The SCO Group, a little while back, filed a motion asking for a delay in
the trial of its suit against IBM. According to SCO, IBM's foot-dragging
had slowed things to the point that SCO could not get its act together in
time. IBM has now responded; the full filing can be read
in PDF format. It is not particularly
surprising that IBM opposes this delay.
In fact, IBM has taken this filing as an opportunity to stiffen its
language against SCO in general:
Since this suit began in March, 2003, SCO has publicly touted its
evidence of IBM's alleged misconduct, but has resisted disclosing
the supposed evidence to IBM. In fact, SCO's Chief Executive Darl
McBride commented in an interview that SCO was 'fine to go to court
just on what we have before discovery.' ... In contrast to its
public assertions, SCO's conduct during discovery reflects a
remarkable pattern of delay and obfuscation.
It's not clear when the judge will rule on this motion.
A hearing will be held on June 9 on SCO's suit against
DaimlerChrysler, with a focus on Daimler's motion for a summary dismissal
of the case. As reported
in Groklaw, this case appears to have drawn a no-nonsense judge who
will try to see things through to a resolution in relatively short order.
The Free Software Foundation received a subpoena from SCO last year; they
have now posted
the subpoena on their site with some related discussion. It will
surprise few to see that the subpoena is impossibly broad; the FSF has no
intention of fulfilling it in its entirety. Being the FSF, they cannot
stop with just the subpoena, however:
In addition to answering and/or disputing the subpoena, we must
also educate the community about why it is that Linux was attacked
and GNU was not. For more than a decade, FSF has urged projects to
build a process whereby the legal assembly of the software is as
sound as the software development itself. Many Free Software
developers saw the copyright assignment process used for most GNU
components as a nuisance, but we arduously designed and redesigned
the process to remove the onerousness. Now the SCO fiasco has shown
the community the resilience and complete certainty that a good
legal assembly process can create.
The FSF is right to emphasize the importance of ensuring that stolen code
is not merged into free software projects; there is no doubt that more care
is called for in that regard. Claiming that the FSF's
copyright assignment policies headed off a legal attack from the SCO Group
seems a little strong, however. It seems just as likely that SCO was
repelled by the FSF's small bank balance. IBM, too, has strong rules
covering its code contributions; armies of lawyers are involved. Those
rules did not keep SCO from suing IBM, however.
Expect some fun around June 2, when SCO will announce its second
quarter results. One can only assume that said results will not be of
a kind that will revive the company's stock price, which fell below its
one-year low this last week. It will be interesting to see what the
company comes up with as a way of distracting attention from these matters.
The United States and Australia recently negotiated a trade agreement
which, like many US-driven agreements these days, requires Australia to
follow America's lead on numerous intellectual property issues. In
particular, the agreement forces the adoption of software patents and DMCA-like copyright
laws. Needless to say, free software advocates have been concerned about
this agreement; they have also been doing something about it.
On May 17, the Australian Senate Select Committee on the Free Trade
Agreement between Australia and the US heard testimony on the effects that
the agreement would have. The transcript is available as a 700KB PDF
file. Included therein are several pages of testimony from kernel
hacker Rusty Russell, representing Linux Australia.
Open source is particularly important to Australia because we are
good at it. We develop it, we distribute it, and our expertise
gives Australian business a competitive advantage over
international competitors--not just IT business but all businesses
that use IT. The Boston Consulting Group in a survey a few years
ago found that eight per cent of open source developers are in
Australia--hugely disproportionate to our population. We are in a
prime position to take advantage of the growth opportunities
provided by these projects, especially the benefits of better, more
open infrastructure that open source provides. On the other hand,
the cost of chilling competition in this area will affect us
greatly now and we will lament the loss of our lead in years to
come.
Unfortunately, there is no picture of Rusty in his suit and tie.
Many other witnesses appeared, including representatives of Electronic
Frontiers Australia, and the Australian Digital Alliance. Whether this
testimony will have an effect on the eventual ratification of this treaty
remains to be seen; the fact that these issues were heard in this forum is a
good start, however. (Thanks to Michael Neuling for the transcript
pointer).
Toward the end, it appeared that the European Council might not approve
software patents after all. Representatives of the German and Italian
governments had expressed reservations, and an objection from Luxembourg
forced a discussion on what was supposed to be a fast-track vote. But, on
May 18, the Council voted in favor of a patent directive which strips
out the European Parliament's changes, and which thus legitimizes software
patents in Europe.
Believe it or not, this lengthy process is still not complete, however.
The directive must return to the Parliament one last time for final
approval; this vote is likely to happen sometime in the (northern
hemisphere) autumn. If the Parliament rejects the Council's draft, then some
sort of compromise will be hammered out. Thus, it is not time for
anti-patent activists to rest, even though they are likely to be tired and
discouraged. Software patents in Europe are not yet a done deal, but
heading them off will require efforts to educate members of Parliament in
all EU member countries.
It is also worth remembering that elections to the Parliament are happening
in June. Voter turnout in European Parliament elections tends to be low,
so those who do vote have a relatively strong voice.
If you are able to vote in these elections, you may want to consider learning the
candidates' positions on software patents and voting accordingly. There is
yet time to make a difference on this issue.
May 19, 2004
By Pamela Jones, Editor of Groklaw
If you read about Microsoft's
patent number 6,727,830, "Time based
hardware button for application launch," issued on April 27, 2004,
you're probably thinking that now you've heard everything. A patent on
double-clicking and on holding down an application button? How can the
Patent Office issue such a patent, since you can probably think of
several instances of prior art off the top of your head?
Here is
the abstract, explaining the patent:
A method and system are provided for extending the functionality of
application buttons on a limited resource computing device. Alternative
application functions are launched based on the length of time an
application button is pressed. A default function for an application is
launched if the button is pressed for a short, i.e., normal, period of
time. An alternative function of the application is launched if the
button is pressed for a long, (e.g., at least one second), period of
time. Still another function can be launched if the application button
is pressed multiple times within a short period of time, e.g., double
click.
It drones on a while longer, but although they expend a great many
words, what they have patented is simply this:
- You have a device with a button. If you press the button quickly, you
get different behavior than if you hold the button down. Electric
typewriters have worked that way for decades, and portable CD players
for many years.
- Press the button twice in a short period, and you get different
behavior. This, of course, is the "double click."
Linux systems are full of software which implements the claimed
behavior.
Double-clicking is found everywhere. The "hold the button for different
behavior" can be found in places like the CD player.
The patent specifies a "limited resource" computing device, so they are
talking about PDA-type systems. The simple fact is that all computing
devices are "limited resource," however.
I asked my right-hand man on Groklaw, Dr Stupid, if he could think of
any prior art and he had no trouble in about 10 minutes coming up with
these possibilities:
The general concept of short press and long press doing different
things is not new at all - many embedded devices use it. What the
patent is about is a particular use of this concept for launching
programs on a device. That is, clicking once on the icon launches the
program with one command line parameter, and a double-click a different
command line parameter. Or a hold down is yet another.
The very old FVWM window manager for Linux has a 'maximize' button
which works like this:
- Click-and-hold: stretches the window vertically.
- Single Click: stretches the window but does not cover the taskbar
or button bar.
- Double Click: stretches the window to cover the entire screen.
So you have normal action, hold-it-down action, and double-click
action. It's still shipped with SuSE and most distributions to this day, I
believe...
To me, it fails the 'not obvious' test. Another one that I wonder
might be relevant is here:
'If you wish, you can distinguish single, double, and triple clicks.
A double click means clicking a mouse button twice in approximately the
same place. The first click generates an ordinary click event. The
second click, if it comes soon enough, generates a double-click event
instead....'
Microsoft listed 8 prior art documents, each slightly different from
theirs. But then you find a long list of what they asserted was unique
to this patent. But, without analyzing this one in great depth,
certainly we can agree there are patents issued that should not be
issued, and the real question is: why does the Patent Office issue
them? And why do companies want them?
The answer to the first question is simple: they are understaffed and
there is a general policy that you do your best and later the courts
can determine if the patent was valid or not.
Why do companies want them? I asked that question of patent attorney
Dan Ravicher, head of PubPat, the
organization that is dedicated to going after patents that were wrongly
issued, and also asked about this specific patent, and here is what he
told me:
When I read those claims, I was like, sure, nice try. I doubt
Microsoft would ever assert this patent. But, there is still value in
building up a portfolio because many valuations are based purely on the
objective factor of how many patents or how many claims one has, despite
the fact that a wide swath of them are useless. The valuation experts
aren't that sophisticated, yet.
A patent, in other words, is an
intangible, and you look good to valuation experts if you have a big
pile of them.
Does that mean there is no danger? Should something be done? He told
me that until Microsoft begins to assert the patent, which so far it
seems not to have done, the best thing is just to monitor it. "If
Microsoft begins to assert this patent specifically, then we'll review
the situation and make a decision about how best to protect the
public," he says.
Page editor: Jonathan Corbet
Security
The Hardened PHP project has recently announced its existence; naturally,
a Gentoo package is already available. The PHP language is highly popular for
the creation of web applications, but it has long suffered from a
reputation for poor security. This reputation is perhaps not entirely
fair; the number of sites which have actually been compromised as a result
of PHP vulnerabilities is small. Nonetheless, PHP has tended to have more
holes than it really should, given its wide deployment.
Hardened PHP is attempting to address that
problem by adding patches to the language implementation which close off a
number of potential security problems.
Those interested in the actual changes being made can learn more on
this page. These changes include:
- The addition of "canaries" to the internal memory manager. PHP uses a
variant of malloc() which tracks all allocated memory, making
it easy to reclaim everything after the completion of a web request. The
Hardened PHP patch adds special, random values at the beginning and
end of each allocated block and checks to see whether those values
have been overwritten when the memory is freed. These checks should
help defend against bugs in the PHP system which allow heap overflow
attacks.
- Canaries are also added to PHP's internal linked list structures.
- The "%n" format specifier has been removed from (some of)
PHP's internal string printing functions in an attempt to head off
certain types of format string attacks.
- The PHP include directive has some additional restrictions
which prevent the inclusion of program text from remote sources.
- Checks are made for strings with embedded NULL characters, which
C-style string functions would otherwise silently truncate.
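The canary check in the first item above is easiest to see in code. The following is an added example written for this page, not Hardened PHP's own allocator (whose layout, names and error handling differ): a per-block canary is stored directly before the caller's bytes and copied directly after them, and both copies are verified when the block is freed. The `canary_secret` constant is constructed for the example; a real implementation fills it from the OS random source once per process, and aborts the request instead of returning a verdict when a canary has been damaged.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verdicts returned by guarded_free(). */
#define CANARY_OK        0
#define CANARY_FRONT_BAD 1   /* bytes just before the buffer were overwritten (underflow) */
#define CANARY_REAR_BAD  2   /* bytes just after the buffer were overwritten (overflow) */

/* Constructed for this example. Production code must fill this from the
 * OS random source (e.g. /dev/urandom) at startup, or the canary is
 * guessable and an attacker can simply rewrite it after the overflow. */
static const size_t canary_secret = (size_t)0xC0FFEE42u;

/* Header placed in front of every block. The canary is the last member,
 * so it sits directly before the caller's bytes; using size_t keeps the
 * caller's pointer aligned like a normal malloc() result. */
struct guard_header {
    size_t size;    /* bytes requested by the caller */
    size_t canary;  /* per-block canary; a copy follows the caller's bytes */
};

/* Mix the address in so every block carries a different value and one
 * leaked canary does not unlock all the others. */
static size_t make_canary(const void *user)
{
    return canary_secret ^ (size_t)(uintptr_t)user;
}

/* Layout of one chunk: [guard_header][size caller bytes][size_t rear canary] */
void *guarded_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(struct guard_header) + size + sizeof(size_t));
    if (raw == NULL)
        return NULL;
    struct guard_header *hdr = (struct guard_header *)raw;
    unsigned char *user = raw + sizeof(struct guard_header);
    hdr->size = size;
    hdr->canary = make_canary(user);
    memcpy(user + size, &hdr->canary, sizeof(size_t));   /* rear copy */
    return user;
}

/* Verify both canaries, release the block, and report which side (if any)
 * was damaged. The front canary is checked first: a damaged header may
 * carry a bogus size, which must not be used to locate the rear canary. */
int guarded_free(void *user)
{
    if (user == NULL)
        return CANARY_OK;
    unsigned char *raw = (unsigned char *)user - sizeof(struct guard_header);
    struct guard_header *hdr = (struct guard_header *)raw;
    size_t expected = make_canary(user);
    int verdict = CANARY_OK;

    if (hdr->canary != expected) {
        verdict = CANARY_FRONT_BAD;
    } else {
        size_t rear;
        memcpy(&rear, (unsigned char *)user + hdr->size, sizeof rear);
        if (rear != expected)
            verdict = CANARY_REAR_BAD;
    }
    free(raw);
    return verdict;
}

/* Stand-in for a buggy consumer: writes `writes` bytes of 'A' into an
 * `alloc`-byte buffer; writes > alloc is the heap overflow the rear canary
 * is meant to catch. Keep writes <= alloc + sizeof(size_t) so the simulated
 * overflow stays inside the chunk. Returns guarded_free()'s verdict. */
int overflow_demo(size_t alloc, size_t writes)
{
    unsigned char *buf = guarded_malloc(alloc);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', writes);
    return guarded_free(buf);
}

/* Stand-in for an underflow: clobbers the word directly before the buffer. */
int underflow_demo(size_t alloc)
{
    unsigned char *buf = guarded_malloc(alloc);
    if (buf == NULL)
        return -1;
    memset(buf - sizeof(size_t), 'A', sizeof(size_t));
    return guarded_free(buf);
}

int main(void)
{
    printf("in bounds:        %d\n", overflow_demo(16, 16));
    printf("1-byte overflow:  %d\n", overflow_demo(16, 17));
    printf("underflow:        %d\n", underflow_demo(16));
    return 0;
}
```

The check only fires at free time, so a request that overflows and then keeps running can still be hijacked before the block is released; that is why the PHP allocator's habit of freeing everything at the end of each request is what makes this scheme useful there. A canary whose value is fixed or leaks (for example through a `%x` format string bug) gives no protection at all, which is why it must be random per process.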
This effort is worthy and worthwhile, but it is also inadequate for a
couple of reasons. Exploitable buffer overflows in PHP are relatively
rare; instead, PHP programs tend to suffer from different classes of
vulnerabilities, such as cross-site scripting, SQL injection, and command
injection. A truly hardened PHP would attempt to address these problems
through tighter restrictions on what scripts can do and enforced checking
of input strings.
The fact that there needs to be a "hardened PHP" project in the first place
is also a bad sign, unless this project is simply a staging area for
patches on their way into the mainline. PHP is used to implement an
unbelievable number of web sites; any vulnerabilities in PHP put vast
numbers of systems at risk. Security should be at the top of the PHP
project's goals; every PHP installation should be hardened. The
Hardened PHP project is a good thing; let's hope its work is quickly picked
up by the main PHP distribution.
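The "%n" item in the list above is worth a short illustration. Hardened PHP removes the conversion from PHP's own printf-style routines; the C below is an added example written for this page, not the project's code, and shows the same effect applied at a wrapper: a scanner that walks a printf format (handling "%%", flags, width and precision including "*", positional "$" and length modifiers) and an snprintf wrapper that refuses any format containing a %n conversion. The function names are the example's own.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if fmt contains a %n conversion, 0 otherwise. %n is the only
 * printf conversion that writes to memory, and so the one that turns an
 * attacker-controlled format string into a write primitive. "%%" is a
 * literal percent sign and is skipped. */
int format_has_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                   /* "%%": literal '%' */
        while (*p != '\0' && strchr("-+ #0'", *p))      /* flags */
            p++;
        while (*p == '*' || *p == '$' || isdigit((unsigned char)*p))
            p++;                                        /* width, or "m$" position */
        if (*p == '.') {                                /* precision */
            p++;
            while (*p == '*' || *p == '$' || isdigit((unsigned char)*p))
                p++;
        }
        while (*p != '\0' && strchr("hlLqjzt", *p))     /* length modifiers */
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;                                      /* dangling '%' at end */
    }
    return 0;
}

/* snprintf that refuses formats carrying %n. Returns -1 and leaves an empty
 * string in buf when the format is rejected; otherwise behaves as snprintf
 * (including the snprintf(NULL, 0, ...) length-query idiom). */
int hardened_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    if (format_has_n(fmt)) {
        if (size > 0)
            buf[0] = '\0';
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char out[64];
    /* Constructed inputs: a benign format and one an attacker might smuggle in. */
    printf("benign:   %d\n", hardened_snprintf(out, sizeof out, "%s=%d", "x", 7));
    printf("rejected: %d\n", hardened_snprintf(out, sizeof out, "user: %s%n", "x"));
    return 0;
}
```

This narrows what a format string bug can do, but does not make one safe: with the format still under attacker control, `%x` and `%s` leak stack contents and `%s` on a bad pointer crashes the process. The actual fix is never to pass untrusted data as the format argument; the filter above is defence in depth for the cases that slip through.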
New vulnerabilities
cvs: heap overflow
Package(s): cvs
CVE #(s): CAN-2004-0396
Created: May 19, 2004
Updated: June 11, 2004
Description: CVS (through versions 1.11.15 and 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites).
heimdal: missing input sanitizing
Package(s): heimdal
CVE #(s): CAN-2004-0472
Created: May 18, 2004
Updated: May 27, 2004
Description: Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The problem is present in kadmind, a server for administrative access to the Kerberos database. This problem could perhaps be exploited to cause the daemon to read a negative amount of data which could lead to unexpected behavior.
icecast: denial of service
Package(s): icecast
CVE #(s): (none)
Created: May 19, 2004
Updated: May 19, 2004
Description: The icecast server has a read error in its authorization code which can enable a denial of service attack; upgrading to version 2.0.1 fixes the problem.
kde: URI Handler Vulnerabilities
Package(s): kde Opera
CVE #(s): CAN-2004-0411
Created: May 17, 2004
Updated: June 15, 2004
Description: iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exist in all versions of KDE up to and including KDE 3.2.2. See this advisory for more information.
kernel: integer overflow in the SCTP code
Package(s): kernel
CVE #(s): (none)
Created: May 17, 2004
Updated: May 18, 2004
Description: There is an integer overflow in the SCTP code in the Linux kernel starting with 2.4.23-pre5 and up to and including 2.4.25. This could allow for a local root exploit. See this advisory for more details.
libuser: problems in libuser library
Package(s): libuser
CVE #(s): (none)
Created: May 17, 2004
Updated: May 18, 2004
Description: Steve Grubb discovered a number of problems in the libuser library that can lead to a crash in applications linked to it, or possibly write 4GB of garbage to the disk.
mah-jong: missing argument check
Package(s): mah-jong
CVE #(s): CAN-2004-0458
Created: May 13, 2004
Updated: May 18, 2004
Description: A problem has been discovered in mah-jong, a variant of the original Mah-Jong game, that can be utilized to crash the game server after dereferencing a NULL pointer. This bug can be exploited by any client that connects to the mah-jong server.
neon: buffer overflow
Package(s): neon
CVE #(s): CAN-2004-0398
Created: May 19, 2004
Updated: September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Pound format string vulnerability
Package(s): pound
CVE #(s): (none)
Created: May 18, 2004
Updated: May 19, 2004
Description: There is a format string flaw in Pound, allowing remote execution of arbitrary code with the rights of the Pound process.
subversion: buffer overflow
Package(s): subversion
CVE #(s): CAN-2004-0397
Created: May 19, 2004
Updated: May 21, 2004
Description: Versions of the subversion source management package up to and including 1.0.2 suffer from a remotely exploitable buffer overflow vulnerability in their date parsing code; see this advisory for details. "Exploiting this vulnerability on not heavily protected servers is trivial even for beginners, therefore it is strongly recommended to update immediately."
Updated vulnerabilities
apache - denial of service in mod_ssl
Package(s): apache
CVE #(s): CAN-2004-0113
Created: April 13, 2004
Updated: May 25, 2004
Description: A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49.
apache: multiple vulnerabilities
Package(s): apache
CVE #(s): CAN-2003-0993, CAN-2003-0020, CAN-2003-0987, CAN-2004-0174
Created: May 12, 2004
Updated: May 26, 2004
Description: Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details.
clamav: improper string checking
Package(s): clamav
CVE #(s): (none)
Created: May 12, 2004
Updated: May 12, 2004
Description: Versions of clamav prior to 0.70 fail to check filenames when responding to viruses; with certain configurations, this failure can allow an attacker to execute arbitrary commands.
cvs: client-side file overwrite vulnerability
Package(s): cvs
CVE #(s): CAN-2004-0180
Created: April 14, 2004
Updated: May 18, 2004
Description: The cvs client has a pathname-handling vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem.
ethereal - multiple vulnerabilities
exim: stack-based buffer overflows
Package(s): exim exim-tls
CVE #(s): CAN-2004-0399, CAN-2004-0400
Created: May 7, 2004
Updated: May 14, 2004
Description: Georgi Guninski discovered two stack-based buffer overflows.
CAN-2004-0399: When "sender_verify = true" is configured in exim.conf a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4.
CAN-2004-0400: When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. This problem also exists in exim 4.
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
flim: insecure file creation
Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
racoon: failure to verify signatures
Package(s): ipsec-tools racoon
CVE #(s): CAN-2004-0155
Created: April 7, 2004
Updated: August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
racoon: denial of service vulnerability
Package(s): ipsec-tools racoon iputils
CVE #(s): CAN-2004-0403
Created: April 26, 2004
Updated: July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a denial of service. This advisory contains additional details.
kdelibs: cookie disclosure
Package(s): kdelibs
CVE #(s): CAN-2003-0592
Created: March 10, 2004
Updated: August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
kdepim: VCF file information reader vulnerability
Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
kernel: symlink overflow in the iso9660 filesystem
Package(s): kernel
CVE #(s): CAN-2004-0109
Created: April 14, 2004
Updated: July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
kernel - root exploit in MCAST_MSFILTER
Package(s): kernel
CVE #(s): CAN-2004-0424
Created: April 22, 2004
Updated: June 11, 2004
Description: A locally exploitable integer overflow has been found in the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A successful exploit could lead to full superuser privileges.
Linux kernel 2.2.10 failing function and TLB flush vulnerability
Package(s): kernel-source-2.2.10
CVE #(s): CAN-2004-0077
Created: March 18, 2004
Updated: June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root:
chmod -s /usr/bin/uml_net
kolab: password disclosure
Package(s): kolab
CVE #(s): (none)
Created: May 5, 2004
Updated: May 27, 2004
Description: Kolab stores passwords in plain text format, and these passwords can be read from the underlying LDAP database. See this advisory for more information.
LHA: stack buffer overflows and directory traversal flaws
Package(s): LHA
CVE #(s): CAN-2004-0234, CAN-2004-0235
Created: April 30, 2004
Updated: June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details.
CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.
CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory.
libpng: denial of service vulnerability.
Package(s): libpng
CVE #(s): CAN-2004-0421
Created: April 29, 2004
Updated: June 11, 2004
Description: The PNG library can access memory that is out of bounds when creating an error message; this can be exploited via a malformed PNG image file.
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
libxml2 - arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
logcheck: symlink vulnerability
Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
mailman denial of service
Package(s): mailman
CVE #(s): CAN-2003-0991
Created: February 9, 2004
Updated: May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
mc: multiple vulnerabilities
Package(s): mc
CVE #(s): CAN-2004-0226, CAN-2004-0231, CAN-2004-0232
Created: April 29, 2004
Updated: May 26, 2004
Description: Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems.
metamail: integer and buffer overflows
Package(s): metamail
CVE #(s): CAN-2004-0104, CAN-2004-0105
Created: February 18, 2004
Updated: May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
mod_python: denial of service vulnerability
Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability had not been fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability.
mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2003-0594, CAN-2003-0564
Created: March 10, 2004
Updated: August 19, 2004
Description:
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Comments (none posted)
MySQL: temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0381, CAN-2004-0388
Created: April 14, 2004
Updated: August 18, 2004
Description:
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Comments (none posted)
neon: format string vulnerabilities
Package(s): neon
CVE #(s): CAN-2004-0179
Created: April 14, 2004
Updated: May 18, 2004
Description:
The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org.
Comments (none posted)
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none assigned)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Comments (1 posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
passwd: various problems
Package(s): passwd
CVE #(s): (none assigned)
Created: May 17, 2004
Updated: June 2, 2004
Description:
Steve Grubb found some problems in the passwd program. Passwords given to passwd via stdin are one character shorter than they are supposed to be. He also discovered that pam may not have been sufficiently initialized to ensure safe and proper operation. A few small memory leaks have been fixed as well.
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Comments (none posted)
proftpd privilege escalation
Package(s): proftpd
CVE #(s): (none assigned)
Created: April 30, 2004
Updated: May 19, 2004
Description:
A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like an "AllowAll" directive and so FTP clients are granted access to files and directories although the server configuration might explicitly deny this. See this bug report.
Comments (none posted)
python: buffer overflow
Package(s): python
CVE #(s): CAN-2004-0150
Created: March 10, 2004
Updated: October 11, 2004
Description:
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Comments (none posted)
rsync remote file write attack
Package(s): rsync
CVE #(s): CAN-2004-0426
Created: April 30, 2004
Updated: July 12, 2004
Description:
See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Comments (none posted)
SUSE Live CD: no-password root access
Package(s): SUSE Live CD
CVE #(s): (none assigned)
Created: May 12, 2004
Updated: May 12, 2004
Description:
The SUSE 9.1 live CD boots with ssh connections enabled and no root password; as a result, a remote attacker can gain privileged access simply by logging in as root.
Comments (none posted)
sysstat: temporary file vulnerability
Package(s): sysstat
CVE #(s): CAN-2004-0107, CAN-2004-0108
Created: March 10, 2004
Updated: October 4, 2004
Description:
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
Package(s): tcpdump
CVE #(s): CAN-2004-0183, CAN-2004-0184
Created: March 30, 2004
Updated: September 30, 2004
Description:
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none assigned)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Comments (none posted)
utempter problems with symlink and strncpy
Package(s): utempter
CVE #(s): CAN-2004-0233
Created: April 19, 2004
Updated: June 11, 2004
Description:
Steve Grubb discovered two potential issues in the utempter program:
- If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to.
- Several calls to strncpy without a manual termination of the string. This would most likely crash utempter.
Comments (none posted)
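The two path checks described in this entry and in the tar/unzip entry above (rejecting device paths with /../, /./ or // components and symlink indirection, and refusing archive member names that would land outside the extraction directory), written out as an added Python example; this is not code from utempter, GNU tar or unzip, and the function names and sample paths are constructed for illustration.

```python
import os
import posixpath


def device_path_is_safe(path, base="/dev", resolve=os.path.realpath):
    """Validate a device path the way the utempter entry says it should be.

    Accept only an absolute path below `base` that contains no '..', '.' or
    empty ('//') components, and whose resolved location is the path itself,
    so a symlink planted at that name cannot redirect a later privileged write.
    `resolve` is injectable so the check can be exercised without a real /dev.
    """
    if not path.startswith(base + "/"):
        return False
    tail = path[len(base) + 1:]
    if any(part in ("", ".", "..") for part in tail.split("/")):
        return False
    return resolve(path) == path


def extraction_target(dest, member):
    """Where a tar/unzip member would be written under `dest`, or None if it escapes.

    Rejects absolute member names and any '../' traversal that leaves `dest`.
    The check is purely lexical (posixpath only) so it runs offline; a real
    extractor would additionally refuse to follow symlinks already present
    under `dest` before writing each file.
    """
    if member.startswith("/"):
        return None
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, member))
    if target != dest_norm and not target.startswith(dest_norm + "/"):
        return None
    return target


def screen_archive(dest, members):
    """Split member names into (accepted target paths, rejected member names)."""
    accepted, rejected = [], []
    for name in members:
        target = extraction_target(dest, name)
        if target is None:
            rejected.append(name)
        else:
            accepted.append(target)
    return accepted, rejected


# Constructed sample inputs (not taken from any advisory):
SAMPLE_DEVICE_PATHS = ["/dev/tty0", "/dev/../tmp/tty0", "/dev//tty0",
                       "/dev/./tty0", "/tmp/tty0"]
SAMPLE_MEMBERS = ["etc/motd", "./bin/ls", "../../etc/passwd",
                  "/etc/passwd", "a/../b"]

if __name__ == "__main__":
    # Identity resolver: no real /dev lookups, just the lexical rules.
    for p in SAMPLE_DEVICE_PATHS:
        verdict = "ok" if device_path_is_safe(p, resolve=lambda x: x) else "REJECT"
        print(f"{p}: {verdict}")
    ok, bad = screen_archive("/home/user/unpack", SAMPLE_MEMBERS)
    print("would extract:", ok)
    print("rejected:", bad)
```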
XChat 2.0.x SOCKS5 Vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal (which is disabled by default) and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Comments (none posted)
xine-lib: malicious code execution
Package(s): xine-lib
CVE #(s): CAN-2004-0433
Created: May 3, 2004
Updated: May 28, 2004
Description:
A vulnerability exists in xine-lib where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream. More details can be found in this advisory. The problem has been fixed in xine-lib 1-rc4.
Comments (none posted)
xine-ui - insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for May is out. Topics this month include warrants as a security measure, airport security, security consumers, and more. "Being a smart security consumer is hard, just as being a good citizen is hard.... We need to become informed. Otherwise it's no different than walking into a car dealership without knowing anything about the different models and prices -- we're going to get ripped off."
Full Story (comments: none)
Events
The Detection of Intrusions and Malware & Vulnerability Assessment conference is happening July 6 and 7 in Dortmund, Germany. Registration is now open; click below for the details.
Full Story (comments: none)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 release remains 2.6.6; no 2.6.7 prepatches have been
released as of this writing.
Linus's BitKeeper repository contains over 650 changesets, however,
indicating that work is proceeding even in the absence of formal releases.
These patches include a generic msleep() function for
millisecond-scale waits, a CPU frequency control update, a set of autofs4
patches, del_singleshot_timer() (covered here last week), a set of patches to shrink the
heavily-used dentry structure, the "filtered wakeup" mechanism
(see the May 5 Kernel Page), a
libata update, some architecture updates, the scheduling domains patch set
(covered here last month), the removal of
the Intermezzo filesystem due to lack of use and support (see below), a
sysctl variable
giving "huge page" access to an administrator-specified group,
the ability to re-enable interrupts while waiting in
spin_lock_irqsave() (for all architectures now), support in
reiserfs for quotas and external attributes (added over Hans Reiser's objections), and lots of
fixes.
The current kernel prepatch from Andrew Morton is 2.6.6-mm4. Recent additions to -mm include the
anon-vma reverse mapping code (see below), a fix for the
"phenomenally broken" ramdisk driver, the reservation of a system call
number for the "kexec" functionality, and lots of fixes.
The current 2.4 prepatch is 2.4.27-pre3, which was released by Marcelo on May 18. Changes
this time around include a JFS update, some driver updates, a big serial
ATA update, and a number of fixes.
Comments (none posted)
Kernel development news
The discussion has been quiet in recent times, but work on replacing the
low-level reverse-mapping virtual memory code in the 2.6 kernel continues.
When we last
looked at the new, object-based reverse mapping ("objrmap") approach, there
were two competing implementations:
- Andrea Arcangeli's anon-vma, which adds
a data structure creating a connection between each physical page and
the virtual memory area (VMA) structures which reference it.
- Hugh Dickins's anonmm, which associates
pages with the top-level memory management ("mm") structure instead.
The two approaches are conceptually similar, but each has its strong and
weak points. Their performance is essentially equivalent. Thus far, there
has not been any sort of spirited debate over which should be included;
most kernel developers, if they have a preference, have kept it to
themselves.
Hugh has been busy over the last few weeks, however, creating a series of
40 patches aimed at slowly moving the reverse mapping code over to the
object-based approach. The first five of those patches, which are
restricted to cleanup and preparatory work, have been merged into the 2.6
mainline. "rmap-10" added anonmm; it was promptly merged into the -mm
tree. This action did not imply that anonmm had been chosen over anon-vma,
however; it was simply the first step in the testing process which would
lead to a final decision.
Hugh's final series of patches (rmap-34 to rmap-40) completes the process
by replacing anonmm with anon-vma; these patches are present in 2.6.6-mm4.
Hugh introduces the patch set by saying:
Judge for yourselves which you prefer. I do think I was wrong to
call anon_vma more complex than anonmm (its lists are easier to
understand than my refcounting), and I'm happy with its vma merging
after the last patch. It just comes down to whether we can spare
the extra 24 bytes (maximum, on 32-bit) per vma for its advantages
in swapout and mremap.
As Hugh notes, anon-vma should have better swapping performance, since its
structures make it easier to find the VMA for a given page. Additionally,
the anonmm code works best when shared anonymous pages have the same
virtual address in each address space that uses them; if a process moves
pages with mremap(), some relatively complicated work must be
performed to make things work. The anon-vma solution does not have that
particular problem.
On the other hand, expanding the VMA
structure is not something which should be done lightly; some loads can use
huge numbers of VMAs, and they must all be located in low memory. That
said, either reverse mapping scheme should free far more low memory than it
consumes; that is, after all, one of the main points behind this entire
exercise.
There still has been no public word on which scheme will be chosen, or when
it might be merged. The current state of affairs suggests, however, that
anon-vma will be the one that goes in unless some sort of major problem
turns up. As for timing: enough major work has already gone into 2.6.7
that it's hard to imagine throwing major VM surgery into the mix. So 2.6.8
is the earliest such a merge could possibly happen. A couple of 2.6
releases after that, the forking of the 2.7 tree might just become a
possibility.
Comments (4 posted)
Last week's Kernel Page talked about the
push toward 4K stacks on the i386 architecture. While most of the problems
with the smaller stack size have been worked out, a few remain. Witness,
for example,
this problem report; it would
appear that the 2.6.6 Radeon framebuffer driver is overflowing the 4K
stack.
The problem was quickly narrowed down to a
couple of new fields added to the radeon_regs structure:
    struct radeon_regs {
        ....
        u32 palette[256];
        u32 palette2[256];
    };
If one of these structures is placed on the kernel stack (as happens in the
radeonfb driver), those two arrays, by themselves, take half of the
available space. If that weren't sufficiently annoying, there is the
little fact that those arrays are part of an ongoing development and are
not actually used for anything in 2.6.6.
Fixing this particular problem is relatively easy, but this episode has
reawakened interest in finding large stack users automatically. One never
knows when a developer will expand a data structure without realizing that
it is used on the stack in some other place; rather than letting users find
this sort of mistake the hard way, it would be better to look for them
explicitly earlier in the development process. To that end, several
scripts have been posted which seek out large stack users in a compiled
Linux kernel. A quick look at these scripts makes it clear that kernel
code is, by no means, the scariest code out there:
objdump --disassemble "$@" | \
sed -ne '/>:/{s/[<>:]*//g; h; }
/subl\?.*\$0x[^,][^,][^,].*,%esp/{
s/.*\$0x\([^,]*\).*/\1/; /^[89a-f].......$/d; G; s/\(.*\)\n.* \(.*\)/\1 \2/; p; };
/subl\?.*%.*,%esp/{ G; s/\(.*\)\n\(.*\)/Dynamic \2 \1/; p; }; ' | \
sort | \
perl -e 'while (<>) { if (/^([0-9a-f]+)(.*)/) { $decn = hex("0x" . $1);\
if ($decn > 400) { print "$decn $2\n";} } }'
(from a script by Keith Owens and Arjan van
de Ven). Several variants have been posted, most of which are trying to
support multiple architectures. None yet have solved the full problem,
however: finding full call chains whose cumulative stack usage exceeds the
space available. With or without that feature, some sort of stack usage
checker is likely to be merged into the kernel build system before too
long. That should help the developers to trap the most obvious problems
before they find their way into a released kernel.
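A Python re-implementation of the idea behind that pipeline, added here as an example (it is not the script quoted above nor any tool from the kernel tree): it walks objdump --disassemble output, records the largest constant each function subtracts from the stack pointer, flags functions that adjust the stack pointer by a register (dynamic allocation), and reports frames above a threshold. The disassembly below is constructed sample input, not output from a real kernel build, and like the posted script it looks only at each function's own frame, not at cumulative call chains.

```python
import re

# Constructed sample of `objdump --disassemble` output for a 32-bit kernel
# (made up for this example; radeonfb_set_par is a stand-in for the 2.6.6
# Radeon framebuffer case, with a frame well over 2KB).
SAMPLE_DISASSEMBLY = """\
c0105000 <small_func>:
c0105000:   55                      push   %ebp
c0105001:   83 ec 10                sub    $0x10,%esp
c0105004:   c3                      ret

c0105010 <radeonfb_set_par>:
c0105010:   55                      push   %ebp
c0105011:   81 ec 2c 08 00 00       sub    $0x82c,%esp
c0105017:   c3                      ret

c0105020 <uses_alloca>:
c0105020:   29 c4                   sub    %eax,%esp
c0105022:   c3                      ret

c0105030 <negative_adjust>:
c0105030:   81 ec 00 f0 ff ff       sub    $0xfffff000,%esp
c0105036:   c3                      ret
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:")
# Constant frame allocation: sub $0x<imm>,%esp (or %rsp on x86-64).
SUB_IMM_RE = re.compile(r"\bsub[lq]?\s+\$0x([0-9a-f]+),%[er]sp\b")
# Register-sized adjustment: alloca()-style or variable-length arrays.
SUB_REG_RE = re.compile(r"\bsub[lq]?\s+%[a-z0-9]+,%[er]sp\b")


def immediate_is_negative(hexdigits):
    """An 8-digit (32-bit) or 16-digit (64-bit) immediate with the top bit set
    is a negative constant: sub $0xfffff000,%esp actually adds 4096. The
    posted sed script drops these with its /^[89a-f].......$/d rule."""
    return len(hexdigits) in (8, 16) and hexdigits[0] in "89abcdef"


def find_stack_hogs(disassembly, threshold=400):
    """Return ([(function, frame_bytes)] sorted largest first,
    [functions with register-sized stack adjustments]) for frames larger
    than `threshold` bytes."""
    frames = {}      # function name -> largest constant subtracted from %esp
    dynamic = set()  # functions whose frame size is not a compile-time constant
    current = None
    for line in disassembly.splitlines():
        header = FUNC_RE.match(line)
        if header:
            current = header.group(1)
            frames.setdefault(current, 0)
            continue
        if current is None:
            continue
        imm = SUB_IMM_RE.search(line)
        if imm:
            if not immediate_is_negative(imm.group(1)):
                frames[current] = max(frames[current], int(imm.group(1), 16))
        elif SUB_REG_RE.search(line):
            dynamic.add(current)
    hogs = sorted(((name, size) for name, size in frames.items() if size > threshold),
                  key=lambda item: (-item[1], item[0]))
    return hogs, sorted(dynamic)


if __name__ == "__main__":
    import sys
    # Pipe real `objdump --disassemble vmlinux` output on stdin, or run
    # without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DISASSEMBLY
    hogs, dynamic = find_stack_hogs(text)
    for name, size in hogs:
        print(f"{size:6d} {name}")
    for name in dynamic:
        print(f"Dynamic {name}")
```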
Comments (4 posted)
In the 2.6 kernel, parameters to loadable modules are set up with the
module_param() macro:
module_param(name, type, perm);
The perm parameter was set aside for the sysfs representation of
this parameter but has, until now, been unused; almost every declared
parameter simply sets it to zero in the 2.6.6 kernel. A new patch has been posted, however, which
makes module parameters in sysfs a reality.
This patch creates a new /sys/module directory; a subdirectory
will be created for each module loaded into the system. For unloadable
modules, a read-only parameter (called refcnt) will be set up
which contains the module's current reference count. There will also be
attributes for every module parameter whose perm value is not
zero; that value will, as expected, set the permissions mask for that
parameter.
If the permissions mask allows, module parameters will be writable. In
theory, this will give module authors an easy way to export
administrator-tweakable knobs to user space. It is worth noting, however,
that there is no mechanism for notifying a module that one of its
parameters has been changed. Module authors, thus, will have to be careful
to ensure that their modules will properly detect and respond to changes to
parameters at any time before exporting those parameters in a writable
mode. Even so, this patch represents the tying-up of yet another 2.6 loose
end.
Comments (none posted)
One of the most important tasks in kernel maintenance is not the addition
of new code, but removal of old code that is no longer useful. Unused code
bloats the kernel and, potentially, becomes a breeding ground for bugs and
security problems. Getting that code out of the way helps keep the kernel
cruft level down.
In recent times, the ax has fallen on two subsystems. The first is the InterMezzo filesystem, which has
been removed for 2.6.7. InterMezzo is a distributed filesystem from Peter
Braam and company with a number of interesting ideas, but, apparently, few
users. Maintenance has been lacking, and Mr. Braam finally agreed that it should be removed, noting
"In the past 4 years nobody has supported InterMezzo sufficiently for
it to become successful." The Lustre
filesystem, which is Mr. Braam's current project, appears to be headed for
greater success.
A patch has been posted which removes
support for the PC9800 architecture. There have been a few small
objections to this removal, drawing this
response from Alexander Viro:
So are you volunteering to maintain the port? Maintainers are MIA;
the damn thing doesn't compile; all patches it gets are basically
blind ones ("we have that API change, this ought to take care of
those drivers and let's hope that possible mistakes will be caught
by testers"). Considering the lack of testers (kinda hard to test
something that refuses to build), the above actually spells in one
word: "bitrot".
There has been a rather conspicuous shortage of people stepping up to
maintain the PC9800 port, so chances are that it will be going away
soon.
Comments (4 posted)
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
In the midst of all the excitement surrounding the release of Fedora
Core 2 this week, some of the smaller projects that announced new
versions at about the same time might have escaped attention.
One of them was Linux From Scratch 5.1.
As the popularity of Linux increases, many people ask: "Is there a fast
and fun way to learn the ins and outs of the Linux operating system?
Are there any entertaining alternatives to conventional training
courses and books?" For many, the answer might very well be Linux From Scratch (LFS), a
book that provides step-by-step instructions to build a complete Linux
operating system from source code available for download on the
Internet.
Linux From Scratch is a mature project. Its beginnings date back to
December 1999 when version 1.0 was released. In it, the book's author
Gerard Beekmans explains
the purpose of the new "distribution":
I started this document about 6 months ago. I
tried a few Linux distributions and came to the conclusion that there
wasn't a distribution I totally liked. Every distribution has its own
advantages and disadvantages, but I was never satisfied with what I had
(although Debian comes very close to what I want), so I decided to
explore the possibility of building my own Linux distribution using
nothing but source code of programs. As I found out there's quite a bit
of work involved, but it's also a lot of fun and you really learn a lot
by doing it, since you need to configure every single aspect of the
system. This forces you to read a lot of manuals on how to configure
various software. It also gives you total control over your system
(well, that's the idea). You know exactly what software is installed,
how it is configured and where all the configuration files
reside.
Yes, Linux From Scratch is primarily about learning. Although the final
product can indeed be used as a distribution in its own right, the road
that one has to walk in order to get to the destination is too tedious
to make it a regular routine. Installing Linux From Scratch is even
harder than installing Gentoo: there is no Portage to do the hard work
harder than installing Gentoo: there is no Portage to do the hard work
and all compiling has to be done with the classic UNIX tools of
configure, make and make install. But this
is where the educational value of Linux From Scratch manifests itself.
The process is possibly the most practical way to learn about every
detail regarding file structures, processor optimizations,
configuration files, security matters and thousands of other issues.
How much would you pay for a commercial Linux training course? Linux
From Scratch is a great resource which will not only teach you the very
basics of Linux, it will do so in a most entertaining way, all for
free.
If you decide to embark on this experience, consider these
prerequisites:
- Make sure that you have an existing Linux installation on your hard
disk. Any recent distribution will do, as long as it is complete with a
GCC compiler and relevant development tools.
- Download the LFS packages. All the required LFS packages can be
downloaded from LFS mirrors, either individually, or as one complete
tarball. Alternative methods using P2P networks or a wget script are
also available.
- Download the LFS book. The LFS book contains around 200 pages and
can be downloaded in HTML or PDF formats.
Although trying to absorb 200 highly technical pages split into 9
chapters might sound like a lot of hard work, the truth is that a great
deal of the book consists of reference information, such as package
descriptions and listings of program files and their dependencies. The
preface and the first chapter can be skimmed over - they contain little
besides a foreword, acknowledgments, conventions, changelog and other
general information. Chapter 2 explains how to create a new partition,
format it with an ext2 file system and mount it. Chapter 3 lists
packages needed to build LFS, while chapter 4 details the final
preparations before the actual build, inclusive of setting up the build
environment.
The real meat of the book starts in Chapter 5, which contains
instructions about compiling and installing a minimal Linux system. At
this stage, all compilation is done with tools "borrowed" from the host
environment, but with static linking to system libraries to gain
"independence" from the host system. This will ensure that the newly
compiled tools still work in a subsequent, "chroot-ed" stage. The
compile process starts with GNU Binutils and continues with GCC, Linux
header files, Glibc, Tcl, several essential GNU utilities, and Perl.
After installing Glibc, both Binutils and GCC have to be recompiled for
the second time to link them against the new Glibc. The compiling of
most packages will only take a minute or two, with the exception of
Glibc and GCC, which will take a lot longer. However, the time it takes
to compile the packages can be utilized for reading the relevant
sections in the book, which provide detailed information about such
interesting matters as the purpose of the many available GCC compiler
flags and other related topics.
Chapter 6 starts with mounting the proc and devpts
file systems, followed by a chroot into the newly compiled
base LFS partition. The next step is to create a standard UNIX
directory structure. If you are fairly new to the world of Linux, this
is a great chapter to learn about file permissions, passwords, users
and groups, log files, and also about creating devices in the
/dev directory. Next comes a detailed explanation on compiling
Glibc, including notes on locales, how to configure the dynamic loader,
and a list of commands provided by Glibc. A very useful chapter indeed!
In order to enable dynamic linking to system libraries, all
applications compiled in the previous chapter need to be recompiled
here for the second time (or, in the case of Binutils and GCC, for the
third time). The remaining system packages will also be compiled in
this chapter. Interestingly, beside GCC 3.3.3, the book also recommends
installing GCC 2.95.3, which will be used exclusively for compiling the
Linux kernel; the well-tested older compiler is said to be more
suitable for building a rock-solid kernel than any of the new GCC 3.x
series.
The full Linux kernel is finally compiled in chapter 8. However, to get
there, one still needs to go through the short, but important chapter 7
- another invaluable section of the book providing all the necessary
bootscripts and filled with information about setting up the system
clock, the syslog daemon, and networking. The kernel compilation
chapter does not deal with kernel configuration issues; it merely
provides instructions to compile a default kernel, with a suggested
alternative of copying an existing kernel configuration file from a
known working system. The very final step of the book is to configure
the Grub boot loader (previous versions of LFS used lilo, but version
5.1 switched to Grub) to make the newly compiled Linux system bootable.
Completing all the steps in the book will probably kill a whole weekend,
and, the freshly acquired knowledge and experience aside, the brand
new Linux system on your hard disk is very bare-bones and not
particularly useful. So how can you make it useful? By moving on to the
next book - the 413-page Beyond Linux
From Scratch (BLFS). This is a priceless resource with detailed
instruction on how to compile many common applications, including
essential utilities, server packages (Apache, MySQL, Samba...), desktop
environments (XFree86 + KDE, GNOME, XFce...), OpenOffice.org,
multimedia and printing packages, and many other open source
applications. At this stage, you'll probably start craving a binary
Linux distribution, one that can be installed and is ready to use in 20
minutes. But even if you don't plan on further package compiling, the
BLFS book is a great reference for those moments when you do need to
compile applications, with many tricks, workarounds and guidelines.
Linux From Scratch is a wonderful project. It should become compulsory
reading for all Linux training courses, and something that
every Linux enthusiast should complete at least once. This would also
create another interesting side effect: people who tend to be quick in
expressing dissatisfaction on the distributions' mailing lists and
forums would probably show a lot more respect for the developers.
Installing a ready-made distribution is a trivial task. Building up a
set of 4 CDs containing a stable, secure and reliable operating system,
plus thousands of applications, is most definitely not.
Comments (5 posted)
Distribution News
It's official: Fedora Core 2 is out. "Including musical numbers such as 'Who Let Fedora Out?' by the Slashdot Men, 'The Download Goes On' by Celeron Dion, and 'The Hacker in Me' by Shania Sane. 'It's a singing, dancing extravaganza!' says the Rawhide Daily News." As of this writing, not all of the mirror sites had opened up yet, but that should change quickly. Click below for the full announcement.
Full Story (comments: 10)
Here's the Debian Weekly News for May 18, 2004. In this issue: an interview with Miguel de Icaza, new K6 mini iso images, the status of the Java to main effort, Debian powered binoculars, the status of GNOME 2.6 for unstable, and several other topics.
The Debian Project has sent out a release
mourning the death of two of its developers, Manuel Estrada Sainz and
Andrés García, who were killed in an automobile accident on return from the
Free Software conference in Valencia.
Comments (none posted)
The Linux Business Alliance has unveiled a preview of the next generation LBA-Linux. "LBA-Linux R2 Beta, a test version of the as-yet-unreleased LBA-Linux R2, reveals a slew of new features and sports an enhanced, stylish design."
Full Story (comments: none)
Here are a couple of Mandrakelinux 10.0 updates:
- XMMS on amd64 was not built against
the GTK libraries which can cause some problems with applications such as
mencoder. The updated packages correct the problem.
- /etc/lsb-release still had data
referencing the 9.2 release and the old Mandrakesoft naming.
Comments (none posted)
This week the slackware-current branch received various upgrades,
including perl 5.8.4, pine 4.60, xscreensaver 4.16, more GNOME
packages, getmail 3.2.4 and BitTorrent 3.4.2; a number of packages were
also recompiled to use the upgraded versions. There were several
security fixes to both slackware-current and slackware-stable; check
here for security updates.
Comments (none posted)
Trustix Secure Linux fixes several Samba bugs in TSL 1.5, 2.0, 2.1 and
TSEL 2.
Full Story (comments: none)
Minor distribution updates
Astaro Security Linux has released v5.008 with minor bugfixes.
"Changes: This Up2Date fixes some minor bugs in the user interface
called WebAdmin."
Comments (none posted)
BasicLinux has released v3.21fd with major feature enhancements.
"Changes: The new FD version boots from two floppy disks. It includes
all the features of the HD version, including the X11 applications. The
FD version runs in a ramdisk and can (optionally) be installed to the
hard drive with LILO."
Comments (none posted)
Buffalo Linux has released v1.2.2 with major feature enhancements.
"Changes: Version 1.2.2 has been released on the main site. The ISO
includes kernel 2.6.6 and an improved Buffalo Desktop with Opera 7.50
and links to CrossoverOffice 3.0. Also included is GNOME-2.6 as a bundle
package. All packages are in sync with Slackware-current as of 14 May.
It includes many bug fixes (and probably some new ones to keep you
entertained). An update-only download is available."
Comments (none posted)
ClusterKnoppix V3.4-2004-05-10-EN-cl1 has been released. ClusterKnoppix
uses Knoppix and OpenMosix to create a live CD that can create and manage
clusters. Click below for features and change log.
Full Story (comments: none)
Coyote Linux has released v2.10 with minor bugfixes. "Changes: This
release fixes a bug that can cause the firewall to stop forwarding
traffic if the configuration is reloaded from the Web administrator."
Comments (none posted)
Damn Small Linux has released v0.7 with major feature enhancements.
"Changes: This release added myDSL, an easy way to extend DamnSmall, a
Synaptic download script, gRun (replacing fbrun), and enhancements to
emelfm. A bug with passing the current video mode for hard drive
installation was fixed. OpenOffice, AbiWord, GCombust, Samba, Ace of
Penguins, GNU utils, and Firefox extensions were created."
Comments (none posted)
Feather Linux has released v0.4.2 with major feature enhancements.
"Changes: This release allows customization. It includes PSS, a
self-written music server to stream music over your network, XMMS
1.2.10, a gaim script, alsaconf and usbview. tcc now works. Several
other minor changes are incorporated."
Comments (none posted)
FreeBSD 4.10-RC3 is available. "Changes from RC2 include a full package
set for Alpha, fixes for the twe(4) driver under load, fixes for the twa
drives not being seen by sysinstall, along with various other bug fixes.
i386 ISO images are available now, alpha ISO images are uploading to
ftp-master now and will be available shortly. We expected this to be
the final RC before the full release at the end of this week. So please
test this as much as possible and report any problems."
Comments (none posted)
GeeXboX has released v0.97 with major feature enhancements. "Changes:
This release uses MPlayer 1.0pre4. It has support for DXR3 cards, PCI
and USB WiFi network adapters, Serial ATA disks, Gigabit ethernet cards,
and BT8x8 and Saa7134 cards (Composite and S-VHS inputs and TV tuners).
It has support for audio/video streaming. There is a telnet server for
remote access. It supports VidiX for EPIA-M, ATI Radeon 9xxx, and nVidia
cards. An image viewer (FBI) has been added with support for BMP, GIF,
JPEG, PCD, PNG, PNM, and PPM formats."
Comments (none posted)
LEAF has released Bering-uClibc 2.2-beta2 with major feature
enhancements. "Changes: This release includes a new linuxrc and
leaf.cfg. Other changes are a modularized ip_conntrack, replacement of
arp with the busybox arp applet, and a small patch for uClibc for
keepalived."
Comments (none posted)
NSA Security Enhanced Linux has released v2004051217 with minor feature
enhancements. "Changes: The current prototype and the experimental NFS
code are now based on Linux kernel 2.6.6. Several races and kernel
socket creation problems were fixed and a runtime disable was added. The
old 2.4-based kernel patch was ported to 2.4.26. The userland patches
were updated from Fedora Core 2 development. There are now man pages for
libselinux. X server security classes and access vector definitions were
added and many policy updates were made."
Comments (none posted)
RIP has released v8.5 with minor feature enhancements. "Changes: Some of
the software was updated on the CD and Floppy versions. There's also a
new way to install and run the Linux system: on a Windows NTFS
partition, without repartitioning."
Comments (none posted)
SLAX has released v4.1.2-pre1 with major bugfixes. "Changes: X11 locales
are no longer removed. DOC_MULTILANG documentation that describes how to
create a module with your language was included. KDE 3.2.2 with QT 3.3.2
and KOffice 1.3.1 were added, and .inputrc was modified to enable Czech,
Russian, and all other keymaps in bash. The Russian (and probably some
other) fonts were fixed in KDE, and the create_bootdisk.sh script for
making bootable USB flash disks was fixed. The mouseproto, mousedev, and
wheelmouse boot options were also fixed."
Comments (none posted)
Zool Linux has released v5 with major feature enhancements. "Changes:
BusyBox is now used instead of Crunchbox. The FS checking utilities were
removed, and the built-in shell was changed to ash. The default editor
is now vi. DevFS was added along with a DHCP server/client daemon, wget,
route, ping, nslookup, ftp, httpd, and pgen. The init system was changed
and the sysv scripts were rewritten. Some cleanups were made along with
some hacks to kernel 2.4.26 to make it smaller. linux_logo.h was
changed, and BusyBox was hacked to make it faster and smarter."
Comments (none posted)
Page editor: Rebecca Sobol
Development
Ethereal is an open-source and cross-platform network protocol analyzer
that offers a wide range of useful features for the network
administrator. Ethereal is used by network professionals around the
world for troubleshooting, analysis, software and protocol development,
and education. It has all of the standard features you would expect in
a protocol analyzer, and several features not seen in any other
product. Its open source license allows talented experts in the
networking community to add enhancements. It runs on all popular
computing platforms, including Unix, Linux, and Windows. Ethereal
features include:
- The ability to read and dissect packets off of live networks.
- Support for ethernet, PPP, FDDI, Token-Ring, IEEE 802.11, and other network hardware.
- The ability to decipher packet streams stored in various file formats.
- Support for 512 different network protocols; more protocols are typically added with each new version.
- Output can be sent to a GUI or TTY interface.
- Output can be saved as plain text or PostScript formatted files.
- Support for output display filters.
A complete set of Ethereal documentation is available online, the FAQ
is available for common questions, and the Screen Shots show the
software in action. Ethereal source code and pre-compiled packages are
available. The long list of authors is a great example of open-source
cooperation. Ethereal has been released under the GNU General Public
License.
Version 0.10.4 of Ethereal
was released this week. Changes include
new GUI features under GTK+ 2.4, better PostScript output,
the ability to set preferences on the main display window,
support for a number of new network protocols, improvements
to the existing network protocol support, and more.
Comments (1 posted)
System Applications
Audio Projects
The msAlsaSeq ALSA driver is out. "The driver lets you connect to ALSA
devices and other ALSA sequencer clients from MidiShare applications. It
can be used instead of the msRawMidi, msRawSerial and msInetDriver
clients if you're running ALSA instead of plain ol' OSS (which you
should ;-). It also allows you to map ALSA client ports to
corresponding MidiShare ports."
Full Story (comments: none)
The latest changes from the Planet CCRMA audio utility packaging project
include new versions of VASP, Audacity, and FIL-plugins.
Comments (none posted)
Database Software
Version 0.7 test1 of knoda, a database front-end, is out. "The main
feature is a database designer dialog."
Full Story (comments: none)
The May 17, 2004 edition of the PostgreSQL Weekly News is available
with the latest PostgreSQL database information.
Full Story (comments: none)
Mail Software
Version 2.1.5 of Mailman, a mailing list manager, has been released.
"Mailman 2.1.5 is a significant upgrade which should improve disk i/o
performance, administrative overhead for discarding held spams, and the
behavior of bouncing member disables. This version also contains a fix
for an exploit that could allow 3rd parties to retrieve member
passwords. It is thus highly recommended that all existing sites
upgrade to the latest version."
Full Story (comments: none)
Networking Tools
Luke A. Kanies continues his O'Reilly series on cfengine. "In this article we are going to take the script we wrote in Introducing Cfengine and distribute it to all of our servers using cfengine. As an added bonus, we're going to pull both our cfengine configuration and the sudoers file directly out of a versioning system. It's a simple additional step, something you should do with all centralized configuration files, and provides a convenient control point for modifying and auditing your configurations."
Comments (none posted)
Version 1.3.0 of the Twisted networking framework has been released. See
the Release Notes for details. "This is the last release before Twisted
begins splitting up."
Comments (none posted)
Security
Version 0.1.1 of the realtime Linux Security Module has been released.
"This release handles changes to the capabilities structure introduced
in Linux 2.6.6, but still works with earlier 2.6 kernels. There are no
functional changes. Unless you are running 2.6.6, there is no need to
upgrade."
Full Story (comments: none)
Web Site Development
The first alpha release of the long-awaited Zope 3.0 project is out.
"Zope X3 is the next major Zope release and has been written from
scratch based on the latest software design patterns and the experiences
of Zope 2." Click below for the details.
Full Story (comments: none)
Web Services
Chetna Warade, Virinder Batra, and Rick Runyan work with web services
and bioinformatics in part one of a series on IBM's developerWorks.
"This series describes the process of building, deploying, and using high-throughput Web services for bioinformatics applications. This is meant to serve as a guide for development of software based on the Open-Bioinformatics Foundations software toolkits with packages such as BioPerl, BioJava, and BioPython. This article provides directions for how to deploy a service and presents a new implementation of document-style Web services extensions to the BioPerl module that will allow a wide range of existing applications to consume such services."
Comments (none posted)
Miscellaneous
Version 0.33 of the GNOME System Tools, a set of cross-platform
configuration utilities, has been announced. "A new release of the GST
is out! This time with a whole bunch of improvements, such as adding
full PPP support for Slackware, network tool support for Conectiva and
adding full support for all tools for Gentoo and FreeBSD."
Comments (none posted)
Desktop Applications
Accessibility
Version 0.9.2 of gnopernicus, a screen reader for the GNOME desktop, is
out. This version adds a configurable magnifier option and more.
Full Story (comments: none)
Audio Applications
The alpha release of Helix Player 1.0 is available. See the release
notes for information on what's in this release and the known problems
(e.g. no ALSA support). Of course, if you want to play certain
proprietary media formats, Helix Player won't do it for you, but the
alpha version of Real Player 10 is available from the same place.
Comments (3 posted)
Version 0.4 of Rhythmbox, a music player, has been announced. "Among
other things, I spent a day squashing memory leaks in Rhythmbox and
GStreamer. Upgrading to this release is suggested for long-running
playback, and you'll also want to upgrade to the
hopefully-soon-to-be-released gstreamer-plugins 0.8.2 (which will also
fix stuff like infinite loops on .wma files)."
Full Story (comments: none)
Desktop Environments
GnomeDesktop reports on the release of GNOME 2.6.1 with lots of bug
fixes and improvements. An updated GNOME Installation Guide has also
been released.
Comments (none posted)
GARNOME version 2.6.1 is available. "The latest 'somewhat toned down'
version of GARNOME distribution for those who want a new version of
GNOME for regular day-to-day use, but don't want to wait until your
distribution catches up, is now out and about."
Full Story (comments: none)
Version 0.3 of the GSwitchIt Plugins is available for the GNOME 2.6.x
series. "GSwitchIt Plugins is a set of plugins which include
functionality not available (or hidden) in the core GNOME Keyboard
Indicator (because of usability, political correctness, code quality,
HIG compatibility, external dependencies etc etc etc)."
Full Story (comments: none)
The May 14, 2004 KDE-CVS-Digest is available. Here's the content
summary: "More work on KDevelop documentation tools, adding a TOC
plugin. Khtml text-decoration mostly brought up to CSS1 standards.
KBlueTooth adds utilities to search for services and send faxes. Kopete
adds rich text editor capabilities."
Comments (none posted)
KDE.News has a Quickies announcement that lists a bunch of new versions
of various applications.
Comments (none posted)
Games
Version 2.7.1 of gnome-games, a collection of games, is out.
Full Story (comments: none)
Interoperability
The May 14, 2004 edition of Wine Traffic has been published. Take a look
for the latest WINdows Emulation (WINE) news.
Comments (1 posted)
Web Browsers
Release Candidate 2 of the Mozilla 1.7 browser has been announced. "Like
the first release candidate, which came out last month, this build is
designed to ensure that there are no major bugs remaining before the
final release of Mozilla 1.7."
Comments (none posted)
Word Processors
The May 15, 2004 edition of the AbiWord Weekly News is out with news and
information about the AbiWord word processor.
Comments (none posted)
Miscellaneous
Colin Charles has put up an article explaining and defending the GNOME
2.6 "spatial Nautilus" file manager. "It sticks to the fact that people associate better with the computer's interface when they know that files and folders seem real, just like their physical equivalents, where you 'could manipulate in familiar, direct and predictable ways.' So, the spatial interface is supposed to be better, because it helps mimic real life - this makes associations easier and better for the user.
GNOME has done something ground-breaking by doing away with the browser-styled, Navigation metaphor. Every time the contents change within a window, people get lost, and file navigation becomes harder. So 'folders' are 'windows', now..."
Comments (49 posted)
Languages and Tools
C
The GCC Tree SSA branch has been merged into the GCC mainline code. "I
am glad to announce that Tree SSA has been merged into mainline. The
branch is now closed and mainline is, once again, open for business."
See last week's LWN development page for more information on this
project.
Comments (none posted)
Caml
The Caml Weekly News for May 11-18, 2004 has been published.
Full Story (comments: none)
Java
Paul Reiners makes music with Java on IBM's developerWorks. "Take computers, mathematics, and the Java Sound API, add in some Java code, and you've got a recipe for creating some uniquely fascinating music. IBM Staff Software Engineer Paul Reiners demonstrates how to implement some basic concepts of algorithmic music composition in the Java language. He presents code examples and resulting MIDI files generated by the Automatous Monk program, which uses the open source jMusic framework to compose music based on mathematical structures called cellular automata."
Comments (none posted)
Robert Simmons, Jr. explores nested classes in Java. "One aspect of the
Java language that is not widely understood is the concept of nested
classes. But because you're bound to encounter one or more of them in
other people's code, it's important to understand how they work. Chapter
six of Hardcore Java covers the various nested classes. In this first
excerpt in a three-part series of excerpts from the chapter, author
Robert Simmons covers the first of the three basic categories of nested
classes: inner classes."
Comments (none posted)
JSP
Hans Bergsten completes his series on JSP 2.0 with part four. "The wait
is almost over: the latest version of the JavaServer Pages (JSP)
specification, JSP 2.0, is about to be released. Hans Bergsten shows how
the new changes make using JSP and its expression language cleaner and
more powerful."
Comments (none posted)
Lisp
Loom is now available under an open-source license. "The Loom group at
the University of Southern California has released the Loom(tm)
knowledge representation language under an open-source license. Loom is
a 'language and environment for constructing intelligent applications'
written in Common Lisp."
Full Story (comments: none)
Perl
The May 10-16, 2004 edition of This Week on perl5-porters is online.
"Welcome to our latest edition of the P5P summary, for which I'm sure
you have been waiting. This week, you'll read about considerations on
Storable, nice improvements to the debugger, bugs, and other interesting
subjects."
Comments (none posted)
The May 14, 2004 edition of This Week on Perl 6 is online. "Ooh look.
Stuff's been happening in perl6-internals again. Will wonders never
cease?"
Comments (none posted)
PHP
Alexander Prohorenko writes about the use of shared memory from PHP on
O'Reilly. "IPC is one of the most important features of the UNIX
systems. It allows two processes to communicate with each other. In this
article we'll work with two System V IPC functions, semaphores and
shared memory. System V IPC originated in SVR2, but has implementations
by numerous vendors. It's also available in SVR4."
Comments (none posted)
Python
Version 2.3.4 RC 1 of Python is out with bug fixes. If no major
problems are found, the final Python 2.3.4 release will be out shortly.
Full Story (comments: none)
Version 2.0.0 of python-ldap is out. "python-ldap provides an
object-oriented API to access LDAP directory servers from Python
programs. It mainly wraps the OpenLDAP 2.x libs for that purpose."
Full Story (comments: none)
The May 14, 2004 python-dev Summary is out with a summary of the
python-dev mailing list traffic from April 1-30, 2004.
Full Story (comments: none)
Ruby
Version 0.2.0 of Ruby/GtkSourceView, a Ruby binding for the
GtkSourceView C library, is out. "This release fixes several bugs
(memory-related for some), brings more compliance to the Ruby-GNOME2
design guidelines, wraps more classes/methods and provides API reference
documentation."
Full Story (comments: none)
Tcl/Tk
The May 17, 2004 edition of Dr. Dobb's Tcl-URL! is out with the week's
Tcl/Tk article links.
Full Story (comments: none)
XML
Arnaud Le Hors covers XML 1.1 and Namespaces 1.1 on IBM's
developerWorks. "In this article, software engineer Arnaud Le Hors
explains what XML 1.1 and Namespaces 1.1 are about, what changes they
bring, and how they affect other specs and users."
Comments (1 posted)
Uche Ogbuji has written part two in his O'Reilly series on XML
Namespaces. "In this article I shall focus on the various libraries
packaged in 4Suite. If you need background on 4Suite, see my earlier
article 'A Tour of 4Suite'. I did briefly cover how to express
namespaces for use in 4XPath in that article, but in this one I will
explore different angles on the topic."
Comments (none posted)
Fabio Arciniegas A. explores SVG and typography on O'Reilly. "In the
second part of our discussion of SVG and typography we explore some
time-honored practices of typographic excellence; as we go along, each
type issue will lead to the discussion of relevant technical aspects of
SVG."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ZDNet UK reports that the European Council has approved the software
patent directive. "The Directive will now be sent back to the European
Parliament for another vote there in the autumn as the different bodies
of the EU engage in a game of legislative ping-pong. While observers
expect vociferous lobbying from open-source and developer groups,
reversing the Council's vote will be difficult, according to James Heald
of the Foundation for a Free Information Infrastructure..."
Comments (28 posted)
Serverwatch looks at desktop usability. "We've spent a lot of time
experimenting with GNOME 2.6 during the past few weeks, and we're
inclined to say it's no worse than anything else we've dealt with in
recent years. Early OS X releases constituted the hoodwinking of an
entire user community that had no idea it was paying for the privilege
of running two years of beta software. It took a veritable bucket
brigade of third-party software developers to let us stand the sight of
a pulsing blue button. We've been similarly troubled by Windows XP and
its obvious anxiety over OS X, and we've looked at the latest from the
KDE project, which provides a cluttered riot of over-configurability."
(Found on GnomeDesktop)
Comments (9 posted)
Trade Shows and Conferences
NewsForge covers the recent International PHP Conference in Amsterdam.
"One of the most exciting novelties I saw at the conference was PIMP, a new graphic extension for PHP 5 meant to replace GD as the main image manipulation tool for PHP. Its author, Pierre-Alain Joye, gave an interesting demonstration of its capabilities. Even though PIMP is still experimental and unstable, its performance and nice API are really impressive. PIMP will certainly be an improvement compared to GD, which is quite buggy and has caused a lot of headaches over the last few years."
Comments (2 posted)
The SCO Problem
Groklaw celebrates one year on the net. "What a difference a year makes.
When we started, all the headlines were saying that SCO was going to
destroy Linux or at least make it cry. Now, looking around today, I see
almost everyone predicting SCO's imminent doom instead. I think the
truth, as usual, isn't in the headlines, and that it's somewhere in
between those two extremes."
Comments (none posted)
Companies
The Register reports that a bug in payment software from Natexis has
been overcharging Mandrakesoft customers. "The system is now up and
running properly and Natexis is talking to the banks so anyone who
overpaid should get a refund soon."
Comments (4 posted)
Microsoft Taiwan Corp is claiming superior performance over several
popular Linux distributions in the availability of security patches,
according to this article in the Taipei Times. "Citing a report released in March by Forrester Research, Chan said Microsoft is the only company that fixed all the flaws found in its platform, unlike Red Hat Inc, Debian Systems, Mandrakesoft and Suse, who are the major developers of the open-source Linux operating system.
Chan said the number of security alerts announced by Microsoft had decreased from 43 in 2002 to 38 last year, while Red Hat, Debian and others reported more alerts during the period."
Comments (7 posted)
The Register reports that Microsoft is taking Linspire to court again,
despite the name change from Lindows. "The software giant is taking
action in the Dutch courts, where it won its previous case, claiming
that the word Lindows is still appearing on Linspire's website. A
decision is expected by the end of this month. Michael Robertson, chief
executive of Linspire, said: 'Microsoft is continuing the bullying
tactics which have obliterated competition over the last 20 years...Its
recent actions demonstrate that it has not reformed, but continues to be
one of the world's worst corporate citizens that will do anything to
squash competitors that threaten its monopoly profits.'"
Comments (19 posted)
eWeek covers Novell's enterprise desktop plans. "'So, we are
essentially taking the best of all three companies: strength from SuSE
in terms of multiplatform support and enterprise-hardened Linux
distributions; our expertise and usability and innovation and
interoperability on the desktop from Ximian; and Novell's strength as a
billion-dollar-revenue company with an enormous channel and very
powerful reach and great product quality and support,' Nat Friedman,
Novell's vice president of Linux desktop engineering, told eWEEK in an
interview."
Comments (3 posted)
News.com reports on the recent release of Red Hat Enterprise Linux 3
Update 2 and the expected release of Fedora Core 2. "In Red Hat
Enterprise Linux 3 Update 2, released Wednesday, the Linux seller added
support for Intel's 64-bit 'x86' processors and IBM's Power
processor-based JS20 blade servers. In addition, the update adds 64-bit
versions of developer tools for Intel's Itanium and Xeon chips and
Advanced Micro Devices' Opteron." Fedora Core 2 is scheduled to be
available on May 18.
Comments (none posted)
Business
Dave Fancella looks at issues behind making money with free software.
"Once, a long time ago, we had one of the Rock Stars--er, businessmen himself appear on the list. He basically said 'How am I supposed to make money off this software when people can just download it for free?'
Well, you're not. Sorry. You asked the wrong question. The right question for him is 'How can I add value to this software so that people will buy it from me rather than download it for free?'"
Comments (none posted)
Linux Adoption
LinuxInsider.com reports that several Asian countries are sharing
research about conversion to Linux. "According to Japanese officials, the purpose of talks between Japan, South Korea and China is to share research findings, reduce the amount of money spent on Windows licensing and maintenance fees, and promote the use of Linux in the private sector.
The main goal is to come up with a Linux standard that will support Asian languages -- which have many more characters than Western alphabets. In the Chinese language, for example, there are literally thousands of characters."
Comments (13 posted)
Linux at Work
Bioinformatics.org reports on an organization called the Gelato
Federation. "The Gelato Federation, also known as Gelato, is working to develop scalable, commodity software to enable researchers to advance their studies in developing and technology-intensive areas, such as life sciences and physical sciences. Gelato invites participation from all interested organizations.
Co-founded by HP and seven of the world's leading research institutions, Gelato is launching an open source community initiative designed to foster the development and dissemination of focused computing solutions for researchers and associated IT staffs working on the Itanium Linux platform."
Comments (none posted)
Legal
Declan McCullagh reports on the House subcommittee meeting which
considered the Digital Media Consumers' Rights Act (a DMCA reform bill).
"It's unclear what the prospects are for the Boucher-Doolittle bill. It
has a mere 15 co-sponsors in the House and no Senate version exists.
What's more, the consumer protection subcommittee that convened
Wednesday's hearing does not have jurisdiction over copyright law,
making it unlikely the bill will be forwarded to the House floor this
year."
Comments (none posted)
La Repubblica reports (in Italian) that some members of the Italian
government are opposed to the introduction of software patents in
Europe. "'An excessive reliance on software patents risks putting small
and medium enterprises in this sector at a disadvantage, limiting the
development of the market.' With these words, the Minister for
Innovation and Technology, Lucio Stanca, expressed himself today
against the proposed software patent directive..." (Editor's
translation. The headline reads "A European directive threatens open
source.") Sig. Stanca will not be representing Italy when the directive
is discussed, however, so it is unclear what the country's position
will ultimately be.
Comments (4 posted)
Interviews
KernelTrap interviews VM hacker Andrea Arcangeli. "The VM at large is a
big heuristic, and there's no perfect formula you can use to tell which
page it's time to swapout to disk when, nor can you exactly predict how
well the swapping will behave at runtime until you test or simulate it;
that is the really hard part of the VM."
Comments (2 posted)
Fabrice Mous talks with Walter Stolk at International Hout about the
company's KDE use on KDE::Enterprise. "The big advantage we have from
using KDE is the manageability of the workstations. Because there is not
much need for maintenance I can take care of this aside of my daily work
without the need for external expertise. This saves us a lot of money."
(Found on KDE.News)
Comments (none posted)
The People Behind KDE will be going on a summer vacation after this
interview with Gunnar Schmi Dt. "Which section of KDE is underrated and
could get more publicity?
The accessibility project could live with many more people. Some jobs
that can increase the accessibility of KDE without requiring much
knowledge about programming are to test all applications in order to
find accessibility issues and to read bug reports and decide whether
they are accessibility related or not." (Found on KDE.Net)
Comments (none posted)
vnunet talks with Red Hat CEO Matthew Szulik about desktop Linux. "One
of those Wall Street banks now has one administrator for 800 machines.
One did it then everybody else came rushing to him to say: 'how did you
do that?' Now nine out of the 10 leading Wall Street banks are Red Hat
customers."
Comments (5 posted)
Resources
The OSDN DevChannel looks at monitoring filesystems with tools like
dnotify and FAM. "Most modern operating systems provide file monitoring
facilities to give applications real-time information about changes to
the filesystem. A variety of notification methods are used to tell the
application when a change happens, ranging from an asynchronous signal
being sent from the kernel through a user space tool printing the name
of the changed file on its standard output. We'll take a look at some of
the file monitoring facilities available to the Linux developer,
starting with the lowest-level mechanism and working up to the highest."
Comments (1 posted)
Reviews
Planet Geek has a review of BloGTK, the Python-based blog tool. "The interface is clean and easy to work with, nothing was difficult to find or unintuitive. I'm able to save postings for later re-editing, (though the 'draft posts' are not available from my MT installation, so if I've been working on something online, I can't switch to using BloGTK to continue editing, or vice versa)."
Comments (none posted)
Linux Journal examines desktop publishing using OpenOffice.org.
"Desktop publishing (DP for short) differs from word processing. In word
processing, you type pages of characters and numbers to create documents
for others to read. They might include graphics, such as tables and
charts, to illustrate points made in the text, but the goal is to create
a written document to convey information. In DP, you use graphics, along
with text, to create a document with more visual appeal. Look at any
printed advertising--the graphics in the document often are more
important than the written word."
Comments (17 posted)
KDE.News reviews KMPlayer in its Application of the Month series. "KMPlayer is a multimedia player for the KDE Desktop capable of playing audio and video. The difference between KMPlayer and other multimedia players like Kaffeine is that KMPlayer acts as a frontend to multiple multimedia libraries. KMPlayer supports not only MPlayer but also Xine and FFmpeg. This means that KMPlayer will play everything MPlayer and Xine will play. With KMPlayer you can also record streams with mencoder and watch TV if your card is supported by Video4Linux."
Comments (none posted)
Linux.com reviews Linux training from The Training Camp. "The most important thing to realize when attending The Training Camp's LPIC certification course is that it really is a boot camp. You need to be prepared to eat and sleep Linux for seven days. Although there are no prerequisites, students should familiarize themselves with Linux before attending. Browse the Web, read up on Linux, install it, acquire a frame of reference. Being able to learn and retain this much information in this short of a timeframe is a skill. It's important to put yourself in that mindset when attending."
Comments (none posted)
IBM developerWorks reviews three Perl books: Perl 6 Essentials, Perl Cookbook, 2nd Edition, and Perl Template Toolkit. "After finishing the second edition of the Perl Cookbook, I felt ready for the challenges of programming Perl in today's environment. Where the first edition seems inadequate today because of technologies that have emerged since its printing, the second edition again provides a stable foundation for any Perl programmer, beginner to advanced. I recommend the Perl Cookbook strongly, even for those who already have the first edition."
Comments (4 posted)
The Linux Journal reviews The Official Samba-3 HOWTO and Reference Guide. "Due to the complexity of modern Samba installations, it isn't sufficient for a book to cover only the Samba software itself. A number of external software packages are needed to integrate a Samba server into a large network. Fortunately, the book does not let us down. The use of OpenLDAP, PAM, ISC BIND and DHCP in conjunction with Samba are all touched on in varying degrees."
Comments (4 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Remember the Alexis de Tocqueville Institution? They are the folks who put out the "Linux may help terrorists" press release almost exactly two years ago. They are at it again with this strange release hyping an upcoming book. "In one of the few extensive and critical studies on the source of open source code, Kenneth Brown, president of AdTI, traces the free software movement over three decades -- from its romantic but questionable beginnings, through its evolution to a commercial effort that draws on unpaid contributions from thousands of programmers. Among other points, the study directly challenges Linus Torvalds' claim to be the inventor of Linux." They promise excerpts from the book on May 20.
Comments (16 posted)
FFII has sent out a news release (click below) stating that the EU Council of Ministers has approved a new patent directive which removes the amendments added by the European Parliament last year. "Instead the lax language of the original Commission proposal is to be reinstated in its entirety, with direct patentability of program text fragments added as icing on the cake. The proposal is now scheduled to be confirmed without discussion at a meeting of ministers on 17-18 May, unless one of the Member States changes its vote." As one might imagine, FFII is urging action to bring about such a change.
Full Story (comments: 13)
The AGNULA project has published a protest against EU software patents. "In September 2003, the European Parliament had voted to maintain and reinforce the exclusion of software and business methods from patentability. On May 5 2004, the Irish Presidency managed to secure a qualified majority for a counter-proposal to the software patents directive, with only a few countries - including Belgium and Germany - showing resistance. This proposal discards all limiting amendments from the European Parliament, reinstates the laxist provisions from the Commission, adding direct patentability of data structures and process descriptions as icing on the cake."
Full Story (comments: none)
Mandrakesoft urges people to get involved in stopping the adoption of software patents in the EU. "Mandrakesoft would like to forewarn and mobilize its users and the software community about the very real threat of such a law. Please contact the media, your political representatives, and your government, and urge them to vote against unlimited Software Patents and to revert to the previous European Parliament position."
Full Story (comments: 6)
Marist College in Poughkeepsie, New York has announced that it has joined
the Open Source Development Labs. Marist is the first college to become an
affiliate member of OSDL through a newly established College and University
affiliate program.
Full Story (comments: none)
ObjectsSearch.com has announced a web search engine that is based
on open-source code.
Full Story (comments: none)
Open Source Industry Australia has sent out a couple of press releases relevant to current attacks on free software. This one warns against the risks of using proprietary software in defense applications: "Whilst there have been numerous attempts at inserting trojan code into both closed and open source products, all such attempts on open source programs have been discovered and reversed, prior to the code becoming widely deployed and therefore a security risk to business, government and security agency users."
Then, there is this warning about relying on vendor "roadmaps." "Very often the actual path followed by the vendor marketing the 'vision' bears little real resemblance to the eventual technology users will be asked to run a few years later."
Comments (2 posted)
Version 2.1 of the Zope Public License has been announced. "We have updated the Zope Public License (ZPL) to revision 2.1. ZPL 2.1 is reusable. It supports having a consistent license for Zope and third-party products without requiring 3rd-party developers to assign copyright to Zope Corporation."
Full Story (comments: none)
Commercial announcements
Acucorp, Inc. has announced its support for Red Hat Enterprise Linux 3. "Acucorp's announcement of support for Red Hat Enterprise Linux 3 coincides with its official designation as a Red Hat Ready Partner. This designation requires companies to meet certain certification guidelines, confirm that their software runs on Red Hat Enterprise Linux, and agree to support customers who deploy their applications on the Red Hat platform."
Comments (none posted)
Astaro Corporation has announced that it has raised more venture capital. "Astaro Corp., developers of the most popular Open Source-based security product, today announced it has raised a Series B round of $6.7 million from co-investors Insight Venture Partners of New York and Wellington Partners of Munich, Germany. The same group of investors co-led the company's Series A round of $6.2 million in May 2003, bringing the total amount raised to date to $12.9 million."
Full Story (comments: none)
California Digital, Quadrics, and Intel have
announced that they have successfully deployed the "most powerful Linux
supercomputer ever built", a 4,096 Itanium 2 processor based Linux cluster
code named "Thunder" at Lawrence Livermore National Laboratory.
Comments (3 posted)
Flashline, Inc. has announced the Flashline Pattern Book for Open Source in the Enterprise. "The Flashline Pattern Book offers a collection of documents based on best practices that address various aspects of the creation, launch and ongoing management of an open source software initiative, from building a business case to budget, staffing, and licensing issues."
Comments (none posted)
LynuxWorks has announced growth and profitability at the close of its fiscal year 2004. BlueCat Linux 5.0, "the industry's first embedded Linux product built on the 2.6 kernel, continues to be the platform of choice for developers of consumer electronics products."
Comments (none posted)
Mandrakesoft has announced its new Personalized Solutions and Maintenance Program (PSMP). "The "Personalized Solutions and Maintenance Program" (PSMP) is an easy-to-use, cost effective program designed to meet the needs of businesses of all sizes. PSMP allows you to purchase Mandrakesoft solutions at volume prices. It reduces the costs associated with evaluating, acquiring, implementing, and maintaining eBusiness software, and provides streamlined purchasing and centralized solution management through an Internet based graphical interface."
Full Story (comments: none)
Metrowerks Corporation has
announced
the CodeWarrior Development Studio for ColdFire ISA, Linux Platform Edition.
Comments (none posted)
New Books
O'Reilly has published the book
JavaServer Faces by Hans Bergsten.
Full Story (comments: none)
No Starch Press has published the book
How Linux Works
by Brian Ward.
Full Story (comments: none)
O'Reilly has published the book
Network Security Hacks by
Andrew Lockhart.
Full Story (comments: none)
Volumes 1 and 2 of The R Reference Manual are available from Network Theory Ltd. "They are published under a free documentation license and raise money for the R Foundation ($10 for each set of manuals sold)."
Full Story (comments: none)
Addison-Wesley/Prentice Hall PTR has published the book
Understanding the Linux Virtual Memory Manager by Mel Gorman.
Full Story (comments: none)
Resources
A set of papers on the Common Lisp Object System are available online. "Richard Gabriel has made available online the text of all the CLOS papers he authored or co-authored. They include the original design documents and some overview articles. CLOS (Common Lisp Object System) is the Object-Oriented subsystem of the Common Lisp programming language."
Full Story (comments: none)
The April, 2004 edition of the LPI-News has been published.
Take a look to see what the Linux Professional Institute is up to.
Full Story (comments: none)
Contests and Awards
The Seventh International Conference on Functional Programming (ICFP) Programming Contest has been announced. "On Friday 4th June at 16:00 UTC (12:00 noon EDT), the programming task will be published on this web site. Teams will have 72 hours to write and submit a program to perform this task."
Comments (none posted)
The SCO Group has sent out a press release proclaiming its being named in the "SD Times 100." "SCO is honored to be named among the many influential companies that comprise the SD Times 100. We pride ourselves in the work we do to create world renowned Unix-based solutions designed by some of the most experienced and outstanding engineers in the industry." For the curious, here is the SD Times 100; SCO appears under "Influencers" in the company of Apache, Eclipse, O'Reilly, OSDL, and the W3C; the entry reads "The company's legal assaults on IBM and Linux users dominated 2003's tech headlines and shook up the open-source community. No other IT topic inspires such fervent debate, fear, uncertainty and doubt." Honored, indeed.
Comments (11 posted)
UKUUG (the UK's Unix and Open Systems User Group) has made its 2004 Open
Source Award to Julian Field of the University of Southampton for his work
in creating, developing and supporting MailScanner, an e-mail security
system. The award is made annually to give particular recognition to the
development of free and open source software in the UK. MailScanner is
distributed free under the GNU General Public License.
Full Story (comments: 1)
Upcoming Events
Representatives of the AGNULA project will be present at the
creAzione event in Milan, Italy on May 20-22, 2004.
Full Story (comments: none)
The EuroPython Team has posted a status update for the event. "EuroPython 2004, being held June 7-9 in Göteborg, Sweden is now less than three weeks away!"
Comments (none posted)
If you are planning to go to OLS and haven't registered yet, there's still
time to get the early registration discount.
Full Story (comments: none)
The 2005 Linux Audio Conference will take place at ZKM in Karlsruhe, Germany
on April 21-24, 2005.
Full Story (comments: none)
The forum PHP 2004 (in French) will be held in Paris, France on November 25 and 26, 2004.
Comments (none posted)
| Date | Event | Location |
|---|---|---|
| May 20, 2004 | Fifth LCI International Conference on Linux Clusters | University of Texas, Austin, TX |
| May 20 - 22, 2004 | Austrian Perl Workshop | Vienna, Austria |
| May 20, 2004 | Black Hat Briefings Europe 2004 | Grand Hotel Krasnapolsky, Amsterdam, the Netherlands |
| May 20 - 21, 2004 | Apache Boot Camp | Atlanta, GA |
| May 20 - 22, 2004 | creAzione | Sesto San Giovanni, Milan, Italy |
| May 24 - 26, 2004 | GridToday 2004 | Philadelphia Convention Center, Philadelphia, PA |
| May 25 - 26, 2004 | LinuxWorld Conference & Expo | Suntec, Singapore |
| May 25 - 27, 2004 | CeBIT America | Javits Center, New York, NY |
| May 26 - June 6, 2004 | DebConf4 | Porto Alegre, Brazil |
| May 26 - 29, 2004 | 2nd International Symposium on Computer Music Modeling and Retrieval | Esbjerg, Denmark |
| June 2 - 4, 2004 | 2004 GCC and GNU Toolchain Developer's Summit | Ottawa Congress Centre, Ottawa, Canada |
| June 2 - 4, 2004 | inbox, the email event | San Jose Marriott, San Jose, CA |
| June 3 - 4, 2004 | Web.It 2004 | Milano, Italy |
| June 6 - 7, 2004 | French Perl Workshop | Paris, France |
| June 7 - 9, 2004 | EuroPython | Chalmers University of Technology, Göteborg, Sweden |
| June 13, 2004 | 1st European Lisp and Scheme Workshop | Oslo, Norway |
| June 14 - 18, 2004 | 18th European Conference on Object-Oriented Programming (ECOOP-2004) | The University of Oslo, Oslo, Norway |
| June 16 - 18, 2004 | Yet Another Perl Conference (YAPC::NA::2004) | University at Buffalo, Buffalo, NY |
| June 28 - 30, 2004 | GNOME User and Developer European Conference (GUADEC) | Kristiansand, Norway |
| June 29 - July 1, 2004 | Perl Workshop 6.0 | Barbara-Künkelin-Halle, Schorndorf, Germany |
| July 12 - 15, 2004 | Real-time and Embedded Systems Workshop | Washington, DC |
Comments (none posted)
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: | "Eric S. Raymond" <esr-AT-snark.thyrsus.com> |
|---|---|
| To: | wire-service-AT-snark.thyrsus.com |
| Subject: | If Cisco ignored Kerckhoffs's Law, users will pay the price |
| Date: | Mon, 17 May 2004 14:49:13 -0400 |
The 15 May 2004 theft and publishing of the source code for Cisco's
IOS router firmware may mean a wave of exploits against the critical
router infrastructure of the Internet may be on its way. If that
happens, it will be because Cisco ignored one of the iron rules of
network security -- and experts the world over will be muttering
"if only IOS had been open source".
The iron rule is Kerckhoffs's Law, which states[1] "A cryptosystem
should be designed to be secure if everything is known about it except
the key information." Now that the source code of IOS is circulating
in the cracker/phreak underground, we're going to find out if IOS followed
that rule. If they didn't, we'll find out the hard way.
What has this got to do with open source? Well -- if IOS had been
open source to begin with, we'd have a firm basis for believing that
it passes the Kerckhoffs test -- open source keeps you honest that way.
As it is, customers' first notice that they didn't is likely to be
chaos and havoc from router compromises.
Claude Shannon, the inventor of information theory, restated Kerckhoffs's Law
as: "[Assume] the enemy knows the system." Here's Raymond's Reformulation for
the 21st century: "Any security software design that doesn't assume
the enemy possesses the source code is already untrustworthy;
therefore, *never trust closed source*."
Maybe the theft will be a good enough reason for Cisco customers to
check out open-source alternatives like XORP[2] or FREESCO[3]. And that's
not just a good idea for router firmware either. As the Netsky and
Sasser worms pound on your Windows machines, ask yourself: "Is there a
better way?"
Millions of Linux users already know the answer is yes.
[1] http://www.fact-index.com/k/ke/kerckhoffs__law.html
[2] http://www.xorp.org/
[3] http://www.freesco.org/
--
Eric S. Raymond <http://www.catb.org/~esr/>
Comments (2 posted)
Page editor: Jonathan Corbet