LWN.net Weekly Edition for April 1, 2004 [LWN.net]

A look at GNOME 2.6

March 31, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

With the GNOME 2.6 release pushed back a week due to GNOME Web Server intrusion, we decided to take an early look at 2.6 with the 2.5.92 test release. For this preview, GNOME 2.5.92 was built using GARNOME on a system running SUSE Linux 9. The GARNOME GNOME distribution is based on the GAR Architecture; it allows a user to build bleeding-edge software without impacting their current system setup, and without having to check releases out of CVS. This is very handy when using a single system for software testing and everyday work that requires a stable desktop.

GARNOME took the better part of an afternoon to build the GNOME 2.5.92 desktop and basic GNOME components on a machine with an Athlon XP 2600+ CPU and 1 GB of RAM. The basic desktop build consumed a little more than 300 MB of space.

The first thing that most users will notice about GNOME 2.6 is that it seems much faster than previous releases, particularly at startup. The Nautilus shell is also much faster than previous releases, but the default behavior has changed for the worse. When navigating through a directory structure using Nautilus, the default is now for Nautilus to open a new window each time the user opens a directory. Needless to say, this behavior rapidly results in a cluttered desktop. It is possible to override this behavior by using the "--browser" option, but it would be preferable for the default behavior to be the least annoying.

Epiphany 1.2 is speedy, and quite streamlined. Perhaps a little too streamlined, in fact. Epiphany's limited feature set may be less confusing for new users who would be overwhelmed by Mozilla's vast array of options. However, users who have become accustomed to Mozilla may find that Epiphany's minimal features are a bit constrictive. The absence of site-specific pop-up blocking could be a problem for some users who have used Mozilla and Firefox's pop-up blocking features. Epiphany also requires that the user close each browser window individually rather than offering the user the ability to exit all browsers. This may save a user from accidentally closing all of their browser windows when they wish to close only one, but it also requires quite a bit of clicking when a user wishes to exit multiple browser windows.

A smaller annoyance is that Epiphany 1.2 does not allow the user to scroll through recently visited sites via the location toolbar. It's unclear what advantage there is to removing such a simple and commonplace feature. The user is able to select from similar URLs after clicking on the location bar and typing a few letters of the URL, but there is no button to allow the user to simply click and highlight a recently visited URL that remains in the location bar history.

A short while ago I tested the Evolution 1.5 release included in the first Fedora Core 2 test release. GNOME 2.6 includes Evolution 1.5.5, which seems far more stable than it was back in February. They are still including a dialog that warns users that 1.5.5 is test software and recommends that the user download 1.4 if they wish to use a stable branch of Evolution. Evolution 1.5 has a few new features, and loses a few as well. The most notable new feature in 1.5 is junk mail filtering. Notably absent is Evolution's "Summary" panel.

GNOME 2.6 also includes the GTK+ 2.4.0 release. This release introduces a new file browser dialog that, in this writer's opinion, is a vast improvement over the "standard" file dialog. When the user navigates into a directory tree, the file browser creates navigation buttons for each directory. For example, if a user navigates into "local/mozilla/chrome" under their home directory, the dialog will create buttons for "local," "mozilla," and "chrome," in addition to the ever-present "Home" button in the dialog. When the user navigates upward in the directory tree, the sub-directories will still be represented as long as they are in the same hierarchy. This allows the user to navigate through the directory structure much more quickly.

Another application included in GARNOME, though not part of the default desktop build, is Totem movie player based on Xine. It's a nice little media player that plays a wide variety of media, including CDs, VCDs and DVDs (providing libdvdcss is installed for encrypted movies), MPEG video, Ogg files and MP3s. Having used Ogle a great deal in the past, this writer is far happier with Totem for DVD playback. It should also be noted that this author spent more than an adequate amount of time testing Gnometris 2.5.9, and can verify that it is fully ready for deployment.

There are, of course, far too many useful applications in the GNOME arsenal to mention here or to test in a reasonable amount of time. It should suffice to say that GNOME/GARNOME 2.5.92 includes a wide array of useful applications for desktop use, including Gnumeric, the Conglomerate XML editor, gLabels (a handy label-making program), Sodipodi, and many others.

For the most part, the 2.5.92 release is ready for widespread use. There were a few glitches here and there, but it's likely they will be ironed out by the final 2.6 release. One also wishes that it were possible to change certain GNOME settings without having to resort to using the GConf editor. One is unpleasantly reminded of the Windows Registry when tinkering with GConf.

Aside from small glitches and minor annoyances, GNOME 2.5.92 was extremely stable and pleasant to use. Pleasant enough, in fact, to cause this writer to seriously consider switching from XFce to GNOME on a permanent basis. Though one may not agree with all of the interface decisions made by GNOME's developers, it is obvious that the GNOME developers have been working hard to make GNOME a useful and user-friendly desktop environment.

Comments (18 posted)

The Aberdeen Group looks at free databases

The Aberdeen Group has put together an "analyst report" on free databases, as typified by MySQL, PostgreSQL, and Berkeley DB. The report is available for download, in PDF format, from the SleepyCat site, but one must get through a moderately obnoxious registration screen first. For those who don't want to do that, here's a quick summary.

The report starts with a set of reasons why free databases are of interest; they include control over maintenance and support, source availability, cost, flexibility, and reliability. A quick summary of the three covered systems follows, with the "key features" which are supported or missing. The report summarizes the situation in this way:

All of today's open source databases are seen today as lacking especially in scalability, and to a lesser extent in robustness, flexibility, and programmer support. Therefore, they are not classified as "enterprise." Many are clearly deficient in at least the first three aforementioned technologies - they do not offer (or offer limited) stored procedures, do not offer two-phase commit, and do not offer exceptional multiprocessing support.

The free database systems have reached "enterprise" levels of scalability and robustness, however.

The free database market, says Aberdeen, is currently worth about $100 million per year - compared to $10.5 billion for the proprietary variety. Free databases have mostly been making inroads at the low end of the market (the report doesn't say this, but that is how disruptive technologies usually get their start). Aberdeen mentions several times in particular that free databases on Linux are displacing SCO installations. The biggest area for free databases, however, is "new in-house applications." Displacing entrenched systems in other applications is currently too hard, but new applications typically do not have legacy issues to deal with. The best markets for free databases have been in retail and telecommunications.

As for the future:

Over the next two years, the market will reach a "tipping point" at which a larger range of vertical application and line-of-business programmers will find open source databases' low cost and association with other open source software such as Linux a good reason to include open source databases in their plans. At that point, open source databases will begin to have a significant impact on the overall database market, on database pricing, and on the readiness of the market for an "enterprise-scale open source database."

The authors of the report talked with free database users, and found that those users are well pleased with the level of programming help and support available for the software. If you use a free database system, you can actually talk with the engineers who wrote it, which is not possible with large, proprietary systems. Thus, notes the report, if you're using a free database, you should expect to communicate with the development community, and not just with a vendor.

The talk of licensing is remarkably FUD-free:

Users should also note that open source licenses are different from proprietary ones. Users should understand the differences and then rejoice in the ease of maintenance of open source licenses, which do not require extensive administration.

The report concludes by saying that free database adoption will stay slow for the next couple of years before beginning to ramp up. The authors state the the lower-level programming tools offered with free database systems will slow down adoption somewhat. Over time, however, the advantages of free databases will lead to those systems having a "moderately bright" future.

Comments (13 posted)

Test releases - be careful out there

The announcement for the second Fedora Core 2 test release went out right on schedule. We hope to have a review of this release done in the near future. In the mean time, it's worth noting that the interest in this release appears to be relatively high, and that some testers are encountering significant difficulties with this release.

Some of the problems being encountered are not surprising to anybody. FC2t2 is the first test release which has SELinux enabled. The incorporation of SELinux into a multipurpose distribution like Fedora is simply guaranteed to generate a fair number of surprises. Working with SELinux in the test release is, in fact, likely to be relatively obnoxious; it is, after all, a fundamentally different security model. There will be a lot of glitches to shake out. Anybody who is even thinking about going near Fedora SELinux in the near future should have a good look at the FC2 SELinux FAQ first. Then read it a second time.

Adding SELinux is certain to be disruptive. Some users will no doubt be unhappy about the fact that they are, in some sense, helping Red Hat debug this feature so that it can be incorporated (with less pain) into the Enterprise Linux products. Bringing in SELinux is an important thing to do, however; we have to improve the security of our systems, and SELinux has the potential to help in the containment of compromises. The Fedora Project is doing us all a favor by blazing this particular trail.

The FC2t2 installation disk has also surprised a number of testers by refusing to boot on their systems. The workaround is fairly straightforward: boot from an earlier Fedora disk, then swap CDs at the boot prompt. But this failure, combined with some other difficulties, has led some potential testers to criticize Red Hat in a loud and public way. The claim is that insufficient quality control on Red Hat's part led to them wasting a bunch of time and bandwidth downloading a release that they cannot even install, much less test.

What may be happening here is that Fedora is bringing in some new users who are unaccustomed to testing bleeding-edge software. New participants in the development process are more than welcome, but they do need to realize that they are exactly that: participants in the development process. No product as complicated as a Linux distribution is going to reach a steady state without a great many testers giving it a try and shaking out the bugs; this is true even of distribution releases which do not include little novelties like the 2.6 kernel and SELinux. If you install (or attempt to install) a test release, you have to be prepared for surprises. When a surprise finds you, it's time to pick up the pieces and help the developers figure out what's going on. But it helps nobody if testers criticize those developers when the test release they have provided (for free) has problems.

Comments (4 posted)

A quick SCO update

There has been action in a couple of the SCO Group's legal cases, so it's time for an update.

IBM has amended its counterclaims in response to SCO's second amended complaint. One of the patent claims has been dropped, and quite a bit of strong language has been added. For example, paragraph 60:

SCO further persisted in maintaining for nearly a year the unsound claim that IBM had misappropriated its trade secrets. Yet when pressed to identify a single trade secret that IBM allegedly misappropriated, SCO could not, even after being ordered to do so by the Court. SCO finally (and properly) abandoned this claim, upon which SCO's entire lawsuit was initially premised, in its Second Amended Complaint.

Several paragraphs describing Novell's claims and actions, including the claims to have retained the Unix copyrights, have been added. Some new claim language states:

IBM is entitled to a declaratory judgment pursuant to 28 U. C. 9 2201 that IBM does not infringe, induce the infringement of, or contribute to the infringement of any SCO copyright through its Linux activities, including its use, reproduction and improvement of Linux, and that some or all of SCO' s purported copyrights in UNIX are invalid and unenforceable.

If IBM obtains such a judgment, SCO's case is essentially over; all that will be left is SCO's defense against IBM's counterclaims.

SCO, meanwhile, has filed a motion to bifurcate the IBM trial. SCO would like to split IBM's patent charges into a separate, trial with its own schedule. SCO's claims that the patent case is unrelated to the Linux-related charges are not entirely without merit; this motion might just be granted.

In the Novell case, SCO has been trying to get the trial moved back to Utah state court where, one assumes, it believes it will get a more favorable hearing. Novell has filed a memorandum in opposition of this motion (available in PDF format) that minces no words; from the opening paragraph:

This Court has jurisdiction over SCO's slander of title action because in order for SCO to prevail, it must prove it owns the copyrights at issue, and its claim of ownership turns on an issue of federal law. SCO claims it owns these copyrights through assignment from Novell. Therefore, in order to prove its case, SCO must point to documents that transferred the copyrights from Novell. Federal copyright law determines the adequacy or inadequacy of documents as a legal instrument to transfer copyrights.

Novell then dedicates several pages of legalese to the destruction of SCO's arguments. From an outside point of view, Novell's arguments look hard to answer.

In the Red Hat case: nothing has happened, as usual.

Finally, SCO has announced that SCO Forum 2004 will be held August 1 to 3 in Las Vegas. Even here, the company is rather economical with the truth: "SCO Forum 2004 will highlight the company's 25th anniversary in bringing powerful UNIX software solutions to businesses around the world." The SCO Group, originally Caldera, has been incorporated since 1998 (though Caldera, in a different form, had been around since the early 1990's). This company will not be celebrating its 25th anniversary anytime soon.

In any case, the event could be amusing; one can well imagine that, by August, the tone will not be particularly upbeat. Mark your calendars.

Comments (9 posted)

Page editor: Jonathan Corbet

Security

Utah's anti-spyware law

March 31, 2004

By Pamela Jones, Editor of Groklaw

There oughta be a law, as they say, and now there is one in Utah. Yes, Utah is first state in the US to pass legislation banning certain kinds of spyware, the Spyware Control Act, and they took a heap of criticism from the likes of Microsoft and even cuddlier companies like Google, Novell and Amazon, who tried to block it from being passed, but failed. The governor just signed it last week.

Why? What is in this bill that such a broad coalition of companies took a look at it and didn't like what they saw? The best place to go to understand the new law is Ben Edelman's page, A Close Reading of Utah's Spyware Control Act (H.B.323). He has a clear chart showing in a creative way what the law says, with all its subclauses visually laid out. He consulted with the Utah legislators who prepared the bill, and his take on it is worth reading.

He was mightily surprised to see companies like Yahoo and AOL and Amazon and all the rest united against this bill. He concludes they have misunderstood the bill, and after researching it, I think that is indeed part of the problem. Novell's Vice President and Deputy General Counsel Ryan Richards wrote an Op Ed piece for the local paper about the bill in mid-March, "'Spyware' Bill Would Hurt Net Use", where he lays out the objections that he had to the bill and what he felt would be its unintended consequences. Here's a bit of what he wrote: ". . . the bill in its current form could potentially criminalize some of the most popular consumer software on the market, including popular media players, anti-virus programs, internet services, e-mail programs, and networking software."

After reading the bill itself, however, I believe he misunderstood the law, and I have concluded that the consequences are not unintended but rather precisely what the legislators meant to achieve. They intended that hidden spyware that transmits information about users without their consent, be outlawed. It's a bit like the definition of spam. "Legitimate" advertisers would like us to exempt their mailings from that definition. Now they want us to exempt them from the definition of spyware. The Utah legislators passed a bill that doesn't make that distinction. They are telling all companies to just quit it.

Because Ed Felton's analysis of the bill included the statement, "I have not seen specific examples of legitimate software that would be affected," I asked Novell's Bruce Lowry what products of theirs might be impacted by this bill, if any. He replied that while the bill is written in a vague enough way that he wasn't quite sure, one product might be ZENworks, used to configure machines and update software, including security patches, remotely. You can see a demonstration of ZENworks in a video on Novell's coverage of its recent Brainshare conference. I thought it looked like a wonderful product, but it does have to monitor computer usage to work and it sends reports back to a remote server, "both actions that would appear to make ZENworks 'spyware' under the terms of the legislation," Lowry worries. "The language doesn't distinguish between this type of high value, legitimate monitoring of computer activity from those actions that the legislation is ostensibly targeting - i.e. unsolicited advertising."

That would be an understandable worry, if he were correct that the law outlawed that product and others like it. But my reading of the statute convinces me that the bill only requires companies to let users know how products like ZENworks do what they do, get user consent, which presumably they already do, and make it possible to uninstall ZENworks, if users want to later. How burdensome is that? Further, Section 5 specifically excludes "software designed and installed solely to diagnose or resolve technical difficulties."

The strong reaction to this modest bill -- and you can read a PDF letter written by the companies and organizations that united to oppose it -- makes me heart-sinkingly sure that companies currently do quite a bit of monitoring and that the bill is designed to solve a runaway problem. Obviously, currently there is no law against spyware, except in Utah, although there is a bill being prepared on the federal level, and the FTC is holding hearings in April. Europe is considerably ahead of the US on privacy issues, maybe because Madison Avenue is an American phenomenon.

Might Mr. Richards be referring to that popular media player of the same name that the EU Commission just ordered Microsoft to unbundle, for example? Considering Microsoft Media Player's calling-home features, I'd say "probably." And while everyone has been talking about "benign" and "important and beneficial Internet communication software", that perennial favorite "stifling innovation", and the bill burdening users with notices, as if anybody cared about us anyhow, the truth is more likely to be elsewhere. Might it be that advertisers are worried about their income stream, and that at least some of the objecting parties - who are also entertainment purveyors - want to know exactly what everybody is up to with their music and DVDs and intend to spy to the extent they think they can get away with?

There is also a chilling statement in the letter listing reasons the signatories oppose the bill: "The bill also would create serious barriers to collection of data that Internet companies and security companies use to analyze and prevent hacker attacks on the Internet. This security problem is exacerbated by the fact that computer hackers, and other criminals could refuse to consent to use the software that law enforcement officials need to be able to conduct investigations." What are they saying? That instead of getting court orders to track criminals, which doesn't require their permission, law enforcement officials currently track everybody with commercial spyware? That's the kind of revelation, if that's what they meant, that gives privacy lovers hives.

So, what does the bill outlaw?

First, what it doesn't outlaw. It doesn't say they can't spy on us customers. They just have to tell us, in plain language, what they intend to do and get our consent, and make it possible for us to uninstall whatever we let them put on our computers, if we later change our minds. Before you say no one would ever give consent, think about Google's toolbar. A lot of folks trust Google, and they say yes when Google asks if they can track them. And no, Google's toolbar is not outlawed by this bill, because they comply with the notice and uninstall requirements already. Maybe that's why many trust them.

Excluded from the definition of spyware, are programs that diagnose or resolve technical problems, cookies, HTML code, and JavaScript used to report info stored on the user's computer, and operating systems. Plenty of wiggle room there. Anti-virus software and firewalls typically come with licenses that tell you what they do and thus get the necessary consent. The bill also outlaws intrusive ads that block the user's view of "legitimate" paid ads and website content. The liability for those who do it anyway is $10,000 per ad displayed, and that is tripled if the jury thinks they did it on purpose.

There is a catch. The victim can't bring a lawsuit. Only website owners, advertisers, and copyright and trademark owners (that elite bunch that legislators adore to write laws for) can sue. The rest of Utah's citizens must report violations to the Division of Consumer Protection, and the agency follows through, hopefully. The Utah legislators need to vote some funding if they are serious about stamping out spyware in Utah.

Ben Edelman tells me it wouldn't surprise him to see exactly that happen in coming years. "I think the bill reflects a good initial attempt to protect consumers and web sites from the many negative effects of spyware programs," he says, "and I think it offers a sensible and workable framework for doing so."

Comments (22 posted)

New vulnerabilities

courier - Remote buffer overflow vulnerabilities

Package(s):

Courier

CVE #(s):

CAN-2004-0224

Created:

March 29, 2004

Updated:

April 1, 2004

Description:

Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system.

Alerts:

Gentoo

200403-06

2004-03-26

Comments (2 posted)

emil: Buffer overflow and format string vulnerabilities

Package(s):

emil

CVE #(s):

CAN-2004-0152 CAN-2004-0153

Created:

March 25, 2004

Updated:

March 31, 2004

Description:

The emil mail filter utility has buffer overflow and format string vulnerabilities that can be exploited locally and remotely, It may be possible to craft an email that exploits the vulnerability and executes arbitrary code.

Alerts:

Debian

DSA-468-1

2004-03-24

LWN.net Weekly Edition for April 1, 2004

courier - Remote buffer overflow vulnerabilities

emil: Buffer overflow and format string vulnerabilities

ethereal - multiple vulnerabilities

monit: buffer overflow and DOS

oftpd - denial of service

openldap: denial of service

pam-pgsql - missing input sanitizing

squid - vulnerability in URL decoding

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

apache2: Denial of Service vulnerability

ecartis: several vulnerabilities

Filename disclosure vulnerability in fam

fetchmail may crash on specially crafted message

gtkhtml: malformed messages cause crash

httpd - vulnerabilities fixed in Apache HTTP Server v2.0.49

iproute: local denial of service

kdelibs: cookie disclosure

kdepim: VCF file information reader vulnerability

kernel: local root exploit in 2.4.22

Linux kernel 2.2.10 failing function and TLB flush vulnerability

kernel-utils: setuid vulnerability

libpng, libpng3: buffer overflow

libxml2 - arbitrary code execution

mailman denial of service

mc: arbitrary code execution

metamail: integer and buffer overflows

mikmod: buffer overflow

mod_python: denial of service vulnerability

mozilla: multiple vulnerabilties

mpg321: format string vulnerability

mplayer: remotely exploitable buffer overflow vulnerability

mutt: buffer overflow

Nessus NASL scripting engine security issues

netpbm: insecure temporary files

openssh: timing attack leads to information disclosure

OpenSSL: denial of service vulnerabilities

perl information leak

postfix: denial of service vulnerabilities

PWLib: possible Denial of Service

python: buffer overflow

samba privilege escalation

sysstat: temporary file vulnerability

File overwrite vulnerability in tar and unzip

tcpdump: flaws in the ISAKMP decoding routines

Multiple vendor telnetd vulnerability

util-linux: information leak in the login program

uudeview temp file problem

The User Interface

Text Management

Scripting changes

What's Missing

Summary