Your editor did much of his early programming on a large, 60-bit computer.
"Large" as in "you could walk around inside it." Its six-bit character
set was challenged by exotic characters - like lower case. But it sure had
a fast card reader. Your editor has started a few articles by saying that
recent "progress" has made things worse, rather than better, but he won't
be saying that this time.
By the early 1980's, 32-bit systems had taken over much of the computing
world. And, with certain exceptions, 32 bits has been the way of things
for a good two decades. Processor speeds have gone up by three orders of
magnitude, as have disk sizes; main memory has grown by even a bit more.
But most systems sold today still use 32-bit words and addresses. The fact
is, 32 bits suffice for almost every quantity we need to manipulate with
computers. The exception, increasingly, is memory. We have hit the point
where we are running out of address space. The need to work with ever more
memory to run our increasingly bloated applications will eventually push
much of the industry over to 64-bit processors.
Your editor decided to be ahead of the curve, for once. So he ordered up a
new motherboard and Athlon64 processor. Before the process was done, he
also ended up buying a new video card, power supply, and disk drive. In
fact, the only original component left in the case (a holdover from when LWN
thought it might be a training company) is the diskette drive. But, the
new system is now up and running, and your editor has had a chance to get a
feel for what the 64-bit world has to offer.
The hardest question, perhaps, was the choice of distribution to run. The
new system replaces a Debian unstable box, so Debian was the obvious first
choice. The state of the Debian x86_64 port is a
little discouraging, however. Installation requires starting with the
basic x86 distribution, coming up with 64-bit versions of gcc and glibc,
building a new 64-bit kernel, booting that, and piecing together the rest
of the system with the other x86_64 packages that have become available.
More than ten years ago, your editor converted, by hand, his first Linux
box from a.out to ELF binaries; installing Debian x86_64 looks like a
similar process. Somehow, what looked like an interesting and instructive
adventure in the early 1990's is distinctly less appealing now.
MandrakeSoft and SUSE both offer x86_64 versions of their distributions. The
Gentoo port seems to be coming along reasonably well, but some time spent
digging through the Gentoo package
database shows that much of the software base still lacks x86_64 support. Your editor,
in the end, went with the Fedora Core 2 test 2 release, at least for
now. FC2t2 gives good visibility into the development process (as do
Mandrake and Gentoo), a familiar Red Hat core, and the ability to play
around with some bleeding-edge features like SELinux. It also is designed
around the 2.6 kernel, which is an important feature.
When one leaves the x86 mainstream, it does not take long to realize that
the well-trodden pathways have been left behind. Mirrors for the x86_64
architecture are relatively scarce and often behind the times. Most
applications do not, yet, come prebuilt for this architecture.
Documentation on how to get x86_64 systems up and running is minimal. It
is all a bit of an adventure.
That said, the FC2t2 distribution works well - as well as could be expected
on any architecture for a development release. And the really nice thing
about the x86_64 architecture is that most 32-bit x86 binaries work just fine,
as long as you have 32-bit versions of the relevant libraries around. That
fact alone makes the transition to this architecture relatively easy.
The need for 32-bit libraries complicates system administration, however.
An x86_64 Fedora system has many duplicated packages installed, and working
with rpm can, occasionally, be a bit confusing. The rpm interface was not,
perhaps, designed for dealing with a world where two packages have the same
name and version number, but are still distinct. Unless you plan to leave
the 32-bit world behind entirely, however, you will need two versions of
the libraries. Chances are that most x86_64 systems will want to run
32-bit binaries for some time - in some cases, they perform better, and, in
any case, some programs in FC2t2 (e.g. OpenOffice.org) are still built that
way.
Building applications can also be a bit of a challenge, at least at first.
Quite a few makefiles and configure scripts assume that libraries live in
/usr/lib. On a Fedora system, /usr/lib has the 32-bit
versions of the libraries; the native versions live in
/usr/lib64. A makefile which uses the default gcc (which compiles
in 64-bit mode) and tries to explicitly link against things in
/usr/lib will fail. Once you learn to recognize this problem, it
gets easy to fix.
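One way to recognize the problem before the link step fails, as an added Python example that is not part of the article: it reads the ELF class byte (e_ident[EI_CLASS]) of the objects in a library directory and reports any that a compiler targeting the other word size cannot use. The directory layout, the file names and the fake ELF headers are constructed for the demonstration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: 32, 2: 64}   # value of e_ident[EI_CLASS]


def elf_class(path):
    """Return 32 or 64 for an ELF object, or None for anything else.

    Only the 16-byte e_ident block is read; byte 4 (EI_CLASS) is what
    distinguishes a /usr/lib object from a /usr/lib64 one on Fedora.
    GNU linker scripts such as libc.so are plain text and yield None.
    """
    with open(path, "rb") as f:
        ident = f.read(16)
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        return None
    return ELF_CLASS.get(ident[4])


def find_mismatched_libs(libdir, target_bits):
    """List (name, bits) for shared objects in libdir that a compiler
    targeting target_bits (the default gcc on x86_64 targets 64) cannot
    link against. An empty list means the directory is safe to use in -L."""
    bad = []
    for name in sorted(os.listdir(libdir)):
        if ".so" not in name:
            continue
        bits = elf_class(os.path.join(libdir, name))
        if bits is not None and bits != target_bits:
            bad.append((name, bits))
    return bad


def _fake_elf(path, cls):
    # Constructed stand-in: a valid e_ident prefix plus a few header bytes;
    # not a loadable object, but enough for elf_class().
    with open(path, "wb") as f:
        f.write(ELF_MAGIC + bytes([cls, 1, 1, 0]) + b"\x00" * 8 + b"\x03\x00")


def make_fixture():
    """Build a constructed Fedora-style prefix: lib/ holds 32-bit objects,
    lib64/ the native 64-bit ones. Returns (lib_dir, lib64_dir)."""
    prefix = tempfile.mkdtemp(prefix="x86_64-libs-")
    lib = os.path.join(prefix, "lib")
    lib64 = os.path.join(prefix, "lib64")
    os.mkdir(lib)
    os.mkdir(lib64)
    _fake_elf(os.path.join(lib, "libz.so.1"), 1)
    _fake_elf(os.path.join(lib64, "libz.so.1"), 2)
    # A linker script, as shipped in real lib directories: text, not ELF.
    with open(os.path.join(lib64, "libc.so"), "w") as f:
        f.write("GROUP ( libc.so.6 )\n")
    return lib, lib64


if __name__ == "__main__":
    lib, lib64 = make_fixture()
    for d in (lib, lib64):
        print(d, "-> unusable for 64-bit gcc:", find_mismatched_libs(d, 64))
```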
Your editor was naturally interested in performance issues. To that end,
he built a version of bzip2 in both 64-bit and 32-bit mode and compared the
results. Both compression and decompression ran about 10% faster in the
64-bit mode. With the x86_64 processor, better performance is generally expected in
the native mode, mainly due to the additional registers which
are available. The executable size and memory usage in 64-bit mode were
larger, but not by much. A second test, using the SoundTouch
library yielded a surprise, however: changing the tempo of a large sound
file ran in less than 1/5 the time in 32-bit mode. The Athlon64 processor,
it would seem, runs certain operations far more slowly in 64-bit mode; your
editor has not, yet, had the time to track this one down.
Despite the paucity of mirrors, the glitches, and the surprises, the x86_64
platform makes for a very nice Linux system. The kernel support for this
architecture is outstanding, the performance is good, and the expanded
address space renders concepts like "high memory" obsolete. After all,
we'll never need more memory than can be addressed with 64 bits...
Seriously, however, this architecture has helped to realize one of the
great promises of Linux: a freedom of choice in hardware as well as
software. 64-bit systems are now available at a price even an LWN editor
can afford. This editor, who just shifted his old Pentium 450 box over to
sacrificial kernel testing duty, is distinctly less grumpy.
Comments (41 posted)
A new version of the much-hyped Nvu "Web Authoring System" is out, as well
as an updated version of the popular Bluefish editor. Since Web development
is an essential component to the success of Linux on the desktop, we
thought we'd take a look at these two releases as a gauge of Web
development tools available for Linux users.
The Nvu web site promises "A
complete Web Authoring System for Linux
Desktop users to rival programs like FrontPage and Dreamweaver." How
close does Nvu come to delivering on that promise?
To evaluate Nvu, one must first install the software. At the time of this
writing, the Nvu website offers packages for Lindows, Fedora Core 2 test 1
and Windows. Other interested parties must compile the application from
source. While this does not usually present a major hurdle for Linux users,
Nvu is not available in anything so straightforward as a source
tarball. The instructions, such as they are, instruct the user to pull
Mozilla from CVS, save a modified .mozconfig into the Mozilla source
directory, download a separate patch from Nvu and finally compile the
software. One almost gets the impression that the Nvu developers are
looking to make life difficult for non-Lindows users.
After jumping through the numerous hoops required to compile Nvu, we set
about evaluating the software. Since Nvu is derived from Mozilla's
Composer, we decided to open both applications up side-by-side to see what
improvements had been made to Composer. Nvu is not drastically different
from Composer, but there are a few new features worth noting. Nvu has some
obvious cosmetic differences, and offers an improved tabbed interface for
multiple document editing. It also includes a "Site Manager" Sidebar, which
is not available in Composer.
Another feature touted for Nvu is the ability to create templates that have
read-only sections and editable sections. Unfortunately, our attempts to
work with templates were less than successful. After creating and saving a
template, an attempt to create a new document based on a simple template
caused Nvu to promptly crash.
Nvu also includes "CaScadeS," a CSS editor that allows fine-grained control
over the styles applied to elements in your documents. The feature is
interesting, but slightly counter-intuitive. To invoke the editing menu for
a specific element, the user must right-click on an element displayed in a
menu displayed at the bottom of the editor. If the user is unaware of the
feature, it's quite likely that it will go completely unnoticed. Once one
is aware of the feature, it is easy to use. However, it would be much more
intuitive if the user was able to right-click on the element itself in the
editing pane to bring up the CaScadeS menu.
Nvu shows a great deal of promise, but it's not quite ready for a showdown
with Macromedia's Dreamweaver.
The Bluefish Web development
tool takes a different approach with its
"What You See is What You Need" interface. Users who wish to try out the
recent 0.13 release will appreciate that Bluefish is provided in a
straight-forward source tarball. Unlike Nvu, Bluefish's feature set is more
appropriate for the experienced Web developer working on more advanced
projects, including dynamic sites that make use of PHP, Perl, Python and
other scripting languages. Bluefish includes syntax highlighting for a host
of languages; everything from HTML to ColdFusion is represented.
It takes some time to fully explore Bluefish and all its features. Bluefish
provides a number of wizards and dialogs that make it much easier to add
forms, tables and so forth to a document. This writer particularly likes
Bluefish's custom menu, which allows the user to create their own dialogs
to generate snippets of code. The "Quickbar," which allows users to add
frequently-used buttons from other toolbars, is also a favorite.
Bluefish offers Web developers as much, or as little, assistance as they
need. A user can opt to use Bluefish as a souped-up text editor with
excellent syntax highlighting, or rely on Bluefish to generate much of
their code through wizards and dialogs.
Another nice thing about Bluefish is that it integrates well with other
tools that Web developers often use. Users can pipe their files in Bluefish
through HTML Tidy, Weblint and other programs to validate their HTML, or
easily configure Bluefish to open their work in their browser(s) of choice.
Despite the low version number, Bluefish is fairly mature and very
stable. It's well worth a look for users who want a flexible Web
development environment.
There are, of course, a number of other open source Web development tools
for Linux. The Screem website
development package is fairly popular, as is Quanta Plus, which we touched on when KDE 3.2
was released. For many, no IDE or GUI-based tool can replace Emacs or Vim
for churning out websites.
None of the tools available for Linux are quite as slick and polished as
Dreamweaver, but there are certainly plenty of options for users who are
looking for a suitable open source Web development tool.
Comments (3 posted)
The CEO of Green Hills Software, a proprietary embedded software company,
has sent out an amazing press release on how the use of free software in defense
systems "violates every principle of security." The PR tells us about how
"developers in Russia and China" are contributing to Linux, and the
horrible fate that awaits us:
Linux in the defense environment is the classic Trojan horse
scenario -- a gift of 'free' software is being brought inside our
critical defenses. If we proceed with plans to allow Linux to run
these defense systems without demanding proof that it contains no
subversive or dangerous code waiting to emerge after we bring it
inside, then we invite the fate of Troy.
The strident tone of the release, combined with the focus on threats from
Russia and China, makes it look like something from the Reagan
administration. It's hard to take this thing seriously.
The press release has been quickly written off as a desperate outburst from
a proprietary company that is losing business to Linux. And that is
probably exactly what it is. It would be interesting to hear how Green
Hills would explain this
Cisco security alert which came out on the same day as the anti-Linux
press release. Some of Cisco's products, it would seem, were shipped with a back
door which gives attackers full access; "there is no workaround." It is
also worth noting that the InterBase backdoor
existed in the proprietary product for years, but was discovered when the
product went open source. The remote shutdown "feature" found in a number
of software products is also relevant here. Proprietary software is not
immune to backdoors and Trojan horses; indeed, the opaque nature of
closed-source programs would seem to encourage that sort of misfeature.
Another point worthy of note: attempts to place back doors in free software
have mostly been carried out via the distribution network. Last year's kernel backdoor attempt tried to slip the code
in after compromising a CVS server. Trojan horse attacks on tcpdump, sendmail, OpenSSH, and others have worked by corrupting
distribution files, again via a compromised server. On the other hand, it
is very hard to find any record of an attempt to insert any sort of back
door via the free software development process. Such an attack, it would
seem, is not that easy to carry out; if it were, why would attackers prefer
direct assaults on infrastructure and distribution files - an approach
which is certain to lead to quick detection?
The free software development process is, perhaps, more robust than its
detractors would have people believe. But, once we're done patting
ourselves on the back (and let's not be too long about it) we have to face
a fundamental fact: code containing security vulnerabilities is committed
to project repositories every day. These vulnerabilities do not result
from deliberate attacks; they are, instead, simple bugs. But they get
into the code base, despite our heavily promoted review process.
It is also true that, sooner or later, somebody will certainly attempt to
get bad code accepted by a free software project. That code may contain a
back door, or it may be one of those "intellectual property" violations
that some people would so dearly love to find in Linux. Given that we
prove on a daily basis that insecure code is able to survive our
development process, how confident are we, really, that we'll trap a
deliberate, well-hidden hole? There are reasons to believe that our
processes are better than the proprietary variety; at least some outsiders
are looking at the code, and the chances that a backdoor will lurk for
years are small. But we cannot simply write off this threat; sooner or
later, it is going to come back to us.
Comments (17 posted)
Page editor: Jonathan Corbet
Security
Brief items
When a security vulnerability is found, the right thing to do is to prepare
a patch and circulate it as quickly as possible. At least, that would
appear to be the prevailing wisdom.
This ComputerWorld article, however, takes a different approach: in many
cases, patch circulation should be slowed down, not sped up.
The author is talking, in particular, about vulnerabilities which are found
by "white hat" hackers, as opposed to those which are already being
actively exploited. These vulnerabilities are, presumably, unknown to the
cracker community at the time the patch is prepared. But a security patch
provides an instant road map for anybody looking for vulnerabilities.
Rather than put in some honest work digging through and understanding a
large program, a cracker need only look at the piece of code which is
fixed. The release of a security patch allows administrators to close a
hole, but it also tells the world about the existence and location of that hole. At that
point, the race begins: administrators try to get the patch deployed before
the crackers get their exploits working.
What's needed is a way to give the defenders a larger window of time to
obtain patches before information about the vulnerability they fix is
distributed. Various approaches have been tried to accomplish that goal.
The "vendor-sec" mailing list, for example, helps Linux distributors and
other operating system vendors to all have their updates ready by the time
a vulnerability is announced. Vendor-sec helps, but it does not solve the
problem of actually distributing an update to millions of users.
The OpenSSH project once took a different approach and pushed a major update on users in an attempt to
deploy a security fix without saying what it was; this move was received
poorly, however.
What the ComputerWorld article suggests is that patches should be
distributed in encrypted form. For some period of time, the encrypted
patch is just a useless pile of bits sitting on the disk. This time would
be the window which allows the patch to be distributed without disclosing
the problem which is being fixed. After a given period of time, a key is
distributed which enables the decryption of the patch; at that time, clear
versions of the patch could also be made available. In theory, this
approach would enable the security-conscious users on the net to update
their systems nearly simultaneously as soon as the nature of the problem is
disclosed.
This is a solution which could perhaps work, though steps would have to be
taken to fend off denial-of-service attacks aimed at preventing the
distribution of the decryption key. The provision of encrypted patches
does go somewhat against the spirit of the free software community, and it
could, by some readings, be taken as a violation of the GPL. For almost
all of the security vulnerabilities which are reported, the encrypted patch
mechanism would be far more trouble than it would be worth. The next time
an easily-exploitable vulnerability turns up in a utility like bind or ssh,
however, it might be a nice option to have.
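The encrypt-now, release-the-key-later scheme described above, together with the key-distribution concern, as an added Python example that is not part of the article or of the ComputerWorld proposal. It uses only the standard library, so the cipher is an HMAC-SHA256 counter-mode construction (illustrative; a deployment would use an authenticated cipher such as AES-GCM), the sample patch is constructed, and the published key commitment is an added measure that lets clients accept the released key from any mirror rather than one jammable server.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample patch (not from any real project): the kind of small,
# self-describing fix whose mere publication points at the hole.
SAMPLE_PATCH = (
    b"--- a/parse.c\n+++ b/parse.c\n@@ -10,1 +10,1 @@\n"
    b"-    strcpy(buf, arg);\n"
    b"+    snprintf(buf, sizeof buf, \"%s\", arg);\n"
)

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one released key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 run in counter mode as a PRF-based stream cipher.
    # Illustrative, stdlib-only; a deployment would use AES-GCM or similar.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block),
                        hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def key_commitment(key):
    """Published alongside the blob on day 0. When the key is released
    later, any mirror can relay it: clients check it against this value
    rather than trusting the channel it arrived over."""
    return hashlib.sha256(b"patch-key-commitment:" + key).hexdigest()


def seal_patch(patch, key):
    """Vendor side, day 0: encrypt-then-MAC the patch under a fresh key.
    The returned blob can be mirrored everywhere while revealing nothing
    about which code is being fixed."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(patch))
    ct = bytes(p ^ s for p, s in zip(patch, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_patch(blob, key, commitment):
    """Client side, day N: accept the released key only if it matches the
    commitment, verify the MAC, then decrypt. Returns None on any failure,
    so a wrong or forged key, or a tampered blob, never yields a patch."""
    if not hmac.compare_digest(key_commitment(key), commitment):
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def run_exchange(patch=SAMPLE_PATCH, key=None):
    """Walk the whole cycle: day 0 the blob and commitment go out, day N
    the key is released. Returns (blob, commitment, key, recovered)."""
    if key is None:
        key = os.urandom(32)
    blob = seal_patch(patch, key)
    commitment = key_commitment(key)
    recovered = open_patch(blob, key, commitment)
    return blob, commitment, key, recovered


if __name__ == "__main__":
    blob, commitment, key, recovered = run_exchange()
    print("blob bytes:", len(blob), "commitment:", commitment[:16], "...")
    print("patch recovered intact:", recovered == SAMPLE_PATCH)
```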
Comments (9 posted)
New vulnerabilities
apache - denial of service in mod_ssl
Package(s): apache
CVE #(s): CAN-2004-0113
Created: April 13, 2004
Updated: May 25, 2004
Description: A memory leak has been discovered in mod_ssl that may be
triggered by sending normal HTTP requests to the Apache HTTPS port. An
attacker can exploit this vulnerability to consume all memory available in
the server, thus causing a denial of service condition. This problem has
been fixed in Apache 2.0.49.
Comments (none posted)
automake: symbolic link attack
Package(s): automake
CVE #(s): (none listed)
Created: April 8, 2004
Updated: April 14, 2004
Description: Automake may be vulnerable to a symbolic link attack which may
allow an attacker to modify data or escalate their privileges. This is due
to the insecure way Automake creates directories during compilation. An
attacker may be able to create symbolic links in the place of files
contained in the affected directories, which may potentially lead to
elevated privileges due to modification of data.
Comments (none posted)
cvs: client-side file overwrite vulnerability
Package(s): cvs
CVE #(s): CAN-2004-0180
Created: April 14, 2004
Updated: May 18, 2004
Description: The cvs client is vulnerable to a pathname vulnerability which
can allow a hostile server to overwrite files on the local system. The cvs
server is subject to a similar vulnerability which allows the checkout of
RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix
the problem.
Comments (none posted)
kernel: symlink overflow in the iso9660 filesystem
Package(s): kernel
CVE #(s): CAN-2004-0109
Created: April 14, 2004
Updated: July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660
(CDROM) filesystem which can be used by a local attacker to obtain root
privileges. The exploit requires creating a specially-crafted filesystem
and getting the kernel to mount it. Many systems are configured to
automatically mount CDs on insertion, however, so the possibility of this
vulnerability being exploited by users with physical access to the system
is real. The 2.4.26 kernel contains the fix, which will also be merged into
the upcoming 2.6.6 release.
Comments (none posted)
MySQL: temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0381, CAN-2004-0388
Created: April 14, 2004
Updated: August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file
vulnerabilities which could be used by a local attacker to overwrite files
on the system.
Comments (none posted)
neon: format string vulnerabilities
Package(s): neon
CVE #(s): CAN-2004-0179
Created: April 14, 2004
Updated: May 18, 2004
Description: The neon WebDAV library contains format string vulnerabilities
which may be exploited by a hostile DAV server. This vulnerability exists
in utilities which use neon, including cadaver and OpenOffice.org.
Comments (none posted)
Scorched3D: format string vulnerability
Package(s): Scorched 3D
CVE #(s): (none listed)
Created: April 9, 2004
Updated: April 14, 2004
Description: The server from the game Scorched 3D is vulnerable to a format
string attack that can lead to a denial of service and possibly to the
execution of arbitrary code.
Comments (none posted)
Updated vulnerabilities
clamav: denial of service
Package(s): clamav
CVE #(s): (none listed)
Created: April 7, 2004
Updated: April 7, 2004
Description: The Clam AntiVirus utility through version 0.68 is vulnerable
to a denial of service attack.
Comments (none posted)
ethereal - multiple vulnerabilities
Comments (none posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories
for changes and lets interested applications know when something happens.
This package has a flaw in its group handling that blocks some legitimate
operations while, at the same time, exposing the names of files that should
otherwise be invisible.
Comments (none posted)
fetchmail may crash on specially crafted message
Package(s): fetchmail
CVE #(s): CAN-2003-0792
Created: October 17, 2003
Updated: April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially
crafted email message can cause fetchmail to crash.
Comments (none posted)
fte buffer overflows
Package(s): fte
CVE #(s): CAN-2003-0648
Created: April 5, 2004
Updated: April 7, 2004
Description: Steve Kemp and Jaguar discovered a number of buffer overflow
vulnerabilities in vfte, a version of the fte editor which runs on the
Linux console, found in the package fte-console. This program is setuid
root in order to perform certain types of low-level operations on the
console.
Comments (none posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution
mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4
contain a bug when handling HTML messages. Alan Cox discovered that certain
malformed messages could cause the Evolution mail component to crash.
Comments (none posted)
heimdal cross-realm vulnerability
Package(s): heimdal
CVE #(s): CAN-2004-0371
Created: April 6, 2004
Updated: April 9, 2004
Description: According to a security advisory from the heimdal project: All
releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing
someone with control over a realm to impersonate anyone in the cross-realm
trust path.
Comments (none posted)
interchange missing input sanitizing
Package(s): interchange
CVE #(s): CAN-2004-0374
Created: April 2, 2004
Updated: April 7, 2004
Description: A vulnerability was discovered recently in Interchange, an
e-commerce and general HTTP database display system. This vulnerability
can be exploited by an attacker to expose the content of arbitrary
variables. An attacker may learn SQL access information for your
Interchange application and use this information to read and manipulate
sensitive data.
Comments (none posted)
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages
sent by local users, with the result that denial of service attacks are
possible.
Comments (none posted)
racoon: failure to verify signatures
Package(s): ipsec-tools racoon
CVE #(s): CAN-2004-0155
Created: April 7, 2004
Updated: August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability
wherein the racoon utility fails to verify digital signatures on some
packets. This hole can lead to unauthorized connections or
man-in-the-middle attacks. See this advisory for details.
Comments (none posted)
kdelibs: cookie disclosure
Package(s): kdelibs
CVE #(s): CAN-2003-0592
Created: March 10, 2004
Updated: August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a
hostile server can force the disclosure of cookies that should not be
presented to it. KDE versions 3.1.3 and later contain a fix.
Comments (none posted)
kdepim: VCF file information reader vulnerability
Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim
as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully
crafted .VCF file potentially enables local attackers to compromise the
privacy of a victim's data or execute arbitrary commands with the victim's
privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0988 to this issue.
Comments (none posted)
Linux kernel 2.2.10 failing function and TLB flush vulnerability
Package(s): kernel-source-2.2.10
CVE #(s): CAN-2004-0077
Created: March 18, 2004
Updated: June 4, 2004
Description: A local root exploit is possible due to early flushing of the
TLB.
Comments (none posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can
be used to control the kernel or machine hardware. In Red Hat Linux 8.0
this package contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with
16-bit samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for the
loops are calculated incorrectly which causes a buffer overrun beyond the
beginning of the row buffer.
Comments (none posted)
libxml2 - arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior
to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses
special parsing routines. These routines can overflow a buffer if passed a
very long URL. If an attacker is able to find an application using libxml2
that parses remote resources and allows them to influence the URL, then
this flaw could be used to execute arbitrary code.
Comments (none posted)
mailman denial of service
Package(s): mailman
CVE #(s): CAN-2003-0991
Created: February 9, 2004
Updated: May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service
(DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could
send a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
Comments (1 posted)
metamail: integer and buffer overflows
Package(s): metamail
CVE #(s): CAN-2004-0104, CAN-2004-0105
Created: February 18, 2004
Updated: May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and
buffer overflows which are remotely exploitable via a properly crafted
message.
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename
inside an archive file can overflow a buffer when the archive is being read
by mikmod.
Comments (none posted)
mod_python: denial of service vulnerability
Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a
specific, malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to Denial
of Service attacks when handling a malformed query. Mod_python 2.7.9 was
released to fix the vulnerability, however, because the vulnerability has
not been fully fixed, version 2.7.10 has been released. Users of mod_python
3.0.4 are not affected by this vulnerability.
Comments (none posted)
monit: buffer overflow and DOS
Package(s): monit
CVE #(s): (none listed)
Created: March 31, 2004
Updated: April 19, 2004
Description: The monit system administration program through version 4.1
suffers from remotely exploitable buffer overflow and denial of service
vulnerabilities.
Two additional vulnerabilities have been found in the HTTP interface of
monit, possibly leading to denial of service or execution of arbitrary
code.
Comments (none posted)
mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2003-0594, CAN-2003-0564
Created: March 10, 2004
Updated: August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including
disclosure of cookies to the wrong server, a scripting vulnerability which
can allow an attacker to run arbitrary code, and an S/MIME vulnerability
which can lead to remote denial of service or code execution attacks.
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Alerts:
Comments (none posted)
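The mpg321 entry above describes the classic format-string defect: text taken from the file reaches printf(3) as the format argument. The following is an added example, not code from the page or from mpg321: it parses the 128-byte ID3v1 tag that a player displays (layout as in the ID3v1 specification: "TAG", 30-byte title, artist and album, 4-byte year, 30-byte comment, genre byte) and renders it through a literal format string, so a title containing directives is printed as plain characters. The tag bytes are constructed here; copy_field(), id3v1_parse(), id3v1_format_line() and make_sample_tag() are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define ID3V1_SIZE 128

struct id3v1 {
    char title[31], artist[31], album[31], year[5], comment[31];
    unsigned char genre;
};

/* Copy a fixed-width, space-padded field that may lack a terminating NUL
 * into a buffer of width+1 bytes, then strip trailing padding. A field
 * that fills all 30 bytes therefore cannot overrun the destination. */
static void copy_field(char *dst, const unsigned char *src, size_t width)
{
    memcpy(dst, src, width);
    dst[width] = '\0';
    while (width > 0 && (dst[width - 1] == ' ' || dst[width - 1] == '\0'))
        dst[--width] = '\0';
}

/* Parse the ID3v1 trailer. Returns 0 on success, -1 if BUF is too short
 * or does not start with "TAG". */
int id3v1_parse(const unsigned char *buf, size_t len, struct id3v1 *tag)
{
    if (len < ID3V1_SIZE || memcmp(buf, "TAG", 3) != 0)
        return -1;
    copy_field(tag->title,   buf + 3,  30);
    copy_field(tag->artist,  buf + 33, 30);
    copy_field(tag->album,   buf + 63, 30);
    copy_field(tag->year,    buf + 93, 4);
    copy_field(tag->comment, buf + 97, 30);
    tag->genre = buf[127];
    return 0;
}

/*
 * The pattern the advisory describes, shown only as a comment:
 *
 *     printf(tag->title);        -- the title becomes the format string
 *
 * Hardened form: the format string is a literal and tag text travels only
 * as a %s argument, so a title containing "%n" is printed as those two
 * characters and nothing is written through it.
 */
int id3v1_format_line(char *out, size_t outlen, const struct id3v1 *tag)
{
    return snprintf(out, outlen, "Title: %s  Artist: %s  Album: %s (%s)",
                    tag->title, tag->artist, tag->album, tag->year);
}

/* Write S into a fixed-width field, truncating to the field width. */
static void put_field(unsigned char *dst, size_t width, const char *s)
{
    size_t n = strlen(s);
    memcpy(dst, s, n < width ? n : width);
}

/* Build a constructed 128-byte tag (space padded, genre 0). */
void make_sample_tag(unsigned char *buf, const char *title,
                     const char *artist, const char *album, const char *year)
{
    memset(buf, ' ', ID3V1_SIZE);
    memcpy(buf, "TAG", 3);
    put_field(buf + 3,  30, title);
    put_field(buf + 33, 30, artist);
    put_field(buf + 63, 30, album);
    put_field(buf + 93, 4,  year);
    buf[127] = 0;
}

int main(void)
{
    unsigned char buf[ID3V1_SIZE];
    struct id3v1 tag;
    char line[160];

    /* constructed title carrying format directives */
    make_sample_tag(buf, "%x%x%x%n crafted title", "Someone", "Demo", "2004");
    if (id3v1_parse(buf, sizeof buf, &tag) == 0) {
        id3v1_format_line(line, sizeof line, &tag);
        puts(line);        /* the directives appear literally */
    }
    return 0;
}
```

The same discipline applies to every other path that shows tag text (status lines, window titles, log messages): the attacker controls the data, so the data must never be the format.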
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s):
Created: May 27, 2003
Updated: August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
Alerts:
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Alerts:
Comments (1 posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description: From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
perl information leak
Package(s): perl
CVE #(s): CAN-2003-0618
Created: February 2, 2004
Updated: April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users.
Alerts:
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Comments (none posted)
PWLib: possible Denial of Service
Package(s): PWLib
CVE #(s): CAN-2004-0097
Created: February 13, 2004
Updated: April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323
project. OpenH323 provides an implementation of the ITU H.323
teleconferencing protocol, used by packages such as Gnome Meeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue.
Alerts:
Comments (none posted)
python: buffer overflow
Package(s): python
CVE #(s): CAN-2004-0150
Created: March 10, 2004
Updated: October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Comments (none posted)
samba privilege escalation
Package(s): samba
CVE #(s): CAN-2004-0186
Created: March 15, 2004
Updated: April 20, 2004
Description: Samba, a LanManager-like file and printer server for Unix, was found
to contain a vulnerability whereby a local user could use the "smbmnt"
utility, which is setuid root, to mount a file share from a remote
server which contained setuid programs under the control of the user.
These programs could then be executed to gain privileges on the local
system.
Alerts:
Comments (none posted)
shar: buffer overflow
Package(s): sharutils
CVE #(s):
Created: April 7, 2004
Updated: April 7, 2004
Description: The shar utility (as found in the sharutils package through version 4.2.1) suffers from a stack-based buffer overflow vulnerability; see this advisory for details.
Alerts:
Comments (none posted)
squid - vulnerability in URL decoding
Package(s): squid
CVE #(s): CAN-2004-0189
Created: March 29, 2004
Updated: April 20, 2004
Description: A bug was found in the processing of %-encoded characters in a URL in
versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses
Access Control Lists (ACLs), a remote attacker could create URLs that would
not be correctly tested against Squid's ACLs, potentially allowing clients
to access prohibited URLs.
Alerts:
Comments (none posted)
sysstat: temporary file vulnerability
Package(s): sysstat
CVE #(s): CAN-2004-0107, CAN-2004-0108
Created: March 10, 2004
Updated: October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description: The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Alerts:
Comments (1 posted)
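The tar/unzip entry above turns on one check that every extractor has to make before it creates a file: does the member name, taken as a relative path, stay under the extraction directory? The following is an added example, not code from the page, GNU tar or Info-ZIP; it assumes POSIX '/' separators, and the member listing it scans is constructed. archive_member_path_is_safe() and count_unsafe_members() are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if NAME cannot leave the extraction directory, 0 otherwise.
 * Rejected: empty names, absolute names (leading '/') and any ".."
 * component. "a/../../b" escapes just as "../b" does, so every component
 * is tested, not only the first one; "..foo" or "foo.." are ordinary names.
 */
int archive_member_path_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/')
        return 0;

    for (;;) {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (sep == NULL)
            return 1;
        p = sep + 1;
    }
}

/* Scan a member list the way an extractor scans an archive directory;
 * returns how many members would be refused. */
int count_unsafe_members(const char *const *names, int n)
{
    int refused = 0;
    for (int i = 0; i < n; i++)
        if (!archive_member_path_is_safe(names[i]))
            refused++;
    return refused;
}

int main(void)
{
    /* constructed sample listing: two benign members, three hostile ones */
    const char *const names[] = {
        "project/README", "project/src/main.c",
        "../.bashrc", "/etc/passwd", "project/../../.ssh/authorized_keys",
    };
    int n = (int)(sizeof names / sizeof names[0]);

    for (int i = 0; i < n; i++)
        printf("%-40s %s\n", names[i],
               archive_member_path_is_safe(names[i]) ? "ok" : "REFUSED");
    printf("%d of %d members refused\n", count_unsafe_members(names, n), n);
    return 0;
}
```

Rejecting rather than rewriting is the simpler policy: an extractor that silently strips a leading "/" or a ".." still produces a file the user did not expect, whereas a refused member is visible in the output.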
tcpdump: flaws in the ISAKMP decoding routines
Package(s): tcpdump
CVE #(s): CAN-2003-0989, CAN-2004-0057, CAN-2004-0055
Created: January 15, 2004
Updated: April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.
Alerts:
Comments (none posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
Package(s): tcpdump
CVE #(s): CAN-2004-0183, CAN-2004-0184
Created: March 30, 2004
Updated: September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Comments (none posted)
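Both tcpdump ISAKMP entries above come down to the same decoder rule: a length field inside the packet is untrusted data and must be checked against the bytes actually captured before it moves the read position. The following is an added example, not code from the page or from tcpdump, showing a payload-chain walk that follows that rule. The fixed header (28 bytes, next-payload at offset 16) and the generic payload header (next payload, reserved, 16-bit big-endian length that includes the header) are as in RFC 2408; the sample message is constructed, and isakmp_walk_payloads() and build_sample_message() are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN         28   /* cookies, next payload, version, ..., length */
#define ISAKMP_PAYLOAD_HDR_LEN  4   /* next payload, reserved, 16-bit length */

/*
 * Return the number of payloads that lie entirely inside BUF[0..caplen), or
 * -1 as soon as the chain claims bytes that were not captured. No buf[off+k]
 * is read before off+k < caplen has been established.
 */
int isakmp_walk_payloads(const uint8_t *buf, size_t caplen)
{
    size_t off = ISAKMP_HDR_LEN;
    uint8_t next;
    int count = 0;

    if (caplen < ISAKMP_HDR_LEN)
        return -1;                                   /* not even a full header */
    next = buf[16];                                  /* type of the first payload */

    while (next != 0) {                              /* 0 = no next payload */
        size_t plen;

        if (caplen - off < ISAKMP_PAYLOAD_HDR_LEN)
            return -1;                               /* payload header truncated */
        plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < ISAKMP_PAYLOAD_HDR_LEN)
            return -1;                               /* would never advance */
        if (plen > caplen - off)
            return -1;                               /* claims bytes past the capture */
        next = buf[off];
        off += plen;
        count++;
    }
    return count;
}

/* Build a constructed 48-byte message: header, an SA payload (12 bytes) and
 * a KE payload (8 bytes). With OVERSIZED set, the second payload claims
 * 0x7fff bytes, far more than the buffer holds. Returns bytes written. */
size_t build_sample_message(uint8_t *buf, size_t bufsz, int oversized)
{
    static const uint8_t hdr[ISAKMP_HDR_LEN] = {
        1, 2, 3, 4, 5, 6, 7, 8,      /* initiator cookie */
        0, 0, 0, 0, 0, 0, 0, 0,      /* responder cookie */
        1,                           /* next payload: SA */
        0x10,                        /* version 1.0 */
        2,                           /* exchange type: identity protection */
        0,                           /* flags */
        0, 0, 0, 0,                  /* message id */
        0, 0, 0, 48                  /* total length */
    };
    if (bufsz < 48)
        return 0;
    memset(buf, 0, 48);
    memcpy(buf, hdr, ISAKMP_HDR_LEN);
    buf[28] = 4; buf[30] = 0; buf[31] = 12;          /* SA payload: next = KE, length 12 */
    buf[40] = 0;                                     /* KE payload: next = none */
    buf[42] = oversized ? 0x7f : 0;
    buf[43] = oversized ? 0xff : 8;
    return 48;
}

int main(void)
{
    uint8_t msg[64];
    size_t n = build_sample_message(msg, sizeof msg, 0);

    printf("well-formed message: %d payloads\n", isakmp_walk_payloads(msg, n));
    printf("capture cut at 40 bytes: %d\n", isakmp_walk_payloads(msg, 40));
    build_sample_message(msg, sizeof msg, 1);
    printf("oversized payload length: %d\n", isakmp_walk_payloads(msg, n));
    return 0;
}
```

The three checks inside the loop are the whole defence: the remaining-bytes test before touching the header, the minimum-length test that stops a zero-length payload from pinning the walk in place, and the maximum-length test that keeps the next offset inside the capture. A snaplen that cuts a message short yields the same -1 as a crafted packet, which is the correct outcome for a decoder: print what was captured and stop.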
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s):
Created: May 21, 2002
Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Alerts:
Comments (none posted)
util-linux: information leak in the login program
Package(s): util-linux
CVE #(s): CAN-2004-0080
Created: February 3, 2004
Updated: April 8, 2004
Description: The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function.
In some situations, the login program could use a pointer that had been
freed and reallocated. This could cause unintentional data leakage.
Alerts:
Comments (1 posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Alerts:
Comments (none posted)
Resources
James Grimmelmann reports from the Digital Cops in a Virtual Environment
conference held last month. "One estimate of MyDoom's effects puts its total
damage at $38 billion. Oh, really? Well, Hurricane Isabel did 'only' $4
billion. These oft-quoted estimates of virus damage are, shall we say,
perhaps overstated?"
Comments (none posted)
The Call for Papers has gone out for Phrack #62; submissions are due by the
beginning of July.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel is 2.6.5; there have been no 2.6.6 prepatches
yet. Linus's BitKeeper repository is overflowing with patches for 2.6.6,
however, including much of the material from
2.6.5-mc4, the last "merge candidate" tree from
Andrew Morton. A great deal of new stuff is going into 2.6.6; see the
separate article below for more information.
The current -mm tree is 2.6.5-mm5; recent
additions to -mm include more CPU scheduler work, some of Hugh Dickins's
"prepare for object-based reverse mapping" patches (see below), a new
memory binding API for NUMA systems, and lots of fixes.
The current 2.4 kernel is 2.4.26, which was released on April 14. Among other things,
this release includes the fix for the
iso9660 filesystem buffer overflow vulnerability. Overall, changes in
2.4.26 include the "forcedeth" nVidia Ethernet driver, a big bonding
network driver rework, a lot of XFS work, various architecture updates
(including Intel "IA32e" support), TCP
Westwood support, an ACPI update, and lots of fixes.
Users of x86_64 systems may want to note that, as of 2.4.26, no more development will be done for that
architecture in 2.4.
Comments (3 posted)
Kernel development news
While Linus took a week off, Andrew Morton maintained a "merge candidate"
tree full of patches which were to be added to the mainline on Linus's
return. Linus is back; he has been quiet on linux-kernel, but his
BitKeeper repository shows that he has been busy: over 700 patches have
been merged in the first half of this week. Quite a few of these are
significant; there will be a lot of changes in the 2.6.6 kernel. Here's a
quick list of some of the more important additions.
- The usual pile of architecture updates, including x86_64, PPC, ARM,
ia64, m68k-noMMU, S/390, and others.
- POSIX
message queue support.
- Changes to the ext2 and ext3 filesystems which provide significant
speedups for the fsync() and fdatasync() calls.
Various other performance improvements have been added to those
filesystems as well.
- The addition of the fcntl() method to the
file_operations structure (see the March 24 Kernel Page).
- The "laptop mode" patch. This patch has evolved somewhat since we
last looked at it, but
the basic idea remains the same: avoid spinning up the disk whenever
possible, but, when you do have to perform disk activity, do
everything you can.
- 4KB kernel stacks for the i386 architecture. This patch reduces the
kernel's per-process overhead, which is useful for people trying to
run thousands of threads. It also removes one of the few places where
the kernel needs to allocate multiple, physically-contiguous pages.
In 2.6.6, there is a configuration option allowing the continued use
of 8KB stacks, though the plan is to eventually remove this option.
The configured stack size is stored in modules, so it will not be
possible to load a module which was built for the wrong size stack.
- Non-executable stack support for several architectures. This is not
the full "Exec shield" patch from Ingo Molnar, though parts of that
patch appear here.
- A big reiserfs update, including data=ordered support, space
preallocation, laptop mode support, and more.
- IPv6 support in SELinux.
- The lightweight auditing framework.
- A mechanism which allows block drivers to respond to queries about the
congestion state of their queues. This is useful for higher-level
drivers (i.e. the device mapper) which have a complicated queue state.
- The per-device unplugging patch which
makes some significant changes to the block layer, but which yields
significant performance improvements. This patch has evolved a lot
since it was originally posted, mostly to deal with complexities in
the device mapper, RAID, and swapping code.
- The "completely fair queueing" (CFQ) I/O scheduler (covered here last November). This scheduler tries to
evenly divide disk bandwidth among all processes on the system. The
CFQ scheduler can be chosen with a configuration option, or by booting
with the elevator="cfq" option.
- Some software suspend fixes, including support for systems with high
memory.
- The external module support patch (described in a separate article
below). The behavior of "make clean" has also been reworked
to do a more thorough job while, simultaneously, leaving behind enough
information to allow the building of external modules.
- A new configuration option allowing the building of kernels without
sysfs support. Be sure to read the help text before disabling sysfs,
however; without sysfs the kernel needs more explicit help in finding
its root partition.
- Various libata (serial ATA) improvements and fixes.
- A long list of NFS cleanups and improvements.
- Some cosmetic fixes, such as running devfs and the floppy driver
through lindent.
- Some significant page cache and virtual memory changes, which we will
get to in the next article.
Overall, one might be forgiven for thinking that 2.6.6 looks much like a
development kernel release. In fact, most of the more intrusive patches listed
above have been around and tested for some time now; they have just finally
made their escape from the -mm tree. With the exception of the CPU
scheduler patches (which we hope to cover here next week) and, perhaps, the
reverse mapping VM changes, 2.6.6 looks likely to contain the bulk of the
work that most developers are still hoping to see added to 2.6. 2.6.6
contains enough big changes that its chances of containing an unpleasant
surprise or two are fairly high. Within a few more releases, however, 2.6
may well have stabilized to the point that it can be more widely deployed
and the bulk of developer attention can move on to 2.7.
Comments (5 posted)
Among the patches merged into the upcoming 2.6.6 release is a set of
virtual memory changes. Changes to such a fundamental subsystem are always
of interest, especially in the middle of a "stable" kernel series. Here,
then, is a quick discussion of what has transpired.
In response to the reverse mapping VM discussions over the last month or
so, Hugh Dickins has posted a series of patches which prepare the kernel
for a full object-based reverse-mapping scheme and the removal of the
per-page PTE chains. Hugh's patches carefully leave room for the inclusion
of either his anonmm patches or Andrea
Arcangeli's anon_vma work,
though he seems to expect that anon_vma will win out. The full set of
patches posted so far can be found in the "memory management" part of the
"patches and updates" section, below.
Of those patches, the first three have been merged as of this writing. rmap 1 simply creates a new
include file (linux/rmap.h) and moves much of the reverse-mapping
declarations there. The second patch (rmap 2) changes the way the
swap subsystem keeps track of swap cache pages; this change is needed to
free up a couple of struct page fields for reverse mapping tasks.
Finally, rmap 3 finishes
out the struct page work for various architectures.
Later patches in Hugh's series get more ambitious; rmap 7 adds object-based reverse mapping
for file-backed memory. Those patches have not been merged as of this
writing, however.
A completely different set of patches which changes how the page cache
works has been merged. The description of
this work, as written by Andrew Morton, reads:
The basic problem which we (mainly Daniel McNeil) have been
struggling with is in getting a really reliable fsync() across the
page lists while other processes are performing writeback against
the same file. It's like juggling four bars of wet soap with your
eyes shut while someone is whacking you with a baseball bat.
This work made some fundamental changes in how page cache pages are
tracked. The struct page structure has long included a field
called "list", being a list_head structure used to track
the state of the page. When the page is marked dirty, or placed under I/O,
it is put on a list with other such pages. Unfortunately, managing those
lists as the state of the page changes proves to be difficult; hence the
juggling analogy.
In response, the page lists have been removed altogether; as a
side-benefit, this change shrinks struct page by eight bytes - a
significant savings, considering that there is one such structure for every
physical page in the system. The lists have been replaced with an enhanced
radix tree which supports "tagging" of pages. When a page is dirtied, it
is simply marked dirty in the radix tree, rather than being added to a
list. Similarly, pages which are currently being written back to disk are
marked. A new set of radix tree operations allows the kernel to find these
pages when the need arises. Searching the tree is not as fast as following
a dedicated list, but the radix tree implementation appears to be fast
enough that few people will notice the difference.
These changes required touching a lot of VM and page cache code; every user
of the page->list field had to be fixed. As a result of the
changes, the order in which dirty pages are written to disk has changed;
writing always happens in file-offset order now. This change appears to be
an improvement for many applications; Andrew reports as much as 30% faster
benchmark results. I/O can slow down for some situations involving
parallel writes on SMP systems, however.
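The tagged radix tree described above is easier to see in code than in prose. The following is an added example, not kernel code: a scaled-down tree in the style the text describes, where each node keeps one bitmap per tag and a set bit means "this slot, or the subtree under it, holds a page with that tag". Setting a tag marks the whole path from the root down; clearing one unmarks ancestors only while no sibling subtree is still tagged; a lookup for dirty pages then skips every untagged subtree instead of visiting each page. The sizes (16 slots per node, three levels, 4096 page indices) and all function names are assumptions chosen to keep the example small.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAP_SHIFT 4
#define MAP_SIZE  (1 << MAP_SHIFT)
#define MAP_MASK  (MAP_SIZE - 1)
#define HEIGHT    3                 /* 3 levels x 4 bits = 4096 page indices */
#define NTAGS     2
enum { TAG_DIRTY = 0, TAG_WRITEBACK = 1 };

struct page { unsigned long index; };
struct node {
    void *slots[MAP_SIZE];          /* child nodes; struct page * at the last level */
    uint16_t tags[NTAGS];           /* bit i: slot i has, or contains, a tagged page */
};
struct tree { struct node *root; };

static unsigned shift_for(int level) { return (HEIGHT - 1 - level) * MAP_SHIFT; }
static unsigned slot_for(unsigned long index, int level)
{
    return (index >> shift_for(level)) & MAP_MASK;
}

/* Insert (or find) the page for INDEX; NULL if out of range or out of memory. */
struct page *tree_insert(struct tree *t, unsigned long index)
{
    struct node *n;
    unsigned leaf = index & MAP_MASK;
    if (index >> (HEIGHT * MAP_SHIFT))
        return NULL;
    if (!t->root && !(t->root = calloc(1, sizeof *n)))
        return NULL;
    n = t->root;
    for (int level = 0; level < HEIGHT - 1; level++) {
        unsigned i = slot_for(index, level);
        if (!n->slots[i] && !(n->slots[i] = calloc(1, sizeof *n)))
            return NULL;
        n = n->slots[i];
    }
    if (!n->slots[leaf]) {
        struct page *p = calloc(1, sizeof *p);
        if (!p) return NULL;
        p->index = index;
        n->slots[leaf] = p;
    }
    return n->slots[leaf];
}

/* Record the node at each level on the way to INDEX; 0 if no page is there. */
static int walk(const struct tree *t, unsigned long index, struct node **path)
{
    struct node *n = t->root;
    for (int level = 0; level < HEIGHT; level++) {
        if (!n) return 0;
        path[level] = n;
        n = n->slots[slot_for(index, level)];
    }
    return n != NULL;
}

/* Mark a page: the bit is set on every level, so the root already knows
 * that something below it carries the tag. */
int tree_tag_set(struct tree *t, unsigned long index, int tag)
{
    struct node *path[HEIGHT];
    if (!walk(t, index, path)) return 0;
    for (int level = 0; level < HEIGHT; level++)
        path[level]->tags[tag] |= (uint16_t)(1u << slot_for(index, level));
    return 1;
}

/* Unmark a page; ancestors lose the bit only while no sibling is tagged. */
int tree_tag_clear(struct tree *t, unsigned long index, int tag)
{
    struct node *path[HEIGHT];
    if (!walk(t, index, path)) return 0;
    for (int level = HEIGHT - 1; level >= 0; level--) {
        path[level]->tags[tag] &= (uint16_t)~(1u << slot_for(index, level));
        if (path[level]->tags[tag])
            break;
    }
    return 1;
}

static int scan(const struct node *n, int level, unsigned long base, unsigned long first,
                unsigned long *out, int max, int tag, int found)
{
    unsigned long span = 1UL << shift_for(level);     /* indices under one slot */
    for (unsigned i = 0; i < MAP_SIZE && found < max; i++) {
        unsigned long lo = base + i * span;
        if (!(n->tags[tag] & (1u << i)) || lo + span <= first)
            continue;                                 /* untagged, or before FIRST: skipped */
        if (level == HEIGHT - 1)
            out[found++] = ((struct page *)n->slots[i])->index;
        else
            found = scan(n->slots[i], level + 1, lo, first, out, max, tag, found);
    }
    return found;
}

/* Collect up to MAX indices of pages tagged TAG, in file-offset order,
 * starting at FIRST: the "gang lookup" writeback uses to find work. */
int tree_gang_lookup_tag(const struct tree *t, unsigned long first,
                         unsigned long *out, int max, int tag)
{
    if (!t->root || max <= 0) return 0;
    return scan(t->root, 0, 0, first, out, max, tag, 0);
}
```

The in-order result is exactly why, as the text notes, dirty pages are now written in file-offset order: the lookup yields them that way for free, whereas the old per-state lists yielded them in the order they were dirtied.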
Comments (3 posted)
Changes in the kernel build process have yielded a number of benefits in
2.6. They have, however, exposed a few rough edges for people building
external modules. The
required procedure is
a bit inelegant, forces the user to ignore warnings from the build code
("you messed with SUBDIRS, do not complain if something goes wrong"),
and does not support modversions. It also requires the presence of a
configured and built kernel source tree, something which was not necessary
with previous kernels, and a build of an external module will often try to
rebuild things in the main tree as well. Fixing up the external module
build process has been on the "to do" list for some time.
Finally, somebody has done it. Sam Ravnborg has posted a patch which improves the external module
build process in a number of ways.
The basic form of a makefile for an external module will not change much.
It should still look something like:
# Invoked twice: first from the module directory, where KERNELRELEASE is
# unset and the "default" target re-invokes make inside the kernel tree;
# then from the kernel build system with KERNELRELEASE set, where only
# the obj-m line is used. The recipe line must be tab-indented.
ifneq ($(KERNELRELEASE),)
obj-m := module.o
else
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD)
endif
The change is in the $(MAKE) line: the parameter that once read
SUBDIRS=$(PWD) has changed to M=$(PWD). The
older SUBDIRS= format will still work, however. It is
also no longer necessary to specify the modules target when
invoking the kernel build system.
When the kernel build system is invoked with the M= parameter, it
does a number of things differently. It will make no effort to ensure that
the built files in the kernel source tree are current; if a developer makes
a change to the main tree, it is his or her responsibility to rebuild it
before trying to make any external modules. Only a few targets
(modules, clean, modules_install) are supported
when building external modules. And the modpost program
now maintains a file (Module.symvers) containing the symbol
version information if modversions is in use; this file is used when
postprocessing an external module to note the symbol versions expected by
that module.
Among other things, the new scheme will allow distributors to package
sufficient information for the building of external modules without the
user having to actually configure and build the full kernel source tree.
That information can be stored under /lib/modules by replacing the
build symbolic link (which currently points back to the source
tree) with a directory containing just the required information. That
should make life simpler for everybody involved.
Comments (1 posted)
Fedora Core 2 is scheduled to ship in just over one month. This distribution
will be a high-profile deployment of the 2.6 kernel. Red Hat has often shipped
highly-patched kernels, and there have been occasional criticisms that the
company's kernels are so divergent from the mainline that they are
incompatible with other Linux systems. Since we have been messing with the
second Fedora Core 2 test release anyway, it seemed like a good time to look
and see what sort of kernel it includes. To that end, we pulled down a copy
of 2.6.5-1-321 from Arjan van de Ven's directory.
As it turns out, the number of patches contained in this kernel is
relatively small. That is not entirely surprising; vendor kernel patch
lists tend to get longer as the current development kernel progresses; some
vendors, at least, have a tendency to backport features from the
development tree. There is no development tree currently, so there
is nothing to backport.
That said, the first patch is a big one: it's the full 2.6.5-mc1 tree from Andrew Morton. Now that
the merge candidate patches are finding their way into 2.6.6-pre, Red Hat
will not need to apply that particular patch itself.
The 2.6.6 kernel will feature an option (on by default) to use 4KB kernel
stacks on the i386 architecture. The Fedora kernel has that patch, of
course; it also includes a separate patch which takes away the option of
using the traditional 8KB stacks. This change has upset some Fedora test
users; the 4KB stacks break certain proprietary device drivers
(e.g. nVidia) and some users of those drivers would prefer to have the
ability to build a kernel that supports them. Red Hat seems determined to
follow this path, however, on the assumption that nVidia will fix its
drivers (and the general attitude that breaking binary modules is a
low-priority problem at best).
Then, there are patches which are true Red Hat stuff. These include "exec shield," which makes buffer overflow
attacks harder by enforcing no-execute permissions; the 4G/4G patch which provides expanded 32-bit
virtual address spaces to both user space and the kernel; and TUX, the
kernel-based high-performance web server. There is also an
SELinux/security module patch which allows the kernel to bypass permission
checks when creating sockets internally; this one changes the security
module interface.
Then, there are various cleanup and safety patches. For example, gcc 3.4
supports a "warn_unused_result" attribute on functions; the compiler
will complain when code calls a function marked with this attribute and
fails to check the return value. The Red Hat kernel applies that attribute
to a few functions (copy_from_user(),
pci_enable_device(), etc.) to trap places where the proper checks
are not made. Various functions which use too much kernel stack space have
been fixed up. There is a patch which fixes some remaining
sleep_on() calls and warns about others. The driver for
/dev/mem has been fixed to disallow access to most of main
memory. And there is a driver for a "crash" device which provides direct
read access to main memory, seemingly for use by a crash dump utility.
Finally, there is a small set of bug fixes and patches to ease the build
process on various architectures.
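The warn_unused_result attribute mentioned above is worth seeing on a function with the copy_from_user() return convention, since that convention (the count of bytes not copied, zero on success) is exactly what a forgotten check throws away. The following is an added example, not code from the page or from the Red Hat kernel; the __must_check spelling is the kernel's, while fake_copy_from_user(), its 64-byte stand-in user area and handle_request() are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* The kernel's spelling: the attribute on gcc-compatible compilers, nothing elsewhere. */
#if defined(__GNUC__)
#define __must_check __attribute__((warn_unused_result))
#else
#define __must_check
#endif

#define USER_AREA_SIZE 64
static unsigned char user_area[USER_AREA_SIZE];   /* stand-in for the user address range */

/* Fill the constructed user area with recognisable bytes (0, 1, 2, ...). */
void seed_user_area(void)
{
    for (size_t i = 0; i < USER_AREA_SIZE; i++)
        user_area[i] = (unsigned char)i;
}

/*
 * Stand-in for copy_from_user(): like the real one it returns the number of
 * bytes NOT copied, so 0 means success and anything else means the
 * destination is partly or wholly uninitialised. Because of __must_check,
 * a caller that drops the value gets a compile-time warning.
 */
static size_t __must_check fake_copy_from_user(void *to, size_t from_off, size_t n)
{
    if (from_off > USER_AREA_SIZE || n > USER_AREA_SIZE - from_off)
        return n;                                 /* bad user range: nothing copied */
    memcpy(to, user_area + from_off, n);
    return 0;
}

/*
 * Correct caller: the result is checked and turned into -EFAULT, so OUT is
 * used only after a complete copy.
 *
 * The variant the attribute exists to catch would read
 *     fake_copy_from_user(out, user_off, n);  return (int)n;
 * and gcc reports: ignoring return value of 'fake_copy_from_user'.
 */
int handle_request(size_t user_off, size_t n, unsigned char *out, size_t outlen)
{
    if (n > outlen)
        return -EINVAL;
    if (fake_copy_from_user(out, user_off, n))
        return -EFAULT;
    return (int)n;
}
```

The attribute only produces a warning, so it pays off in a tree built with -Werror or reviewed with warnings treated as defects; in the Red Hat kernel described above it is applied to a short list of functions whose ignored result is almost always a bug.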
Overall, the Fedora kernel suggests that, in Red Hat's view, not a whole
lot needs to be added to the 2.6 kernel (the upcoming 2.6.6 version, at
least) for it to be ready for wide use.
Comments (7 posted)
Patches and updates
Kernel trees
Build system
Development tools
Device drivers
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Page editor: Jonathan Corbet
Distributions
News and Editorials
Remember Progeny Debian? It was a Linux distribution that set out to cure the
ills of Debian proper, such as its unattractive installation program, many
tedious steps requiring detailed knowledge of one's hardware, the unintuitive
interface of dselect, and other annoyances that were seen as major
obstacles in the way of wider adoption of Debian (and Linux) among the
computing public. When Progeny released version 1.0 in April 2001, many users
were impressed: "I really want to point out that this distribution was
very, very easy to install. My first installation just awed me..." wrote
one reviewer.
The project was buried some 6 months later. Ian Murdock, the founder of
Progeny (and Debian) explained:
From a business perspective, our customers consistently ask for
Debian, not Progeny Debian, and while Progeny Debian is technically just a
'release' of Debian (akin to 'potato' or 'woody' from the Debian project),
the appearance of maintaining a separate or 'forked' version is a
liability.
The company itself survived by switching its focus to
providing services and commercial support for the Debian distribution.
Then this week, all of a sudden, Progeny announced the
release of Progeny Debian 2.0!
Why the sudden revival of the Progeny distribution, rejected 3 years ago as a
liability? Of course, Linux has come a long way since 2001 when it was a lot
harder to sell. More importantly though, Ian Murdock has been promoting a
radical new idea, a so-called "Componentized Linux", as a novel way of
developing a Linux distribution as a collection of components, rather than as
a monolithic whole. Progeny Debian 2.0 is the first release based on the
concepts of Componentized Linux.
Before we go any further, let's try to explain these concepts: what exactly is
Componentized Linux and why is it better than the traditional development
model? In doing so, we'll skip the definition on the Componentized Linux home page, which is too
abstract to make an impact, and go straight to the directory
listing the currently available components:
- audio
- cups-1.1
- evolution-1.4
- gnome-2.4
- graphics
- linux-2.4
- linux-2.6
- lsb-1.3
- lsb-2.0
- lsbdev-2.0
- mozilla-1.5
- mozilla-firefox-0.8
- openoffice.org-1.1
- python-2.3
- tcl
- xfree86-4.2
- xfree86-4.3
- xml
The components can be added to /etc/apt/sources.list like this:
deb[-src] http://archive.progeny.com/progeny/linux cl [components]
Each component represents a collection of packages. We can see a number of
base components, such as linux-2.6 or lsb-2.0, essential for a core Linux
system, and also a number of specialized components, e.g. audio or graphics.
The important point of this "componentization" is that all components are
self-dependent; in other words, all dependencies must be satisfied within the
component itself, or a component has to explicitly specify another component
that it depends on (e.g. one cannot install the gnome-2.4 component without
one of the xfree86-* components).
It should be noted that this componentized structure is completely transparent
to the end user. Taking Progeny Debian 2.0 as an example, the user can simply
apt-get install or apt-get remove any package without
having to think about the components; in fact, there is no way to install or
remove an entire component with one command. The "componentization" only
affects developers: it changes the way package maintainers create binary
packages. For example, let's take a complex package with many dependencies,
such as GnuCash. In standard Debian, the GnuCash package merely specifies
which other packages must be installed on a system prior to installing
GnuCash. However, in Componentized Linux, the developer will have to create a
"gnucash" component, with all the dependent packages either inside the
component itself, or specified in another component (such as the gnome-2.4
component).
How will this make things easier and better? The way Ian Murdock envisages
the role of components is that package maintainers will be able to create
logical entities for specific uses. As an example, if a group of developers
in Japan decides to add Japanese language support to a distribution, all they
need to do is to create a complete self-contained component providing all
packages needed for the language support. The component would include an
input server, fonts, dictionaries, spellchecking applications and other
relevant packages. Although it is hard to quantify the benefits of such an
approach until we have more exposure to the technology, there is no denying
that a componentized structure does sound more logical, not to mention
portable, than the present system of thousands of individual interdependent
packages found in Linux distributions.
If you are interested in trying out this approach, Progeny Debian 2.0 provides
an early taste of things to come. It is an alpha release, so expect a few
problems here and there, but the cl-workers mailing
list is a good platform for discussions, both technical and
philosophical. Besides seeing the "componentization" effort in practice, the
release is evidence that the developers have put a lot of effort into the
Anaconda for Debian port: unlike Progeny's early ISO image from 2 months ago,
it is now possible to install the distribution in text mode. Also of interest
to some should be the Progeny-enhanced version of apt, with support for
SSL/HTTPS, HTTP cookies, interactive authentication, and redirects.
Although at present only Debian-based components have been created, the
developers are planning to build components based on Fedora Core in the near
future.
Comments (4 posted)
April 13, 2004
This article was contributed by Joe Klemmer
The number of "Live" Linux distributions has been growing
like weeds over the last two years. It's not surprising when you
think about it. Live CDs give you the flexibility of running
Linux on any system without the need to actually "install"
it.
There's also another advantage to Live CDs: you can have
custom functionality configurations designed for specific
purposes. There are Live CDs for Desktops, Servers, Clusters,
Gaming, Multi-Media, and, of course, Security. In fact the Live
CD format lends itself to Security tasks extremely well. One of
these Security focused distributions is Plan-B. Here is an interview
with the project's creator, J. McDaniel, on his background and the
history & future of Plan-B.
Joe Klemmer: Who is J. McDaniel? (What does the "J"
stand for?)
J. McDaniel: The J stands for Jeremy. It never occurred
to me, during the entire course of creating the CD and the
website, that I hadn't used my first name. I have no reason why,
I just didn't.
# whoami
jmcdaniel
# _
Sorry, couldn't resist =)
JK: What's your background?
JM: I'm from a small town in West Virginia. My freshman
year in high school, I took what I thought was a keyboarding
class. As it turned out, it was actually a programming class for
an IBM with BASIC. (Or was it BASICA? I can't remember for sure.)
It wasn't long before I had a Commodore 64 at home with a 13" TV
and a tape drive (audio tape that is). A couple of years later, I
got a PC with DOS 3.0. I still have the 386DX and BIOS chip as a
souvenir. I joined the Army after high school and started out in
Signal Corps. I was a Radio and Teletype (RATT) Operator, and then
I luckily got switched to a computer tech. They were running
SunOS then, now called Solaris. After my eight years were up, I
jumped ship and it was almost the end of the computer scene.
JK: When/How did you get involved in Linux and Open
Source?
JM: Still interested in computers outside the service,
around late '96, I was informed of an OS Project that allowed you
to connect a PC to an amateur ham radio rig - best of all, it was
free. I immediately grabbed the first copy I could find, and
Debian v1.0 became my best friend and enemy as we developed a
love/hate relationship. Although I never did get the radio to
work right with it, I did realize I had to get back into the IT
field. In '98, when I got discharged, I was working any job I
could get. None of my jobs were in IT, though. I quickly learned
I needed a degree, and fast. I finally managed, in 1999, to start
a program at a local school in Fairmont, WV called Computer
Tech., working toward an Associates Degree. By the time I
graduated, three years later, they had changed their name to
IADT. I also quickly learned college costs money. Now things are
better though. I'm working there as an Adjunct Instructor
teaching Introduction to Unix and Unix Administration, and I'm
working part time on the side for an accounting firm (T and T
Inc.) as their Network Admin. Meanwhile, I'm attempting to
complete a Bachelors then Masters in IT at AIU.
JK: What is Plan-B Linux?
JM: Finding it harder to locate a machine away from
home with Linux installed, I resorted to a few "floppy based"
distributions. I outgrew them in record time, though. Looking for
a bit more, I started toying with several Live CDs. A Live CD is
an OS that allows you to run it from the CD without having to
install it first. After having to change all of them to suit me
in one way or another, I decided to create one made just for me.
I know there are close to 150 or more of them now, yet they
didn't address my personal needs (OK, wants.) I also decided I
had to learn something from the experience. I found that most
were based on Knoppix at their root, which is Debian Linux
underneath. Knoppix is definitely the most popular and easy to
use. At the same time I found it included tons of software I
would never use, and very little of what I wanted. However, what
I was trying to find was a CD using a modified Red Hat Install.
It had to have as many, if not all, of the typical server daemons
included in an installable distribution, root user authority by
default, a small and easy to configure X Windows interface,
hardware recognition and configuration, utilities for security
scanning, auditing, and system recovery. It should also have, if
necessary, forensic analysis and read/write access to as many
file systems as possible, along with the ability to do everyday
tasks, i.e. email, browse the web, chat, write a report, shut down
and go home. I found a page that listed a CD created by H. Peter
Anvin, the "SuperRescueCD". This was it, the perfect groundwork
for what I wanted. It was based on Red Hat 6/7 and was
primarily built for recovery. I used a stripped installation of
Red Hat 9 and reorganized the build structure Anvin used. After
months of trial and error caused by the read/write permissions
required on a lot of the software, along with countless coasters
burned, I had a working model.
JK: What makes Plan-B unique?
JM: Tough question. It's unique to me, I suppose,
because I've gotten to know it intimately over the last couple
years while I molded it into something usable. I believe, out of
the swarm of Live CDs available, there isn't too much unique
about it on the surface. I would have to say it would be the
closest to running an installed version of Red Hat. That is to
say if you're currently a Technician or Administrator of Red Hat
systems, you should feel right at home in Plan-B. It might
disappoint you, though, if you are expecting to see KDE or GNOME.
I chose a lightweight desktop (BlackBox) instead for the Window
Manager. I didn't see an advantage of using anything more
elaborate. It also uses a file compression I rarely see used on
other CDs of its kind (not that I've researched the matter). I
used zisofs, another project by Anvin, which lets me fill ~1.4GB
of data on the CD.
JK: How did you go about deciding what to include or
not include in Plan-B?
JM: I started with the basic necessities and a server
class installation of Red Hat 9. After thinning the install of
rarely used files, I started a log of the software I used most
often. Then I began to stage a step-by-step scenario of routines
I would use as a starting point for auditing systems and
networks. Versions 0.1.0 through 0.8.0 were built and rebuilt
again based on the ability to reenact each scenario. All software
needed to work without failure and using the least amount of
resources possible. The most precious resource on a project such
as this, of course, is "Space". I scoured the Internet &
reviewed hundreds of software projects looking for applications
that provided the same capability of large "Feature Rich
Applications," yet with smaller file sizes. Practically, as long
as it works, it's great. Once I had reached what I felt was the
space limit, I rebuilt the CD and used it as a desktop for a week
or so to evaluate what I actually use and what was just wasting
space. As for the Field Study Applications (Forensics, Security,
and Auditing) I had a few that I use most often. However, knowing
not everyone works under the same conditions or uses the same
approach that I do, I requested information for resources from
several authorities in each profession. After getting a list
compiled of all the recommendations, I proceeded to add them a
few at a time, rebuild the CD, test, and iterate ad nauseam.
JK: What are your plans for the future Plan-B?
JM: Currently the Plan-B Project as a whole is being
moved to the school here at the International Academy of Design
and Technology (IADT) and will become a Student Project. Students
will be offered the chance to become part of the development
team. This would give them an opportunity to work in an Open
Source Environment. They will be working at each phase of the
development process for both the CD and the website. IADT has
courses involving Network/System Administration, Programming, and
Website Design, all of which fit in with the nature of the
project perfectly. Research and Development, Software/Hardware
Testing, Programming, System and Network Analysis, Project
Management, etc. are only a few possibilities. Now, at a
technical level, I will be compiling a list of known issues with
version one and assessing all of the field requests for software
additions. Those will be the primary changes to begin with. It is
also time to make the switch to Fedora. You can also expect to
see PB2 sporting a new kernel, actually one of each version - 2.4
and 2.6. I'd like to begin work on special software made
specifically for Plan-B such as the ability to save a users or
system configuration with ability to automatically load that
configuration during the boot process. We will be researching the
individual applications to see if it's possible to make them more
intuitive. The less you have to setup, the faster you can get to
work.
The biggest news at the moment, though, is that recently I
exchanged a few emails with H. Peter Anvin, the creator of the
SuperRescueCD and several well-known Linux Utilities, about his
plans for continuing with his project. After finding that he
wished to continue and create a version 3 of SuperRescue, but
doesn't have the time, I offered our project to jump in and begin
work on it. He agreed happily. As a result, we now will also be
building and maintaining the next SuperRescueCD. I'll be the
first to admit I am very honored to do so. If it hadn't been for
Anvin's project, ours may not exist. We only briefly covered
changes in the current process used to create a custom version of
either CD. We agree the current method is very difficult to
manage or add personal files with, and it is even harder to remove
them. This is another area high on the to do list. We might,
possibly, build from an rpm repository instead. The differences
between the two will mostly deal with your need for use.
While PB2 will continue to move forward in Security,
Forensics, and Auditing, SR3 will add a greater base of supported
hardware and utilities for system diagnosis at a hardware and
software level.
JK: Is there anything you'd like to see happen with
Plan-B?
JM: For now, the projects will be worked on internally.
However, I would like to see them grow out to the community here
as well. I can see a benefit of having a LUG or Open Software
Group locally to promote and aid in the use of Linux for home and
small business use. I believe if we're going to see Linux in
those areas it will be due to organizations such as those who
apply the effort to make its existence known. I recall a
conversation in which I was discussing some of the technology and
offered, "Personally I run Linux." In reply, the gentleman said,
"I've heard of that, Toyota or Honda make it, right?" It appears,
then, that in the small business world one of the obstacles we
face is just the awareness that there are alternatives in the
market for Operating Systems and Software. Despite this, I still
have high hopes for us yet.
Comments (1 posted)
Distribution News
Mandrakesoft has
announced the availability of
Mandrakelinux 10.0 Official. "
10.0 Official provides increased
performance with Linux kernel 2.6, an enhanced desktop experience with KDE
3.2, GNOME 2.4 and Mandrakegalaxy II, unbeatable hardware recognition, and
support for Serial ATA, USB2 and IEEE 1394."
Mandrakelinux 10.0 updates:
- kdenetwork: fixes a problem in
knewsticker.
- kdeutils: fixes a problem in kgpg.
- qt3: fixes a kuickshow problem
displaying an image in fullscreen.
Comments (none posted)
Here's the
Debian Weekly News for April 13,
2004, with a look at non-free components in the Linux kernel; an
experimental request tracker; Martin Michlmayr re-elected DPL; Debian
powered satellite routers; and much more.
The results are in: Martin Michlmayr has been
re-elected as the leader of the Debian Project.
Join the bug squashing party, April 16 - 18,
and help stomp out those release critical bugs in sarge.
Preparation of the next stable update of
Debian 3.0 (woody) continues.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of April 12, 2004 is out. This
week's issue looks at the newsletter reorganization, and its search for new
team members; the Gentoo Linux Project is looking for developers with Samba
experience; and more.
Full Story (comments: none)
Lindows, Inc. has
announced
that a Spanish version of LindowsOS, customized for laptops, is now
available pre-loaded onto two laptop models through PC Club.
Comments (none posted)
Slackware current has plenty of fixed and upgraded packages this week,
including e2fsprogs-1.35, hdparm-5.5, pcmcia-cs-3.2.7,
dvd+rw-tools-5.19.4.9.7, audiofile-0.2.5, esound-0.2.34,
ImageMagick-5.5.7-17, xchat-2.0.8, and more. There are X.Org X11R6.7.0
packages in testing. As usual see the
slackware-current
changelog for complete details.
Comments (none posted)
Here's the
DistroWatch
Weekly for April 12, 2004.
Comments (none posted)
New Distributions
eLearnix is a free, self contained,
Linux operating system that runs from CDROM or Compact Flash card. It
creates a desktop environment that will help people learn Linux. The
newest version is also Wireless enabled, with a 2.6 Linux kernel, GNOME
2.4, lots of applications, and an install script to install to a dedicated
hard drive or a 256MB+ Compact Flash card.
Once
upon a time a distribution called Embedded Freedom Linux was in the
embedded section of our list; version 1 of EFL was released December 15,
2002. EFL turned into FreeLoader Linux before morphing into eLearnix, now
found in the Education section of the list. eLearnix 2.6.5 was released
April 13, 2004.
Comments (1 posted)
Minor distribution updates
Ark Linux has issued
a press release for
the release of Ark Linux version 1.0 alpha 11.
Comments (none posted)
Astaro Security Linux has released
v5.001 with major bugfixes. "
Changes: This version includes
virus protection for HTTP, intrusion protection, L2TP VPN support,
ISP-uplink failover, spam protection for SMTP and POP3, SMP support, and
stateful failover functionality in high availability installations. Many
small improvements were also made."
Comments (none posted)
Buffalo Linux has released
v1.2.0
with major feature enhancements. "
Changes: This release of Buffalo
uses the new 2.6.5 kernel exclusively. Six kernels are provided for i586,
ipent2, ipent3, ipent4, K6, and K7 (Duron/Athlon). There were major package
upgrades (74) including OpenOffice-1.1.1. There is also a GNOME package
that contains another 73 packages. 44 little used packages were
deleted."
Comments (none posted)
Local Area Security Linux
has released
v0.5 with major feature enhancements. "
Changes: All packages
have been upgraded to current in the 210MB version. The theme and
background have changed to the new standard. There are usability fixes and
fixes for broken menu links."
Comments (none posted)
NSA Security Enhanced Linux has
released
v2004040714 with minor feature enhancements. "
Changes: The
current prototype and the experimental NFS code are now based on Linux
kernel 2.6.5. IPv6 support has been added. A new sestatus utility is
available. A number of bugs have been fixed, and many updates have been
made to the example policy."
Comments (none posted)
Warewulf has released
v2.1
with major feature enhancements. "
Changes: Version 2.1 is the first
official release of W\2, and it includes a major rewrite of almost all of
the tools, as well as architecture changes to make it much more flexible
and easier to maintain."
Comments (none posted)
Distribution reviews
Linux.com
reviews
Vector Linux 4.0 SOHO edition. "
One thing that kept the installation
so short was a lack of any questions about the packages that were
installed. Vector decided for me what needed to be installed and didn't
trouble me with the task of choosing."
Comments (none posted)
MadPenguin
reviews
the soon to be released SUSE LINUX Professional 9.1. "
SUSE LINUX
9.1 is an excellent Linux distribution for the price. At $89.95 USD, you
would be hard pressed to find a better package. Sure, you can download
Linux all day long from the Internet for free, but in no way does that give
anything back to the developers who innovate. You are showing support for
them by running and promoting their software to others, but nothing helps
keep development flowing like cold hard cash. SUSE is worth the price. For
the 90 days of installation support, online and email support, as well as
the plethora of packages that are included, you simply can't go wrong. One
thing people frequently miss when comparing Linux distributions and pricing
is the included applications. I'm not just talking about the quantity, but
the quality. So many distros these days have apps that are just 'broken',
not working, and trouble to work with. I visited as many apps as possible
during my review and everything worked. This to me is a huge selling
point."
Comments (1 posted)
DesktopOS
reviews
the latest version of Lycoris Desktop/LX. "
If we had to sum up
Lycoris Desktop/LX Update 3 in a single word it would be mighty difficult
-- yet words such as perfect, impressive, and wonderful, do come to
mind. We would without a doubt struggle to find people to agree with such a
conclusion however, as a result of the experiences encountered here; so we
will not settle on any of those words. On the other hand, if we had to sum
up this operating system in a few words, we would have to say "a work in
progress.""
Comments (none posted)
Page editor: Rebecca Sobol
Development
A new release (version 0.6.2) of
PyX,
the Python Graphics Package, was released this week.
PyX is a Python package for the creation of encapsulated PostScript figures. It provides both an abstraction of PostScript and a TeX/LaTeX interface. Complex tasks like 2d and 3d plots in publication-ready quality are built out of these primitives.
PyX version 0.6.2 features several bug fixes in the graphing module;
the details are available in the
changes document.
Some of the primary PyX capabilities include:
- Plotting of basic X/Y graphs.
- The ability to overlay graphics.
- Plotting of 2D and 3D grid-based data.
- Provision of an abstracted PostScript functionality.
- Support for the powerful TeX and LaTeX typesetting languages.
- Publication quality output.
- An easy to use Python API.
The online
examples
show PyX in action with a wide variety of useful graphics.
With the ability to combine many types of data plotting with
the scientific typesetting capabilities of TeX/LaTeX,
PyX looks like an excellent tool for the creation of mathematical
texts, both online/interactive and printed.
See the
PyX documentation page for more information.
The PyX source code is available
here.
Comments (none posted)
System Applications
Audio Projects
The
latest changes from the
Planet CCRMA audio utility packaging project include
new versions of Noteedit, Lilypond, and SND, and the addition of
Qdu, a graphical disk space management tool.
Comments (none posted)
Database Software
Version 4.2.52 (stable) of the embedded
Berkeley Database
is out.
Comments (2 posted)
Version 2.6.4 of CLSQL, a Common Lisp interface to SQL databases,
is available.
"
This version adds a
CommonSQL compatibility layer, which becomes the default API, and a
metaobject protocol compatibility layer."
Full Story (comments: none)
Version 1.6.2 of PEAR DB
has been announced.
"
PEAR DB is a database abstraction layer for 13 of PHP's database drivers. The latest version has some fixes in the PostgreSQL driver."
Comments (none posted)
The PostgreSQL Weekly News for April 12, 2004 has been published,
here's the content summary:
"
A quiet week of development on the main project, but several
interesting developments took place in the world at large. Probably one of
the more meaningful items was the release of the SQL:2003 spec. Anyone
interested in database design should probably keep an eye out as more
articles appear discussing some of the changes involved; I've included a link
to a synopsis below."
Full Story (comments: none)
Embedded Systems
Version 1.0.0-pre9 of
BusyBox,
a condensed collection of command line utilities for embedded systems, is out.
"
Here goes the final BusyBox pre-release... This is your last chance for bug fixes. With luck this will be released as BusyBox 1.0.0 later this week. Please do not bother to send in patches adding cool new features at this time. Only bug-fix patches will be accepted. It would also be very helpful if people could help review the BusyBox documentation and submit improvements."
Version 1.0.0-pre10 was released a few days later.
"Ok, I lied. It turns out that -pre9 will not be the final BusyBox pre-release. With any luck however -pre10 will be, since I really want to get BusyBox 1.0.0 released this week."
Comments (none posted)
Mail Software
Robert Bernier
performs data mining on an email archive using Perl.
"
Thousands of useful facts lie inaccessible on your hard drive, hidden within
email messages and attachments. How much more productive would you be if you
could extract, index, and search that information? Robert Bernier
demonstrates how to store data from emails into a database, where you can use
data-mining techniques to analyze it."
Comments (none posted)
Version 0.1 beta of HamCannon is available.
"
HamCannon is a Zope/Plone Product for managing outbound email marketing.
HamCannon is for sending ham, not spam - it has much support for helping
users unsubscribe and none for hiding from them. Please don't use
HamCannon to send spam."
Full Story (comments: none)
This week's new mail filtering software on the
milter.org site includes
an announcement of the new SPF Milter, a call for discussion on Java-based
milters, and version 0.17 of milter-spamc.
Comments (none posted)
Printing
Version 1.0 rc 2 of the CUPS Driver Development Kit
has been announced.
"
The CUPS Driver Development Kit (DDK) provides a suite of standard drivers, a PPD file compiler, and other utilities that can be used to develop printer drivers for CUPS and other printing environments. CUPS provides a portable printing layer for UNIX-based operating systems. The CUPS DDK provides the means for mass-producing PPD files and drivers/filters for CUPS-based printer drivers."
Comments (none posted)
Web Site Development
The 0.2 beta release of Aiakos is available.
"
Aiakos is an innovative distributed authentication system, based on Zope
and Plone. Much of the heavy lifting is done using the LDAPUserFolder
product by Jens Vagelpohl.
Aiakos allows you to provide a central sign-on system for a network of
websites. All login and registration activity takes place on the central
Aiakos server."
Full Story (comments: none)
Version 3.2.16 of the
mnoGoSearch
web site search engine has been released. The
changes
include improved operation on non-English language sites,
bug fixes, and performance improvements.
Comments (none posted)
Version 1.0 beta 1 of the
Quixote
web development platform has been announced. See the
changes file for details.
Comments (none posted)
Mark Eagle
writes about Java-based web applications on O'Reilly.
"
This article will discuss how to combine several well-known frameworks to achieve loose coupling, how to structure your architecture, and how to enforce a consistent design across all application layers."
Comments (none posted)
Alexander Prohorenko and Olexiy Prohorenko
introduce JavaServer Faces on O'Reilly.
"
Swing developers enjoy a well-defined set of high-level components for
building GUI applications, but what about web applications? JavaServer Faces
attempts to bring the same kind of toolkit to the web-app space."
Comments (none posted)
Robert Jones
writes about disaster recovery issues and LAMP systems on O'Reilly.
"
The beauty of LAMP systems is that you can develop them as formally or
informally as you like. Unfortunately, when it comes time to plan for
disaster recovery, that informality can work against you. Robert Jones
presents several guidelines for development and configuration that can make
recovery easier."
Comments (none posted)
Miscellaneous
Version 3.1-test1 of the Real Time Application Interface (RTAI) is
available; this is the first version which supports the 2.6 kernel.
Full Story (comments: none)
Desktop Applications
Audio Applications
A new version of the JACK bitscope diagnosis tool has been released.
"
As its name might
suggest, the bitscope operates at the bare metal of JACK's I/O layer,
looking at the 32 binary digits in each individual sample. It's basically
functional, and its release and subsequent announcement were delayed most
by the need to provide some adequate examples in the documentation."
Also, the GL Mixer, a 3D sound mixing widget for JACK, is out.
Full Story (comments: none)
Dave Phillips has updated
his list
of new Linux audio software releases.
Comments (none posted)
Data Visualization
Version 0.9.1 of the Aqsis Renderer toolkit
is available.
"
Aqsis is a Renderman(tm) compliant 3D rendering toolkit. Aqsis is
based on the Reyes rendering architecture. Features include: Programmable
Shading, True Displacements, NURBS, CSG, Motion Blur, Subdivision Surfaces."
Comments (none posted)
Derek Fountain
explains how to generate data graphs in Perl with GD::Graph.
"
Perl's GD::Graph module is a tool that allows a software developer to quickly and easily generate graphical representations of data. Originally written by Martien Verbruggen in 1995, the package has matured into a very flexible and popular tool. It is ideally suited to any situation where a dynamic data set, from a database or elsewhere, needs to be fetched and represented on the fly. It is widely used in corporate intranets, where many a webmaster has used it to generate graphs that show data in exactly the format management likes."
Comments (none posted)
Desktop Environments
GnomeDesktop.org has
announced dropline GNOME 2.6.
"
As stated on gnome.org, GNOME 2.6 has arrived! Now Slackware users can enjoy crisp, GNOME 2.6 goodness, including the overhauled GTK+ File Chooser and the new Spatial Nautilus file management system. Other changes include new software such as the Beep Media Player and Screem Website Editor, new artwork, and a new windowing system. With the license change to XFree86 4.4, Dropline GNOME has also joined the revolution and moved to X.Org's X11 server (don't worry, the nVidia and ATI binary drivers still work). Finally, the Dropline Build System has also been revamped, making it easier than ever to build the desktop from source, or contribute enhancements back to the community."
Comments (none posted)
Version 0.3.0 of Gaphor, a UML modeling tool for GNOME, is available
with class diagrams, a new GUI, a UML 2.0 compliant data model, and more.
Full Story (comments: none)
Version 0.3 of GNotify, a GTK+ notification service daemon, is available.
Full Story (comments: none)
Version 1.01 of libxklavier, a keyboard configuration library used by GNOME, is out.
"
The version 1.01 provides build-time compatibility with the latest X.Org
X server (which renamed the default xkb rules set from xfree86 to xorg)."
Full Story (comments: none)
O'Reilly is
looking for GNOME
hacks for an upcoming book, "Linux Desktop Hacks".
Comments (2 posted)
The April 9, 2004
KDE-CVS-Digest is available.
Here's the content summary:
"
KJSEmbed adds support for KParts and QComboBox. Beginnings of next generation user guide. More IMAP and icon view optimizations. Kexi now supports forms. KIMProxy, a library to enable IM from any application. CSS ECMA bindings added in KDOM."
Comments (none posted)
KDE.News
reports on the
progress of the KDE Quality Teams Project. "
Remember, in Quality
Teams you can do as little or as much as you want. No experience is
required, and you can contribute code, documentation, artwork, discuss user
interfaces and usability, manage bugs and bug reports, manage the wiki
pages, communicate between developers and the wider community, and promote
KDE through the media. There's something for everybody :-)"
Comments (none posted)
The XFree86 project
has announced
a new experimental snapshot, version 4.4.99.3.
"
With the 4.4.0 release done, we are now in the experimental (development) phase for the 4.5.0 release."
Comments (none posted)
Electronics
Version 1.3 of
gerber2pdf is available. The program is a Python script that converts
Gerber CAD files into PDF format. This is a bug fix release:
"
Fixed a problem with Python 2.3 by removing line termination characters from strings supplied to the eval function."
Comments (none posted)
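The gerber2pdf fix quoted above concerns strings read from a Gerber file and handed to eval. Stripping the line terminators makes such strings parse, but a field from a file that reaches eval is still executed as Python, not merely read as a number. The following is an added example, not gerber2pdf's own code: it puts the eval pattern beside a strict numeric parser that rejects anything other than a plain decimal literal, and adds a small fixed-point coordinate decoder of the kind a Gerber reader needs. The sample fields and the assumed %FSLAX24Y24*% format digits are constructed for the example.

```python
import re

# Constructed sample fields, of the kind a Gerber (RS-274X) file can carry.
# They are made up for this example; gerber2pdf's own code is not shown.
SAMPLE_FIELDS = ["1.5", "2.54\r\n", "  0.8\n", "1+1", "__import__('os').getcwd()"]

# A plain decimal literal and nothing else: optional sign, digits, optional
# fraction. No exponent, no whitespace, no operators, no names.
_DECIMAL = re.compile(r"^[+-]?(?:\d+\.?\d*|\.\d+)$")


def parse_number_eval(field):
    """The hazardous pattern: eval() turns a field read from a file into
    executable Python. Stripping line terminators makes it parse; it does
    not make it safe. Kept only to contrast with parse_number_strict()."""
    return eval(field.strip())


def parse_number_strict(field):
    """Accept a plain decimal literal only. Line terminators and padding
    are stripped first (the class of bug the gerber2pdf note describes);
    anything that is not a bare number is rejected rather than executed."""
    text = field.strip()
    if not _DECIMAL.match(text):
        raise ValueError("not a plain decimal number: %r" % (field,))
    return float(text)


def parse_coordinate(token, integer_digits, decimal_digits):
    """Decode one Gerber coordinate token under a fixed-point format.
    A %FSLAX24Y24*% format spec (assumed here) gives 2 integer and 4
    decimal digits, so 'X15000' means X = 1.5000. The digits are scaled
    by 10**decimal_digits instead of being assembled into text for eval."""
    m = re.match(r"^([XYIJ])([+-]?)(\d+)$", token.strip())
    if not m:
        raise ValueError("bad coordinate token: %r" % (token,))
    axis, sign, digits = m.groups()
    if len(digits) > integer_digits + decimal_digits:
        raise ValueError("too many digits for format in %r" % (token,))
    value = int(digits) / float(10 ** decimal_digits)
    return axis, -value if sign == "-" else value


def classify_fields(fields):
    """Run the strict parser over a batch and report what was accepted.
    Returns a list of (original field, parsed float or None if rejected)."""
    results = []
    for field in fields:
        try:
            results.append((field, parse_number_strict(field)))
        except ValueError:
            results.append((field, None))
    return results


if __name__ == "__main__":
    for field, value in classify_fields(SAMPLE_FIELDS):
        print("%-30r -> %s" % (field, "rejected" if value is None else value))
    print(parse_coordinate("X15000", 2, 4))
```

The strict parser accepts the first three constructed fields, including the ones with trailing line terminators, and rejects the two that are expressions; the eval variant would happily compute "1+1" and run the third. The coordinate decoder shows that the scaling a Gerber format spec calls for is plain integer arithmetic, so there is no need to build a string and evaluate it.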
Financial Applications
Stable version 1.8.9 of GnuCash, a financial application,
has been announced. This version includes a long list of new
features and bug fixes.
Comments (none posted)
Games
The
PyGame site lists the release
of version 1.0 of
Funki.
"
Funki is a hot new Pygame Action Puzzle. It is Lemmings meets your standard block pushing game. High quality entertainment."
Comments (none posted)
The April 9, 2004 edition of the
WorldForge Weekly News is available with the latest development
news from the WorldForge game project.
Comments (none posted)
Graphics
Version 0.38 of Inkscape, a cross-platform SVG-based graphics editor,
has been released.
"
In addition to a slew of new features, we've analyzed and closed over
130 bug reports for this release. Improvements have been made to text,
fonts, paths, gradients, usability, and much more."
Version 0.38.1
was also announced and features bug fixes and a few new
features.
Full Story (comments: none)
GUI Packages
Version 2.4.0 of gtkmm, the C++ interface to GTK+,
and a new version of the associated glibmm have been released.
Changes include several new widgets and an improved API.
Full Story (comments: none)
Version 1.1.5 rc 1 of FLTK, the Fast, Light ToolKit,
has been announced.
"
The FLTK 1.1.5 release is primarily a bug-fix release including documentation updates, fixes for 64-bit platforms, FLUID, several widgets, and GLUT emulation, and fixes for several platform-specific issues. The new release also adds project files for Visual C++.NET and supports KDE 3.x icons."
Other News from the FLTK project includes
an Updated Configuration Management Plan, and the release of the Geert
extensions to FLTK.
Comments (none posted)
Roberto Alsina
explains PyQt with a tutorial.
"
Everyone who has programmed applications knows that sometimes you create a gadget that can be reused in other situations, and that code reuse is good.
In the specific case of GUI applications, often what you would want to reuse is a widget.
For example, you took one of the toolkit's widgets and extended its functionality in a way you think has wide application, and you intend to reuse it on future work.
So, what we will try to do is figure out how we can create easy-to-reuse custom widgets using PyQt."
Comments (none posted)
Version 0.7.3.1 of
PythonCard,
a cross-platform GUI construction kit that uses wxPython, has been released.
Comments (none posted)
Imaging Applications
Version 2.12 of
CamlImages, an image processing library for the Objective Caml
language, has been released. The
Caml Hump
listing describes it as:
"
An image processing library, which provides loading and saving various image formats with an interface for the Caml graphics library. It has also an interface with the freetype library to draw texts using truetype fonts."
Comments (none posted)
Interoperability
Development release 20040408 of Wine
has been announced.
New features include the ability to configure DOS devices through
symbolic links, improvements to shell32, a new task manager, the new
wineprefixcreate tool, and bug fixes.
Comments (none posted)
The April 9, 2004 edition of
Wine Traffic has been published.
Comments (none posted)
Multimedia
Version 2.0.0 of the GIMP Animation Package, a set of plugins for the
purpose of creating animations,
has been released.
"
There are a couple of new features including a new bluebox plug-in, onion skinning and a video preview."
Comments (none posted)
Version 0.99.10 of Totem is available.
"
Totem is a movie player for the Gnome desktop based on xine. It features a
playlist, a full-screen mode, seek and volume controls, as well as a
pretty complete keyboard navigation."
Full Story (comments: none)
Version 1.0 of XMMS LADSPA, an XMMS effect plugin, has been announced.
"This version adds save & restore functionality so that if you use XMMS LADSPA with the same plugins all the time you don't need to laboriously re-start those settings when you restart XMMS, they will be remembered as will all their parameters."
Full Story (comments: none)
Music Applications
A new open-source audio project has been announced.
"ClearScale is an open source GPL-based project to bring high quality
time stretching and pitch shifting to the Linux platform. The goal is
to create an open standard for a commercial grade algorithm that allows
changing the pitch and speed of music and sound independently of each
other. It should achieve this in an artifact-free, sonically pleasing
manner, comparable to commercial algorithms on the MacOS and Windows
platform available today."
Full Story (comments: none)
Version 0.016 of sfc, a MIDI router that emulates a synthesizer,
is out with new MIDI capabilities, bug fixes, and efficiency improvements.
Full Story (comments: none)
Version 1.1z of wcnt (Wave Composer Not Toilet) is available.
Wcnt is a modular synthesizer, sequencer, sampler, and wav file generator.
This version features a long list of changes.
Full Story (comments: none)
PDA Software
Version 0.5 of the Palm4Python project has been released.
"The goal of this project is to have a suite of open source python modules to access Palm OS databases. It is intended to provide a full set of robust functionality to manage all aspects of interfacing with Palm OS hardware and software"...
Comments (none posted)
Peer to Peer
Version 0.0.3 of BTQueue is out.
"Due to a major problem in BitTornado 0.1.3, BTQueue 0.0.3 is a bug-fix release. The core engine has been upgraded to BitTornado 0.1.4. Some
minor bugs are also fixed. BTQueue is a console-based BitTorrent Client with
built-in scheduler for handling multiple sessions."
Comments (none posted)
Version 0.11 of Gnomoradio, a peer-to-peer music playing system, has been released.
"Version 0.11 improves stability, fixes several minor bugs, and improves
the UI. It is recommended that all users upgrade."
Since this announcement came out, Gnomoradio releases 0.11.1 and 0.11.2
have come out to address several bugs.
Full Story (comments: none)
Video Applications
Version 0.7.1 of the Kino Digital Video editor has been announced.
"Major new features of this updated GNOME2 application include metadata
editing, 3 point insert editing, some dvdauthor integration, mouse wheel
support, and numerous user interface enhancements."
Comments (none posted)
Web Browsers
MozillaZine covers a mailing list thread calling for alliances between Mozilla and other open source technologies. "Brendan [Eich] sees Mozilla developing into an open cross-platform alternative to forthcoming Microsoft technologies such as XAML and is looking to collaborate with other open-source projects to make this happen." The GNOME project is mentioned explicitly.
Comments (18 posted)
The Mozilla Links Newsletter for April 8, 2004 is available.
"In this special international edition, we pay tribute to our
international contributors and developers who make Mozilla one
of the most popular software worldwide."
Full Story (comments: none)
The April 14, 2004 Mozilla.org Status Update has been published.
"It includes news on the new stable branch, Quality Feedback Agent (Talkback)
reports, junk mail controls, the spellchecker, bookmark keywords, Mozilla
Thunderbird and more."
Comments (none posted)
The April 13, 2004 edition of the Mozilla Independent Status Reports is available.
"As part of international month, a special set of international status reports
focussing on internationalisation and localisation projects has been
published. Updates from L10Nzilla, Mycroft, kairo, l10ntools and Gaeilge are
included."
Comments (none posted)
Miscellaneous
Version 0.1.0 of Alexandria, a GNOME application for managing book collections, is out. This is the first public release.
Version 0.1.1 of Alexandria was released later in the week; it fixes a bug caused by a missing directory.
Full Story (comments: none)
Languages and Tools
Caml
The April 6-13, 2004 edition of the Caml Weekly News is online.
Take a look for four new Caml language articles.
Full Story (comments: none)
Java
Version 0.17.0 of gnome-gcj, the GCJ bindings to GNOME, is out.
"Gnome-GCJ 0.17.0 is the first release that supports Glib/Gdk/GTK+ 2.x.
It currently doesn't deliver lots of wrapped libraries as the main goal
for this release was to compile and install cleanly using the GTK
libraries 2.2."
Full Story (comments: none)
O'Reilly has published part two of an excerpt from Java Examples in a Nutshell.
"This second installment in a two-part series of excerpts from Java
Examples in a Nutshell, 3rd Edition follows last week's (on playing streaming
sounds in both sampled audio and MIDI formats) with examples of how to read a
simple musical score and convert it into a MIDI sequence. Author David
Flanagan also shows you how to make music by directly controlling a
MidiChannel of a Synthesizer."
Comments (none posted)
Richard Hightower introduces Hibernate and Spring on IBM's developerWorks.
"Just when you think you've got your developer tools all sorted out, a fresh crop is sure to emerge. In this article, regular developerWorks contributor Rick Hightower uses a real-world example to introduce you to two of the most exciting new technologies for the enterprise. Hibernate is an object-relation mapping tool and Spring is an AOP framework and IOC container. Follow along as Rick shows you how to combine the two to build a transactional persistence tier for your enterprise applications."
Comments (none posted)
Perl
The April 5-11, 2004 edition of This Week on perl5-porters is online.
"Spring is here, at least in the northern hemisphere, and perl 5.8.4 is approaching. This doesn't stop the Perl 5 porters from pursuing their usual job: proposing exciting new ideas, and fixing bugs. Read on for the details."
Comments (none posted)
The April 4, 2004 edition of This week on Perl 6 is available with the latest Perl 6 development news.
Comments (2 posted)
Maciej Ceglowski compares Perl's lookup hash to Bloom filters on O'Reilly.
"Many people don't realize that there is an elegant alternative to the lookup hash, in the form of a venerable algorithm called a Bloom filter. Bloom filters allow you to perform membership tests in just a fraction of the memory you'd need to store a full list of keys, so you can avoid the performance hit of having to use a disk or database to do your lookups. As you might suspect, the savings in space comes at a price: you run an adjustable risk of false positives, and you can't remove a key from a filter once you've added it in. But in the many cases where those constraints are acceptable, a Bloom filter can make a useful tool."
Comments (none posted)
PHP
Release Candidate 3 of PHP 4.3.6 has been announced.
"This release addresses 2 major bugs introduced in the 4.3.5 release. One of these bugs caused problems when loading dynamic extensions on Windows and thread-safe (ZTS) builds and the other involves incorrect handling of daylight savings time. A few other minor bugs were fixed as well."
Comments (none posted)
Python
David Mertz writes about unit testing in Python on IBM's developerWorks.
"In this installment, David looks at Python's two standard modules for unit testing: unittest and doctest. These modules expand on the capability of the built-in assert statement, which is used for validation of pre-conditions and post-conditions within functions. David discusses the best ways to incorporate testing into Python development, weighing the advantages of different styles for different types of projects."
Comments (none posted)
Scheme
The April 8, 2004 edition of the Scheme Weekly News is online
with a new set of Scheme language articles.
Full Story (comments: none)
XML
Version 2.6.0 of libxml++ is out.
"libxml++ is a C++ wrapper for the libxml XML parser library."
Full Story (comments: none)
Fabio Arciniegas A. writes about typography under Scalable Vector Graphics (SVG) on O'Reilly.
"Mixing the worlds of documents, programming, and visual design is a familiar experience for XML developers, especially when dealing with presentation technologies like SVG. Such mixtures can produce exciting new representations of information. They can also become ugly messes if one fails to learn the relevant aesthetic and design principles."
Comments (none posted)
Editors
Version 0.13 of the Bluefish html editor has been announced.
"Bluefish 0.13 features a new bookmarks functionality, much improved project management, auto tag closing, better navigation through opened documents, a much more responsive user interface, again many user interface improvements, many bug fixes and much, much more!"
Comments (none posted)
Version 2.4.2 of DrPython is out.
"DrPython is a clean and simple yet powerful and highly customizable editor/environment for developing programs written in the Python programming Language. It is written in Python, and uses the wxWidgets GUI Library." The ChangeLog file lists a number of bug fixes and features.
Comments (none posted)
IDEs
Version 1.2.2 of Anjuta, a C and C++ Integrated Development Environment, has been announced.
"Release note: Major bug fixes. Resolved many debugger, build, project, fonts, print and wizard related critical bugs. Also added a new Anjuta advanced tutorial in documentation."
Comments (none posted)
Miscellaneous
Version 0.6 of regexxer is out with support for gtkmm 2.4.
"Regexxer is a nifty GUI search/replace tool featuring Perl-style regular expressions. If you need project-wide substitution and you're tired of hacking sed command lines together, then you should definitely give it a try."
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
This Sydney Morning Herald story is one of many taking issue with just how the Yankee Group performed its survey "proving" that Linux is more expensive than Windows. "At the time the Yankee Group made its
findings publicly known, it made no mention of the fact that the survey had
been done in association with Sunbelt Software, a Windows NT/2K/XP Tools
Provider.... The survey was done through an online form, which is not a
medium known to generate reliable data unless some controls are
implemented."
Comments (1 posted)
NewsForge talks with David A. Wheeler about the usefulness of TCO (Total Cost of Ownership) studies. "NewsForge: Who can we trust to do
independent studies? Is anyone truly independent and unbiased?
Wheeler: In the end, the only way to be really sure that you have unbiased
results is to do the comparison yourself -- which you have to do anyway,
because some measures like total cost of ownership (TCO) and performance
are incredibly sensitive to specific environments."
Comments (3 posted)
Last Thursday Green Hills Software sent out a FUD missile (covered here). Now Groklaw has statements from Dr. Inder Singh, CEO of Lynuxworks, and Victor Yodaiken, CEO of FSMLabs in response. "You may remember that in
November of 2003, someone tried to do what O'Dowd posits, attempt to bypass
the normal submission procedures for Linux code in an attempt to get a back
door incorporated into the kernel. Alert Linux coders quickly spotted the
alterations in a routine file integrity check and picked up on their hidden
intent, despite the clever way they were coded to obfuscate their purpose,
before the code got anywhere near the kernel, and the attempt
failed."
Comments (1 posted)
Trade Shows and Conferences
Dave Phillips gives a preview of the upcoming Linux Audio Developers conference in Karlsruhe, Germany, and also covers the progress of several important Linux audio software projects.
"Without a doubt, the two most important development tracks are the ALSA and JACK projects. Both supply the foundation for much of the most interesting application development happening today, and support for ALSA/JACK rapidly is becoming de rigueur in new sound software for Linux."
Comments (none posted)
The SCO Problem
Groklaw has published the latest order for Red Hat in the ongoing SCO litigation.
"As you will see, Darl's mouth is why she dismissed SCO's Motion to Dismiss. I get a lot of satisfaction from that. However, she doesn't seem to understand that there are issues outside of the IBM lawsuit that are particular to Red Hat. Rather, she concludes that the IBM contract issues are the core of the dispute and that the copyright claims are dependent on how that plays out. I disagree."
Comments (none posted)
Here is a detailed article on Groklaw about Red Hat's case and what, exactly, is required to obtain a declaratory judgment.
"The judge was just saying that isn't the case here, that there is a real controversy, that SCO's words and behavior qualify as sufficiently menacing that Red Hat has a reasonable anticipation of being sued, something SCO in its attempt to have the matter dismissed fervently denied was the case. The judge found that Red Hat was right and SCO was ... well, you know."
Comments (none posted)
Melanie Hollands explores the ups and downs of SCO's stock price.
"Well, stocks don't always trade rationally and in a straight line with what the underlying fundamentals would suggest. Over the long term, I believe stocks move rationally, but there are short-term moves that do not seem rational. In the case of SCOX (and Enron, WorldCom, and many others), I believe the primary long-term direction continues to be down. But on the way down, there are short-term "secondary" moves that are often counter-intuitive to the primary trend."
Thanks to Leon Brooks.
Comments (none posted)
Companies
The Economist has an article about the Sun/Microsoft deal, complete with a scary picture of Scott McNealy and Steve Ballmer. "When Mr Ballmer gives Mr McNealy a
hug and says that 'we do both believe in intellectual property', this is
a not-so-veiled jab at the open-source Linux, which both men consider, in
essence, communistic. Microsoft and Sun happen to be the only major backers
(in the form of licence payments) of Linux's gadfly, a firm called SCO,
which is trying to obtain money from Linux users with threats of
litigation."
Comments (9 posted)
Microsoft is using its time-proven embrace and extend strategy on open-source licenses, according to this article on eWeek.
"So, what's going on here? Is Microsoft converting to the open-source religion? Hardly. I think they're continuing to implement plans for battling open source that Microsoft staffers first outlined back in 1998's Halloween memo.
In that strategy memo, Microsoft staffers suggested that by embracing and extending open protocols, Microsoft could freeze open source out of the marketplace."
Thanks to Jay R. Ashworth.
Comments (5 posted)
News.com is running
a lengthy look at MySQL - both the software and the company. "
Travel reservations provider Sabre Holdings has replaced the mainframe computer and high-end Unix servers that underpinned its customer-facing Web site with about 45 Intel servers running a variety of open-source software, including Linux and MySQL. Going to a 'farm' of multiple relatively cheap servers has saved the company millions of dollars in database licenses alone, according to company executives."
Comments (6 posted)
Linux Adoption
NewsForge takes a look at efforts across the US to recycle old computers and supply families, schools, and nonprofits with IT connectivity.
"[Collaborative Technologies coordinator Ron] Braithwaite said the
open source model is proving its worth as his group looks to tailor the
solution to the different community resource organizations. "Open source
isn't just about software, it's about a way of working together
collaboratively," Braithwaite said. "All of a sudden, we can leverage the
work we've done. Because we've templated the hell out of it, we can tune it
and enable and disable [portions] to specifically serve community mental
health programs quickly and easily.""
Comments (3 posted)
Should you know any CIO types looking for guidance on how to use free software, News.com has run a column from Forrester Research to help them out.
"Arm your open-source advisory group with the funnel and decision
tools. Fund a multidisciplinary team comprised of developers, managers,
lawyers and procurement specialists to evaluate the risks of an open-source
component and community. Quantitative assessment tools can help companies
make informed decisions about the health of the community and the quality of
the commercial support."
Comments (2 posted)
Interviews
SearchEnterpriseLinux interviews Ximian's Nat Friedman. "What misconceptions exist concerning Linux desktops that may be holding back enterprise adoption?
Friedman: The No. 1 misconception is that usability is a major barrier to
adoption and that's not true. It used to be. There was a study done
recently with a group of 20 users who had never used a computer before. Ten
were put at a Windows PC, 10 at a Linux PC and they were given a list of
simple tasks like sending an e-mail, surfing to a Web page and the
usability results were pretty much the same. The real problem is getting
your work done if the applications don't exist." (Found on
Footnotes)
Comments (14 posted)
This week in the People Behind KDE series, Tink talks with Adriaan de Groot.
KDE enthusiast Philippe Fremy interviews Eirik Eng, CEO of Trolltech, and Matthias Ettrich, founder of the KDE project and CTO of Trolltech, on KDE.News.
Comments (none posted)
Search Enterprise Linux talks with a Cray CTO at ClusterWorld. "Despite assertions made by
Linux vendors, a Linux cluster is not a high performance computer, said
Dr. Paul Terry, CTO of Cray Canada. "At best, clusters are a loose
collection of unmanaged, individual, microprocessor-based computers."
Businesses shouldn't expect supercomputer performance from Linux clusters,
Terry warned."
Comments (17 posted)
OS News talks with Mike Hjorleifsson, one of the founders of Element Computer. Element is bundling its hardware with its own ION Linux distribution. "Is your
distro going to be sold separately, or only part of your hardware? Is your
hardware going to be sold on other retail outlets except your own store as
well?
Element Computer: ION is sold only with the hardware, our
strategy is to provide a truly turnkey point-click-work experience. We
welcome retail outlet partners to join our efforts, though initially we are
launching via our own facilities and the Internet."
Comments (none posted)
Reviews
Brice Burgess tests and compares several Linux distributions on an older IBM laptop.
"Linux may be cutting-edge software, but it runs just fine on hardware that would make Microsoft's current operating systems beg for relief. I took four different distros and installed them on a five-year-old rebuilt IBM ThinkPad 600E supplied by LinuxCertified. They proved that Linux on older hardware can be a cost-effective combination."
Comments (none posted)
LinuxWorld introduces CoLinux. "21-year-old Dan Aloni, a graduate of an IDF [Israel
Defence Force] computer unit, has developed a Linux application - called
Cooperative Linux ("CoLinux" for short) - that is a port of the Linux
kernel that allows it to run cooperatively alongside another operating
system on a single machine. For instance, it allows one to freely run Linux
on Windows without using a commercial PC virtualization software such as
VMware, in a way which is much more optimal than using any general purpose
PC virtualization software."
Comments (none posted)
OSNews reviews GNOME 2.6 on Fedora. "Epiphany became the default web browser for
GNOME in the last release. Before that, people generally gravitated towards
Galeon, as it was the only worthwhile GNOME browser for a while. However,
recently, when the time came for people to actually choose a browser that
should be part of the GNOME Desktop and Developer Platform, Epiphany was
chosen because of its commitment to the HIG. Here is a lesson to be learnt:
if you want your app to be part of GNOME, learn to love the HIG. It is one
of the points of pride for the project."
Comments (40 posted)
O'Reilly's Linux DevCenter examines OSDL's Carrier Grade Linux specifications. "The CGL working
group includes network equipment providers, system integrators, platform
providers, and Linux distributors. All members contribute to the
requirement definition and current requirement projects or work on new open
source projects to meet the requirements. Many of these members have
contributed technology previously missing from the Linux Kernel to make it
a more viable option for telecom platforms. Two distributors already
provide distributions based on CGL requirement definitions. Several
telecom-related companies are deploying CGL or at least evaluating or
experimenting with it."
Comments (none posted)
Use Perl has a review of the book Perl Medic by Peter Scott.
"Peter Scott's Perl Medic is presented as a book for "Transforming Legacy Code", but it could also be called "Perl Best Practices" or "The Things Every Perl Programmer Should Know.""
Comments (none posted)
Miscellaneous
Wired digs up the dirt on Gopher. "According to a list on Floodgap.com, over
250 active gopher servers are currently online, serving documents ranging
from lawyer jokes to the text of the Shays-Meehan campaign finance reform
bill. Almost half these servers are affiliated with American colleges and
universities, but servers are also located on every continent but Africa
and Antarctica."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Open Group has sent out a press release on The Open Group Conference.
"At The Open Group's recent conference, key executives from the
federal government, industry and technology consortia discussed their
vision of the IT of the future, and emphasized the importance of standards
and certified conformance for achieving global interoperability."
Full Story (comments: none)
The Open Group has launched its COE Linux Platform certification program.
"Based on the DISA Cross Platform Compliance criteria for Linux systems, the program provides assurance that conforming systems provide services to COE applications software through conforming APIs. The program also assures that the systems present a specific appearance and behavior at the Human-Computer Interface level, have demonstrated interoperability and data interchange requirement, and meet a set of security requirements."
Full Story (comments: none)
A Call for Papers has gone out for the online magazine Phrack #62.
"As in previous issues, we will showcase selected tools from
the hacking community. Send us your toolz, links and logs for warez
that are worthy of being mentioned in our holy magazine."
Full Story (comments: none)
The OpenCollector site lists a new release of the Ronja Twister interface design from the Ronja Project.
"Ronja connects two PCs point-to-point, using a common red-orange visible light from a car brake light LED. The design is simple, building is easy and a complete from-scratch building guide is online. Suitable for anybody who wants to communicate entirely freely in a direct line of sight. Building is cheap and requires only common tools available in a home workshop. Communicates 10Mbit/sec. full duplex over 1.4km."
Comments (none posted)
A group of gaming enthusiasts are making an attempt to get a game company to port one of their products to Linux.
"An e-petition is being started invoking all Linux users to request VUGames
and Blizzard Entertainment so they port World of Warcraft to Linux.
Blizzard has been known in the past for their support to PC and Mac users
with hybrid games. The aim of the petition is to have a PC/Mac OS X/Linux
hybrid."
Full Story (comments: none)
Commercial announcements
KDE.News covers the release of KD Executor 2.0.
"KD Executor is a record and playback tool for Qt and KDE applications. In addition, it contains a test environment which uses this record and playback tool for testing Qt and KDE applications. We are proud to release a free version (free as in beer, not as in speech) of this tool to the KDE community."
Comments (none posted)
Lindows has announced that its distribution (formerly known as "LindowsOS") is now called "Linspire." Perhaps this means we are done with tiresome "Lindows v. Microsoft" press releases now.
Comments (11 posted)
LynuxWorks has sent out a press release responding to the Green Hills attack on the use of Linux in the military.
"The rapid proliferation of open standards software continues to
elicit responses from software vendors attempting to spread fear,
uncertainty and doubt (FUD) as they find their business models
threatened by the global open standards movement. Vendors have
attempted to thwart Linux through lawsuits and legal actions and,
most recently, are fueling the FUD surrounding Linux and the security
threat it poses to our nation's defense systems." Do note the careful wording: this PR is all about "open standards" and says nothing about free (or open source) software; these people could just as well be pushing UnixWare.
Comments (7 posted)
Red Hat has issued a press release about the many applications that work with RHEL, and a new online, searchable catalog to showcase compatible applications.
Comments (5 posted)
Secluda Technologies has announced the final beta of BlockMaster, its new
spam blocking product. They are also looking for Mandrake, SUSE, or Red
Hat test sites to help test the Linux version of the product.
Full Story (comments: none)
New Books
O'Reilly has published the book Network Security Assessment by Chris McNab.
Full Story (comments: none)
No Starch Press has published the book The Spam Letters by Jonathan Land.
"Besides poking fun at spammers, Jonathan Land is also an accomplished
stick figure artist and a participant in the experimental musical group
Negativland."
Full Story (comments: none)
A free, downloadable PDF version of the book Rapid Application Development with Mozilla has been announced.
"Wily Yuen writes: "Nigel McFarlane's Rapid Application Development with
Mozilla is now available as a PDF download from Bruce Perens' Open Source
series at InformIT. Please support the author and buy the book if you find it
to be useful."
Displaying a keen sense of irony, InformIT have ensured that their download
page does not work in Mozilla."
Comments (none posted)
The Samba site mentions the release of a new book by John H. Terpstra, Samba-3 By Example: Practical Exercises to Successful Deployment.
Also:
"Prentice Hall PTR is pleased to announce that the full source of both books, The Official Samba-3 HOWTO and Reference Guide and the new publication Samba-3 by Example have been posted to Samba.Org samba-docs public code tree. All books in the Bruce Perens' Open Source Series are published under the OPL."
Comments (none posted)
Resources
Linux Audio luminary Dave Phillips has put together three tutorials
for the AGNULA (A GNU Linux Audio distribution) documentation project.
The new documents include:
an Open Music tutorial,
a SuperCollider 3 tutorial, and
a "making music without X" tutorial.
Full Story (comments: none)
William Kendrick has announced the online availability of his LUG presentation KDE 3.2: A User's Perspective.
"The talk was well
received, and left some people (even KDE users) overwhelmed with new
information. It just goes to show that I wasn't the only one who knew KDE
was a great environment, but hadn't even scratched the surface yet!"
Comments (none posted)
The April 7, 2004 edition of the Linux Documentation Project Weekly News
documents the latest new documentation releases.
Full Story (comments: none)
The LDP Weekly News for April 14, 2004 is available with more new
documentation.
Full Story (comments: none)
The minutes are available from the Austin Group's April 8, 2004
teleconference.
Full Story (comments: none)
Event Reports
The following announcements came out of the ClusterWorld Expo 2004
on Friday:
The winners of the Excellence in Cluster Technology Awards
were announced.
PathScale, Inc.
announced
what it claims to be the World's Fastest Linux Compiler Suite for
AMD64 Systems.
Comments (none posted)
Upcoming Events
The ACCU conference panel on software patents will convene on Thursday
April 15, 2004 in Oxford, England.
Full Story (comments: none)
The "International Linux Standards and Application Symposium and the first
National Linux Standards Feedback Session" is being held in Beijing on
April 14 and 15. This event, which will be attended by
representatives of various Chinese companies and agencies, along with some
folks from the Linux Professional Institute and the Free Standards Group,
will look at ways of standardizing and promoting Linux for the Chinese and
international markets. Click below for the details.
Full Story (comments: 4)
Registration is open for the EuroPython conference. Submissions for
talks are due by April 15.
Full Story (comments: none)
A news update is available for the EuroPython 2004 conference.
The event will be held in Göteborg, Sweden from June 7-9, 2004.
Full Story (comments: none)
The Object Management Group will be holding a series of
OMG Information Days across Europe in the latter part of April, 2004.
Full Story (comments: none)
Registration has begun for the 2004 Ottawa Linux Symposium (July 21 to 24, Ottawa, Canada). This event often sells out, so, if you're
thinking you want to be there, registering sooner rather than later might
be a good idea. The price also goes up after May.
Full Story (comments: none)
Registration for the 2004 GCC Summit is open. The event will
be held in Ottawa, Canada on June 2-4, 2004.
Full Story (comments: none)
Workshop Pure Data will be held in Amsterdam, the Netherlands on May 26-29, 2004.
"This workshop is meant for beginners and will focus on Open Source
software for the real-time manipulation of audio and video. The dual
package of Pure Data and GEM, offer a complete set of tools for sound,
multimedia and VJ purposes. Topics will include: real-time audio and
video processing with PD and GEM, RRADical PD, PDP and an overview of
other free and open source audio and video tools for Linux."
Full Story (comments: none)
Members of the AGNULA project will be present at the Week of Freedom in Siena and Turin, Italy. The event will take place on April 17-22, 2004.
"The Week of Freedom is an event promoted and organized by Hipatia
and Free Software Foundation Europe with a plethora of local
associations and organizations - a 6-day-long tour around Siena,
Florence, Milan, Turin and Rome with conferences, workshops, speeches
on free (as in free speech) knowledge."
Full Story (comments: none)
Representatives of the AGNULA Linux Audio distribution will be present
in Padua, Italy on May 6-8, 2004 at the Webb.It 2004 conference.
Full Story (comments: none)
The AGNULA team will be present at the 2nd Linux Audio Conference in
Karlsruhe, Germany on April 29 - May 2, 2004.
Full Story (comments: none)
LinuxMedNews has announced the open-source presence at the medinfo2004 conference. The event will take place in San Francisco, CA in September, 2004.
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| April 15, 2004 | Real World Linux 2004 Conference & Expo | (Metro Toronto Convention Centre) Toronto, Ontario, Canada |
| April 15 - 16, 2004 | MySQL Users Conference and Expo 2004 | (Peabody Hotel Orlando) Orlando, FL |
| April 15 - 17, 2004 | ACCU Spring Conference 2004 | (Randolph Hotel) Oxford, England |
| April 16 - 18, 2004 | Penguicon 2.0 | (Detroit Sheraton Novi Hotel) Novi, MI |
| April 16 - 17, 2004 | Python UK Conference | (Randolph Hotel) Oxford, England |
| April 18 - 21, 2004 | XML Europe 2004 | (RAI Centre) Amsterdam, the Netherlands |
| April 20 - 21, 2004 | LinuxUser & Developer Expo | (Olympia) London, England |
| April 22 - 23, 2004 | 2004 Desktop Linux Summit | (Del Mar Fairgrounds) San Diego, California |
| April 26 - 27, 2004 | Digital Media Project Traditional Rights and Usages Workshop | Los Angeles, CA |
| April 29 - May 2, 2004 | 2nd Linux Audio Developers Conference | (Institute for Music and Acoustics) Karlsruhe, Germany |
| May 3 - 5, 2004 | International PHP Conference 2004 Spring Edition | Amsterdam, Netherlands |
| May 6 - 8, 2004 | TheServerSide Java Symposium | (The Venetian) Las Vegas, NV |
| May 6 - 8, 2004 | Web.It 2004 | Padova, Italy |
| May 11 - 12, 2004 | LinuxWorld Conference & Expo | (Hotel Istana) Kuala Lumpur, Malaysia |
| May 16 - 18, 2004 | European Firebird Conference 2004 | Fulda, Germany |
| May 17 - 20, 2004 | Fifth LCI International Conference on Linux Clusters | (University of Texas) Austin, TX |
| May 17 - 19, 2004 | Enterprise Software Summit | (The Palace Hotel) San Francisco, CA |
| May 17 - 20, 2004 | Black Hat Briefings Europe 2004 | (Grand Hotel Krasnapolsky) Amsterdam, the Netherlands |
| May 17 - 21, 2004 | Apache Boot Camp | Atlanta, GA |
| May 20 - 22, 2004 | Austrian Perl Workshop | Vienna, Austria |
| May 25 - 26, 2004 | LinuxWorld Conference & Expo | (Suntec) Singapore |
| May 26 - June 6, 2004 | DebConf4 | Porto Alegre, Brazil |
| May 26 - 29, 2004 | 2nd International Symposium on Computer Music Modeling and Retrieval | Esbjerg, Denmark |
| June 2 - 4, 2004 | 2004 GCC and GNU Toolchain Developer's Summit | (Ottawa Congress Centre) Ottawa, Canada |
| June 3 - 4, 2004 | Web.It 2004 | Milano, Italy |
| June 6 - 7, 2004 | French Perl Workshop | Paris, France |
| June 7 - 9, 2004 | EuroPython | (Chalmers University of Technology) Göteborg, Sweden |
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
Comments (none posted)
Page editor: Forrest Cook