
LWN.net Weekly Edition for July 1, 2004

The Grumpy Editor's guide to graphical mail clients

This article is part of the LWN Grumpy Editor series.
This is the second article in a series dedicated to the discovery of the perfect mail client. Those who have not read the introduction to the series may want to do so; it explains much of the motivation behind this search. This article, in particular, looks at the current crop of graphical mail clients. Future articles will look at terminal-oriented and emacs-based clients and other aspects of the mail system.

Your editor, remember, is looking for a mail client which enables the processing of vast amounts of mail in a flexible manner. An LWN editor can spend hours each day dealing with email from various sources; actually getting an LWN Weekly Edition out every week very much depends on the use of an efficient, reliable client. In particular, your editor is looking for:

  • A powerful and flexible command set which does not require constant use of the mouse.

  • A high degree of configurability. When a complex tool is being used as a key part of the daily workflow, it is worth spending some time to tweak it to optimal performance. That tweaking should be possible.

  • The ability to interface with external programs for the disposition of email.

  • Support for common tasks, such as sending patches.

For this article, your editor spent a significant amount of time working with Balsa, Evolution, KMail, Sylpheed, and Thunderbird. These programs all have a great deal in common; they would appear to have all been built from the same basic template. A tall pane on the left contains the folder hierarchy, usually split between local folders and those found on some remote server. The top right pane gives a folder view, while the bulk of the space, in the bottom right, contains the text of a message itself. Separate windows are used for composition of new messages.

Each client has its own keyboard shortcuts (we will get to that later), but the mouse-oriented interaction is quite similar between all of them. A user familiar with one of these clients could make use of another with little trouble. Could it really be that the optimal model for graphical email clients has already been found, and that no further experimentation is called for at this point? Or could it be that all of these clients are imitating a popular proprietary email offering?

All of the clients have most of the expected features: built-in address books; support for multiple accounts; disconnected operation; secure POP, IMAP, and SMTP access; threading of folders; hierarchical folders; filtering of messages based on various criteria; etc. Most of the common features will not be discussed here.

Balsa

Balsa is a longstanding GNOME client. In recent years it has been somewhat upstaged by Evolution, but development on Balsa continues. The 2.1.3 development release came out in May, 2004, but your editor was unable to make it work on his system; this review, thus, looks at the stable 2.0.17 release.

Balsa lacks the polish of some of the other mail clients we'll look at here, but it has many of the same capabilities. It can deal with remote mailboxes via POP or IMAP, and local mailboxes in mbox, maildir, and MH format. It can only use SMTP for outgoing mail; there is no option for passing a message to a local command.

Balsa has one failing which it shares with a few other clients: it makes the user wait while it talks with the remote SMTP server. It would be nice if this conversation could happen in the background; there is little joy in staring at a "connecting to server" dialog for an indefinite period of time. Yes, one can always set up a local MTA to handle this task, but that should not be necessary.

Balsa can render HTML mail reasonably well, though it cannot create such mail (the lack of this feature does not strike your editor as a problem). Its display of multipart MIME messages is somewhat awkward; it can only show one part at a time, forcing the user to bounce between tabs to see the whole message.

There is a reasonable set of keyboard shortcuts which, happily, do not require extensive use of modifier keys. There is no provision for changing the shortcuts, however.

Balsa's interface can be somewhat annoying; it can, at times (such as when getting a large message from a remote server), become unresponsive to the user, who is left wondering what is really going on. The address book interface looks powerful, but it would be nicer if it started with a default, local book and didn't require the user to dig through the preferences dialog before allowing addresses to be saved.

Balsa has a basic set of filter operations, though less advanced than most other mail clients. One unique filter operation, however, allows matching messages to be automatically sent to the printer. The potential for paper waste and embarrassment is impressive.

All told, Balsa is a reasonably capable mail client. One gets the impression, however, that its time in the limelight has passed. Most of the other clients reviewed here are more capable and smoother to operate.

Evolution

Evolution has the broadest focus of any of the clients reviewed; it merges the email functionality with contact management, task list, and calendaring functions. Your editor, who is looking for an email client rather than a calendar manager (he addressed that problem a few months back), did not look at these other capabilities in any great detail. One can certainly imagine uses where an integrated calendar manager would be useful, but, if one is seeking a focused mail client, calendars and such can be a distraction.

Version 1.5.9.2 (a pre-1.6 development release) was looked at for this review.

Evolution can handle a wider range of email account types than any of the other clients reviewed. Along with the usual forms (IMAP, POP, local mailbox), Evolution can work with Novell GroupWise accounts and folders in maildir or MH format. An attempt to set up an MH directory, however, crashed Evolution and rendered it incapable of launching; such is life when one plays with development releases. Use of Evolution to read netnews groups is also supported. Outgoing mail can be sent via SMTP to a server, or passed to a local application. Evolution has a nice feature where it can query the remote mail server to determine what sorts of authentication and encryption features it supports.

Some basic spam filtering is built into Evolution; users can mark messages as being "junk" and, once the internal filter is properly trained, apply filters to clear the spam out of the way. The filtering appears to be based on SpamAssassin. The documentation mentions an option to have Evolution pass mail to spamd for evaluation, but that option does not yet actually exist in the configuration dialogs.

Evolution provides a set of keyboard shortcuts which allows some actions to be performed without the mouse. There is no evident way of configuring shortcuts, however; if you don't like the defaults, there's little to be done.

Evolution provides full support for HTML mail. Incoming HTML is rendered by default. It can compose mail in HTML format, and a full set of operations is provided enabling the composition of truly gaudy messages. Happily, Evolution defaults to sending plain text mail only; users must explicitly say they want to create HTML messages.

There are some nice features for finding messages within folders. A search bar in the main menu can quickly narrow the view to messages meeting the search criteria. The "vFolder" mechanism is a more advanced feature which enables the creation of custom views which can include messages from multiple folders which meet the search criteria.

KMail

KMail is the KDE mail client, part of the "kdepim" package. In many ways, KMail is the most configurable and flexible of the graphical email clients out there.

KMail can handle incoming mail via POP, IMAP, and local mailboxes in mbox or maildir format. Outgoing mail is transferred via SMTP or handed to a local program. KMail's account setup is, however, a little more confusing than that found in the other mailers. Mail identities, mail sources, and "transports" (ways of sending mail) are all configured separately; they can then be mixed and matched in arbitrary ways. Those who are so inclined can select a different outgoing transport for each message. The system is flexible, but not necessarily straightforward to set up at the outset.

Like Evolution, KMail can query remote mail servers to determine their encryption and authentication capabilities. This is such an obviously good feature that one wonders why all mail clients do not work that way.

KMail has extensive configuration options. Uniquely among the clients reviewed (but standard for KDE applications), KMail provides an easy mechanism for configuring keyboard shortcuts. The defaults also make some sense: "R" for reply, for example. Given that regular, unmodified keystrokes have no intrinsic meaning in the context of a mail client window, why make users lean on the control key to get anything done? One should be able to simply hit "N" to see the next message, and KMail's designers understand that.

The usual filtering operations are available. KMail does not, however, have any sort of internal spam filtering built into it (though some of the available, undocumented options, like "mark as spam," suggest that this capability is coming). Filters can, among other things, change the default identity or outgoing transport which applies to a given message, or rewrite header fields. Like Evolution, KMail supports virtual folders created by searching; there is no search bar in the main window, however.

KMail can render HTML mail quite nicely, but it refuses to do so until the user explicitly requests HTML rendering for a specific message. It also will not load external images until you get past a configuration screen with dire warnings on it. KMail does not appear to be able to create HTML messages.

As a whole, KMail has a pleasant, responsive interface. It is visually pleasing, and makes relatively good use of the screen space. More than some other clients, it provides feedback on what it is doing at any given time, and does not make the user wait unnecessarily. On the other hand, it has an obnoxious habit of popping up "tool tips" with the message subject when the pointer moves over the subject in the folder view pane; this behavior creates a great deal of distracting flashing while not really giving the user any useful information. Some of the toolbar icons are less than instructive; try to guess what the three shown on the left mean. (They are "get new mail", "reply", and "forward").

In summary: KMail is a capable client; its developers have clearly given some thought to how to make life easier for their users. It is arguably one of the best mail clients available.

Sylpheed

Sylpheed is a GTK+ mail client which advertises itself as fast and lightweight. Like Balsa, Sylpheed feels a little rough in the modern world. This client, however, has some capabilities that the others lack.

At the top of the list of those capabilities might be "actions." Sylpheed includes a mechanism for running external programs on messages; the output of that program can, optionally, replace the original message. Actions can be created with a dialog box (canned actions can also be obtained from the net and added directly to the configuration file); thereafter they show up under the "Tools/Actions" menu. It would be nice if an action could be bound to a keystroke, but...

...Sylpheed does not allow the configuration of keyboard shortcuts. Shortcuts do exist for most operations, but they all require the use of the control key. The font selection available in Sylpheed is also somewhat restrictive; it cannot use the nice anti-aliased fonts the way some of the other mail clients can. If you spend a lot of time staring at a mail client every day, this makes a difference.

Sylpheed tends to hang up at times; when an action is being run, for example. It also makes the user wait for SMTP conversations to complete when sending a message.

This client cannot render HTML mail; it wings it by stripping out the markup and simply displaying the remaining text. This technique works surprisingly well; if you don't get much HTML mail, you may never even notice the lack of proper support.

Sylpheed can work with POP and IMAP mailboxes, or with local mailboxes in the mbox format. It creates local mailboxes using the MH format; it can also be configured to use the MH inc command to incorporate new mail. It has no support for mailboxes in maildir format.

The Sylpheed address book is minimal but functional; there is no LDAP support, however.

For those who find Sylpheed inadequate, but who like the basic platform, the Sylpheed-Claws project may be worth a look. Sylpheed-Claws is an ongoing effort to add vast numbers of features to Sylpheed. Some of these include a plugin mechanism, spell checking (a feature available on most other mail clients), the ability to assign actions to icons on the toolbar, a search bar for narrowing folder views, themes, message scoring, HTML viewing (using an external viewer), better GPG support, LDAP support, and more. The biggest problem with Sylpheed-Claws, however, is that it is very much a development release; your editor was able to make it crash in several different ways. Crashing is not a desirable feature in a vital work tool.

Sylpheed is a powerful client which is clearly aimed at serious users. In your editor's not entirely humble opinion, what it could best use at this point is (1) a bit more attention to polish, human factors, and visual appeal, and (2) a concerted effort to move the best, most stable features from Sylpheed-Claws into the mainline client. With some work in that direction, Sylpheed could be a powerful contender for the title as the best graphical client for advanced users.

Thunderbird

Thunderbird is the standalone mail client from the Mozilla project; its most recent release is version 0.7.1. Thunderbird is a slick product; it is visually appealing and, for the most part, easy to use.

Unlike other mail clients, Thunderbird has no provision for local maildrops at all; it can only obtain mail via POP or IMAP. It does maintain local folders, however; they are buried deeply under the user's .thunderbird directory, and appear to be in mbox format. Thunderbird can be used to read netnews from NNTP servers. On the outgoing side, Thunderbird expects to talk to an SMTP server, and it makes you wait while the conversation takes place.

Thunderbird handles HTML mail without trouble; one would expect a Mozilla project to get that part down reasonably well. The client will, by default, execute Javascript contained within HTML mail; your editor is hard put to come up with a reason why one would ever want to leave that option enabled. Thunderbird also sends mail in HTML format and, discouragingly, comes configured to send HTML by default.

Thunderbird is a highly configurable client. The actual configuration can be a bit confusing, however; quite a few options (such as sending HTML mail) are part of the account configuration. A user will look for such options under the "options" menu in vain. Thunderbird also has a powerful extension mechanism, with numerous extensions available on the net.

The default keyboard shortcuts are heavily reliant on the control key, and there is no provision for changing them. The "keyconfig" extension mitigates that problem somewhat, though it is not trivial to use and cannot create shortcuts for all that many operations.

Thunderbird has some strange behavioral glitches. Clicking on a URL in a message, for example, causes Thunderbird to copy the web page to a local file and run a browser on that file; this strange behavior breaks all the images and links, among other things. If, instead, the user drags the URL to a browser window, the right thing happens. Thunderbird is also reluctant to use folders on the remote IMAP server that it didn't create itself; folders created by a different mail client tend to be completely inaccessible.

On the other hand, Thunderbird's composition window is relatively nice and easy to use. The interaction with the address book is easy and transparent, and Thunderbird makes it easy to set various types of headers ("Bcc:", "Reply-To:") without having to dig through menus.

Thunderbird has its own bayesian spam filter built in. Messages which look like spam are prominently marked as such; the user then has the option of correcting things. The toolbar icon toggles between "Junk" and "Not junk," depending on the current marking of the message; the user thus has to actually look at it to see what it will do at any given time. This sort of modal interface is an encouragement to the user to make mistakes. The keyboard shortcuts for marking and unmarking spam, at least, are distinct.

There is a search bar in the main window for quickly narrowing folders. There are no virtual folders for holding search results, however.

Thunderbird is an impressive client; for version 0.7 it is in very good shape. Your editor would like to see some attention paid to the needs of users who want to do nonstandard things, such as adding custom operations to the toolbars. Given that most of the details and polish are already in place, a bit of careful feature work could turn Thunderbird into a truly powerful and useful program.

Other important points

A grumpy editor who posts to lists like linux-kernel lives in fear of two things: (1) sending text in very long lines, and (2) sending patches which have been word-wrapped by the mail client. Committing either faux pas can cause a budding kernel hacker to contemplate a switch to Visual Basic programming. Your editor attempted to get each mailer to send an unmolested patch while performing word wrapping on the accompanying text. Note that some people really want to see patches inline, rather than as attachments, which complicates the situation - any of the mail clients reviewed here can send an attachment without trouble.

Only Sylpheed passed this test in a clear way. If the "wrap on input" option is selected, typed text will be wrapped, but an inserted file will be left alone. KMail sort of works, in that word wrap can be disabled for specific messages. If you use the "external editor" option (which works in a bit of a confusing way; you must type a keystroke in the text area of the composition window to get your editor), whatever the editor produces will not be messed with. Balsa wraps everything, as does Evolution. Thunderbird, interestingly, has no option for inserting a file into an outgoing message; you must cut-and-paste it in (and deal with wrapping problems), or send it as an attachment.

Another important feature, as far as your editor is concerned, is the ability to feed a message to an external program. After all, it just might be possible that users may think of things to do with their mail which, inexplicably, just didn't occur to the implementers of the mail client. Such operations might include feeding a message to sa-learn to better train SpamAssassin's filter, or, in your editor's case, inserting a software announcement into the LWN site.

Support for external programs is poor in most of the clients reviewed. Some of them can invoke an external program while filtering messages (thus, for example, allowing SpamAssassin to be used to clean out junk), but only Sylpheed has a separate mechanism for running programs on specific messages. Even then, only Sylpheed-Claws brings that mechanism to the toolbar, and there is still no way to assign an action to a keystroke. Thunderbird has an "external application" extension, but it is really just an application launcher; it can't be used to process messages. There should be no reason why the right kind of extension couldn't be written; it's just that, as far as your editor can tell, nobody has done it yet.

In general, extensibility is an important feature for a complex application. The original developers will never think of everything, and really should not even try. If the application provides an easy way for others to add capabilities, the result will often be a rich ecosystem of features far beyond the imagination of the application's designers. Among the clients reviewed above, only Thunderbird provides support for first-class extensions - though Sylpheed-Claws is getting there. In the long term, the email client which best supports extensions may well be the one which gathers the largest, happiest user base.

Conclusions

A few other free graphical clients exist, but didn't make it into this review:

  • Althea looks like a fairly basic GTK-based client. "The design goal was a stable e-mail client with the richness of usability of Microsoft's Outlook, Qualcomm's Eudora, and Cyrusoft's Mulberry."

  • Mahogany is a feature-rich, highly configurable client; its 0.66 release came out in January, 2004. Mahogany does indeed offer a dizzying variety of configuration options; should those options not suffice, there is also a built-in Python interpreter for extensions. That notwithstanding, Mahogany is said to be a low-bloat application.

  • Aethera is a client produced by theKompany.com; it claims to do task lists and appointment management; it also comes up with news and weather reports on the side. Unfortunately, source for current releases does not appear to be available from theKompany's download site.

So, with all these options, which would your editor choose? The answer, for the moment, is "none of the above." Your editor is not yet sold on the advantages of a graphical client for this sort of work; these clients do have a number of nice features, but an email client must, above all else, enable quick and efficient processing of mail. Anybody who has tried to exchange email with your editor knows that he can easily get far behind; if the email client adds friction to the process, that problem will get worse.

Some of the clients reviewed look like they could eventually be a part of a workable email system. With luck, future development will take at least one of them in a direction where it is, on the one hand, polished, feature-rich, and usable, while being, on the other hand, easy to integrate into a wider way of doing things. Meanwhile, your editor will proceed to look at some of the current non-graphical offerings (this includes emacs-based clients, which are becoming increasingly graphical in their own right). Stay tuned.


The Global File System goes full circle

June 30, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

In 2003, Red Hat announced that it was acquiring Sistina, and that it would work to release Sistina's current technologies as open source in 2004. Red Hat made good on that promise on June 24 by re-releasing the Global File System under the GPL. The Global File System (GFS) has a fairly long and interesting history. According to the OpenGFS website, the GFS project started at the University of Minnesota and was sponsored from 1995-2000 by the University. Then Matthew O'Keefe, a professor at the university, founded Sistina around GFS.

Sistina stopped making new versions of GFS available under the GPL in 2001. It's important to note that it's inaccurate to say (as many have) that GFS has been "re-released" under the GPL -- the original code that was available under the GPL remained available under the GPL. Sistina simply quit putting out new releases under the GPL, but users still had the option of using and working with releases prior to Sistina's license change, as did the OpenGFS project.

The release put out by Red Hat last week actually consists of more than just GFS the file system; it totals nine components in all. In addition to GFS itself, Red Hat has released the clustering extensions to the Logical Volume Manager 2 (LVM2). Also, Red Hat has released clustering infrastructure tools and cluster block devices that work with GFS: the Cluster Configuration System (CCS), Cluster Manager (CMAN), Distributed Lock Manager (DLM), GFS Unified Lock Manager (GULM), the Fence I/O fencing system, the Global Network Block Device (GNBD) and the Cluster Snapshot Block Device (CSBD).

Linux has no shortage of filesystems to choose from, but GFS is quite a bit different from Ext3, ReiserFS and other popular file systems being used with Linux today. The GFS release probably isn't that interesting for users with a single Linux workstation or for small installations of Linux systems that don't require a great deal of filesystem sharing or redundancy. For Linux shops that have deployed or plan to deploy Linux in a clustering capacity or using a Storage Area Network (SAN) to share filesystems among servers, instead, GFS is a very interesting technology.

GFS allows Linux servers to share a single file system on a block device via fiber channel, iSCSI, NBD or other technology; it allows those servers to read from that file system simultaneously, and it coordinates writes to the filesystem to avoid data being overwritten. Changes to the filesystem made by one server are immediately available to other servers. GFS is different from the Network File System (NFS) in that it removes the requirement for clients to access storage devices through an NFS server. It removes some of the overhead from working with data, making GFS more robust. One can use the two technologies in conjunction with one another, using GFS to give a set of servers access to a filesystem stored on a set of fiber channel drives (for example) and then exporting the filesystem to clients via NFS.

GFS is highly scalable, which means that hundreds of systems can share a filesystem on a SAN. In addition, as one might expect, file system and volume resizes can be performed while the system is running -- which means that enterprise systems don't need to be brought down for filesystem maintenance when a deployment starts to require more space. The file servers themselves can be clustered to provide high availability, redundancy and increased performance. Just what the doctor ordered for a database cluster, enterprise file servers, large e-mail installations and many other applications.

For those interested in trying out GFS, source RPMs are available for Red Hat Enterprise Linux 3, CVS snapshots are available, and enterprising Fedora user Lennert Buytenhek has already whipped up FC2 RPMs of GFS and the necessary tools. Packages are no doubt being prepared for other popular Linux distributions as well. Instructions on using GFS can be found here.

Of course, RHEL users still have the option of buying GFS for a mere $2200.

The GFS team is now working to put GFS into the mainline Linux kernel. It shouldn't be terribly difficult for a project this useful to find a healthy community of users to apply whatever elbow grease is necessary to make that happen.


A look at Slackware 10.0

June 28, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

The long-awaited Slackware 10 release has hit the streets, so to speak. Though Patrick Volkerding's Slackware wasn't the very first Linux distribution (it was originally based on the SLS distribution) it has outlived all of its predecessors. First released on July 16, 1993, Slackware has come a long way since its floppy-based origins -- though in some ways, it has also remained very much the same.

The Slackware installer, for example, has changed very little over the years. Though the lack of a graphical installer may intimidate new users, the text-based menu installer still serves well and is quite simple to use if one will only take the time to read the text. This writer installed Slackware 10, using the "install everything" option, on a Toshiba Satellite 1415-S105 notebook in about twenty minutes. That includes disk partitioning, network setup and reboot. Slackware's installer may lack bells and whistles, but it serves just fine on almost any hardware.

Slackware also continues to use the BSD-style init scripts, though slightly streamlined in this release, as opposed to the SYSV style init scripts that are used by most other Linux distributions. Whether this is an annoyance or feature largely depends on the personal preference of the user.

The latest Slackware release is based on the stock 2.4.26 Linux kernel, with an optional 2.6.7 kernel for users who wish to run the 2.6 series. Apparently, the 2.6 kernel series hasn't quite yet lived up to Volkerding's standards for a default kernel. Nor has Slackware jumped to the Apache 2.0.x series yet; it still ships with Apache 1.3.31. Slackware also still includes lprng and LILO, which have been replaced by CUPS and GRUB in most distributions -- though Slackware also now includes CUPS alongside lprng.

Slackware still includes a wide array of window managers and desktop environments, and tends to stay on or close to the cutting edge there. KDE 3.2.3 is included, as is GNOME 2.6.1, XFce 4.0.5, Blackbox, Fluxbox, and many others. While most popular distributions tend to brand the window managers and desktop environments -- Red Hat's "Bluecurve" and Mandrake's "Galaxy" themes come to mind -- Slackware ships them more or less as-is. In fact, all packages shipped with Slackware "follows the setup and installation instructions from its author(s) as closely as possible." This writer tends to prefer the "generic" version of packages, so Slackware is his favored choice in this area.

Though not part of the default install, there are a few new package tools for Slackware 10. There's now a "slackpkg" tool to help with upgrading an older release of Slackware, and "slacktrack" to help building Slackware packages. Users who wish to try these new tools will find them in /extras, on the third Slackware disk.

Speaking of disks, it's also worth noting that Slackware is still fairly lightweight in terms of disks required for installation. Only the first disk is necessary for a basic install with KDE, while the second disk will be necessary for users wishing to use GNOME. Users who wish to use the ZipSlack distribution will need to grab disk four. Users interested in trying Slackware before it's available in stores or to subscribers can find ISOs through BitTorrent or through one of the unofficial mirrors.

The only complaint this writer has about Slackware 10 is the lack of a simple sound configuration utility. Configuring sound on the Toshiba laptop with Slackware was a bit more challenging than with other distributions, which usually find and enable the sound card without any user intervention. Other than that, however, installing and configuring Slackware was a pleasure.

In all, Slackware is a solid distribution that's easy to set up and run. For users who are already running Slackware-based systems, the upgrade is well worth it. Users who have never tried Slackware might find that it's well worth the time to test out.


Page editor: Jonathan Corbet

Security

The netfilter packet of death

Adam Osuchowski and Tomasz Dubinski have sent out an advisory regarding a new vulnerability in the 2.6 netfilter subsystem. Netfilter, being the Linux firewalling code, inspects network packets and makes decisions on which ones to pass on. Use of netfilter is supposed to increase security, so it is always discouraging when the opposite happens. Fortunately, the number of sites vulnerable to this particular bug should be fairly small.

TCP packets can contain an "options" field within the header. This field allows TCP implementations to change how the protocol works; options can be used to turn on features like selective acknowledgments, change how checksumming is done, and so on. Each option has a simple format:

Number | Length | 'Length' bytes of data

Multiple options can be packed into the field; an option number of zero terminates the list. If netfilter is asked to filter packets based on the contents of the TCP options field, it goes into a loop stepping through each option present in a packet. Unfortunately, it treats the length byte as a signed quantity; the result is that, with an option number greater than 128, netfilter's index into the options field can be pushed backward, and the code can end up in an infinite loop. That tends to slow packet delivery somewhat.

The fix is straightforward: declare the options array as unsigned.
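
The signed-length walk and the unsigned fix described above, as an added example that is not the kernel's netfilter code: a toy option walker in C using the article's simplified Number/Length/data layout (real TCP counts the two header bytes in the length). The function names, result codes, step limit and both option buffers are constructed for illustration, and the overrun check in the unsigned version is an extra hardening step beyond the one-line fix the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration; this is not the kernel's netfilter source. */

enum { OPT_FOUND = 1, OPT_ABSENT = 0, OPT_STUCK = -1, OPT_MALFORMED = -2 };

#define STEP_LIMIT 1000 /* demo only: report a stuck walk instead of hanging */

/* Constructed sample: option 8 (2 data bytes), option 3 (1 data byte), end. */
static const uint8_t wellformed_opts[] = {
    0x08, 0x02, 0xAA, 0xBB, 0x03, 0x01, 0x07, 0x00
};

/* Constructed sample: the second option carries a length byte of 0xFA. */
static const uint8_t malformed_opts[] = {
    0x08, 0x02, 0xAA, 0xBB, 0x55, 0xFA, 0x00, 0x00
};

/* Flawed shape: option bytes are read through a signed type. */
static int find_option_signed(const uint8_t *buf, size_t optlen, int wanted)
{
    const signed char *opt = (const signed char *)buf;
    int i = 0, steps = 0;

    /* The i >= 0 test and the step counter exist only so that this
     * demonstration stays inside its buffer and terminates. */
    while (i >= 0 && i < (int)optlen) {
        if (++steps > STEP_LIMIT)
            return OPT_STUCK;
        if (opt[i] == wanted)
            return OPT_FOUND;
        if (opt[i] == 0 || i + 1 >= (int)optlen)
            return OPT_ABSENT;          /* option number zero ends the list */
        i += 2 + opt[i + 1];            /* a length byte >= 0x80 reads as negative */
    }
    return OPT_ABSENT;
}

/* Fixed shape: unsigned bytes, so every step moves the index forward. */
static int find_option_unsigned(const uint8_t *opt, size_t optlen, uint8_t wanted)
{
    size_t i = 0;

    while (i < optlen) {
        if (opt[i] == wanted)
            return OPT_FOUND;
        if (opt[i] == 0)
            return OPT_ABSENT;
        if (i + 1 >= optlen)
            return OPT_MALFORMED;       /* option number with no length byte */

        size_t next = i + 2 + opt[i + 1];
        if (next > optlen)
            return OPT_MALFORMED;       /* extra check: option overruns the field */
        i = next;
    }
    return OPT_ABSENT;
}

int main(void)
{
    printf("well-formed, signed walk:   %d\n",
           find_option_signed(wellformed_opts, sizeof wellformed_opts, 3));
    printf("well-formed, unsigned walk: %d\n",
           find_option_unsigned(wellformed_opts, sizeof wellformed_opts, 3));
    printf("malformed, signed walk:     %d\n",
           find_option_signed(malformed_opts, sizeof malformed_opts, 3));
    printf("malformed, unsigned walk:   %d\n",
           find_option_unsigned(malformed_opts, sizeof malformed_opts, 3));
    return 0;
}
```

On the malformed buffer the signed walk bounces between offsets 0 and 4 until the step limit trips, while the unsigned walk sees a length of 250 and rejects the option as running past the end of the field.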

The good news is that, in all likelihood, very few firewalls filter on the TCP options field, and, of those, most have probably not yet been upgraded to 2.6. The bad news is that there are almost certainly many other bugs in the kernel (and elsewhere) caused by confusion between signed and unsigned types. These vulnerabilities can be hard to find without detailed, tedious auditing. And some of them, certainly, will have a larger impact than this one.

The U.S. Constitution locked up

As seen in Lawrence Lessig's weblog: Amazon.com is offering an electronic version of the U.S. Constitution aimed at Microsoft's reader. It's all nicely equipped with the usual digital rights management stuff; according to Amazon, permission to print the Constitution has been denied.

The irony of the situation is self-evident. We at LWN would certainly never want to INDUCE anybody to commit a crime, but... if somebody were to get around the DRM and dump a copy of this electronic book onto their printer, it would be a clear violation of the DMCA. For somebody looking for a day in court, it would be harder to find a more desirable case to defend than being charged with printing the U.S. Constitution. Explaining the problems of U.S. copyright law to otherwise uninterested parties has always been a challenge; given enough products like this one, that task is likely to get easier.

New vulnerabilities

Apache: denial of service

Package(s):apache2 CVE #(s):CAN-2004-0493
Created:June 30, 2004 Updated:July 19, 2004
Description: Versions of apache 2.0 through 2.0.49 fail to defend against arbitrarily long header lines; this bug can be exploited to cause the server to use arbitrarily large amounts of memory. See this advisory from Georgi Guninski for details.
Alerts:
Fedora FEDORA-2004-204 2004-07-19
Fedora FEDORA-2004-203 2004-07-19
Red Hat RHSA-2004:342-01 2004-07-06
Gentoo 200407-03 2004-07-04
tinysofa TSSA-2004-012 2004-06-29
Mandrake MDKSA-2004:064 2004-06-29

FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling

Package(s):freeswan CVE #(s):
Created:June 26, 2004 Updated:July 15, 2004
Description: FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs when authenticating PKCS#7 certificates. This could allow an attacker to authenticate with a fake certificate. All these IPsec implementations have several bugs in the verify_x509cert() function, which performs certificate validation, that make them vulnerable to malicious PKCS#7 wrapped objects. With a carefully crafted certificate payload an attacker can successfully authenticate against FreeS/WAN, Openswan, strongSwan or Super-FreeS/WAN, or make the daemon go into an endless loop.
Alerts:
Mandrake MDKSA-2004:070 2004-07-14
Gentoo 200406-20 2004-06-25

giFT-FastTrack: remote denial of service attack

Package(s):gift-fasttrack CVE #(s):
Created:June 24, 2004 Updated:June 30, 2004
Description: giFT-FastTrack is a plugin for the giFT file-sharing application. If a maliciously crafted signal is sent to giFT-FastTrack, remote attackers can crash the giFT daemon.
Alerts:
Gentoo 200406-19 2004-06-24

gzip: temporary file execution problem

Package(s):gzip CVE #(s):
Created:June 24, 2004 Updated:June 30, 2004
Description: The gzip compression program has a problem that can cause code to be executed from the command if the creation of a temporary file fails.
Alerts:
Gentoo 200406-18 2004-06-24

kernel: netfilter denial of service

Package(s):kernel CVE #(s):
Created:June 30, 2004 Updated:July 28, 2004
Description: The netfilter code in 2.6 kernels through 2.6.7 is vulnerable to a remote denial of service attack - but only if filtering on the TCP options field has been enabled. See this advisory for details.
Alerts:
Conectiva CLA-2004:852 2004-07-28
Gentoo 200407-12 2004-07-14
Fedora FEDORA-2004-202 2004-06-30

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s):apache CVE #(s):CAN-2004-0492
Created:June 11, 2004 Updated:October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

dhcp: buffer overflows

Package(s):dhcp CVE #(s):CAN-2004-0460 CAN-2004-0461
Created:June 23, 2004 Updated:July 14, 2004
Description: Two separate buffer overflows have been found in versions 3.0.1rc12 and 3.0.1rc13 of the ISC DHCP server. These overflows can be exploited by a remote attacker to cause a denial of service, or, potentially, to execute arbitrary code. DHCP servers should not be exposed to the Internet, but this problem is worth fixing regardless. See this CERT advisory for more information.
Alerts:
OpenPKG OpenPKG-SA-2004.031 2004-07-08
Fedora FEDORA-2004-190 2004-06-23
SuSE SuSE-SA:2004:019 2004-06-22
Mandrake MDKSA-2004:061 2004-06-22

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Horde-IMP: improper input validation

Package(s):Horde-IMP CVE #(s):
Created:June 16, 2004 Updated:August 10, 2004
Description: An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser.
Alerts:
Gentoo 200408-07 2004-08-10
Gentoo 200406-11 2004-06-16

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

racoon: denial of service vulnerability

Package(s):ipsec-tools racoon iputils CVE #(s):CAN-2004-0403
Created:April 26, 2004 Updated:July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details.
Alerts:
Red Hat RHSA-2004:308-01 2004-07-29
Mandrake MDKSA-2004:069 2004-07-14
Fedora FEDORA-2004-197 2004-06-28
Whitebox WBSA-2004:165-01 2004-06-10
Fedora FEDORA-2004-132 2004-05-19
Red Hat RHSA-2004:165-01 2004-05-11
Gentoo 200404-17 2004-04-24

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

kernel: symlink overflow in the iso9660 filesystem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

kernel: denial of service

Package(s):kernel CVE #(s):CAN-2004-0554
Created:June 15, 2004 Updated:July 5, 2004
Description: 2.4 and 2.6 kernels running on the i386 and x86_64 architectures have a vulnerability which can allow a local attacker to lock up the system. See this LWN article for a description of the problem.

Many of the updates for this problem also fix various potential driver vulnerabilities found while instrumenting the code for automated auditing.

Alerts:
Gentoo 200407-02 2004-07-03
Fedora FEDORA-2004-186 2004-06-23
Mandrake MDKSA-2004:062 2004-06-23
Whitebox WBSA-2004:255-01 2004-06-21
tinysofa TSSA-2004-011 2004-06-18
Conectiva CLA-2004:845 2004-06-22
EnGarde ESA-20040621-005 2004-06-21
Red Hat RHSA-2004:260-01 2004-06-18
Trustix TSLSA-2004-0035 2004-06-18
Red Hat RHSA-2004:255-01 2004-06-17
Trustix TSLSA-2004-0034 2004-06-16
SuSE SuSE-SA:2004:017 2004-06-16
Slackware SSA:2004-167-01 2004-06-15
Fedora FEDORA-2004-171 2004-06-14

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

krb5: unauthorized root privileges

Package(s):krb5 CVE #(s):CAN-2004-0523
Created:June 3, 2004 Updated:June 29, 2004
Description: Multiple buffer overflows exist in the krb5_aname_to_localname() library function that, if exploited, could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname, which is not a default configuration. See this MIT krb5 Security Advisory for more information.
Alerts:
Gentoo 200406-21 2004-06-29
Debian DSA-520-1 2004-06-16
Whitebox WBSA-2004:236-01 2004-06-10
Mandrake MDKSA-2004:056-1 2004-06-09
Red Hat RHSA-2004:236-01 2004-06-09
Fedora FEDORA-2004-150 2004-06-04
Fedora FEDORA-2004-149 2004-06-04
Mandrake MDKSA-2004:056 2004-06-03

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

mailman: password disclosure

Package(s):mailman CVE #(s):CAN-2004-0412
Created:May 27, 2004 Updated:July 20, 2004
Description: In mailman versions above 2.1, third parties can retrieve member passwords from the server.
Alerts:
Fedora-Legacy FLSA:1734 2004-07-19
Fedora FEDORA-2004-168 2004-07-01
Fedora FEDORA-2004-167 2004-07-01
Gentoo 200406-04 2004-06-09
Mandrake MDKSA-2004:051 2004-05-26

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

postgresql buffer overflow in ODBC driver

Package(s):postgresql CVE #(s):
Created:June 7, 2004 Updated:July 28, 2004
Description: A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database, descended from POSTGRES. It is possible to exploit this problem and crash the surrounding application. Hence, a PHP script using php4-odbc can be utilized to crash the surrounding Apache webserver. Other parts of postgresql are not affected.
Alerts:
Mandrake MDKSA-2004:072 2004-07-27
Debian DSA-516-1 2004-06-07

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

racoon: improper certificate validation

Package(s):racoon ipsec-utils CVE #(s):
Created:June 23, 2004 Updated:June 23, 2004
Description: The racoon tool found in ipsec-tools (through version 0.3.3) fails to perform proper authentication, enabling a potential man-in-the-middle attack.
Alerts:
Gentoo 200406-17 2004-06-22

rsync remote file write attack

Package(s):rsync CVE #(s):CAN-2004-0426
Created:April 30, 2004 Updated:July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Gentoo 200407-10 2004-07-12
Fedora FEDORA-2004-116 2004-07-01
Whitebox WBSA-2004:192-01 2004-06-10
Debian DSA-499-2 2004-06-02
OpenPKG OpenPKG-SA-2004.025 2004-05-21
Red Hat RHSA-2004:192-01 2004-05-19
Mandrake MDKSA-2004:042 2004-05-10
Slackware SSA:2004-124-01 2004-05-02
Debian DSA-499-1 2004-05-01
Trustix TSLSA-2004-0024 2004-04-29

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 2004-09-30
Mandrake MDKSA-2004:093 2004-09-15
Gentoo 200409-04 2004-09-02
Gentoo 200406-13 2004-06-17
Whitebox WBSA-2004:242-01 2004-06-10
Trustix TSLSA-2004-0033 2004-06-10
Mandrake MDKSA-2004:059 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Fedora FEDORA-2004-163 2004-06-09

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote Denial of Service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information.
Alerts:
Fedora-Legacy FLSA:1748 2005-03-07
SuSE SuSE-SA:2004:018 2004-06-17
Fedora FEDORA-2004-166 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Gentoo 200406-07 2004-06-10

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 10, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):tcpdump CVE #(s):CAN-2004-0183 CAN-2004-0184
Created:March 30, 2004 Updated:September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30


Multiple vendor telnetd vulnerability

Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5  CVE #(s):
Created: May 21, 2002  Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10


tripwire format string vulnerability

Package(s): tripwire  CVE #(s): CAN-2004-0536
Created: June 4, 2004  Updated: July 7, 2004
Description: The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp. With a carefully crafted filename on a local filesystem an attacker could cause execution of arbitrary code with permissions of the user running tripwire, which could be the root user. See this advisory on SecurityFocus for more details.
Alerts:
Mandrake MDKSA-2004:057-1 2004-07-06
Red Hat RHSA-2004:244-01 2004-06-14
Mandrake MDKSA-2004:057 2004-06-07
Gentoo 200406-02 2004-06-04


webmin: denial of service

Package(s): webmin  CVE #(s): CAN-2004-0582 CAN-2004-0583
Created: June 16, 2004  Updated: July 28, 2004
Description: Versions of webmin prior to 1.150 suffer from denial of service and information disclosure vulnerabilities. See advisories for the disclosure and lockout problems for more information.
Alerts:
Mandrake MDKSA-2004:074 2004-07-27
Conectiva CLA-2004:848 2004-07-16
Debian DSA-526-1 2004-07-03
Gentoo 200406-12 2004-06-16


XChat 2.0.x SOCKS5 Vulnerability

Package(s): xchat  CVE #(s): CAN-2004-0409
Created: April 19, 2004  Updated: November 15, 2005
Description: XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The flaw is in XChat's SOCKS 5 proxy code and is remotely exploitable. To be exposed, a user would have to be running XChat through a SOCKS 5 server, have enabled SOCKS 5 traversal (which is disabled by default), and connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:
Fedora-Legacy FLSA:123013 2005-11-14
Red Hat RHSA-2004:585-01 2004-10-27
Netwosix NW-2004-0014 2004-05-01
Red Hat RHSA-2004:177-01 2004-04-30
Mandrake MDKSA-2004:036 2004-04-21
Debian DSA-493-1 2004-04-21
Gentoo 200404-15 2004-04-19


xine-ui - insecure temporary file creation

Package(s): xine-ui  CVE #(s): CAN-2004-0372
Created: April 6, 2004  Updated: April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06


Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is still 2.6.7; the first 2.6.8 prepatch has not yet been released.

Patches continue to accumulate in Linus's BitKeeper tree, however; they include the new dma_get_required_mask() API (covered here last week), support for 64-bit Super-H hardware (forward ported from 2.4), x86 no-execute support, asynchronous I/O support for USB gadgets, a reworked symbolic link lookup implementation (see below), a new "CPU mask" implementation, some read-copy-update performance improvements, support for new Apple PowerBooks, more sparse annotations, some netfilter improvements, some kbuild work, a new wait_event_interruptible_exclusive() macro, support for the O_NOATIME flag in the open() call, sysfs knobs for tuning the CFQ I/O scheduler, mirroring and snapshot targets for the device mapper, the removal of the PC9800 subarchitecture, reiserfs data=journal support, preemptible kernel support for the PPC64 architecture, and many fixes and updates.

The current prepatch from Andrew Morton is 2.6.7-mm4. Recent additions to -mm include a rearrangement of the x86 user-space memory layout (see below), some preparatory work for software suspend on SMP systems, PCMCIA sysfs support, and lots of fixes.

The current 2.4 prepatch is 2.4.27-rc2, which was released by Marcelo on June 26. A relatively large number of patches (for a release candidate) went in; they include a USB gadget driver update, a number of backported fixes for potential security problems, an XFS update, a netfilter update, and various fixes.


Kernel development news

Reorganizing the address space

[memory layout diagram] The traditional organization of the virtual address space (as seen from user space, on x86 systems) is as shown in the diagram to the right. The very bottom part of the address space is unused; it is there to catch NULL pointers and such. Starting at 0x8000000 is the program text - the read-only, executable code. The text is followed by the heap region, being the memory obtainable via the brk() system call. Typically functions like malloc() obtain their memory from this area; non-automatic program data is also stored there.

The heap differs from the first two regions in that it grows in response to program needs. A program like cat will not make a lot of demands on the heap (one hopes), while running a yum update can grow the heap in a truly disturbing way. The heap can expand up to 1GB (0x40000000), at which point it runs into the mmap area; this is where shared libraries and other regions created by the mmap() system call live. The mmap area, too, grows upward to accommodate new mappings.

Meanwhile, the kernel owns the last 1GB of address space, up at 0xc0000000. The kernel is inaccessible to user space, but it occupies that portion of the address space regardless. Immediately below the kernel is the stack region, where things like automatic variables live. The stack grows downward. On a really bad day, the stack and the mmap area can run into each other, at which point things start to fail.

This organization has worked for some time, but it does have a couple of disadvantages. It fragments the address space, such that neither the heap nor the mmap area can make use of the entire space. If one program makes heavy use of the heap, it could run out of memory, even though a large chunk of space is available between the mmap area and the stack. Normally, not even yum can occupy that much heap, but there are other applications out there which are up to that challenge.

[revised memory layout] As a way of making life safer for the true memory hogs out there, Ingo Molnar has posted a patch which rearranges user space along the lines of the revised diagram on the left. The mmap area has been moved up to the top of the address space, and it now grows downward toward the heap. As a result, the bulk of the address space is preserved in a single, contiguous chunk which can be allocated to either the heap or mmap, as the application requires.

As an added bonus, this organization reduces the amount of kernel memory required to hold each process's page tables, since the fragment at 0x40000000 is no longer present.

There are a couple of disadvantages to this approach. One is that the stack area is rather more confined than it used to be. The actual size of the stack area is determined by the process's stack size resource limit, with a sizable cushion added, so problems should be rare. The other problem is that, apparently, a very small number of applications get confused by the new layout. Any application which is sensitive to how virtual memory is laid out is buggy to begin with; according to Arjan van de Ven, the most common case is applications which store pointers in integer variables and then do the wrong thing when they see a "negative" value.

The fact is that most users will never notice the change; for a demonstration, consider that Fedora kernels have been shipping with this patch for some time. Even a vanilla Fedora Core 1 system has it; a command like "cat /proc/self/maps" will show the new layout at work. The patch is currently part of the -mm kernel, and will probably find its way into the mainline before too long.
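
The two layouts can be told apart from a maps listing. The following added example (not from the article or from Ingo Molnar's patch) parses maps-format text, decides which layout it shows, and counts the mmap-area addresses that the pointer-in-an-integer bug mentioned above would read as negative. Both listings are constructed, and the example assumes the [heap] and [stack] labels that current kernels print.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPS 64

struct layout {
    unsigned long long heap_end, stack_start; /* from [heap] and [stack] */
    unsigned long long mmap_low, mmap_high;   /* extent of the mmap area */
    int mmap_count;       /* mappings found between heap and stack */
    int negative_as_int;  /* of those, start addresses that look negative */
    int top_down;         /* 1 if the mmap area sits just below the stack */
};

/* Constructed samples in /proc/<pid>/maps format (32-bit x86 addresses). */
static const char legacy_maps[] =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /bin/cat\n"
    "0804d000-0806e000 rw-p 00000000 00:00 0 [heap]\n"
    "40000000-40015000 r-xp 00000000 03:01 2001 /lib/ld.so\n"
    "40020000-40150000 r-xp 00000000 03:01 2002 /lib/libc.so\n"
    "bfffe000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

static const char topdown_maps[] =
    "08048000-0804c000 r-xp 00000000 03:01 1234 /bin/cat\n"
    "0804d000-0806e000 rw-p 00000000 00:00 0 [heap]\n"
    "b7e40000-b7f70000 r-xp 00000000 03:01 2002 /lib/libc.so\n"
    "b7fe9000-b7ffe000 r-xp 00000000 03:01 2001 /lib/ld.so\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* The buggy pattern: a 32-bit pointer kept in a signed int and compared
 * against zero.  Returns 1 when such code would see a "negative" value. */
int looks_negative_as_int32(unsigned long long addr)
{
    uint32_t bits = (uint32_t)addr;
    int32_t as_int;

    memcpy(&as_int, &bits, sizeof(as_int));
    return as_int < 0;
}

/* Parse maps-format text and summarize the layout.  Returns 0 on success,
 * -1 if there is no [heap] or [stack] line or nothing mapped between them. */
int analyze_maps(const char *text, struct layout *out)
{
    unsigned long long start[MAX_MAPS], end[MAX_MAPS];
    int n = 0, i, have_heap = 0, have_stack = 0;

    memset(out, 0, sizeof(*out));
    while (*text != '\0' && n < MAX_MAPS) {
        char line[256], name[64] = "";
        size_t len = strcspn(text, "\n");
        size_t copy = len < sizeof(line) - 1 ? len : sizeof(line) - 1;

        memcpy(line, text, copy);
        line[copy] = '\0';
        text += len + (text[len] == '\n');
        /* Fields: start-end perms offset dev inode [path] */
        if (sscanf(line, "%llx-%llx %*s %*s %*s %*s %63s",
                   &start[n], &end[n], name) < 2)
            continue;
        if (strcmp(name, "[heap]") == 0) {
            out->heap_end = end[n];
            have_heap = 1;
        } else if (strcmp(name, "[stack]") == 0) {
            out->stack_start = start[n];
            have_stack = 1;
        }
        n++;
    }
    if (!have_heap || !have_stack)
        return -1;
    /* Mappings that lie between heap and stack form the mmap area. */
    for (i = 0; i < n; i++) {
        if (start[i] < out->heap_end || end[i] > out->stack_start)
            continue;
        if (out->mmap_count == 0 || start[i] < out->mmap_low)
            out->mmap_low = start[i];
        if (end[i] > out->mmap_high)
            out->mmap_high = end[i];
        out->mmap_count++;
        out->negative_as_int += looks_negative_as_int32(start[i]);
    }
    if (out->mmap_count == 0)
        return -1;
    /* Heuristic: is there less free space above the mmap area than below? */
    out->top_down = (out->stack_start - out->mmap_high) <
                    (out->mmap_low - out->heap_end);
    return 0;
}

int main(void)
{
    struct layout l;

    if (analyze_maps(topdown_maps, &l) == 0)
        printf("top_down=%d mmap=%llx-%llx negative_as_int=%d\n",
               l.top_down, l.mmap_low, l.mmap_high, l.negative_as_int);
    return 0;
}
```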


DMA issues, part 2

Last week's Kernel Page looked at various DMA-related issues. One of those was the ability to make use of memory located on I/O controllers for DMA operations. That work has taken a step forward with this proposal from James Bottomley, which adds a new function to the DMA API:

    int dma_declare_coherent_memory(struct device *dev, 
                                    dma_addr_t bus_addr,
                                    dma_addr_t device_addr, 
                                    size_t size, int flags);

This function tells the DMA code about a chunk of memory available on the device represented by dev. The memory is size bytes long; it is located at bus_addr from the bus's point of view, and device_addr from the device's perspective. The flags argument describes how the memory is to be used: whether it should be mapped into the kernel's address space, whether children of the device can use it, and whether it should be the only memory used by the device(s) for DMA.

The actual patch implementing this API is still in the works. As of this writing, there have been no real comments on it.

Meanwhile, a different DMA issue has been raised by the folks at nVidia, who are trying to make their hardware work better on Intel's em64t (AMD64 clone) architecture. It is, it turns out, difficult to reliably use DMA on devices which cannot handle 64-bit addresses.

Memory on (non-NUMA) Linux systems has traditionally been divided into three zones. ZONE_DMA is the bottom 16MB; it is the only memory which is accessible to ancient ISA peripherals and, perhaps, a few old PCI cards which are simply a repackaging of ISA chipsets. ZONE_NORMAL is all of the memory, outside of ZONE_DMA, which is directly accessible to the kernel. On a typical 32-bit Linux system, ZONE_NORMAL extends up to just under the first 1GB of physical memory. Finally, ZONE_HIGHMEM is the "high memory" zone - the area which is not directly accessible to the kernel.

This layout works reasonably well for DMA allocations on 32-bit systems. Truly limited peripherals use memory taken from ZONE_DMA; most of the rest work with ZONE_NORMAL memory. In the 64-bit world, however, things are a little different. There is no need for high memory on such systems, so ZONE_HIGHMEM simply does not exist, and ZONE_NORMAL contains everything above ZONE_DMA. Having (almost) all of main memory contained within ZONE_NORMAL simplifies a lot of things.

Kernel memory allocations specify (implicitly or explicitly) the zone from which the memory is to be obtained. On 32-bit systems, the DMA code can simply specify a zone which matches the capabilities of the device and get the memory it needs. On 64-bit systems, however, the memory zones no longer align with the limitations of particular devices. So there is no way for the DMA layer to request memory fitting its needs. The only exception is ZONE_DMA, which is far more restrictive than necessary.

On some architectures - notably AMD's x86_64 - an I/O memory management unit (IOMMU) is provided. This unit remaps addresses between the peripheral bus and main memory; it can make any region of physical memory appear to exist in an area accessible by the device. Systems equipped with an IOMMU thus have no problems allocating DMA memory - any memory will do. Unfortunately, when Intel created its variant of the x86_64 architecture, it decided to leave the IOMMU out. So devices running on "Intel inside" systems work directly with physical memory addresses, and, as a result, the more limited devices out there cannot access all of physical memory. And, as we have seen, the kernel has trouble allocating memory which meets their special needs.

One solution to this problem could be the creation of a new zone, ZONE_BIGDMA, say, which would represent memory reachable with 32-bit addresses. Nobody much likes this approach, however; it involves making core memory management changes to deal with the shortcomings of a few processors. Balancing memory use between zones is a perennial memory management headache, and adding more zones can only make things worse. There is one other problem as well: some devices have strange DMA limitations (a maximum of 29 bits, for example); creating a zone which would work for all of them would not be easy.

The Itanium architecture took a different approach, known as the "software I/O translation buffer" or "swiotlb." The swiotlb code simply allocates a large chunk of low memory early in the bootstrap process; this memory is then handed out in response to DMA allocation requests. In many cases, use of swiotlb memory involves the creation of "bounce buffers," where data is copied between the driver's buffer and the device-accessible swiotlb space. Memory used for the swiotlb is removed from the normal Linux memory management mechanism and is, thus, inaccessible for any use other than DMA buffers. For these reasons, the swiotlb is seen as, at best, inelegant.

It is also, however, a solution which happens to work. The swiotlb can also accommodate devices with strange DMA masks by searching until it finds memory which fits. So the solution to the problem experienced by nVidia (and others) is likely to be a simple expansion of the swiotlb space. Carving a 128MB array out of main memory for full-time use as DMA buffers may seem like a shocking waste, but, if you have enough memory that you're having trouble with addresses requiring more than 32 bits, the cost of a larger swiotlb will be hard to notice.
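
The decision described above, as an added user-space model in C (written for illustration; it is not kernel or swiotlb code): a buffer the device can address is used directly, and anything else is copied through a reserved slot chosen by searching for one that fits the device's DMA mask. The pool layout, slot size and the model_* names are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 2048u
#define NSLOTS    8

/* A toy stand-in for the low-memory pool reserved at boot. */
struct bounce_pool {
    uint64_t phys[NSLOTS];                 /* pretend physical address */
    unsigned char data[NSLOTS][SLOT_SIZE];
    int in_use[NSLOTS];
};

struct dma_mapping {
    uint64_t dma_addr; /* address the device is told to use */
    int slot;          /* bounce slot, or -1 if the buffer was used directly */
};

/* Constructed layout: slots 0-3 sit at 768MB, slots 4-7 at 256MB. */
void pool_init(struct bounce_pool *pool)
{
    int i;

    memset(pool, 0, sizeof(*pool));
    for (i = 0; i < NSLOTS; i++)
        pool->phys[i] = (i < 4 ? 0x30000000ull : 0x10000000ull)
                        + (uint64_t)(i % 4) * SLOT_SIZE;
}

/* Can a device with this DMA mask reach every byte of [phys, phys+size)? */
int fits_mask(uint64_t phys, size_t size, uint64_t mask)
{
    return size != 0 && phys <= mask && (uint64_t)(size - 1) <= mask - phys;
}

/* Map a driver buffer for a device.  Returns 0 on success, -1 when the
 * buffer is out of reach and no free slot fits the device's mask. */
int model_map(struct bounce_pool *pool, uint64_t dev_mask, uint64_t buf_phys,
              const void *buf, size_t size, struct dma_mapping *m)
{
    int i;

    if (fits_mask(buf_phys, size, dev_mask)) {
        m->dma_addr = buf_phys;
        m->slot = -1;
        return 0;
    }
    if (size == 0 || size > SLOT_SIZE)
        return -1;
    for (i = 0; i < NSLOTS; i++) {
        if (pool->in_use[i] || !fits_mask(pool->phys[i], size, dev_mask))
            continue;
        memcpy(pool->data[i], buf, size); /* bounce: copy toward the device */
        pool->in_use[i] = 1;
        m->dma_addr = pool->phys[i];
        m->slot = i;
        return 0;
    }
    return -1;
}

/* Finish a transfer: copy device-written data back and free the slot. */
void model_unmap(struct bounce_pool *pool, const struct dma_mapping *m,
                 void *buf, size_t size)
{
    if (m->slot < 0)
        return;
    memcpy(buf, pool->data[m->slot], size);
    pool->in_use[m->slot] = 0;
}

int main(void)
{
    static struct bounce_pool pool;
    struct dma_mapping m;
    char buf[16] = "payload";

    pool_init(&pool);
    /* Buffer at 5GB, device limited to 32-bit addresses: bounced. */
    model_map(&pool, 0xffffffffull, 0x140000000ull, buf, sizeof(buf), &m);
    printf("32-bit device: slot %d, dma_addr 0x%llx\n", m.slot,
           (unsigned long long)m.dma_addr);
    model_unmap(&pool, &m, buf, sizeof(buf));
    /* Buffer at 1GB, device limited to 29 bits: skips the 768MB slots. */
    model_map(&pool, 0x1fffffffull, 0x40000000ull, buf, sizeof(buf), &m);
    printf("29-bit device: slot %d, dma_addr 0x%llx\n", m.slot,
           (unsigned long long)m.dma_addr);
    return 0;
}
```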


Supporting deeper symbolic links

Linux has long limited filename lookups to a maximum of five chained symbolic links. The limit is a useful way of dealing with symbolic link loops, but that is not why it exists. Following symbolic links is an inherently recursive task; once a link has been resolved, the new destination can be another link, which starts the whole process from the beginning. In general, recursion is frowned on in the kernel; the tight limit on kernel stack space argues against allowing any sort of significant call depth at all. The five-link limit was set because, if the limit were higher, the kernel would risk overrunning the kernel stack when following long chains.

Users do occasionally run into the five-link limit, and, of course, they complain. The limit imposed by Linus is lower than that found on a number of other Unix-like systems. So there has long been some motivation to raise that limit somewhat.

Alexander Viro has finally done something about it. His approach was to change the behavior of the filesystem follow_link() method slightly. This method has traditionally been charged with finding the target of a symbolic link, then calling back into the virtual filesystem code (via vfs_follow_link()) to cause the next stage of resolution to happen. In the new scheme of things, the follow_link() method is still free to do the whole job, so unmodified filesystems still work. But the preferred technique is for the filesystem code to simply store the file name for the link target in a place where the VFS code can find it and return. The VFS can then make the vfs_follow_link() call itself.

This seems like a small change, but it has an important effect. The filesystem's follow_link() method's stack frame is now gone, since it has returned back to the core VFS code. And the core code can use an in-lined version of vfs_follow_link(), rather than calling it (with its own stack frame) from the outside. As a result, two fewer stack frames are required for every step in the resolution of the symbolic link.

Al figures that this change will enable raising the maximum link depth to eight, or even higher (though there is probably little reason to go beyond eight). That change has not yet happened - all of the filesystems will need to be updated and the patch proven stable first. But the initial set of patches has found its way into Linus's BitKeeper tree, so the process is coming near to its conclusion.


Page editor: Jonathan Corbet

Distributions

News and Editorials

A Short History of Linux Distributions

June 30, 2004

This article was contributed by Joe Klemmer

There have been many articles and books written about Linux; where it came from, how it got where it is today, the whole "Who's Who" list... A good Google search or some time spent on sites such as The Linux Documentation Project and Linux Journal will tell you more than you could ever wish to know. But there is little information on the history and evolution of Linux distributions. As of this writing, there are 303 Linux distributions according to DistroWatch [editor's note: currently 353 "active" distributions are listed on LWN's Distribution List]. It would seem that everyone and his dog has a distribution available. This hasn't always been the case.

Back in late 1991, when Linux first hit the 'Net, there were no distributions per se. The closest thing was HJ Lu's Boot/Root floppies. They were 5.25" diskettes that could be used to get a Linux system running. You booted from the boot disk and then, when prompted, inserted the root disk. After a while you got a command prompt. Back in those days if you wanted to boot from your hard drive you had to use a hex editor on the master boot record of your disk. Something that was definitely not for the faint of heart. I remember when Erik Ratcliffe wrote the first instructions (this was long before HOWTO files) on how to do just that. It wasn't until later that anything you could call a real distribution appeared.

The first such thing was from the Manchester Computing Centre. Known as MCC Interim Linux, it was a collection of diskettes that, once installed on your system, let you have a basic UNIX environment. It was console only, no X. Shortly after that there was a release out of Texas A&M University called TAMU 1.0A. This was the first one that let you run X, though the method they used to configure it occasionally allowed the magic smoke to escape from your monitor. Both of these were developed for their universities' in-house use. They were also released to the world for anyone to use.

The first commercial Linux distribution, in the sense that it was developed for public consumption rather than in-house use only, was Yggdrasil. This also had the distinction of being the first "Live" Linux CD. You could boot from a diskette and run everything off the CD. This was back in the days of 1x and 2x CD-ROM drive speeds, so it wasn't exactly setting the world on fire. You could start X then literally go get a cup of coffee before it finished coming up. Yggdrasil had some nice features dealing with configuration, though, especially for the time.

On the heels of that came the first widely recognized and used Linux distribution, SLS Linux. It was put together by Soft Landing Systems, hence the name, and came in a handful of files that you would unzip and copy to floppy disks. This was Linux's first big breakthrough. SLS dominated the market until the developers made a decision to change the executable format (if you remember the a.out to ELF conversion you'll remember this). This was not well received by the user base. Just around the time this happened Patrick Volkerding had taken SLS and adapted, modified, tweaked and cleaned it up, making it a different thing altogether. He called it Slackware. With the unpopular direction SLS had taken, Slackware quickly replaced it and became the dominant distribution used by nearly everyone. In fact it's still in use today.

Now, all of this took place in the span of about 3 years. In those days the speed with which changes happened was unbelievable. By the time '94/'95 came around you started seeing more distributions popping up. Familiar names like Red Hat, Debian, Caldera, TurboLinux, and SuSE were becoming popular. There were also a few other distributions that came and went between '91 and '95. However, they had little impact on the overall direction that Linux distributions would take. If you search the 'Net you can still find references to these early distributions, and possibly even some archives of the releases themselves. If you have some free time you should look at these old releases. Not only will you be able to see how far Linux has come, you'll also see what life was like in the early days of Linux distributions.


Distribution News

Slackware 10.0 released

Slackware 10.0 is out; see the announcement for details. Downloads are available via the mirrors or with BitTorrent.


Red Hat, Novell to ship Helix Player

RealNetworks has been cranking out the press releases at GUADEC. This one announces a deal with Red Hat; that company's upcoming desktop distribution will feature Helix Player and a "no-cost upgrade" option for RealPlayer 10. There is also an arrangement with Novell, which will simply ship RealPlayer directly.


SmoothWall Express 2.0 is a success

Here's a press release from SmoothWall Ltd. on the success of SmoothWall Express, the company's standalone firewall product.

Full Story (comments: none)

Debian GNU/Linux

The Debian Weekly News for June 29 is out. Topics this week include the general resolution which would allow the release of Sarge with non-free data (voting ends July 2), various installer topics, and Debian at LinuxTag.

To vote in the general resolution (if it's not too late) go to the voting page.

Robert Millan announced the release of the GNU/kFreeBSD LiveCD rescue system. You can use it to try GNU/kFreeBSD without the hassle of installing, and for now it is also the recommended install method.

DebianPlanet reports that the Hilux installer for Woody is now available.


Gentoo Weekly Newsletter

The June 28 issue of the Gentoo Weekly Newsletter is out. The main topic this week is Gentoo at LinuxTag. "There are offers simply impossible to turn down. When Gentoo developer Lars Weiler (Pylon) was approached to try an installation on the finest machine displayed at the Hewlett-Packard booth during the German LinuxTag, the HP staff really didn't have to ask him twice."

Full Story (comments: none)

Improved fedora.us UPDATE submission policy

The core fedora.us developers have announced the first concrete step of an ongoing work to improve the flow and documentation of the fedora.us package submission process. The updated process (click below for details) is effective immediately.

Full Story (comments: none)

Fedora updates

Updates for Fedora Core 2:
  • Sysstat had minor buffer overflows and parsing problems. None of them in any way exploitable it turns out. Sysstat also spewed junk to the console on startup.
  • Finger mishandled stale utmp entries and also entries from remote X sessions. This would cause random idle times and spurious users to be shown.
  • The ftp client would segmentation fault in certain situations when the remote server closed the connection on it in an unexpected fashion.
  • This im-sdk update hides the status window when the input method is off and also fixes a number of other issues.
  • An updated jcode.pl package has been released to fix an incorrect install path which made the package unusable except on the x86-64 architecture.
  • This release of cdrtools obsoletes the dvdrtools packages. It includes a stub for dvdrecord and its man page, which mentions that it is obsoleted.
  • Another update to cdrtools.
  • A new version of openmotif fixes a problem in the latest xinitrc (which links to the openmotif libraries).
  • The kcc kanji code converter crashes when an invalid option is specified. This updated package fixes the problem.
  • This gimp update is supposed to fix #124307 "missing help files" by spitting out a slightly more informative error message if gimp-help isn't installed.
  • The gimp-gap package has been updated to version 2.0.2 which has enhancements and bugfixes.
  • A new xinitrc update resolves an issue caused by the previous xinitrc package update in which some users were unable to use input methods in X11.
  • This gaim update fixes the Yahoo protocol bug.
  • This dovecot update resolves several rare problems.
  • This strace update is for those running 32-bit binaries on the x86-64 platform.
There are also gaim and dovecot updates available for Fedora Core 1, as well as two tcltk updates, FEDORA-2004-193 and FEDORA-2004-200.

There are new cscope packages for FC1 and FC2.


Mandrakelinux

Mandrakelinux has an updated initscripts package that corrects various bugs.

Full Story (comments: none)

Trustix Secure Linux

Trustix fixes bugs in kerberos5 for TSL 2.1 and Enterprise Server 2.

This advisory covers minor bug fixes in libpng, mod_php4, openssl, rsync, slocate and swup for TSL 1.5, 2.0, 2.1 and Enterprise Server 2.

Trustix has several bug fixes available for apache, libpng and python. (TSL 2.0, 2.1 and Enterprise Server 2)


New Distributions

German Government Linux Desktop (DebianPlanet)

DebianPlanet covers the release of the Linux Government Desktop at LinuxTag 2004. The Linux Government Desktop is produced by the German Federal Office for Information Security and the company credativ as a Live CD as well as an Install CD Edition. It is composed entirely of free software, based on Debian stable "woody" and contains KDE 3.2.2, Mozilla and a special themed version of OpenOffice 1.1.1 which integrates seamlessly with KDE.


Hiweed GNU/Linux

Hiweed GNU/Linux is a Chinese Linux distribution, based on Debian GNU/Linux. Its features include preconfigured Chinese applications, such as Chinese input method, Chinese-English and English-Chinese dictionaries, and Chinese true-type fonts. Hiweed joins the list at version 0.3RC1 released June 29, 2004.


Nitix

Nitix is a product of Net Integration Technologies Inc., a server OS with autonomic computing features -- self-management, self-healing, self-configuring and self-optimizing capabilities. (Thanks to Leandro Guimarães Faria Corcete Dutra)


Minor distribution updates

Astaro Security Linux

Astaro Security Linux has released v5.012 with minor bugfixes. "Changes: This Up2Date improves the Up2Date backend and fixes a bug which prevents the operation of the "Pause" button in livelog on MS Internet Explorer."


BG-Rescue Linux

BG-Rescue Linux has released v0.3.2 with minor feature enhancements. "Changes: The kernel was updated to 2.4.26 and NTFS was updated to 2.1.6b. nForce Ethernet support was added. Parts of reiserfsprogfs were replaced by the smaller progsreiserfs. The new busybox applets udhcpc and telnetd were added. progsreiserfs 0.3.0.5 was added. tar was downgraded to the version from busybox 0.60.5, which is more reliable. cloop was updated to 2.01, e2fsprogs to 1.35, lilo to 22.5.9, mdadm to 1.6.0, ms-sys to 2.0.0, ntfsprogs to 1.9.2, reiserfsck to 3.6.17, and syslinux to 2.08."


blueflops

blueflops has released v2.0.4 with minor feature enhancements. "Changes: The kernel was upgraded to 2.6.7. Only English and Romanian translations are currently available. The mouse configuration has been separated from that of the video card. NumLock status is now a setup option. A new Finnish keymap (fi-latin1) was added. A "links_text" script was added to run "links" in text mode. Various scripts were changed in minor ways, and some small fixes were made. A better logo was created."


Buffalo Linux

Buffalo Linux has released v1.3.1 with major feature enhancements. "Changes: This major release makes Buffalo fully compatible with Slackware 10.0. Additional enhancements include: desktop improvements, a new Buffalo GUI "admin", an improved CD upgrade option, kernel 2.6.7, OpenOffice 1.1.2, GIMP 2.0.2, GNOME 2.6.1, GCC 3.3.4, Mozilla 1.7, a total of 59 package upgrades, and new builds of MySQL, Scribus, GAIM, and others. With this release, the rate of new Buffalo releases is expected to slow down. Future version releases will track new kernel versions or major package updates."


INSERT

INSERT (INside SEcurity Rescue Toolkit) has released v1.2.13 with major feature enhancements. "Changes: This is a major new release. The kernel was updated to version 2.4.26. INSERT is now based on KNOPPIX 3.4. The result is even better hardware support and detection. The bug with the file system on the image not being readable from Windows is fixed. Also other minor issues have been addressed. Various feature requests have been dealt with. Support for virus scanning is improved with clamav being updated to the latest version. Most of the other packages come in newer versions now."


Linux LiveCD Router

Linux LiveCD has released v1.9.6 with minor bugfixes. "Changes: Minor default config bugs were fixed. The documentation was updated."


Always Current Lineox Enterprise Linux

Lineox, Inc. has released Always Current Lineox Enterprise Linux version 3.023, the 23rd version of Always Current Lineox Enterprise Linux since February 23, 2004. A new version of Always Current Lineox Enterprise Linux is always released when Red Hat, Inc. releases bug or security fix packages for Red Hat Enterprise Linux 3.0, but occasionally also when new features are added to Always Current Lineox Enterprise Linux. Click below for more.

Full Story (comments: none)

Mulimidix

Mulimidix has released the build tree of Mulimidix 0.7. You can use this LFS based source-compilation to build your own Mulimidix, optimized for your processor.


NSA Security Enhanced Linux

NSA Security Enhanced Linux has released v2004062816 with minor feature enhancements. "Changes: The current prototype and the experimental NFS code are now based on Linux kernel 2.6.7. Fine-grained netlink classes and permissions have been added. Many enhancements and bugfixes for policy as well as userland tools including slat and setools have been incorporated."


Overclockix

Overclockix has released the third revision for v3.4. "6/22/04- New 3.4 release is finished. Mostly minor bugfixes in this release. Also worthy of news- I've been assisting the developer of Barnix/DebXPde with iso hosting. Barnix is a custom Knoppix which uses XPde as the default desktop environment. It should look and feel very much like Windows XP. I hope in the future to incorporate XPde as an option in Overclockix, but will probably not set it as the default desktop."


Puppy Linux

Puppy Linux has released sources for puppy-0.9.0. See the June 28th entry at Puppy News for more information.

Comments (none posted)

New Quantian release 0.5.9.2 available

Quantian 0.5.9.2 is the second release based on Knoppix 3.4 with many changes from both new and updated packages. This Quantian release is based on Knoppix 3.4 and the clusterKnoppix release from May 10 with kernel 2.4.26 with the 'testing status' openMosix patch as well as a non-openMosix kernel 2.6.6. Click below for more information.

Full Story (comments: none)

Rock Linux

Rock Linux has released v2.0.2 with major security fixes. "Changes: This is a maintenance release and includes a number of security fixes and minor version updates pulled from the development tree. It includes linux-2.4.26+fpu-state-fix, linux-2.6.7, kde-3.2.2, qt-3.3.2, apache-2.0.49, samba-3.0.4, and wine-20040615. New packages include firefox, thunderbird, e2fsimage, device-mapper, and lvm2. Usability improvements were made for ROCK Net and the CD-Installer. This release now features full boot-CD support for IBM RS/6000 and Ultra SPARC and iBook-G4 support."

Comments (none posted)

tinysofa

tinysofa has released tinysofa enterprise server 2.0-pre1 (Persistence), a technology preview of the next version.

Comments (none posted)

wrt54g-linux

wrt54g-linux has released v0.51 to add documentation. "Changes: This release adds a FAQ to address most common installation problems."

Comments (none posted)

Distribution reviews

Aurox 9.3 review

SKN Informatyki SGH reviews Aurox Linux 9.3, a Polish distribution based on Fedora Core 1. "A large portion of this review either directly or implicitly compares Aurox with Fedora Core 1. This is inevitable, as Aurox is directly derived from Fedora and most of the packages, including the kernel, are the same. What Aurox does is that it seamlessly fits into the area where Fedora lacks mostly, that is multimedia support. That means if you are considering Fedora or it is already your distro of choice, then you definitely should give Aurox a try."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Free Software Directory's Documentation Vacuum

One of the numerous duties your development page editor must do each week is to scan a list of web sites for announcements of new and updated open-source software packages. Several criteria are used to select software announcements for inclusion in the weekly edition. The most important points include usefulness of the software to a wide range of people, the existence of documentation describing the project, and availability of documentation describing the changes in the just-released version.

Over the years, many projects have been added to this list, and many others have been removed, due to either project stagnation, or ineffective project documentation. The list itself is a bit too ragged for publication here.

One site that gets visited one or more times each week is the FSF/UNESCO Free Software Directory. It contains a list of the most recently changed open-source applications, as well as categorized listings of over 3,000 packages. It's a great place to find just about any kind of software you may need, and get a real feel for the wealth of open-source applications that are available.

Unfortunately, a common problem has been observed with the majority of the new releases listed on the site: discovering what the changes are in the latest versions. We'll look at the latest release of etherboot as an example. We're not picking on this particular project in any way; it's just one of many cases.

Starting with the FSF/UNESCO Free Software Directory, we see an interesting package listed in the Ten most recently updated entries section:

etherboot - [The GNU General Public License, Version 2] - 2004-06-28 Makes boot ROMS

Cool, there's a new version this week. Clicking on the link to the etherboot announcement, we see, among other things,

Version 5.3.8 (devel) released on 2004-06-28.

So far, so good. But here's where things begin to get dicey. The announcement page links to the source code (stable version only), various mailing lists, documentation, and the project web page. But we want to get the development version that we saw in the previous announcement.

Moving to the project web page, we get a typical project presentation with the usual links. Let's see if there's anything about the new release under News. Nope, just a link to the project's SourceForge page. Finally, we're getting somewhere. Using the age-old axiom, Use the Source, Luke, we download version 5.3.8. Interestingly, the download date for this release has mysteriously changed to June 12, 2004. Downloading takes us through the usual series of intermediate steps to select a local server, before beginning the operation.

Now, we have a local copy of the source file. An invocation of tar yields the source tree. Change into the source tree, and FINALLY, there are some release notes:

As of Etherboot 5.3.8: There is no longer a default target for make. You must specify an argument to make. Help text is now provided to indicate possible make targets. binutils-2.14 is no longer needed in order to compile images. The symbolsrec feature is not used, so older binutils (ld) should work.

That took an awful lot of clicking through web sites across the net, the need for a lot of disk space, some bandwidth, the knowledge of dealing with bunzip2 and tar, and a fair amount of patience.

There really ought to be a simpler way to get this kind of information out. Often, your griping (but not necessarily grumpy) editor simply moves on to the next project in search of more accessible documentation, and the cool new software doesn't get the attention that it deserves.

Finally, a frequent problem with software announcements is the lack of any kind of date associated with a new version announcement. Free software writers would be well advised to add a few trivial bits of information to their releases, and make sure the information is easy to find. Doing so would probably do wonders for expanding the user base.

Comments (5 posted)

System Applications

Database Software

Using CachedRowSet to Transfer JDBC Query Results Between Classes (O'ReillyNet)

Sean Eidemiller works with the Java Database Connectivity (JDBC) API on O'Reilly. "JDBC developers have always needed to keep a database connection open while pulling query results. But with the CachedRowSet in J2SE 1.5, it's now possible to disconnect and then get results. Sean Eidmiller shows the advantages of this approach."

Comments (none posted)

pgpool 2.0 is available

Version 2.0 of pgpool, an open-source connection pool and replication server for PostgreSQL, is out. "2.0 now supports native V3 protocol which should make pgpool faster if used with PostgreSQL 7.4 or later. Also, pgpool 2.0 supports the load balancing between master/secondary PostgreSQL backends to gain better performance for SELECT statement."

Full Story (comments: none)

PostgreSQL Weekly News

The June 29, 2004 edition of the PostgreSQL Weekly News has been published. "Probably the largest patch this week was rounding out of object ownership changing capabilities. You can now change owners on aggregates, conversions, functions, operators, operator classes, schemas, types, and tablespaces."

Full Story (comments: none)

Why Write PostgreSQL Extension Functions?

Joe Conway explains PostgreSQL extension on O'Reilly. "Have you ever wanted (or needed) to process your data in a way that your database cannot handle natively? You're not alone. One of my favorite capabilities of PostgreSQL is its extensibility. You can extend PostgreSQL's native functionality using one of the five procedural languages shipped with PostgreSQL or one of several independently available procedural language handlers."

Comments (none posted)

Mail Software

Bogofilter 0.92.0 released

Stable version 0.92.0 of Bogofilter, an email spam filter, is out. "There have been a few documentation updates and a minor bug fix since the previous release."

Full Story (comments: none)

Web Site Development

OutSide Photos 0.70 released (SourceForge)

Version 0.70 of OutSide Photos, a PHP-based web photo management system, has been released. Changes include selectable themes, a comment system, automatic user creation, semi-automatic setup, and bug fixes.

Comments (none posted)

PHPoto 0.5.0-pre-3 released (SourceForge)

Version 0.5.0-pre-3 of PHPoto, a PHP/MySQL photo gallery package, is available. "Added a new feature: thumbnail regeneration! This will allow administrators to normalize the size of thumbnails in an album if they choose to change the album's max thumbnail size. Thumbnails will be regenerated to fit in the new size. This version also include MANY user interface enhancements from all previous versions."

Comments (none posted)

MediaWiki 1.3.0beta4 released (SourceForge)

Version 1.3.0beta4 of the MediaWiki collaborative editing software has been announced. Changes include: "Some compatibility fixes for PHP 4.1.2 and 4.2.x; installer checks for missing MySQL support; and many various things fixed. Anyone running a public server on 1.3.0beta is strongly recommended to upgrade to this release, as a potential JavaScript injection attack in earlier betas has been fixed."

Comments (none posted)

ZopeMag Weekly News

Issue 35 of the ZopeMag Weekly News is available with the latest Zope/Plone news.

Comments (none posted)

Miscellaneous

GNOME System Tools 0.34.0 is out

Version 0.34.0 of the GNOME System Tools, a set of cross-platform configuration utilities, is out. Changes include the use of GTK+ 2.4 widgets, improved message strings, support for Mandrake 10 and SUSE 9, bug fixes, and more.

Full Story (comments: none)

Desktop Applications

Audio Applications

WaveSurfer 1.6.5 released

Version 1.6.5 of WaveSurfer, an audio file editor, is out. The primary change is a move to version 2.2.7 of the Snack Sound Toolkit.

Comments (none posted)

Desktop Environments

The GNOME 2.6.2 Desktop and Developer Platform

Version 2.6.2 of the GNOME Desktop and Developer Platform is out. "This point release from the stable branch of the GNOME Desktop and Developer Platform contains a lot of bugfixes and improvements over the previously released 2.6.1 version. Our maintainers, bugfixers, translators and general contributors have been hard at work for the last couple of months bringing more polish, stability and performance to your favourite desktop environment."

Full Story (comments: none)

GNOME Terminal 2.7.3 announced

Version 2.7.3 of GNOME Terminal, a terminal emulator, is out with bug fixes, better translations, and more.

Full Story (comments: none)

libxklavier 1.03 announced

Version 1.03 of libxklavier, a GNOME keyboard library, is out. "This is a bugfix release, addressing several big and small issues detected by people using the Keyboard Indicator applet in gnome-applets. This release is absolutely API/ABI compatible with the previous one."

Full Story (comments: none)

KDE-CVS-Digest (KDE.News)

The June 25, 2004 edition of the KDE-CVS-Digest is online. Here's the content summary: "Python bindings for QT and KDE are now in Kdebindings. amaroK now has Javascript scripting. Kutils adds incremental find. Kwin adds window specific settings GUI."

Comments (none posted)

Quickies: SuperKaramba Theme Archive, Unified Desktop, Skype, RULE Mini KDE (KDE.News)

The latest KDE Quickies Posting mentions the SuperKaramba Theme Archive, Unifying the desktop, the first beta release of Skype, and the RULE Mini KDE page.

Comments (none posted)

Games

fewnn 0.1 announced

Version 0.1 of fewnn is out. "fewnn [Frontend with No Name] is frontend for the Multi-Arcade Machine Emulator. It's written for the GNOME platform using C#/Gtk#."

Full Story (comments: none)

WorldForge Weekly News

The June 26, 2004 edition of the WorldForge Weekly News is available. This issue covers the WorldForge presence at the LinuxTag conference in Karlsruhe, Germany.

Comments (none posted)

Conquer medieval kingdoms with CodeRuler (IBM developerWorks)

Sing Li explores CodeRuler on IBM's developerWorks. "Guard your castle! Claim your land! Command your knights to joust valiantly and defeat their foes. Capture the enemy's position and seize its land while dodging its menacing knights. If writing mundane Java code is giving you the blues lately, maybe it's time to turn your medieval fantasies into reality. You can rule your own kingdom while refining your Java programming skills and mastering the Eclipse development environment all at the same time. It's all in a hard day's work for a supreme CodeRuler."

Comments (none posted)

GUI Packages

Gazpacho 0.1.0 released

Initial version 0.1.0 of Gazpacho, a GUI builder for the GTK+ library, has been announced. "This program allows you to create the Graphical User Interface (GUI) of your GTK+ program in a visual way. Yes, it is a Glade-3 clone. It is compatible with libglade and it's on its early stages of development."

Full Story (comments: none)

Gtk2-Perl 2.7.3 is out

Version 2.7.3 of Gtk2-Perl, the Perl bindings for GTK+ 2.x, is available. Changes include C89 compatibility fixes, new fallback and explicit handlers, and more.

Full Story (comments: none)

Instant Messaging

Laffer 0.3.2.2 released (SourceForge)

Version 0.3.2.2 of Laffer, a Web-based instant messenger client, has been released. "In this version the code of YIM and MSN protocol classes is improved and there is support for using different interface languages, message and client charset conversions."

Comments (none posted)

Music Applications

horgand 1.07 released

Version 1.07 of horgand, an organ synthesizer, is out with lots of bug fixes and improvements.

Full Story (comments: none)

MusE 0.7pre4 is now ready

Version 0.7 pre 4 of MusE, a MIDI/Audio sequencer, has been announced. This release adds a number of features and fixes some bugs as well.

Comments (none posted)

swh-plugins 0.4.4

Version 0.4.4 of swh-plugins, a real-time audio effect utility, is out with a new limiter and bug fixes.

Full Story (comments: none)

Office Suites

ooo-build-1.1.60 announced

Build 1.1.60 of OpenOffice.org has been announced. "This package contains Desktop integration work for OpenOffice.org, several back-ported features & speedups, and a much simplified build wrapper, making an OO.o build / install possible for the common man."

Full Story (comments: none)

Web Browsers

Firefox, Thunderbird Minor Upgrades Released (MozillaZine)

MozillaZine covers the latest releases of the Firefox browser and Thunderbird email client. "Mozilla.org today released upgrades to both Firefox 0.9 (0.9.1) and Thunderbird 0.7 (0.7.1) to fix some minor bugs present in both releases. Both releases correct some flaws in the Extension System that some users may have been experiencing, as well as a new icon set for the navigation toolbar on Windows and Linux in Firefox 0.9.1."

Comments (none posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes are available for the June 14, 2004 Mozilla.org staff meeting. "Issues discussed include Mozilla 1.7 final, Mozilla Firefox 0.9, Mozilla Thunderbird 0.7, Rafael Ebron and mirrors."

Comments (none posted)

Miscellaneous

GNOME Phone Manager 0.4 is out

GNOME Phone Manager version 0.4 is available. "Phone Manager allows you to send and receive text (SMS) messages from the desktop, connecting to your mobile phone via Bluetooth, serial or IrDA. This release incorporates interface enhancements."

Full Story (comments: none)

gnubiff 1.4.0 announced

Version 1.4.0 of gnubiff, a mail notification program, is available with bug fixes, a security fix, support for PNG animation, GNOME panel integration, and more.

Full Story (comments: none)

intltool 0.31 is available

Version 0.31 of intltool is out. "The intltool package is a set of tools for translating the contents of data files using the gettext translation framework. This release contains many bug fixes, so as always we suggest everyone to upgrade."

Full Story (comments: none)

KRename 3.0.0 stable released (SourceForge)

Stable version 3.0.0 of KRename, a batch file-renamer for KDE3, is out. Changes include support for the KDE KIO-Slave technology, full command line control, usability improvements, and more.

Comments (none posted)

Languages and Tools

C

Gcc news

A new web site called Gcc News has hit the virtual street; it features weekly status updates on the GNU Compiler Collection project. This week's topics include the status of gcc 3.4.1, merging Apple's Objective C++ frontend, the removal of the expect and the dejagnu directories, measuring optimization, and more. Thanks to Ranjit Mathew.

Comments (2 posted)

C#

Mono 1.0 released

Novell has announced the release of Mono 1.0; a .NET platform for Linux. There is also a new web site at mono-project.com with a focus on how to use the Mono framework.

Comments (12 posted)

Java

EMMA 2.0.4127 released (SourceForge)

Release 2.0.4127 of EMMA is available. "EMMA is a fast Java code coverage tool based on bytecode instrumentation. It differs from the existing tools by enabling coverage profiling on large scale enterprise software projects with simultaneous emphasis on fast individual development. Release 2.0.4127 fixes a bug in the implementation of feature request 971176 and significantly improves classloading in EMMA's shutdown hook responsible for coverage data dumping."

Comments (none posted)

Java theory and practice: Kill bugs dead (IBM developerWorks)

Brian Goetz writes about FindBugs on IBM's developerWorks. "This month, columnist Brian Goetz builds on Chris Grandstaff's earlier Introduction to FindBugs and shows you how this static analysis tool can help you analyze your code for compliance with design principles that have been discussed in past issues of this column."

Comments (none posted)

Lisp

SBCL 0.8.12 released

Version 0.8.12 of Steel Bank Common Lisp has been released. "This version includes a new sampling profiler, a customizable editor invocation function, better performance for the SB-POSIX implementation, and more."

Full Story (comments: none)

Perl

Profiling Perl (O'Reilly)

Simon Cozens shows how to profile Perl in an O'Reilly article. "Everyone wants their Perl code to run faster. Unfortunately, without understanding why the code is taking so long to start with, it's impossible to know where to start optimizing it. This is where 'profiling' comes in; it lets us know what our programs are doing. We'll look at why and how to profile programs, and then what to do with the profiling information once we've got it."

Comments (none posted)

This Week on perl5-porters (use Perl)

The June 21-27, 2004 edition of This Week on perl5-porters is online. "Summer is here, and it's vacation time for the Perl 5 porters. Well, except for the valorous maint pumpking, who just released a snapshot of perl 5.8.5-to-be."

Comments (none posted)

This Week on Perl 6 (O'Reilly)

The June 24, 2004 edition of This Week on Perl 6 is online with the latest Perl 6 issues.

Comments (none posted)

PHP

PHP HL7 API (LinuxMedNews)

LinuxMedNews mentions the creation of a new Perl HL7 toolkit API for the Care2x project. "The API has been announced on the PEAR site, and the call for votes has been initiated, so as to accept this package in the official PHP PEAR list. It would be rather nice if those PHP lovers would audit the package, and vote."

Comments (none posted)

PostScript

flpsed 0.1 is out

Version 0.1 of flpsed is out. "flpsed is a WYSIWYG pseudo PostScript editor. 'Pseudo', because you can't remove or modify existing elements of a document. But flpsed lets you add arbitrary text lines to existing PostScript documents."

Comments (none posted)

Python

SIP v4.0 Released

Version 4.0 of SIP is available and features improved documentation. "SIP is a tool for generating Python modules that wrap C or C++ libraries. It is similar to SWIG. Its main use to date has been to generate PyQt and PyKDE."

Full Story (comments: none)

Dr. Dobb's Python-URL!

The June 29, 2004 edition of Dr. Dobb's Python-URL! is out with the latest Python language article links.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The June 28, 2004 edition of Dr. Dobb's Tcl-URL! is available with the latest news and articles from the Tcl/Tk community.

Full Story (comments: none)

XML

UML, XMI, and code generation, Part 3 (IBM developerWorks)

Benoît Marchal continues his series on UML modeling and XML in the third part of an IBM developerWorks series. "Benoît further refines the conversion stylesheet with the introduction of stereotypes and tags. These are extension mechanisms for UML that are used to store implementation information in the model."

Comments (none posted)

Practical XML data design and manipulation for voting systems (IBM developerWorks)

David Mertz applies XML to voting machine software on IBM's developerWorks. "In this installment, David discusses his practical experiences developing interrelated XML data formats for the EVM2003 Free Software project to develop voting machines that produce voter-verifiable paper ballots. Some design principles of format subsetting emerge."

Comments (none posted)

Creating XML with Genx (O'Reilly)

Michael Fitzgerald introduces Genx on O'Reilly. "Genx is an easy-to-use C library for generating well-formed XML output. In addition to being well-formed, Genx writes all output in canonical form. It was created by Tim Bray with help from members of the xml-dev mail list."

Comments (none posted)

Editors

gedit 2.6.2 released

Version 2.6.2 of gedit, the GNOME text editor, is out. "A new release from the stable branch is out, featuring translation updates and minor fixes."

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Senate bill bans P2P networks (News.com)

According to this News.com article, Senator Hatch's "INDUCE" act has been renamed the "Inducing Infringements of Copyrights Act," but has not otherwise been changed. "Foes of the IICA, including civil liberties groups and file-swapping network operators, are alarmed that the measure enjoys strong support from prominent politicians of both major parties. Its supporters include Patrick Leahy, D-Vt.; Senate Majority Leader Bill Frist, R-Tenn.; Minority Leader Tom Daschle, D-S.D.; Lindsey Graham, R-S.C.; and Barbara Boxer, D-Calif."

Comments (48 posted)

EFF Publishes Patent Hit List (Wired)

Wired covers the EFF's top ten list of patents to challenge. Number one: "Acacia Technologies' digital media transmission patent, which the company defines as covering 'the transmission and receipt of digital content via the Internet, cable, satellite and other means.' The EFF is worried that Acacia, which has already sued several large communications companies, is unfairly targeting small audio- and video-streaming websites."

Comments (6 posted)

Looking for Indemnification While Linux Sales Double (O'ReillyNet)

Tom Adelstein examines issues related to Linux use in the enterprise while copyright infringement claims exist, on O'ReillyNet. "Realists consider Linux adoption remarkable. The word on the street and in the foxholes of the IT community has created a swell of adoption from small businesses to the entire Fortune 500. The marketing of Linux by HP, IBM, Sun, Dell, Oracle, and Novell demonstrates the commitment of industry to Linux. With all the agreement in the market, most observers do not give SCO much of a chance of winning its cases."

Comments (5 posted)

The Open Source Paradigm Shift (O'Reilly)

Tim O'Reilly examines the paradigm-shift characteristics of open-source code. "My premise is that free and open source developers are in much the same position today that IBM was in 1981 when it changed the rules of the computer industry, but failed to understand the consequences of the change, allowing others to reap the benefits. Most existing proprietary software vendors are no better off, playing by the old rules while the new rules are reshaping the industry around them."

Comments (none posted)

Trade Shows and Conferences

Preview on kNX Client and FreeNX Server for LinuxTag Visitors (KDE.News)

KDE.News reports that a team of KDE and Knoppix hackers are showing two programs at LinuxTag. The FreeNX Server and kNX Client are not officially released yet, but several presentations have shown a well working preview of the KDE version for the speed boosting NX Terminal Server technology, developed by NoMachine.com.

Comments (2 posted)

The SCO Problem

SCO's Memo in Opposition to DC's Motion to Dismiss (Groklaw)

Groklaw has SCO's memo trying to keep the DaimlerChrysler suit alive, along with extensive commentary. "And why do they do this elaborate verbal dance with all the mock horror at DC's dillydallying? Because on a motion to dismiss, if there is even one fact in dispute, you can't grant the motion. We just saw that in the Novell hearing, and here SCO stands on its head to present facts 'in dispute' and to present issues that they claim are not clear in the contract. The underlying common sense truth is that there is no damage and nothing to sue about in any rational universe. But if they get a stickler judge with no common sense, they might just prevent the motion to dismiss from being granted."

Comments (2 posted)

Companies

Singapore to be 'port of call' for Linux (ZDNet)

Oracle and Red Hat are working together to build a Linux applications centre in Singapore, according to this article on ZDNet. "The two firms today announced they will invest $11.6m in a new Linux applications centre on the island-state to ramp up Linux certification among independent software vendors (ISVs) in the ASEAN region. The move is expected to expand the range of third-party software available on the Linux operating system, widely-viewed as a pre-requisite for it to gain greater commercial uptake."

See this press release for more information on the project.

Comments (5 posted)

Linux Adoption

Iraqis get a taste for Linux (BBC)

The BBC looks at efforts to promote Linux use in Iraq. "Inside the country, the Iraqi Linux User Group is thinking big. Their ambitious goal is to see every server in the country running Linux a year from now. Getting there, they face numerous obstacles."

Comments (1 posted)

Linux in Government: Open Source Innovation within the DoD (Linux Journal)

Linux Journal looks at open source adoption by the US Department of Defense. "The Program Management Office (PMO) for DMLSS [Defense Medical Logistics Standard Support] is located in Falls Church, Virginia. Continuing development and support facilities exist at Ft. Detrick, Maryland, at the Joint Medical Logistics Functional Development Center. At Ft. Detrick, programmers support open-source components in applications that require cryptography. The open-source components include Stunnel, Apache, ModSSL and OpenSSL."

Comments (1 posted)

Legal

Cisco the target of wireless lawsuit (News.com)

News.com reports that WI-LAN is suing Cisco in Canada for alleged infringement of patents associated with the wireless networking standards. "'Without our OFDM patents, there would be no 802.11a/g,' [WI-LAN VP Ken Wetherell] said. 'We didn't enforce these patents sooner, because we didn't want to slow down development in the market. But now that the technologies are firmly established, we feel we must protect our intellectual property.'" This looks like the SCO school of IP enforcement.

Comments (10 posted)

Interviews

Munich opens gates to Linux (vnunet)

Vnunet.com talks with Wilhelm Hoegner, Munich's City IT chief, about the city's switch to open-source software. "The key aspect was the ability to control the release policy ourselves; in other words to free ourselves from reliance on the product cycles of a small number of software companies. Another important point, of course, was licence costs, and security also plays an important part. We are switching directly from Windows NT to Linux, since NT, which is non-secure, was followed by a number of systems from the same manufacturer, which were also open to attack."

Comments (20 posted)

GPL Freedom Has Limits (Groklaw)

Groklaw is carrying an English translation of this German-language interview with Harald Welte of the Netfilter team. The topic of interest is Netfilter's ongoing efforts to ensure that its GPL licensing is respected. "The idea is to publicly make known some high-profile cases in order to put the opposition, those thinking of violating the GPL, on notice that we are serious and that we mean what we say and will enforce the license in court if you violate its terms. The idea is that then it will prevent having to handle lots of little cases, once the word is out."

Comments (none posted)

The Pragmatic Programmers Interview (O'ReillyNet)

O'ReillyNet interviews Andy Hunt and Dave Thomas, the authors of The Pragmatic Programmers. "Andy Hunt and Dave Thomas are The Pragmatic Programmers, two experienced and intelligent software developers with impressive experience, including the authoring of the popular The Pragmatic Programmer and the well-regarded Programming Ruby. Recently, they launched their own small publishing company to produce books on agile and pragmatic software development. Andy and Dave recently agreed to an interview with the O'Reilly Network."

Comments (3 posted)

Resources

Preventing Denial of Service Attacks (O'ReillyNet)

O'ReillyNet looks into DoS prevention on FreeBSD systems. "The first step to protecting yourself from an attack is to understand the nature of different types of attacks. As we said earlier, resource-consumption attacks target your system in places that can cause bottlenecks. The most popular targets are network bandwidth, system memory, network stack memory, disk I/O, operating system limitations such as a limit on the number of open file handles, and the CPU. These bottlenecks can be on your systems or in your network hardware."

Comments (none posted)

The Natural Language Toolkit (developerWorks)

IBM developerWorks covers a Python library for applying academic linguistic techniques to collections of textual data. "For this first article, I will present some relatively fleshed out examples from the lower-level capabilities, but simply describe abstractly most of the higher level capabilities. If I have the opportunity to return to NLTK in a later installment, I will give more detailed descriptions of parsing and graphing; for now, let us take the first steps past text processing, narrowly construed."

Comments (7 posted)

Reviews

A Look Back and a Look Forwards at KDE 3.3 (KDE.News)

KDE.News introduces this preview of KDE 3.3. "KDM looks better. No, it's not because it's gotten an GDM like makeover. Nor is it because MDM (from KDE-Look.org) has been adopted as the new DM. It's simply because we now have usable user icons now. Yup, you heard correct boys and girls. I said user icons. Courtesy of some kind soul who saw the need and had the talent KDM users now have a variety of faces to choose from in $KDEDIR/share/apps/kdm/pics/users. As an added bonus there's also a simple way to choose those user icons, but we'll get to that when we chat about kcontrol."

Comments (2 posted)

Book Review: Postfix: The Definitive Guide (Linux Journal)

Linux Journal reviews the book Postfix: The Definitive Guide. "Postfix: The Definitive Guide digs a little deeper into the hows and whys. I like that; I've never been much good at turning the crank on rote procedures. By explaining how Postfix's features reflect its architecture and how they relate to real world needs, debugging configurations and extending Postfix with third-party virus scanners and spam filter is a lot easier."

Comments (2 posted)

gLabels: Ready for prime time (NewsForge)

NewsForge reviews gLabels v1.93.3. "gLabels is a feature-packed label-printing application that's easy to use. It comes with an online manual that is current as of version 1.93.2. The manual is well laid out and seems to be nearly complete. For a beta (or developer version, if you prefer), gLabels is in great shape. I'm recommending it for usage today to friends and strangers alike. There are bugs to be squashed, I'm sure, but only a few, and I'm looking forward to the 2.0 release in the near future. Kudos to Jim Evins and the rest of the development crew for a job well done."

Comments (5 posted)

Miscellaneous

Carrier Grade Linux moving to carriers and beyond (NewsForge)

NewsForge looks at the adoption of Carrier Grade Linux in the telecom industry. "Carrier Grade Linux (CGL) -- an open source software framework being developed by the Open Source Development Labs to support high-availability, fast-to-market solutions for major telecommunications and other companies -- is taking considerable time to penetrate the slow-moving carrier market, but it is also gaining ground in vertical segments such as financial services, according to analysts attending this week's SuperComm telecom conference in Chicago."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

CELF specification and reference implementation available

The CE Linux Forum has announced the availability of the first CELF specification, a document describing how Linux should best work on consumer electronics devices. The specification is concerned with issues like reducing boot time, power management, real-time response, and so on. The specification is downloadable in PDF format; there is also a reference implementation available.

Comments (none posted)

Firefox Team Looking for Artists (MozillaZine)

The Firefox team needs help from artists. "Blake Ross writes: 'The Firefox team is looking for talented artists to help expand our grassroots button campaign. We are looking to translate the buttons into other languages and create a handful of new buttons to widen our selection.'"

Comments (none posted)

OSAF announces open source Chandler subproject - PyLucene

The OSAF has announced the PyLucene project. "PyLucene is a Python wrapper around the Lucene indexing and search engine. It was developed by Andi Vajda at OSAF for use in Chandler. PyLucene is a way of letting Python use Lucene to do full text indexing."

Full Story (comments: none)

Open source solid state holter (LinuxMedNews)

LinuxMedNews points to a development project that is working on an open-source ambulatory ECG monitor.

Comments (none posted)

Volunteer psqlODBC Developer Required

The psqlODBC project needs volunteer help. "The psqlODBC project is currently in need of a new developer to lead the development of the driver. Unfortunately the previous developers now have other commitments, leaving the project with only one developer (me!) with little time for anything other than applying patches and producing release packages."

Comments (none posted)

WHATWG Looking for Comments on First Draft of Web Forms 2 (MozillaZine)

Comments are being accepted on the Web Forms 2.0 draft specification. "The WHATWG is looking for comments on the first stable draft of the Web Forms 2.0 specification. The Web Forms 2.0 specification addresses requests made for new features to be added to the Forms features in HTML4."

Comments (none posted)

Commercial announcements

Arkeia Unveils First Professional Hot Backup and Restore Solution for LDAP Servers

Arkeia Corporation has announced a new LDAP server backup solution. "Arkeia Corporation today announced the release of a plug-in for hot backup of Lightweight Directory Access Protocol (LDAP) servers, the first provider to offer a professional online backup and restore solution for LDAP servers. It enables Arkeia backup solutions customers to protect server data without interrupting LDAP services."

Comments (none posted)

Breakthrough HP Technology Yields up to 100 Times More Bandwidth for Linux Clusters

HP has announced a new technology that improves cluster bandwidth by up to 100 times. "The new product, HP StorageWorks Scalable File Share (HP SFS), is a self-contained file server that enables bandwidth to be shared by distributing files in parallel across clusters of industry-standard server and storage components."

Comments (none posted)

Mississippi deploys Linux-based 'homeland security' system

IBM has sent out a press release describing the new "security system" being deployed by the state of Mississippi; it runs on SUSE Linux. "When complete, this project will provide mobile units with real-time access to all available public safety information including mug shots, arrest warrants, criminal intelligence, hazardous materials data and medical emergency protocols enhancing their ability to prevent and respond to incidents that pose a danger to the public." Surely such a system would never be used for any other purpose, right?

Full Story (comments: 2)

JBossCache integrated with Berkeley DB Java Edition

At the JavaOne conference, JBoss and Sleepycat announced a developer version of JBossCache integrated with the new Berkeley DB Java Edition.

Full Story (comments: none)

MySQL AB Launches UK and Ireland Sales Office

MySQL AB has announced the opening of a new sales office in Dublin, Ireland.

Comments (none posted)

NEC announces database benchmark results

NEC Solutions has announced a new set of TPC database benchmark results: the company was able to achieve 683,575 transactions per minute on one of its Itanium-based servers. The system was running Oracle and SUSE Linux Enterprise Server; it is a 32-processor box with 512GB of memory. All that scalability work would appear to have accomplished something.

Comments (none posted)

Quadrics Continues to Drive Linux Cluster Performance

Quadrics has posted a press release claiming the high ground in Linux cluster performance. "Two years after Quadrics helped build the fastest Linux cluster of the day, called MCR (www.llnl.gov/linux/mcr/), Quadrics and Lawrence Livermore National Laboratory (LLNL) have done it again. This time the system, called Thunder, is not only the fastest Linux cluster in the world, but also the fastest computer system in the US and the #2 system in the world (see www.top500.org), surpassing the previous #2 system (ASCI-Q), also based on Quadrics QsNet."

Comments (none posted)

Sun Contributes to Open Source Community

Sun Microsystems, Inc. has announced that Project Looking Glass and Java 3D technology will be made available to the open source community. Sun also announced additional open source desktop efforts in collaboration with the Java developer community: the JDesktop Network Components (JDNC) and JDesktop Integration Components (JDIC).

Comments (5 posted)

New Books

No Starch Press releases "The Official Blender 2.3 Guide"

No Starch Press has published the book The Official Blender 2.3 Guide by Ton Roosendaal and Stefano Selleri.

Full Story (comments: none)

"Better, Faster, Lighter Java" Released by O'Reilly

O'Reilly has published the book Better, Faster, Lighter Java by Bruce A. Tate and Justin Gehtland.

Full Story (comments: none)

"XML Publishing with AxKit" Released by O'Reilly

O'Reilly has published the book XML Publishing with AxKit by Kip Hampton.

Full Story (comments: none)

Rapid Application Development With Mozilla to be Translated into Russian (MozillaZine)

MozillaZine reports on an effort to translate the book Rapid Application Development With Mozilla into Russian.

Comments (none posted)

Syngress Releases "Richard Thieme's Islands in the Clickstream"

Syngress Publishing has published the book Richard Thieme's Islands in the Clickstream: Reflections on Life in a Virtual World by Richard Thieme.

Full Story (comments: none)

Resources

A Linux Quick Reference to Useful Commands (O'ReillyNet)

O'Reilly has announced the availability of a downloadable PDF version of Linux Quick Reference to Useful Commands by Daniel J. Barrett.

Comments (none posted)

The LDP Weekly News

The June 30, 2004 edition of the Linux Documentation Project Weekly News is available with the latest new documentation releases.

Full Story (comments: none)

LPI-News May and June 2004

News from the Linux Professional Institute includes a look at new courseware for LPI Level 2 certification exams, re-writes of the exams and other topics.

Full Story (comments: none)

Updated VST/VSTi Tutorial Available

Dave Phillips has released an updated version of his tutorial on using VST/VSTi audio plugins under Linux.

Full Story (comments: none)

Contests and Awards

ERP5 Open Source ERP Project beats SAP and Navision in Professional Magazine Award

Coramy, a European company in the apparel industry and first user of the open source ERP5 Enterprise Resource Planning Solution, was awarded best ERP implementation project in the special edition of Décision Informatique.

Full Story (comments: none)

Event Reports

Announcements from JavaOne

JavaOne, Sun's annual Java conference, is in full swing in San Francisco. "Open Source" seems to be the buzz word of the day in these press releases:
  • JBoss and Novell have announced a strategic alliance to enable Novell(R) exteNd(TM) customers to deploy SOA-based applications to the open source JBoss Application Server.
  • Gluecode Software has announced the general availability of Gluecode Portal Server 3.5, the latest version of Gluecode's open source enterprise portal.
  • Gluecode Software contributes to the Apache Portals Project.
  • Agilent Technologies and Sun Microsystems have announced the formation of the Java Distributed Data Acquisition and Control (JDDAC) java.net community, an open-source forum for the development of Java applications and libraries for wide-area distributed sensors and controls.
  • ObjectWeb has announced that its corporate members are now targeting the delivery of ESB solutions built on open-source components.
  • JBoss has announced JBossLabs(TM), a research and development center focused on delivering innovative middleware technologies to the market.
  • JBoss has announced JBoss Inside, a new offering for companies integrating JBoss technology into their products.
  • JBoss and Sleepycat Software have announced a developer version of JBossCache(TM) integrated with Berkeley DB Java Edition.
  • Sun Microsystems has announced the release of version 4.0 of the NetBeans project.
  • Sun Microsystems has announced that Allied Irish Bank will migrate 7,500 desktop users and transition branch dependent applications across its entire branch network to the Sun Java(TM) Desktop System.

Comments (7 posted)

Upcoming Events

Libre Software Meeting 2004

The 2004 Libre Software Meeting will be held in Bordeaux, France on July 6-10, 2004. Presentations on Lisp will be included in the high-level languages track. "The Lisp hackers who will attend the upcoming LSM 2004 are organizing short informal presentations and other activities besides formal presentations."

Full Story (comments: none)

Embedded Systems Conference, Boston

The next Embedded Systems Conference will be held in Boston, Mass on September 13-16, 2004 at the Hynes Convention Center.

Full Story (comments: none)

YAPC::EU Call for Venue 2005 (use Perl)

Use Perl has a Call for Venue for the YAPC Europe 2005 conference. "European YAPC's and National Workshops now have a foundation. The main goal of the newly formed YAPC Europe Foundation is to provide assistance on request to any European crew setting up a conference (be it a YAPC::Europe or a national workshop)."

Comments (none posted)

Events: July 1 - August 26, 2004

Date | Event | Location
July 1, 2004 | Perl Workshop 6.0 (Barbara-Künkelin-Halle) | Schorndorf, Germany
July 1 - 2, 2004 | USENIX 2004 (Boston Marriott Copley Place) | Boston, MA
July 1, 2004 | JavaOne (Moscone Center) | San Francisco, CA
July 6 - 10, 2004 | Libre Software Meeting 2004 (RSM/RMLL) (Bordeaux I University) | Bordeaux, France
July 12 - 15, 2004 | Real-time and Embedded Systems Workshop | Washington, DC
July 19 - 20, 2004 | Italian Perl Workshop (Polo Fibonacci) | Pisa, Italy
July 21 - 24, 2004 | Linux Symposium | Ottawa, Canada
July 26 - 30, 2004 | O'Reilly Open Source Software Convention 2004 (OSCON) | Portland, OR
July 26 - 30, 2004 | IBM pSeries Technical Conference | Cairns, Australia
July 31 - August 2, 2004 | Vancouver Python Workshop | Vancouver, Canada
August 2 - 5, 2004 | LinuxWorld Conference & Expo (Moscone Center) | San Francisco, California
August 21 - 29, 2004 | KDE Community World Summit 2004 (aKademy) (Filmakademie Ludwigsburg) | Ludwigsburg (Stuttgart Region), Germany

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds