The GNU General Public License (GPL) is an unforgiving beast; if you
distribute something derived from GPL-licensed code, the whole derived
product must be distributable under the GPL's terms. This provision
effectively prevents the use of GPL-licensed code in proprietary,
closed-source products. That is an inconvenience for proprietary software
vendors, but it is clearly what the authors of the GPL intended.
In fact, the terms of the GPL work very well for some software vendors as
well. Consider this
press release from MySQL AB, Sleepycat Software, and Trolltech AS.
These companies claim that their 2003 software licensing revenues were up
65% over the previous year. Not bad for companies which make their
software available for free.
Each of these companies is a provider of "library" code - tools which can
be built into an application to give it new capabilities. MySQL and Trolltech
make their offerings available under the GPL; Sleepycat has its own license
which requires source availability (though in a weaker form than the GPL).
In each case, however, there is a twist: for a fee, the company will make
the same software available under a license which allows closed-source
distribution.
When this model works, it works well. The free software community gets
access to high-quality software, and the company gets the benefits of the
free development process. At the same time, the company is able to extract
money from others who are making money with the code. This model will only
work in some situations; the software in question must be attractive as a
component of a larger application, and external contributors must be
willing to transfer copyrights or otherwise allow their work to be
distributed in closed-source form. But, when those conditions apply, the
dual-licensing model appears to work well.
There is one interesting problem which occasionally comes up, however;
licensing this sort of library code under the GPL can block its use with
other software which is available under a free, but GPL-incompatible
license. This conflict has been highlighted by the fact that the
GPL-incompatible PHP license means that PHP and
MySQL 4 cannot be used together (or, more correctly, an application
combining the two cannot be redistributed). Since MySQL and PHP are a
popular combination, this restriction hurts a lot of people; it also led to
a number of distributors sticking with the older MySQL 3 release,
which did not have this problem. The
GPL-incompatibility of the new XFree86 license is another high-profile
example; in that case, the license conflict may be the final straw that
signals the end of XFree86 as a viable project.
MySQL AB has now acted to mitigate the problem of free but GPL-incompatible
licenses; the company has extended the MySQL client library license with
the "MySQL FOSS
License Exception." This exception provides a series of licenses which
can be applied to parts of derived works involving the MySQL client
libraries; it includes the PHP license and several others. With this
extension, the PHP license conflict is no more.
The stated intent of the GPL is to ensure that all derived products remain
free software. This extension of the license is clearly compatible with
that goal; it still does not allow the covered code to be distributed in a
non-free manner. If this sort of exception is adopted more widely, it may
point toward a need for a new form of the GPL. If the end result is more
free software, that would be a good thing.
Comments (16 posted)
Last week, we looked at SCO's stock price as
a sort of public referendum on the company's prospects. Shortly
thereafter, the SCO Group made it clear that company management, too, is
watching the stock price closely, and is not pleased with what it is
seeing. Thus, SCO has
announced a
stock buyback program in the hopes of raising the price somewhat - or, at
least, halting its decline.
What the company has announced is that the board of directors has given its
OK for management, "at its discretion," to buy up to 1.5 million
shares of SCO stock over the next two years. Board chairman Ralph Yarro is
quoted as saying:
At current prices, we believe our stock represents an attractive
investment opportunity and that this action reflects our ongoing
commitment to improving long term stockholder value. We believe we
will have sufficient capital resources to undertake this buyback
program and continue to pursue our strategic initiatives.
The interesting thing, of course, is that capital resources is one thing
the SCO group lacks. From the
latest quarterly report filed with the SEC, we read that "Our cash and
equivalents balance decreased from $64,428,000 as of October 31, 2003 to
$57,945,000 as of January 31, 2004." $58 million is not a
small cash pile, but one should bear in mind that this pile has to sustain
the company in litigation for over a year until the IBM case comes to
trial. Delays in that trial seem likely; if SCO should somehow win some
sort of judgment, an appeal also seems likely. SCO's ability to stay
afloat long enough to see its various lawsuits through is doubtful as it
is, without spending millions of dollars on stock buybacks.
Company management understands this; that is why the same quarterly report
includes this text:
If we repurchase a substantial number of shares during this
24-month period, and we do not generate off-setting revenue from
our UNIX and SCOsource businesses, our cash position could decrease
significantly and our ability to fund future operations could be
adversely impacted.
Spending SCO's scarce cash on SCO stock would thus seem an absurd thing to
do. So one might well wonder what is really going on. If one were given
to wild speculation, one might come up with either of the following
scenarios:
- The press release states that the shares will be repurchased "on
the open market, in block trades and in privately negotiated
transactions, depending on market conditions and other
factors." It is not that hard to imagine "privately negotiated
transactions" being used to funnel money out of the company and into
the pockets of selected shareholders (at "privately negotiated"
prices) before the whole thing falls apart.
- The company has no actual intention of buying back shares; it simply
issued a PR in the hopes of convincing investors that the price will
be going back up soon.
The first scenario looks like a "go directly to jail, do not pass 'Go'"
card for the people involved. One never knows, but looting the company in
that way looks extreme even for SCO. The second option (issue a PR, do
nothing), on the other hand, is something we've seen from this company
before. We will find out for sure in future SEC filings, but the odds are
that SCO will not be buying back those 1.5 million shares.
Meanwhile, the public confirmation from BayStar that Microsoft did, indeed,
direct them toward investing in SCO has had its own effect on how the whole
SCO case is seen by the wider public. SCO has, at this point, definitively
lost the public relations battle.
Finally, a related development is the announcement
of the launch of Open Source Risk Management and its "open source risk
protection services." OSRM will sell you an indemnification policy for
free software, and will even allow customers to modify that software. The
company's offering is based on "sophisticated code-scanning technology and a
set of best practice protocols," along with the results of Groklaw's
efforts to track down the origins of the code in the Linux kernel. We can
only welcome a company which is trying to make free software users sleep
better at night, but it should be noted that this sort of insurance policy
needs a risk to insure against. As SCO goes down in flames, potential
customers might well wonder if they really need this sort of protection.
Let's hope that some other hungry, litigious corporation does not answer
that question for them.
Comments (10 posted)
When MandrakeSoft filed for the "declaration de cessation des paiements"
(similar to Chapter 11 bankruptcy in the U.S.) on
January
13, 2003, there was some
concern about the future of MandrakeSoft and the Mandrake Linux
distribution. A little more than a year later, the company and the
distribution seem to be doing well.
MandrakeSoft recently filed its "redressement judiciaire" plan to emerge
from bankruptcy with the French courts, and its stock has already resumed
trading on the Marché Libre. This seemed like a good time to ask
MandrakeSoft co-founder
Gaël Duval for an update on the company's health and its plans for the
future.
The bankruptcy exit plan has not yet been approved, but Duval said that
the company expects the plan will be approved before the end of March. The
plan calls for MandrakeSoft to repay €4.1 million over 9 years from
revenues, rather than borrowing the money to repay the debt. If the plan is
approved before April 15, MandrakeSoft also stands to sell an additional
358,000 shares at €2.10 apiece, according to their shareholder
newsletter.
What led up to the bankruptcy? Duval said that the main problem was that
the company's expenses were too high, as opposed to unsuccessful
products. He did single out MandrakeSoft's e-learning venture as an
"unprofitable venture." What has the company done to improve its financial
picture?
Since 2002 we worked hard to reduce expenses. This included closing some
offices, being more careful about where money goes to, and unfortunately,
reducing the number of employees...We had to re-center Mandrakesoft's
strategy in line with its initial philosophy, which is building easy-to-use
and friendly Linux products and making a business from these products.
After the layoffs, MandrakeSoft is now down to about 60 employees. There
are still quite a few people backing the Mandrake Linux distribution,
however. Duval noted that there are about 800 registered contributors for
the Mandrake Linux Cooker, about 600 for the Cooker-i18n, and approximately
150 for Cooker-AMD64.
Duval said that the company has focused on products with better revenue
potential, with an increased focus on sales directly through MandrakeSoft's
online store rather than sales through distributors that take a larger cut
of the profits. The company has also looked to the MandrakeClub, which now
has nearly 20,000 subscribers. Duval also noted that MandrakeSoft, like
other Linux distributors, saw a marked decline in sales of boxed product as
high-speed Internet connections became more common.
MandrakeSoft has also been working on "OEM activities," with companies like
HP. HP has been offering Mandrake Linux on PCs for some time, and the
company recently rolled
out new PC models with Mandrake Linux. Duval didn't provide specifics
on the deal with HP, but said that it provides a "good income" for the
company.
For the first time since its 1998/1999 fiscal year, the company can claim a
"good income." MandrakeSoft's revenues have
increased by 8.4 percent since the first quarter of the last fiscal
year. The total revenues for the first quarter total €1,421,000, with
a net profit of €271,000. MandrakeSoft's results might have looked
even better if the dollar had held its value against the
Euro. MandrakeSoft reports its financial results in Euros, but most of its
income is in dollars. Currently, the dollar is worth about €0.82.
As the company heads toward its exit from bankruptcy, Duval says it plans to
"reinforce" its business offerings. Duval said that the company's
Multi-Network Firewall and Corporate Server products are doing well, and
that MandrakeSoft is planning to launch a new version of the Corporate
Server product soon. The company is also planning to introduce a Corporate
Desktop product in the near future.
There may be some growth in the near future as well. Duval noted that
MandrakeSoft is planning "a few mergers, small ones to begin."
Specific merger targets were not mentioned.
Though there is no shortage of Linux distributions on the market, it's good
to see MandrakeSoft making a healthy recovery. The company's return to
profitability, without abandoning its commitment to free software,
demonstrates that there is indeed money in free software for those who find
the right formula.
Comments (none posted)
Page editor: Jonathan Corbet
Security
Brief items
For your cracking pleasure: a new version of the Adore root kit has been
announced. This code is, of course, "for
educational purposes only." On the notion that it's best to look at code
like this when one has downloaded it explicitly, rather than when one has
found it on one's system, we grabbed a copy.
Adore is a kernel module which is intended to give a cracker the full run
of a compromised system without detection. To that end, it installs itself
into several key parts of the kernel and lurks until somebody comes along
who knows the right "key," where a key is a special process ID. If you do
not know this key, finding signs of an Adore installation will be
difficult, to say the least.
The module starts by hooking itself into various filesystems. It digs up
the inode for the root filesystem, and replaces that inode's
readdir() function pointer with one of its own. The Adore version
performs like the one it replaces, except that it hides any files owned by
a specific user and group ID. If you are a Black Hat trying to keep
installed files out of the eye of the system administrator, this is the way
to do it.
Similarly, Adore hooks itself into the lookup function for /proc.
An attempt to read /proc/KEY, where KEY is a predefined
key value, will give the current process the ability to access other Adore
functions. A process which has been "authenticated" in this way can then,
by accessing other special /proc filenames, give itself full root
privileges or tell Adore to hide other processes from view. The module
keeps a list of such processes; once a process appears in that list, it
will never appear in /proc, and thus it will not be displayed by
utilities like ps or top. The only way to find such
processes, it would seem, would be to dig through the entire kernel task
list and check to see if any of them are not represented in /proc.
People who crack into systems may well want to run network services on
those systems. To cater to their needs, Adore replaces the
show() function for /proc/net/tcp; the new version edits
out any connections involving ports that the person installing Adore would
rather others didn't know about. A hidden server process, running from a
hidden executable, and sitting behind a
hidden port could be very hard for a system administrator to find.
For good measure, Adore will also filter out entries made into files like
/var/log/utmp or syslog on behalf of hidden processes.
The one thing Adore does not do is hide itself; it will show up in the list
of loaded kernel modules. To address that, a separate module called
"cleanup" is provided. If cleanup is loaded immediately after Adore, it
will patch Adore out of the list of loaded modules, thus hiding it
altogether.
All of this functionality has been implemented in a kernel module which is
a mere 600 lines long. This module is scary; it is a living demonstration
of what an attacker can do once he gets root access on a system. A careful
attacker could, using this module, maintain undetected control of a
compromised system indefinitely.
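The closing observation above, that processes hidden this way can only be found by comparing the kernel's own task list with what /proc shows, can be turned into a user-space check. The C program below is an added example, not part of the Adore code or of this article: it uses kill(pid, 0) as a task-list probe (ESRCH versus 0 or EPERM), compares that with the /proc lookup view that a module like the one described would filter, and reports any pid that is alive in one view but absent from the other. The PID_PROBE_MAX constant and the SAMPLE_* pid lists are assumptions and constructed data for the self-test.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound of the pid range to probe. Assumption: the classic default
 * pid_max; a real deployment would read /proc/sys/kernel/pid_max instead. */
#define PID_PROBE_MAX 32768

/* Constructed sample data for the self-test: pids the kernel answers for,
 * and the subset that /proc shows. 1337 stands in for a hidden process. */
static const int SAMPLE_ALIVE[]   = { 1, 2, 742, 1337, 2048 };
static const int SAMPLE_VISIBLE[] = { 1, 2, 742, 2048 };
#define SAMPLE_ALIVE_N   5
#define SAMPLE_VISIBLE_N 4

/* kill(pid, 0) delivers no signal but still goes through the kernel's task
 * lookup: ESRCH means no such task, 0 or EPERM means one exists. This path
 * does not involve the /proc readdir/lookup functions a rootkit hooks. */
int pid_alive_by_kill(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* The /proc lookup view: does /proc/<pid> resolve? A process hidden from
 * /proc fails here. Thread ids resolve even though readdir omits them, so
 * threads do not show up as false positives. */
int pid_visible_in_proc(pid_t pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Core comparison, free of system calls so it can run on constructed input:
 * every alive pid must also be in the visible list. Returns the number of
 * hidden pids; the first `cap` of them are written to `out` (NULL to count). */
size_t find_hidden_pids(const int *alive, size_t n_alive,
                        const int *visible, size_t n_visible,
                        int *out, size_t cap)
{
    size_t hidden = 0;
    for (size_t i = 0; i < n_alive; i++) {
        int seen = 0;
        for (size_t j = 0; j < n_visible && !seen; j++)
            seen = (visible[j] == alive[i]);
        if (!seen) {
            if (out != NULL && hidden < cap)
                out[hidden] = alive[i];
            hidden++;
        }
    }
    return hidden;
}

/* Self-test helpers over the constructed sample. */
size_t sample_hidden_count(void)
{
    return find_hidden_pids(SAMPLE_ALIVE, SAMPLE_ALIVE_N,
                            SAMPLE_VISIBLE, SAMPLE_VISIBLE_N, NULL, 0);
}

int sample_first_hidden(void)
{
    int out[1];
    size_t n = find_hidden_pids(SAMPLE_ALIVE, SAMPLE_ALIVE_N,
                                SAMPLE_VISIBLE, SAMPLE_VISIBLE_N, out, 1);
    return n > 0 ? out[0] : -1;
}

/* Live scan of the local machine: build both views by probing every pid
 * (both probes back to back, to narrow the window for short-lived
 * processes), then report the difference. Exit status 1 if any are hidden. */
int main(void)
{
    static int alive[PID_PROBE_MAX];
    static int visible[PID_PROBE_MAX];
    int hidden[64];
    size_t n_alive = 0, n_visible = 0;

    for (int pid = 1; pid < PID_PROBE_MAX; pid++) {
        if (pid_alive_by_kill(pid))
            alive[n_alive++] = pid;
        if (pid_visible_in_proc(pid))
            visible[n_visible++] = pid;
    }
    size_t n_hidden = find_hidden_pids(alive, n_alive, visible, n_visible,
                                       hidden, sizeof hidden / sizeof hidden[0]);
    if (n_hidden == 0) {
        printf("%zu pids probed, none hidden from /proc\n", n_alive);
        return 0;
    }
    for (size_t i = 0; i < n_hidden && i < 64; i++)
        printf("pid %d answers kill(2) but has no /proc entry\n", hidden[i]);
    return 1;
}
```

A process that exits between the two probes shows up as a one-off false positive, so a reported pid should be confirmed by a second run; a module that patches the task list itself, rather than the /proc view, would defeat this check, since both probes then agree.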
Comments (35 posted)
New vulnerabilities
calife: buffer overflow
| Package(s): | calife |
|---|---|
| CVE #(s): | CAN-2004-0188 |
| Created: | March 17, 2004 |
| Updated: | March 17, 2004 |
| Description: | Calife, a program which provides super user privileges to specific users, was found to contain a buffer overflow related to the getpass(3) library function. A local attacker could potentially exploit this vulnerability, given knowledge of a local user's password and the presence of at least one entry in /etc/calife.auth, to execute arbitrary code with root privileges. |
Comments (none posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
samba privilege escalation
| Package(s): | samba |
|---|---|
| CVE #(s): | CAN-2004-0186 |
| Created: | March 15, 2004 |
| Updated: | April 20, 2004 |
| Description: | Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system. |
Comments (none posted)
uudeview temp file problem
| Package(s): | uudeview |
|---|---|
| CVE #(s): | |
| Created: | March 13, 2004 |
| Updated: | March 29, 2004 |
| Description: | uudeview 0.5.19 and later has a problem with insecure temporary file handling, which can lead to a failure to retrieve the filename during decoding. |
Comments (none posted)
xitalk missing privilege release
| Package(s): | xitalk |
|---|---|
| CVE #(s): | |
| Created: | March 13, 2004 |
| Updated: | March 17, 2004 |
| Description: | The xitalk utility fails to drop privileges; this problem can be exploited by a local user to run commands under the "utmp" group ID. |
Comments (none posted)
Updated vulnerabilities
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
|---|---|
| CVE #(s): | |
| Created: | September 29, 2003 |
| Updated: | March 25, 2004 |
| Description: | A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details. |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
|---|---|
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
Comments (none posted)
fetchmail may crash on specially crafted message
| Package(s): | fetchmail |
|---|---|
| CVE #(s): | CAN-2003-0792 |
| Created: | October 17, 2003 |
| Updated: | April 8, 2004 |
| Description: | A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash. |
Comments (none posted)
gdk-pixbuf: buffer overflow
| Package(s): | gdk-pixbuf |
|---|---|
| CVE #(s): | CAN-2004-0111 |
| Created: | March 10, 2004 |
| Updated: | March 16, 2004 |
| Description: | Versions of gdk-pixbuf prior to 0.20 contain a vulnerability which can be exploited, via a malicious BMP file, to crash Evolution. |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
|---|---|
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
|---|---|
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
|---|---|
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
Comments (none posted)
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim |
|---|---|
| CVE #(s): | CAN-2003-0988 |
| Created: | January 15, 2004 |
| Updated: | May 26, 2004 |
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. |
Comments (none posted)
kernel: local root exploit in 2.4.22
| Package(s): | kernel |
|---|---|
| CVE #(s): | CAN-2003-0961 |
| Created: | December 1, 2003 |
| Updated: | April 5, 2004 |
| Description: | A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable. The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article. |
Comments (1 posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
|---|---|
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages, which contain a version of uml_net that is not setuid root. Alternatively, as a work-around for this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
|---|---|
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
|---|---|
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
Comments (none posted)
mailman denial of service
| Package(s): | mailman |
|---|---|
| CVE #(s): | CAN-2003-0991 |
| Created: | February 9, 2004 |
| Updated: | May 25, 2004 |
| Description: | Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue. |
Comments (1 posted)
mc: arbitrary code execution
| Package(s): | mc |
|---|---|
| CVE #(s): | CAN-2003-1023 |
| Created: | January 16, 2004 |
| Updated: | April 5, 2004 |
| Description: | A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander. |
Comments (none posted)
metamail: integer and buffer overflows
| Package(s): | metamail |
|---|---|
| CVE #(s): | CAN-2004-0104, CAN-2004-0105 |
| Created: | February 18, 2004 |
| Updated: | May 21, 2004 |
| Description: | Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
|---|---|
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
|---|---|
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix the vulnerability, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
|---|---|
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
|---|---|
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
|---|---|
| CVE #(s): | CAN-2003-0835 |
| Created: | September 29, 2003 |
| Updated: | April 6, 2004 |
| Description: | A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details. |
Comments (none posted)
mutt: buffer overflow
| Package(s): | mutt |
|---|---|
| CVE #(s): | CAN-2004-0078 |
| Created: | February 12, 2004 |
| Updated: | March 26, 2004 |
| Description: | mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details. |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
|---|---|
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
|---|---|
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
|---|---|
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
Comments (1 posted)
perl information leak
| Package(s): | perl |
|---|---|
| CVE #(s): | CAN-2003-0618 |
| Created: | February 2, 2004 |
| Updated: | April 21, 2004 |
| Description: | Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users. |
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
|---|---|
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
Comments (none posted)
PWLib: possible Denial of Service
| Package(s): | PWLib |
|---|---|
| CVE #(s): | CAN-2004-0097 |
| Created: | February 13, 2004 |
| Updated: | April 9, 2004 |
| Description: | PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting. A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue. |
Comments (none posted)
python: buffer overflow
| Package(s): | python |
|---|---|
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
|---|---|
| CVE #(s): | CAN-2004-0107, CAN-2004-0108 |
| Created: | March 10, 2004 |
| Updated: | October 4, 2004 |
| Description: | The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
|---|---|
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 10, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
Comments (1 posted)
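What "properly filter" has to mean is shown by the following added example, which is not GNU tar's or unzip's code. An extractor must reject absolute member names and any ".." path component, not merely a leading "../": a name like "lib/../../etc/passwd" escapes the extraction directory just as well. The function names and the sample archive listing are constructed for this example.

```c
/* Added example, not tar's or unzip's code: the member-name check an archive
 * extractor needs so a hostile archive cannot write outside the extraction
 * directory. Names and sample listing are made up. */
#include <stddef.h>
#include <string.h>

/* Returns 1 if NAME may be created relative to the extraction directory,
 * 0 if it is empty, absolute, or contains a ".." path component. */
int is_safe_member_name(const char *name)
{
    const char *p = name;

    if (*p == '\0' || *p == '/')          /* empty, or absolute path */
        return 0;

    while (*p) {
        const char *start = p;
        while (*p && *p != '/')           /* scan one component */
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 0;                     /* ".." as a whole component */
        while (*p == '/')
            p++;                          /* collapse repeated separators */
    }
    return 1;
}

/* Apply the check to a whole listing (NULL-terminated array of names);
 * returns how many members would be refused. */
size_t count_unsafe_members(const char *const *names)
{
    size_t unsafe = 0;
    for (; *names; names++)
        if (!is_safe_member_name(*names))
            unsafe++;
    return unsafe;
}

/* Constructed sample listing: a benign archive with three hostile members. */
const char *const sample_archive[] = {
    "README",
    "./src/main.c",
    "docs/...",              /* three dots is an ordinary file name */
    "../.bashrc",            /* climbs out of the extraction directory */
    "lib/../../etc/passwd",  /* climbs out from an inner directory */
    "/etc/cron.d/evil",      /* absolute path */
    "data/..hidden",         /* "..hidden" is an ordinary file name */
    NULL
};
```

Refusing such names outright, rather than rewriting them, keeps the behaviour easy to audit. The check does not address archives that extract a symlink first and then write through it; that is a separate problem from the one described in the entry.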
tcpdump: flaws in the ISAKMP decoding routines
Package(s): tcpdump
CVE #(s): CAN-2003-0989, CAN-2004-0057, CAN-2004-0055
Created: January 15, 2004
Updated: April 6, 2004
Description:
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet, Telnet, netkit-telnet-ssl, kerberos, telnetd, netkit-telnet, nkitb/nkitserv/telnetd, krb5
CVE #(s): (none listed)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived systems,
was first covered in the July 26th Security Summary. It is now known that
Linux telnet daemons are vulnerable as well.
Comments (none posted)
util-linux: information leak in the login program
Package(s): util-linux
CVE #(s): CAN-2004-0080
Created: February 3, 2004
Updated: April 8, 2004
Description:
The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function.
In some situations, the login program could use a pointer that had been
freed and reallocated. This could cause unintentional data leakage.
Comments (1 posted)
wu-ftpd: two vulnerabilities
Package(s): wu-ftpd
CVE #(s): CAN-2004-0148, CAN-2004-0185
Created: March 9, 2004
Updated: March 10, 2004
Description:
CAN-2004-0148 - Glenn Stewart discovered that users could bypass the
directory access restrictions imposed by the restricted-gid option by
changing the permissions on their home directory. On a subsequent login,
when access to the user's home directory was denied, wu-ftpd would fall
back to the root directory.
CAN-2004-0185 - A buffer overflow existed in wu-ftpd's code which deals
with S/key authentication.
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for March is out. It looks at the
"V-ID card," centralized security, and the Microsoft code leak. "
Any bad guys who want
the code now have it, and won't be deterred by any lawyer letter. The
only thing Microsoft's lawyers are doing is preventing any good guys
from looking at the code, and maybe finding vulnerabilities that
Microsoft can then fix.
But if you realize that Microsoft's primary fear is probably other
attorneys, then their move makes sense. They want to limit the number
of good guys that can access the code, because they're afraid of what
might be found."
Full Story (comments: 1)
Events
Computer Security Mexico 2004 is happening May 27 and 28 in Mexico City. Click below for details and a list of keynote speakers.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.5-rc1, which was
announced by Linus on March 15. This
prepatch includes the incorporation of the netpoll interface (see below),
some virtual memory performance improvements, the new "kref" reference
counting mechanism (see below), a big ALSA update, a new Prism54 wireless
driver, an NFS update, a DMA API change (see below yet again), and many
fixes. See
the long-format changelog for
the details.
2.6.4 was released on March 10; very few
fixes went in after the last release candidate. Changes since 2.6.3
include support for the Intel "ia32e" architecture, a UTF-8 tty mode,
dynamic PTY allocation, sysfs support for SCSI tapes and bluetooth devices,
support for large numbers of groups, a generic kernel thread
infrastructure, an HFS filesystem rewrite, an R128 DRI driver security fix,
the groundwork for the hotplug CPU code, and many, many fixes. The long-format changelog has the details.
Patches in Linus's BitKeeper repository include several architecture
updates, a set of fixes to make the Intermezzo filesystem work again, an
IDE update, asynchronous I/O support for reiserfs, and lots of fixes.
The current tree from Andrew Morton is 2.6.5-rc1-mm1. Recent additions to the -mm
tree include a plug-and-play subsystem update, a patch to enable 4K kernel
stacks on the x86, the per-address-space block queue unplugging code
(discussed here last week), an NFS update, a
bunch of page cache work ("It seems to work OK here, but I suggest
people not rush out and convert all of the corporate finance department's
servers to 2.6.4-mm1."), and many fixes.
The current 2.4 kernel is 2.4.25; Marcelo released two 2.4.26
prepatches over the last week. 2.4.26-pre3
included a fair number of architecture and networking fixes; 2.4.26-pre4 (released March 16) is a much
smaller patch with just a few fixes.
Comments (none posted)
Kernel development news
The 2.6 kernel is a stable series which, in theory, should be dedicated to
the fixing of bugs rather than changing APIs. Anybody who risks thinking
that things have become too stable, however, need only look at
this massive patch from David Miller, which
changes the DMA API and touches a full 100 files. This patch had done a
little time in the -mm tree, but had never really been discussed on the
mailing lists before its inclusion.
The change is in the "synchronization" calls that the DMA layer provides
for streaming mappings. A streaming mapping is a short-lived structure set
up to support one or more direct memory access operations; depending on the
architecture, setting up a streaming mapping can involve creating bounce
buffers, programming I/O memory management unit (IOMMU) registers, flushing
processor caches, and more. These mappings have strict rules about the
"ownership" of the buffer; when a streaming mapping is created, it is owned
by the device, and the processor cannot touch it. If a device driver
ignores that rule, it risks corrupting data in a number of ways.
It is sometimes necessary, however, to allow the processor to access a mapped
streaming DMA buffer. To that end, the DMA layer has long provided a
set of functions (like dma_sync_single() and
pci_sync_single()) which transfer ownership of the buffer to
the CPU. What has always been lacking, however, is a way to transfer
ownership back to the device. To fill in that gap, the various
synchronization functions have been split in two; instead of
dma_sync_single() a driver must now call one or both of:
    dma_sync_single_for_cpu(struct device *dev,
                            dma_addr_t dma_handle,
                            size_t size,
                            enum dma_data_direction direction);
    dma_sync_single_for_device(struct device *dev,
                               dma_addr_t dma_handle,
                               size_t size,
                               enum dma_data_direction direction);
dma_sync_single_for_cpu() gives ownership of the DMA buffer back
to the processor. After that call, driver code can read or modify the
buffer, but the device should not touch it. A call to
dma_sync_single_for_device() is required to allow the device to
access the buffer again. The other synchronization functions (for
scatter/gather and DAC mappings) have been changed as well.
As might be expected from a change like this, the result was a lot of
broken drivers. The patch fixes the in-tree users of the discontinued DMA
functions. Out-of-tree and binary-only drivers, however, will have to be
fixed separately.
Comments (none posted)
When Patrick Mochel added the "kobject" type to the 2.5.45 kernel, he
described it this way:
This is not meant to be fancy; just something simple for which we
can control the refcount and other common functionality using
common code.
In the 2.6 kernel, the kobject type has become, via its kset and
parent pointers, the glue which holds the entire device model
structure together. It is the core object implementing every entry in the
sysfs virtual filesystem. Kobjects also handle the generation of hotplug
events when devices come and go.
Oh, yes. Kobjects also handle reference counting.
The kobject type has clearly grown past its original mandate into something
fairly fancy. To address
the needs of kernel hackers who only want a simple reference counter, Greg
Kroah-Hartman has created a new type called kref. A kref is, indeed, a simple thing:
    struct kref {
        atomic_t refcount;
        void (*release)(struct kref *kref);
    };
A kref comes with the usual functions one would expect:
kref_init() to set it up, and kref_get() and
kref_put() to manage the reference count. Once that count drops
to zero, the release function is called to clean things up.
All told, it's quite simple.
In fact, it would appear to be too simple for some kernel hackers,
who have questioned whether there is any need for kref at all. Why not
simply manipulate a reference count directly with atomic_t
operations and avoid adding the space required for the release()
pointer to every reference-counted object? The answer that comes back is
that buggy reference counting implementations in the kernel are far from
unknown, and that the overhead of using kref is tiny. As Andrew Morton put it:
I care more about being able to say "ah, it uses kref. I
understand that refcounting idiom, I know it's well debugged and I
know that it traps common errors". That's better than "oh crap,
this thing implements its own refcounting - I need to review it for
the usual errors".
Andrew's approval is sufficient; the kref patch showed up in 2.6.5-rc1.
For the future, Greg has a patch which converts the kobject reference
counting mechanism over to krefs. That change may be a harder sell,
however; it will expand the size of every kobject in the system (because
kobjects, currently, do not store the release() function pointer
directly). So that change will wait for 2.7, and may be part of a
larger-scale cleanup and refactoring of the kobject type.
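To make the idiom concrete, here is an added example, not kernel code: a user-space model of kref as described above. It keeps the struct layout shown (count plus release pointer), implements kref_init(), kref_get() and kref_put() with C11 atomics standing in for the kernel's atomic_t, and embeds the kref in a hypothetical object (my_object, my_object_release()) so that the release function frees the containing object exactly once when the count reaches zero. container_of() is reimplemented locally; everything below it is made up for the example.

```c
/* Added example, not the kernel's code: a user-space model of the 2.6.5
 * kref idiom. C11 atomics stand in for atomic_t; my_object and its release
 * function are hypothetical. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

struct kref {
    atomic_int refcount;
    void (*release)(struct kref *kref);
};

/* Set the count to one (the creator's reference) and record the destructor. */
static void kref_init(struct kref *kref, void (*release)(struct kref *kref))
{
    atomic_store(&kref->refcount, 1);
    kref->release = release;
}

/* Take another reference; the caller must already hold one. */
static void kref_get(struct kref *kref)
{
    atomic_fetch_add(&kref->refcount, 1);
}

/* Drop a reference; the thread that takes the count to zero runs release(). */
static void kref_put(struct kref *kref)
{
    if (atomic_fetch_sub(&kref->refcount, 1) == 1)
        kref->release(kref);
}

/* Recover the embedding object from a pointer to its kref member. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical reference-counted object with an embedded kref. */
struct my_object {
    int payload;
    struct kref kref;
};

static int releases_seen;   /* how many times release() has run */

static void my_object_release(struct kref *kref)
{
    struct my_object *obj = container_of(kref, struct my_object, kref);
    releases_seen++;
    free(obj);
}

/* Create one object, take two extra references, drop all three;
 * returns the number of release() calls, which must be exactly 1. */
int kref_demo(void)
{
    struct my_object *obj = malloc(sizeof(*obj));
    releases_seen = 0;
    obj->payload = 42;
    kref_init(&obj->kref, my_object_release);   /* count = 1 */
    kref_get(&obj->kref);                       /* count = 2 */
    kref_get(&obj->kref);                       /* count = 3 */
    kref_put(&obj->kref);                       /* count = 2 */
    kref_put(&obj->kref);                       /* count = 1 */
    kref_put(&obj->kref);                       /* count = 0: release() runs */
    return releases_seen;
}

/* Sample the count after init, two gets and one put (expect 2), then drop
 * the remaining references so the object is freed. */
int kref_count_check(void)
{
    struct my_object *obj = malloc(sizeof(*obj));
    int seen;
    kref_init(&obj->kref, my_object_release);
    kref_get(&obj->kref);
    kref_get(&obj->kref);
    kref_put(&obj->kref);
    seen = atomic_load(&obj->kref.refcount);
    kref_put(&obj->kref);
    kref_put(&obj->kref);
    return seen;
}
```

The point Andrew Morton makes above is visible in kref_put(): the decrement and the zero test are a single atomic operation, so two threads dropping the last two references cannot both conclude they were last.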
Comments (none posted)
One of the motivations for increasing the size of the
dev_t device
number type in 2.6 was to allow the use of huge numbers of SCSI disks. In
the 2.6.4 kernel, however, that promise remains unfulfilled; the SCSI
subsystem makes no use of the expanded device number range. That will
change in 2.6.5, however; a patch has been merged which allows the
enumeration of up to 1 million SCSI disks.
The authors of this patch had an interesting problem to solve: they wanted
to be able to enumerate all of those disks without breaking existing
systems. In other words, all of the existing SCSI device numbers have to
work as they do in 2.4 and prior kernels. The solution is expressed in the
following function, which turns a device index (the "nth disk") and a
partition number into its associated device number:
    static unsigned int make_sd_dev(unsigned int sd_nr, unsigned int part)
    {
        return (part & 0xf) | ((sd_nr & 0xf) << 4) |
               (sd_major((sd_nr & 0xf0) >> 4) << 20) | (sd_nr & 0xfff00);
    }
LWN readers will, no doubt, immediately understand what is going on here.
Your editor, however, had to stare at it for a little while. Then, as a
way of avoiding doing real work, he made the following diagram to show how
a device index and partition number are transmogrified into a device
number.
The "remap" operation takes four bits from the device index and uses them
to index into an array of the 16 major numbers which have been assigned for
some time to SCSI disks: 8, 65-71, and 128-135. The lowest four bits of
the device index move directly down into the minor number.
The result is that the
first 256 SCSI disks will get exactly the same major and minor numbers that
they have
in 2.4 kernels.
Once that space has been exhausted, however, the four red
bits in the diagram will return to zero, the major number will go back to
8, the highest-order bits in the device index are routed back into the
minor number, and, as a result, the 257th disk will be given device number
8:256. The
273rd disk will advance again to the next major number; it will be given
number 65:256. Additional disks will be distributed across the
available major numbers indefinitely until their combined power load flips
a breaker somewhere.
The result is a scheme which might be a little hard for humans to follow,
but, when you are dealing with thousands of disks, that will be the case
anyway. Meanwhile, most of the main design goals - support lots of disks
without breaking existing systems - have been met. There is one remaining
issue, however: some SCSI users have been asking for the ability to have
more than 15 partitions on one drive. Supporting a larger partition space
and simultaneously preserving compatibility is not currently possible
because the block layer expects partitions to be assigned contiguous minor
numbers. Fixing that will require tweaks to the gendisk code.
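For readers who would rather run the mapping than stare at it, here is an added example, not the kernel's code. It reproduces make_sd_dev() in user space with an sd_major() written from the list of SCSI disk majors given above (8, 65-71, 128-135), splits the result into major and minor assuming the 2.6 dev_t layout of a 12-bit major above a 20-bit minor, and goes a step beyond the article by adding an inverse mapping (sd_dev_to_nr(), not a kernel function) and a round trip over the entire 20-bit index range to confirm that the scheme assigns every one of the million disks a distinct number.

```c
/* Added example, not the kernel's code: the 2.6.5 SCSI disk numbering
 * scheme in user space, plus an inverse mapping added here for checking. */
#include <stdio.h>

static const unsigned int sd_majors[16] = {
    8,                                       /* index 0: first 16 disks */
    65, 66, 67, 68, 69, 70, 71,              /* indexes 1-7 */
    128, 129, 130, 131, 132, 133, 134, 135,  /* indexes 8-15 */
};

/* Four-bit index -> one of the 16 SCSI disk major numbers. */
static unsigned int sd_major(unsigned int major_idx)
{
    return sd_majors[major_idx & 0xf];
}

/* The function quoted in the article: nth disk + partition -> dev_t. */
unsigned int make_sd_dev(unsigned int sd_nr, unsigned int part)
{
    return (part & 0xf) | ((sd_nr & 0xf) << 4) |
           (sd_major((sd_nr & 0xf0) >> 4) << 20) | (sd_nr & 0xfff00);
}

/* Assumed 2.6 dev_t layout: major in the top 12 bits, minor in the low 20. */
unsigned int sd_dev_major(unsigned int dev) { return dev >> 20; }
unsigned int sd_dev_minor(unsigned int dev) { return dev & 0xfffff; }

/* Inverse (added here): bits 4-7 of the minor carry the low four bits of the
 * disk index, the major's slot in sd_majors carries the next four, and bits
 * 8-19 of the minor carry the rest. Returns -1 for a non-SCSI-disk major. */
long sd_dev_to_nr(unsigned int dev)
{
    unsigned int major = sd_dev_major(dev), minor = sd_dev_minor(dev), idx;
    for (idx = 0; idx < 16; idx++)
        if (sd_majors[idx] == major)
            return ((minor >> 4) & 0xf) | (idx << 4) | (minor & 0xfff00);
    return -1;
}

/* Round-trip every index in the 20-bit range and every partition;
 * returns 1 if the mapping is one-to-one, 0 if any collision is found. */
int sd_roundtrip_ok(void)
{
    unsigned int nr, part;
    for (nr = 0; nr < (1u << 20); nr++)
        for (part = 0; part < 16; part++) {
            unsigned int dev = make_sd_dev(nr, part);
            if (sd_dev_to_nr(dev) != (long)nr || (sd_dev_minor(dev) & 0xf) != part)
                return 0;
        }
    return 1;
}

int main(void)
{
    /* The cases discussed in the article: the 2.4-compatible range, the
     * 257th disk (8:256) and the 273rd disk (65:256). */
    unsigned int cases[][2] = { {0, 0}, {15, 0}, {16, 0}, {255, 15}, {256, 0}, {272, 0} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int dev = make_sd_dev(cases[i][0], cases[i][1]);
        printf("disk %4u part %2u -> %3u:%u\n", cases[i][0], cases[i][1],
               sd_dev_major(dev), sd_dev_minor(dev));
    }
    return sd_roundtrip_ok() ? 0 : 1;
}
```

Running it shows disk 0 at 8:0 and disk 255 at 135:255, exactly the 2.4 numbers, before the scheme wraps around to 8:256 for disk 256.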
Comments (10 posted)
One of the many new things merged into 2.6.5-rc1 is the "netpoll"
infrastructure. Netpoll exists to support low-level kernel functions which
may need to be able to send and receive packets over the network without
involving the entire networking subsystem and without enabling interrupts.
Examples include
kgdbeth (which allows kernel debugging over the
net), and netconsole, which enables remote, network-based consoles. The
patches have been around (and in the -mm tree) for some time, but have only
now found their way into the mainline. Netconsole was merged as well, but
kgdbeth users will still have to apply patches for now.
Supporting netconsole in network drivers turns out to be relatively easy -
for most adaptors. There is a new net_device method called
poll_controller(); its job is to catch up with whatever the device
has been doing. For many devices, this method looks like this:
    static void poll_my_card(struct net_device *dev)
    {
        disable_device_interrupts();    /* keep the real handler from racing us */
        call_interrupt_handler(dev);    /* run it by hand to drain the device */
        reenable_device_interrupts();
    }
Netpoll, in other words, is simulating device interrupts from within the
kernel. Some device interrupt handlers may need tweaks to ensure that they
do all of the necessary work without a real hardware interrupt, but most
seem to work as they are.
Comments (none posted)
Laptop users may well have noticed that there are no less than three
competing software suspend implementations for the 2.6 kernel. Two of them
(pmdisk and swsusp) are in the kernel itself; the third (
swsusp2) is not, but is also the
implementation which has seen the most work over the last several months.
Unfortunately, none of these implementations could be said to be
production-level code. It
is possible to make a Linux system
suspend to disk and resume into something that still runs, but making it
work is not yet for the faint of heart.
The software suspend discussion began anew when Pavel Machek, the
maintainer of the in-kernel swsusp code, asked where things were going. Pavel's
preference, not surprisingly, would be to remove the pmdisk code and stick
with swsusp. Pavel is not alone in feeling this way. The pmdisk
implementation is a fork of the swsusp code created by Patrick Mochel, who
was not enjoying good relations with Pavel at the time. By some accounts, the pmdisk
code is better, but it suffers from a major problem: Patrick has gotten a
new job and has vanished from the kernel development world. As a result,
pmdisk has seen no development work for several months, and it is a rare
user who can make it work reliably. Unless Patrick surfaces and starts
working on the code again, it is likely to go away fairly soon.
The real question is what to do about swsusp2. This version of the suspend
code has seen significant work by Nigel Cunningham and others. It has
a number of features that others lack: the ability to abort a suspend
operation, a "nice display," compression of the saved image (which can
speed suspends and resumes on systems with slow disks), etc. The real
difference, though, is that swsusp2 is, for many people, the only version
that works at all reliably. So there is some real desire to see the
swsusp2 work merged into 2.6, and further development efforts concentrated
there.
The hangup seems to be the fact that the swsusp2 patch is large, and
it touches a great many core files. Many of those changes are aimed at
making the "refrigerator" work better. Before a system can be suspended,
all processes must be put into a quiet, known state. This works by
setting a "freeze" flag and sending a signal to every process telling it to
put itself into the refrigerator. Once all processes are nicely chilled,
the system can save its state and suspend itself.
Processes will not refrigerate themselves immediately; they must first get
to a point where they hold no important resources. Sometimes, a process
must get something from another process before it can be refrigerated; the
example that is often raised is a process waiting for a response from an
NFS server process. If the NFS server is refrigerated first, the other
process will never get to where it can be frozen, and the suspend operation
will fail. To avoid this sort of situation, the swsusp2 developers have
gone to great lengths to identify places where a process should not, yet, be
refrigerated. The result is a great many macros with names like
SWSUSP_ACTIVITY_STARTING sprinkled widely throughout the code. If
software suspend is not configured into the kernel, these macros simply
vanish, so the actual changes to the core kernel are smaller than a look at
a simple diffstat listing would indicate. Swsusp2 remains a large patch,
however.
Nigel has offered to provide a version of swsusp2 which lacks the intrusive
refrigerator changes, though he warns that it will eventually become clear
that those changes are needed. Andrew Morton has indicated that this would be a step in the
right direction, but he is asking for more:
Even happier would be a series of small, well explained patches
which bring swsusp into a final shape upon which more than one
developer actually agrees.
These wholesale replacements and deletions are an indication that
something has gone wrong with the development process here.
What clearly needs to happen is that the swsusp2 work needs to be broken
down into a long series of patches of the type that the kernel developers
like to see: small and focused. That will be a significant effort, and
the swsusp2 developers appear to lack the time to do that anytime soon.
Now, perhaps, is the time for people who are concerned about a working
software suspend solution (which Linux really does need) to get together to
bring an end to the current, confused situation.
Comments (5 posted)
Patches and updates
Kernel trees
Core kernel code
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Memory management
Networking
Architecture-specific
Security-related
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Recent releases from EnGarde and Trustix should be of interest to the more
paranoid users among us, as both of them include the word "secure" in their
product names. The latest version of EnGarde Secure Linux (1.3) was
announced
early last month, while the new release of Trustix Secure Linux (version 2.1)
was
released
just over two weeks ago. Despite the presence of a common word in their
respective product names, the two distributions take very different
approaches towards security: the EnGarde developers concentrate their efforts
on kernel patches preventing common exploits, as well as strict
mandatory access control policies, while the developers of Trustix prefer
simplicity and sensible defaults as their product's main features.
EnGarde Secure Linux
EnGarde Secure Linux has consistently managed to impress reviewers, especially
when compared to other secure solutions. It is a product of Guardian Digital,
Inc, an open source security company based in Allendale, New Jersey. The
latest release is essentially a security update of EnGarde Secure Linux 1.3,
originally released in April 2003. Users who are running the original release
with updates are not required to upgrade.
How does EnGarde ensure a high level of security? Firstly, the distribution
uses a hardened kernel provided by the Openwall project, together with
Linux Intrusion Detection System (LIDS)
to enforce strict mandatory access control. Secondly, it provides a host of
preconfigured tools to monitor suspicious activity on the server, such as
Tripwire
and Snort. And thirdly, detailed
attention is paid to simple, but effective security measures, such as
preventing normal users from accessing system-wide configuration and log
files, forcing users to explicitly enable services they need, or
disallowing booting into single-user mode or logging in as root
altogether.
All system configuration in EnGarde Secure Linux is done remotely via GD
WebTool, a Webmin-like interface developed by Guardian Digital (see screenshots).
This is an impressive utility that allows even non-expert administrators to
configure various aspects of their server, such as managing users and
services, setting up individual server components, viewing logs and
monitoring system activity. Needless to say, it also provides an easy way to
keep the system up-to-date with the latest security updates. To experience
the features of GD WebTool, you can register for a demo account on the
distribution's web site.
EnGarde Secure Linux comes in two editions: Professional and Community. The
pricing for the Professional edition ranges from $729 to $1629 depending on
the level of required support, while the Community edition is available for
free
download (registration is required to obtain details about activating the
product). Besides the price, the two products differ in the number of
available features: the Community edition excludes Engarde's Secure Suites
(although they can be purchased separately), and its web, mail and DNS
services are limited to 10 domains.
Trustix Secure Linux
In contrast to the wealth of features found in the EnGarde distribution,
Trustix Secure Linux is a lot less ambitious when it comes to preventing
buffer overflows. Instead, the developers have focused on creating a product
that can be deployed with a minimum of effort on servers in a variety of common
scenarios, and on providing security updates in record-breaking time. The
installation program lists several classes depending on the purpose of the
server, including web server with PHP, mail server with either Courier or
Cyrus imapd, FTP server with vsftpd, firewall, DNS server, MySQL/PostgreSQL
database servers and other classes. Applications not required for a
particular installation class are not installed. Once the system is
installed, it is up to the users to enable all required services, as none of
them, not even networking, is brought up automatically. This is one way to
ensure that no unnecessary service is active.
One of the most interesting features of Trustix is SwUp, the
secure SoftWare UPdater for Trustix. Written in Python, SwUp is a command
line utility designed to keep a Trustix installation up to date with security
and bug fixes with minimal effort. In fact, installing and configuring a
package called "swupcron" ensures that the system is kept up-to-date without
any human interference. SwUp provides for automatic resolution of
dependencies, poll-only functionality (without any actual package
installation), strong authentication with GnuPG, filter and search
capabilities, caching of downloads and use of HTTP proxies.
The development of Trustix Secure Linux has now entered a period of stability
after the turmoil last year when the distribution's commercial entity,
Trustix AS, declared bankruptcy. At first, the developers continued their
work under the name of Tawie Server Linux, before the distribution, and the
right to use the product's original name, was acquired by Comodo, a
UK-based Internet security company. The next version, Trustix Secure
Linux 2.2, is scheduled for release in September 2004.
Comments (1 posted)
Distribution News
The
Debian Weekly News for March 16, 2004
covers a proposed task for Ada development, a bug closed by spam, a new
proposal to distribute non-free, and more.
The Debian popularity contest: As the Debian
project drifts slowly toward its next stable release, it has a bit of a
problem: this release looks like it will include over 13,000 packages on 13
binary CDs. The project is hoping to optimize downloads and installations
by putting the most popular packages together on the low-numbered CDs. To
make that happen, they must find out which packages are installed most
often. So the call has gone out for Debian users to install the
"popularity-contest" package and allow it to phone home with information on
what they have installed. The results end up on the Debian Popularity Contest page.
The second call for votes is out, for the
general resolution concerning non-free. Votes must be received by Sunday,
March 21 23:59:59 UTC 2004.
The platforms for the candidates for the
project leader are available on the web. There
will be no IRC debate this year as the
debian-vote
mailing list has been extremely active with both election and non-free
issues.
There will be a Bug Squashing Party this
weekend, March 19 - 21, to help fix the release critical bugs in sarge.
The third beta release of the Debian sarge
installer is now available for testing.
Comments (none posted)
LinuxWorld
talks
with Bruce Perens about UserLinux. "
UserLinux is taking the
approach of "let's have a lot of support companies working together as
equals on UserLinux, so that you can find the expert that you need, and so
that competition drives quality up and prices down. Let's encourage service
providers to differentiate themselves by specializing in niche markets that
they know well. I want there to be so many UserLinux service providers that
you'll be able to find a company that specializes in supporting dentists in
Minnesota. And I don't want to own any part of that company - I just want
to be its equal partner in developing the UserLinux system." And when you
think of it this way, it turns out to be an approach that is particularly
good for the more technically challenging markets because those are the
markets that a Red Hat or SUSE can't go to. Red Hat is bound by strategies
that enhance shareholder value, so they have to focus on the big
market."
Comments (10 posted)
Progeny announced that it is partnering with Clara Online, a Japanese
hosting provider, to offer a localized version of the Progeny Transition
Service.
Full Story (comments: none)
Xandros has
announced it is now shipping the Xandros Business Desktop and Operating
System (OS) for enterprise customers.
Comments (none posted)
According to this NewsForge article, Immunix
plans to
discontinue its secure distribution. "
The most recent version of
the Immunix OS, 7.3, was released in December, 2003, and it looks like it
will be the last standalone one released, although [Immunix COO Frank] Rego
says the company will continue to support current users." This
7.3
press release (PDF) promises support through March 2005.
Comments (none posted)
TimeSys Corporation has
announced
TimeStorm Linux Development Kits, the Eclipse-powered IDE and a complete
embedded Linux distribution based on the Linux 2.6 kernel for the PowerPC
8260 processor.
Comments (none posted)
This week the
DistroWatch
Weekly news looks at Mandrakelinux 10.0, creating new distributions,
and more.
Comments (none posted)
New Distributions
LinuxConsole is a "live" Linux
distribution that comes from France. You can boot it from CD, HD, USB, or
PXE. There is a "core" ISO image (55MB), with all the drivers (3D and ADSL
included) needed to install it or just try it. LinuxConsole is initially
based on Mandrakelinux 9.1 and it joins the list at version 0.4RC2,
released March 10, 2004.
Comments (none posted)
Minor distribution updates
Astaro Security Linux has released
beta v4.744 with major bugfixes. "
Changes: This new snapshot
fixes the install issues (all Pentium and VIA CPUs), High Availability
Config and Up2Date sync, Interface type PPPoA/PPTPC issues, and a Group
definitions bug. It also includes fixes for 'Store logfiles remotely' via
SMB and SSH, IPSec CRL fetching via LDAP, Surf protection (profile
assignment via LDAP), and a lot of small bugfixes and improvements."
Comments (none posted)
Aurox Linux has released
Aurox Live v1.4.1 with minor feature enhancements. "
Changes:
This release is based on a full (installable) version of Aurox Linux
9.3. It includes graphical environments such as KDE 3.1.5 and FLUXBOX, ACPI
power management, FAT32 and NTFS support, OpenOffice.org 1.1, Flash plug-in
for Mozilla, nVidia drivers, games such as Tuxracer, Neverball, and
Glaxium, audio and video (DVD) players, and many other applications from
Aurox 9.3."
Comments (none posted)
BLAG Linux And GNU by the Brixton Linux Action Group has released BLAG9002. "
BLAG9002 (trike) is a significant update of BLAG9001. The major changes are lots of RedHat updates (kernel, XFree86, apache), many BLAG package updates, and piles of new packages."
Full Story (comments: none)
Buffalo Linux has released
v1.1.5
with major feature enhancements. "
Changes: The default kernel is
now 2.6.4, with 2.4.24 still available for use. There are new optional
packages: MySQL with mysqlcc and Scribus 1.1.5. There are a total of 9 new
packages and 21 package upgrades. An Update from 1.1.4 to 1.1.5 is
available. Separate downloads for the optional extra packages are
available."
Comments (none posted)
Coyote Linux has released
v2.10
Beta3 with minor feature enhancements. "
Changes: This release
adds the option of DHCP reservations to the Web admin and has several
script cleanups."
Comments (none posted)
Devil-Linux has released
v1.0.5
with minor security fixes. "
Changes: This release fixes the mremap
vulnerability, adds a patch for "Rusty's broken brain" error/failure, and
updates a few applications."
Comments (none posted)
Linux Live has released
v4.0.2
with minor bugfixes. "
Changes: It was necessary to modify scripts
from /tools to look for liblinuxlive functions in two directories: ./ and
/usr/lib."
Comments (none posted)
NSA Security Enhanced Linux has
released
v2004031009 with minor feature enhancements. "
Changes:
Experimental SELinux NFS code has been made available. The base kernel
version for 2.4 has been updated to 2.4.25. The base version for 2.6
remains 2.6.3, but the SELinux patch has been updated. Fine-grained boolean
labeling support has been merged. The userspace AVC has been enhanced to
handle netlink selinux notifications. MLS improvements have been merged, as
well as updates to slat and the example policy."
Comments (none posted)
PXES Linux Thin Client has
released
v0.8-9 with major feature enhancements. "
Changes: The memory
footprint has been reduced by about 50% (squashfs), which solved some of
the reported problems in memory constrained clients. This release adds USB
flash disk support (coldplugging), an lpd server and local spool, rdesktop
1.3.1, Samba 2.2.8a, a local configuration tool, UDHCP 0.9.91, and a new
style."
Comments (none posted)
Quantian has
released v0.4.9.5 which fixes many bugs.
Full Story (comments: none)
wrt54g-linux has
released
v0.4 with minor feature enhancements. "
Changes: This release
adds full support for current Linksys firmware. The release has been tested
on version 2.02.2, but it should work with all official Linksys firmware
versions. Installation has been tested on Linux and OS X."
Comments (none posted)
Distribution reviews
LinuxWorld
examines the desktop
features of several distributions. "
When you're picking a
distribution for your business you should consider a number of things: not
only the user interface, but also vendor support and complementary
offerings to the base desktop, especially with regards to applications and
system updates."
Comments (2 posted)
Linux Journal
reviews
Xandros 2.0 Business Edition. "
Is Xandros Desktop 2.0 Business
Edition a viable option for the corporate desktop? I would have to say a
resounding yes. I was given a pre-release copy of the Business Edition to
review, and I was able to install it on a spare laptop. The moment I
finished the setup, I shut down my Windows 2000 workstation and have not used
it since. The base O/S is rock solid, and the list of standard applications
is impressive. If you do need a Windows-based application, you still have
CrossOver Office installed to run MS Office, Quicken, or a host of other
Windows-based applications."
Comments (none posted)
OSNews
reviews
Mandrakelinux 10. "
My biggest welcome surprise was the fact that
Mandrake now installs by default a video editor, KDEnLive! At last, a
distribution that is sensitive enough to the sign of the times and includes
a solution -- even if that solution is still very alpha."
Comments (none posted)
MadPenguin
reviews
Mandrakelinux 10.0. "
Security control for the system is handled very
well by using the Level Checks tool in the Mandrake Control Center. I was
thoroughly impressed by the degree of fine tuning you are able to
administer on your systems. From very basic options allowing/disallowing
services and actions to complete granular control over permissions, logs,
and alerts, the Level Checks applet is an appreciated addition to the
system."
Comments (none posted)
Page editor: Rebecca Sobol
Development
March 17, 2004
This article was contributed by Caleb Tennis
CVS (Concurrent Versions System, http://www.cvshome.org) is by far the most widely used source control program in the open source community. Though it tends to suffice for most projects, CVS is considered by many to be antiquated, lacking features and abilities which would be very valuable to most open source projects. Subversion (http://subversion.tigris.org) is a project which attempts to replace CVS, adding new features where needed and changing existing functionality only when necessary.
The most notable change for CVS users is Subversion's repository handling of atomic commits. In CVS, every file was individually versioned according to its changes; in Subversion the entire repository is versioned. While conceptually different, the advantage to this change quickly becomes apparent: the entire repository can be returned to a known state. As an added bonus, the addition of special keywords allows one to view changes between file versions quickly without knowing the revision number.
Subversion adds two commands not present in CVS: "move" and "copy". With these, revision histories for files and directories are preserved between location changes. This feature is a boon for most CVS users, who commonly complain about the inability to rename files and directories easily.
In Subversion, branches and tags are nothing more than copies of a directory, making them easier to work with than their CVS counterparts. After becoming accustomed to the concept, one quickly realizes that branches in a Subversion repository are parallel to one another, whereas in CVS the branches feel orthogonal. The branching operation is considerably faster by design, and Subversion's "merge" command is more intuitive than CVS's "update -j".
Additionally, Subversion caches more metadata in the local working copy, eliminating the need for client-server communication for commands like "status", "diff", and the new "revert". Commits send only the differences rather than the entire file as in CVS, making the commit process considerably faster. Even binary files stored in the repository are handled using a binary diff, making storage more efficient.
Finally, Subversion adds new features that aren't readily available with CVS. Properties, such as MIME types or the execute permission bit, can be attached to files. "Hook" scripts can be triggered to run on certain events, such as a "commit". On the server side, repository control is more finely tuned, and many useful maintenance features have been added without compromising ease of use.
One of the biggest concerns that many have when considering Subversion is the requirement for Apache2. It is worth noting, however, that Subversion has no requirement for Apache2. It can use the WebDAV protocol through Apache2 for repository access, but also works fine through a standalone server daemon.
These fundamental changes offer newer, and arguably better, ways of working with the repository than CVS provides. With so many great changes, the authors of Subversion truly have created a viable drop-in replacement for CVS. As more projects start to embrace Subversion for the new features it offers, it is sure to become the new standard for open source project revision control.
Comments (20 posted)
System Applications
Audio Projects
Version 1.0.3b of alsa-lib
is available. The change information says:
"
it fixes SIGSEGV problem for dmix plugin (when a specific GCC version is used)".
Comments (none posted)
A new version of Jack-plumbing, a JACK connection daemon, is out.
"
The JACK plumbing daemon has a new rule to dramatically reduce
ordinary rule set sizes, a new system wide configuration file, and a
new version number to indicate progress."
Full Story (comments: none)
The
latest changes from the
Planet CCRMA audio utility packaging project include
new versions of Open Music for Linux, CMUCL Common Lisp,
CLM, and CMN. Also:
"
added a new section documenting how to configure multiple soundcards, and also another one on extra stuff for configuring USB soundcards."
Comments (none posted)
Database Software
Version 7.4.2 of the PostgreSQL database is out.
"
After several fixes were backpatched to the 7_4_STABLE branch, we have now
released a 7.4.2. As the list of Changes since 7.4.2 is quite small, they
are included in this email".
Full Story (comments: none)
The PostgreSQL Weekly News for March 15, 2004 is available.
Full Story (comments: none)
Networking Tools
Net-SNMP version 5.1.1.rc1
has been released.
"
It is the, hopefully,
final pre-release before the real 5.1.1 on Friday. Please let us know on the
-coders list if you see any show-stopping bugs. net-snmp provides tools and
libraries relating to the Simple Network Management Protocol".
Comments (none posted)
Printing
The CUPS printer project has released version 1.0 rc 1 of the
Driver Development Kit.
"
The CUPS Driver Development Kit (DDK) provides a suite of standard drivers, a PPD file compiler, and other utilities that can be used to develop printer drivers for CUPS and other printing environments. CUPS provides a portable printing layer for UNIX®-based operating systems. The CUPS DDK provides the means for mass-producing PPD files and drivers/filters for CUPS-based printer drivers."
Comments (none posted)
Web Site Development
Two new releases of
Tiki,
a CMS/groupware suite, are out.
Version 1.7.6 of the stable series and version 1.8.1 are available.
The
SourceForge announcement says:
"
Release 1.7.6 marks the end of the Tiki 1.7 family. 1.8 now officially replaces the 1.7 family."
Comments (none posted)
Miscellaneous
Version 0.0.4 of the realtime Linux Security Module is available.
"
This version handles the new concurrent groups mechanism Linus
introduced in 2.6.4. It still works with earlier 2.6 kernels. There
are no functional changes. Unless you are running 2.6.4, there is no
reason to upgrade."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 0.7.1 of Rhythmbox, an integrated music management application,
has been released.
"
There's a number of cool things in this release, many of them brought to you
by Christophe Fergeau, so you should thank him a lot :) Most notable of those
is the iPod support, which is still experimental."
Comments (none posted)
Desktop Environments
The March 6, 2004 edition of the
GNOME summary is online.
"
Featuring news about F-Spot, the coming deep freeze and more!"
Comments (none posted)
Version 2.6 Beta 2 of the GNOME Desktop & Developer Platform
has been released.
"
The second BETA release of the GNOME 2.6 Desktop & Developer
Platform! That's right - it's almost here, and it's your chance to have a
sneak preview, and hopefully beat out some of the last remaining bugs before
our final release."
Comments (none posted)
Version 4.0.4 of the
XFce lightweight desktop environment
is available. "
This is a maintenance release." See the
change log for details.
Comments (none posted)
Electronics
Version 3.2.14 of the XCircuit electronic schematic drawing package
is available.
Change information is in the source code.
Comments (none posted)
Financial Applications
GnomeDesktop.org has
an announcement for version 0.10 of Kurush.
"
Kurush aims to be an easy to use personal finance tool for GNOME Desktop and it is built around Mono and GTK# with the help of the Montant IDE."
Comments (none posted)
Games
Version 1.0.1 of
Pydance is available.
"
Pydance is a dancing game based on ideas from dancing games in the arcade. Dance with your body (or your fingers) and try to keep the beat. The better you do, the higher you score."
Comments (none posted)
ScummVM 0.6.0, a cross-platform interpreter for point-and-click
adventure engines,
has been announced.
"
This release includes
the usual load of bugfixes and major feature enhancements. Among other
changes, there are two new graphics scalers (HQ2X/ HQ3X), an improved
launcher/options dialog, and support for a number of new games."
Comments (none posted)
Jack Shirazi and Kirk Pepperdine
write about Java game performance issues on IBM's developerWorks.
"
Marcos Fonseca, the main man behind the MegaJogos multi-player game site and a member of the Java Games community, recently altered the application behind the site to use the NIO package to enhance its scalability. Though successful, the migration was not without its challenges. In this installment of Eye on performance, Kirk Pepperdine and Jack Shirazi follow Marcos's journey as he discovers some of the finer points of NIO performance"
Comments (none posted)
GUI Packages
The GTK+ team has announced the release of version 2.4 of the GTK+ widget
toolkit and its associated libraries (GLib, Pango and ATK).
Full Story (comments: 6)
Imaging Applications
Michael Still
does graphics work from the command line on IBM's developerWorks.
"
There's nothing quite like command-line tools for handling large batches of tasks, and image manipulations are no exception. Web developers and administrators will appreciate the ability to handle large numbers of files easily, either at the command line or in scripts. Programmer Michael Still presents more examples of the ImageMagick suite, this time demonstrating how to put curved corners, logos, or frames and borders on your images, as well as how to convert to and from multipage file formats including Adobe's PDF format."
Comments (none posted)
Interoperability
Samba version 3.0.2a
has been announced.
"
Samba 3.0.2a is a minor patch release for the 3.0.2 code base
to address, in particular, a problem when using pdbedit to
sanitize (--force-initialized-passwords) Samba's tdbsam
backend. This is the latest stable release of Samba."
Comments (none posted)
Release 20040309 of Wine
has been announced.
Changes include an improved winegcc tool, drive configuration simplification,
multimedia dll improvements, bug fixes, and more.
Comments (none posted)
Medical Applications
Version 0.7.0 Beta 2 of FreeMED, an electronic medical record
and practice management system
has been announced.
"
As
FreeMED is in feature freeze for the upcoming release, this release features
critical bugfixes in the billing and reporting systems, as well as some
critical UI fixes. It has working FreeB support, as well as fixing problems
in the claims manager."
Comments (none posted)
LinuxMedNews
covers recent changes in the OpenEMR project.
"
For those of you that are unfamiliar with OpenEMR, it is an open source practice management and electronic medical record application. We are creating OpenEMR to compete with and be a replacement for Health Pro, MegaWest and Medical Manager. We are now in the process of finalizing billing using FreeB and anticipate having those features implemented and tested by the end of April 2004."
Comments (none posted)
Music Applications
Version 0.8.2 of Hydrogen, a drum machine, is out.
Changes include better MIDI input support, JACK transport improvements,
bug fixes, and more.
Full Story (comments: none)
Version 0.2.2 of spiralmodular,
"
an object orientated music studio with an emphasis on live use", has been released. Changes include:
"
loads
of fixes and features, most notably a new GUI design and improvements in
LADSPA and ALSA support."
Full Story (comments: none)
Office Applications
Version 1.4.6 of Ximian Evolution, a personal and workgroup information management application,
has been announced.
"
This update includes bug fixes as a
result of community and customer feedback received since version 1.4.5."
Comments (none posted)
Version 1.2.8 of the Gnumeric spreadsheet
has been released.
"
This is a medium priority release. It works around a few cosmetic issues.
Additionally we finally tracked down which theme (6nome) was crashing, and
fixed that. Unfortunately that patch promptly broke Industrial/Gorilla
forcing 1.2.7 to become 1.2.8. There was some work to tune the charting
engine and support bubble plots, along with some improvement in xls import
for embedded text boxes (XL95 and XP)."
Comments (none posted)
Video Applications
The first release of GnomeMeeting
has been announced.
"
Version 1.0 of the GnomeMeeting software package is a H.323 videoconferencing application for Linux PCs that allows users to make audio and video calls over the Internet, as long as recipients are equipped with H.323-compatible equipment. (H.323 (define) is a set of communications protocols used to transmit and receive audio and video information over the Internet.)"
Comments (none posted)
Web Browsers
The March 16, 2004 mozilla.org Status Update
is available.
"
It
includes news on a Windows installer for Mozilla Thunderbird, Mozilla Firefox
profile migration, the Mozilla Firefox Roadmap, branding, JavaScript
controls, the IMAP IDLE command, cookies, spoiler protection, Extensible Tag
Framework (XTF) and more."
Comments (none posted)
The March 14, 2004 Mozilla
Independent Status Reports are available.
"
The latest set of status reports includes updates from mozdev, Googlebar,
Firebird Help, Dictionary Search, Mnenhy, the Metagrams Toolbar and cuneAform."
Comments (none posted)
The Mozilla Foundation has posted
a copy of a letter it is sending to vendors selling Mozilla-oriented merchandise. The Foundation, it seems, is serious about its trademarks and won't let just anybody make use of them. "
The Mozilla project uses Mozilla, Firefox, the fox-on-the-globe and
other names and logos to brand its products and goods. We like to think
that it's a mark of quality.... We'd like to
be certain that what's being sold with our logos on is the good stuff.
And (let's be honest here) it's only fair that we get a cut, to
contribute towards keeping the Foundation going."
Comments (8 posted)
Miscellaneous
Version 2.2.1 of the
Pyro AI and Robotics System
is available. See the
whats new
document for change information.
Comments (none posted)
Languages and Tools
Caml
The Caml Weekly News for March 9-16, 2004 is available with the latest
Caml language articles.
Full Story (comments: none)
Java
Ashwin Jayaprakash
writes about GUI design under Java with his BlackMamba project.
"
In this article we'll discuss how to develop a desktop application using many of the architectural principles in the proverbial Book of OOAD. BlackMamba, shown in Figure 1, will be our case study. We will also list some of the common pitfalls that one encounters when developing such an application in Java Swing and learn how to overcome them."
Comments (none posted)
Production version 1.4 of HTML Parser
has been released.
"
Ten months of development have culminated in a very robust, extensible
product that has been tested, and is already being used, by thousands of
developers. HTML Parser is a library, written in Java, which allows you to
parse HTML (HTML 4.0 supported)."
Comments (none posted)
Lisp
The initial release of CL-Ncurses, an Ncurses interface for Common Lisp,
is out.
Full Story (comments: none)
Perl
Brian Ingerson
explains Perl's IO::All on O'Reilly.
"
Being quite satisfied with my new idiom, I sat down for a few more weeks, and wrote a few hundred lines of code, and hid it in a module called IO::All and uploaded it to CPAN. Now I can do my 5-line slurp in 1 line. Phew!"
Comments (none posted)
The March 8-14, 2004 edition of
This Week on perl5-porters is online.
"
This week was the can-of-Unicode-worms-festival week for the Perl 5 porters. Regular expressions were another recurrent topic."
Comments (none posted)
The March 7, 2004 edition of
This week on Perl 6 is available.
"
Time marches on, and another summary gets written, sure as eggs are eggs and chromatic is a chap with whom I will never start a sentence. We start, as always, with perl6-internals."
Comments (none posted)
Python
A new update of
Billy the Kid
is available with bug fixes.
"
Billy the Kid is a Python Extension Module providing you with all kinds of more or less useful stuff at the raw packet level. It allows you to create raw UDP/TCP/ICMP packets and it also includes a nice interface to libpcap. It gives you the ability to do all those nasty things you've always dreamed about. But this time you can do it from within Python! No more hassling with C, messy pointers and other stuff. Billy the Kid takes care of that for you."
Comments (none posted)
GnomeDesktop.org has
the announcement for version 2.2.0 of PyGTK, the Python bindings to
GTK+.
Comments (none posted)
Version 3.11 of PyQT, the Qt bindings for the Python language, is out.
Full Story (comments: none)
The Python-dev Summary for February 1-29, 2004 is available
with lots of Python development news.
Full Story (comments: none)
The March 14, 2004 edition of Dr. Dobb's Python-URL! has been published.
Take a look for many Python article links.
Full Story (comments: none)
Ruby
GnomeDesktop.org
mentions the release of version 0.1 of
ORE, the Ruby Editor for GNOME.
Comments (none posted)
David Heinemeier Hansson
presents a positive view of Ruby.
"
Ruby doesn't make new things possible, but many things desirable. It also affords continuous simplification and occasional breakthroughs at a, for me, unprecedented level. There's an immense sense of satisfaction in making less code do more on a regular, sometimes even daily, basis."
Comments (none posted)
Tcl/Tk
The March 16, 2004 edition of Dr. Dobb's Tcl-URL! is out with
the latest Tcl/Tk article links.
Full Story (comments: none)
XML
Dale Waldt
looks at XBRL on O'Reilly.
"
The eXtensible Business Reporting Language (XBRL) is a language for capturing financial information throughout a business' information processes that will eventually be reported to shareholders, banks, regulators, and other parties. The goal of XBRL is to make the analysis and exchange of corporate information more reliable and easier to facilitate."
Comments (none posted)
Uche Ogbuji
covers
XML namespace processing on O'Reilly.
"
I have covered a lot of tools for processing XML in Python. In general I have deferred discussion of each tool's handling of XML namespaces in order to stick to the basics in the individual treatments. In this article I start to examine the support for XML namespaces in these packages, with a look at SAX and DOM from the standard Python library."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
SearchSecurity.com
warns
that as Linux becomes more mainstream it will become more of a target for
malicious hackers. "
On Windows, most of the viruses are e-mail
borne. On the Linux side, today and in the future, viruses are
network-aware, and [they] take advantage of vulnerabilities in networks or
systems to infect machines. The Slapper worm, for example, attacked
vulnerabilities in OpenSSL and Apache."
Comments (34 posted)
Silicon.com
looks at new licensing terms for the MySQL database. "
On
Thursday night, MySQL published a licence exception that, the company said,
permits PHP to resume its previous practice of bundling MySQL components
called libraries, said Zack Urlocker, MySQL's vice president of
marketing."
Comments (11 posted)
Internet Week
asks
whether free software is morally correct. "
SCO has argued that
open-source supporters are hell-bent on putting for-profit companies out of
business. Nonsense! What ails SCO and other proprietary software vendors is
nothing more than a changing business environment. Wake up to the real
world, folks."
Comments (16 posted)
Trade Shows and Conferences
Doc Searls has posted
another in a series of reports from the Consumer Electronics Show over at the Linux Journal.
"
So here's a question. Out of 2,300+ exhibitors, how many do you think mentioned 'Linux' in their descriptions of what they were up to at the show? A couple hundred? Fifty?
Try eleven."
Comments (3 posted)
This O'ReillyNet article
covers
a talk by Daniel Robbins, Gentoo's chief architect. "
Robbins
acknowledged twice in his talk that Gentoo users have a reputation for
pestering upstream open source developers with bug reports. Some have been
legitimate -- the idiosyncratic configurations permitted by Gentoo often
shook out obscure problems in the most stable packages. There's a general
feeling among some developers that Gentoo users are identifying problems
caused not by upstream bugs, but by aggressive optimization or other poor
configuration choices that the users themselves have made."
Comments (6 posted)
Edd Dumbill
examines
the growth of Mono, and reports on a recent Mono developer meeting.
"
The Mono project has a clear goal: to become the first-choice platform for Linux software development. Considering that Mono is an implementation of Microsoft's .NET framework, that goal might sound particularly audacious to many Linux fans."
Comments (32 posted)
NewsForge
takes a
look at the first Open Source Business Conference, which will take
place in San Francisco this week. "
The renowned legal scholar
Lawrence Lessig will give a keynote entitled "The Creators' Dilemma: Open
Source, Open Society, Open Innovation." Other keynoters include Chris
Stone, the driving force behind Novell's acquisition of SUSE Linux; Scott
Handy, IBM's VP for Worldwide Linux Strategy and Market Development; and
HP's VP for Linux, Martin Fink. Another renowned legal scholar, Eben
Moglen, a professor at Columbia Law School and General Counsel for the Free
Software Foundation, was originally slated to speak, but has had to
withdraw for personal reasons."
Comments (none posted)
The SCO Problem
BusinessWeek has
read
the Anderer memo and investigated further. "
Lawrence Goldfarb,
managing partner of BayStar, says that senior executives at the software
giant [Microsoft] had telephoned him about two months before the investment. Would he
be interested in investing in SCO, they asked?" This would appear
to be a different story than what we have been hearing so far.
Comments (11 posted)
NewsForge has published
a statement by Mike Anderer, CEO of S2 and author of the
Halloween X memo.
"
I think one real issue, that people are skirting, is who will be the ultimate guarantor of IP-related issues in a world that is governed by the GPL and GPL-like licenses. I could easily see IBM, HP, Sun, and many of the other large hardware players solving this problem tomorrow by settling the dispute with SCO and maybe even taking the entire code base and donating it into the public domain. I know this is what I originally thought would happen, at least the settlement part. I am not certain what people who paid tens of millions for licenses would say if what they paid for was now free, but that is a different issue."
Comments (15 posted)
eWeek
has
some strong words about the Microsoft/SCO connection. "
Thanks to
Microsoft's funding, both indirect and direct (in the case of the Unix
license purchase), SCO probably has the cash to keep its head above water
and its stock price in the $10 range. And, thanks to Microsoft's funding,
we'll continue to see SCO spreading Linux FUD. The Evil Empire
lives."
Comments (7 posted)
For anybody who hasn't had enough Darlspeak recently, Groklaw has put together
a transcript of his interview with Dan Farber.
"
You have the drug, the biotech, companies. You go and put together a new drug formula, and because it's software and touches GPL, if you're not careful, that gets destroyed. So I think it's a very dangerous setting we're talking about."
Comments (5 posted)
Companies
News.com
reports
that HP will be selling Linux PCs in Asia. "
HP's desktop models, the
dx2000 and cd5000, were announced--barely--last week. In that news release,
HP avoided touting the Linux option, saying that the systems were available
with Microsoft Windows "or alternative operating systems." In interviews,
though, HP said the models came with MandrakeSoft's version of
Linux."
Comments (2 posted)
Microsoft is making an attempt to levy a large fine from Lindows, Inc
according to
this press release.
"
Lindows, Inc. has received copies of papers filed against the company in the Netherlands by Microsoft Corporation asking the court to fine Lindows 100,000 euros per day for permitting its website to be reachable by visitors from the Benelux countries (Netherlands, Belgium and Luxembourg)."
Comments (10 posted)
News.com
reports
that Tim Bray will be working for Sun, in a project that will incorporate
blogging software and content syndication based on the RSS format.
"
Although Bray does not have responsibility over any Sun products, he
said Sun's Java Desktop System would be a likely recipient of his work in
search and syndication. Java Desktop System is Sun's bundle of open-source
desktop software, which includes Linux and the OpenOffice productivity
applications."
Comments (2 posted)
Linux Adoption
Information Week
notes the growing popularity of free database systems.
"
Doug Heintzman, director of IBM software group technology strategy, disputes the notion that IBM is on the defensive about open-source databases. 'The marketplace decides which open-source projects are going to succeed,' not IBM or any other company, and IBM has a track record of heeding those decisions, he says. At the moment, it doesn't view open-source databases as competing for the same customers as IBM's DB2."
Comments (none posted)
Linux at Work
Linux is being used to host a high volume web site that contains
Mars imagery, according to
this article on Vnunet.
"
The company said it has created the largest Linux-based distributed network to provide the resilience and scalability needed to deal with the huge traffic demands on the websites it hosts.
According to Nasa, the number of hits on its website has exceeded 7.5 billion during the first two months of 2004, with traffic peaking at nearly 7Gb per second in January alone."
Comments (none posted)
Resources
Linux Journal
takes a look
at using Virtual LANs on Linux. "
Configuring VLANs under Linux is a
process similar to configuring regular Ethernet interfaces. The main
difference is you first must attach each VLAN to a physical device. This is
accomplished with the vconfig utility. If the trunk device itself is
configured, it is treated as native."
Comments (3 posted)
Reviews
SourceForge
has a look
at GNU Mailman.
"
GNU Mailman has been with SF.net since the very beginning. SF.net now has (as of March 2004) over 75,000 projects; Mailman was registered when the site had just 102. The SF.net team is proud to make GNU Mailman the March 2004 SourceForge.net Project of the Month. We couldn't run the site without it."
Comments (none posted)
Miscellaneous
Sean D. Conway presents
an amusing user classifications system on Linux Journal.
"
I have developed three
categories using my limited knowledge of physics and chemistry to
classify the many masters that administrators are required to serve. The
three categories are endothermic users, exothermic users and toxic users."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The minutes are available from the Austin Group's
March 11, 2004 Teleconference.
Full Story (comments: none)
The Linux Professional Institute is updating exams and working on new
certification tests. There are four active projects in which the community
is invited to participate.
Full Story (comments: none)
The Open Source Development Labs has
announced
that Portlock, a storage management solution provider, has joined OSDL and
will participate in the Lab's Data Center Linux Working Group.
Comments (none posted)
Commercial announcements
Three companies have jointly announced the successes of using the
dual-license model, according to
this press release.
"
Sleepycat Software, Trolltech AS and MySQL AB today jointly announced that 2003 software license revenues for the companies increased an average of 65 percent over the previous year, largely due to their use of the dual-license business model. This increase is 10 times the overall growth of U.S. IT industry spending in 2003, measured at only 6.4 percent, according to the U.S. Department of Commerce."
Comments (none posted)
The China Ministry of Information Industry (MII) and Hewlett-Packard (HP)
have signed a memo of understanding to cooperate in establishing a Linux
Software Lab.
Full Story (comments: none)
Remember Turbolinux? The company has surfaced with
this press release stating that HP's new Asian desktop systems will be running the Turbolinux 10 Desktop distribution. Among other things, Turbolinux 10 Desktop is based on the 2.6 kernel.
Comments (none posted)
As a follow-up to the recent announcement regarding MandrakeSoft's
return to profitability, MandrakeSoft now announces that MandrakeSoft stock
has resumed trading on the European Euronext stock exchange.
Full Story (comments: 1)
MandrakeSoft has put up
a page
describing how interested parties in Europe and the US can buy and sell its
newly relisted shares.
Comments (none posted)
A new Japanese Linux consortium called
Nature's Linux Alliance (NLA)
has been formed.
"
A group of 14 information technology (IT) companies said Friday they have established a consortium to develop an advanced information system using a Linux-based operating system (OS)."
The group aims to use Linux to provide a network services infrastructure
to government offices and corporations.
Comments (none posted)
Red Hat, Inc. has
announced
a seven-city international tour to meet, educate, and present to customers
and users around the world. The tour is sponsored by IBM and HP, with stops
in Tokyo, Brisbane, Sydney, Munich, London, Boston and Toronto.
Comments (none posted)
The SCO Group has
announced that
the company will be buying up to 1.5 million of its own shares.
"
'This action reflects our strong belief in the fundamental value of
our intellectual property and core business,' said Ralph Yarro, chairman of
the board, The SCO Group. 'At current prices, we believe our stock
represents an attractive investment opportunity and that this action
reflects our ongoing commitment to improving long term stockholder
value.'" Right.
Comments (29 posted)
SGI has put out a press release on its role as a Gold Sponsor in the
upcoming Open Source Business Conference.
Full Story (comments: none)
Maya Tamiya has sent us this
Turbolinux
announcement (in Japanese), along with this partial translation:
"
Turbolinux's parent company, Livedoor, the largest toll-free ISP in
Japan, also Lindows' Japanese exclusive agency, announced that Livedoor
would acquire Turbolinux in a stock swap. Turbolinux will become a wholly
owned subsidiary of Livedoor."
Comments (1 posted)
New Books
The book
Perl Medic: Transforming Legacy Code by Peter Scott
has been published by Addison-Wesley/Prentice Hall.
Full Story (comments: none)
Resources
The March 10, 2004 edition of the
Linux Documentation Project Weekly News is out with the latest
new documentation releases.
Comments (none posted)
The March 16, 2004 edition of the Linux Documentation Project Weekly News
is available with the latest new documentation.
Full Story (comments: none)
Some new documentation on the MILTER mail filtering system
is available.
"
MILTER is a great API but really deserves more "exposure".
Hence, a contributed document offering an Introduction to Milter and lis of Products based on it.
Comments/suggestions/help welcomed."
Comments (none posted)
Upcoming Events
KDE.News has
an announcement
that details the KDE presence at CeBIT in Hannover on March 18-24, 2004.
"
The KDE Project will be present and showcasing the latest
developments of the innovative KDE 3.2 desktop. The KDE Team can be
found in the booth of Linup Front, come around and visit the
developers, translators and representatives who are there."
Comments (none posted)
MySQL AB has
announced the keynote speakers for the MySQL Users Conference, coming
to Orlando in April.
Comments (none posted)
A French Perl Workshop
will be held in Paris on June 6 and 7, 2004.
Comments (none posted)
A call for papers
is online for the First Italian Perl Workshop. The event will
take place at the University of Pisa, on July 19-20, 2004.
Comments (none posted)
A gathering called SALPA ("Sapere Aperto e Libero nella Pubblica
Amministrazione") will be held March 22 and 23 in Pisa, Italy.
The Forum is organized by the Pisa provincial government; it is intended
to provide space for "political debates, best practices, tutorials for
public employees, and an exposition area." Click below for the details, or
see
the SALPA web site (both in
Italian).
Full Story (comments: none)
| Date | Event | Location |
| March 18 - 24, 2004 | CeBIT | Hannover Exhibition Center, Hannover, Germany |
| March 21 - 26, 2004 | Novell BrainShare 2004 | Salt Lake City, Utah |
| March 22 - 23, 2004 | Pisa forum on open source in government | Pisa, Italy |
| March 24 - 26, 2004 | PyCon DC 2004 | Washington, D.C. |
| March 25 - 26, 2004 | Open Source Forum 2004 | The Sydney Marriott Hotel, Sydney, Australia |
| March 27 - 28, 2004 | Nordic Perl Workshop 2004 | Symbion Science Park, Copenhagen, Denmark |
| March 27 - 28, 2004 | YAPC::Taipei::2004 | Taipei, Taiwan |
| March 29 - April 1, 2004 | Embedded Systems Conference | Moscone Center, San Francisco, CA |
| April 5 - 7, 2004 | Samba eXPerience 2004 | Hotel Freizeit In, Göttingen, Germany |
| April 5 - 8, 2004 | ClusterWorld Conference & Expo | San Jose Convention Center, San Jose, California |
| April 13 - 15, 2004 | Real World Linux 2004 Conference & Expo | Metro Toronto Convention Centre, Toronto, Ontario, Canada |
| April 14 - 16, 2004 | MySQL Users Conference and Expo 2004 | Peabody Hotel Orlando, Orlando, FL |
| April 14 - 17, 2004 | ACCU Spring Conference 2004 | Randolph Hotel, Oxford, England |
| April 16 - 18, 2004 | Penguicon 2.0 | Detroit Sheraton Novi Hotel, Novi, MI |
| April 20 - 21, 2004 | LinuxUser & Developer Expo | Olympia, London, England |
| April 22 - 23, 2004 | 2004 Desktop Linux Summit | Del Mar Fairgrounds, San Diego, California |
| April 26 - 27, 2004 | Digital Media Project Traditional Rights and Usages Workshop | Los Angeles, CA |
| April 29 - May 2, 2004 | 2nd Linux Audio Developers Conference | Institute for Music and Acoustics, Karlsruhe, Germany |
| May 3 - 5, 2004 | International PHP Conference 2004 Spring Edition | Amsterdam, Netherlands |
| May 6 - 8, 2004 | TheServerSide Java Symposium | The Venetian, Las Vegas, NV |
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
From: Timur <>
To: letters-AT-lwn.net
Subject: gwdg.de contains unsigned rpms: risk of apt repository compromise?
Date: Tue, 16 Mar 2004 02:41:12 -0800 (PST)
Dear Editor,
I found out recently that there is an increasing
number of RPMs in the apt repository on gwdg.de which are
not signed. The apt repository on gwdg is very useful
since it allows people to automagically update their
distribution with the latest packages (as you reported in
one of your articles).
The lack of RPM signatures generates two issues:
a - packages cannot be installed via apt (the latest
apt/apt-libs/synaptic refuse to install unsigned
RPMs): it is annoying but a minor issue since you can
always install the downloaded package via rpm -Uhv
b - potentially VERY important - we could risk a
situation similar to Debian where compromised packages
(i.e. with Trojan horses) are spread on our Linux
systems
Is there any reason for having unsigned packages? Is
there the risk that our repository has been
compromised?
Maybe I'm too paranoid, but I think it is better to
verify it... Can you eventually ask about it in your weekly
document?
If there is no issue then I think that the maintainer
of those packages should start to sign the RPMs once
again...
regards,
Timur
Note: if possible I would prefer that my address
doesn't appear in your magazine.
Comments (1 posted)
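Timur's point (a) is the check that apt-rpm and synaptic were enforcing: a package whose digests match still gets "OK" from `rpm --checksig`, so "OK" alone does not tell you whether a GPG signature was present and verified. The script below is an added example (not code from LWN, gwdg.de, or the apt-rpm project) that classifies `rpm --checksig` (`rpm -K`) output into signed, unsigned, missing-key and bad, so that a mirror operator or user can find the unsigned packages Timur describes before installing anything. The line shape it parses is my assumption of what rpm 4.x printed at the time, and the sample lines and file names are constructed for the example.

```python
"""Audit `rpm --checksig` output for packages that are not GPG-signed.

Added example; not LWN's, gwdg.de's or apt-rpm's code.  Assumed line shape
(rpm 4.x), one line per package:

    <file>: <check tokens> OK
    <file>: <check tokens> NOT OK (<reason>)

The tokens (sha1, md5, dsa, gpg, ...) name the checks rpm performed.  The
key fact for Timur's point: a line with no "gpg"/"pgp" token still reads
"OK" because only the digests were checked, i.e. the package is unsigned.
"""
import re
import sys
from typing import Dict, Iterable, List, Tuple

LINE_RE = re.compile(
    r"^(?P<file>.+?):\s+(?P<tokens>.*?)\s*(?P<status>NOT OK|OK)"
    r"(?:\s+\((?P<reason>[^)]*)\))?\s*$"
)

# Tokens that denote a public-key signature check (parenthesised or uppercase
# variants such as "(GPG)" or "GPG" count as well).
SIG_TOKENS = ("gpg", "pgp")


def classify(line: str) -> Tuple[str, str, str]:
    """Return (file, verdict, detail) for one rpm -K output line.

    verdict: signed | unsigned | missing-key | bad | unparsed
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return (line.strip(), "unparsed", "")
    fname = m.group("file")
    tokens = m.group("tokens").split()
    reason = m.group("reason") or ""
    has_sig = any(t.strip("()").lower() in SIG_TOKENS for t in tokens)

    if m.group("status") == "NOT OK":
        # A signed package whose signer's key is not imported is reported
        # by rpm with a MISSING KEYS reason; anything else that is NOT OK
        # means a digest or signature check actually failed.
        if has_sig and "MISSING KEYS" in reason.upper():
            return (fname, "missing-key", reason)
        failed = " ".join(t for t in tokens if t.isupper())
        return (fname, "bad", reason or failed)
    if not has_sig:
        return (fname, "unsigned", "digests only: " + " ".join(tokens))
    return (fname, "signed", " ".join(tokens))


def audit(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group package file names by verdict; blank lines are skipped."""
    report: Dict[str, List[str]] = {
        "signed": [], "unsigned": [], "missing-key": [], "bad": [], "unparsed": []
    }
    for line in lines:
        if not line.strip():
            continue
        fname, verdict, _ = classify(line)
        report[verdict].append(fname)
    return report


# Constructed sample output (not real gwdg.de packages); the key id is a
# placeholder.
SAMPLE_OUTPUT = """\
example-signed-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-unsigned-1.0-1.i386.rpm: sha1 md5 OK
example-nokey-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
example-tampered-1.0-1.i386.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK
"""


def main() -> int:
    """Read rpm -K output from stdin (or the sample) and print a report.

    Exit status is non-zero when anything other than a verified signature
    was seen, so the script can gate a mirror sync or an apt run.
    """
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines()
    report = audit(src)
    for verdict, files in report.items():
        for f in files:
            print(f"{verdict:12s} {f}")
    return 0 if all(not report[v] for v in ("unsigned", "missing-key", "bad", "unparsed")) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Typical use is `rpm --checksig /path/to/mirror/*.rpm | python3 checksig_audit.py`; "unsigned" is the state Timur saw on gwdg.de, and "missing-key" usually means the repository's signing key has not been imported with `rpm --import` rather than a tampered package.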
From: Leon Brooks <leon-AT-cyberknights.com.au>
To: jim_kerstetter-AT-businessweek.com
Subject: You've been misled a bit here and there, Jim
Date: Fri, 12 Mar 2004 09:34:55 +0800
Cc: letters-AT-lwn.net
Quoting:
http://www.businessweek.com/technology/content/mar2004/tc20040311_8915_tc119.htm
> Goldfarb wouldn't identify the executives, but says neither Chairman William
> Gates nor CEO Steve Ballmer were among them.
Hint: Paul Allen's company Vulcan Capital is BayStar's biggest investor.
Follow the money.
> SCO says it inherited control of the original Unix computer server software
> developed at Bell Labs more than 30 years.
TSG's (The SCO Group's) own website states that The Open Group own both the
UNIX and UNIXWARE trademarks. The Copyright office have no record of any
copyrights being conveyed to TSG, TSG own no UNIX-related patents, and TSG
have dropped all claim to trade secrets in their suit against IBM - so what
"control" remains to them? TSG-as-Caldera released a good deal of their
foundations in the "Ancient Unix" sources and elsewhere, too.
Contractual rights? But I've signed no contract with them, and nor have Red
Hat, Mandrake, or any other Linux distributor that I know of.
> On March 3, 2004, SCO upped the ante, filing suit against two big corporate
> users of Linux software, AutoZone (AZO) and DaimlerChrysler (DCX).
The suits aren't actually about Linux. One is about breach of contract and the
other is about the WABI libraries. While this statement is in strict terms
correct, it does leave a very misleading impression.
In terms of Linux end users, TSG have so far limited themselves to suing their
own customers (a brilliant business model, no? their shares seem to be losing
a bit under a dollar a day as I type), which represents a rapidly dwindling
pool of targets, and certainly won't encourage new signatories.
> Microsoft was also one of the first companies to buy into SCO's licensing
> program, taking two licenses from SCO worth more than $12 million
Each. At least.
Microsoft have hereby caused themselves a problem. They've so far been unable
to point to any of their own software which justifies that purchase.
> Other big tech companies, including Sun Microsystems (SUNW) and Computer
> Associates International (CA), have also bought licenses from SCO.
CA hasn't bought a "Linux licence", what they did buy was UnixWare licenses as
a part of a settlement with The Canopy Group, TSG's parent.
Sun hasn't bought a "Linux license" either, just insured their own products
against suit. Solaris is unquestionably derived from System V Unix - which,
it seems, is actually owned by Novell. TSG are at best renting it from them.
EV1 nee RackShack did in fact buy a "Linux licence", then TSG publicly lied
about the terms of purchase ("worth upwards of seven figures" when in real
life the amount was apparently in the five-figure range) and roughly a
quarter of EV1's rack customers (so far) have abandoned them for other
hosting providers.
Remember that "the Linux community" includes everyone from Joe Random
Thirdworlder squeezing in computer time whenever the generator's up and
burning incense to the gods of journalling filesystems, through many small
(iLaw, CyberSource) and medium sized (Google, SGI) companies to behemoths
like Hewlett-Packard and IBM and even governments. Red Flag Linux is
effectively China's Linux distribution, supported by a government ruling one
and a half billion people. We're not just a gaggle of wild-eyed teenagers,
dole bludgers and retirees; we field scientists, engineers, Admirals and
Generals, millionaire investors, teachers and sometimes even graphic
designers.
Cheers; Leon
Comments (2 posted)
Page editor: Jonathan Corbet