is code developed by IBM, or licensed by IBM from a third party, which IBM incorporated in AIX but which itself does not contain proprietary UNIX code supplied by AT&T under the license agreements between AT&T and IBM, itself as subject to the confidentiality obligations or use restrictions of the Agreements."

SCO's position regarding Novell's waivers on behalf of SGI and IBM? In an October 13 letter: "Novell is without authority to make such a waiver and thus it is of no force and effect."

So now you know the rest of the Novell-SCO story.

Comments (8 posted)

Page editor: Rebecca Sobol

Security

Brief items

Vulnerabilities and updates in 2003

Sometimes it is worthwhile to step back and look at a condensed picture of the Linux and free software security situation. To that end, we have thrashed up our security database and produced a big table listing the vulnerabilities exposed in 2003 and the alerts issued by several major distributors in response. We turned up over 300 vulnerabilities which resulted in over 1200 security alerts. In other words, 2003 was a busy year.

Glancing through the table, one sees that certain packages are responsible for relatively large numbers of vulnerabilities; these include apache (6 vulnerabilities), ethereal (6), glibc (5), KDE (6), the kernel (6), and sendmail (5). The kernel wins the prize for the most security alerts, having been responsible for 47 of them - almost 4% of the total. The full picture, however, shows a vast number of security problems afflicting a wide range of packages. The security of our free operating system has some ground to cover yet before it will be something we can be truly proud of.

Here's the first part of the table:

Vulnerability	Conectiva	Debian	Fedora	Gentoo	Mandrake	Red Hat	SuSE
apache
apache
apache
apache
apache
apache
apcupsd
at
atari800
atftp
autorespond

Those are all of the packages beginning with "A". The full table, in all its browser-straining glory, can be found on this page.

Comments (3 posted)

New vulnerabilities

inn: vulnerability in INN 2.4.0

Package(s):

inn

CVE #(s):

Created:

January 8, 2004

Updated:

January 15, 2004

Description:

A buffer overflow has been discovered in a portion of the control message handling code introduced in INN 2.4.0. It is fairly likely that this overflow could be remotely exploited to gain access to the user innd runs as. INN 2.3.x and earlier are not affected. The INN CURRENT tree is affected. See this advisory for more details.

Alerts:

Slackware	SSA:2004-014-02	2004-01-14
OpenPKG	OpenPKG-SA-2004.001	2004-01-08

LWN.net Weekly Edition for January 15, 2004

inn: vulnerability in INN 2.4.0

mod-auth-shadow: password expiration

phpgroupware: missing filename sanitizing, SQL injection

vbox3: privilege leak

jitterbug: improperly sanitized input

apache: buffer overflows in mod_alias, mod_rewrite

apache2: Denial of Service vulnerability

bind: cache poisoning

CUPS: denial of service

cvs: possible root compromise

ethereal: protocol dissector and other vulnerabilities

Filename disclosure vulnerability in fam

fetchmail may crash on specially crafted message

fileutils/wu-ftpd: denial of service

fsp: buffer overflow and directory traversal

glibc: DNS stub resolvers contain buffer overflow vulnerability

GnuPG: ElGamal signing keys compromised

gtkhtml: malformed messages cause crash

iproute: local denial of service

jabber: denial of service

kernel: two vulnerabilities in 2.4.23

kernel: local root exploit in 2.4.22

kernel-utils: setuid vulnerability

lftp buffer overflows

libpng, libpng3: buffer overflow

mikmod: buffer overflow

mpg123: heap overflow

mpg321: format string vulnerability

mplayer: remotely exploitable buffer overflow vulnerability

nd: buffer overflows

Nessus NASL scripting engine security issues

Net-SNMP: security bugs in versions before 5.0.9

nfs-utils xlog() off-by-one bug

openssh: timing attack leads to information disclosure

postfix: denial of service vulnerabilities

rsync - remotely exploitable heap overflow

Multiple-use vulnerability in Safe.pm

sane-backends: several vulnerabilities

screen: privilege escalation

File overwrite vulnerability in tar and unzip

Multiple vendor telnetd vulnerability

vim - modeline vulnerability

xsok: bad privilege handling

zebra: denial of service vulnerability