
LWN.net Weekly Edition for May 27, 2004

Documenting kernel code provenance

Linus's request for discussion made his motivation clear:

Some of you may have heard of this crazy company called SCO (aka "Smoking Crack Organization") who seem to have a hard time believing that open source works better than their five engineers do. They've apparently made a couple of outlandish claims about where our source code comes from, including claiming to own code that was clearly written by me over a decade ago.

He notes that the process of debunking these claims, while highly effective, has not been entirely fun. As a way of making life easier when the next SCO comes along, Linus is proposing a lightweight mechanism which would document how each patch finds its way into the kernel. In essence, this scheme would require each patch to contain at least one line like:

    Signed-off-by: Some kernel hacker <skh@some.host>

One such line would be added by each person who handles the patch on its way to the mainline kernel. Together, these lines would document the originator of the patch and the path it took before it was merged. Each developer, by "signing off" on the patch in this way, would indicate that he or she has the right to submit it to the kernel under a free license - either by virtue of having written the code, or by having obtained it from a source which allows this form of redistribution. Companies which require review of code contributed to external projects can designate a person who must sign off on patches before they go out.
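As an added illustration of the documentation mechanism described above (this is example code written for this page, not Linus's proposal, the kernel's own tooling such as scripts/checkpatch.pl, or anything from LWN), the following Python extracts the Signed-off-by chain from a patch's commit message and flags the cases a maintainer would care about: no sign-off at all, a trailer that names no verifiable address, or the same address signing twice. The sample patch, its names and addresses are constructed for the example.

```python
import re
from typing import List, Tuple

# Trailer format assumed here: "Signed-off-by: Name <address>", which is the
# shape shown in the article. Anything else on a Signed-off-by line is
# treated as malformed because it documents nothing checkable.
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>[^<]+?)\s*<(?P<email>[^>@\s]+@[^>\s]+)>\s*$"
)

# Constructed commit message: two hops, originator then maintainer.
SAMPLE_PATCH = """\
Subject: [PATCH] example: fix a hypothetical off-by-one

This is a constructed commit message used to illustrate the sign-off chain.

Signed-off-by: Some kernel hacker <skh@some.host>
Signed-off-by: Subsystem Maintainer <maint@example.org>
---
 drivers/example/foo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""


def _message_lines(message: str) -> List[str]:
    """Yield only the commit-message part: everything before the '---'
    separator that precedes the diffstat and the diff itself."""
    lines = []
    for line in message.splitlines():
        if line.strip() == "---":
            break
        lines.append(line)
    return lines


def signoff_chain(message: str) -> List[Tuple[str, str]]:
    """Return (name, email) pairs in the order the sign-offs appear, i.e. the
    path the patch took: originator first, last handler last."""
    chain = []
    for line in _message_lines(message):
        m = SIGNOFF_RE.match(line)
        if m:
            chain.append((m.group("name"), m.group("email")))
    return chain


def audit_signoffs(message: str) -> List[str]:
    """Return a list of problems with the sign-off chain; an empty list
    means the patch documents at least one well-formed originator."""
    problems = []
    chain = signoff_chain(message)
    if not chain:
        problems.append("no Signed-off-by line: originator is undocumented")
    for line in _message_lines(message):
        if line.lower().startswith("signed-off-by:") and not SIGNOFF_RE.match(line):
            problems.append(f"malformed trailer: {line.strip()!r}")
    seen = set()
    for _name, addr in chain:
        if addr.lower() in seen:
            problems.append(f"duplicate sign-off from {addr}")
        seen.add(addr.lower())
    return problems


if __name__ == "__main__":
    for name, addr in signoff_chain(SAMPLE_PATCH):
        print(f"{name} <{addr}>")
    print("problems:", audit_signoffs(SAMPLE_PATCH) or "none")
```

The check is deliberately limited to what the trailer can document: that a named person with a contact address vouched for each hop. It does not (and cannot) verify that the address belongs to that person, which is why the article calls this a documentation mechanism rather than a proof of origin.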

This procedure is a far cry from, for example, the full-blown copyright assignment required from contributors to GNU projects. Contributions to the kernel will still require no physical, signed papers, no assignment of copyright, no indemnification, and no documented permission from the contributor's employer. The Free Software Foundation, with its assignment policy, is trying to set itself up as the owner and custodian of the GNU system, with clear title to the code, the ability to specify the license under which that code will be released and to enforce the terms of that license. The kernel hackers, instead, seem to feel that they can get by without such a custodian, wish to retain ownership of their code, and, as the netfilter team has demonstrated, they feel entirely capable of enforcing their own licenses.

The kernel system is, instead, aimed entirely at documentation. The next time somebody questions the legitimacy of code in the kernel, it would be nice to be able to point out, quickly, exactly where the code came from. In this way, perhaps, people can spend less time digging through ancient mail archives and more time developing. For this reason, suggestions varying from GPG-signing of patches to the (poorly received) idea of adopting an ISO-9000 process will probably not be implemented. Some tweaking will probably happen, but whatever system finally gets adopted will remain a simple, lightweight documentation mechanism.

While the new kernel contribution scheme is aimed at documenting future contributions, the just-launched Grokline project is trying to document the past. From the site:

This is an open, community-based, collaborative research project, a living history, designed to carefully trace the ownership history of UNIX and UNIX-like code with the goal of reducing, or eliminating, the amount of software subject to superficially plausible but ultimately invalid copyright, patent and trade secret claims against Linux or other free and open source software.

The project has put together a basic Unix timeline, and is soliciting input from anybody who can help document where all this code came from.

Grokline will, without doubt, yield no end of interesting historical information. One can't help wondering, however, if the community isn't gearing up to fight last year's war. The SCO Group has done us a tremendous favor by showing that (1) finding copyright infringements in free software (and the Linux kernel in particular) really is hard, and (2) the community will unite with devastating effect against anybody who seeks to profit from baseless attacks on free software. It is hard to imagine another company wanting to be the next SCO. The next time a copyright claim is raised against free software, the claimants will be well advised to have their evidence in place from the beginning - and to be right.

If there is another SCO-scale war in our near future, it will probably not involve copyrights. It will be, instead, a patent fight. Unless it serves to establish prior art, documentation of the provenance of code will not be helpful in a patent case. It is also worth noting that the SCO case has forced a remarkable alignment of interests between many large, deep-pocketed companies and the broader free software community. That alignment of interests may well be absent in a patent battle. Next year's patent war may not be fought off as easily as this year's copyright and (formerly) trade secret suit. By all means, we should be documenting where our code comes from, and, in general, doing our best to ensure that it has been contributed legitimately. But it would be a mistake to believe that this documentation alone will be sufficient to defend us from all "intellectual property" charges.


Fedora: looking forward

May 21, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

With the final release of Fedora Core 2 out the door, and on schedule no less, now might be a good time to take stock of the project and where it's going. Unfortunately, that's not as clear as one might hope.

It's easy to see where the project is now, but the future is a bit more murky -- at least for those outside the project. For the most part, the Fedora Project seems to be meeting its goals. A quick glance at the objectives for Fedora Core shows that the project is meeting nearly all of its objectives. Fedora Core 2 contains a wide range of open source packages on the "leading edge" of development. The project has done well at sticking to release schedules, and at putting together a fine Linux distribution that more or less picks up where Red Hat Linux left off.

What Fedora has not yet achieved, however, is a significant level of community involvement beyond simple testing of releases. The situation has not been helped by the project's recent change in leadership; Cristian Gafton assumed the position of Technical Lead in January, but some have complained about a lack of communication from Gafton about the project. A quick search of the Fedora devel archives gives some credence to this complaint: Gafton has only posted twelve messages to the Fedora devel lists since he assumed the Technical Lead position -- six in January, and six in May.

We contacted Gafton to see if we could get a glimpse at the roadmap and find out whether the community will have an opportunity to become more involved in the development of Fedora Core 3 (FC3) and future releases. Here's what we learned.

LWN: How long will FC1 remain "supported" now that FC2 is being released?

Our current plans are calling for issuing security updates for FC1 for two-three months after Fedora Core 2 has been released. Realistically, once the Fedora Core 3 test1 is out (or shortly after) I would expect the development interest in the Fedora Core 1 to diminish and we will take a formal look at declaring the End of Life for Fedora Core 1.

LWN: It looks like the project managed to stick to the schedule set for FC2 pretty well. In retrospect, was the schedule too aggressive or just right? Will the schedule for FC3 be as aggressive as this one? Any breathing room between FC2 and starting FC3?

We're all very happy with the fact that we have not run into any major issues in our quest to incorporate the features we have planned for the Fedora Core 2. Of course, the desire for more development time will always be there, but I think that we have managed to put together a very good schedule and we have managed to stick successfully to it. This is one of those times where we come to appreciate the Red Hat developers' experience and leadership in planning and managing an OS release, as well as the resourcefulness demonstrated by the Fedora development community.

LWN: Speaking of FC3, what can we expect to see in the next release? Do you have a clear picture of what the next release will include?

We will start having a public debate about what we will plan for FC3 pretty shortly. As far as I am concerned, I will pay attention to the deployment, testing and migration to the new GCC 3.4 SSE compiler base, further refining of the SELinux technology, and - of course - the new versions of Gnome, Evolution, KDE that are planned for release in the next few months. As of right now we have encouraged every developer to build up the wish list for the next round, and through a public debate process we will get a clearer picture of a feature list in the next couple of weeks.

Planning the release will require us to figure out what will be reasonable to expect to include and what would be our stretch goals. We will start this process in very short order, because we want to get a tentative schedule out as soon as possible, so that developers around the world will know what to expect. For the Fedora Core 2 release I have been happy to notice that some projects have attempted to synchronize their release schedules so that we will have an easier time integrating their new code bases in the Fedora Core. It is my sincere hope that this trend will continue, and we are aware of the fact that we have to give people plenty of time to plan ahead.

LWN: According to the FC2 schedule, the SELinux functionality was considered "stop-ship" -- but it was disabled by default in the last test release. Is SELinux ready for mass consumption in the final FC2 release, or does it still require some polish before it's ready for prime time?

I think the SELinux functionality is pretty well cooked and I encourage the seasoned users and developers to play with it. Unfortunately at this stage, the implementation and management of the SELinux security policies are complex tasks that require an advanced degree of familiarity with the inner workings of the operating system.

The challenge we face in developing a default security policy is the balance one needs to strike between the level of security barriers deployed and the functionality people would reasonably expect out of this release. For example, can we subject third party applications, that are not aware of the security contexts, to a paranoid policy that most likely will prevent them from functioning correctly, or do we provide a more relaxed policy at which point the security advantages of SELinux are not so readily apparent? Also, the legacy of the discretionary access control setups will be a tough nut to crack - we found out that a lot of users still expected that the root account will be able to do and fix everything - an assumption no longer valid when running under SELinux.

So, for the Fedora Core 2 we have decided to court the experienced users and developers to help us figure out the lines of compromise between the challenges posed by the SELinux policy - a sort of a continued beta program for refining what would be an acceptable set of defaults. Of course, this does not preclude the development of very strict or more relaxed policies as alternatives to the balanced default set.

LWN: No doubt you've seen the parody published by Konstantin Ryabitsev about Fedora/Red Hat's interaction with the community. Though it's a bit over the top, it has raised quite a bit of discussion. Is it likely that RH will seek more involvement from the community in terms of setting the direction of Fedora? Will there be any changes in the way Fedora is managed in the near future?

This is and continues to be one of the challenges Red Hat faces - how do we build an effective way of engaging more of the external development community and how do we enable them to participate in this project. The parody you are referring to, while an entertaining read, assumes a political conflict out of the current state, when in fact the challenges we are facing are logistical. We are talking about deploying a parallel development process for the Red Hat developers, geared and built to support external parties contributing code on various sections of the operating system. This means planning and executing a huge change in everything infrastructure-related inside Red Hat engineering, which has the potential of causing big impacts in the other corners of our business, like support, professional services and even sales. We are working hard on opening up our infrastructure, but we have to do it responsibly and we have to be mindful of the business impact we are going to cause on the commitments Red Hat needs to fulfill as a publicly traded company. Oftentimes we internally compare this process to working on a jet engine while it is running...

Our short-term plans include the opening of a source code management repository where the interested developers can follow closely the development activity of the Red Hat engineering team. We will also be revamping the fedora.redhat.com website, adding dynamic content to it and allowing people to start participating in forums and start organizing according to their common interests. These are steps that are going to happen in the next few weeks, in time for the start of the Fedora Core 3 development process.

LWN: On the same topic, a lot of discussion has been comparing Fedora to Debian -- obviously, there are some serious differences in the way that both distros are put together. Would you say that the Fedora approach is better, or just different? Why?

Well, some things are better, some things are "different." The Red Hat engineering team is more experienced at putting together high-quality, commercial distributions. The planning, scheduling and focus we bring to the process are superior, and by transforming the Fedora Project into a community-focused release we now also have the flexibility of doing more of what is right when it comes to setting up a schedule.

In the software development process there are always three factors that are at play: features, quality and development speed. In commercial software development one can always have only two of those three. I believe that the community focus of the Fedora Project allows us to seek a more reasonable balance between those three objectives. Our background in commercial releases will allow us to keep focus on the fact that we need to have timely releases and we need to manage aggressively against the schedules we set. As far as Debian goes, they have been more successful at engaging the open source development community and there is a lot we can and will learn from their experiences. There is no question that as of now Fedora and Debian are very different in the way we put things together - but I think in the near future we will start to look more and more alike as far as the level of involvement with the development community.

That may yet happen, but the Fedora project is going to have to open up significantly before it can begin to shake off its image (in some quarters, at least) as a beta test program for Red Hat's enterprise products. With luck and work, perhaps Fedora can begin to approach Debian's level of community involvement. If this can be done while retaining Fedora's rather more predictable release schedule, so much the better.


Movable type and "almost free" software

Movable Type is a highly popular and capable content management system oriented toward the publication of weblogs. It is written in Perl, and is necessarily distributed in source form. It has never, however, been free software. Its license did not allow distribution of modified versions, though patches could be distributed. As a whole, the license was "free enough," and Movable Type developed a large, happy user base.

That user base is rather less pleased now. With the announcement of Movable Type 3.0 came the news that, for all but the smallest, personal sites, use of the new version would require a paid license. Six Apart Ltd., the company which owns Movable Type, has since learned what happens when you upset thousands of people, each of whom has a personal printing press. Many online commenters have expended countless electrons on criticism of Six Apart and its new license.

We'll not join them. Six Apart owns its code, and sets the terms for its use. The company is behaving no worse than any other proprietary software vendor, and better than many. One might argue it should have made its new licensing plans clear before inviting beta testers to help them finish 3.0, but that's about it.

What Six Apart has done is to provide an object lesson in the perils of "almost free" software. If you do not have the right to run, modify, and redistribute a program, you will, eventually, find yourself in a situation where that program loses its value to you. If its owner fails to maintain it, nobody else can. If its owner imposes an onerous license, your only options are to take it or leave it. Source-available proprietary software can be deceptive; it feels much like free software. But every such package is another MT 3.0 waiting to happen.

Consider, for example, the case of qmail. It is, beyond doubt, a powerful and secure mail transfer agent. It is distributed in source form. But it also comes with a non-free license which forbids distribution of modified versions, and which makes the distribution of binary packages difficult. There has not been a new qmail release since June, 1998. Patches are required to get it to build on a modern Linux distribution, and others are needed to bring it up to the level of functionality needed by many sites. But, due to the redistribution restrictions, nobody can take over qmail maintenance and release a new version.

That notwithstanding, many sites (LWN included, it should be said) have chosen to run qmail. But all such users should bear in mind that qmail's license terms are, at best, vague; the software itself comes with no explicit license. If qmail's author were ever to proclaim a new license, it would be hard for users to prove that any other terms had ever been in force. Even without that sort of problem, it seems pretty clear that qmail's author has long since lost interest in working on the code; the chances of there ever being another qmail release appear small.

The Movable Type episode has shown, once again, that licenses really do matter. A free software license represents a sort of gift from a developer to users: those users will never be deprived of the right to use, modify, and distribute the covered software. Developers are not (and should not be) required to offer such a gift. But if the author of software you use has not given you those rights, you should not be surprised when the terms change in the future.


Page editor: Jonathan Corbet

Security

Did they read it?

May 26, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Return receipts for email have been around for quite some time. They can be useful in some settings where a user is willing to verify that they've received an email without taking the time to compose a reply. However, the return receipt depends on the user's willingness to participate in the process. Often, for one reason or another, users do not wish to do that; these users can simply configure their email client to deny requests for return-mail receipts -- if, in fact, the user's email client supports that feature at all.

There are, however, those who aren't content to depend on voluntary responses. Rampell Software is peddling a subscription service for nosy correspondents who want to know whether or not their email has been read. Rampell is a company that pushes several spyware products for MacOS and Windows that are aimed at monitoring the use of other peoples' computers. The "DidTheyReadIt" service is aimed at people who are determined to know whether or not their mail has been read, and who are willing to pay for the privilege.

This, of course, has some not-so-pleasant implications for personal privacy. While the company assures its potential customers that it respects their privacy, nothing is said about the privacy of the recipient who may not wish to divulge whether or not they've read a particular email or where they've read it from. On the company's About Us page, they identify what kinds of people might want to find out whether an email has been read -- including some that make DidTheyReadIt sound like a must-have for potential stalkers:

Users of online dating services such as match.com who want to know if their potential dates are reading their messages...or ignoring them.

It isn't particularly cheap to violate others' privacy either, at least not when using DidTheyReadIt on a regular basis. A quarterly subscription for the service, with the ability to track 500 messages per month, is $24.99.

To use the service, the user has to send email through DidTheyReadIt's servers by tacking ".didtheyreadit.com" onto the recipient's email address. DidTheyReadIt's server then tags the email with a "web bug" and sends it on its way to the intended recipient. For the uninitiated, web bugs are a well-known spammer trick to verify working email addresses. The spammer includes a bit of HTML in the email that will request a unique image name (usually a small image that is invisible to the reader) from a remote server that tracks the hits. The image name and email address are paired so that the spammer can identify working email addresses with users gullible enough to open the spammer's email. When the image is requested from didtheyreadit.com, a hit is logged and the sender can then view the information on the DidTheyReadIt website and/or be notified via email.

DidTheyReadIt takes the web bug idea further than the spammers do, however. It responds to the request for the web bug image by sending a slow stream of data back to the mail client; that stream will continue until the receiving system resets the connection. The amount of time the connection was allowed to run will be roughly equivalent to how long the message was on the reader's screen, giving a sense of how seriously the message was read.

When the service works, the amount of information provided to the sender is quite intrusive. Not content to simply verify that a user opened an email, DidTheyReadIt reports the number of times an email is read, how long the recipient spent reading it, when it was opened, the location of the reader, the IP address of the recipient at the time the message is opened and their ISP. Not only is the recipient (including anybody the message may be forwarded to) being monitored in their reading habits, they are also being physically tracked when the service is able to pair up a geographic location with an IP address. While it's not possible for the service to report a street address, it can narrow down the location to a city. It's easy to imagine scenarios where this would be particularly undesirable.

Users who are even moderately knowledgeable about the way that the Web works will have no problem blocking DidTheyReadIt from divining whether or not they have opened an email sent through this service. Rampell's claims of success "the vast majority of the time, upwards of 98% in extensive testing" are a bit suspect. In fact, many users are already protected by sane defaults in their mail clients that prohibit the display of remote graphics in HTML email by default.

This writer had to deliberately disable the defaults in the Yahoo! and SpamCop (which uses Horde) webmail clients to allow DidTheyReadIt to track test emails. The tracking did not work with Thunderbird or Opera's mail client. It goes without saying that users of mutt and Pine will easily slip under the radar.
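The defense the preceding paragraphs describe (mail clients that refuse to fetch remote images by default) can be expressed as a small filter. The Python below is an added example written for this page, not code from LWN, Rampell, or any of the mail clients named; it walks a MIME message with the standard library, collects every <img> in the HTML parts whose source would be fetched over the network, and applies the two heuristics that identify the web bug pattern described above: a tiny or hidden image, or an image whose name is a long opaque per-message token. The sample message, the tracker.example.com host and the token in it are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed multipart message: a plain-text part plus an HTML part that
# carries a 1x1 remote image with a per-message token in its name. The
# host, path and token are made up for this example.
SAMPLE_MESSAGE = b"""\
From: sender@example.net
To: reader@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain text version of the message.

--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Hello, <img src="cid:logo@local" alt="logo"> here is the message.</p>
<img src="http://tracker.example.com/img/0a1b2c3d4e5f6789.gif" width="1" height="1">
</body></html>

--b1--
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.imgs: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def remote_images(raw: bytes) -> List[Dict[str, str]]:
    """Return the <img> tags in all text/html parts whose src would be
    fetched over the network. Inline (cid:) and data: images are not
    a tracking risk and are skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.imgs:
            if urlparse(img.get("src", "")).scheme.lower() in ("http", "https"):
                found.append(img)
    return found


def is_tracking_pixel(img: Dict[str, str]) -> bool:
    """Heuristic for the web-bug pattern: a remote image that is tiny or
    hidden, or whose file name is a long opaque token rather than a name
    a human would give a picture."""
    tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
    basename = urlparse(img["src"]).path.rsplit("/", 1)[-1].split(".")[0]
    opaque = len(basename) >= 12 and any(c.isdigit() for c in basename)
    return tiny or opaque


def classify(raw: bytes) -> str:
    """'block-remote' when any remote image looks like a web bug,
    'remote-only' when remote images exist but look benign, else 'clean'."""
    imgs = remote_images(raw)
    if not imgs:
        return "clean"
    return "block-remote" if any(is_tracking_pixel(i) for i in imgs) else "remote-only"


if __name__ == "__main__":
    for img in remote_images(SAMPLE_MESSAGE):
        print("remote image:", img["src"], "tracker" if is_tracking_pixel(img) else "")
    print("verdict:", classify(SAMPLE_MESSAGE))
```

The heuristics only decide how loudly to warn; the actual protection is that nothing is fetched until the reader asks for it, which is exactly the default the article credits with defeating the service in Thunderbird and Opera. A client that fetched remote images and merely hid the small ones would still have reported the hit.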

Furthermore, once word gets around about this service, many users may simply opt to filter out email that passes through the DidTheyReadIt servers altogether. Some folks might also decide to play havoc with this service by writing scripts to call random images from DidTheyReadIt's servers to generate false positives and render the service useless. Ed Felten predicts that DidTheyReadIt will not succeed in the long run:

Products like this sow the seeds of their own destruction, by triggering the adoption of technical measures that defeat them, and the creation of social norms that make their use unacceptable.

One would hope that the use of such a service would be considered "unacceptable" by most people already. Whether or not that is true, however, the use of free software for crucial tasks like email gives users the upper hand against this sort of service. There is, after all, nothing that forces us to tolerate a mail system which supports this kind of monitoring. If only all of our email problems were so easy to solve.


New vulnerabilities

firebird: Locally exploitable stack overflow

Package(s): firebird   CVE #(s):
Created: May 24, 2004   Updated: May 26, 2004
Description: A buffer overflow exists in three Firebird database binaries (gds_inet_server, gds_lock_mgr, and gds_drop) that is exploitable by setting a large value to the INTERBASE environment variable. An attacker could control program execution, allowing privilege escalation to the UID of Firebird, full access to Firebird databases, and trojaning the Firebird binaries. An attacker could use this to compromise other user or root accounts. See also this bug report.
Alerts:
Gentoo 200405-18 2004-05-23


kernel: exploitable bug in the cpufreq code

Package(s): kernel   CVE #(s): CAN-2004-0228
Created: May 24, 2004   Updated: May 26, 2004
Description: Brad Spengler discovered an exploitable bug in the cpufreq code in the Linux 2.6 kernel.
Alerts:
Mandrake MDKSA-2004:050 2004-05-21


SquirrelMail cross site scripting vulnerabilities

Package(s): squirrelmail   CVE #(s): CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created: May 21, 2004   Updated: October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21


xpcd: buffer overflow

Package(s): xpcd   CVE #(s): CAN-2004-0402
Created: May 24, 2004   Updated: June 1, 2004
Description: Jaguar discovered a vulnerability in one component of xpcd, a PhotoCD viewer. xpcd-svga, part of xpcd which uses svgalib to display graphics on the console, would copy user-supplied data of arbitrary length into a fixed-size buffer in the pcd_open function.
Alerts:
Mandrake MDKSA-2004:053 2004-06-01
Debian DSA-508-1 2004-05-22


Updated vulnerabilities

apache - denial of service in mod_ssl

Package(s): apache   CVE #(s): CAN-2004-0113
Created: April 13, 2004   Updated: May 25, 2004
Description: A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49.
Alerts:
Fedora FEDORA-2004-117 2004-05-25
Mandrake MDKSA-2004:043 2004-05-10
Red Hat RHSA-2004:182-01 2004-04-30
Conectiva CLA-2004:839 2004-04-13


apache: multiple vulnerabilities

Package(s): apache   CVE #(s): CAN-2003-0993 CAN-2003-0020 CAN-2003-0987 CAN-2004-0174
Created: May 12, 2004   Updated: May 26, 2004
Description: Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details.
Alerts:
Gentoo 200405-22 2004-05-26
Mandrake MDKSA-2004:046-1 2004-05-20
Mandrake MDKSA-2004:046 2004-05-17
Trustix TSLSA-2004-0027 2004-05-13
Slackware SSA:2004-133-01 2004-05-12
OpenPKG OpenPKG-SA-2004.021 2004-05-12


cvs: heap overflow

Package(s): cvs   CVE #(s): CAN-2004-0396
Created: May 19, 2004   Updated: June 11, 2004
Description: CVS (through version 1.11.15 or 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites).
Alerts:
Whitebox WBSA-2004:190-01 2004-06-10
Fedora-Legacy FLSA:1620 2004-06-02
Slackware SSA:2004-140-01 2004-05-19
Gentoo 200405-12 2004-05-20
OpenPKG OpenPKG-SA-2004.022 2004-05-19
Mandrake MDKSA-2004:048 2004-05-19
Fedora FEDORA-2004-131 2004-05-19
Fedora FEDORA-2004-126 2004-05-19
SuSE SuSE-SA:2004:013 2004-05-19
Red Hat RHSA-2004:190-01 2004-05-19
Debian DSA-505-1 2004-05-19


ethereal - multiple vulnerabilities

Package(s): ethereal   CVE #(s): CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created: March 29, 2004   Updated: June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28


Filename disclosure vulnerability in fam

Package(s): fam   CVE #(s): CAN-2002-0875
Created: August 19, 2002   Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15


flim: insecure file creation

Package(s): flim   CVE #(s): CAN-2004-0422
Created: May 5, 2004   Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01


gtkhtml: malformed messages cause crash

Package(s): gtkhtml   CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003   Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14


heimdal: missing input sanitizing

Package(s): heimdal   CVE #(s): CAN-2004-0472
Created: May 18, 2004   Updated: May 27, 2004
Description: Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The problem is in kadmind, the server for administrative access to the Kerberos database, which could perhaps be made to read a negative amount of data, leading to unexpected behavior.
Alerts:
Gentoo 200405-23 2004-05-27
Debian DSA-504-1 2004-05-18

Comments (none posted)

icecast: denial of service

Package(s):icecast CVE #(s):
Created:May 19, 2004 Updated:May 19, 2004
Description: The icecast server has a read error in its authorization code which can enable a denial of service attack; upgrading to version 2.0.1 fixes the problem.
Alerts:
Gentoo 200405-10 2004-05-19

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

racoon: denial of service vulnerability

Package(s):ipsec-tools racoon iputils CVE #(s):CAN-2004-0403
Created:April 26, 2004 Updated:July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details.
Alerts:
Red Hat RHSA-2004:308-01 2004-07-29
Mandrake MDKSA-2004:069 2004-07-14
Fedora FEDORA-2004-197 2004-06-28
Whitebox WBSA-2004:165-01 2004-06-10
Fedora FEDORA-2004-132 2004-05-19
Red Hat RHSA-2004:165-01 2004-05-11
Gentoo 200404-17 2004-04-24

Comments (none posted)

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kde: URI Handler Vulnerabilities

Package(s):kde Opera CVE #(s):CAN-2004-0411
Created:May 17, 2004 Updated:June 15, 2004
Description: iDEFENSE identified a vulnerability in the Opera web browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exist in all versions of KDE up to and including KDE 3.2.2. See this advisory for more information.
Alerts:
Debian DSA-518-1 2004-06-14
Conectiva CLA-2004:843 2004-05-26
SuSE SuSE-SA:2003:014 2004-05-26
Gentoo 200405-19 2004-05-25
Gentoo 200405-11 2004-05-19
Fedora FEDORA-2004-122 2004-05-19
Mandrake MDKSA-2004:047 2004-05-18
Fedora FEDORA-2004-121 2004-05-17
Slackware SSA:2004-238-01 2004-05-17
Red Hat RHSA-2004:222-01 2004-05-17

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

Comments (none posted)

kernel: symlink overflow in the iso9660 filesystem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

Comments (none posted)

kernel - root exploit in MCAST_MSFILTER

Package(s):kernel CVE #(s):CAN-2004-0424
Created:April 22, 2004 Updated:June 11, 2004
Description: A locally exploitable integer overflow has been found in the multicast code of Linux kernel versions 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3. A successful exploit could lead to full superuser privileges.
Alerts:
Whitebox WBSA-2004:183-01 2004-06-10
SuSE SuSE-SA:2004:010 2004-05-05
Slackware SSA:2004-119-01 2004-04-28
Mandrake MDKSA-2004:037 2004-04-27
Red Hat RHSA-2004:183-01 2004-04-22
Fedora FEDORA-2004-111 2004-04-22
Trustix TSLSA-2004-0022 2004-04-21

Comments (1 posted)

Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

kolab: password disclosure

Package(s):kolab CVE #(s):
Created:May 5, 2004 Updated:May 27, 2004
Description: Kolab stores passwords in plain text, and these passwords can be read from the underlying LDAP database. See this advisory for more information.
Alerts:
Mandrake MDKSA-2004:052 2004-05-26
OpenPKG OpenPKG-SA-2004.019 2004-05-05

Comments (3 posted)

LHA: stack buffer overflows and directory traversal flaws

Package(s):LHA CVE #(s):CAN-2004-0234 CAN-2004-0235
Created:April 30, 2004 Updated:June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details.

CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.

CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory.

Alerts:
Whitebox WBSA-2004:178-01 2004-06-10
Debian DSA-515-1 2004-06-05
Red Hat RHSA-2004:178-01 2004-05-26
Fedora FEDORA-2004-119 2004-05-11
Gentoo 200405-02 2004-05-09
Conectiva CLA-2004:840 2004-05-06
Slackware SSA:2004-125-01 2004-05-04
Red Hat RHSA-2004:179-01 2004-04-30

Comments (2 posted)

libpng: denial of service vulnerability.

Package(s):libpng CVE #(s):CAN-2004-0421
Created:April 29, 2004 Updated:June 11, 2004
Description: The PNG library can access memory out of bounds while building an error message; the condition can be triggered by a malformed PNG image file.
Alerts:
Whitebox WBSA-2004:180-01 2004-06-10
Red Hat RHSA-2004:180-01 2004-05-19
Gentoo 200405-06 2004-05-14
Fedora FEDORA-2004-106 2004-05-05
Fedora FEDORA-2004-105 2004-05-05
Slackware SSA:2004-124-04 2004-05-02
Red Hat RHSA-2004:181-01 2004-04-30
Trustix TSLSA-2004-0025 2004-04-30
Debian DSA-498-1 2004-04-30
Mandrake MDKSA-2004:040 2004-04-29
OpenPKG OpenPKG-SA-2004.017 2004-04-29

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2003-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

mc: multiple vulnerabilities

Package(s):mc CVE #(s):CAN-2004-0226 CAN-2004-0231 CAN-2004-0232
Created:April 29, 2004 Updated:May 26, 2004
Description: Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems.
Alerts:
Gentoo 200405-21 2004-05-26
Red Hat RHSA-2004:172-01 2004-05-19
Slackware SSA:2004-136-01 2004-05-14
SuSE SuSE-SA:2004:012 2004-05-14
Red Hat RHSA-2004:173-01 2004-04-30
Mandrake MDKSA-2004:039 2004-04-29
Debian DSA-497-1 2004-04-29

Comments (none posted)

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need a valid Nessus account and the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

passwd: various problems

Package(s):passwd CVE #(s):
Created:May 17, 2004 Updated:June 2, 2004
Description: Steve Grubb found some problems in the passwd program. Passwords given to passwd via stdin are one character shorter than they are supposed to be. He also discovered that pam may not have been sufficiently initialized to ensure safe and proper operation. A few small memory leaks have been fixed as well.
Alerts:
Mandrake MDKSA-2004:045 2004-05-17

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, in versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

Pound format string vulnerability

Package(s):pound CVE #(s):
Created:May 18, 2004 Updated:May 19, 2004
Description: There is a format string flaw in Pound, allowing remote execution of arbitrary code with the rights of the Pound process.
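The three format string entries on this page (mc, mpg321 and Pound) share one root cause: an untrusted string handed to a printf-family function as the format rather than as an argument. The following C example is added here and is not code from any of those projects; it shows the vulnerable and fixed call patterns side by side, using only a "%%" in the constructed sample so that even the unsafe call stays well-defined, plus a small audit helper that counts the conversions an input would trigger. The names render(), render_title_unsafe(), render_title_safe() and count_conversions() are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A legacy logging/rendering wrapper of the kind found in older C programs:
 * whatever arrives as the first string is handed straight to vsnprintf as
 * the format. Nothing here is wrong by itself; the danger is in the caller. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable call pattern: the attacker-controlled string *is* the format,
 * so every '%' in it is interpreted ("%x" reads the stack, "%n" writes). */
static int render_title_unsafe(char *out, size_t n, const char *title)
{
    return render(out, n, title);
}

/* Fixed call pattern: a literal format, the untrusted data as an argument. */
static int render_title_safe(char *out, size_t n, const char *title)
{
    return render(out, n, "%s", title);
}

/* Audit helper: how many conversions would this string trigger if it were
 * ever used as a format? "%%" is a literal percent sign; anything else
 * (including a lone trailing '%') counts. A non-zero result on data from a
 * file or the network is worth logging or rejecting in front of code you
 * cannot fix right away. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a title tag containing an escaped percent sign.
     * Only "%%" is used so the unsafe call remains well-defined; a real
     * attacker would send "%x%x%x%n" instead. */
    const char *title = "Track 1 is 100%% done";
    char buf[64];

    render_title_unsafe(buf, sizeof buf, title);
    printf("unsafe: %s\n", buf);   /* "Track 1 is 100% done": the string was interpreted */
    render_title_safe(buf, sizeof buf, title);
    printf("safe:   %s\n", buf);   /* "Track 1 is 100%% done": copied verbatim */
    printf("conversions in \"%%x%%x%%x%%n\": %d\n", count_conversions("%x%x%x%n"));
    return 0;
}
```

Compilers will flag the unsafe pattern only when the wrapper carries a format attribute (gcc's `__attribute__((format(printf, 3, 4)))` on render() makes `-Wformat-security` report the non-literal call), which is why legacy wrappers without that attribute are where these bugs hide.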
Alerts:
Gentoo 200405-08 2004-05-18

Comments (none posted)

proftpd privilege escalation

Package(s):proftpd CVE #(s):
Created:April 30, 2004 Updated:May 19, 2004
Description: A portability workaround applied in version 1.2.9 of the ProFTPD FTP server has the side effect that CIDR-based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives behave like an "AllowAll" directive, so FTP clients are granted access to files and directories even where the server configuration explicitly denies it. See this bug report.
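As an added illustration, not code from ProFTPD or from the bug report, here is what a correct CIDR match of an IPv4 address looks like, with a deny-list check built on it. The page does not say which part of the portability workaround broke the mask handling, so the code makes no claim about ProFTPD's internals; the denied_by() helper is this example's own and simply treats a match on any Deny entry as a denial, refusing to guess when an entry is malformed. Administrators who want to confirm a server's behaviour should also test it directly with a client from an address that a Deny entry is supposed to cover.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed "a.b.c.d/NN" entry: network and mask in host byte order. */
struct cidr {
    uint32_t net;
    uint32_t mask;
};

/* Parse a dotted quad into a host-order integer. 0 on success, -1 on error. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char trailing;
    /* the %c must NOT match: anything after the fourth octet is an error */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse "a.b.c.d/NN"; a bare "a.b.c.d" is treated as /32.
 * Rejects prefix lengths above 32 and garbage after the number. */
static int parse_cidr(const char *entry, struct cidr *out)
{
    char buf[32];
    char *slash, *end;
    unsigned long bits = 32;
    uint32_t net;

    if (strlen(entry) >= sizeof buf)
        return -1;
    strcpy(buf, entry);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        bits = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits > 32)
            return -1;
    }
    if (parse_ipv4(buf, &net) != 0)
        return -1;
    /* /0 must yield an all-zero mask; shifting a 32-bit value by 32 is
     * undefined in C, so that case is handled explicitly. */
    out->mask = (bits == 0) ? 0 : 0xFFFFFFFFu << (32 - bits);
    out->net = net & out->mask;
    return 0;
}

/* 1 if addr lies inside entry, 0 if it does not, -1 if either is malformed. */
static int cidr_match(const char *entry, const char *addr)
{
    struct cidr c;
    uint32_t a;
    if (parse_cidr(entry, &c) != 0 || parse_ipv4(addr, &a) != 0)
        return -1;
    return (a & c.mask) == c.net;
}

/* Deny-list check (this example's own semantics, not ProFTPD's evaluation
 * order): 1 if any entry covers addr, 0 if none does, -1 if an entry is
 * malformed. Callers should treat -1 as a denial rather than fail open. */
static int denied_by(const char *const *deny, size_t count, const char *addr)
{
    for (size_t i = 0; i < count; i++) {
        int r = cidr_match(deny[i], addr);
        if (r != 0)
            return r;
    }
    return 0;
}

int main(void)
{
    /* Constructed Deny list and client addresses. */
    static const char *const deny[] = { "10.0.0.0/8", "172.16.0.0/12", "192.168.1.7" };
    static const char *const clients[] = {
        "10.1.2.3", "172.20.1.1", "192.168.1.7", "192.168.1.8", "8.8.8.8",
    };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-12s %s\n", clients[i],
               denied_by(deny, 3, clients[i]) == 1 ? "denied" : "allowed");
    return 0;
}
```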
Alerts:
Gentoo 200405-09 2004-05-19
Mandrake MDKSA-2004:041 2004-04-30
OpenPKG OpenPKG-SA-2004.018 2004-04-30

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

rsync remote file write attack

Package(s):rsync CVE #(s):CAN-2004-0426
Created:April 30, 2004 Updated:July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Gentoo 200407-10 2004-07-12
Fedora FEDORA-2004-116 2004-07-01
Whitebox WBSA-2004:192-01 2004-06-10
Debian DSA-499-2 2004-06-02
OpenPKG OpenPKG-SA-2004.025 2004-05-21
Red Hat RHSA-2004:192-01 2004-05-19
Mandrake MDKSA-2004:042 2004-05-10
Slackware SSA:2004-124-01 2004-05-02
Debian DSA-499-1 2004-05-01
Trustix TSLSA-2004-0024 2004-04-29

Comments (none posted)

subversion: buffer overflow

Package(s):subversion CVE #(s):CAN-2004-0397
Created:May 19, 2004 Updated:May 21, 2004
Description: Versions of the subversion source management package up to and including 1.0.2 suffer from a remotely exploitable buffer overflow vulnerability in their date parsing code; see this advisory for details. "Exploiting this vulnerability on not heavily protected servers is trivial even for beginners, therefore it is strongly recommended to update immediately."
Alerts:
Gentoo 200405-14 2004-05-20
OpenPKG OpenPKG-SA-2004.023 2004-05-19
Fedora FEDORA-2004-128 2004-05-19
Fedora FEDORA-2004-127 2004-05-19

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
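A check against the "../" problem described here, and the LHA directory traversal (CAN-2004-0235) listed earlier on this page, as an added C example that is not code from GNU tar, unzip or LHA: a component-wise test of archive member names that runs before any on-disk path is built. The destination directory and member names are constructed for the demonstration, and only '/' is treated as a separator, as on Unix.

```c
#include <stdio.h>
#include <string.h>

/* Decide whether an archive member name may be extracted below the
 * destination directory. Rejects empty names, absolute names and any ".."
 * path component, so "docs/../../etc/passwd" is caught as well as a leading
 * "../". Names such as "..hidden" or "a/..b/c" contain no ".." component and
 * are allowed. Returns 1 if the name is safe, 0 if it must be rejected. */
static int member_name_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/')
        return 0;
    for (const char *p = name; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!end)
            break;
        p = end + 1;
    }
    return 1;
}

/* Build the on-disk path "dest/name" for a member. Returns 0 on success and
 * -1 if the name fails the check or the result would not fit in out. */
static int plan_extract_path(const char *dest, const char *name, char *out, size_t n)
{
    if (!member_name_is_safe(name))
        return -1;
    int len = snprintf(out, n, "%s/%s", dest, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    /* Constructed member list of the kind a hostile tar/zip/lha archive carries. */
    static const char *const members[] = {
        "docs/README", "./bin/tool", "..hidden", "a/..b/c",
        "../etc/passwd", "/etc/passwd", "docs/../../etc/passwd", "docs/..",
    };
    char path[256];
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++) {
        if (plan_extract_path("/home/user/extract", members[i], path, sizeof path) == 0)
            printf("extract  %-24s -> %s\n", members[i], path);
        else
            printf("REJECT   %s\n", members[i]);
    }
    return 0;
}
```

A name check alone does not cover the other classic archive trick, a member that is a symbolic link pointing outside the destination followed by a later member whose path passes through that link; guarding against that needs O_NOFOLLOW or openat()-based handling at extraction time, which this example does not attempt.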
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
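The tcpdump, racoon (CAN-2004-0403) and heimdal entries on this page are variants of the same mistake: a length field from the wire is trusted without first checking it against the bytes actually received. As an added example, not code from tcpdump or racoon, here is a bounded walk over an ISAKMP payload chain. The 28-byte ISAKMP header and the 4-byte generic payload header (next payload, reserved, 16-bit length) follow RFC 2408; the sample message is constructed inline, with one length field left under the caller's control so the malformed cases can be exercised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28u   /* fixed ISAKMP header (RFC 2408) */
#define ISAKMP_GEN_LEN 4u    /* generic payload header: next, reserved, length */

static uint16_t get16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the payload chain of one ISAKMP message held in a capture buffer of
 * caplen bytes. Every length field from the wire is checked against the
 * bytes actually present before it is used to advance. Returns the number
 * of payloads, or -1 if the message is truncated or a length is inconsistent. */
static int isakmp_count_payloads(const uint8_t *buf, size_t caplen)
{
    if (caplen < ISAKMP_HDR_LEN)
        return -1;                                   /* header itself is cut off */
    uint32_t msg_len = get32(buf + 24);
    if (msg_len < ISAKMP_HDR_LEN || msg_len > caplen)
        return -1;                                   /* claims more than was captured */

    uint8_t next = buf[16];                          /* type of the first payload */
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {                              /* 0 = no further payload */
        if (msg_len - off < ISAKMP_GEN_LEN)
            return -1;                               /* no room for a payload header */
        uint16_t plen = get16(buf + off + 2);
        if (plen < ISAKMP_GEN_LEN || plen > msg_len - off)
            return -1;                               /* would run off the end, or never advance */
        next = buf[off];
        off += plen;
        count++;
    }
    return count;
}

/* Construct a two-payload sample message (two Vendor ID payloads) into out.
 * The second payload's length field is caller-chosen so tests can corrupt it.
 * Returns the bytes written (40), or 0 if out is too small. */
static size_t build_sample(uint8_t *out, size_t n, uint16_t second_len)
{
    static const uint8_t hdr[ISAKMP_HDR_LEN] = {
        1, 2, 3, 4, 5, 6, 7, 8,      /* initiator cookie */
        0, 0, 0, 0, 0, 0, 0, 0,      /* responder cookie (not yet assigned) */
        13, 0x10, 2, 0,              /* next = Vendor ID, version 1.0, Identity Protection, flags */
        0, 0, 0, 0,                  /* message ID */
        0, 0, 0, 40,                 /* total length */
    };
    if (n < 40)
        return 0;
    memcpy(out, hdr, ISAKMP_HDR_LEN);
    out[28] = 13; out[29] = 0; out[30] = 0; out[31] = 8;   /* VID: next = Vendor ID, length 8 */
    memcpy(out + 32, "LWN!", 4);                           /* 4-byte vendor string */
    out[36] = 0;  out[37] = 0;                             /* VID: next = none, empty body */
    out[38] = (uint8_t)(second_len >> 8);
    out[39] = (uint8_t)second_len;
    return 40;
}

int main(void)
{
    uint8_t msg[64];
    size_t len = build_sample(msg, sizeof msg, 4);
    printf("well-formed:        %d payloads\n", isakmp_count_payloads(msg, len));
    printf("capture truncated:  %d\n", isakmp_count_payloads(msg, 36));
    build_sample(msg, sizeof msg, 0xFFFF);
    printf("oversized length:   %d\n", isakmp_count_payloads(msg, len));
    build_sample(msg, sizeof msg, 2);
    printf("undersized length:  %d\n", isakmp_count_payloads(msg, len));
    return 0;
}
```

The two checks inside the loop are the whole point: the first guarantees there is a header to read at all, and the second guarantees the claimed length neither exceeds the remaining message nor is so small that the loop would spin without advancing.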
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

utempter problems with symlink and strncpy

Package(s):utempter CVE #(s):CAN-2004-0233
Created:April 19, 2004 Updated:June 11, 2004
Description: Steve Grubb discovered two potential issues in the utempter program:
  1. If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to.

  2. Several calls to strncpy without a manual termination of the string. This would most likely crash utempter.
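Two checks corresponding to the two issues above, as an added C example rather than utempter's own code: a lexical test that a tty path is a clean name below /dev (rejecting "..", "." and empty components), and a bounded copy that always terminates its result, shown next to a demonstration of why bare strncpy() does not. The buffer sizes, the sample paths and the record_tty() helper are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Lexical check that path is a clean name below /dev: it must begin with
 * "/dev/", must not end in '/', and no component may be "", "." or "..".
 * A symlink planted under /dev itself is out of scope for a name check. */
static int tty_path_is_clean(const char *path)
{
    static const char prefix[] = "/dev/";
    size_t plen = sizeof prefix - 1;
    size_t len = strlen(path);

    if (len <= plen || strncmp(path, prefix, plen) != 0 || path[len - 1] == '/')
        return 0;
    for (const char *p = path + plen; *p; ) {
        const char *end = strchr(p, '/');
        size_t clen = end ? (size_t)(end - p) : strlen(p);
        if (clen == 0)                                   /* "//"  */
            return 0;
        if (clen == 1 && p[0] == '.')                    /* "/./" */
            return 0;
        if (clen == 2 && p[0] == '.' && p[1] == '.')     /* "/../" */
            return 0;
        if (!end)
            break;
        p = end + 1;
    }
    return 1;
}

/* The second utempter issue: strncpy() fills dst but writes no terminator
 * when src is as long as or longer than the buffer. Returns 1 if the 8-byte
 * dst ended up without any NUL in it (it does). */
static int strncpy_leaves_unterminated(void)
{
    char dst[8];
    strncpy(dst, "/dev/pts/12345", sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Bounded copy that always terminates and refuses (returns -1) rather than
 * truncating, since a silently shortened device name is itself a bug. */
static int copy_bounded(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (n == 0 || len >= n) {
        if (n)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* What a login-record helper should do before touching any file: validate
 * the path, then copy it into the fixed-size field. 0 on success, -1 if rejected. */
static int record_tty(const char *path, char *field, size_t n)
{
    if (!tty_path_is_clean(path))
        return -1;
    return copy_bounded(field, n, path);
}

int main(void)
{
    static const char *const samples[] = {
        "/dev/pts/3", "/dev/tty0", "/dev/../tmp/tty0", "/dev/./tty0",
        "/dev//tty0", "/tmp/tty0", "/dev/pts/../../etc/passwd",
    };
    char field[32];   /* constructed fixed-size utmp-style field */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               record_tty(samples[i], field, sizeof field) == 0 ? "ok" : "rejected");
    printf("bare strncpy left no terminator: %s\n",
           strncpy_leaves_unterminated() ? "yes" : "no");
    return 0;
}
```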
Alerts:
Whitebox WBSA-2004:174-01 2004-06-10
Red Hat RHSA-2004:174-01 2004-05-26
Fedora-Legacy FLSA:1546 2004-05-18
Gentoo 200405-05 2004-05-13
Red Hat RHSA-2004:175-01 2004-04-30
Mandrake MDKSA-2004:031-1 2004-04-21
Fedora FEDORA-2004-108 2004-04-21
Slackware SSA:2004-110-01 2004-04-19
Mandrake MDKSA-2004:031 2004-04-19

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):xchat CVE #(s):CAN-2004-0409
Created:April 19, 2004 Updated:November 15, 2005
Description: XChat contains a stack overflow in its SOCKS 5 proxy code that may allow a remote attacker to run arbitrary code with the privileges of the user running the client. To be exploited, XChat must be using a SOCKS 5 server with SOCKS 5 traversal enabled (it is disabled by default), and must connect to a proxy server controlled by the attacker.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-lib: malicious code execution

Package(s):xine-lib CVE #(s):CAN-2004-0433
Created:May 3, 2004 Updated:May 28, 2004
Description: A vulnerability exists in xine-lib where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream. More details can be found in this advisory. The problem has been fixed in xine-lib 1-rc4.
Alerts:
Gentoo 200405-24 2004-05-28
Slackware SSA:2004-124-03 2004-05-02

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
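Several entries on this page (flim, logcheck, the MySQL scripts, netpbm, sysstat and xine-ui) are the same bug: a temporary file created at a predictable name without O_EXCL, which a local attacker can pre-create as a symbolic link to a file the victim can write. The following C example is added here and is not code from any of those packages; it reproduces the outcome in a private scratch directory and shows the fix. The predictable name "app.tmp.1234", the victim file and the scene helpers are constructed for the demonstration; in real code mkstemp() is the usual replacement, since it combines O_EXCL with an unpredictable name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Unsafe pattern from the advisories: a predictable name opened with
 * O_CREAT|O_TRUNC and no O_EXCL. If an attacker has already placed a symlink
 * at that name, open() follows it and truncates the target with the caller's
 * privileges. Returns the fd or -1. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern: O_EXCL makes open() fail if anything (a symlink included)
 * already exists at the name; O_NOFOLLOW is belt and braces. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

struct scene {
    char dir[64];
    char victim[96];
    char link[96];
};

/* Build a private scratch directory holding a victim file with 10 bytes of
 * known content and a symlink at the "temporary" name pointing at it. */
static int scene_create(struct scene *s)
{
    strcpy(s->dir, "/tmp/lwn-tmpfile-XXXXXX");
    if (!mkdtemp(s->dir)) {
        strcpy(s->dir, "lwn-tmpfile-XXXXXX");        /* fall back to the current directory */
        if (!mkdtemp(s->dir))
            return -1;
    }
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    snprintf(s->link, sizeof s->link, "%s/app.tmp.1234", s->dir);   /* the predictable name */
    int fd = open(s->victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, "important\n", 10) == 10;
    close(fd);
    return ok ? symlink(s->victim, s->link) : -1;
}

static void scene_destroy(struct scene *s)
{
    unlink(s->link);
    unlink(s->victim);
    rmdir(s->dir);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* 1 if the unsafe open truncated the victim through the symlink, 0 if not,
 * -1 if the scene could not be set up. */
static int unsafe_open_clobbers_victim(void)
{
    struct scene s;
    if (scene_create(&s) != 0)
        return -1;
    int fd = open_tmp_unsafe(s.link);
    if (fd >= 0)
        close(fd);
    int clobbered = fd >= 0 && file_size(s.victim) == 0;
    scene_destroy(&s);
    return clobbered;
}

/* 1 if the safe open refused (EEXIST, or ELOOP from O_NOFOLLOW) and the
 * victim kept its content, 0 otherwise, -1 on setup failure. */
static int safe_open_refuses_symlink(void)
{
    struct scene s;
    if (scene_create(&s) != 0)
        return -1;
    int fd = open_tmp_safe(s.link);
    int err = errno;
    if (fd >= 0)
        close(fd);
    int refused = fd < 0 && (err == EEXIST || err == ELOOP) && file_size(s.victim) == 10;
    scene_destroy(&s);
    return refused;
}

int main(void)
{
    printf("O_CREAT|O_TRUNC through a planted symlink clobbered the victim: %d\n",
           unsafe_open_clobbers_victim());
    printf("O_CREAT|O_EXCL refused the planted symlink:                    %d\n",
           safe_open_refuses_symlink());
    return 0;
}
```

Shell scripts have the same choice: `> /tmp/name.$$` is the unsafe form, `mktemp` is the safe one.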
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.7-rc1, which was announced by Linus on May 22. The most significant changes are certainly the scheduling domains patch, and, surprisingly, the full set of object-based reverse mapping patches, including the anon_vma work. This patch also includes a generic msleep() function for millisecond-scale waits, a CPU frequency control update, a set of autofs4 patches, a set of patches to shrink the heavily-used dentry structure, the "filtered wakeup" mechanism (see the May 5 Kernel Page), a libata update, some architecture updates, the removal of the Intermezzo filesystem due to lack of use and support, a sysctl variable giving "huge page" access to an administrator-specified group, the ability to re-enable interrupts while waiting in spin_lock_irqsave() (for all architectures now), support in reiserfs for quotas and external attributes, the NUMA API, a big ramdisk fixup, and lots of fixes. See the long-format changelog for the details.

Linus's BitKeeper repository contains an implementation of separate interrupt stacks for the PPC64 architecture, an ALSA update, and a fair number of fixes.

The current tree from Andrew Morton is 2.6.6-mm5. Recent additions to -mm include a reworking of the symbolic link following code (allowing the eventual increase of the maximum symbolic link depth from five to eight), a new block I/O request barrier implementation (for IDE and SCSI), and the usual collection of fixes. Andrew has also quietly restored the 8KB stack option on x86 systems.

The current 2.4 prepatch is 2.4.27-pre3; no prepatches have been released since May 18.

Comments (none posted)

Kernel development news

The merging of anon_vma and 4G/4G

Immediately prior to releasing 2.6.7-rc1, Linus merged the full remaining set of virtual memory patches from Andrea Arcangeli and Hugh Dickins, including the anon_vma code. This action has raised eyebrows in some quarters; some developers had been under the impression that 2.6 was a stable kernel series. Nobody seems to doubt that the object-based reverse mapping code is a good idea in the long run, but merging it now strikes some developers as unlikely to increase the stability of the 2.6 kernel in the near future.

Linus defends the change in this way:

It's not "fundamental", in that the reverse mapping is still done. It's just done in a slightly different way. Going to rmap was a _fundamental_ change to how we did VM. In contrast, this was just an "implementation detail".

Most "implementation details" fit into rather less than 40 individual patches, do not involve difficult special cases (such as making all uses of mremap() work correctly), and avoid making significant changes to core parts of the virtual memory subsystem. That said, one should note that the core decision-making VM code has not been changed; the algorithm for choosing pages to move into and out of memory is the same as before. It is also notable that there have been almost no VM-related problem reports since 2.6.7-rc1 was released. This particular change may just work out in the short term after all.

A related topic is the 4G/4G patch, which separates kernel and user space entirely so that each can make full use of the 4G virtual address space on 32-bit systems. This patch has been considered for merging for some time, but has never quite found its way in. Most developers see it as an ugly hack (though, perhaps, a necessary one), and there is fear of the (possibly overstated) performance overhead that the 4G/4G mode imposes. Even so, some people wonder when this patch might be merged.

The answer seems to be "never, if at all possible." The motivations behind this patch are (1) to make more kernel-space low memory available on large-memory systems, and (2) to provide a larger virtual address space for applications. The first reason may well have just become moot; the anon_vma patch was merged because, among other things, it significantly reduces the amount of low memory used by the VM subsystem. The initial reports suggest that the current VM code handles 32GB of memory nicely on 32-bit systems. Since 32-bit systems rarely come more heavily loaded than that (so far), it is thought that the VM has gotten as good as it needs to be on those systems.

The real hope, however, is that a serious transition to 64-bit systems will happen before too long. The x86 architecture has been stretched much further than anybody would have expected it to go, and x86_64 makes the transition so easy that there is very little reason not to do it. The 4G/4G patch is likely to hang around (and be included by some distributors) for some time; if nothing else, all of the currently-deployed monster x86 systems are likely to go on running for a while yet. But the mainline kernel may just get away with saying "switch to 64-bit" and leaving that particular patch out.

Comments (5 posted)

The Big Kernel Lock lives on

It was recently noted that ioctl() system calls are still executed with the Big Kernel Lock (BKL) held. A suggestion was made that drivers which can implement ioctl() without the BKL held should be specially flagged as a way of increasing parallelism. That suggestion looks like it will not get very far. But it did pique your editor's interest in current use of the BKL. Besides, there hasn't been a whole lot else going on this week.

The BKL is an artifact from when the Linux kernel first supported multiprocessor systems. Making the kernel safe for concurrent access from multiple CPUs has been a multi-year task; it is not a job that could have been done all at once at the beginning. So Linux 2.0 supported SMP systems by way of the BKL, which only allowed one processor to be running kernel code at any given time. The BKL is essentially a spinlock, but with a couple of interesting properties:

  • The BKL can be taken recursively; the kernel remembers how many times a given thread has called lock_kernel() and does the right thing. Normal spinlocks are rather less forgiving.

  • Code holding the BKL can sleep. The lock is released while the given thread sleeps, and reacquired upon awakening.
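A small userspace model of those two properties, added here as an illustration and not kernel code: struct task stands in for task_struct, lock_kernel() returns 0 where the real (void) function would spin, and schedule() takes a callback standing for whatever runs on the CPU while the task sleeps.

```c
/* Single-threaded model of the two BKL properties listed above: a per-task
 * recursion depth (the real kernel's current->lock_depth, -1 when not held)
 * and release of the lock while its holder sleeps. Added example, not kernel
 * code: struct task stands in for task_struct, and where the real spinlock
 * would spin this model just reports that it would, so the run is deterministic. */
#include <stdio.h>

struct task { int lock_depth; };

static struct task *bkl_owner;          /* the one global lock (kernel_flag) */

/* lock_kernel(): only the outermost call touches the lock; nested calls just
 * bump the counter. Returns 0 where the real code would have to spin. */
static int lock_kernel(struct task *t)
{
    if (t->lock_depth < 0) {
        if (bkl_owner && bkl_owner != t)
            return 0;                   /* another task holds it: spin */
        bkl_owner = t;
    }
    t->lock_depth++;
    return 1;
}

/* unlock_kernel(): the lock is really dropped only when the depth is back to -1. */
static void unlock_kernel(struct task *t)
{
    if (--t->lock_depth < 0)
        bkl_owner = NULL;
}

/* schedule(): a sleeping holder gives the BKL up and takes it back on wakeup
 * with its depth intact (release_kernel_lock()/reacquire_kernel_lock()). The
 * callback stands for whatever runs on the CPU while this task sleeps. */
static void schedule(struct task *t, void (*run_other)(void))
{
    int held = t->lock_depth >= 0;
    if (held)
        bkl_owner = NULL;
    run_other();
    if (held)
        bkl_owner = t;                  /* would spin if run_other left it held */
}

/* ---- Constructed scenario: task A nests lock_kernel() and then sleeps ---- */
struct demo_result {
    int depth_when_nested;      /* A's depth after two lock_kernel() calls */
    int b_spins_while_a_holds;  /* B cannot take the BKL while A holds it  */
    int b_runs_while_a_sleeps;  /* B gets it once A sleeps in schedule()   */
    int depth_after_wakeup;     /* A's depth is unchanged by the sleep     */
    int depth_at_end;           /* -1 again after the two matching unlocks */
};

static struct task a = { -1 }, b = { -1 };
static struct demo_result result;

/* What runs while A sleeps: B takes the BKL once and releases it. */
static void run_b(void)
{
    result.b_runs_while_a_sleeps = lock_kernel(&b);
    if (result.b_runs_while_a_sleeps)
        unlock_kernel(&b);
}

static struct demo_result run_demo(void)
{
    a.lock_depth = b.lock_depth = -1;   /* fresh tasks, lock free */
    bkl_owner = NULL;
    result = (struct demo_result){ 0 };

    lock_kernel(&a);                    /* e.g. an ioctl() entry point ...      */
    lock_kernel(&a);                    /* ... calling a helper that also locks */
    result.depth_when_nested = a.lock_depth;
    result.b_spins_while_a_holds = !lock_kernel(&b);

    schedule(&a, run_b);                /* A sleeps: BKL dropped, B gets in     */
    result.depth_after_wakeup = a.lock_depth;

    unlock_kernel(&a);
    unlock_kernel(&a);
    result.depth_at_end = a.lock_depth;
    return result;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("nested depth %d, B spins while A holds %d, B runs while A sleeps %d, "
           "depth after wakeup %d, final depth %d\n", r.depth_when_nested,
           r.b_spins_while_a_holds, r.b_runs_while_a_sleeps,
           r.depth_after_wakeup, r.depth_at_end);
    return 0;
}
```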

The BKL made SMP Linux possible, but it didn't scale very well. Its overhead could be felt even with two processors, and it made running on anything larger problematic. So the kernel developers have been breaking the BKL into finer-grained locks ever since. Thus, for example, the block I/O subsystem went from the BKL to its own lock (io_request_lock) in 2.2, and from that to individual queue locks in 2.6. The kernel now has thousands of locks, and some people had assumed that the BKL would be gone by 2.6.

As it turns out, there are still over 500 lock_kernel() calls in the 2.6.6 kernel. For the curious, here are some of the places which still rely on this old, system-wide lock:

  • The core kernel retains a few calls. The implementation of the reboot() system call is one of them; this is, of course, not one of the more performance-sensitive parts of the kernel. The boot-time early initialization process is also run with the BKL held. The sysctl() system call is run under the BKL; interestingly, while much of /proc is also implemented under the BKL, it appears that reads and writes to /proc/sys do not run with the BKL held.

  • Many older filesystems (UFS, coda, HPFS, FAT, NCP, SMB, Minix, etc.) make heavy use of the BKL for serialization. The UnixWare "Boot File System" implementation has several calls; somehow, they seem unlikely to be fixed anytime soon. There are also lock_kernel() calls in NFS, UDF, isofs, the reiserfs journaling code, autofs, and some others. The ext2 filesystem uses the BKL to protect modifications to the superblock; ext3, instead, had all of its lock_kernel() calls purged during the 2.5 development process.

  • The rpciod kernel thread spends its entire life with the BKL held.

  • Core dumps are created with the BKL held.

  • Block and character devices have their open() methods called under the BKL. Block release() methods are also called this way, but that is not true for char drivers. The default llseek() method runs under the BKL, but, if a driver or filesystem provides its own llseek() method, that method will not be called with the BKL held. The fasync() method is always called under the BKL. As noted at the beginning, ioctl() methods are called with the lock held; additionally, the ugly code which does 32-bit emulation on 64-bit systems needs the BKL.

  • The file locking code still requires the BKL.

  • Almost 10% of the lock_kernel() calls can be found in the (old, deprecated) OSS sound code. The ALSA code has no BKL calls, with one exception: the implementation of its /proc files.

  • Most of the architectures retain some calls in the arch-specific code. The ptrace() system call is one common place for these calls. i386 also uses the BKL to protect llseek() calls on the CPUID and MSR pseudo-devices. uClinux performs execve() calls under the BKL.

  • Almost all of the remaining BKL calls are to be found in device drivers. The TTY subsystem still has quite a few of them, as does USB. Many of these calls are protecting llseek() implementations. Quite a few of the rest are for the creation of special-purpose kernel threads: the daemonize() function needs to be called with the BKL held. Those calls can, presumably, go away as the driver code is (slowly) migrated over to the new kthread calls.

Given how poorly the BKL is viewed, it may be surprising that so many places in the kernel still use it. The simple fact is that, with regard to the BKL, all of the low-hanging fruit has long since been taken. For most of the remaining calls, removing the BKL is not worth the trouble and code churn. So, while removal of the remaining calls over the 2.7 development series looks entirely possible, it would not be surprising if that does not happen.

Comments (10 posted)

The new Debian kernel team

Herbert Xu was the maintainer of a surprising number of core Debian packages, including the i386 and Alpha kernels. Unfortunately, Mr. Xu became upset over the Debian Project's perceived recognition of Taiwan as a separate country, and resigned from the project on May 5. Many of his packages have been picked up by others or have gone into the orphan state, but the kernel packages are important enough to require more careful handling.

The actual process of selecting the new kernel maintainer would appear to have been done in private; we were not able to get an answer from the Debian leader about just how it was done. The results have now been made public, however. The Debian kernel will now be maintained by a team, with William Lee Irwin and Al Viro at the core. Additional helpers include Troy Benjegerdes, Dann Frazier, Goto Masanori, Christoph Hellwig, Benjamin Herrenschmidt, Anton Blanchard, and Arjan van de Ven.

In other words, Debian will now have a set of kernel packages maintained by active kernel developers. This should help to improve the quality of Debian's kernels (though, it should be said, complaints about Mr. Xu's kernels were rare) and to improve the feedback from Debian into the kernel development process. Mr. Irwin's plans include "aggressive mainline tracking" and, eventually, a unified source package for all architectures supported by Debian. Expect some interesting things from the Debian kernel in the near future.

Comments (14 posted)

Patches and updates

Kernel trees

Build system

Core kernel code

Development tools

Device drivers

Filesystems and block I/O

Architecture-specific

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

The RULE Project

May 26, 2004

This article was contributed by Jason Bechtel

A modest computer training center appears in the African Republic of Togo in December of 1998. In January, 2001 a Cyber Cafe goes up in Cameroon. In the summer of 2002 a "Computer-College" is established in Congo. Around Africa and across the developing world, technology is seeping in. People there may have very little, but they do have hope and they need jobs. They need to start nurturing a local tech community, building local skills and creating human capital.

Most of the world is not fortunate enough to have access to the latest hardware, and it has neither the money nor the local computer store for acquiring parts. If free software is to fulfill the promise of software access for all, then something needs to be done to accommodate the needs of the great majority of the world running on donated 486- and Pentium-era computers.

Unfortunately, the mainstream distributions do not target older hardware. Even selecting individual packages presents problems because of cascading dependencies (try removing gpm). Some suggest using older releases, but older software often lacks important features, contains many security holes, and no longer has an active support community.

Enter the RULE Project (Run Up2date Linux Everywhere). RULE is not a new distribution. It makes an existing distribution install and run on older hardware. Specifically, it takes standard Red Hat Linux, adds a custom installer, provides resource-friendly RPM package lists, and packages alternative light-weight GPL applications. The advantage of this approach is that the original distribution provides all the patches and documentation, reducing the maintenance load for RULE.

The result is amazing. Machines that would otherwise have been unusable are suddenly doing web browsing, word processing, instant messaging, and even multimedia tasks.

Of course, using alternative programs is a huge part of what makes this possible. Instead of Mozilla or Opera, you use w3m or links or dillo. Instead of OpenOffice.org, you use AbiWord and Gnumeric. Instead of KDE, you use IceWM or XFCE. But the other secret is KDrive, Keith Packard's light-weight X server. This allows X to consume much less memory. It doesn't do everything that the full-blown X does, but it provides the core functionality at a greatly reduced resource penalty.

At the helm of this effort is Marco Fioretti, a telecommunications systems designer in Rome, Italy. It all started when he spoke up on the Red Hat users mailing list. Standing up to much resistance, he argued for better packaging to reduce dependencies, for more optimization and for less bloat. Despite initial cynicism, he pushed on. When he opened the project on Savannah, people began to join. One of those people was Michael Fratoni, an electronics technician in New England. Michael had already become familiar with the difficulties of slimming down Linux by putting together low-resource firewalls for family and friends. He never expected to become the project's lead developer, but he is responsible for most of what has been implemented so far.

From their "home" page, the goals of the project are to

  • Modify the current Red Hat Linux installer so that it runs in less than 32 MB of RAM, or create a new one if needed

  • Select, test, and (if needed) package the system and desktop applications which give the greatest real functionality with the smallest consumption of CPU and RAM resources

  • Create another installation option for the Red Hat Linux distribution, containing all and only the packages above, optimized to run either a server, or a basic desktop on obsolete hardware with very little RAM and HD space

  • Promote and support (especially in developing countries) the use of this install option with schools, public and private organizations

Thanks to Michael, they have already completed their first goal. They have created Miniconda, a low-resource version of Red Hat's installer, Anaconda, that lowers the memory requirement from 20MB to about 12MB and provides reduced package lists.

They have also created Slinky, a completely new installation routine written in Bash, which can do a complete install on a system with only 8MB of RAM. Both installers work with the latest Red Hat Linux distribution media, but Slinky is under active development and Miniconda appears to be on the way out.

Now that Red Hat Linux has become Fedora Linux and is taking on a much more community-driven aspect, RULE is poised to make great strides toward its other goals. Last fall, Marco announced his group's intentions on the Fedora developers list. Besides an endorsement from Alan Cox, he received encouragement from a kernel RPM maintainer. While Fedora will likely not restructure its packaging, it sounds like RULE will soon be able to have a low-resources i386 kernel configuration maintained within Fedora.

So, if you have a system that balks at the demands of the latest distributions, but you want to have access to a large, flourishing user community, look into RULE. Install it on that old 486 in the closet. Submit your results to their test machine list. Join the mailing list. Pitch in and help with the website or the database or the development.

More importantly, if you are looking to deploy a herd of old boxen in an underfunded area, RULE could be the way to make those donated systems useful again. I cannot overstate the importance of RULE in the developing world and in underprivileged neighborhoods. It is already being used to great success by VUM (the Association for the Support of Humans) in several African nations. It can be made to serve many other purposes such as this.

There are, of course, other noteworthy attempts to bring GNU/Linux to low-resource systems. The KNOPPIX revolution has spawned several LiveCD contenders, such as Feather, Puppy, and DamnSmall Linux. These can be run from CD and thus do not require a hard drive. They come with light-weight desktops like Fluxbox and apps like dillo. One weakness of this approach is that the CDROM drives one generally finds in today's donated PCs are often excruciatingly slow (4x). In this case, the ability to install to a hard drive is quite valuable.

Vector Linux is a distribution based on Slackware that claims to perform admirably on a 386. It is a very polished distribution and may be a good choice for donated PCs, but it doesn't seem to be as "hard core" as RULE. For instance, it uses the full-blown XFree86 X-server instead of kdrive. It might be appropriate for a 586 with 64MB of RAM, but probably wouldn't give much hope to someone using a 486 with 16MB of RAM.

There has been talk recently on the RULE mailing list of using RULE with LTSP. The Linux Terminal Server Project also gives new life to old hardware. It takes the thin client approach, using a decently powerful server to serve up logins, applications, and storage to terminals over a network. While RULE and LTSP take different approaches, they can work together nicely. RULE can be used as the basis for the LTSP server, allowing it to do more with less. So, while an LTSP server tasked with serving up KDE, OpenOffice.org and Mozilla to 12 terminals would have to be a dual-processor P-III with at least 512 MB of RAM, a RULE-ified LTSP server providing IceWM, AbiWord, and dillo to 12 terminals could be a PII-350 with 128 MB of RAM.

In short, while there are other distributions and projects that recognize the need to serve older hardware, only RULE exists in its particular niche. It may be a while before a "Low-Resources" option appears in the installers of the main distributions. Until then, there's RULE.

Comments (7 posted)

Distribution News

Debian GNU/Linux

Debian news is slow this week because many Debian developers are at DebConf; however, we do have the Debian Weekly News for May 25, 2004, which covers a Debian 3.0 DVD in the June issue of Australian Personal Computer magazine, installing Debian with Overclockix, and several other topics.

Comments (none posted)

Fedora Core

Issue #12 of the Fedora News Updates is online with information about the Fedora Core distribution. "Fedora Core 2 has been released, after over six months, and it's been a big week for all of us. Updates here don't contain much more information on the test3 release any longer, unless the issues still got carried over."

Looking for more Fedora news and Fedora forums? Check out Fedorazine.

Fedora also has many mailing lists. This mailing list reminder will help you find the right list for your Fedora questions.

The Fedora Hardware Project aims to document hardware that works (or doesn't work) with Fedora Core. Some information has been added to the project's wiki page. So chime in, and let people know how Fedora works on your hardware.

A Fedora Core 1 update to php is available providing bug fixes since the previous 4.3.4 release.

Fedora Core 2 updates:

  • rsync could crash when passing multiple directories of the same length
  • this hwdata update fixes the module mapping for cmpci cards in the upgradelist and other bugs
  • this libgnome update allows GNOME sound events to work in FC2

Plus some FC updates in testing (not ready for prime time):

  • kudzu: (FC2) has a problem handling modules that contain a '-' in the name
  • vsftpd: (FC1) fixes signal handling problem
  • gimp-gap: (FC2) updated to version 2.0.2 which has enhancements and bugfixes

Comments (none posted)

Making Fedora Core 2 and Windows play well together

As some users have found to their dismay, installation of Fedora Core 2 on a dual-boot Windows system can render Windows unbootable. The Fedora hackers have now put together a draft document on how to avoid that outcome, and how to recover your system if it's already too late. Click below for the full text.

Full Story (comments: 65)

LinspireEspanol

Lindows, Inc. has announced the opening of its Mexico City office. The new office will work with system builders, resellers, OEMs, business partners, and the retail channel to provide LinspireEspanol in Latin America.

Comments (none posted)

Mandrakelinux

Mandrakesoft has announced the availability of Mandrakelinux 10.0 Official for download. Find out more Mandrakelinux 10.0 news in the May 26th edition of the Mandrakelinux News Digest. Also, here is a Mandrakelinux 10.0 update for mkinitrd-net, which removes a debugging statement that could cause problems in booting a client machine.

Comments (none posted)

Slackware Linux

The slackware-current changelog was a busy place this week, with a variety of fixes and changes. Upgrades include mysql-4.0.20, cvs-1.11.16, slackpkg-1.2.1, lilo-22.5.9, automake-1.8.5, curl-7.11.2, brltty-3.4.1, emacspeak-20.0, fluxbox-0.9.9 and lftp-3.0.4; and the packages device-mapper-1.00.17, LVM2.2.00.15, alsa-driver-1.0.4, kernel-generic-2.6.6, kernel-modules-2.6.6 and mkinitrd-1.0.0 have been added to testing.

Comments (none posted)

The Complete Reference: Red Hat Enterprise Linux & Fedora Edition (Linux Journal)

Linux Journal reviews the book The Complete Reference: Red Hat Enterprise Linux & Fedora Edition. "The first half of the book is geared towards novice to intermediate users, and the second half is dedicated to more advanced subjects. Chapters covering installation, command-line and GUI environments help novices become oriented to Linux while other chapters about NFS, Samba, DNS and Security should appeal to system administrators. Several reference books are available that cover a great many topics but often fail to go into the proper detail. Considering the breadth of topics included in this book, I was pleasantly surprised to find that the most important details were present."

Comments (1 posted)

New Distributions

Debian From Scratch

John Goerzen has released "Debian From Scratch;" click below for the full announcement. DFS is yet another Debian live CD, with an emphasis on system rescue tools and the ability to install Debian (including the x86_64 port) onto a hard disk. Perhaps the most interesting part, however, is the "DFSbuild" utility, which enables the creation of custom live CDs with whatever packages seem like they might be useful.

Full Story (comments: none)

YES Linux

YES Linux (YourESale) provides the YES business appliance, an easy-to-use Business in a Box designed specifically to let small businesses and non-profits compete with larger businesses. YES Linux, at the core of the appliance, contains the tools needed to create a website, set up email and more. YES Linux joins the list at version 2.0.8, released May 23, 2004.

Full Story (comments: none)

Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released v4.022 with minor security fixes. "Changes: This Up2Date package fixes Exim vulnerabilities (OpenSSL and stack overflow), the License key replication bug in HA mode, and the issue with dropped packets in the LogAllow chain."

Comments (none posted)

floppyfw

floppyfw has released stable v2.0.9 with minor security fixes. "Changes: This release features kernel 2.4.26 and a few other small fixes."

Comments (none posted)

GoboLinux

GoboLinux has released v011 Beta 2. "This version is far more stable than beta1, and is almost a release candidate. The main item remaining to be done is the addition of a kernel 2.6.6 image. Probably 011 final will be released in the next few days, so any report on this version is very, very welcome."

Comments (none posted)

Linux Live

Linux Live has released v4.1.2 with major feature enhancements. "Changes: create_bootdisk.sh was fixed, the mv and cut commands were added to the initrd, and tohd and fromhd boot options were implemented."

Comments (none posted)

Oralux

Oralux has released v0.6-alpha. "Changes: The audio menu is now available in Russian. The new settings concern the braille display or the external synthesizer. A new cheatcode has been added to select the external synthesizer at boot time. Two new voice synthesizers have been added: ParleMax (in French) and Multispeech/Ru_tts (in Russian and English). This new release proposes a new environment based on Yasr, a lightweight and portable screen reader. A mini menu has been added so that the user can select and launch software under Yasr."

Comments (none posted)

Rock Linux

Rock Linux has released v2.0.1 with minor feature enhancements. "Changes: This release features improved compilation on other distributions (SuSE, Red Hat), updates to KDE, GNOME, Linux, OpenSSL, OpenSSH, neon, Subversion, CVS, silo, and dietlibc, and some package additions. There were also single user mode improvements, ROCK Net and ROCK Plug updates (and speed optimizations), a reinclusion of source CD creation, and some PowerPC and SPARC fixes."

Comments (none posted)

Server optimized Linux

Server optimized Linux has released v18.00 with major feature enhancements. "Changes: This is the fifth stable release of SoL since 2002. The installation- and rescue-system is now based on the new SoL-ISI technology, which was first introduced in the live-CD distribution XoL 18.00. RunSoL, the XML boot-technology introduced by antitachyon was extended by many features. The release includes gcc 3.3.3 and gcc 2.95.3 integration with fast-switching, Linux Kernel 2.6.6, a multilanguage installer (English, German, Nederlands, Italian, Spanish, and Greek), the LIVE-CD Diagnosis and rescue system SoL-ISI, a ready to run copy of spamassassin, and easy X11 configuration."

Comments (none posted)

SLAX

SLAX-Live CD has released v4.1.2 with major feature enhancements. "Changes: This release fixed xconf, so the mouse should finally work. DBdiff (configsave) was modified to skip mounted partitions (or Samba shares), and tohd, fromhd, and server boot options were added. gpart, a tool for guessing PC-type hard disk partitions, was included. Network services are no longer started automatically at bootup due to security issues, and a simple firewall is activated to disallow all incoming connections. Modules were added for Czech, Polish, Brazilian, Italian, French, and German."

Comments (none posted)

Distribution reviews

Fedora Core 2 Review (LinuxLookup.com)

LinuxLookup.com reviews the Fedora Core 2 distribution. "This leads me to my biggest problem with Fedora. On one hand, it is a great introduction to Linux. It installs easily, works well and is attractive. On the other hand, it plays right into the hands of Linux's biggest critics, which is the mistaken notion that it is unfinished and most things don't work. You are given a browser with no plugins, so if you jump online excitedly with your new system, there are a lot of things that won't work. You load your favorite mp3s, then find out you cannot play them. God forbid you have a dvd drive. You notice the red exclamation point telling you there are updates available, but up2date freezes leaving you unable to get them. I know there are fairly simple solutions to these complaints, but the fact remains that not everyone who tries Fedora will know how to do it. They will just feel disappointed by a system that lets them down, deciding that this Linux thing is not ready for prime time."

Comments (16 posted)

Experiences with Gentoo, CRUX and Onebase Linux (OSNews)

OSNews takes a look at three source based distributions. "Crux is simple to use, non-user-friendly-at-all, but simple. Just the way I like it. I use xfce4 window manager, firefox, gimp2, xpdf, nedit, openoffice, gqview, gaim, thunderbird, xmms, gxine and a few other gtk/gtk2 apps. These programs and a handful of their dependencies are all I compiled and installed, with my optimized architecture and optimization flags of course. Sadly nothing breaks. Nothing crashes. I love to tinker with my system but there is no need. That is why I keep a partition empty to try out the new ones."

Comments (none posted)

First look: Sun Java Desktop System Release 2 (linux.com)

Linux.com reviews the second release of the Sun Java Desktop System. "Despite my best efforts, this software just didn't work for me, so the rest of this review will cover what the software includes and what it should offer if you manage to get it installed and working on your machine. I can't verify that any of these features work as stated; I can't even verify that Sun Java Desktop System 2 works at all on any computer hardware, although I'd say it's a safe bet that someone, somewhere has a computer that this software will work properly on."

Comments (none posted)

Review of Fedora Core 2 (OSNews)

Here's an OSNews review of Fedora Core 2. "First, allow me to say that I have only been using Linux for about 5 months, so I'm a comparative newbie to many in the Linux world. I don't make presumptions to know everything. With that in mind, this review is not geared toward the Linux veteran, but for people who have more curiosity than experience with Linux."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Interview with Audacity developer Dominic Mazzoni

May 26, 2004

This article was contributed by Dave Fancella

The full text of this interview (much longer) is available here.

As a long-time musician, or so I like to call myself, and a free software enthusiast, I have personally found Audacity to be an indispensable tool for mastering mixes. Other people find a variety of uses for it, including deployment into public radio stations, restoring LPs for CD-burning, and more. Audacity has been in continuous development since 1990. It is a multi-track recorder, mixer, waveform visualization tool, and editor all rolled into one. It's the Free Software equivalent of Protools, Soundforge, and Cakewalk, albeit without the MIDI portion of any of those programs.

Recently I exchanged some email with Dominic Mazzoni, the Lead Developer and founder of Audacity. As a long-time lurker on the Audacity-devel mailing list, I've come to be familiar with Dominic as one of those kind, gentle spirits who leads first with his coding and second with his ideas, and is an inspiration to us all. Here, then, is the email interview with Dominic Mazzoni:

Q: In the Audacity FAQ, it says "Audacity was started in the fall of 1999 by Dominic Mazzoni while he was a graduate student at Carnegie Mellon University in Pittsburgh, PA, USA. He was working on a research project with his advisor, Professor Roger Dannenberg, and they needed a tool that would let them visualize audio analysis algorithms. Over time, this program developed into a general audio editor, and other people started helping out." Would you provide some information on the nature of the tool? How did it turn into a general audio editor? Was it a graded assignment, and if so, what grade did you get?

A: I was in a Ph.D. program at CMU, and the way it works there is that grad students are supposed to work on independent research right from day one, even while we're taking classes. My dream was to develop automatic music transcription software that could take any recording and turn it into sheet music. This was too difficult, of course, so I was working on monophonic pitch transcription and melody matching, which eventually led to some reasonably successful research in how to retrieve a melody from a database of songs based on a sung/hummed query. While I was trying to visualize pitch transcription algorithms, I started developing my own tool. Since there weren't any other audio editors for Linux that I liked, and I couldn't afford any good editors for the Mac (my two preferred platforms), I thought it would be fun to turn my project into a complete editor.

My advisor, Roger [DF: Roger Dannenberg is the mastermind behind the Nyquist scripting library which is now embedded in Audacity and is just one way to extend Audacity's sound processing capabilities], was very supportive of the project, and convinced me to turn the editor into a Computer Science research project. So I came up with an interesting data structure that could do editing operations quickly, and we wrote a paper on it. By the end of that year, though, I was having a lot of fun with the audio editor and was spending more and more time on it outside of my official research. I came up with the name "Audacity" and released it on Sourceforge. It was pretty limited at the time, but it was cross-platform, which was a big deal, and it worked well enough to generate interest. From that point on I worked on it mostly as a hobby, rather than as a part of my research, though I did find it useful for my research, too.

Q: Audacity has been gaining a lot of traction in the market, lately. How do you feel about that? Do you ever get the "15-minutes of fame" feeling, or is it something you ever really think about?

A: I've thoroughly enjoyed all of the attention that Audacity has gotten. I enjoy working on something that people find useful, and I would choose fame over fortune any day. I've invested so much time into Audacity that it can affect me pretty seriously - seeing a good review or getting an email full of praise can give me an emotional high that lasts all week, but unfortunately bug reports, especially serious ones where people have lost work because of a bug in Audacity, can really make me feel depressed. Recently I had to take a step back and give myself a vacation from responding to emails to audacity-help for my own sanity (thankfully, other developers and users have done a great job of answering the mail).

Q: How do you feel, and how do you respond when users show up that want specific features found only in specific commercial applications?

A: Actually I don't think that anyone has ever said they wouldn't use Audacity if it didn't work exactly like their favorite proprietary application. Most people are perfectly happy to do things a different way as long as it's equally intuitive and powerful. Sometimes we're able to satisfy users by making Audacity as customizable as possible - for example you can edit all of Audacity's keyboard shortcuts and make them the same as some other program if you want. The other Audacity developers and I came up with our own keyboard shortcuts based on what we thought would be the most intuitive and useful, but users are free to modify that (and they can even save their keyboard layouts as XML and share them with other users).

I've been a Mac user since the very beginning (my parents bought an original Macintosh in 1984) so I've always been a fan of intuitive, "discoverable" interfaces. My main complaint with other audio editors is that too often they are trying to emulate the interfaces of analog mixing boards, which I didn't think was very intuitive for the rest of us. I wanted to create an interface that anyone computer-literate could figure out how to use on their own.

Q: For that matter, even the digital mixing boards are trying to emulate the analog interfaces when they don't really have to. :) Are there any specific areas where you think Audacity could really take advantage of the fact that it's software for a general use computer to make some really nice interface?

A: There are lots of areas where an audio editor could be "smarter" than it is now to save users time. I'd like to see Audacity do automatic beat detection and have an option to snap the selection to the nearest beat boundary, making it easier to cut an entire chorus out of a song without breaking the tempo, for example. I'm sure there are hundreds of other things like that.

If you look closely, you'll see lots of subtle differences in the way that Audacity operates. Unlike almost every other audio program I've seen, Audacity lets you have multiple tracks, each with a different sample format (16-bit/32-bit) and sample rate (44100 Hz, etc.) - and Audacity automatically mixes them on the fly. It also has a rather unique built-in amplitude envelope editor, and one of the best frequency analysis views.

Q: How would you define Audacity's target market?

A: Well, it's free, so everyone. Seriously. I'd like Audacity to be good enough to meet the needs of 90% of the users who just want to record a song or an interview, create a mix, convert a tape or LP to CD, etc. Then for everyone who has more advanced needs than that, there are plenty of other tools available - but there's no reason not to keep Audacity around also for the few things that Audacity might do best.

Audacity is a particularly good choice when it's helpful to have a truly cross-platform tool, such as in a mixed-operating-system school computer lab - or when the licensing cost of other tools is prohibitive, such as in third-world countries or at public radio stations.

Q: I understand that Audacity uses a block file approach, where instead of manipulating each track as one large file you guys have broken each track down into many small files. Would you tell us more about this setup? Why did you choose it over other methods? What are the benefits and drawbacks with using block files?

A: Well, to be honest, when I started Audacity I didn't know about Edit Decision Lists. My only experience was with tools like SoundEdit and (early versions of) CoolEdit, both of which were very slow at doing things like Cut, Copy, Paste, and Undo, because they rewrote the entire audio file on disk after each operation.

Q: How about some more information on Edit Decision Lists?

A: An edit decision list is a list of all of the modifications you made to the original audio. The original audio file is left alone, and when you press play, the computer applies all of the edits in real-time to render the audio. This makes editing very fast, since the program is just manipulating a list of edits, but it can increase the amount of processing power required to play back audio in real-time. These days, though, you can do hundreds of edits before you even begin to slow down a modern PC.

I knew I could do better using my Computer Science knowledge, and soon I had worked out a method that involves splitting each track into small pieces - say about 2 MB each. If you allow each piece to be any size from 1 MB to 2 MB, but no smaller or larger, then it turns out you can implement all of the basic editing operations (cut, paste, etc.) without ever having to modify more than 5 pieces ("blocks") at a time. This was what I ended up writing a paper on.

In doing the research for the paper, I learned about Edit Decision Lists and other techniques for nondestructive audio editing. In the end I decided while there were some advantages to EDLs, there were just as many advantages to the blocked-file approach, so it would be better to keep Audacity unique and capitalize on the strengths of this approach, rather than switch to EDLs just to copy everyone else.

One advantage of the blocked-file approach is that you can have multiple "references" to the same data in multiple places. So duplicating a track in Audacity, or creating a loop (using the Repeat effect), are both virtually instantaneous. Also, because Audacity never splits files smaller than about a megabyte, it doesn't slow down trying to play back a region that contains hundreds of edits, which can be a problem with EDL-based editors.
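The block bookkeeping described in the last few answers, as an added toy model in Python; this is not Audacity's code nor the data structure from the paper, just one way to realise the stated rules. It assumes blocks are immutable tuples of samples, scales the 1 MB / 2 MB limits down to the assumed constants MIN_BLOCK and MAX_BLOCK, and has each edit report how many blocks it actually had to write, so the bounded-cost and block-sharing claims can be checked.

```python
from itertools import chain
from math import ceil

MIN_BLOCK = 4                # assumed stand-in for Audacity's 1 MB lower bound
MAX_BLOCK = 2 * MIN_BLOCK    # assumed stand-in for the 2 MB upper bound


def _split_even(piece):
    """[piece] untouched if it fits one block, else ceil(n / MAX_BLOCK)
    near-equal chunks; MAX_BLOCK == 2 * MIN_BLOCK keeps each >= MIN_BLOCK."""
    n = len(piece)
    if n <= MAX_BLOCK:
        return [piece]           # same object, so sharing survives
    k = ceil(n / MAX_BLOCK)
    cuts = [(n * c) // k for c in range(k + 1)]
    return [piece[cuts[c]:cuts[c + 1]] for c in range(k)]


def _pack(pieces):
    """Valid blocks from a run of pieces, some possibly undersized: an undersized
    piece merges into its neighbour, right-sized ones pass through unchanged."""
    out, pending = [], ()
    for piece in pieces:
        if not piece:
            continue
        if pending:
            piece, pending = pending + piece, ()
        if len(piece) < MIN_BLOCK:
            pending = piece
            continue
        out.extend(_split_even(piece))
    if pending:                  # fragment with nothing after it
        if out:
            out.extend(_split_even(out.pop() + pending))
        else:
            out.append(pending)  # whole track shorter than one block
    return out


class Track:
    """An ordered list of immutable blocks; a block may be referenced by
    several tracks, or several times in one, so Repeat is nearly free."""

    def __init__(self, samples=(), blocks=None):
        self.blocks = list(blocks) if blocks is not None else _pack([tuple(samples)])

    def __len__(self):
        return sum(len(b) for b in self.blocks)

    def samples(self):
        return tuple(chain.from_iterable(self.blocks))

    def _locate(self, pos):
        """(block index, offset); a boundary maps to offset 0 of the next block."""
        for i, b in enumerate(self.blocks):
            if pos < len(b):
                return i, pos
            pos -= len(b)
        return len(self.blocks), 0

    def _splice(self, lo, hi, pieces, existing=()):
        """Replace blocks[lo:hi] by _pack(pieces); return how many blocks were
        written, i.e. are not identical to a block that already existed."""
        keep = self.blocks[lo:hi] + list(existing)
        new = _pack(pieces)
        self.blocks[lo:hi] = new
        return sum(1 for b in new if not any(b is k for k in keep))

    def delete(self, start, end):
        """Cut [start, end): only blocks at the cut's two ends are rewritten."""
        if not 0 <= start <= end <= len(self):
            raise ValueError("range outside track")
        if start == end:
            return 0
        i, oi = self._locate(start)
        j, oj = self._locate(end)
        n = len(self.blocks)
        lo, hi = max(i - 1, 0), min(j + 2, n)   # one neighbour on each side
        tail = () if j == n else self.blocks[j] if oj == 0 else self.blocks[j][oj:]
        pieces = self.blocks[lo:i] + [self.blocks[i][:oi], tail] + self.blocks[j + 1:hi]
        return self._splice(lo, hi, pieces)

    def insert(self, pos, other):
        """Paste `other` at `pos`: its blocks are referenced, not copied; only
        the block split at `pos` and the pasted blocks next to it can change."""
        if not 0 <= pos <= len(self):
            raise ValueError("position outside track")
        if not other.blocks:
            return 0
        i, oi = self._locate(pos)
        n = len(self.blocks)
        lo, hi = max(i - 1, 0), min(i + 2, n)
        head = self.blocks[i][:oi] if i < n else ()
        tail = () if i == n else self.blocks[i] if oi == 0 else self.blocks[i][oi:]
        pieces = self.blocks[lo:i] + [head] + other.blocks + [tail] + self.blocks[i + 1:hi]
        return self._splice(lo, hi, pieces, other.blocks)

    def repeat(self, times):
        """The Repeat effect: the same block references, `times` over."""
        return Track(blocks=self.blocks * times)


def shared_blocks(a, b):
    """How many of a's blocks are the very same objects as blocks of b."""
    return sum(1 for x in a.blocks if any(x is y for y in b.blocks))
```

With these constants a 40-sample track becomes five 8-sample blocks; cutting samples 10..29 drops the middle blocks and writes exactly one new 4-sample block, and pasting a two-block track into the middle of a block writes two blocks while both pasted blocks stay shared.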

Q: More recently, there has been a bit of buzz over a new back end implementation of Audacity's work code in a library that has been named "Mezzo". Would you tell us a bit about Mezzo?

A: We've been talking about something like Mezzo for years, but Joshua Haberman (one of the earliest Audacity developers) and I finally started working on it a couple months ago. We did a lot of redesigning and rewriting together early on, but now that we're mostly happy with the new design, Joshua has been doing most of the work.

Mezzo is a rewrite of all of the major core features of Audacity aside from the graphical interface. While Audacity is distributed under the terms of the GNU General Public License, which means that the source code can only be borrowed for use in other GPL or GPL-compatible programs, Mezzo will be released under a very unrestrictive BSD-like license that will allow it to be used by almost anyone. We hope that this will encourage many more people to use Mezzo in projects unrelated to Audacity, including commercial products, which will lead to Mezzo being much more robust and stable.

Well, thank you very much Dominic for your time, both in this interview and your time spent bringing us Audacity. It definitely fills a hole for many of us, and as usual, there isn't really any way to properly thank you other than continuing to use and support Audacity.

Audacity can be found at audacity.sourceforge.net. Information on Mezzo can be found in the Audacity Wiki.

System Applications

Database Software

PostgreSQL Weekly News

The May 25, 2004 edition of the PostgreSQL Weekly News is online with new PostgreSQL database information. "This week saw a swing back toward enhancements to existing systems rather than new functionality, although given that some of these changes will make old functions now usable for new people I guess that is in the eye of the beholder."

Interoperability

Samba 3.0.5pre1 Available for Download

Samba Version 3.0.5pre1 is available. "This is the first preview release of the Samba 3.0.5 code base and is provided for testing only. This release is *not* intended for production servers. Use at your own risk. There have been several bug fixes since the 3.0.4 release that we feel are important to make available to the Samba community for wider testing."

Libraries

Common C++ Version 1.1.8

Version 1.1.8 (stable) of Common C++ is out. "Common C++ is a C++ class library that abstracts various system services in a portable manner, thereby making the creation of portable applications much easier. It is portable code, with very low runtime overhead, that works well on a very wide range of target platforms and C++ compilers in everyday use."

libannodex 0.5.66 released

Version 0.5.66 of libannodex, a C library for reading and writing Annodex media, is out. "Annodex is an open standards based technology that extends the World Wide Web's hyperlinking, searching, and compositing infrastructure to time-continuous data, enabling video surfing, searching for clips of audio and video files using ordinary Web search engines, and on-the-fly composition of a video on a Web server from previously annodexed clips."

libfishsound 0.6.2 is out

Version 0.6.2 of libfishsound, a library which provides an interface for the Vorbis and Speex audio codecs, is out. This release adds the fish_sound_prepare_truncation() API call and has an improved encdec-audio test.

liboggz 0.8.3 released

Version 0.8.3 of liboggz, a C library for working with Ogg compressed audio files and streams, is out with improved Theora parsing, bug fixes, and new documentation.

Web Site Development

Latest Release of Back-End CMS (SourceForge)

Version 0.7.0.5 of Back-End CMS has been announced. "Back-End CMS is a flexible, multi-lingual template driven PHP/MySQL CMS which includes in-line editing and text, html, wiki or WYSIWYG editing interfaces. Release 0.7.0.5 is a major release and includes a serious security fix and a great many added features. We have extended our multi-lingual support to offer better support for unicode fonts like Persian, Arabic and Hebrew."

Midgard 1.6.0 beta released

Version 1.6.0 beta of the Midgard Content Management Framework is out. New features include support for multiple languages, support for PAM, an Apache2 module, a PHP4 module that works with Apache 1 and 2, and more.

phpWebSite 0.9.3-3 Stable released (SourceForge)

Version 0.9.3-3 Stable of phpWebSite, a web site content management system, has been released. "The focus of this release was to address bugs. There have also been several user submitted patches applied."

Quixote 1.0b2 released

Version 1.0b2 of Quixote, a Python-based web development platform, is out with bug fixes. See the changes document for details.

ZopeMag Weekly News

Issue #31 of the ZopeMag Weekly News has been published. Take a look for news on the Zope web development platform.

Web Services

What's New in WSDL 2.0 (O'Reilly)

Arulazi Dhesiaseelan investigates WSDL 2.0 on O'Reilly. "The WG published its WSDL 2.0 working drafts on 26 March 2004. This is a significant milestone in the progress of WSDL. In this article, I discuss the changes that were made to the WSDL 1.1 specification and other major improvements to the service description language."

Desktop Applications

Accessibility

gnopernicus 0.9.3

Version 0.9.3 of gnopernicus, a screen reader for the visually impaired, is out with a number of new features.

Audio Applications

Ardour 0.9beta13 released

Version 0.9beta13 of Ardour, a multi-track audio recording utility, is out. The project status page says: "clearing mantis of as many bug reports as possible". The long-awaited 1.0 version is now projected for release around June 30.

Desktop Environments

KDE-CVS-Digest (KDE.News)

The May 21, 2004 KDE-CVS-Digest is online. Here's the content summary: "Security fixes in URI handlers. KAddressbook now handles IM addresses. Kppp now can handle multiple modem configurations. KUser now can use LDAP, Samba and MD5 Shadow passwords."

Quickies: KDEvibes, Zeroconf, New User Guide, Konqi's Background (KDE.News)

KDE.News has a Quickies posting that lists a slew of new and updated applications for KDE.

KDE 3.3 Release Cycle Starts with KDE 3.3 Alpha 1 'Kindergarten' (KDE.News)

KDE 3.3 Alpha 1 'Kindergarten' has been announced. "There won't be any binary packages for this release, everyone using Kindergarten is asked to compile it with --enable-debug, so that we can get valuable feedback."

Electronics

gEDA News

The latest news from the gEDA project includes a new development snapshot of the Covered Verilog code coverage analysis tool, and a new gEDA talks page with slides from a recent presentation.

XCircuit 3.2.19 released

Version 3.2.19 of XCircuit, an electronic schematic drawing tool, is available. Changes include a new bus notation handling capability and bug fixes.

Financial Applications

Compiere R2.5.1c (SourceForge)

Release 2.5.1c of Compiere, an open-source business application, is available. "Release 2.5.1c is the first release with transactions based on Workflow. In addition to great customization flexibility, it is also a big step towards database independence as Java replaced PL/SQL."

Games

GNOME War Pad 0.3.0 released

Version 0.3.0 of GNOME War Pad, a 'VGA Planets' client for GNOME, is out with lots of enhancements and a few bug fixes.

WorldForge Weekly News

The May 21, 2004 edition of the WorldForge Weekly News has been published. Take a look to see the current status of the WorldForge game project.

Graphics

Gimp-Perl 2.0 Release

Version 2.0 of Gimp-Perl for UNIX/Linux has been announced. This release features a plug-in to selectively sharpen an image, removal of unused plug-ins, bug fixes, and more.

JGraphAddons 0.1 Released (SourceForge)

Version 0.1 of JGraphAddons is available. "This package contains a collection of layout algorithms (radialtree, circle, annealing, gem, moen, spring, sugiyama, tree), graph algebra stuff (shortest path, minimum spanning tree), and a number of useful utilities (mostly cleaned-up code from JGraphpad) for JGraph 4.0."

GUI Packages

PyGTK 2.3.92 unstable released

Version 2.3.92 (unstable) of PyGTK, the Python bindings to GTK, is out. "It includes a number of changes since the last pygtk release; We'd really appreciate testing and bug reports on this release; please take the time out to download and test it to ensure it works for your application[s]."

Interoperability

Wine Traffic

Issue #223 of Wine Traffic is online with the latest Wine project development news.

Medical Applications

Care2x PM, Care2x CDS, Care2x HXP are now included (SourceForge)

SourceForge has an announcement for the merging of several projects into the Care2x project. "The Care2x project now becomes an 'Integrated Healthcare Environment', not just a hospital information system."

OpenEMR Developer Access - Subversion (LinuxMedNews)

LinuxMedNews has an announcement that states that the OpenEMR Electronic Medical Record system is now available under the Subversion version management system.

Office Suites

OpenOffice.org build 1.1.54

Build 1.1.54 of OpenOffice.org is out. "This package contains the Gnome integration work for OpenOffice.org, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to OO.o. This release is mostly a snapshot of the (in-progress) merge of the SuSE patch-set, and adding a SuSE build target / distro etc".

Web Browsers

Mozilla Foundation and Opera Software Describe Joint Vision for Web Application Framework (MozillaZine)

MozillaZine reports on a joint effort between Mozilla and Opera Software to standardize Web applications. "The Mozilla Foundation and Opera Software have published a paper outlining their vision for Web applications. The paper, submitted in preparation for next week's W3C Workshop on Web Applications and Compound Documents, describes a device-independent Web application framework based on HTML and backwards-compatible with existing Web content."

Mozilla 1.8 Alpha 1 Released (MozillaZine)

The Alpha 1 version of Mozilla 1.8 has been announced. "New in this release is a basic FTP upload UI, better Linux mouse support, and a number of other features."

New Milestone Schedule Announced (MozillaZine)

MozillaZine mentions the posting of a new Mozilla Milestone Schedule. "The main change is the now longer periods prior to a final release, with two longer Alpha periods, and a longer Beta period. This allows for more time to land large changes and get them stable prior to a final release. Along with these changes, there will now be at least one release candidate prior to each final release."

Word Processors

AbiWord v2.0.7 Released (GnomeDesktop)

GnomeDesktop.org has the announcement for version 2.0.7 of the AbiWord word processor. "While our current development series is bound to be a great success, we have not forgotten our stable releases. Therefore, the AbiWord development team is proud to release AbiWord v2.0.7. This release benefits greatly from the feature freeze currently active on our development series, which means that all our efforts are focussed on fixing bugs; bugs that might be present in the stable versions as well."

AbiWord Weekly News

The May 22, 2004 edition of the AbiWord Weekly News has been published. Read about all of the latest AbiWord word processor developments.

Miscellaneous

OpenLP 0.993 released (SourceForge)

Version 0.993 of OpenLP, the Open Lyrics Projector, has been released with minor changes. "OpenLP is a powerful lyrics projection application, specifically for use in church worship services. It will include easy & instant switching between slides, customisable backgrounds, a full song database & support for guitar chords and tablature (in v2)."

VXL 1.1 released (SourceForge)

Version 1.1.0 of VXL has been announced. "VXL is a set of multi-platform C++ libraries for computer vision research and deployment."

Languages and Tools

Caml

Caml Weekly News

The May 18-25, 2004 edition of the Caml Weekly News is available with the week's Caml language article collection.

Haskell

Haskell Communities and Activities Report

The Haskell Communities & Activities Report for May 25, 2004 is available. Thanks to Duncan Coutts.

Java

Flexible User and Environment Ant Configuration (O'ReillyNet)

Grant Bremer writes about Ant configuration issues on O'Reilly. "Among the many feats it can perform, Ant can save your team from having to have all of the same files in all of the same places. As Grant Bremer illustrates, flexible Ant configurations will make your build work among many developers, operating systems, and will even deploy to app servers with different file structures."

Build distributed object management frameworks for J2EE apps (IBM developerWorks)

Zhengrong Tang works with distributed object management frameworks on IBM's developerWorks. "Many enterprise Java™ technology developers build their own object management infrastructures to improve application performance. However, traditional object pools encounter problems in applications that run across distributed JVMs on multiple physical machines. In this article, Zhengrong Tang presents an object management framework that uses the concept of scopes to handle distributed systems with ease."

FindBugs, Part 1: Improve the quality of your code (IBM developerWorks)

Read about FindBugs on IBM's developerWorks. "Static analysis tools promise to find existing bugs in your code without requiring much effort on the part of the developer. Of course, if you've been programming for long, you know those promises don't always pan out. Even so, good static analysis tools are a valuable addition to your toolbox. In this first of a two-part series, Senior Software Engineer Chris Grindstaff looks at how FindBugs can help improve the quality of your code and eliminate bugs lying in wait."

Nested Classes, Part 2 (O'ReillyNet)

O'Reilly has published part two of a series on Java nested classes. "Robert Simmons continues his efforts to clarify confusion over the use of nested classes in Java. In this week's installment, excerpted from Chapter 6 ("Nested Classes") of Hardcore Java, Robert discusses the somewhat troublesome limited-scope inner classes; one specific type within this category, known as anonymous classes; and the problems programmers encounter with limited-scope classes."

Lisp

CL-PPCRE 0.7.7 released

CL-PPCRE version 0.7.7, a Perl-compatible regular expression library written in Common Lisp, is available. New features include hyperdoc support, new documentation strings, and bug fixes.

Perl

This Week on perl5-porters (use Perl)

The May 17-23, 2004 edition of This Week on perl5-porters is online with the latest Perl 5 news.

PHP

PHP 4.3.7RC1 released!

Version 4.3.7RC1 of PHP has been announced. "This is the first release candidate and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues." Change information is available in the NEWS file.

Writing Scalable Applications with PHP (Linux Journal)

Xavier Spriet continues his Linux Journal series on PHP with the second article. "The first part of this article, "Real-World PHP Security", appeared in the April 2004 issue of Linux Journal and covered the subject of secure PHP development. This article takes you, the professional PHP developer, one step further, by providing detailed explanations and reliable source code that illustrate the steps to follow in order to develop successful PHP applications."

Python

python-ldap 2.0.0 released

Version 2.0.0 of python-ldap is out: "python-ldap provides an object-oriented API to access LDAP directory servers from Python programs. Mainly it wraps the OpenLDAP 2.x libs for that purpose."

Dive Into Python 5.4 released

Version 5.4 of the online Python book Dive Into Python has been published. See the Revision history document for change information.

Tcl/Tk

Dr. Dobb's Tcl-URL!

The May 24, 2004 edition of Dr. Dobb's Tcl-URL! has been published. Take a look for lots of Tcl/Tk article links.

XML

Thinking XML: Use the Atom format for syndicating news and more (IBM developerWorks)

Uche Ogbuji introduces Atom on IBM's developerWorks. "The Web has always included sites that present series of articles, events, and other postings which are meant to be shared and cross-referenced. With large parts of the Web becoming conversational communities, many in these communities have come together to work on an XML-based standard for such interchange and cross-reference. Atom is the product of this effort -- a format and API for exchanging Web metadata."

SAX processing in Python (DevChannel)

Derek Fountain explores SAX on DevChannel. "An application developer can choose any one of a number of strategies to read and use an XML document. In some very simple examples a script containing a number of regular expressions might do the job, but normally a more rigorous technique is required. The Simple API for XML (SAX) is one of the two key techniques for analysing and processing XML documents (the other is the more complicated Document Object Model (DOM))."

XML Matters: GUIs and XML configuration data, Part 2 (IBM developerWorks)

David Mertz continues his series on GUI configuration with XML with part two. "He looks at Mozilla's XML-based User Interface Language (XUL) which allows you to write applications that run without any particular dependency on the choice of underlying operating system. This may seem strange at first, but you'll soon see that this Mozilla project offers powerful tools for GUI building that allow you to develop for an extensive base of installed users."

Cross Assemblers

GPICD 0.2-1 is available

Version 0.2-1 of GPICD, a programmer and in-circuit debugger (ICD) for the Microchip PIC micro-controller family, is available on the OpenCollector site. This version works with GTK2, and includes bug fixes.

Test Suites

TET 3.6a adds support for Python

Version 3.6a of TET is out with new support for Python. "The Test Environment Toolkit (TET) is a multi-platform uniform test scaffold, into which non-distributed and distributed test suites can be incorporated. TET supports tests written in C, C++, Perl, Tcl, Shell (sh, bash), Python, POSIX shell and Korn Shell."

Miscellaneous

Prothon gets Major Facelift in Vers 0.1.0

Prothon version 0.1.0 is available. Prothon is: "A classless prototype-based programming language a la Self with the sensibilities of Python."

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Is Torvalds really the father of Linux? (News.com)

News.com has a long look at the ADTI report and an interview with its author. "In an interview conducted for the study, [Andrew] Tanenbaum said Minix 'was the base that Linus used to create Linux. He also took many ideas from Minix, including the file system, source tree and much more.' If Linux is a derivative work of Minix, that makes Linux vulnerable to charges of intellectual property infringement by Prentice Hall, which published books and the Minix source code but restricted its use until 2000, the study said. 'Arguably, Prentice Hall has lost out on tens of millions of dollars' because of lost book sales, the study said."

In this context, it is more than worthwhile to read this posting by Andrew Tanenbaum about the whole thing. "Thus, of course, Linus didn't sit down in a vacuum and suddenly type in the Linux source code. He had my book, was running MINIX, and undoubtedly knew the history (since it is in my book). But the code was his. The proof of this is that he messed the design up.... My conclusion is that Ken Brown doesn't have a clue what he is talking about. I also have grave questions about his methodology."

A followup from Andrew Tanenbaum

Andrew Tanenbaum has posted a second followup commenting on the strange stuff coming out of the Alexis de Tocqueville Institute. Worth a read. "Brown calculates that due to the creation of Linux, Prentice Hall sold 500 fewer copies of my book, Operating Systems: Design and Implementation, which at $100 [sic] per book cost them almost $1 million. Reminds me of the kind of arithmetic used on the NASDAQ prior to March 2000. If Brown can't multiply small positive integers correctly, how much faith can we have in the rest of his reporting?"

Grokline Launches - Come and Help, Please (Groklaw)

Groklaw announces the release of Grokline 0.1. "We hope with this Grokline project to be able to identify any conceivable legal issues that those wishing to block, slow, hobble or tax GNU/Linux may try to use in future legal assaults on the community. If there are litigation risks, even just from nuisance lawsuits, particularly with respect to patents, we want to find those risks, hopefully before they do, and mitigate or resolve them now. I am personally convinced, as you no doubt are too, that the next wave of attacks on GNU/Linux and the GPL will involve patents."

Free software guru speaks on patents (Register)

The Register covers Richard Stallman's London talk on software patents. "Against this political backdrop, Stallman's message is an important one, so it is a real shame that it gets clouded by his choice of analogy. There is little doubt that allowing patents on software will have a devastating impact on the free software community, and good reason to believe, based on the current situation in the US, that it will hurt smaller companies working in the field. Likening this impending doom to the AIDS crisis in Africa is counterproductive, and merely allows pro-patent groups to label Stallman, and by association the anti-patenting movement, as a crackpot."

Trade Shows and Conferences

Berners-Lee Keeps WWW2004 Focused on Semantic Web (O'Reilly)

Paul Ford covers a talk by Tim Berners-Lee on the Semantic Web. "But now that the Web is unquestioned as a basic medium, part of a parcel with television, publishing, and radio, there is risk of stagnation. To that end, Tim Berners-Lee, creator of the first Web browser and server, and inventor of HTML, gave an open-ended plenary talk focused on two open questions: What should we do with top level domain names (TLDs)? And what should we do with the Semantic Web?"

The SCO Problem

Open source group won't hand over SCO docs (Silicon.com)

Silicon.com covers the response from the Free Software Foundation on a subpoena from SCO. "FSF general counsel Eben Moglen said: 'I'm not going to permit a fishing expedition at the Free Software Foundation from a party that has shown a great deal of hostility to the Free Software Foundation and its community. We will not produce material that is the subject of attorney-client privilege, and I don't think anybody expects us to.'"

Comments (5 posted)

SCO Responds to AutoZone (Groklaw)

Groklaw looks at SCO's response to two motions in the AutoZone suit. "Remarkably [SCO] even tells the court that they should *not* have to provide a more definite statement. It was plenty definite enough, they say, and AutoZone, they wax indignant, is improperly trying to obtain discovery.... Telling them what lines, files or organization of Linux code is the subject of the litigation is a question for discovery, they state. AutoZone will find out later. I don't think it would be prudent for AutoZone to hold their breath."

Comments (none posted)

Companies

CA Moves with New Open-Source Licensing (eWeek)

eWeek covers this week's open source announcements from Computer Associates. "Computer Associates International Inc. will use its annual CA World user conference in Las Vegas on Monday to make a slew of open-source announcements, including establishing a new open-source foundation that will support Plone, an out-of-the-box content management system built on the free Zope Application server; unveiling a new open-source license, and placing a version of Ingres, CA's flagship DBMS, under it."

Comments (3 posted)

Kill Bill (Forbes)

Yes, it's a Forbes article by Daniel Lyons, but he seems to have turned over a new leaf; this one is a lengthy look at IBM's involvement with Linux which doesn't mention lawsuits at all. "IBM seems to go to any length to push Linux into customer sites. Last year at the U.S. National Weather Service, IBM offered a free demo machine and a guarantee to keep its systems up-to-date, even writing software drivers for components IBM doesn't build, such as video cards. The result? The NWS spent $3 million to buy a thousand IBM desktop machines running Linux, replacing 900 HP Unix workstations."

Comments (12 posted)

Dell nears Sun in IBM-led server race (News.com)

News.com looks at the latest Gartner numbers on server sales. "One area that blossomed in particular was sales of Linux servers, which grew 57.3 percent to $1.02 billion... IBM was the top Linux seller, with 28 percent share, followed by HP with 26.9 percent, Dell with 17.8 percent, Silicon Graphics Inc. with 3.1 percent, Fujitsu with 2.8 percent, NEC with 1.9 percent and Sun with 0.9 percent."

Comments (1 posted)

Business

Open-source companies see profit aplenty (News.com)

News.com reports on comments from a panel discussion at the Software and Information Industry Association's Enterprise Software Summit. "The mix of license models has been controversial among open-source believers, but Urlocker said it's vital to MySQL's success. "We're not a religion, we're not a cult, we're not a charity--we're a business," he said. "There's always going to be grassroots people...who see open source as a free ride, but there are corporate customers who are absolutely willing to pay for reliability, flexibility, support.""

Comments (none posted)

Linux Adoption

Linux Going Mainstream (Information Week)

Information Week looks at Linux adoption at United Parcel Service, Boeing, and other companies. "A key driver behind business use of Linux is support from high-profile vendors. Dell, Hewlett-Packard, and IBM are all several years into strategies to use Linux to increase sales of Intel-based servers. Applications vendors such as Oracle and SAP push Linux as an option for companies transitioning portions of their data centers from proprietary to open-source software."

Comments (none posted)

A Greens and Linux ticket (SMH)

The Sydney Morning Herald has an article on the use of Linux by the Australian Green Party. "Beyond the notions that Greens candidates and open source evangelists are viewed to be on the economic 'left', or seeking a more just and sustainable environment - depending on your point of view - the party has stopped using commercial software as much for pragmatic reasons. It wants to win more seats at the impending federal election, and Linux will help it do that, the Greens believe."

Comments (1 posted)

Two Medical Clinics Choose OpenEMR (LinuxMedNews)

LinuxMedNews reports on the adoption of the open source electronic medical record (EMR) application OpenEMR. "Pennington Firm is delivering OpenEMR with CMS 1500 (formerly HCFA 1500) billing support, and connection to a clearinghouse for the processing of claims. OpenEMR is a full featured, practice management, electronic medical record and prescription writing application that can serve as a direct open source replacement for proprietary medical applications such as Medical Manager, HealthPro and MegaWest."

Comments (3 posted)

Linux at Work

How Linux Saved My Files and My Job (Linux Journal)

This Linux Journal author used BG-Rescue Linux to save data from a "knackered" NTFS-based drive. "The current version of BG-Rescue Linux is 0.3.1, which is compiled with kernel version 2.4.24, and it supported a host of Ethernet devices--it even had USB and PCMCIA network device support. A host of command-line utilities are provided by BusyBox, and BG-Rescue Linux uses the uClibC C library. What really made my eyes light up was the inclusion of NTFS support."

Comments (2 posted)

Interviews

Interview with Everaldo and Jimmac (OSNews.com)

OS News interviews KDE artist Everaldo Coelho and GNOME artist Jakub Steiner (Jimmac). "Currently Everaldo works for Lindows inc. and Jakub works for Novell inc. They were very kind to answer our questions related with the art in Linux, its future and much more."

Comments (none posted)

An Interview with Allison Randal (Perl.com)

Simon Cozens interviews Allison Randal on O'Reilly's Perl.com. "This week, perl.com has the pleasure of interviewing Allison Randal, one of the key figures in the Perl community. Allison has been active in the Perl 6 design process since its inception, and is the President of the Perl Foundation. Let's hear more from Allison about what all of this means to her."

Comments (none posted)

Dreams of Longhorn (News.com)

News.com has an interview with Microsoft's Bob Muglia. "The world has changed a bit. If you went back 18 to 24 months ago, it was unclear what Linux would look like and how it would evolve. It was thought of as free. And there was a whole series of attributes that were attributed to Linux that in retrospect were inaccurate. As time has gone on, it's apparent that Linux is becoming a set of offerings from commercial vendors. When I think of Linux, I don't think about it as our competitor. I think about Linux as a technology that is used by our competitors to build competitive offerings."

"There's no question about who our biggest competitor is. It's IBM."

Comments (55 posted)

Resources

Top Ten Ethereal Tips and Tricks (O'ReillyNet)

O'ReillyNet presents the top ten list of Ethereal tips and tricks, from the book Ethereal Packet Sniffing (from Syngress). "Installing Ethereal from the source code is very beneficial in a number of ways. Not only will you have all of the source code, additional documentation, and miscellaneous files to peruse, you will also have the ability to control numerous aspects of the build process. Building software from source will give you a better feel for how the whole process works and what goes on behind the scenes. What you will take away is a wealth of knowledge about the software package, programming, and operating system management."

Comments (1 posted)

Secure programmer: Minimizing privileges (developerWorks)

David A. Wheeler covers secure programming by minimizing privileges, on IBM developerWorks. "Real-world programs have bugs in them. It's not what we want, but it's certainly what we get. Complicated requirements, schedule pressure, and changing environments all conspire to make useful bugless programs unlikely. Even programs formally proved correct using sophisticated mathematical techniques can have bugs. Why? One reason is that proofs must make many assumptions, and usually some of those assumptions aren't completely true. Most programs aren't examined that rigorously anyway, for a variety of reasons. And even if there are no bugs today (unlikely), a maintenance change or a change in the environment may introduce a bug later on. So, to handle the real world, we have to somehow develop secure programs in spite of the bugs in our programs."
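
The practical core of "minimizing privileges" is the privilege drop itself, which is easy to get subtly wrong: the gid and supplementary groups must be changed before the uid (afterwards the kernel refuses), every return value must be checked, and the result must be verified rather than assumed, because a saved uid of 0 left behind lets the program climb back to root. The routine below is an added example written for this page; it is not code from Wheeler's article or from developerWorks. It assumes Linux/glibc semantics (setuid() called with effective uid 0 sets the real, effective and saved uids together) and, in the demo main(), that uid/gid 65534 is an acceptable unprivileged "nobody" target; the ids need not exist in /etc/passwd for the drop to work.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently drop to an unprivileged uid/gid.  Returns 0 on success and
 * -1 with errno set on failure.  The order matters: supplementary groups
 * and the gid must be changed while we still hold root, because once the
 * uid is dropped the kernel will no longer let us touch them.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }

    /* 1. Clear supplementary groups.  Only a process with CAP_SETGID
     *    (here: euid 0) may do this; an unprivileged caller already has
     *    nothing beyond its own login groups, so the step is skipped. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* 2. Group id before user id. */
    if (setgid(gid) != 0)
        return -1;

    /* 3. User id.  With euid 0, Linux setuid() sets the real, effective
     *    and saved uid together, which is what makes the drop permanent
     *    (assumed Linux semantics; see the lead-in). */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Do not trust the return values alone: read the ids back ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* 5. ... and prove the saved uid is gone too: every road back to
     *    root must now fail.  If either call succeeds we are root again,
     *    which is a bug, not a success. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo.  Run as root to watch a real drop to 65534/65534
 * (assumed "nobody"); as an ordinary user it drops to the caller's own
 * ids, which exercises the same checks. */
int main(void)
{
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();

    printf("before: uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  uid=%u euid=%u gid=%u egid=%u; setuid(0) -> %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(),
           setuid(0) == 0 ? "SUCCEEDED (BUG)" : "refused");
    return 0;
}
```

Call drop_privileges() as early as possible, after the few operations that genuinely need root (binding a low port, opening a device) and before any untrusted input is parsed; if the function returns -1 the only safe response is to exit, since the process is in an unknown privilege state.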

Comments (none posted)

Build Web apps with Maypole (developerWorks)

developerWorks is running a lengthy introduction to Maypole (a Perl framework for creating database-backed web applications) written by Maypole's creator. "The big problem with Ninkasi's recipe is that the nicer the end result, the more of it you consume, and, for some reason, the less likely you are to remember how good it was in the morning, and so you never know whether or not you want to buy that particular beer again. So you have to buy it anyway to try to work out whether or not you liked it. This is enjoyable, but not particularly economical. I found myself needing some kind of database to keep track of my tastings."

Comments (none posted)

Reviews

GUI Administration with KSysguard (Linux.com)

Linux.com reviews KSysguard. "This app has absolutely nothing to do with guarding anything. KSysguard lets you manage processes and monitor resources on local or remote systems. According to the documentation, it can be built on Solaris, BSD, and Linux." (Found on KDE.News)

Comments (none posted)

Book Review: The Official GNOME 2 Developer's Guide (OSNews)

OSNews reviews The Official GNOME 2 Developer's Guide. "The book was written around the time of Gnome 2.0-2.2 but was released recently in the English language, and so newer material like the new GTK+ file selector or Gstreamer are not discussed. Even back then though, Gnome was capable of games, OpenGL views (via GtkGLArea), generic music and video, which are also not discussed. Also, while there is a whole chapter on the auto* development tools, there is not a mention of how to properly debug a GTK+ application using existing tools, or how to use Alleyoop and Valgrind to trace memory leaks. And there are not any tips & tricks on how to profile or optimize your application." (Found on GnomeDesktop)

Comments (none posted)

Linux Magazine: Play and Manage your Music with JuK (KDE.News)

KDE.News points to a review of JuK, the KDE Jukebox. "For starters: JuK is KDE's outstanding playlist-based jukebox application with a lot of unique and powerful features. The article talks about playlist management, advanced tag guessing with musicbrainz and how to keep your music collection consistent easily."

Comments (none posted)

Miscellaneous

A model for open source software development (NewsForge)

In this NewsForge article a pediatric oncologist finds analogies between biomedical research and the open source software development model. "It has been argued that the only way to make money off of software is to follow the closed proprietary system of software development. If this were true, then no company would be able to make money in biomedical research, which depends on full disclosure and published research. It can hardly be argued that there is no money to be made in biomedical research. Pharmaceutical companies do make money. But they do so in no small part due to the fact that they participate in research that is published in peer-reviewed journals."

Comments (5 posted)

Results from the 2004 ONJava Reader Survey (O'ReillyNet)

O'Reilly has published the results of the 2004 ONJava Reader Survey, with some interesting operating system statistics. "There was a healthy variety of operating systems reported in our questions about what you develop on and what you deploy on. 86 percent of you develop on Windows, 58 percent on Linux, 21 percent on Solaris, 16 percent on Unix, and 14 percent on Mac OS X. It looks like a lot of our readers have two boxes -- or emulators -- on their desks, given the implicit level of multi-platform development. As for deployment, Linux was a target for 69 percent of our readers, as was Windows, followed by Solaris at 37 percent, Unix at 29 percent, and Mac OS X at 10 percent."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

BEA and Apache Software Foundation Announce Project Beehive

BEA Systems, Inc. and the Apache Software Foundation have announced the acceptance of Project Beehive as an open-source project in the Apache community. Apache Beehive, which is based on the runtime application framework in BEA WebLogic Workshop, aims to be an easy-to-use, open source foundation for building enterprise Java and service-oriented architecture (SOA) applications.

Comments (none posted)

Bull Joins the Open Source Development Labs

The latest Open Source Development Labs (OSDL) member is Bull HN Information Systems Inc., according to this announcement.

Comments (none posted)

New Creative Commons licenses released

The Creative Commons project has announced the 2.0 release of its set of licenses. "Unlike the 1.0 licenses, the 2.0 licenses include language that makes clear that licensors disclaim warranties of title, merchantability, fitness, etc. As readers of this blog know by now, the decision to drop warranties as a standard feature of the licenses was a source of much organizational soul-searching and analytical thinking for us." There have been several other changes; see the announcement for details.

Comments (1 posted)

OSDL on kernel patch provenance

Yesterday, Linus posted a request for discussion on the idea of a "developer's certificate of origin" for kernel patches. Today, the Open Source Development Labs has announced that it is helping to implement the process. "OSDL has committed to providing resources to ensure that contributions made to the kernel adhere to the DCO and the process improvements. The Lab will review the content of the contributions to confirm that submissions to the kernel have been signed off by contributors in accordance with the DCO. In addition, OSDL plans to launch an educational campaign for developers and end users on the DCO and the process improvements."

Comments (7 posted)

Plone Foundation Created

The Plone Foundation has been announced. "The Plone Community today announced the formation of the Plone Foundation, an organization committed to elevating the use of the Plone open source content management software, expanding its integration in software solutions and increasing collaboration and development with the open source community and industry."

Comments (none posted)

Commercial announcements

CA Outlines Open Source Strategy

Computer Associates International, Inc. (CA) made several announcements this week. These include the release of Ingres and KGEM (Kernel Generalized Event Management) under an open source license, the introduction of a document management solution that uses the Plone Engine, and collaborations with JBoss and Zope.

Comments (2 posted)

FreeMED Software Support Services (LinuxMedNews)

Two FreeMed Software support companies have been formed in New York and Massachusetts. "FreeMED Software Foundation, Inc. announced the formation of two companies to help physicians, specialists, nursing homes and small hospitals implement, maintain and migrate to Linux and FreeMED Software."

Comments (none posted)

Gupta Technologies Opens SQLBase 9.0 for Linux

Gupta Technologies has announced a beta version of its SQLBase 9.0 database for Linux.

Full Story (comments: none)

Microsoft's Appeal Denied

Lindows, Inc. has announced that the United States Court of Appeals for the Ninth Circuit denied Microsoft's petition for interlocutory appeal in its ongoing trademark litigation against Lindows, Inc.

Comments (2 posted)

Thousands of New Partners Join Novell in Linux Push

Novell, Inc. has announced software developers, channel partners, and independent software and hardware vendors are supporting the company's Linux strategy.

Comments (none posted)

Novell Reports Financial Results for Second Fiscal Quarter 2004

Novell, Inc. has announced financial results for its second fiscal quarter ended April 30, 2004. Jack L. Messman, Novell chairman, president and chief executive officer, said: "We are encouraged that NetWare(R)-related revenue in the quarter declined only 2% from the year ago period, or a 5% decline after adjusting for foreign currency effects. This figure compares to the prior year's decline rate in NetWare-related revenue of 12%, after adjusting for foreign currency effects. We believe this slowing of the rate of NetWare-related revenue decline reflects a favorable response from our customers to our Linux* strategy."

Comments (none posted)

Nuxeo releases CourierCPS, the generic solution for mail management in CPS 3

Nuxeo has announced the release of their CourierCPS mail management solution for Collaborative Portal Server 3. "This software module allows organisations to dematerialize from end to end the processing chain for incoming and outgoing mail."

Full Story (comments: none)

Oracle claims world's largest Linux-based development organization

Oracle has sent out a press release claiming to have the largest Linux-based development organization in the world. "The company began the global initiative last year with the migration of 5,000 developers to Linux, and anticipates that by the end of 2004, its core development team worldwide will be leveraging the operating system. With Linux, Oracle developers have a broader choice of hardware platforms and can use cheap, fast hardware in a grid environment to help increase productivity and enhance testing capabilities."

Comments (none posted)

Symbio Technologies Uses Old PC's as Diskless Thin Clients

Here's a press release from Symbio Technologies, a company that's turning old PCs into Linux thin clients. "Just remove the hard drive, CD-ROM, and floppy disk drives and connect the reborn PC to a server loaded with our Symbiont Management Suite and you'll have a robust, new computer that runs as fast as your server..."

Comments (none posted)

Xteam Software International Limited to Acquire Software Businesses of Beijing Development

Xteam Software International Limited has announced that it will acquire the software business of Beijing Development. "Xteam has established a strong presence in Beijing thanks to its leading edge Linux technology and R&D expertise. The new entity, leveraging on both strong positions in software in Beijing, will capture a dominant market share in Beijing to provide Linux operating systems and software solutions to government authorities in four key sectors: social security, labour security, e-government and e-education."

Comments (none posted)

New Books

"Hibernate: A Developer's Notebook" Released by O'Reilly

O'Reilly has published the book Hibernate: A Developer's Notebook by James Elliott. Hibernate is an open-source object/relational persistence and query service for Java.

Full Story (comments: none)

Resources

Austin Group Minutes of the May 20 Teleconference

The minutes are available for the May 20, 2004 Austin Group Teleconference.

Full Story (comments: none)

The LDP Weekly News

The May 19, 2004 edition of the LDP Weekly News has been published, take a look for the latest new documentation.

Full Story (comments: none)

The LDP Weekly News

The May 26, 2004 edition of the Linux Documentation Project Weekly News is available with another selection of new and updated documentation.

Full Story (comments: none)

OSIA position paper on SCO v. IBM

Open Source Industry Australia has released a position paper intended to guide Australian companies in deciding what to do about licensing demands from the SCO Group. Click below for the announcement; the paper itself is available in PDF format. "To any Australian organisation which receives any request for licence payment from The SCO Group, we recommend that you do not respond in any way, seek legal advice, taking this document to your lawyer, and also submit the received documentation from SCO as evidence to the Australian Competition & Consumer Commission (ACCC)."

Full Story (comments: none)

Translate.org.za Newsletter May 2004

The May, 2004 Translate.org.za Newsletter has been published. "Translate.org.za is a project translating Opensource software into all of South Africa's official languages and offering assistance and creating tools to help other language teams."

Full Story (comments: none)

Upcoming Events

Linux Professional Institute Offers Its First Certification Testing at CeBIT America (eBCVG.com)

eBCVG.com reports on the LPI certification program at the CeBIT America conference on May 25-27 in New York City. ""For many years LPI has been a regular participant in the prestigious international CeBIT show in Hanover, Germany. However this is the first time we have participated in this North American event and we are proud to be invited to attend. This demonstrates yet again the growing importance of Free and Open Source Software, particularly Linux, to the enterprise business community," said Evan Leibovitch, President of LPI."

Comments (none posted)

IDA's Open Source Competence Workshop

The IDA Workshop on OSS Competence in the Public Sector will be held at the LinuxTag Conference and Exhibition in Karlsruhe, Germany on June 23, 2004. Thanks to Sofia Segedy.

Comments (none posted)

Registration for German Perl Workshop 2004 is open (use Perl)

Registration for the 2004 German Perl Workshop has been announced. "The registration for the German Perl Workshop 2004 from Tuesday, June 29th to Thursday, July 1st 2004 at the Barbara-Künkelin-Halle Schorndorf (near Stuttgart) is now open."

Comments (none posted)

YAPC::NA::2004 Only 22 Days Away (use Perl)

Use Perl has a reminder for the upcoming YAPC::NA Perl conference.

Comments (none posted)

Tenth VistA Community Meeting (LinuxMedNews)

LinuxMedNews has an announcement for the Tenth VistA Community Meeting. The event will be held at the University of Washington School of Medicine in Seattle, Washington on June 17-20, 2004.

Comments (none posted)

IBM pSeries Technical Conference

IBM will be holding a Technical Conference on the IBM pSeries platform in Cairns, Australia on July 26-30, 2004. "This technical conference not only covers pSeries and AIX, but has some 30+ Linux sessions as well, most of which include hands-on labs. Speakers come from IBM themselves, Red Hat and SuSE."

Full Story (comments: none)

Events: May 27 - July 22, 2004

Date                    | Event                                                                                    | Location
May 27 - June 6, 2004   | DebConf4                                                                                 | Porto Alegre, Brazil
May 27 - 29, 2004       | 2nd International Symposium on Computer Music Modeling and Retrieval                     | Esbjerg, Denmark
May 27, 2004            | CeBIT America (Javits Center)                                                            | New York, NY
June 2 - 4, 2004        | 2004 GCC and GNU Toolchain Developer's Summit (Ottawa Congress Centre)                   | Ottawa, Canada
June 2 - 4, 2004        | inbox, the email event (San Jose Marriott)                                               | San Jose, CA
June 3 - 4, 2004        | Web.It 2004                                                                              | Milano, Italy
June 6 - 7, 2004        | French Perl Workshop                                                                     | Paris, France
June 7 - 9, 2004        | EuroPython (Chalmers University of Technology)                                           | Göteborg, Sweden
June 13, 2004           | 1st European Lisp and Scheme Workshop                                                    | Oslo, Norway
June 14 - 18, 2004      | 18th European Conference on Object-Oriented Programming (ECOOP-2004) (The University of Oslo) | Oslo, Norway
June 16 - 18, 2004      | Yet Another Perl Conference (YAPC::NA::2004) (University at Buffalo)                     | Buffalo, NY
June 28 - 30, 2004      | GNOME User and Developer European Conference (GUADEC)                                    | Kristiansand, Norway
June 29 - July 1, 2004  | Perl Workshop 6.0 (Barbara-Künkelin-Halle)                                               | Schorndorf, Germany
July 12 - 15, 2004      | Real-time and Embedded Systems Workshop                                                  | Washington, DC
July 19 - 20, 2004      | Italian Perl Workshop (Polo Fibonacci)                                                   | Pisa, Italy
July 21 - 24, 2004      | Linux Symposium                                                                          | Ottawa, Canada

Comments (none posted)

Mailing Lists

The GNOME devel-announce-list

The new GNOME devel-announce-list has been announced. "Today we present the Fresh New Taste of devel-announce-list! This is a new, low-volume, moderated list for GNOME development related announcements and information"...

Full Story (comments: none)

Web sites

Linux-on-Hynix page launches (LinuxDevices)

LinuxDevices reports that a new web site and mailing list has been created to support Linux on ARM processors from Hynix.

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds