LWN.net Weekly Edition for August 29, 2002

Red Hat as the "next Redmond"

By now, many readers are likely to have encountered this eWeek article comparing Red Hat to Microsoft. It includes nice quotes like:

"There is a backlash against Red Hat from many consumers and government agencies, who fear it is increasingly becoming the Microsoft of the Linux world with respect to its dominance and attitude," said David Turek, IBM vice president of Linux Clusters, in Somers, N.Y.

Is this "backlash" real, and should it be?

Red Hat is certainly the Linux distributor with the highest profile and the most evident success. But success does not make a monopoly. To justify charges like this, it is necessary to point out where Red Hat has tried to use its strong market position to force out competitors and extract monopoly prices from its customers. So let's look at a few things from Red Hat's record:

  • Red Hat continues to sell a 100% free distribution which anybody can download for free. The "advanced server" product is not available for download, but it remains free software; anybody with the interest and time could reproduce it (including things like Red Hat's kernel patches) and make it available. Red Hat's customers are probably not feeling the squeeze too badly at this point.

  • The company employs a large number of high-profile free software developers. These developers collaborate with developers employed by other distributors on a regular basis, and make their work available to everybody, including competitors.

  • Development versions of Red Hat's distribution are made available to users (and competitors) through beta releases and the "Rawhide" distribution (though you have to know where to look to find it). It is difficult to be surprised by the contents of a new Red Hat release.

This is not the sort of behavior that one normally expects to see coming out of Redmond.

Anybody wanting to criticize Red Hat need not look too far. It would be nice if the company had supported the Linux Professional Institute rather than creating its own certification program. The company's software patent policy is not to everybody's liking. Red Hat has pushed its users toward bleeding-edge versions of gcc while providing (and requiring) ancient versions of Python. They have blown a couple of attempts at coordinated, multi-distributor security updates with too-early releases. And so on.

Complaints like these, however, show only that Red Hat is not perfect. But every free software user has benefitted greatly from Red Hat's work, and will continue to do so, whether or not they have ever bought anything from Red Hat. Linux users are not suffering under the yoke of some Red Hat monopoly, and it is difficult to see how such a monopoly could develop anytime soon.

Charges that Red Hat is the next Microsoft look more like FUD designed to divide the Linux community against itself than like anything based in fact. Let's keep an eye on Red Hat - all free software companies can benefit from some vigilance to keep them honest. But let's not get taken in by people trying to create fears of a monopolist where none exists.

BT fails to patent the Web

Back in June, 2000, the company then known as British Telecom exhumed an old patent that, it claimed, covered the hyperlinking used in the World Wide Web - at least, in the United States. Seeing a potential gold mine, the company sent its lawyer squads off to the U.S. to shake down ISPs, all of which, it claimed, were violating this hyperlink patent. Prodigy got the dubious honor of being the first company to be targeted with an infringement suit.

Prodigy, happily, did not choose the "pay them off and hope they go away" response; instead, the company fought the claim in court. And, on August 22, the company was vindicated: U.S. federal Judge Colleen McMahon dismissed the suit outright, ruling that there is no way that a jury could find that infringement had taken place. The company now known as BT has the right to appeal the ruling, but, one way or another, BT looks unlikely to prevail. We can continue to make links without writing checks to BT.

This result is a victory for the Web, but it is a limited victory. The judge has simply determined that this patent, filed in 1980, does not cover the technologies used on the web. Had the patent been written differently, the result could easily have been different. Other patents with claims on fundamental technologies will certainly surface in the coming years, and they will not all be so easily disposed of.

(See also: the text of the judgement, in PDF format).

LWN, credit cards, and subscriptions

First the good news: it appears that most of the issues with credit card donations have been worked out. With luck, we will actually get our hands on the bulk of the money that you all donated to us a month ago, with the rest due to arrive in September. Hopefully, this particular unneeded hassle is just about behind us.

We are, however, still without a credit card account we can use to sell subscriptions, which puts a bit of a damper on our plans. We're still working on that one. If any of you have experience with a merchant bank that is friendly toward online subscription services, we would sure appreciate any pointers you could send our way. We need to get this one solved, or it's all going to fall apart before too long.

We'll keep you posted as things happen; meanwhile, we're trying to keep the news coming as best we can. Thanks, yet again, for your support.

(Note that we didn't get any letters to the editor this week, so there is no letters page this time around).

Page editor: Jonathan Corbet

Security

Security news

IPv4 mapped address considered harmful

Jun-ichiro itojun Hagino has submitted this draft to the IETF urging vendors who ship IPv4/v6 dual-stack nodes and routers to consider whether "they have made a secure choice."

At a glance, it appears that at least some of the problems can be addressed with appropriate filtering rules. Given the current deployment of IPv4/v6 dual stacks, changing the protocol definition may not be necessary or desirable.

Security reports

PHP: vulnerabilities in the mail() function

Wojciech Purczynski reports arbitrary code execution and open-relay script vulnerabilities in PHP 4.x up to 4.2.2.

Two vulnerabilities exist in the PHP mail() function. The first one allows execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts.

Lynx CRLF injection vulnerability

Ulf Harnhammar reports a CRLF injection vulnerability in Lynx which may be used to break out of restricted realms and to talk to servers other than HTTP servers.

The problem is also present in links and elinks.

Both the links and the elinks maintainers were notified on the 13th of August, but as they both live in the Czech Republic, they have been affected by the recent floods in Central Europe. Under the circumstances, they might well appreciate a patch for this security hole from an experienced C programmer.
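The PHP mail() report above and this Lynx report come down to the same defect: a caller-supplied string carrying a bare CR or LF is pasted into a line-oriented protocol (SMTP headers in one case, an HTTP request in the other), so the attacker ends the current line early and supplies lines of his own. The C program below is an added illustration written for this page, not code from Lynx, links, elinks or PHP; the host name, the %0d%0a payload, the Bcc address and the function names are constructed for the demonstration. It models what a client does (percent-decode the URL, print it into the request) and what an unchecked mail() wrapper does (print the subject into the headers), then shows the fix: refuse any value containing CR or LF before it reaches the wire.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if s contains a bare CR or LF, else 0. A decoded URL path or a mail
 * header value must never contain either by the time it reaches the wire. */
int contains_crlf(const char *s)
{
    return strchr(s, '\r') != NULL || strchr(s, '\n') != NULL;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (n bytes), as a browser does before putting a
 * path on the wire. %0d%0a therefore turns into a raw CR LF. */
size_t url_decode(const char *src, char *dst, size_t n)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < n; i++) {
        int hi, lo;
        if (src[i] == '%' && (hi = hexval((unsigned char)src[i + 1])) >= 0
                          && (lo = hexval((unsigned char)src[i + 2])) >= 0) {
            dst[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Naive HTTP/1.0 request builder (strict=0): the decoded path is printed
 * straight into the request line. strict=1 refuses CR/LF in the path, which
 * is the fix. Returns the request length, or -1 if refused or too long. */
int build_http_request(const char *host, const char *encoded_path, int strict,
                       char *out, size_t n)
{
    char path[256];
    url_decode(encoded_path, path, sizeof path);
    if (strict && contains_crlf(path))
        return -1;
    int len = snprintf(out, n, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Naive mail header builder (strict=0), as an unchecked mail() wrapper does
 * it; strict=1 refuses CR/LF in the recipient or the subject. */
int build_mail_headers(const char *to, const char *subject, int strict,
                       char *out, size_t n)
{
    if (strict && (contains_crlf(to) || contains_crlf(subject)))
        return -1;
    int len = snprintf(out, n, "To: %s\r\nSubject: %s\r\n", to, subject);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Number of CRLF-terminated header lines before the empty line (or the end):
 * the number of headers the receiving server will actually parse. */
int count_header_lines(const char *msg)
{
    int count = 0;
    const char *p = msg;
    while (*p != '\0') {
        const char *e = strstr(p, "\r\n");
        if (e == NULL || e == p)
            break;
        count++;
        p = e + 2;
    }
    return count;
}

/* Build-and-count helpers: header line count, or -1 if the strict builder refused. */
int http_header_count(const char *host, const char *encoded_path, int strict)
{
    char buf[512];
    if (build_http_request(host, encoded_path, strict, buf, sizeof buf) < 0)
        return -1;
    return count_header_lines(buf);
}

int mail_header_count(const char *to, const char *subject, int strict)
{
    char buf[512];
    if (build_mail_headers(to, subject, strict, buf, sizeof buf) < 0)
        return -1;
    return count_header_lines(buf);
}
```

In naive mode a path of /index.html%0d%0aX-Injected:%20yes decodes to a path with an embedded CR LF, and the server sees three header lines where the client meant to send two; a subject of "hello\r\nBcc: spam-target@example.net" adds a Bcc header, which is exactly how an unchecked mail() form becomes an open relay. With strict=1 both builders return -1. Re-encoding on output would be an alternative for the HTTP case, but there is no safe encoding of a raw newline inside a mail header, so rejecting the value is the right answer there.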

Information disclosure vulnerabilities fixed in Mantis 0.17.5

Mantis 0.17.5 fixes information disclosure vulnerabilities described in Mantis Advisories 2002-06 and 2002-07.

Mantis is an Open Source web-based bugtracking system, written in PHP, which uses the MySQL database server. It is being actively developed by a small group of developers, and is considered to be in the beta stage.

Abyss 1.0.3 directory traversal and administration vulnerabilities

Luigi Auriemma reports directory traversal and administration vulnerabilities in Abyss 1.0.3. A patch closing the administration vulnerability is available from Aprelium Technologies.

Abyss is a free web server that runs on Win32 and Linux x86 systems. It is tiny and has some interesting features, such as a "console" for administering the server remotely. Unfortunately the use of this console is the most dangerous thing in this web server, because an attacker can do whatever he wants without any password. This bug was found by Aprelium in June and has been fixed in the patch 2 release.

Arbitrary code execution vulnerability fixed in Achievo 0.8.2

Achievo is a web-based project management tool for business-environments. Versions prior to 0.8.2 are vulnerable to an arbitrary code execution attack.

This vulnerability allows an attacker to execute arbitrary PHP code with the permissions of the web server. The only condition is that the attacker must be able to store code on a server that is reachable from the web server; unless the web server is behind a firewall which blocks its outbound connections, that is not much of an obstacle.

New vulnerabilities

Locally exploitable buffer overflow in linuxconf

Package(s):linuxconf CVE #(s):
Created:August 28, 2002 Updated:August 28, 2002
Description: The widely-shipped linuxconf system administration utility has a buffer overflow vulnerability which can be exploited by a local user to obtain a root shell. This exploit only matters, of course, if linuxconf is installed setuid root, but a number of distributions do exactly that. If you have linuxconf installed on systems with untrusted local users, you will probably want to remove the setuid bit until a fix comes out.

For more information check out the full advisory from iDEFENSE.

Alerts: (No alerts in the database for this vulnerability)

Remote arbitrary code execution vulnerability in gaim

Package(s):gaim CVE #(s):
Created:August 28, 2002 Updated:September 4, 2002
Description: gaim versions prior to 0.59.1 contained an arbitrary code execution vulnerability in the hyperlink handling code.

The 'Manual' browser command passes an untrusted string to the shell without escaping or reliable quoting, permitting an attacker to execute arbitrary commands on the user's machine. Unfortunately, Gaim doesn't display the hyperlink before the user clicks on it. Users who use the other built-in browser commands aren't vulnerable.

The problem is fixed in gaim 0.59.1 which is available here. Versions prior to 0.58 also contained a buffer overflow in the Jabber plug-in module which, of course, is still fixed in 0.59.1. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
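The shape of the 'Manual' browser bug, and of its fix, as an added example written for this page; this is not gaim's own code, and the command template, the hostile URL and the function names are assumptions made for the demonstration. The vulnerable pattern substitutes the clicked URL into a user-configured template like "netscape %s" and hands the result to system(), so a URL containing ';' or backquotes turns into shell commands. The fix is not to quote better but to stop involving the shell at all: split the template into argv entries, drop the URL in as exactly one entry, and execvp() it directly.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE pattern (do not use): substitute the clicked URL into a
 * user-configured template such as "netscape %s" and return a single
 * string destined for system(), i.e. for /bin/sh. Returns a static
 * buffer, or NULL if the command would not fit. */
const char *build_shell_command(const char *tmpl, const char *url)
{
    static char cmd[1024];
    const char *pct = strstr(tmpl, "%s");
    int len;
    if (pct == NULL)
        len = snprintf(cmd, sizeof cmd, "%s %s", tmpl, url);
    else
        len = snprintf(cmd, sizeof cmd, "%.*s%s%s",
                       (int)(pct - tmpl), tmpl, url, pct + 2);
    return (len < 0 || (size_t)len >= sizeof cmd) ? NULL : cmd;
}

/* 1 if url contains something /bin/sh would interpret. Useful to flag a
 * hostile link in a log; not a substitute for avoiding the shell. */
int has_shell_metachar(const char *url)
{
    return strpbrk(url, ";|&`$(){}<>*?\"'\\ \t\n") != NULL;
}

/* FIX: tokenize the template on blanks and put the URL in as exactly one
 * argv entry wherever the token "%s" appears. No shell is involved, so
 * ';', backquotes and friends are just bytes inside an argument. Returns
 * argc, or -1 if the template is empty or does not fit. */
int build_argv_from_template(const char *tmpl, const char *url,
                             char *buf, size_t bufsize,
                             const char **argv, int max)
{
    if (strlen(tmpl) >= bufsize)
        return -1;
    strcpy(buf, tmpl);
    int argc = 0;
    for (char *tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (argc >= max - 1)
            return -1;
        argv[argc++] = (strcmp(tok, "%s") == 0) ? url : tok;
    }
    if (argc == 0)
        return -1;
    argv[argc] = NULL;
    return argc;
}

/* Convenience wrapper: the argc a template expands to. */
int template_argc(const char *tmpl, const char *url)
{
    char buf[1024];
    const char *argv[32];
    return build_argv_from_template(tmpl, url, buf, sizeof buf, argv, 32);
}

/* Launch the browser without a shell: fork, then execvp() the argv built
 * above. Returns the child's exit status, or -1 on failure. */
int launch_browser_noshell(const char *tmpl, const char *url)
{
    char buf[1024];
    const char *argv[32];
    if (build_argv_from_template(tmpl, url, buf, sizeof buf, argv, 32) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

build_shell_command("netscape %s", "http://example.org/;touch /tmp/pwned") yields a line that /bin/sh would run as two commands; launch_browser_noshell("true %s", ...) with the same URL exits 0 and never runs the touch, because the whole URL arrives as argv[1] of true. Only a token that is exactly "%s" is replaced here; a template that embeds %s inside a larger token is left as a limitation of the illustration. has_shell_metachar() is a detection aid only: denylists of characters are easy to get wrong, and the real defence is never handing untrusted text to a shell.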

Alerts:
Conectiva CLA-2002:521 2002-08-30
Mandrake MDKSA-2002:054 2002-08-01
Gentoo gaim-20020827 2002-08-27
Debian DSA-158-1 2002-08-27

Mailman 2.0.12 closes cross-site scripting vulnerability

Package(s):mailman CVE #(s):CAN-2002-0855
Created:August 28, 2002 Updated:September 4, 2002
Description: Mailman 2.0.12, released on July 2nd, closed a minor cross-site scripting vulnerability and implemented "a guard against some reply loops and 'bot subscription attacks." Upgrading to Mailman 2.0.13, which also fixes some Python 1.5.2 incompatibilities, is recommended.
Alerts:
Conectiva CLA-2002:522 2002-09-03
Red Hat RHSA-2002:176-06 2002-08-22

Buffer overflow vulnerabilities in PostgreSQL

Package(s):PostgreSQL CVE #(s):
Created:August 21, 2002 Updated:January 27, 2003
Description: PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited."

Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions.

Alerts:
Yellow Dog YDU-20030127-5 2003-01-27
Red Hat RHSA-2003:001-16 2003-01-14
Red Hat RHSA-2003:010-10 2003-01-14
SuSE SuSE-SA:2002:038 2002-10-21
Trustix 2002-0071 2002-10-17
Mandrake MDKSA-2002:062 2002-10-01
Conectiva CLA-2002:524 2002-09-19
Debian DSA-165-1 2002-09-12
Gentoo postgresql-20020826 2002-08-26

Light remotely-exploitable code vulnerability

Package(s):epic4-script-light CVE #(s):
Created:August 28, 2002 Updated:August 28, 2002
Description: J. S. Connell recently discovered that "the IRC script for EPIC4 that I maintain is vulnerable to a fairly easy remote attack."

All versions of Light prior to 2.7.30p5 (on the 2.7 branch) or 2.8pre10 (on the 2.8 branch) running under any version of EPIC4 on any platform are vulnerable to a remotely-exploitable bug that can execute nearly-arbitrary code. All Light users are very strongly urged to upgrade to stable release 2.7.30p5 or beta 2.8pre10 immediately.
Alerts:
Debian DSA-156-1 2002-08-22

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian DSA-159-2 2002-09-09
Debian DSA-159-1 2002-08-28

Kernel update for RedHat 7.3 i810 video

Package(s):kernel CVE #(s):
Created:August 28, 2002 Updated:September 4, 2002
Description: Red Hat has issued a kernel update that fixes an "i810 video oops". "Updated kernel packages are now available which fix an oops in the i810 3D kernel code. This kernel update also fixes a difficult to trigger race in the dcache (filesystem cache) code, as well as some potential security holes, although we are not currently aware of any exploits."
Alerts:
Red Hat RHSA-2002:158-09 2002-08-20

Denial of service vulnerability in irssi IRC client

Package(s):irssi-text CVE #(s):
Created:August 28, 2002 Updated:August 28, 2002
Description: When a user attempts to join a channel that has an overly long topic description, and a specific string is appended to the topic, the irssi IRC client will crash.
Alerts:
Debian DSA-157-1 2002-08-23

Updated vulnerabilities

Heap corruption vulnerability in at

Package(s):at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 20, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
EnGarde ESA-20030515-015 2003-05-15
Yellow Dog YDU-20020127-9 2002-01-27
SuSE SuSE-SA:2002:003 2002-01-16
Slackware sl-1011706104 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Red Hat RHSA-2002:015-13 2002-01-22
Mandrake MDKSA-2002:007 2002-01-18
Debian DSA-102-2 2002-01-18
Debian DSA-102-1 2002-01-16

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Numerous vulnerabilities in bugzilla

Package(s):bugzilla CVE #(s):CAN-2002-0804 CAN-2002-0805 CAN-2002-0806 CAN-2002-0807 CAN-2002-0808 CAN-2002-0809 CAN-2002-0810 CAN-2002-0811 CAN-2002-0803
Created:August 21, 2002 Updated:August 21, 2002
Description: The bugzilla bug tracking system has a long list of security problems which can lead to data disclosure, administrative access, and denial of service attacks. The Red Hat advisory (below) gives the full list.
Alerts:
Red Hat RHSA-2002:109-07 2002-08-20

Potential unauthorized root access vulnerability in dietlibc

Package(s):dietlibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:December 5, 2002
Description: Felix von Leitner discovered a potential integer overflow (the xdr_array() problem described in the CERT note below) in code derived from the SunRPC library which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access through software linking to dietlibc.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
SCO Group CSSA-2002-055.0 2002-12-04
Debian DSA-146-2 2002-08-08
Debian DSA-146-1 2002-08-08

Ethereal buffer overflow, infinite loop and memory management vulnerabilities

Package(s):ethereal CVE #(s):CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404
Created:June 12, 2002 Updated:October 27, 2002
Description: Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
  • The SMB dissector could potentially dereference a NULL pointer in two cases.
  • The X11 dissector could potentially overflow a buffer while parsing keysyms.
  • The DNS dissector could go into an infinite loop while reading a malformed packet.
  • The GIOP dissector could potentially allocate large amounts of memory.

No known exploits exist "in the wild" at the present time for any of these issues.

Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocol support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Alerts:
SCO Group CSSA-2002-037.0 2002-10-24
Conectiva CLA-2002:505 2002-07-04
Yellow Dog YDU-20020606-7 2002-06-06
Red Hat RHSA-2002:088-06 2002-06-04
Eridani ERISA-2002:023 2002-06-06

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 20, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
Immunix IMNX-2003-7+-010-01 2003-05-16
Red Hat RHSA-2003:015-05 2003-02-12
Trustix 2002-0052 2002-06-06
SuSE SuSE-SA:2002:012 2002-04-08
Mandrake MDKSA-2002:031 2002-05-16
SCO Group CSSA-2002-018.1 2002-05-13

Buffer overflow vulnerability in the Jabber plug-in module for gaim

Package(s):gaim CVE #(s):CAN-2002-0384 CAN-2002-0377
Created:August 14, 2002 Updated:September 11, 2002
Description: gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module. The problem is fixed in gaim 0.59 which is available here. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
Alerts:
Mandrake MDKSA-2002:054-1 2002-09-05
Yellow Dog YDU-20020810-4 2002-08-10
Red Hat RHSA-2002:107-11 2002-08-05

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 29, 2003
Description: Felix von Leitner discovered a potential integer overflow (the xdr_array() problem described in the CERT note below) in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access through software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-333-1 2003-06-27
Conectiva CLA-2002:535 2002-10-29
Trustix 2002-0070 2002-10-17
EnGarde ESA-20021003-021 2002-10-03
Gentoo glibc-20020927 2002-09-27
Gentoo dietlibc-20020927 2002-09-27
Debian DSA-149-2 2002-09-26
Mandrake MDKSA-2002:061 2002-09-23
Gentoo glibc-20020905 2002-09-05
SuSE SuSE-SA:2002:031 2002-08-30
Trustix 2002-0067 2002-08-13
Eridani ERISA-2002:036 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Debian DSA-149-1 2002-08-13

Buffer overflow in groff

Package(s):groff CVE #(s):CAN-2002-0003
Created:May 20, 2002 Updated:December 9, 2002
Description: The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.
Alerts:
SCO Group CSSA-2002-057.0 2002-12-06
Gentoo groff-20021019 2002-10-19
Yellow Dog YDU-20020127-11 2002-01-27
Trustix 2002-0020 2002-01-18
Red Hat RHSA-2002:004-06 2002-01-14
Mandrake MDKSA-2002:012 2002-02-07

HylaFAX 4.1.3 fixes multiple vulnerabilities

Package(s):hylafax CVE #(s):CAN-2001-1034
Created:July 30, 2002 Updated:October 9, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
SuSE SuSE-SA:2002:035 2002-10-04
Mandrake MDKSA-2002:055 2002-08-28
Debian DSA-148-1 2002-08-12

UW imapd remotely exploitable buffer overflow

Package(s):imap CVE #(s):CAN-2002-0379
Created:June 5, 2002 Updated:December 20, 2002
Description: UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23).
Alerts:
SuSE SuSE-SA:2002:048 2002-12-20
Trustix 2002-0054 2002-06-06
EnGarde ESA-20020607-013 2002-06-07
Yellow Dog YDU-20020606-1 2002-06-06
Red Hat RHSA-2002:092-11 2002-05-22
Mandrake MDKSA-2002:034 2002-05-27
Eridani ERISA-2002:018 2002-05-25
Conectiva CLA-2002:487 2002-05-24
SCO Group CSSA-2002-021.0 2002-05-15

Inadequate digital certificate verification in Konqueror

Package(s):Konqueror CVE #(s):
Created:August 19, 2002 Updated:August 21, 2002
Description: The Konqueror web browser, versions 3.0.2 and prior, does not properly check how digital certificates were signed; the result is that anybody can create fake certificates and use them for "man in the middle" attacks. The problem was fixed in Konqueror 3.0.3.

Alerts:
Debian DSA-155-1 2002-08-17

XDR vulnerability in krb5

Package(s):krb5 CVE #(s):CAN-2002-0391
Created:August 19, 2002 Updated:August 20, 2002
Description: The Kerberos 5 implementation suffers from the same SunRPC XDR buffer overflow problem as many other packages (see the CERT advisory).
Alerts:
Yellow Dog YDU-20020819-1 2002-08-19
Eridani ERISA-2002:038 2002-08-16
Red Hat RHSA-2002:172-07 2002-08-14

Kerberos 5 unauthorized root access to KDC host vulnerability

Package(s):krb5 CVE #(s):
Created:August 14, 2002 Updated:October 29, 2002
Description: A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

Felix von Leitner discovered this potential integer overflow (the xdr_array() problem described in the CERT note below) in code derived from the SunRPC library, which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream
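The dietlibc, glibc and krb5 entries on this page all trace back to the same SunRPC defect in xdr_array(): the element count c is read from the untrusted XDR stream, the allocation size is computed as c * elsize in 32-bit unsigned arithmetic, and a count chosen so that the product wraps yields a tiny buffer into which the decode loop then writes c full elements. The C program below is an added illustration written for this page, not SunRPC, glibc, dietlibc or krb5 code; the function names are invented, and the checked variant follows the shape of the published fixes (refuse the array if c exceeds the caller's maxsize or if c * elsize would not fit in a u_int), which is my reading of them rather than any vendor's exact text.

```c
#include <stdint.h>

/* As the unpatched code does it: c comes from the untrusted stream and the
 * allocation size is c * elsize in 32-bit unsigned arithmetic, which wraps. */
uint32_t xdr_array_nodesize_unchecked(uint32_t c, uint32_t elsize)
{
    return c * elsize;
}

/* How far past the (wrapped) allocation the decode loop would write: it
 * decodes c elements of elsize bytes each regardless of what was allocated. */
uint64_t xdr_array_overrun_bytes(uint32_t c, uint32_t elsize)
{
    uint64_t needed = (uint64_t)c * elsize;
    uint64_t allocated = xdr_array_nodesize_unchecked(c, elsize);
    return needed > allocated ? needed - allocated : 0;
}

/* The fix, in the shape the public patches took (assumption: exact vendor
 * wording differs): before allocating anything, refuse the array if c
 * exceeds the caller's maxsize or if c * elsize would not fit in a u_int.
 * Returns 1 and stores the size on success, 0 on refusal. */
int xdr_array_size_checked(uint32_t c, uint32_t elsize, uint32_t maxsize,
                           uint32_t *nodesize)
{
    if (elsize == 0)
        return 0;
    if (c > maxsize || c > UINT32_MAX / elsize)
        return 0;
    *nodesize = c * elsize;
    return 1;
}

/* Scalar wrapper: the checked size, or 0 if the array was refused. (A count
 * of 0 is a legitimate empty array, so code that must tell the two apart
 * should call xdr_array_size_checked directly.) */
uint32_t xdr_array_safe_nodesize(uint32_t c, uint32_t elsize, uint32_t maxsize)
{
    uint32_t size;
    return xdr_array_size_checked(c, elsize, maxsize, &size) ? size : 0;
}
```

With c = 0x40000001 and 4-byte elements the unchecked size wraps to 4 bytes while the loop would write 4 GiB; the checked version rejects that count because it exceeds UINT32_MAX / 4, and also rejects a count that is merely larger than the maxsize the caller passed. This is why the same advisory covers everything from kadmind to dietlibc: every program that links an unpatched xdr_array() and decodes attacker-supplied XDR carries the same heap overflow.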

Alerts:
Gentoo 200210-011 2002-10-28
Conectiva CLA-2002:515 2002-08-07
Debian DSA-143-1 2002-08-05

Buffer overflow in libpng

Package(s):libpng CVE #(s):CAN-2002-0728 CAN-2002-0660
Created:August 20, 2002 Updated:August 20, 2002
Description: Versions of libpng prior to 1.0.14 contain a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications that are linked to libpng and that use the progressive reading feature. (From the Red Hat alert).
Alerts:
Yellow Dog YDU-20020819-2 2002-08-19
Eridani ERISA-2002:039 2002-08-19
Red Hat RHSA-2002:151-21 2002-08-14
Mandrake MDKSA-2002:049 2002-08-13
Debian DSA-140-2 2002-08-05
Debian DSA-140-1 2002-08-01

LPRng accepts jobs from any host.

Package(s):LPRng CVE #(s):CAN-2002-0378
Created:June 12, 2002 Updated:October 31, 2002
Description: Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.

This could be an especially annoying vulnerability for administrators with systems exposed to the general public.

Alerts:
SuSE SuSE-SA:2002:040 2002-10-31
Mandrake MDKSA-2002:042 2002-07-04
Red Hat RHSA-2002:089-07 2002-06-09

Mailman 2.0.11 fixes two cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2002-0388
Created:June 5, 2002 Updated:August 28, 2002
Description: Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two cross-site scripting exploits, one reported by "office" in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version."
Alerts:
Debian DSA-147-2 2002-08-26
Debian DSA-147-1 2002-08-08
Red Hat RHSA-2002:101-06 2002-06-27
Red Hat RHSA-2002:099-04 2002-06-06
Red Hat RHSA-2002:100-03 2002-06-06
Conectiva CLA-2002:489 2002-05-24

Multiple vulnerabilities in mantis

Package(s):mantis CVE #(s):
Created:August 20, 2002 Updated:September 4, 2002
Description: The Mantis project has reported a number of bugs in the Mantis bug tracking system, including: Needless to say, upgrading to a version later than 0.17.3 is recommended.
Alerts:
Debian DSA-161-1 2002-09-04
Debian DSA-153-2 2002-08-20

Remote arbitrary code execution vulnerability in mantis

Package(s):mantis CVE #(s):
Created:August 14, 2002 Updated:August 20, 2002
Description: Mantis is a PHP-based bug tracking system. Joao Gouveia and the Debian Security Team found multiple insecure uses of uninitialized variables in mantis.

When these are exploited, a remote user is able to execute arbitrary code under the web server user id on the web server hosting the mantis system.
Alerts:
Debian DSA-153-1 2002-08-14

PHP Remote Compromise/DOS Vulnerability

Package(s):mod_php4 CVE #(s):
Created:July 22, 2002 Updated:February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Mozilla XMLHttpRequest file disclosure vulnerability

Package(s):mozilla CVE #(s):CAN-2002-0354
Created:May 20, 2002 Updated:October 18, 2002
Description: This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).
Alerts:
Red Hat RHSA-2002:192-13 2002-10-09
Red Hat RHSA-2002:079-13 2002-05-13
Conectiva CLA-2002:490 2002-05-29

String format bug in pam_ldap logging

Package(s):nss_ldap CVE #(s):CAN-2002-0374
Created:June 5, 2002 Updated:October 29, 2002
Description: The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism.
Alerts:
SCO Group CSSA-2002-041.0 2002-10-28
Yellow Dog YDU-20020606-2 2002-06-06
Red Hat RHSA-2002:084-17 2002-05-26
Eridani ERISA-2002:019 2002-05-28

OpenSSL remotely-exploitable buffer overflow vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
Created:July 30, 2002 Updated:September 24, 2002
Description: Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in this security alert from the OpenSSL team.

A nasty exploit for one of the vulnerabilities is described in CERT Advisory CA-2002-27 Apache/mod_ssl Worm.

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

If you haven't already, applying an update is a very good thing to do today.

Mitel Networks has an update available which closes this vulnerability for their SME Server software.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Alerts:
SuSE SuSE-SA:2002:033 2002-09-19
Debian DSA-136-2 2002-09-15
Yellow Dog YDU-20020810-1 2002-08-10
Conectiva CLA-2002:516 2002-08-08
EnGarde ESA-20020807-020 2002-08-07
Mandrake MDKSA-2002:046-1 2002-08-06
Red Hat RHSA-2002:160-21 2002-08-05
Eridani ERISA-2002:034 2002-08-06
Yellow Dog YDU-20020801-3 2002-08-01
SCO Group CSSA-2002-033.0 2002-07-31
Gentoo openssl-20020730 2002-07-30
Eridani ERISA-2002:033 2002-07-30
SuSE SuSE-SA:2002:027 2002-07-30
Mandrake MDKSA-2002:046 2002-07-30
Conectiva CLA-2002:513 2002-07-31
Red Hat RHSA-2002:155-11 2002-07-29
Trustix 2002-0063 2002-07-29
OpenPKG OpenPKG-SA-2002.008 2002-07-30
EnGarde ESA-20020730-019 2002-07-30
Debian DSA-136-1 2002-07-30

Safemode vulnerability in PHP

Package(s):PHP CVE #(s):CAN-2001-1246
Created:August 20, 2002 Updated:October 9, 2002
Description: PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers.
Alerts:
SuSE SuSE-SA:2002:036 2002-10-04
Debian DSA-168-1 2002-09-18
Mandrake MDKSA-2002:059 2002-09-10
Red Hat RHSA-2002:102-26 2002-08-19

Remotely exploitable vulnerability in pine

Package(s):pine CVE #(s):CAN-2002-0014
Created:May 20, 2002 Updated:November 27, 2002
Description: Pine has an unpleasant URL handling vulnerability which can lead to command execution by remote attackers. (First LWN report: January 17th).

This vulnerability is remotely exploitable; updating is a good idea.

Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein).

Alerts:
SuSE SuSE-SA:2002:046 2002-11-25
Yellow Dog YDU-20020127-8 2002-01-27
Slackware sl-1010936849 2002-01-13
Red Hat RHSA-2002:009-06 2002-01-14
EnGarde ESA-20020114-002 2002-01-14
Conectiva CLA-2002:460 2002-01-31

Sharutils potential privilege escalation using uudecode

Package(s):sharutils CVE #(s):CAN-2002-0178
Created:May 20, 2002 Updated:October 30, 2002
Description: According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).
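
What the CVE text describes is a check that is easy to state and easy to get subtly wrong: before writing decoded data, the tool must refuse an output name that is a symbolic link or a named pipe, and it must do so in a way that survives the link being created between the check and the open. The C function below is an added illustration of that policy, not sharutils' code: it uses lstat(2) to refuse anything that is not a regular file, then opens with O_NOFOLLOW so a symlink slipped in afterwards is still rejected. The scratch directory under /tmp and the file names in the self-test are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not sharutils code: the open() a uudecode-style tool
 * should use for its output file.  Policy: the name must be absent or an
 * existing regular file.  Symlinks, FIFOs, devices and directories are
 * refused by lstat(); O_NOFOLLOW then makes the open itself fail (ELOOP)
 * if a symlink appears between the check and the open.  Returns an open
 * descriptor, or -1 with errno set. */
int open_decoded_output(const char *path)
{
    struct stat st;

    if (lstat(path, &st) == 0) {
        if (!S_ISREG(st.st_mode)) {
            errno = EPERM;
            return -1;
        }
    } else if (errno != ENOENT) {
        return -1;
    }
    /* O_EXCL is deliberately absent: uudecode overwrites an existing
       regular file, and the lstat() above has already vetted it. */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
}

/* Self-test.  Builds a scratch directory (constructed, under /tmp) holding
 * a symlink, a FIFO and a regular file, tries each as an output name, and
 * returns a bitmask of policy violations: 0 means every case behaved,
 * -1 means the scratch setup itself failed. */
int run_policy_check(void)
{
    char dir[] = "/tmp/uucheckXXXXXX";
    char lnk[64], fifo[64], reg[64], fresh[64];
    int bad = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(reg, sizeof reg, "%s/regular", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);

    fd = open(reg, O_WRONLY | O_CREAT, 0600);        /* a pre-existing file */
    if (fd < 0 || close(fd) != 0 || symlink(reg, lnk) != 0 || mkfifo(fifo, 0600) != 0)
        return -1;

    if ((fd = open_decoded_output(lnk)) >= 0)  { bad |= 1; close(fd); }  /* symlink accepted */
    if ((fd = open_decoded_output(fifo)) >= 0) { bad |= 2; close(fd); }  /* FIFO accepted */
    if ((fd = open_decoded_output(reg)) < 0)   bad |= 4; else close(fd); /* regular refused */
    if ((fd = open_decoded_output(fresh)) < 0) bad |= 8; else close(fd); /* new file refused */

    unlink(lnk); unlink(fifo); unlink(reg); unlink(fresh);
    rmdir(dir);
    return bad;
}

int main(void)
{
    int bad = run_policy_check();
    printf("policy violations: %d%s\n", bad, bad == 0 ? " (none)" : "");
    return bad != 0;
}
```

The lstat() check alone would leave a window between the check and the open; O_NOFOLLOW closes it for symlinks, and because a FIFO opened for writing blocks until a reader appears, refusing FIFOs up front also avoids a hang that an unchecked tool would walk into.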
Alerts:
Gentoo 200210-012 2002-10-30
SCO Group CSSA-2002-040.0 2002-10-28
Mandrake MDKSA-2002:052 2002-08-14
Yellow Dog YDU-20020522-4 2002-05-22
Red Hat RHSA-2002:065-13 2002-05-14
Eridani ERISA-2002:014 2002-05-16

Multiple vulnerabilities fixed in Squid-2.4.STABLE7

Package(s):squid CVE #(s):
Created:July 8, 2002 Updated:November 15, 2002
Description: Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7. Several of the bugs are believed to allow remote code execution.

The security advisory lists the following changes:

  • Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus.
  • Security fixes in how Squid parses FTP directory listings into HTML.
  • FTP data channels are now sanity checked to match the address of the requested FTP server. This is to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired.
  • The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper.
  • A security issue in how Squid forwards proxy authentication credentials has been fixed.

Alerts:
SCO Group CSSA-2002-046.0 2002-11-14
Eridani ERISA-2002:031 2002-07-26
Mandrake MDKSA-2002:044 2002-07-17
Trustix 2002-0062 2002-07-15
SuSE SuSE-SA:2002:025 2002-07-09
Conectiva CLA-2002:506 2002-07-05

Tcl/Tk local root vulnerability

Package(s):tcltk expect CVE #(s):CAN-2001-1374 CAN-2001-1375
Created:August 14, 2002 Updated:September 24, 2002
Description: Tcl/Tk searches for its libraries in the current working directory before other directories. A local user could execute arbitrary code by inserting a Trojan horse library in the current working directory.

Versions of the expect application prior to 5.32 search for their libraries in /var/tmp before searching in other directories. A local user could gain root privileges by inserting a Trojan horse library in /var/tmp and then getting the root user to run mkpasswd.

Alerts:
Mandrake MDKSA-2002:060 2002-09-23
Eridani ERISA-2002:037 2002-08-14
Red Hat RHSA-2002:148-06 2002-08-12

Malformed NFS packet buffer overflow vulnerability in tcpdump

Package(s):tcpdump CVE #(s):CAN-2002-0380
Created:June 5, 2002 Updated:October 9, 2002
Description: A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
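
Network dissectors such as tcpdump's NFS printer pull length fields out of the packet and copy that many bytes; a hostile length larger than the captured data is the usual way such a parser is made to overrun a buffer. As an added example (not tcpdump's code), here is a bounds-checked reader for one XDR string field of the kind NFS requests carry: a 4-byte big-endian length followed by the bytes, padded to a multiple of four. Every read is checked against the captured length, the decoded length is capped, and a malformed field is reported rather than copied. The packets used are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cap on a decoded name; NFS itself limits file names to 255 bytes. */
#define NAME_MAX_LEN 255

/* Read a 4-byte big-endian XDR unsigned integer (no alignment assumed). */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one XDR string field at offset `off` of a packet of which `caplen`
 * bytes were captured, copying it NUL-terminated into dst.
 * Returns the number of packet bytes the field occupies (length word +
 * body + padding), or -1 if the field is truncated or its length is
 * implausible.  The unchecked version of this is a single memcpy(). */
int parse_xdr_string(const uint8_t *pkt, size_t caplen, size_t off,
                     char *dst, size_t dstlen)
{
    if (off > caplen || caplen - off < 4)     /* length word not captured */
        return -1;
    uint32_t len = xdr_u32(pkt + off);
    off += 4;
    if (len > NAME_MAX_LEN || len >= dstlen)  /* hostile or oversized length */
        return -1;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (caplen - off < padded)                /* body (with pad) not captured */
        return -1;
    memcpy(dst, pkt + off, len);
    dst[len] = '\0';
    return (int)(4 + padded);
}

/* Walk a sequence of string fields, as an argument printer might, and
 * return how many parsed cleanly before the first bad one. */
int count_fields(const uint8_t *pkt, size_t caplen)
{
    size_t off = 0;
    int n = 0;
    char name[NAME_MAX_LEN + 1];
    while (off < caplen) {
        int used = parse_xdr_string(pkt, caplen, off, name, sizeof name);
        if (used < 0)
            break;
        n++;
        off += (size_t)used;
    }
    return n;
}

int main(void)
{
    /* Constructed packet: "file.txt" followed by a field claiming 4 GB. */
    static const uint8_t pkt[] = {
        0, 0, 0, 8, 'f', 'i', 'l', 'e', '.', 't', 'x', 't',
        0xff, 0xff, 0xff, 0xff, 'A', 'B', 'C', 'D',
    };
    char name[NAME_MAX_LEN + 1];
    int used = parse_xdr_string(pkt, sizeof pkt, 0, name, sizeof name);
    printf("first field: %d bytes, name=%s\n", used, name);
    printf("fields parsed before a bad one: %d\n", count_fields(pkt, sizeof pkt));
    return 0;
}
```

The two comparisons that matter are written as `caplen - off < needed` rather than `off + needed > caplen`; the latter can wrap on a 32-bit size_t when the attacker controls `needed`, and then passes.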
Alerts:
Red Hat RHSA-2002:094-16 2002-10-04
Yellow Dog YDU-20020606-3 2002-06-06
Trustix 2002-0055 2002-06-05
SCO Group CSSA-2002-025.0 2002-06-04
Conectiva CLA-2002:491 2002-06-05
Red Hat RHSA-2002:094-08 2002-05-29
Eridani ERISA-2002:020 2002-05-30

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 20, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Multiple vulnerabilities in SNMP implementations

Package(s):ucdsnmp ucd-snmp CVE #(s):CAN-2002-0012 CAN-2002-0013
Created:May 20, 2002 Updated:September 17, 2002
Description: Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).
Alerts:
Red Hat RHSA-2002:036-26 2002-09-12
Yellow Dog YDU-20020211-1 2002-02-11
Red Hat RHSA-2001:163-20 2002-02-12
Mandrake MDKSA-2002:014 2002-02-15
Debian DSA-111-2 2002-02-28
Debian DSA-111-1 2002-02-14
Conectiva CLA-2002:462 2002-02-14
SCO Group CSSA-2002-004.0 2002-01-22

Local root vulnerability in chfn

Package(s):util-linux CVE #(s):CAN-2002-0638
Created:July 29, 2002 Updated:October 30, 2002
Description: chfn (change finger information) is one of the utilities in the util-linux package. The BindView RAZOR Team has discovered a local root vulnerability in chfn which is described in the Bindview Advisory.

Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file.

CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Alerts:
SCO Group CSSA-2002-043.0 2002-10-29
Conectiva CLA-2002:523 2002-09-12
Mandrake MDKSA-2002:047 2002-08-08
Yellow Dog YDU-20020801-4 2002-08-01
Trustix 2002-0064 2002-07-30
Red Hat RHSA-2002:132-14 2002-07-29
Eridani ERISA-2002:032 2002-07-29

webalizer: reverse DNS buffer overflow vulnerability

Package(s):webalizer CVE #(s):
Created:May 20, 2002 Updated:January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
Alerts:
Yellow Dog YDU-20030127-4 2003-01-27
Red Hat RHSA-2002:254-05 2002-12-04
SCO Group CSSA-2002-036.0 2002-10-22
EnGarde ESA-20020423-009 2002-04-23
Conectiva CLA-2002:476 2002-04-26

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 20, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
SCO Group CSSA-2003-002.0 2003-01-09
Yellow Dog YDU-20020522-7 2002-05-22
Mandrake MDKSA-2002:033 2002-05-21

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 20, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. As of November 28th, the recommendation was to disable the libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Debian DSA-301-1 2003-05-07
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-098-1 2002-01-09
Conectiva CLA-2002:448 2002-01-03

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:September 30, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818
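
The wwwoffle bug is a reminder that Content-Length is attacker-controlled input: parsed into a signed integer and then used as a buffer size or read count, a negative value turns into a very large unsigned one. The C code below is an added example, not wwwoffle's, of a validating parser: it refuses a leading sign, empty values, trailing junk, overflow and values above a policy cap (MAX_BODY is an assumed limit), and a small helper applies it to a raw request head. The requests it is exercised with are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (64UL * 1024 * 1024)   /* assumed policy cap: 64 MiB */

/* Validate a Content-Length header value.  Stores the length in *out and
 * returns 0 when the value is a plain non-negative decimal number at or
 * below MAX_BODY; returns -1 for a leading sign, an empty value, trailing
 * junk, or overflow.  strtoul() itself happily accepts "-1" and wraps it,
 * which is why the first character is checked by hand. */
int parse_content_length(const char *value, unsigned long *out)
{
    while (*value == ' ' || *value == '\t')
        value++;                                  /* optional whitespace */
    if (!isdigit((unsigned char)*value))
        return -1;                                /* "", "-1", "+5", "abc" */
    errno = 0;
    char *end;
    unsigned long n = strtoul(value, &end, 10);
    if (errno == ERANGE || n > MAX_BODY)
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -1;                                /* "12abc" */
    *out = n;
    return 0;
}

/* Case-insensitive test that a header line starts with `name`. */
static int header_named(const char *line, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    if (len < nlen)
        return 0;
    for (size_t i = 0; i < nlen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Find and validate Content-Length in a raw request head whose lines end
 * in CRLF.  Returns 1 when present and valid (length in *out), 0 when
 * absent, and -1 when present but invalid, in which case the request
 * must be rejected rather than given a "best guess" length. */
int request_content_length(const char *head, unsigned long *out)
{
    const char *name = "Content-Length:";
    const char *line = head;
    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                                /* blank line ends the head */
        if (header_named(line, len, name))
            return parse_content_length(line + strlen(name), out) == 0 ? 1 : -1;
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return 0;
}

int main(void)
{
    /* Constructed request of the shape the advisory describes. */
    const char *req = "POST /cgi HTTP/1.0\r\nHost: proxy\r\nContent-Length: -1\r\n\r\n";
    unsigned long n = 0;
    int rc = request_content_length(req, &n);
    printf("Content-Length: -1 -> rc=%d (request %s)\n", rc,
           rc < 0 ? "rejected" : "accepted");
    return 0;
}
```

Keeping the parsed length unsigned from the start, and capping it, means the later `malloc(len)` or `read(fd, buf, len)` never sees a value the sign bit can distort.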

Alerts:
SCO Group CSSA-2002-048.0 2002-11-18
Debian DSA-144-1 2002-08-06
SuSE SuSE-SA:2002:029 2002-08-01

xchat IRC server based DNS query vulnerability

Package(s):xchat CVE #(s):CAN-2002-0382
Created:June 5, 2002 Updated:September 24, 2002
Description: A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable.
Alerts:
Conectiva CLA-2002:526 2002-09-23
Mandrake MDKSA-2002:051 2002-08-14
Yellow Dog YDU-20020606-5 2002-06-06
Eridani ERISA-2002:021 2002-06-05
Red Hat RHSA-2002:097-08 2002-06-04

Denial of service vulnerability in xinetd

Package(s):xinetd CVE #(s):
Created:August 14, 2002 Updated:December 3, 2002
Description: A file descriptor leak into services started from xinetd may be used, by programs it starts, to crash xinetd. Xinetd is a replacement for the BSD-derived inetd.
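
The xinetd problem is a descriptor leak: a service started by the daemon inherits file descriptors that belong to xinetd itself. The usual defence is to mark every internal descriptor close-on-exec before the exec(), so the child sees only the three standard streams. The C helpers below are an added example of that, not xinetd's code: one counts the descriptors a child would inherit, the other sets FD_CLOEXEC on them. The scan is capped at an assumed 65536 descriptors; a production daemon would read /proc/self/fd instead.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define SCAN_LIMIT 65536   /* assumed cap on the descriptor range scanned */

/* Highest descriptor number to examine: the soft limit, capped. */
static int scan_max(void)
{
    long lim = sysconf(_SC_OPEN_MAX);
    if (lim < 0 || lim > SCAN_LIMIT)
        lim = SCAN_LIMIT;
    return (int)lim;
}

/* Count open descriptors above keep_upto that lack FD_CLOEXEC, i.e. the
 * ones a child started with exec() would inherit. */
int count_inheritable_above(int keep_upto)
{
    int n = 0, max = scan_max();
    for (int fd = keep_upto + 1; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1)
            continue;                          /* EBADF: not open */
        if (!(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Set FD_CLOEXEC on every open descriptor above keep_upto.  Returns how
 * many descriptors were changed, or -1 if a fcntl() other than a
 * "not open" lookup failed. */
int mark_cloexec_above(int keep_upto)
{
    int marked = 0, max = scan_max();
    for (int fd = keep_upto + 1; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF)
                continue;
            return -1;
        }
        if (flags & FD_CLOEXEC)
            continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

int main(void)
{
    int p[2];
    if (pipe(p) != 0)                  /* a descriptor the daemon keeps */
        return 1;
    printf("inheritable before: %d\n", count_inheritable_above(STDERR_FILENO));
    printf("marked: %d\n", mark_cloexec_above(STDERR_FILENO));
    printf("inheritable after: %d\n", count_inheritable_above(STDERR_FILENO));
    /* In a real daemon this is followed by fork() and exec() of the service;
       the pipe ends stay usable in the parent. */
    close(p[0]);
    close(p[1]);
    return 0;
}
```

The same count, run just before exec() in the child, is a useful regression check for any daemon that spawns services: it should report zero.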
Alerts:
Red Hat RHSA-2002:196-19 2002-12-02
Red Hat RHSA-2002:196-09 2002-10-14
Mandrake MDKSA-2002:053 2002-08-26
Gentoo xinetd-20020814 2002-08-14
Debian DSA-151-1 2002-08-13

Resources

Linux Security Week and Advisory Watch

The August 26th Linux Security Week and August 24th Linux Advisory Watch newsletters from LinuxSecurity.com are available.

Metis 1.4 released

Sacha Faust announces the release of Metis 1.4. "This is a tool I wrote to collect information from web servers." Metis was written for the Open Source Security Testing Methodology (OSSTM).

Internet anonymity for Linux newbies (Register)

The Register has published a tutorial for newbies on how to secure your home system. "For most home PC users, fairly secure is perfectly adequate, and that's what we'll be concentrating on below. In a week or two I'll get into details for power users, but for now I'm going to concentrate on a particular presumed reader: a home user who's fairly new to the Linux desktop, who's using a packaged distro, and who's not intimately familiar with PC security -- a 'recovering Windows user', let's say."

Events

ToorCon Computer Security Conference 2002 Pre-registration Closing

ToorCon 2002 has "recently released our finalized speaker lineup and it looks like it'll be one of ToorCon's best years yet. Pre-registration and RSVP will be closing shortly, so register today!"

ToorCon 2002 will be held September 27-29th in San Diego, CA, USA.

Upcoming Security Events

Date | Event | Location
--- | --- | ---
August 29 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea
September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002 (SECI'02) | Tunis, Tunisia
September 23 - 26, 2002 | New Security Paradigms Workshop 2002 (The Chamberlain Hotel) | Hampton, Virginia, USA
September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics (University of Idaho) | Moscow, Idaho, USA
September 26 - 27, 2002 | HiverCon 2002 (Hilton Hotel) | Dublin, Ireland
September 27 - 29, 2002 | ToorCon 2002 (San Diego Concourse) | San Diego, CA, USA
October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002 (RAID 2002) | Zurich, Switzerland

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Page editor: Dennis Tenney

Kernel development

Release status

Kernel release status

The current development kernel is 2.5.32, released by Linus on August 27. It includes, of course, the IDE code replacement (see last week's LWN Front and Kernel pages). In this (large) patch you'll also find the asynchronous I/O core (covered in the August 1 LWN Kernel page), a bunch more device model work, IA-64 and PPC64 updates, the beginning of the NFSv4 merge, a bunch of input layer changes, Ingo Molnar's thread performance work, and an incredible number of other fixes and updates. The long-format changelog is also available.

Linus's current BitKeeper tree, which will become 2.5.33, contains a number of memory management performance fixes from Andrew Morton, some partition and IDE work by Alexander Viro, a set of network driver improvements, and a big pile of typo and designated initializer fixes.

The current 2.5 status summary from Guillaume Boissiere is dated August 28.

The current stable kernel is 2.4.19; Marcelo has released no 2.4.20 prepatches over the last week.

The current prepatch from Alan Cox is 2.4.20-pre4-ac2. The -ac series is now the staging area for ongoing IDE work which, by most accounts, is going well.

Kernel development news

The 2.5 device model

A constant feature of development kernel summaries is "device model work." Perhaps it's time to take a look at what the device model actually is, and where it's going.

The device model effort has its roots in the 2001 Kernel Summit. It had become clear, at that point, that support of advanced power management would require a more structured approach to the management of devices in the Linux kernel. There has traditionally been no centralized registry of devices in the kernel - no way to just ask the system what devices were connected to it. Power management needs not only the answer to that question, but also some idea of how all the devices are plugged together. It doesn't do to shut down a SCSI controller before stopping all of the peripherals connected to that controller, for example.

So the device model work, done mainly by Patrick Mochel, started by adapting the existing PCI device scheme to represent a full system. At the center of the scheme is struct device, which, of course, represents a single device in the system. This structure contains quite a few fields, including no less than six different list heads; some of these fields will be examined shortly.

One type of device, of course, is a bus. There is a device structure for each bus, along with a bus_type structure for each type of bus. Almost every device on a system is reached via (at least) one bus, and the device model topology reflects that. Each bus device maintains, via the children list in its device structure, a list of all devices plugged into that bus. By looking at the bus_list field of any device in the system, the kernel can find all other devices attached to the same bus.

Each device structure also maintains a parent pointer (to another struct device, of course), and an entry into another list (called simply node) of all its siblings under the same parent. This hierarchy may look a lot like the bus lists already mentioned, but that is not the case. A device may be on a USB bus, but its parent may be the USB hub to which it is connected. Similarly, a SCSI tape drive may be reached through a PCI bus, but its parent is the SCSI host adaptor.

Thus, it is the parent and node lists that model the true hierarchy of the devices in the system. One could suspend a computer by starting at the top-level devices and doing a depth-first traversal of the device hierarchy via each device's children list. In fact, the device model makes this sort of traversal easy by maintaining a separate "global device list" which contains every device on the system, in the depth-first order.

As an example, your editor's system is represented in the driver model with a hierarchy like the following:

root
  pci0
    PCI host bridge
    ISA bridge
    IDE interface
    USB controller
      USB bus
        Lexar SmartMedia reader
    ACPI bridge
    SCSI adaptor
      SCSI bus 0
        Target 0 (disk drive)
          Partition 1
          Partition 2
        Target 1 (DAT tape)
          st0
          nst0
          ...
        Target 4 (CDRW)
    Audio controller
    MIDI port
    Ethernet controller
    Graphics card
  sys
    Interrupt controller
    8253 Interval timer
    floppy controller

Each entry in the hierarchy above is one device structure in the model; each device's children list holds each indented entry below that device. The global device list, instead, contains the full hierarchy shown above, in order from top to bottom. ("sys" is a virtual bus for devices not otherwise connected to a system bus).

The model, as described so far, shows the hierarchy of the system, but does not allow the kernel to actually do much with those devices. The next step involves a new generic structure: struct device_driver, which is registered for each driver in the system. This structure tells the system what type of bus the driver expects to work with, and provides a set of useful functions. One of those functions is probe; when a new device is discovered on the system the base code calls the probe function of every likely-looking driver for the relevant bus until a driver agrees to manage the device. The system then sets the driver pointer in the device structure, and knows how to find the right driver for the device from then on.

This driver pointer is not used for normal, user-space accesses to the device - that is still handled through the device arrays (indexed by the device's major number). What that pointer can be used for, however, is power management and hotplug events. If the kernel has been told to suspend the system, for example, it now need only pass through the global device list, calling the suspend function found in the device driver structure for each device. Similarly, if the user unplugs a device, the kernel can call that device's remove function to let the driver know.
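To see how the parent, children and node links, the global device list and the driver's suspend method fit together, here is a small C model of the structures described above. It is added here and is not kernel code: the kernel's list_head pairs are replaced by plain pointers, struct device_driver is reduced to a single suspend operation, and the hierarchy built is a subset of the one shown earlier. It builds the global list by a depth-first walk and then suspends the system by walking that list backwards, which is what guarantees a SCSI disk is quiesced before its controller.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEVICES 32

/* Stand-in for the kernel's struct device with only the fields the article
 * discusses; the kernel's list_head pairs become plain pointers here. */
struct device {
    const char *name;
    struct device *parent;     /* enclosing device, NULL for root */
    struct device *children;   /* first device whose parent is this one */
    struct device *node;       /* next sibling under the same parent */
    int suspended;
};

/* Stand-in for struct device_driver, reduced to the one method used. */
struct device_driver {
    int (*suspend)(struct device *dev);
};

/* Link dev under parent, appending it to the parent's children list. */
void device_register(struct device *dev, struct device *parent)
{
    dev->parent = parent;
    dev->children = dev->node = NULL;
    dev->suspended = 0;
    if (parent == NULL)
        return;
    struct device **slot = &parent->children;
    while (*slot != NULL)
        slot = &(*slot)->node;
    *slot = dev;
}

/* Depth-first, parent-before-children walk: the order of the kernel's
 * global device list.  Returns the new count, or -1 if `max` is exceeded. */
static int walk(struct device *d, struct device **list, int n, int max)
{
    if (n >= max)
        return -1;
    list[n++] = d;
    for (struct device *c = d->children; c != NULL && n >= 0; c = c->node)
        n = walk(c, list, n, max);
    return n;
}

int build_global_list(struct device *root, struct device **list, int max)
{
    return walk(root, list, 0, max);
}

/* Driver callback enforcing the ordering rule: refuse to suspend a
 * device while any of its children is still running. */
int ordered_suspend(struct device *dev)
{
    for (struct device *c = dev->children; c != NULL; c = c->node)
        if (!c->suspended)
            return -1;
    return 0;
}

/* Suspend everything by walking the global list backwards, so each device
 * is reached only after all of its descendants.  Returns the number of
 * devices suspended, or -1 if a driver refused. */
int suspend_system(struct device **list, int n, struct device_driver *drv)
{
    for (int i = n - 1; i >= 0; i--) {
        if (drv->suspend(list[i]) != 0)
            return -1;
        list[i]->suspended = 1;
    }
    return n;
}

/* A subset of the hierarchy shown in the article; fills `list` and returns
 * the count from build_global_list().  Parents precede children. */
static struct device devs[8];
int build_example(struct device **list, int max)
{
    static const char *names[8] = { "root", "pci0", "SCSI adaptor", "SCSI bus 0",
        "Target 0 (disk drive)", "Partition 1", "Target 1 (DAT tape)", "Ethernet controller" };
    int parent_of[8] = { -1, 0, 1, 2, 3, 4, 3, 1 };   /* index of each parent */
    for (int i = 0; i < 8; i++) {
        devs[i].name = names[i];
        device_register(&devs[i], parent_of[i] < 0 ? NULL : &devs[parent_of[i]]);
    }
    return build_global_list(&devs[0], list, max);
}

int main(void)
{
    struct device *list[MAX_DEVICES];
    struct device_driver drv = { ordered_suspend };
    int n = build_example(list, MAX_DEVICES);
    for (int i = 0; i < n; i++)
        printf("%d: %s\n", i, list[i]->name);
    printf("suspended %d devices\n", suspend_system(list, n, &drv));
    return 0;
}
```

Running suspend_system() forwards instead of backwards makes ordered_suspend() refuse at the very first device, since root's children are still awake; that is the failure the article's SCSI example warns about, reduced to a return code.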

The above is sufficient to handle the basic functions needed by power management and to support hotpluggable devices. It also unifies much of the device probing and accounting logic in the kernel, allowing the removal of a great deal of duplicated code. The device model work has not stopped there, however. One recent (2.5.32) addition is the notion of device classes and interfaces. The "class" of a device is the basic function that it performs - it could be an "input" or "storage" device, for example. Not much is done with the class information currently, but the structure is there for class-level drivers to affect how the device is managed.

"Interfaces" are paths to the device from user space - normally entries in /dev. Devices which implement a given interface can be expected to respond in certain, well-defined ways. As with classes, about all that is done with interfaces, for now, is to remember them. But that could change.

This discussion, so far, has left out an important subsystem which, while technically not part of the device model, is intimately tied in with it. "driverfs" is a virtual filesystem which provides a userspace representation of the driver model data structure. This filesystem, normally mounted at /devices, contains (currently) three top-level directories:

  • root contains the entire device tree in the usual hierarchical form. By digging around in /devices/root, users (or code) can get a handle on how the system is put together. Driverfs also makes it easy for devices to export tunable parameters (much like those found in /proc/sys) which can be found - and tweaked - in the device tree.

  • class contains an entry for each device class registered in the system. Further down, an entry for every device which implements that class can be found (it's a symbolic link to the entry in the /devices/root tree). There are also entries for each interface registered with a class, and, again, a symbolic link for every device implementing the interface.

  • bus lists each bus type (not each physical bus) on the system and the devices managed by each.

(See this example /devices listing, which corresponds to the system hierarchy shown above, to see how it all goes together).

Some readers may be noting a certain similarity between driverfs and devfs. They do resemble each other in that they are both kernel-generated virtual filesystems which contain entries for the devices in the system. They differ, however, in that driverfs is intended to be a physical representation of the system, while devfs is intended to provide user-space access to the devices themselves. A devfs user can mount /dev/discs/disc0; somebody perusing driverfs can, with sufficient typing pain, find the directory /devices/root/pci0/00:0e.0/scsi0/0:0:0:0/0:0:0:0:p1, but there's nothing there to mount. Instead, a bunch of information - including the device's major and minor numbers - is available.

So devfs and driverfs serve different purposes, but driverfs (with /sbin/hotplug) could conceivably supplant devfs in future kernels. While driverfs is not intended to be the way users access devices, all the information needed to create /dev nodes is (or can be) there. In the future, the /sbin/hotplug script may be used to configure all devices as they are discovered in the system; there is no reason why that script can not use the driverfs information (including class and interface information) to create /dev nodes implementing whatever policy the system administrator likes. The result would be a flexible device naming and administration scheme which removes policy from the kernel code.

That all remains in the future, however; the device model and driverfs are still works in progress. Most driver code does not yet interface with the device model; thus far, there has been little need to change the drivers themselves, since the PCI code has done the necessary device registration. Full implementation of classes and interfaces, however, is likely to require digging into the driver code, and that could take a little while. It could yet happen for 2.6, however.

The scheduler and hyperthreading

Hyperthreading is a hardware technique where a single CPU behaves as if it were multiple (usually two) virtual processors. When one virtual processor stalls (on a cache miss, for example), the other runs. Hyperthreading can yield significant performance improvements (numbers of around 30% have been floated) for a very small silicon investment. And the software side is free: a hyperthreaded processor is almost indistinguishable from a pair of real, physical processors, and the current Linux (or whatever) SMP code works.

However, a scheduler which handles SMP, but which is unaware of hyperthreading, will not obtain optimal performance. If you have two processes running on two virtual processors on the same physical CPU, they will be contending with each other in a way that processes on separate CPUs will not. A naive scheduler, such as the one currently found in the Linux kernel, does not understand the difference between the two situations, and will thus make wrong decisions.

Ingo Molnar has posted some scenarios where the current scheduler gets things wrong, along with, of course, a patch that makes everything right. Consider a system with two physical CPUs, each of which provides two virtual processors. If there are two running tasks, the current scheduler would happily let them both run on a single physical processor, even though far better performance would result from migrating one process to the other physical CPU. The scheduler also doesn't understand that migrating a process from one virtual processor to its sibling is cheaper (due to cache loading) than migrating it across physical processors.

The solution is to change the way the run queues work. The 2.5 scheduler maintains one run queue per processor, and attempts to avoid moving tasks between queues. The change is to have one run queue per physical processor which is able to feed tasks into all of the virtual processors. Throw in a smarter sense of what makes an idle CPU (all virtual processors must be idle), and the resulting code "magically fulfills" the needs of scheduling on a hyperthreading system. The actual patch involves a bunch of tricky details, of course, but the end result is that a relatively simple idea yields a 10% or greater performance improvement.
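The placement decision that Ingo's patch gets right can be shown in a few lines of C. The following is an added example, not the kernel's scheduler: it models two physical packages with two siblings each, a naive picker that takes the first idle virtual CPU, and a hyperthreading-aware picker that first looks for an idle package, then the least-loaded one, and within a package prefers the task's previous CPU or its sibling. A cost function encodes the point that moving between siblings is cheaper than moving across packages. The CPU counts and task layout are constructed.

```c
#include <stdio.h>

/* Constructed topology: two physical packages, two siblings each, with
 * sibling virtual CPUs numbered consecutively (0,1 share a core; 2,3 share
 * the other).  Not the kernel's code. */
#define NR_PHYS     2
#define NR_SIBLINGS 2
#define NR_CPUS     (NR_PHYS * NR_SIBLINGS)
#define IDLE        (-1)

struct machine {
    int running[NR_CPUS];   /* task id on each virtual CPU, or IDLE */
};

static int phys_of(int cpu)        { return cpu / NR_SIBLINGS; }
static int first_sibling(int phys) { return phys * NR_SIBLINGS; }

/* Number of busy virtual CPUs on a package; the package is idle in the
 * hyperthreading sense only when this is zero. */
int package_load(const struct machine *m, int phys)
{
    int load = 0;
    for (int c = first_sibling(phys); c < first_sibling(phys) + NR_SIBLINGS; c++)
        if (m->running[c] != IDLE)
            load++;
    return load;
}

/* The HT-unaware choice: the first idle virtual CPU, whatever its sibling
 * is doing.  This is the "two tasks on one package" mistake. */
int naive_pick(const struct machine *m)
{
    for (int c = 0; c < NR_CPUS; c++)
        if (m->running[c] == IDLE)
            return c;
    return -1;
}

/* HT-aware choice: least-loaded package first (an idle package beats one
 * with a busy sibling); on a tie, stay on the package the task last ran on;
 * within the package, reuse the last CPU if it is free, else any idle
 * sibling.  Returns -1 when every virtual CPU is busy. */
int ht_pick(const struct machine *m, int last_cpu)
{
    int best = -1, best_load = NR_SIBLINGS;
    for (int p = 0; p < NR_PHYS; p++) {
        int load = package_load(m, p);
        if (load >= NR_SIBLINGS)
            continue;                           /* package full */
        int tie_on_home = (load == best_load && last_cpu >= 0 && phys_of(last_cpu) == p);
        if (load < best_load || tie_on_home) {
            best_load = load;
            best = p;
        }
    }
    if (best < 0)
        return -1;
    if (last_cpu >= 0 && phys_of(last_cpu) == best && m->running[last_cpu] == IDLE)
        return last_cpu;
    for (int c = first_sibling(best); c < first_sibling(best) + NR_SIBLINGS; c++)
        if (m->running[c] == IDLE)
            return c;
    return -1;
}

/* Relative cost of moving a task: free to stay, cheap between siblings
 * (shared cache), expensive across packages. */
int migration_cost(int from, int to)
{
    if (from == to)
        return 0;
    if (phys_of(from) == phys_of(to))
        return 1;
    return 2;
}

int main(void)
{
    struct machine m = { { 0, IDLE, IDLE, IDLE } };   /* task 0 on CPU 0 */
    printf("second task: naive -> CPU %d, HT-aware -> CPU %d\n",
           naive_pick(&m), ht_pick(&m, -1));
    printf("cost 0->1: %d, cost 0->2: %d\n",
           migration_cost(0, 1), migration_cost(0, 2));
    return 0;
}
```

With one task on CPU 0, the naive picker puts the second task on CPU 1, the busy core's sibling, while the HT-aware picker sends it to CPU 2 on the idle package; that is the two-task scenario from the posting, and the per-package load count is the "all virtual processors must be idle" notion in miniature.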

A change in the BitKeeper license

Larry McVoy recently posted a note to the Linux kernel list regarding changes in BitKeeper licensing. The big change is that the new license gives BitMover the right, if you are using the free (beer) version of BitKeeper, to require you to make your repository available under a free license. The point is that the free version of BitKeeper is meant to help free software development; it's not meant for proprietary work.

Larry also states that BitMover may be about to make a sale which can be tied to the kernel developers' use of BitKeeper; should that happen, he'll set aside $25K in BitKeeper developer time. Linus can use that time to cause the implementation of features he wants, regardless of whether that's something BitMover otherwise would have done.

Linux Journal 2002 Editors' Choice

We'll now take a brief moment for editorial self indulgence... The Linux Journal's 2002 Editors' Choice awards have been announced. The selection for "best technical book" was one Linux Device Drivers, 2nd Edition by Alessandro Rubini and Jonathan Corbet.

Patches and updates

Architecture-specific

  • Luca Barbieri: i386 dynamic fixup/self modifying code. "This patch implements a system that modifies the kernel code at runtime depending on CPU features and SMPness. In fact, I'm not really sure whether it's a good idea to do something like this." (August 28, 2002)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Caldera International becomes The SCO Group

Earlier this week Erik Ratcliffe sent LWN a note, saying only to check out the Caldera International website. We did, and found the familiar Caldera logo gone, and a new SCO logo in its place. Caldera International is now, or will be after shareholder approval, The SCO Group. The change reflects where the company's money is made, explains this News.com article: not in its Linux products, but in the proprietary Unix technology acquired from SCO in 2000. A complete rebranding such as this can be expensive, but the company obviously feels that the SCO products will sell better under their former names. So SCO Unixware, briefly called Caldera OpenUnix, will once again be SCO Unixware.

What does this mean for Caldera OpenUnix? Well, it won't be called that anymore. The latest distribution, about to enter beta testing, is called SCO Linux 4.0 powered by UnitedLinux. Much of what was once OpenLinux will remain, but elements are changing. Exactly what and how much remain to be seen, but these changes will have less to do with the name change, and are very dependent on the UnitedLinux product. For example, SuSE's YaST (Yet another Setup Tool) program will be integrated with Caldera technology for the UnitedLinux (and SCO) installation and configuration program.

There will be a closed beta of SCO Linux (limited to a small number of testers) followed by an open beta. In this post to the Caldera users' group, SCO's John Boland explains the process and how to get registered.

Distribution News

Debian GNU/Linux

Here is the Debian Weekly News for August 27, 2002. Topics include the Debian constitution, OpenLDAP, GCC 3.2, Python 2.2, Gnome 2, Wordlists, and the debian-installer.

We also have an update on the debian-installer status.

Mandrake Linux

The Mandrake Linux Community Newsletter for August 22, 2002 is now available. This edition contains information on the Beta 3 release; a summer special at MandrakeStore; Mandrake's LSB certification; Star Trek Actor Wil Wheaton recommends Mandrake; and much more.

Beta 4 of the upcoming Mandrake Linux 9.0 is available. Changes and improvements based on previous reports include:

  • Drakconf: the memory leak has been fixed. Additionally, Drakconf offers an improved look and feel.
  • 'tinyfirewall' is now active.
  • RpmDrake: many improvements have been made, including the ability to search package descriptions and the availability of the 'noclearcache' option.

New software includes OpenOffice 1.0.1.

Mandrake has a new French language website for the discussion of Linux-Mandrake at Mandrakefr.org.

Red Hat Linux

IBM developerWorks has a tutorial on Tuning Red Hat for maximum performance. Free registration is required.

Here's a Linux Journal how-to on getting Red Hat 7.3 running on a Compaq Presario 711 laptop computer. "Linux has made great progress on desktop systems. Installing a modern operating system like RH 7.3 on a desktop is almost easy enough for Aunt Minnie, as Jerry Pournelle likes to call the everyday computer user. But laptop installs are a different matter. The hardware on laptops is less generic than what's on the desktop, but with the move to ATX-style motherboards with integrated peripherals, this has become less of a problem."

Comments (none posted)

New Distributions

DOSSLACK

DOSSLACK is a bootable FreeDOS disk image designed to boot into a Slackware 8.1 install. It can boot any of the kernels in the Slackware 8.1 CD's kernels/ directory, and it supports most common ATAPI (IDE interface) CD-ROM drives. The Slackware 8.1 ISO image uses a "no-emulation" boot image; most recent BIOSes can boot such a CD, but many older (and some not-so-old) systems cannot. So if you have had problems installing Slackware 8.1, DOSSLACK may be the answer.

Comments (none posted)

Minor distribution updates

Arch Linux

Arch Linux has released version 2.1 of its package manager, Pacman.

Comments (none posted)

Cool Linux CD

Cool Linux CD has released v1.33. This version adds CDRW software, VoIP software, and the PSI Jabber client. There are also some changes to the bootup procedure.

Comments (none posted)

DMZS-Biatchux Bootable CD Distro turns to FIRE

The distribution formerly known as the DMZS-Biatchux Bootable CD Distro has changed its name to FIRE. The first release since the name change is FIRElite release v0.2b. (Thanks to JR Gimblet)

Comments (none posted)

NSA Security Enhanced Linux

NSA Security Enhanced Linux has released v2002082308 with minor feature enhancements, including kernel updates to 2.4.19 and 2.5.31.

Comments (none posted)

ROOT Linux

ROOT Linux has released v1.3 with major feature enhancements. "This release features big improvements to the installer, support for devfs and PAM, the latest versions of KDE and GNOME (3.0.3 and 2.0.1), GCC 3.2, and PureFTPd as the default FTP daemon. The 'agetty' program has been replaced with the smaller 'mingetty'. Non-free packages have been moved to a 'nonfree' folder."

Comments (none posted)

SmoothWall

SmoothWall has released Smoothwall GPL 2.0 beta1 (metro).

Comments (none posted)

TA-Linux

TA-Linux has released TA-Linux 0.2.0-Beta2 (i386) with minor feature enhancements.

Comments (none posted)

Topologilinux

TopologiLinux has released v1.0 with lots of shiny new packages.

Full Story (comments: none)

ttylinux

ttylinux has released v2.4 with minor bugfixes, including updates of isdn4k-utils, modutils, and util-linux to their latest versions. The filesystem was recreated with fewer inodes to make some extra space.

Comments (none posted)

uClinux

uClinux has released v2.4.19-uc0 with major feature enhancements, including an upgrade of the kernel from 2.4.17 to 2.4.19.

Comments (none posted)

VectorLinux

VectorLinux has released 2.5 (SOHO). The SOHO branch contains preinstalled productivity software such as KDE 3.x, OpenOffice 1.0, and several other applications. The installation program does not ask which packages should be selected; it simply installs its preselected set of software.

Comments (none posted)

Webfish Linux

Webfish Linux has released 1.2 (Fishwall) with minor feature enhancements.

Comments (none posted)

xbox-linux

xbox-linux has released v0.2 with major feature enhancements, including framebuffer support.

Comments (none posted)

Page editor: Rebecca Sobol

Development

The OpenPKG cross-platform software packaging facility

Version 1.1 of the OpenPKG cross-platform software packaging facility has been announced.

The announcement states:

OpenPKG is a project founded in 2000 by the Development Team from Cable & Wireless Germany's Internet Services division. In January 2002 it was released by Cable & Wireless to the public as Open Source software. Since then OpenPKG has been maintained and improved by its original developers and contributors from the Open Source community and is a mature technology in production use.

OpenPKG has been released under an MIT style license.

The aim of the OpenPKG project is to create a software packaging facility that works across a wide variety of Unix flavors. Currently it supports FreeBSD, Red Hat Linux, Debian GNU/Linux, and Sun Solaris. NetBSD, OpenBSD, and Compaq Tru64 are partially supported.

OpenPKG is based on code from version 4 of Red Hat's RPM package manager, organized as a self-contained system so that RPM does not need to be installed in order to use it. An interesting feature is the way in which OpenPKG handles the modification of system files: changes are recommended, but the administrator has to make them manually. This should please security-conscious admins, although it sounds like a big slow-down for automated installations across many machines.

Version 1.1 of OpenPKG adds more supported platforms, more packages, more granularity in user and group selection, better security for handling system files, support for package activation via software switch variables, and support for proxy packages, which allow multiple packages to share resources with base packages.

Currently, there are over 200 packages available for OpenPKG, conveniently organized into numerous groups. See the package repository for the list.

OpenPKG appears to be very well documented; here are some pointers:

Systems administrators who deal with multiple versions of Unix should consider using OpenPKG; it looks like the kind of utility that could greatly increase productivity.

Comments (none posted)

System Applications

Audio Projects

Ogg Traffic for August 20, 2002

The August 20, 2002 edition of Ogg Traffic covers the Ogg Speex file format, using Ogg for doing online voice chat, a VP3 Patch for Xine, OggShell v1.0, WebSiteRobot support for Ogg, and more.

Comments (none posted)

Database Software

Which Table, Which Column? (O'Reilly)

Jonathan Gennick gives some tips on qualifying column names in SQL queries. "Many potential problems lurk when you do not fully qualify column names using either table names or table aliases. In this article, I'm going to focus on just one such problem recently brought to my attention by a perplexed reader."

Comments (none posted)

Electronics

Gaf development snapshot 20020825

A new development snapshot of Gaf (Gschem and Friends) is available from the gEDA project. This version includes big changes to the underlying attribute definition syntax. See the release notes for the details.

Comments (none posted)

Networking Tools

Release of iptables-1.2.7a

iptables version 1.2.7a is now available. This release fixes some bugs that were introduced in version 1.2.7.

Full Story (comments: none)

Printing

HPIJS 1.2.1 is released! (LinuxPrinting)

LinuxPrinting mentions that version 1.2.1 of the HPIJS PCL printer driver is now available. This release includes improved grayscale performance, paper tray selection, and support for more printers.

Comments (none posted)

Web Site Development

Connecting middleware to Apache 2.0 (IBM developerWorks)

Uche Ogbuji explains how to use an Apache 2.0 filter module on IBM's developerWorks. "Apache became the most popular Web server in part because of the rich availability of third-party extensions for the server, and because its open architecture made it quite easy to roll your own extensions. Of course, nothing is ever just easy enough, so in developing Apache 2.0, one of the main goals was to improve the Apache API to make it even easier to develop extensions."

Comments (none posted)

ZEO 2.0 beta 1 released

Version 2.0 beta 1 of ZEO (Zope Enterprise Objects) has been released. "ZEO turns the Zope object system into a distributed architecture, allowing multiple processors, machines, and networks to act as one website."

Full Story (comments: none)

First Beta of Mod_python 3.0 available

The first beta release of mod_python 3.0 for Apache 2.0 is available.

Comments (none posted)

Zope Members' News

This week, the Zope Members' News covers Zope performance on Solaris, XMLTransform 0.8, CVSFile 0.8.1, ExternalFile 1.1.0, Wing IDE 1.1.5 final, Ordered List Product version 2.0, and more.

Comments (none posted)

Desktop Applications

Audio Applications

WaveSurfer version 1.4.3 released

Version 1.4.3 of the WaveSurfer sound visualization and manipulation tool has been released. "The new version of WaveSurfer uses Snack v2.2, which incorporates code from the ESPS speech analysis library. ESPS was recently licensed to the Centre for Speech Technology by Microsoft and AT&T, with the aim to make it available to speech researchers again." See the changes document for the full story.

Comments (none posted)

Desktop Environments

KDE 3.1 Beta 1: Hot off the Servers

KDE.News has an announcement for KDE 3.1 Beta 1. "This release, which marks the second testing release of the KDE 3.1 branch, offers many improvements and bug fixes over KDE 3.0.x. New features include improved OpenPGP handling in KMail, handy tooltips that provide details of files in Konqueror quickly, and even new ways to be less productive thanks to four new games."

Comments (none posted)

KC KDE #43 is available

Issue #43 of Kernel Cousin KDE is available. "featuring everything from KDE 3.1's new look, the future of multimedia in KDE, a refitted Konqi, math app news, mouse news, and much more."

Comments (none posted)

Office Applications

Release of GnuCash 1.6.8

GnuCash version 1.6.8 has been announced. Several project compile bugs have been fixed.

Comments (none posted)

Gnumeric 1.1.8 released

Version 1.1.8 of the Gnumeric spreadsheet has been released. Click below for a detailed list of changes.

Full Story (comments: none)

Kernel Cousin GNUe #43

Issue #43 of Kernel Cousin GNUe covers the specification for Supply Chain Management, the GNUe data dictionary and open standards, and other GNU enterprise development issues.

Comments (none posted)

AbiWord Weekly News #106

Issue #106 of the AbiWord Weekly News looks at AbiWord use from within a web browser, replacing Microsoft's formerly free fonts with CoreFonts, a new font preview project, and more.

Comments (none posted)

Web Browsers

Mozilla 1.1 released

Mozilla 1.1 is now available. Changes include improved stability and performance, better compatibility with more web sites, improved CSS, DOM and HTML standards support, and more. See the release notes for the list of changes.

Also, see MozillaZine for links to a number of articles on Mozilla 1.1.

Comments (none posted)

Galeon2 status update

A Galeon2 development synopsis has been posted. "While all may seem quiet in galeon world, we are working hard on Galeon 2, a new major version based on Gnome 2. We decided to do a full rewrite of our code base because of the huge changes in Gnome architecture, to improve maintainability and stability. The new code is already pretty stable and all the major features of Galeon 1 have been reimplemented. Many people are using it as their full time browser. We tried to improve the usability of the user interface and the integration with the desktop."

Comments (none posted)

Miscellaneous

Privoxy 3.0.0 released

Privoxy is a "privacy-enhancing proxy" server; the just-announced 3.0.0 is the first stable release of this package. "Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, filtering web page content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk."

Full Story (comments: none)

Languages and Tools

Caml

The Caml Hump

This week, The Caml Hump covers Caml and OCaml exercises, MetaOCaml, Cameleon, Cash, SpamOracle, camllets, the Ensemble Juke Box, and more.

Comments (none posted)

Java

Robocode Rumble: Tips from the champs (IBM developerWorks)

IBM's developerWorks covers a virtual Java-based robot contest. "The Robocode Rumble opened with programmers around the world using their coding skills to create the most fearsome Java "robots" they could, and releasing their 'bots to battle it out in a virtual arena. With names like TheArtofWar, BienatorII, SandboxLump, BulletMagnet, and Cake, these robots were a little more fierce and a lot more entertaining than your ordinary Java objects. When the dust cleared, only a few 'bots were left standing. Dutch programmer Enno Peters had taken the overall victory."

Comments (none posted)

JSP Overview, Part 1 (O'Reilly)

Hans Bergsten covers Java servlets in an excerpt from his book on JavaServer Pages. "JSP is the latest Java technology for web application development and is based on the servlet technology introduced in the previous chapter. While servlets are great in many ways, they are generally reserved for programmers. In this chapter, we look at the problems that JSP technology solves, the anatomy of a JSP page, the relationship between servlets and JSP, and how the server processes a JSP page."

Comments (none posted)

Lisp

Pascal Costanza's Highly Opinionated Guide to Lisp

Pascal Costanza's Highly Opinionated Guide to Lisp is an online document that has been placed in the public domain. Check it out for a good introduction to the history and ideas behind Lisp. Thanks to Paolo Amoroso.

Comments (none posted)

Perl

Damian Conway publishes Exegesis 5 (Perl.com)

Damian Conway has published Exegesis 5 for Perl 6, an examination of Larry Wall's Apocalypse 5 document.

Comments (none posted)

This Week on perl5-porters (use Perl)

The August 19-25, 2002 edition of Perl 5 Porters is out. Topics include a Config.pm discussion, a threads tutorial, a Perl 5.8.0 memory leak with PerlIO for sockets, problems with B::SV::FLAGS, Regex optimizations, Valgrind bug fixes, p5p patches, Copy-On-Write issues, and a fix for shift // 0.

Comments (none posted)

Web Basics with LWP (O'Reilly)

Sean M. Burke shows how to perform common tasks with LWP. "LWP (short for "Library for WWW in Perl") is a popular group of Perl modules for accessing data on the Web. Like most Perl module-distributions, each of LWP's component modules comes with documentation that is a complete reference to its interface. However, there are so many modules in LWP that it's hard to know where to look for information on doing even the simplest things."

Comments (none posted)

PHP

PHP Weekly Summary

Issue #100 of the PHP Weekly Summary covers PHP 4.2.3 RC 1, mysql_db_query(), Pcntl extension updates, problems with ob_gzhandler, Nicer Alpha-blending for GD, using UDP from within PHP, test suite updates, support for WebDAV, a Streams filter API, and more.

Comments (none posted)

Pear Weekly News

This week's Pear Weekly News is out. "With 5 new releases this week, including the Second MDB Release Candidate, along with 2 new packages, PEAR continues to grow, benefiting heavily from new contributors sending code, bug fixes and new ideas. The eternal problem of documenting this growing collection of tools is being attacked on many fronts with phpdoc to docbook tools, and openoffice converters. This week, existing classes like Auth/Permissions, Config have been re-examined and plans are underway for major improvements. Meanwhile, Rasmus has been helping out with the issues of licensing conflicts with GPL code."

Comments (none posted)

Python

The Daily Python-URL

This week's Daily Python-URL entries include articles on XMLdiff, omniORBpy 2.0, XMail Library 1.00, using PDF for presentations, doclifter, Easy Publisher 1.7, cPickle, the Python Bibliotheca, and more.

Comments (none posted)

Ruby

The Ruby Garden

This week's Ruby Garden looks at a faster IO#read interface.

The Ruby Weekly News items include FXRuby-1.0.13, ZenWeb 2.12.0, the TCLink credit card processing extension, scanf for Ruby, Amrita 0.8.5, and more.

Comments (none posted)

Scheme

Scheme Weekly News

The August 27, 2002 edition of the Scheme Weekly News is out. Topics include SRFI support in Guile, Guile 1.5.8 beta, Quack.el 0.6, and more.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The August 26, 2002 edition of Dr. Dobb's TCL-URL is out.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in Business

Press Releases

Open Source Announcements

Software for Linux

Hardware with Linux support

Java Products

Books and Documentation

Trade Shows and Conferences

Partnerships

Investments and Acquisitions

Financial Results

Miscellaneous

Page editor: Rebecca Sobol

Linux in the news

Recommended Reading

The Linux developer lifestyle, exposed (ZDNet)

ZDNet examines the "typical" Linux hacker. "According to a new survey, open-source software developers are mostly men in their twenties, and they vastly favor the Debian operating system distribution. The "Free/Libre and Open Source Software (FLOSS)" report also found that although many might not make a living from their open-source activities, they spend a serious amount of time on them."

Comments (3 posted)

UK's DMCA: there ain't no sanity clause (Register)

The Register reports on a critique of the European Copyright Directive. "The UK's take on the "European DMCA" - the European Copyright Directive - will make criminals out of ordinary computer users, according to a new critique by the UK Campaign for Digital Rights. And it will also fail to protect researchers, says Julian Midgley who penned the report."

Comments (1 posted)

Study: Governments need open source (ZDNet)

This ZDNet article follows up on the FLOSS report, showing why governments need open source. "The FLOSS report argues that open-source software, by its nature, better fulfils certain governmental responsibilities than software to which source-code access is restricted. These responsibilities include the public's right to public information and to know how that information is processed; the permanence of public data; and the security of that data."

Comments (none posted)

XVID GPL violation issues resolved

Apparently, there was a recent GPL license violation involving a company called Sigma Designs and the XVID video codec project. The issue centered around code that was modified but not released, as the GPL requires. The XVID developers reacted by freezing development of the project. After a period of silence, Sigma Designs eventually complied with the request to release the code. This is one example of the GPL being used successfully to protect open-source code.

Thanks to Mike Hopper.

Comments (1 posted)

Trade Shows and Conferences

More Business, Less Boothness (Linux Journal)

Doc Searls gives his views on the recent LinuxWorld Expo in a Linux Journal article. "We have an interesting irony here: while Linux gets bigger than ever, and its leading tradeshow gets more popular than ever, the show itself gets physically smaller. So where did all the old booths go? Well, a lot of companies went out of business with the dot-com crash. A few more left Linux altogether. A few more moved into the Big Boys' booths, which was the case with Ximian and Linuxcare."

Comments (none posted)

Companies

AMD pushes ahead with new server chips (News.com)

News.com covers AMD's release of two new Athlon processors, which are aimed at the server market.

Comments (none posted)

A Rose by Any Other Name--Is It Still the Same? (Linux Journal)

The Linux Journal reports (from GeoFORUM) on the Caldera name change. "Now for the simple financial facts. Say your company has no debt to speak of. You have a distribution channel of 14,000 SCO dealers. These dealers are on target to sell $60 million (US) for the year 2002. SCO products generate positive cash flow, while Linux products cost $2.00 of marketing for every $1.00 of sales. Maybe these facts are enough collectively to make you rethink your business plan."

See also this followup article on where Caldera/SCO is going from here. "Well, if you are Darl McBride, the new CEO of The SCO Group, you use Harley-Davidson as a model."

Comments (none posted)

Caldera name change puts Unix first (News.com)

Erik Ratcliffe pointed out that Caldera International is now called SCO Group. News.com covers the name change. "Analysts said the name change reflects simple market economics: Nearly 95 percent of the company's revenues come from its Unix products, not from Linux."

Comments (none posted)

Russian Coding Firm Back for More (Wired)

Wired News looks at what Russian software firm ElcomSoft has been up to lately. "But despite the courthouse angst, ElcomSoft plans to continue to market exactly the sorts of products that led to their entanglement with the U.S. legal system."

Comments (3 posted)

Lindows faces a reality check (News.com)

News.com reports on a change of corporate strategy for Lindows.com. "A representative for Lindows.com confirmed that while some Windows applications will run on LindowsOS, this compatibility is no longer the company's top priority. "Our product does not target the user who wants to save a few dollars on the operating system, but then still run out and spend thousands of dollars on Microsoft Office, Photoshop, etc," she said. Instead, Lindows.com will focus on making Linux applications easy to download and install. However, where there is no Linux-based alternative to a Microsoft application, LindowsOS will support "some 'bridge' programs, file types and network devices to help people interact with the legacy Microsoft world," the representative said."

Comments (none posted)

MandrakeSoft to warrant holders: Show us the money (News Forge)

News Forge reports on efforts by MandrakeSoft to raise capital. "MandrakeSoft CEO Jacques Le Marois says it is hard to raise money these days. "The biggest challenge we face is the current depressed state of the financial markets." In fact, since MandrakeSoft introduced the increase of capital initiative in May, the Nasdaq has dropped from around 1700 to 1395, a decrease of about 18%. "Even with MandrakeSoft's recent positive financial results and an attractive valuation, most people are difficult to convince. Just two years ago, we could have raised all the necessary funds in only four days with a similar operation.""

Comments (none posted)

Fighting Linux the Microsoft way (iTnews)

The Australian publication iTnews covers various strategies used by Microsoft to convince its customers not to switch to Linux. "At Fusion 2002, Microsoft’s partners and resellers forum, principal technology specialist for Microsoft, Mark O’Shea, outlined strategies for fending off the Linux threat. O’Shea highlighted to the assembled resellers, recent research by IDC showing Windows to be cheaper to maintain and manage despite Linux’s perceived lower acquisition cost." Thanks to Con Zymaris.

Comments (none posted)

Business

Landscaping the server OS field (ZDNet)

This ZDNet article looks at the Gartner group's predictions of change in the server OS market. "Linux will impede the progress of Windows in the midrange (up to at least 16 CPUs during the five-year period). By 2006, Linux will be a key foundation for a strategic, cross-development-platform development environment, accelerating Unix server consolidation, while creating a powerful alternative to Windows .NET."

Comments (none posted)

Swedish government mulls Linux (Register)

The Register reports on the consideration of open-source software by Sweden. "Despite signing a recent deal with Microsoft, Sweden has become the latest country to investigate the benefits of free software. In a report entitled "The state wants to save money" in Swedish magazine Ny Teknik, the Statskontoret, (Swedish Agency for Public Management) is setting up a working group to investigate the value Linux could provide."

Comments (none posted)

AUUG calls for adoption of open-source software by the Australian Government

The Australian Unix and Open Systems Group has sent out a press release calling for the adoption of open-source software by the Australian government sector. "AUUG is calling on the Government sector to review all areas of IT procurement and information standards to ensure that there is no bias against Open Standards based Open Source solutions. This would allow government IT managers to calculate the true ROI for each software acquisition and deployment - enabling the comparison of open and closed solutions on an equal footing. A comparison that AUUG believes Open Source will win. Ultimately delivering major savings to Australian tax payers."

Full Story (comments: none)

Linux, StarOffice in frame for 45k Oz desktop deal? (Register)

The Register writes about a possible platform change at Australia's Telstra telecom company. "Australian telco Telstra is looking at Linux as a possible new standard platform for its 45,000 desktops, according to a report by ITnews Australia. Telstra at the moment is just considering Linux and Sun StarOffice as possible candidates for its corporate standard, but a deal of this size would be a major boost for open source on the desktop, particularly as, ITnews reports, Telstra is Microsoft's biggest Australian customer."

Comments (none posted)

Interviews

Pouring over the Facts: Andreas Pour on KDE (Open for Business)

Open for Business interviews KDE hacker Andreas Pour. "Governments, of course, need also worry about national security, and it is hard to see how they can be fulfilling their obligations with reliance on a monopolist's proprietary computers and networks. Being totally dependent on one vendor's systems - systems which can be disabled remotely or possibly simply by the absence of remote commands - is a most serious national security threat."

Comments (none posted)

Unplugged: Sun chief engineer Rob Gingell (ZDNet)

ZDNet interviews Sun chief engineer Rob Gingell. "Gingell talks about his desire to open source Solaris and intermarry it with Linux. He also discusses his focus on other parts of the software stack, especially Java, and why he believes Sun will succeed at a time when Solaris and SPARC are no longer the company's crown jewels."

Comments (none posted)

Resources

Embedded Linux Newsletter for August 22, 2002

The August 22, 2002 edition of the Linux Devices Embedded Linux Newsletter is out with the latest Embedded Linux news.

Full Story (comments: none)

Linux, the GPL, and a new model for software innovation (LinuxDevices)

LinuxDevices.com is carrying a white paper with a detailed look at the GPL. "This license 'promises' cannibalization of intellectual property, but does not quite deliver on this promise, and so has attracted the affection of mammoth electronics companies (normally IP-protective) who see Linux as their key to the future. In turn, this most 'anti-IP' of licenses is arguably doing more to foster innovation than patents or copyrights ever have."

Comments (2 posted)

Reviews

Mozilla upgrade sees need for speed (ZDNet)

ZDNet reviews Mozilla 1.1. "The release of Mozilla 1.1 comes relatively quickly after Mozilla 1.0, which arrived in June after years in development. The browser is the result of an experiment by Netscape Communications, now part of AOL Time Warner, in which the company released its next-generation software to the open-source community in exchange for the volunteer efforts of developers around the world."

Comments (none posted)

Miscellaneous

Briefing Book: Development Tools (TechWeb)

Tech Web has a story about the rise of open-source development tools. "The development tool market is going through an interesting transition. Just as browsers, Web servers, and operating systems have been reinvigorated by the introduction of open source alternatives, so has the development tool market. It makes sense; IDEs, editors, and other tools lie closest to a developer's heart; it's not surprising they are looking for -- and of course in some cases creating -- the tools they themselves would like to see."

Comments (none posted)

Why Larry Lessig gets an 'F' in software (News.com)

Here's a News.com article about free software advocate Lawrence Lessig. "But Lessig is also going further. In his latest book, "The Future of Ideas: The Fate of the Commons in a Connected World," he draws a distinction between the intellectual property developed by, say, an Ernest Hemingway, and the intellectual property created by a code jockey."

Comments (10 posted)

Dot Compost and the Danger to Your Privacy (Linux Journal)

In this Linux Journal article Dave Sifry looks inside some computers he bought on eBay. "I pulled out my Linuxcare Bootable Business Card, a disk I helped develop that I often use when doing forensics of unknown systems. It's a utility that allows me to quickly and easily bypass the operating system and retrieve data, a task critical for performing data recovery of corrupted systems or for performing forensic analysis of systems that have been compromised by intruders. Within 45 seconds I was looking at the data on the computer's hard drive, and what I saw shocked me. It turns out that the first computer I bought used to be the main e-mail server for a highly visible startup."
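The check implied by Sifry's story, as an added Python example that is not from his article: before a machine leaves your hands, read the raw device rather than the filesystem and carve it for recognisable artefacts such as RFC 2822 mail headers, because what the filesystem considers "deleted" is irrelevant to what a rescue CD can read. The image below is a constructed in-memory byte string standing in for a block device; the carver scans it in chunks with overlap so a header straddling a chunk boundary is not missed, and running the same carver after a wipe is the evidence that the wipe actually worked.

```python
import re

# Constructed raw "disk image" (not real data): zeroed filesystem padding with
# the remains of a mailbox that no directory entry points at any more, which is
# exactly what a raw read of a resold server's drive exposes.
def build_image():
    residue = (
        b"Received: from mail.example.com (mail.example.com [192.0.2.10])\r\n"
        b"From: ceo@example.com\r\n"
        b"To: board@example.com\r\n"
        b"Subject: Q3 layoffs, do not forward\r\n"
        b"\r\n"
        b"Attached is the list...\r\n"
    )
    image = bytearray(b"\x00" * 4096)
    image[1500:1500 + len(residue)] = residue  # unreferenced blocks, still readable
    image += b"\xff" * 2048                    # unused, never-written space
    return bytes(image)


# Header fields that almost never occur outside mail; the negative lookbehind
# stops "Auto:" or "Photo:" from counting as "To:".
HEADER_RE = re.compile(rb"(?<![A-Za-z0-9])(Received|From|To|Subject|Message-ID): [^\r\n]{1,200}")


def carve_mail_headers(image, chunk=65536, overlap=256):
    """Scan a raw image chunk by chunk and return (offset, header_line) hits.

    Each window is chunk+overlap bytes long, but only hits that start inside
    the first chunk bytes are kept, so a header that crosses a chunk boundary
    is reported exactly once, from the window in which it starts."""
    hits = []
    pos = 0
    while pos < len(image):
        window = image[pos:pos + chunk + overlap]
        for m in HEADER_RE.finditer(window):
            if m.start() < chunk:
                hits.append((pos + m.start(), m.group(0).decode("ascii", "replace")))
        pos += chunk
    return hits


def wipe(image):
    """Single pass of zeros over the whole device, the minimum before disposal.
    The point is not the pass count but re-running the carver afterwards."""
    return b"\x00" * len(image)


if __name__ == "__main__":
    disk = build_image()
    for offset, line in carve_mail_headers(disk):
        print(f"{offset:#010x}  {line}")
    print("after wipe:", carve_mail_headers(wipe(disk)))
```

On a real system the image would be read straight from the block device (for example by opening /dev/hda from the rescue CD) rather than built in memory, and the chunked scan is what keeps that workable on a drive far larger than RAM. Header carving is a heuristic for one kind of residue; the discipline it illustrates is to verify sanitisation by looking at the raw bytes, not by trusting the OS that wrote them.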

Comments (none posted)

Linux and the corporate desktop

Several of this morning's articles have focused on getting Linux onto the corporate desktop. ZDNet says Desktop Linux is for real and talks with industry analysts about corporate adoption of desktop Linux. ZDNet also takes a look at how Ximian Evolution fuels interest in desktop Linux.

On the practical side, Linux Journal looks at Creating Web Pages with OpenOffice.org.

Comments (none posted)

Page editor: Forrest Cook

Announcements

Resources

Digital DJing with TerminatorX tootorial (Quick Toots)

Quick Toots has a new tootorial on TerminatorX, a utility that turns your computer into a digital DJ mixer. "If you've ever wanted to DJ/CJ with your machine take a toot on this one. Here we explain step by step how to set up a session in terminatorX. You will learn how to play multiple audio files at once, how to use the various FX to manipulate the soundz and how to scratch it up phat like a true Grandmaster."

Comments (none posted)

Upcoming Events

2nd Open Source CMS Conference

The second Open Source CMS conference will be held in Berkeley, California from September 25-27, 2002.

Comments (none posted)

RSA Conference 2003 CFP

A call for papers has been issued for the RSA Conference 2003 security conference, to be held on April 13-17 in San Francisco, CA.

Comments (none posted)

Events: August 29 - October 24, 2002

August 29 - 31, 2002: Linux Beer Hike (Russell Community Centre), Doolin, Co. Clare
September 4 - 6, 2002: Linux Kongress 2002 (Physics Institutes, University of Cologne), Cologne, Germany
September 5 - 6, 2002: SciPy '02 (CalTech), Pasadena, CA
September 11 - 13, 2002: Open source GIS - GRASS users conference 2002 (GRASS) (Centro Servizi Culturali S. Chiara), Trento, Italy
September 12 - 13, 2002: Perl 6 Mini::Conference (ETF, E1, ETH Zurich), Zurich, Switzerland
September 16 - 20, 2002: 9th Annual Tcl/Tk Conference, Vancouver, BC, Canada
September 18 - 20, 2002: Yet Another Perl Conference Europe 2002 (YAPC::Europe 2002), Munich, Germany
September 25 - 27, 2002: The Second Open Source Content Management Conference (OSCOM) (Lawrence Hall of Science, University of California), Berkeley, CA
September 27 - 29, 2002: Lulu Tech Circus (State Fairgrounds Complex), Raleigh, North Carolina, USA
October 11 - 13, 2002: V Congreso Hispalinux, San Sebastian-Donostia, Spain
October 14 - 16, 2002: The Singapore Linux Conference 2002 (Le Meridien Singapore), Singapore
October 14 - 15, 2002: The Open Group Conference (Hotel Martinez Palace), Cannes, France
October 17 - 18, 2002: Open Source for E-Government, Washington, DC

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Miscellaneous

Finalists for the XML Application Awards 2002

The finalists have been announced for the first international XML Application Awards 2002.

Full Story (comments: none)

LPI-News August 2002

The August, 2002 edition of the LPI-News is out with the latest news from the Linux Professional Institute.

Full Story (comments: none)

Page editor: Forrest Cook

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds