With the 7.5 release of PostgreSQL not too far away, and news of new
features sponsored by Fujitsu and Software Research Associates (SRA),
we decided to take a look at the PostgreSQL project and what users might be
able to expect in the coming months. We spoke to PostgreSQL steering
committee member Bruce Momjian about the upcoming 7.5 release, and the
"state" of PostgreSQL. According to Momjian, "the project is doing
very well."
We're very organized and thorough in the way we do stuff. That's kind of
paid off [in that] every three or four months it seems like we're making
another kind of milestone in what we can do with Postgres in terms of
adoption and features. It's kind of hard to put it into words, I've stopped
getting surprised at how successful it's been.
Though each new release is a milestone, Momjian said that the 7.5 release
would have an unusual number of new features. In part, that's thanks to
Fujitsu and SRA underwriting the development of tablespaces, nested
transactions and support for Java server-side programming. Momjian is
employed by SRA to work with PostgreSQL and the community, and says the
company approached him to broker arrangements with developers already
working on those features:
Big missing functionality typically takes weeks to develop, very hard for
developers to spend weeks volunteering, they've got to put food on the
table. Fujitsu would supply X amount of money for the amount of time
they're spending working on these features, [which were] very slow going
because they were only spending a few hours a week... the infusion of cash
allowed them to commit weeks.
The tablespace feature will allow a database to be spread across multiple
storage devices. Currently, PostgreSQL requires all of a database to exist
on a single filesystem. This can be a problem for performance and space
reasons. In 7.5, by default, PostgreSQL will continue to store everything
on the same filesystem, but Momjian said that an administrator will be able
to use tablespaces to move a table or entire database to another
filesystem. Even better, Momjian says that this will not impact an
application using the database -- so existing applications will not need to
be rewritten to use a database that takes advantage of tablespaces.
Oracle users and developers will know nested transactions by the name
"savepoints." This feature in 7.5 will give developers "better
control over failure cases with multi-statement locks" and allow
developers a better option than simply causing an entire transaction to
fail if one statement fails. Momjian noted that PostgreSQL already had
"a robust system" but that developers porting applications
from Oracle needed finer control than the current PostgreSQL system
allows. "Some applications needed logic that would say 'I want to try
inserting, but if that fails, I want to do something else.'"
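As an added illustration of the savepoint pattern Momjian describes (not code from the article or from the PostgreSQL project), the following uses Python's built-in sqlite3 module as a stand-in for PostgreSQL 7.5, since it accepts the same SAVEPOINT, ROLLBACK TO and RELEASE statements and runs without a server. The table, names and values are constructed; SQLite, unlike PostgreSQL, does not abort the whole transaction when one statement fails, so the savepoint is what makes the pattern portable between the two.

```python
"""'Try inserting, but if that fails, do something else' using a savepoint,
demonstrated with sqlite3 as a stand-in for PostgreSQL 7.5 (constructed
example; the schema and data are made up)."""
import sqlite3


def open_db() -> sqlite3.Connection:
    """Constructed sample schema: user names must be unique."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # no implicit transactions; we issue BEGIN/COMMIT
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, attempts INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 1)")
    return conn


def upsert_with_savepoint(conn: sqlite3.Connection, name: str) -> str:
    """Attempt an INSERT inside a savepoint. If it fails, roll back only to
    the savepoint (the enclosing transaction survives) and take the
    alternative action instead. Returns 'inserted' or 'updated'."""
    conn.execute("SAVEPOINT try_insert")
    try:
        conn.execute("INSERT INTO users VALUES (?, 1)", (name,))
        conn.execute("RELEASE SAVEPOINT try_insert")
        return "inserted"
    except sqlite3.IntegrityError:
        # Undo just the failed statement, not the work done before it.
        conn.execute("ROLLBACK TO SAVEPOINT try_insert")
        conn.execute("RELEASE SAVEPOINT try_insert")
        conn.execute("UPDATE users SET attempts = attempts + 1 WHERE name = ?",
                     (name,))
        return "updated"


def demo() -> dict:
    """One transaction: earlier work, a failing insert, a succeeding insert.
    Everything, including the work before the failure, is committed."""
    conn = open_db()
    conn.execute("BEGIN")
    conn.execute("INSERT INTO users VALUES ('bob', 1)")  # work before the savepoint
    outcomes = [upsert_with_savepoint(conn, "alice"),     # duplicate -> updated
                upsert_with_savepoint(conn, "carol")]     # new -> inserted
    conn.execute("COMMIT")
    rows = dict(conn.execute("SELECT name, attempts FROM users ORDER BY name"))
    return {"outcomes": outcomes, "rows": rows}


if __name__ == "__main__":
    print(demo())
```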
Another feature in 7.5 of interest to many users will be point-in-time
recovery. With point-in-time recovery, PostgreSQL will allow users to
recover information "up to the instant of hardware failure."
Of course, not all PostgreSQL users are defectors from the Oracle camp. The
focus of late for many open source projects seems to be on the "enterprise"
features, which might lead hobbyist and small business users to wonder
whether those projects will continue to be suitable for their use. We asked
whether focus on enterprise features might detract from the "little guy,"
and he said that while PostgreSQL 7.5 will have many features that are
aimed directly at the enterprise users, the PostgreSQL project isn't losing
sight of the small-scale users. In fact, there are several features that
are directly aimed at the little guy rather than enterprise users.
One of those features is direct import of comma-separated value (CSV)
files. Momjian said that many users have asked for the ability to directly
import a CSV file produced by a spreadsheet program or other utility. Prior
to 7.5, users would have to convert those files into a suitable format for
PostgreSQL to import using a Perl script or other utility -- but with 7.5
users will be able to "load CSV natively right into Postgres."
Another "little guy" feature of interest in 7.5 is the ability to change
the data type of a column. In prior versions of PostgreSQL, it would be
necessary to add a new column, import data from the existing column into
the new column, drop the old column and then rename the new column to
change the data type. In 7.5, users will be able to simply alter the
data type of a column in one easy step.
Momjian also said that the Postgres developers do worry about "bloat," and
that "we've managed to come very far with adding features, without
impacting performance or readability [of the PostgreSQL code.]" On
average, he said that PostgreSQL adds "maybe 50,000 lines every year
to the code...no feature goes in unless it fits like a glove."
Though not part of the 7.5 release, the recently announced Slony-I
replication system bears mentioning as well. The Slony-I replication
system, sponsored by Afilias, does
asynchronous master-to-slave replication, slave promotion and failover.
In addition to the obvious new features, there's also a little work
underneath the hood that will benefit PostgreSQL users as well. Momjian
told LWN that the PostgreSQL team had done a "major redesign"
in the way that PostgreSQL buffers disk writes, which will result in a
"serious performance improvement" in the next release.
Though perhaps of little interest to the LWN readership, Momjian also
pointed out that 7.5 will be the first version of PostgreSQL to have a
native port to Win32:
We feel that the Windows port is important to highlight the accomplishments
of open source to the people running on the Windows platform. You can't
show how good open source is if it's not running on their platform.
There is no set date for the 7.5 release yet, but he said that it should be
out by the end of the year, once the project has been able to
conduct extensive testing of all the new features. After the release, he
predicts "increased migration from proprietary databases," and
notes that the PostgreSQL project is already seeing 1,000 to 2,000
downloads per week of the unofficial, unadvertised testing release of
PostgreSQL for Windows.
In all, the next release of PostgreSQL should be quite impressive, and
allow a number of organizations to dump expensive proprietary databases for
an open source alternative.
Comments (13 posted)
The 2004 Ottawa Linux Symposium starts on July 21. The content this year
looks as good as ever: the list of presentations includes well-known Linux
developers from all over the world. As usual, the talks place OLS at the
forefront of kernel-oriented Linux conferences, with some don't-miss desktop
topics thrown in as well. It will be a great gathering for anybody
interested in where Linux is going, or who just wants to hang out with a
lot of developers and drink too much beer. At least, for anybody who has
registered; OLS is sold out and is no longer accepting registrations.
Once again, OLS will be preceded by the invitation-only Kernel Summit. At
the same time, the Desktop Developer's Conference will be happening
upstairs; registration for that event is still open.
The 2004 event will be the sixth annual Ottawa Linux Symposium. We talked
briefly with OLS founder and organizer Andrew Hutton about the event.
LWN: The sixth Ottawa Linux Symposium will be happening next month. Can you
tell us how this event got its start? What inspired you to create OLS?
After attending Linux Expo in North Carolina in 1998 and 1999 and the Atlanta
Linux Showcase I noticed that the technical events were in danger of being
overshadowed by the Dot.Com inspired multi-million dollar marketing events
that were beginning to happen at that time. Nobody I knew would voluntarily
go to one of these new marketing events. At about 4am one morning while
thinking about this problem I asked Alan Cox if he'd consider coming to
Ottawa and doing the keynote for a new event on the other end of the
spectrum, a pure technical event. He said something like 'sure haven't been
to Canada yet, why not' and 3 months later we had the first Linux Symposium.
LWN: OLS has become one of the definitive gatherings of free software
developers, especially in the kernel area. How is it that OLS is able
to attract such an impressive list of participants - many of whom have
to travel a long way to get there - every year?
Content, content, content. Above all else we try to attract the best leading
edge content we can. The goal is to create an environment in which nobody
goes to a presentation without learning something new about the subject.
LWN: This year, the Desktop Developers Conference will be happening
immediately prior to OLS. Can you tell us a little about this event and
your expectations for it?
The goal is to bring together the various parties involved in a functional
free desktop from kernel people, to X developers, distribution builders,
desktop infrastructure people (GNOME/KDE/etc) and application developers to
share experiences and discuss the areas in which future cooperation is
possible.
LWN: The 2004 Kernel Summit will also be happening just before OLS. Do you
expect to host more such events in the future, along the lines of the
successful "miniconfs" which accompany Linux.Conf.Au?
For smaller groups we've encouraged this for years. The Desktop Developers'
Conference will be the first of the more public ones though. It may or may
not remain adjacent to the Linux Symposium in the future. The main reason it
is this year is that despite all the buzz you've heard about the future of
the desktop, there isn't a lot of support for it yet and this makes it easier
for people to justify attending both at this time.
LWN: Another Linux.Conf.Au idea that seems to work well is moving the
conference to a different city every year. Might we ever be able to
look forward to the Jasper or Victoria Linux Symposium?
Probably not. We discuss this every year and people just enjoy coming to
Ottawa every year. Ottawa is a nice tourist town these days, and has the
facilities we require all within walking distance. One of the great things
about OLS is never needing a car.
LWN: The Symposium is currently limited to about 500 attendees. Do you think
you may ever allow OLS to become larger? Why?
There are two main reasons. Space and communications overhead. It is nice to
have time to find and sit and chat with all the people you're looking for
during the event. We do end up a bit larger than 500 some years, but for now
the space we have isn't suitable either. To keep things productive keeping
it small is key.
As usual, LWN editor Jonathan Corbet will be present at OLS and the Kernel
Summit this year.
Comments (none posted)
Anybody who is curious about what benefits software patents might bring to
Europe need look no further than UK patent GB2362971, entitled "A method of
searching the internet and an internet search engine." This patent, held by
the Italian company Godado Italia Srl, was first filed in May, 2000; it was
assigned last February.
What does this patent cover?
Upon receipt of a search signification, a search is conducted for
web sites having a textual match with the search signification. In
addition, the thesaurus database is searched to determine the
category of meaning to which the search signification belongs and
the meaning of the search signification thus determined is used to
identify related significations having a correlation with the
meaning of the search signification. The enquirer is then provided
with a list of web sites having a textual match with the search
signification and with a list of related significations as a
suggestion for supplementary research.
In other words, a search engine with the advanced capability of looking up
additional search terms in a thesaurus and telling the user about those terms.
Godado is not content to sit on this patent. The company has applied with
the EPO for a
Europe-wide patent, and has also filed a claim in Italy. With those in
hand, Godado has selected its first target: the financial portal Portalino.
For the curious, Portalino has posted Godado's demand letter (in Italian);
your editor has created an English translation to go along with it.
Essentially, the letter accuses Portalino of the heinous crime of running a
search engine, claims that said search engine is an infringement of
Godado's patent, and demands that the search engine be shut down
immediately.
One might assume that Godado does not intend to content itself with
harassing Portalino; according to this Punto Informatico
article, the patent has already been filed in Spain, Portugal, Germany,
and France (along with the UK and Italy). A new litigation company, it
would seem, has been turned loose in Europe.
This patent was not filed until 2000; chances are that, with a bit of (yes)
searching, sufficient prior art can be found to invalidate it. This will
not be the last shakedown attempt by a company wielding a suspect patent,
however, especially if the European Union blesses software patents in their
full glory. Godado shows that U.S.-style software patent hassles
can become part of the European landscape. Unless, of course, the
EU manages to avoid the imposition of union-wide software patents.
Comments (8 posted)
Page editor: Jonathan Corbet
Security
The Organization for Internet Safety has
announced the availability, in draft form, of
its "Security Vulnerability Reporting and Response Guidelines." These
guidelines offer suggestions for how security researchers and software
vendors should work together to deal with security problems in the most
effective way. Comments are being solicited for this version; they will be
accepted until July 16.
The guidelines, for the most part, make sense. Essentially, they say that
things go as follows:
- A researcher finds a problem.
- That problem is communicated in a clear way to the relevant vendor.
- The vendor responds, and the two agree on a timeline for investigating
the problem and, if warranted, developing a fix.
- The two talk to each other while this is going on.
- When the fix is complete, the vendor makes it available, and both
parties can release advisories.
- Detailed information on the vulnerability is to be withheld for
30 days.
Of course, it takes the OIS 23 pages, many dozen sub-objectives and
contingencies, and several complicated flow charts to communicate the
above.
The OIS and its guidelines have come under significant fire recently. Many
people distrust the OIS after having seen its list of members: @stake,
BindView, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec,
and our old friends the SCO Group. There are no independent researchers:
OIS policy explicitly excludes them. There is also no representation from
the free software community. In fact, the OIS is not that impressed with
free software in general:
We believe the software author should be given a chance to create a
fix before vulnerability information is made public, but that there
should be no further distribution of that information until the fix
is complete. This priniciple [sic] can be very difficult to adhere to in
certain situations, such as dealing with the open source community
where there aren't protections to keep vulnerability information
secret.
In recent times, the community has shown itself to be quite capable of
keeping vulnerability information under wraps for the time it takes to
generate a fix. If you want to do that, though, it is imperative to create
the fix quickly. The vendor-driven OIS standards seem more oriented toward
keeping vulnerability information secret for as long as possible.
The OIS claims that it has no intention of promoting legislation which
would codify its guidelines. Given the nature of some of the companies
involved, not everybody believes that claim. Certainly any attempts in
that direction should be watched for and resisted.
Perhaps the most interesting perspective on the OIS is this, however:
there are no free software organizations or vendors represented because the
community has no need for the OIS. As a general rule, vulnerability
reporting and response works very well in the free software world.
Vulnerabilities are reported to the relevant parties, and a whole set of
independent vendors and projects gets fixes out quickly. It is hard to see
problems in this aspect of our performance which are amenable to any sort
of improvement via a set of official guidelines. Our problems, instead,
lie in the fact that we create far too many vulnerabilities in the first
place. The OIS is not going to help us with that.
Comments (none posted)
New vulnerabilities
esearch: insecure temp file handling
| Package(s): | esearch |
| CVE #(s): | |
| Created: | July 1, 2004 |
| Updated: | July 6, 2004 |
| Description: | The eupdatedb utility that is part of esearch can allow a symbolic link to be created in /tmp, making it possible for users to create arbitrary files. |
| Alerts: | |
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0497 |
| Created: | July 2, 2004 |
| Updated: | September 27, 2004 |
| Description: | During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances, such as when the files are exported via NFS. |
| Alerts: | |
Comments (none posted)
Pure-FTPd: denial of service
| Package(s): | Pure-FTPd |
| CVE #(s): | |
| Created: | July 5, 2004 |
| Updated: | July 6, 2004 |
| Description: | Pure-FTPd contains a bug potentially allowing a denial of service attack when the maximum number of connections is reached. |
| Alerts: | |
Comments (none posted)
XFree86, X.org: XDM ignores requestPort setting
| Package(s): | XFree86 X.org |
| CVE #(s): | CAN-2004-0419 |
| Created: | July 5, 2004 |
| Updated: | July 28, 2004 |
| Description: | XDM will open TCP sockets for its chooser, even if the DisplayManager.requestPort setting is set to 0. This may allow authorized users to access a machine remotely via X, even if the administrator has configured XDM to refuse such connections. See this XFree86 bug report. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2004-0492 |
| Created: | June 11, 2004 |
| Updated: | October 14, 2004 |
| Description: | A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service. |
| Alerts: | |
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0488 |
| Created: | June 1, 2004 |
| Updated: | October 14, 2004 |
| Description: | A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. |
| Alerts: | |
Comments (none posted)
Apache: denial of service
| Package(s): | apache2 |
| CVE #(s): | CAN-2004-0493 |
| Created: | June 30, 2004 |
| Updated: | July 19, 2004 |
| Description: | Versions of apache 2.0 through 2.0.49 fail to defend against arbitrarily long header lines; this bug can be exploited to cause the server to use arbitrarily large amounts of memory. See this advisory from Georgi Guninski for details. |
| Alerts: | |
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
| CVE #(s): | CAN-2004-0548 |
| Created: | June 17, 2004 |
| Updated: | December 20, 2004 |
| Description: | Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker. |
| Alerts: | |
Comments (none posted)
dhcp: buffer overflows
| Package(s): | dhcp |
| CVE #(s): | CAN-2004-0460, CAN-2004-0461 |
| Created: | June 23, 2004 |
| Updated: | July 14, 2004 |
| Description: | Two separate buffer overflows have been found in versions 3.0.1rc12 and 3.0.1rc13 of the ISC DHCP server. These overflows can be exploited by a remote attacker to cause a denial of service, or, potentially, to execute arbitrary code. DHCP servers should not be exposed to the Internet, but this problem is worth fixing regardless. See this CERT advisory for more information. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
| CVE #(s): | CAN-2004-0422 |
| Created: | May 5, 2004 |
| Updated: | December 16, 2004 |
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: | |
Comments (none posted)
FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling
| Package(s): | freeswan |
| CVE #(s): | |
| Created: | June 26, 2004 |
| Updated: | July 15, 2004 |
| Description: | FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs when authenticating PKCS#7 certificates. This could allow an attacker to authenticate with a fake certificate. All these IPsec implementations have several bugs in the verify_x509cert() function, which performs certificate validation, that make them vulnerable to malicious PKCS#7 wrapped objects. With a carefully crafted certificate payload an attacker can successfully authenticate against FreeS/WAN, Openswan, strongSwan or Super-FreeS/WAN, or make the daemon go into an endless loop. |
| Alerts: | |
Comments (none posted)
giFT-FastTrack: remote denial of service attack
| Package(s): | gift-fasttrack |
| CVE #(s): | |
| Created: | June 24, 2004 |
| Updated: | June 30, 2004 |
| Description: | giFT-FastTrack is a plugin for the giFT file-sharing application. If a maliciously crafted signal is sent to giFT-FastTrack, remote attackers can crash the giFT daemon. |
| Alerts: | |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
Comments (none posted)
gzip: temporary file execution problem
| Package(s): | gzip |
| CVE #(s): | |
| Created: | June 24, 2004 |
| Updated: | June 30, 2004 |
| Description: | The gzip compression program has a problem that can cause code to be executed from the command if the creation of a temporary file fails. |
| Alerts: | |
Comments (none posted)
Horde-IMP: improper input validation
| Package(s): | Horde-IMP |
| CVE #(s): | |
| Created: | June 16, 2004 |
| Updated: | August 10, 2004 |
| Description: | An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser. |
| Alerts: | |
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: | |
Comments (none posted)
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: | |
Comments (none posted)
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils |
| CVE #(s): | CAN-2004-0403 |
| Created: | April 26, 2004 |
| Updated: | July 29, 2004 |
| Description: | racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a denial of service. This advisory contains additional details. |
| Alerts: | |
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: | |
Comments (none posted)
kernel: symlink overflow in the iso9660 filesystem
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0109 |
| Created: | April 14, 2004 |
| Updated: | July 15, 2004 |
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. |
| Alerts: | |
Comments (none posted)
kernel: netfilter denial of service
| Package(s): | kernel |
| CVE #(s): | |
| Created: | June 30, 2004 |
| Updated: | July 28, 2004 |
| Description: | The netfilter code in 2.6 kernels through 2.6.7 is vulnerable to a remote denial of service attack, but only if filtering on the TCP options field has been enabled. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0554 |
| Created: | June 15, 2004 |
| Updated: | July 5, 2004 |
| Description: | 2.4 and 2.6 kernels running on the i386 and x86_64 architectures have a vulnerability which can allow a local attacker to lock up the system. See this LWN article for a description of the problem. Many of the updates for this problem also fix various potential driver vulnerabilities found while instrumenting the code for automated auditing. |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: `chmod -s /usr/bin/uml_net` |
| Alerts: | |
Comments (none posted)
krb5: unauthorized root privileges
| Package(s): | krb5 |
| CVE #(s): | CAN-2004-0523 |
| Created: | June 3, 2004 |
| Updated: | June 29, 2004 |
| Description: | Multiple buffer overflows exist in the krb5_aname_to_localname() library function that if exploited could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname, which is not a default configuration. See this MIT krb5 Security Advisory for more information. |
| Alerts: | |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: | |
Comments (none posted)
mailman: password disclosure
| Package(s): | mailman |
| CVE #(s): | CAN-2004-0412 |
| Created: | May 27, 2004 |
| Updated: | July 20, 2004 |
| Description: | In mailman versions above 2.1, third parties can retrieve member passwords from the server. |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because the vulnerability had not been fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: | |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: | |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
| Alerts: | |
Comments (none posted)
MySQL: temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0381, CAN-2004-0388
Created: April 14, 2004
Updated: August 18, 2004
Description:
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Comments (none posted)
neon: buffer overflow
Package(s): neon
CVE #(s): CAN-2004-0398
Created: May 19, 2004
Updated: September 30, 2004
Description:
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Comments (none posted)
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none assigned)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Some vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Comments (1 posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
Package(s): pavuk
CVE #(s): CAN-2004-0456
Created: June 30, 2004
Updated: November 11, 2004
Description:
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Comments (none posted)
postgresql: buffer overflow in ODBC driver
Package(s): postgresql
CVE #(s): (none assigned)
Created: June 7, 2004
Updated: July 28, 2004
Description:
A buffer overflow has been discovered in the ODBC driver of PostgreSQL,
an object-relational SQL database, descended from POSTGRES. It is possible
to exploit this problem and crash the surrounding application. Hence, a
PHP script using php4-odbc can be utilized to crash the surrounding
Apache webserver. Other parts of postgresql are not affected.
Comments (none posted)
python: buffer overflow
Package(s): python
CVE #(s): CAN-2004-0150
Created: March 10, 2004
Updated: October 11, 2004
Description:
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Comments (none posted)
rsync: remote file write attack
Package(s): rsync
CVE #(s): CAN-2004-0426
Created: April 30, 2004
Updated: July 12, 2004
Description:
See the rsync homepage for the April 2004 advisory:
"There is a security problem in all versions prior to
2.6.1 that affects only people running a read/write daemon WITHOUT using
chroot. If the user privs that such an rsync daemon is using is anything
above "nobody", you are at risk of someone crafting an attack that could
write a file outside of the module's "path" setting (where all its files
should be stored). Please either enable chroot or upgrade to 2.6.1. People
not running a daemon, running a read-only daemon, or running a chrooted
daemon are totally unaffected."
Comments (none posted)
squid: buffer overflow
Package(s): squid
CVE #(s): CAN-2004-0541
Created: June 9, 2004
Updated: September 30, 2004
Description:
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Comments (none posted)
SquirrelMail: cross site scripting vulnerabilities
Package(s): squirrelmail
CVE #(s): CAN-2004-0519, CAN-2004-0520, CAN-2004-0521
Created: May 21, 2004
Updated: October 4, 2004
Description:
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string.
Comments (none posted)
Subversion: remote heap overflow
Package(s): subversion
CVE #(s): CAN-2004-0413
Created: June 11, 2004
Updated: March 7, 2005
Description:
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
Comments (none posted)
sysstat: temporary file vulnerability
Package(s): sysstat
CVE #(s): CAN-2004-0107, CAN-2004-0108
Created: March 10, 2004
Updated: October 4, 2004
Description:
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Comments (none posted)
tar, unzip: file overwrite vulnerability
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 10, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
Package(s): tcpdump
CVE #(s): CAN-2004-0183, CAN-2004-0184
Created: March 30, 2004
Updated: September 30, 2004
Description:
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
Comments (none posted)
telnetd: multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none assigned)
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Comments (none posted)
tripwire: format string vulnerability
Package(s): tripwire
CVE #(s): CAN-2004-0536
Created: June 4, 2004
Updated: July 7, 2004
Description:
The code that generates email reports contains a format string
vulnerability in pipedmailmessage.cpp. With a carefully crafted filename
on a local filesystem an attacker could cause execution of arbitrary code
with permissions of the user running tripwire, which could be the root
user. See this advisory on SecurityFocus for more details.
Comments (none posted)
webmin: denial of service
Package(s): webmin
CVE #(s): CAN-2004-0582, CAN-2004-0583
Created: June 16, 2004
Updated: July 28, 2004
Description:
Versions of webmin prior to 1.150 suffer from denial of service and information disclosure vulnerabilities. See advisories for the disclosure and lockout problems for more information.
Comments (none posted)
xchat: XChat 2.0.x SOCKS5 vulnerability
Package(s): xchat
CVE #(s): CAN-2004-0409
Created: April 19, 2004
Updated: November 15, 2005
Description:
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal (which is disabled by default) and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Comments (none posted)
xine-ui: insecure temporary file creation
Package(s): xine-ui
CVE #(s): CAN-2004-0372
Created: April 6, 2004
Updated: April 27, 2006
Description:
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel is still 2.6.7; it has been almost a month
since that release (which happened on June 15) and no 2.6.8 prepatches have
yet come out.
Linus's BitKeeper tree continues to grow, though at a slower rate. Recent
additions include a new, faster scrolling mode for framebuffer consoles, a
serial ATA update, various architecture updates, many fixes for a new
series of locking bugs reported by the
Stanford checker, a fix for a /proc permissions bug (see below),
and lots of fixes.
The current tree from Andrew Morton is 2.6.7-mm6. Recent additions to -mm include
packet writing support for DVD-RW and CD-RW drives, a new set of scheduler
tweaks, an IDE update and various fixes.
The current 2.4 prepatch is 2.4.27-rc3, which was released by Marcelo on July 3. Very few
patches were added this time around; things would appear to be stabilizing
toward the 2.4.27-final release.
Comments (none posted)
Kernel development news
The stuff that's gone around looks minor. It's not like they're teaching
sched.c to play cpu tetris for gang scheduling or Kalman filtering
profiling feedback to stripe tasks using different cpu resources across
SMT siblings or playing graph games to meet RT deadlines, so it doesn't
look like very much at all is going on to me.
It's pretty obvious why everyone and their brother is grinding out
purported scheduler rewrites: the code is self-contained. However,
nothing interesting is coming of all this. Never before have so many
patches been written against the same file, accomplishing so little.
-- William Lee Irwin would like to see more ambitious scheduler patches.
Comments (1 posted)
Every TCP packet includes, in the header, a "window" field which specifies
how much data the system which sent the packet is willing and able to
receive from the other end. The window is the flow control mechanism used
by TCP; it controls the maximum amount of data which can be "in flight"
between two communicating systems and keeps one side from overwhelming the
other with data.
In the early days of TCP, windows tended to be relatively small. The
computers of that age did not have huge amounts of memory to dedicate
toward buffering network data, and the available networking technology was
not fast enough to make use of a larger window in any case. Modern network
interfaces can handle larger packets and keep more of them in flight at any
given time; they will perform better with a larger window. Some kinds of
high-speed long-haul links can have very high
bandwidth, but also high latency. Keeping that sort of pipe filled can
require a very large window; if a sending system cannot have a large number
of packets in transit at any given time, it will not be able to make use of
the bandwidth available. For these reasons, good performance can often
require very large windows.
The TCP window field, however, is only 16 bits wide, allowing for a maximum
window size of 64KB. The TCP designers must have thought that nobody would
ever need a larger window than that. But 64KB is not even close to what is
needed in many situations today.
The solution to this problem is called "window scaling." It is not new;
window scaling was codified in RFC 1323 back in
1992. It is also not complicated: a system wanting to use window scaling
sets a TCP option containing an eight-bit scale factor. All window values
used by that system thereafter should be left-shifted by that scale factor;
a window scale of zero, thus, implies no scaling at all, while a scale
factor of five implies that window sizes should be shifted five bits, or
multiplied by 32. With this scheme, a 128KB window could be expressed by
setting the scale factor to five and putting 4096 in the window field.
To keep from breaking TCP on systems which do not understand window
scaling, the TCP option can only be provided in the initial SYN packet
which initiates the connection, and scaling can only be used if the SYN+ACK
packet sent in response also contains that option. The scale factor is
thus set as part of the setup handshake, and cannot be changed thereafter.
The details are still being figured out, but it would appear that some
routers on the net are rewriting the window scale TCP option on SYN packets as
they pass through. In particular, they seem to be setting the scale
factor to zero, but leaving the option in place. The receiving side sees
the option, and responds with a window scale factor of its own. At this
point, the initiating system believes that its scale factor has been
accepted, and scales its windows accordingly. The other end, however,
believes that the scale factor is zero. The result is a misunderstanding
over the real size of the receive window, with the system behind the
firewall believing it to be much smaller than it really is. If the
expected scale factor (and thus the discrepancy) is large, the result is,
at best, very slow communication. In many cases, the small window can
cause no packets to be transmitted at all, breaking TCP between the two
affected systems entirely.
In the 2.6.7 kernel, the default scale factor is zero; in Linus's BitKeeper
tree and the 2.6.7-mm kernels, instead, it has been increased to seven.
This change has brought the broken router behavior to light; suddenly
people running current kernels are finding that they cannot talk to a
number of systems out there. One of the higher-profile affected sites is
packages.gentoo.org. Gentoo
users are, unsurprisingly, not pleased.
As a way of making things work, Stephen Hemminger has proposed a patch which adds a calculation to select the
smallest scale factor which covers the largest possible window size. The
result on most systems is that the scale factor gets set to two. This
factor will still be corrupted by broken routers, but the resulting window
size (¼ of what it should be) is still large enough to allow
communication to happen.
The patch makes networking with systems behind broken routers work again,
but it has been rejected anyway. The
networking maintainers (and David Miller in particular) believe that the
patch simply papers over a problem, and that adding hacks to the Linux
network stack to accommodate broken routers is a mistake. If, instead, the
situation is left as it is, pressure on the router manufacturers should get
the problem fixed relatively quickly. It has been a few years, now, that
Linux has a strong enough presence in the networking world that it can get
away with taking this sort of position.
In the mean time, anybody running a current kernel who is having trouble
connecting to a needed site can work around the problem with a command
like:
echo 0 > /proc/sys/net/ipv4/tcp_default_win_scale
or by adding a line like:
net.ipv4.tcp_default_win_scale = 0
to /etc/sysctl.conf.
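The negotiation and the router corruption described above, modelled as an added example (not code from the article or from the kernel). The scale-selection function reconstructs the rule the article attributes to Hemminger's patch rather than reproducing his code, and the 174760-byte receive buffer is a constructed value, not one from the article.

```python
MAX_WINDOW_FIELD = 0xFFFF   # the 16-bit window field tops out just under 64KB
MAX_SHIFT = 14              # RFC 1323 limits the shift count to 14


def effective_window(window_field, scale):
    """Window in bytes that a peer applying `scale` derives from the 16-bit field."""
    return window_field << scale


def window_field_for(window_bytes, scale):
    """16-bit field value needed to advertise window_bytes at a given scale."""
    field = window_bytes >> scale
    if field > MAX_WINDOW_FIELD:
        raise ValueError('window of %d bytes does not fit at scale %d' % (window_bytes, scale))
    return field


def smallest_scale_for(max_window_bytes):
    """Smallest shift able to express the largest window the stack will ever advertise.

    Reconstruction of the selection rule the article attributes to Stephen
    Hemminger's patch; it is not the patch's code.
    """
    scale = 0
    while (max_window_bytes >> scale) > MAX_WINDOW_FIELD and scale < MAX_SHIFT:
        scale += 1
    return scale


def handshake(client_scale, server_scale, router_rewrites_syn_scale_to=None):
    """Model the SYN / SYN+ACK option exchange, optionally through a router that
    rewrites the shift count in the SYN but leaves the option in place."""
    option_seen_by_server = client_scale
    if router_rewrites_syn_scale_to is not None:
        option_seen_by_server = router_rewrites_syn_scale_to
    # The server accepts whatever shift count it saw and answers with its own,
    # so from here on the two ends can disagree and never renegotiate.
    return {
        'client_scale': client_scale,                    # what the client applies
        'client_scale_at_server': option_seen_by_server,  # what the server applies
        'server_scale': server_scale,
    }


def perceived_windows(client_rcv_buffer, state):
    """How many bytes each end believes the client is willing to receive."""
    field = window_field_for(client_rcv_buffer, state['client_scale'])
    return {
        'client_advertises': effective_window(field, state['client_scale']),
        'server_believes': effective_window(field, state['client_scale_at_server']),
    }


if __name__ == '__main__':
    RCV_BUFFER = 174760   # constructed receive buffer size (not from the article)
    # Default scale of seven through a router that zeroes the shift count:
    # the server ends up believing in a 1365-byte window, below a typical
    # 1460-byte MSS, so it may never send a full segment.
    broken = handshake(7, 7, router_rewrites_syn_scale_to=0)
    print(perceived_windows(RCV_BUFFER, broken))
    # The smallest sufficient scale (two here) through the same router:
    # the server believes in a quarter of the real window, 43690 bytes,
    # which is small but still usable.
    conservative = handshake(smallest_scale_for(RCV_BUFFER), 7,
                             router_rewrites_syn_scale_to=0)
    print(perceived_windows(RCV_BUFFER, conservative))
```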
Comments (21 posted)
The latest Fedora Rawhide kernels come with an interesting feature: the
ability to enforce cryptographic signatures on loadable modules. This
capability has a few uses:
- Preventing the kernel from loading modules which have somehow been
corrupted.
- Making it harder for an attacker to install a rootkit on
a compromised system.
- Enabling vendors of enterprise Linux distributions to block the
loading of unapproved modules into stock kernels.
(It should be noted that, at this point, no vendor has indicated any plans
to restrict module loading in this way.)
The code which handles signed modules was originally written by Greg
Kroah-Hartman; it has subsequently been fixed up in various ways by David
Howells. Greg wrote a Linux Journal
article about his work back in January.
The signature code works by looking at the most interesting ELF sections
within a module file: the .text (program code) and .data
(initialized data) areas. When the module is built, a script uses the
objdump utility to extract those sections; the result can be fed
to gpg to generate a signature. That signature is then patched
into the module as yet another section, called module_sig.
Overall, adding signatures is a relatively small change to the module build
process.
The signatures are not much use, however, if nobody checks them;
implementing that check within the kernel is a somewhat larger business.
The 2.6 kernel includes a whole cryptographic subsystem, but that code is
oriented toward the needs of networking and encrypted filesystems.
Verifying module signatures using public keys was not one of the objectives
when the crypto API was added. To support this task, several thousand
lines of code must be added to the kernel; they perform arbitrary-precision
integer arithmetic (this code came directly from GnuPG), DSA signature
verification (also from GnuPG), simple in-kernel key management, and the
code to actually verify module data against signatures.
As things stand in the patch currently, any public keys used to verify
modules are built directly into the kernel itself. Being able to add a
site-specific key at run time would be a convenient feature, but it would
also defeat the purpose of this whole exercise. Any attacker who is in a
position to load malevolent modules could just load a new key first, thus
circumventing the signature verification. Even as things stand, a kernel
using signature verification should be set up to not allow overwriting of
in-kernel key data by way of /dev/kmem and such.
With all that infrastructure in place, a relatively small set of patches
makes the module loader actually verify signatures. Once again, the
interesting sections are stripped out, and a checksum is generated with the
SHA1 algorithm. If the signature in the module (1) can be decrypted
with a public key contained within the kernel, and (2) contains the
same checksum, the module checks out and can be loaded.
In the code, one can see the traces of a kernel developer encountering an
interesting problem. In many systems, the SHA1 transform code is kept in a
loadable module. The module loader, when it attempts to verify the
signature of a different module, could well force the kernel to try loading
the SHA1 module. The module code, however, takes the module_mutex
semaphore very early in the process; the recursive attempt will thus simply
deadlock the whole thing. To avoid this problem, the crypto API was
enhanced with a crypto_alloc_tfm2() function which can be
instructed to not load any modules while setting itself up. The SHA1
code will have to be linked directly into the kernel if it is used for
module verification.
Rawhide kernels come configured to verify any signatures found in modules,
but they will also happily load modules with no signature at all. There is
a configuration option which tightens things up, however, so that only
signed modules will be accepted. One wonders how much a proprietary module
vendor might pay to have their public key included in a distributor's stock
kernels once that option is turned on.
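An added example, not the Rawhide kernel's or GnuPG's code, that models the build-side and loader-side steps described above on a constructed minimal ELF64 file: it extracts .text and .data, hashes them with SHA1, and stores or checks a module_sig section. An HMAC under a constructed DEMO_KEY stands in for the DSA signature so the block runs with the Python standard library alone; in the real scheme the builder signs with a private key and the loader verifies with a public key built into the kernel.

```python
import hashlib
import hmac
import struct

# ELF64 little-endian layouts (struct format strings; 64 bytes each).
ELF_HEADER = '<16sHHIQQQIHHHHHH'
SECTION_HEADER = '<IIQQQQIIQQ'
SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3

# The sections the article says the signature covers, in the order hashed.
SIGNED_SECTIONS = ('.text', '.data')
SIG_SECTION = 'module_sig'

# Constructed stand-in for the DSA key pair. A real loader holds only a
# public key compiled into the kernel; no secret is shared with the builder.
DEMO_KEY = b'demo-key-standing-in-for-the-DSA-keypair'


def build_elf(sections):
    """Build a minimal ELF64 relocatable file from [(name, bytes), ...]."""
    shstrtab, name_offset = b'', {}
    for name in [''] + [n for n, _ in sections] + ['.shstrtab']:
        name_offset[name] = len(shstrtab)
        shstrtab += name.encode() + b'\0'
    table = [('', b'')] + list(sections) + [('.shstrtab', shstrtab)]
    body, headers, offset = b'', [], struct.calcsize(ELF_HEADER)
    for name, data in table:
        sh_type = SHT_NULL if not name else (SHT_STRTAB if name == '.shstrtab' else SHT_PROGBITS)
        headers.append(struct.pack(SECTION_HEADER, name_offset[name], sh_type, 0, 0,
                                   offset if name else 0, len(data), 0, 0, 1, 0))
        body += data
        offset += len(data)
    ident = b'\x7fELF\x02\x01\x01' + b'\0' * 9      # ELF64, little-endian, version 1
    ehdr = struct.pack(ELF_HEADER, ident, 1, 62, 1, 0, 0, offset, 0,
                       struct.calcsize(ELF_HEADER), 0, 0,
                       struct.calcsize(SECTION_HEADER), len(table), len(table) - 1)
    return ehdr + body + b''.join(headers)


def elf_sections(blob):
    """Return {section name: bytes} for every non-null section of an ELF64 file."""
    hdr = struct.unpack_from(ELF_HEADER, blob, 0)
    ident, shoff, shentsize, shnum, shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b'\x7fELF' or ident[4] != 2:
        raise ValueError('not an ELF64 file')
    shdrs = [struct.unpack_from(SECTION_HEADER, blob, shoff + i * shentsize)
             for i in range(shnum)]
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    strtab = blob[str_off:str_off + str_size]
    sections = {}
    for name_off, sh_type, _flags, _addr, off, size, *_rest in shdrs:
        if sh_type == SHT_NULL:
            continue
        name = strtab[name_off:strtab.index(b'\0', name_off)].decode()
        sections[name] = blob[off:off + size]
    return sections


def module_digest(sections):
    """SHA1 over the signed sections only, recomputed the same way by the loader."""
    return hashlib.sha1(b''.join(sections.get(n, b'') for n in SIGNED_SECTIONS)).digest()


def sign_module(blob):
    """Build-side step: sign .text+.data and patch the signature in as module_sig."""
    sections = elf_sections(blob)
    sig = hmac.new(DEMO_KEY, module_digest(sections), 'sha1').digest()   # DSA stand-in
    kept = [(n, d) for n, d in sections.items() if n not in ('.shstrtab', SIG_SECTION)]
    return build_elf(kept + [(SIG_SECTION, sig)])


def check_module(blob, require_signature=False):
    """Loader-side policy: 'valid', 'invalid', 'unsigned' or 'rejected-unsigned'.

    require_signature=False mirrors the Rawhide default (unsigned modules still
    load); True mirrors the tightened configuration option.
    """
    sections = elf_sections(blob)
    sig = sections.get(SIG_SECTION)
    if sig is None:
        return 'rejected-unsigned' if require_signature else 'unsigned'
    expected = hmac.new(DEMO_KEY, module_digest(sections), 'sha1').digest()
    return 'valid' if hmac.compare_digest(sig, expected) else 'invalid'


if __name__ == '__main__':
    # Constructed module contents: a few x86-64 instruction bytes and one data word.
    module = build_elf([('.text', b'\x55\x48\x89\xe5\xc3'), ('.data', b'\x01\0\0\0')])
    signed = sign_module(module)
    print(check_module(module), check_module(module, True), check_module(signed, True))
    # prints: unsigned rejected-unsigned valid
```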
Comments (6 posted)
Herbert Poetzl discovered some interesting behavior in the 2.6 kernel: it
seems that any user can set arbitrary permissions on most files in
/proc. A patch had been merged back in the 2.5 days which enabled changing
of permissions, but an important check got left out.
For the most part, the security implications of this bug are small, but
real. Local users can make files in /proc inaccessible, which can
break commands (like ps) which rely on them. Making
/proc/sysrq-trigger writable allows some obnoxious mayhem to be
created. On the other hand, changing permissions in /proc/sys has
no useful effect: the sysctl code performs its own permissions checking on
top of what the filesystem does. The actual process entries under
/proc do their own checking as well, and do not allow the
permissions to be changed.
The fix is simple, and has been merged for 2.6.8. But some developers
wondered why anybody would want to mess with permissions in /proc
in the first place. It turns out that there is some information there
which, in some cases, people would like to hide from other users on the
system. Command lines for specific processes and TCP connection tracking
information were mentioned as specific examples. So permissions tweaking
in /proc will remain - but not just anybody will be able to do
it.
Comments (none posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
According to the Fedora web site:
The Fedora Project is a Red-Hat-sponsored and community-supported
open source project... The goal of The Fedora Project is to work
with the Linux community to build a complete, general purpose
operating system exclusively from free software. Development will
be done in a public forum.
The "about" page adds this:
Red Hat will retain editorial control over The Fedora Project but
will explicitly include external developers in the process of
making technical decisions that align with the project objectives.
In this context, it is interesting to consider the Fedora Core 3 plan,
which was posted on July 2. The plan calls for all kinds of
interesting things, including:
- GCC 3.4 as the standard compiler.
- GNOME 2.8 - which is not yet released.
- KDE 3.3.
- Evolution 2.0
- Another attempt at SELinux, with a less ambitious, less intrusive
set of policies.
- Indic language support
And a lot more. It looks like a bunch of good stuff.
One should note, though, that the scheduled date for the first test release
is July 12 - ten days after the announcement. Before the plan announcement, there
was very little public discussion of what FC3 was going to contain.
At this point, there is not a whole lot of time to "include external
developers in the process of making technical decisions." Instead, it
looks much like, once again, the core decisions have emerged in final form
from a smoke-filled room at Red Hat headquarters.
Let there be no mistake: Fedora Core is an unmitigated good thing. Red Hat
is giving the world a high-quality distribution with (mostly) highly
current software and a certain degree of visibility into the development
process. One should not complain about such a gift; we are certainly
richer as a result of it.
But Fedora clearly is not meeting its stated goals of being a community
project, and, apparently, it is not even making much progress in that
direction. Red Hat would do well to clarify its plans for Fedora at this
point. If Fedora is to be a community project, interested developers need
to see some progress in that direction. Opening up the promised CVS server
would be a good start. Another promise that would
be good to keep is this one:
With minimal necessary exceptions (such as information from
partners under NDA), Red Hat's own internal development on Fedora
Core will be done, starting immediately, on public mailing
lists. One of the reasons for Red Hat's success has been an open
process for making engineering decisions; our engineers have been
welcome to take opposing points of view in development discussions
and to argue passionately for their point of view. Now, with Red
Hat development going on in public, Red Hat developers will be
arguing their points of view on public mailing lists.
The FC3 plan was clearly not developed in this way. The formation of the
promised technical
committee, which is supposed to include outside members, would also be
a good step.
If, instead, Red Hat plans to keep Fedora in its current form (essentially,
a development and testing platform for technologies eventually slated for
the enterprise products), it should say so. Red Hat would be entitled to
take this position, and, certainly, large numbers of users are content to
run a Fedora distribution which is developed in this way. Who can
complain? It is a free, high-quality distribution with good security
support. But outside developers who would like to participate in its
creation have a right to know whether (and when) that will be possible.
Comments (2 posted)
Distribution News
Conectiva Linux 10 is out; this release includes the 2.6 kernel, additional
spam-fighting software, Samba 3, the latest KDE and GNOME, Conectiva
Office (OpenOffice.org with a Portuguese translation), and lots of other
goodies. Click below for details and download coordinates.
Full Story (comments: none)
Mr. Bad asks (on linux-elitists), which distribution is the most powerful?
"So, after seeing the umpteenth Debian package description mentioning
what a powerful throbbing ur-package is barely contained within the bulging
envelope of this particular .deb, I started wondering: how much of the
software in Debian is actually POWERFUL? Like, so notably powerful that
that's how you'd describe the software; it impresses its powerful powerness
on the maintainer that much that they can't help mentioning its
power."
Comments (1 posted)
The Debian Weekly News for July 6, 2004 is available with news about a
Debian Trivia Quiz, GNOME 2.6 in testing, the future of Debian's X11
packages, and several other topics.
An unofficial announcement has gone out: the
Debian Project has voted to postpone its recent social contract changes
until after the next major release ("Sarge") goes out. The changes in
question force the removal of all documentation, data, and other materials
seen by Debian as not being free; they had threatened to delay the (already
tardy) Sarge release. This vote should pave the way for a faster release.
Note that the project adopted the resolution wording which defers the
changes indefinitely, rather than the version which put a September
deadline on the release. The full
results are available for the curious; the full text of the several
variants of the resolution is available over here. The
announcement from the project Secretary is here.
Chris Cheney reports that the Debian AMD64
port is the second most complete port behind i386. Chris's post contains
more details about the status of this port.
Comments (none posted)
LibraNet GNU/Linux is offering free trial downloads.
Full Story (comments: 2)
The Gentoo Weekly Newsletter for the week of July 5, 2004 is out. This
week's edition has an announcement for the Gentoo web redesign contest,
among other topics.
Full Story (comments: none)
The DistroWatch Weekly for July 5, 2004 is out with an up-to-date look at
new and updated distributions.
Comments (none posted)
The Fedora Core 3 announcement lists plans for this release which include
integrating GCC 3.4, GNOME 2.8, KDE 3.3, another (less ambitious) attempt
at SELinux, Indic language support, VNC, etc.
Fedora Core 2 has updates for GConf2 (fixes
a problem when using merged files) and xorg-x11 (new release with minor enhancements
to the package upgrade process).
Comments (none posted)
Mandrakelinux has an updated autofs package that fixes a stalling problem
in Corporate Server 2.1/x86_64.
Full Story (comments: none)
New Distributions
The Resala Linux Project is a single CD distribution based on the Fedora
Core Project. Its main objectives are: to make an Arabic ready
distribution, make it easy for normal users to use Linux in Arabic speaking
countries, open the doors for Arabic developers to participate positively
in the OSS, to be a test bed for Arabic applications and introduce these
applications to other main stream distributions. Resala Linux Core 1 was
released June 21, 2004.
Comments (none posted)
Minor distribution updates
Astaro Security Linux has released v5.013 with minor bugfixes.
"Changes: This Up2Date adds possibility to
fetch Up2Dates via proxy, improves the downloader and spamscore
capabilities for the Contentfilter, improves the POP3 Extensionfilter and
fixes the Openswan vulnerability CAN-2004-0590 besides a list of fixes for
other small problems."
Comments (none posted)
Deep-Water/Linux has released v0.4.0 with minor feature enhancements.
"Changes: This release replaces the GUI, adds a new file browser, and
updates to a newer kernel."
Comments (none posted)
Feather Linux has released v0.5.3 with lots of bug fixes. From the
changelog:
- Fixed multiple fpkg "Additions" menu creation
- Fixed HD install script
- Fixed XFCE script, and edited it so that it requires less memory
- Changed Fluxbox menu text size to 12
- Changed some wording of the X setup script and mount.app.
- Downgraded Firefox to 0.8 because of dependencies
Comments (none posted)
LEAF (Linux Embedded Appliance Firewall) has released Bering-uClibc 2.1.3
with minor bugfixes.
"Changes: Maintenance release for the stable 2.1 series."
Comments (none posted)
LormaLINUX has released v5 RC2.
"This release of LormaLinux makes sure that all packages are clean and
have all the dependencies covered. Replaced Xpdf with Acroread (Adobe
Acrobat Reader) that works with Firefox enabling you to view and copy
content of a PDF file right on your browser. Added the latest version of
wine (a Windows emulator) for your extreme cross-platform gaming
pleasure."
Comments (none posted)
Onebase Linux has released OnebaseGo v2.0 with numerous package updates,
improved EPS and Docking. Onebase 2004r4 has also been released.
Comments (none posted)
tinysofa has released v2.0-pre2 (Persistence).
"The C#/ASP.NET suite has been updated to 1.0. vsftpd
is now at 2.0.1 and includes SSL/TLS support. Apache version 2.0.50 brings
forth many feature enhancements and bug fixes. The slony1 replication
engine for PostgreSQL also features in pre2, with version 1.0.0 being
included in the distribution. Additionally, ruby is now included in the
distribution."
Comments (none posted)
Distribution reviews
This linux.com author
examines
Fedora Core 2 on his production system. "
Getting FC2 to a state of
desktop readiness is a task that requires a medium amount of skill and will
probably take close to a full day for the first workstation (assuming that
you have a high-speed Internet connection). Subsequent installs should go
more quickly; indeed, I intend for my students to get most of it done
during their first three-hour class."
Comments (7 posted)
Open for Business
advocates Slackware for the desktop. "
The installation and
initial setup is to be done by someone with more experience with
computers. This is consistent with widespread practice. As I said before,
end users installing their own operating systems are an exception, and not
the norm, in almost every OS under the sun. Therefore, the install and
initial setup should be performed by the "resident nerd" of the office or
home, or by an otherwise qualified person."
Comments (none posted)
DistroWatch
reviews
OpenBSD. "
Devout cynics will claim that a "secure network
operating system" is an oxymoron. No matter how good you make it, somebody
will find a way to break it. Nevertheless, the OpenBSD developers can claim
(with considerable justification) that they've worked harder and longer
than anyone else to make sure that their OS is secure. The record speaks
for itself - in the nearly nine years of OpenBSD's existence, only one
remote security hole in the default install has been discovered (and that
hole was immediately closed)."
Comments (none posted)
Page editor: Rebecca Sobol
Development
KRename
is a batch-mode file renaming utility for the K Desktop Environment
(KDE). The primary software developer is Dominik Seichter.
The utility is primarily designed for managing large collections of
digital photographs and music files, but it is general enough in
design to be applicable to a wide variety of uses.
Krename offers an easy way to rename hundreds of files in one go, giving you as much freedom as you need. You can use parts of the old filename, information like the current date or even an mp3 tag or the colour depth of an image.
Krename integrates into the Konqueror or Krusader file manager!
Despite its description as a batch utility, KRename is a GUI-based
application, not a shell script. The
screenshots page shows some of the features of the GUI.
The basic actions of KRename include file renaming, copying, moving and
overwriting. KRename can create shortcuts and undo what it changed.
Some additional KRename
features include:
- The ability to work on single files, groups of files, and directories.
- Support for recursive directory scanning.
- Two GUI modes: tabbed and wizard-like.
- Support for multiple language translations.
- An open plugin architecture for expandability.
- Plugins for showing meta-information of images, sounds, languages, and many other file formats.
- Support for image viewing with numerous formats.
- Renaming via filenames, extensions, dates, times, substrings, regular expressions, and upper/lower case letters.
- Integration with Konqueror and Krusader.
Version 3.0 of KRename
was announced
this week. The
KRename home page lists
numerous improvements, including:
- KIO-Slave Support for handling remote file operations.
- Completely controllable by the command line.
- Support for scripting via the DCOP interface.
- Usability improvements, including simplified operation and a beginner mode.
- New language translations.
- Bug fixes.
- Performance improvements.
- New documentation in PDF format.
KRename looks like a very useful application; the software
is available for download
here.
Comments (5 posted)
System Applications
Audio Projects
The
latest changes from the
Planet CCRMA audio utility packaging project include new versions of the Alsa Modular Synth, TAP Plugins, TAP Reverb Editor,
Gmorgan, Libfishsound, and Qjackctl.
Comments (none posted)
Database Software
Version 0.8.4 of Glom, a GUI database table designer, is available.
Changes include dependence on a new version of Bakery, connect button
behavior changes, build improvements, more translations, and more.
Version 0.8.5
was also announced
this week, followed by
version 0.8.6.
Glom is, apparently, under intensive development.
Full Story (comments: none)
Version 4.1.3-beta of the MySQL database is available.
"
This is the first beta development release, adding new features
and fixing recently discovered bugs. The change to "beta" level indicates
that all planned major features for MySQL 4.1 have been implemented by
now. The focus is now on testing and stabilizing these new features and
the rest of the code base."
Full Story (comments: none)
The July 6 issue of the PostgreSQL Weekly News is out; among other things,
it looks at what will be in the upcoming 7.5 release. "
With the caveat that these
features could be removed during the beta cycle, most of the big name
features made it in under the wire including nested transactions, PITR, and
integrated pg_autovacuum. It is also worth reminding folks about win32
support, tablespace support, and the ARC buffer code, which is making this
release one of the most significant in several years."
Full Story (comments: 3)
Version 1.0 (Production Grade) of Slony-I, a database replication
solution for the PostgreSQL database,
has been announced.
The Slony-I project
web site has more details:
"
Slony-I, which functions on PostgreSQL 7.3 or better, does asynchronous master-to-multiple-slaves replication, slave promotion and failover, and helps you do PostgreSQL upgrades with extremely short downtimes."
Comments (1 posted)
Mail Software
Qms-analog version 0.3.4, a log file analyzer for qmail-scanner,
has been announced.
Comments (none posted)
Security
Stable version 2.3-0 of afick (Another File Integrity Checker),
a cross-platform intrusion monitoring system,
is out. Here is the change summary:
"
A new command is added in this release: afickonfig, to help
afick configuration. Running options are added in reports."
Comments (none posted)
Web Site Development
Version 1.0 of the
Quixote
web development platform has been released.
The
CHANGES document shows no differences from the 1.0c1 release.
Comments (none posted)
Version 0.5.2 of Samizdat, a generic RDF-based engine for building collaboration and
open publishing web sites, is available.
"
This version adds Wiki functionality to Samizdat, allowing users to edit
messages and track history of changes. Messages may use Textile format
for advanced hypertext markup, editing may be limited to the original
creator or open for all site members. Other highlights of this release
are FastCGI support, configurable site logo, multiple usability
improvements, and the usual bunch of bugfixes. Once again, database
schema is slightly changed."
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 0.2.9 of QjackCtl is out.
"
It's been a while, although this time there's not much. Just minor fixes,
nothing very outstanding. However here it is, a new public release for
QjackCtl, the little Qt (cutie:) application to control the JACK sound
server daemon, specific for the Linux Audio Desktop infrastructure."
Full Story (comments: none)
Version 1.6.4 of
WaveSurfer, a sound visualization and manipulation tool, is out.
The
Change History document mentions several changes in the
transcription section of the code.
Comments (none posted)
Data Visualization
Version 1.0.0 of Fl_PlotXY, an XY plotting widget for FLTK,
has been announced.
Here are the changes:
"
A complete re-write of Fl_PlotXY. It now draws the data properly and is capable of handling multiple lines of data. More features will be added over the next few days, including loading and saving of .csv files, data manipulation and more." New versions of Gmsh and Table are
also available on the
FLTK site.
Comments (none posted)
Desktop Environments
Version 2.3.7 of Bakery, a C++ Framework for creating document-based GNOME applications, is available with minor changes.
Full Story (comments: none)
Tarballs are due for the GNOME Development Release Version 2.7.3.
Full Story (comments: none)
Version 2.6.2 of GARNOME, the bleeding edge GNOME distribution, is out
with lots of new component software versions.
Full Story (comments: none)
The July 2, 2004
KDE-CVS-Digest
is out with the following content summary:
"
KWord now can mailmerge from KSpread as data source. Less flicker in Konqueror and Kicker. And many bugfixes in KSnapshot, Konqueror, khtml and KMail."
Comments (none posted)
Electronics
Version 0.2 of
KRelais,
an electronic relay and switch simulation program,
has been announced. Here are the changes:
"
Signal lines on voltage are now highlighted. Pause and continue are simulated. Code cleanup was done."
Comments (none posted)
Games
Version 2.7.4 of the Gnome-games collection is out.
"
Lots of new stuff this time around. There are now new ways to play
both Aisleriot and Robots. Also, I've removed the shuffle button in
Mahjongg; you can currently only shuffle if you run out of
moves."
Full Story (comments: none)
Version 0.3.2 of GNOME War Pad, a VGA Planets client for GNOME,
is out with bug fixes and several enhancements.
Full Story (comments: none)
Version 1.7 of the game Monster Masher is available.
This version has been ported to gtkmm 2.4, and features bug fixes.
Full Story (comments: none)
Slagpanic
is a new game that is available on the PyGame site.
"
Slagpanic is a colorful modernization of the classic, Qix. Your job is to box in a wild variety of enemies and obstacles. You can also grab powerups to make things easier. Slagpanic also optionally makes use of some accelerated C++ routines, but benefits are only slight."
Comments (none posted)
GUI Packages
Version 2.4.4 of gtkmm, a C++ interface to GTK+, is out
with build fixes and other improvements.
Full Story (comments: none)
News Readers
Version 0.5.1 of Liferea is out with bug fixes and other improvements.
"
Liferea (Linux Feed Reader) is a fast, easy to use, and easy to install
GNOME news aggregator for online news feeds. It supports a number of
different feed formats including RSS/RDF, CDF, Atom, OCS, and OPML."
Full Story (comments: none)
Office Applications
Version 1.7.1 of anyInventory, a cross-platform inventory system,
has been announced.
"
Brand new user-requested features in this version include the ability to highlight fields, the addition of an auto-incrementing field, automatic hiding of the administration links from unauthorized users, and an improved quick search.
Several bugs that made version 1.7 unusable for some users have been fixed. As version 1.7.1 is the most well-tested and stable release of anyInventory to date, current users of any previous release are encouraged to upgrade."
Comments (none posted)
Version 0.0.5 of criawips, a slide show / presentation application
for GNOME, is available.
"
This version includes a preview of the slide within the main window.
This is currently affected by a bug (feature?) of the GNOME Canvas that
prevents zooming text."
Full Story (comments: none)
Version 1.2.13 of the Gnumeric spreadsheet is available.
"
This is a medium priority release. We finally seem to have fixed the xls export
issues around sheet local names and dealt with text overflow for really large
workbooks. Andreas chipped in with some LaTeX export fixes and patches for
printing problems. While we were playing with Glynn's film game we noticed a
problem at the bottom of some of the pictures. Morten found the missing 8 bytes
and the jpgs look clear now.
This release also has a few nifty features backported."
Full Story (comments: none)
Office Suites
KDE.News
points to
an article on KOffice.
"
When was the last time you took a look at KOffice, KDE's native office suite?
This article looks at the good, and the bad, in the latest version of the 1.3
series. Although OpenOffice.org grabs most of the limelight KOffice has been
steadily improving, with a low memory footprint and tight integration with
Konqueror you might find useful."
Comments (none posted)
The June 2004 edition of the OpenOffice.org Newsletter
is available with the latest news from the OpenOffice.org
office suite project.
Full Story (comments: none)
Web Browsers
Despite the previous version being named "End of the Line",
version 1.3.16 of the Galeon browser
is available.
"
Yes, it's roughly that time of the month again, and here's our first official release that's compatible with Mozilla 1.7. There's a lot of small fixes and refinements - particularly the fixing of the annoying crash when deleting cookies."
Comments (3 posted)
Miscellaneous
Alexandria 0.3.0, a book collection management application for GNOME,
is out. "
This release considerably improves the dialog box to add books,
ships a new provider to the Proxis library and features
more GNOME compatibility."
Full Story (comments: none)
Version 0.12 of Gwget, a download manager for Gnome 2, is out.
This release features code cleanup, notification area support, and more.
Full Story (comments: 2)
Languages and Tools
C
Version 3.4.1 of GCC, the GNU Compiler Collection,
is available.
The
changes
document has a long list of fixed bugs.
Comments (none posted)
Caml
The June 29 - July 6, 2004 edition of the Caml Weekly News
is available with the week's Caml language development news.
Full Story (comments: none)
Java
Don Schwarz
writes about code generation and bytecode
manipulation in Java on O'Reilly.
"
In this article, I will consider the case of a status-bar component embedded in a GUI application. I will explore a number of different ways to implement this status reporter, starting with the traditional hard-coded idiom. Along the way, I will introduce and discuss a number of new features in Java 1.5, including annotations and run-time bytecode instrumentation."
Comments (none posted)
Andreas Schaefer continues his series on class loading with
part two.
"
Though we discussed the basics of class loading in the previous article in this series, we still need more knowledge before we can delve into the advanced class-loading techniques. This article will show how to solve class-loading problems and to overcome some debugging limitations of the JDK class loaders."
Comments (none posted)
Jack Shirazi and Kirk Pepperdine
discuss Java garbage collection optimizations
on IBM's developerWorks.
"
If you're part of the current blogging craze, then you've likely heard of Blog-City, a blogging site owned and operated by Blog-City Ltd., a small company in Scotland. When some unexpected performance issues cropped up, Java performance experts Jack Shirazi and Kirk Pepperdine were asked to assist in a technical tuning of Blog-City."
Comments (none posted)
Lisp
Version 1.0-alpha of SLIME, an Emacs mode for Common Lisp development,
is available.
Full Story (comments: none)
Perl
The June 28 - July 4, 2004 edition of
This Week on perl5-porters is available. Here's the content
summary:
"
This was a week rich in discussion. Read about programming with threads, UTF-8 crashes and leaks (and fixes), parsing, globbing, deparsing, and other things."
Comments (none posted)
The June 27, 2004 edition of
This Week on Perl 6 is available with the latest Perl 6 development
news.
Comments (none posted)
Use Perl
mentions the search for a new Perl 6 pumpking.
"
We need a Perl 6 pumpking, someone to take on the responsibility of making the Perl 6 compiler happen. When we started this whole process these many years ago, we thought having one person handle the software end of things was sufficient, but making perl 6 a reality is a much larger task than we'd originally figured, as both Perl 6 the language and Parrot the interpreter have ended up bigger than we'd thought they'd be. Bigger, in fact, than one person can reasonably manage, especially with a volunteer project."
Comments (none posted)
Matt Casher
introduces POE on O'Reilly.
"
My framework of choice is POE. POE is a single-threaded, event driven, cooperative multitasking environment for perl. Basically, POE is an application framework in which a single threaded perl process waits for events to occur so it can act accordingly. This event loop comprises the core of a POE process."
Comments (none posted)
Python
Barry A. Feigenbaum
introduces Jython on IBM's developerWorks.
"
Jython is an implementation of the popular scripting language Python, but running on a JVM. For Python developers Jython is the best possible entry point to the Java platform; for Java developers it may be the strongest incentive to learn another language. Frequent developerWorks contributor and alternate language enthusiast Barry Feigenbaum introduces Jython and shows you what it can do to enhance your productivity on the Java platform."
Comments (none posted)
The Dr. Dobb's Python-URL! for July 5, 2004 is out. This week's links
include Quixote 1.0 release announcement and a discussion of backward
compatibility in Python, among other topics.
Full Story (comments: none)
Tcl/Tk
The July 5, 2004 edition of Dr. Dobb's Tcl-URL! has been published.
Full Story (comments: none)
XML
Fabio Arciniegas A.
demonstrates
SVG animation on O'Reilly.
"
In the last part of our exploration of SVG and Typography, we turn our attention to effects with animated type, exploiting SVG declarative animation features."
Comments (none posted)
Uche Ogbuji presents
part three
of his series on Python tools and XML on O'Reilly.
"
In this article I focus on ElementTree, libxml/Python and PyRXPU. I recommend reading or reviewing those articles first, as well as the earlier articles in this namespace series."
Comments (none posted)
Edd Dumbill
steps down
from his position as chief editor at XML.com.
"
From a personal point of view, my time at the helm of XML.com has been endlessly enriching. The XML community itself is a unique mix of the erudite, the obscure, the eccentric and the inspired. XML as a technology covers such a broad and fascinating range of applications, and perhaps more than most technologies has deserved the soubriquet "world-changing"."
Comments (none posted)
Editors
Version 1.1.0 of tease
is out. Here's the project description:
"
tease (text editing and scripting environment), language: tcl/tk, using
freewrap and tkprint, dual-OS (win32, unix) editor with: basic encryption,
fast commenting of code, excellent search/replace (regexp, too), unlimited
undo/redo, more features."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The New York Times has
an
article (registration required) trying to figure out the politics of the
free software community. "
But the politics surrounding open-source
software do not always fit neatly into party categories. The people who
work on software like the Linux operating system, the Apache Web server and
others are an eclectic bunch of technologists. 'You'll find gun nuts along
with total lefties,' Linus Torvalds, the creator of Linux, said in an
e-mail message."
Comments (10 posted)
The International Herald Tribune has taken
a lengthy look at the
ongoing European software patent debate. "
The political storm, which
has spread to national parliaments in Germany and Denmark and provoked
questions about the EU directive in Poland and Portugal, is the latest
twist in a bitter fight between large corporations with significant
research investments and scores of patents and small and midsize software
companies, academic institutions and supporters of open source
software, who oppose software patents."
Comments (6 posted)
The SCO Problem
SD Times
looks at
some interesting comments by Darl McBride concerning the OSDL's
Linux Developers Certificate of Origin program.
"
"We believe this unchecked process has allowed SCO code to be entered into Linux," McBride said. He called the OSDL decision an admission of errors in the Linux review process. McBride added that the Certificate of Origin program does not make the past issue of alleged intellectual property infringement go away."
Comments (12 posted)
Here's
a long Groklaw article on the application of copyrights to public-domain information (such as the U.S. Constitution or legal information).
"
Naturally, there has been a case about this, actually two, but with just one company, Jurisline, losing both. David Boies was the attorney for Jurisline, along with Robert Silver, now on the SCO case also, which unsuccessfully argued that copyright law trumped state laws regarding contracts. Small world, isn't it?"
Comments (3 posted)
Companies
Apple
has released
the source code for Rendezvous under the Apple Public Source license.
"
Rendezvous is a zero-configuration technology designed to be compatible with the requirements of the Internet Engineering Task Force's Zeroconf Working Group, and is used to enable automatic discovery and configuration of compatible devices on a network."
Comments (2 posted)
Open for Business
likes
Apple's Rendezvous technology on the Linux desktop. "
This week,
Apple brought Rendezvous back to the forefront with updated libraries for
POSIX systems, as well as support for Java. Unfortunately, despite the fact
that these libraries are out there for distributions and developers to use,
few in the Free Software community have taken the time to adopt Zeroconf
technology (Mandrakesoft's Mandrakelinux being the sole exception that I am
aware of). It is time for this to change."
Comments (none posted)
The Register
covers the launch of Linspire 4.5 Linux laptops from Dell and Questar.
"
The Linux version is actually sold by Dell partner Questar, an
Italian system builder which favours the open source operating
system. Purchases are made through Questar's website."
Comments (none posted)
Fujitsu has announced that it will be funding the development of new
PostgreSQL functions, according to
this article on NewsForge.
"
The
Japanese company, folding Windows as well as Linux and other open source into its mix of strategy, will support the BSD-based PostgreSQL database with code contributions and underwriting development that will be a part of version 7.5 of the database, PostgreSQL core team member Josh Berkus said. It is expected to be available before the end of the year."
Comments (3 posted)
News.com
reports
that Novell has raised $600 million in a bond offering. "
About $125
million of the money Novell raised will be used to buy back stock that
outside investors sold short, the software maker said."
Comments (none posted)
Here's an
editorial
at nekita.no-ip.com, examining the pros and cons of open source Java.
"
I think that we should basically try to get the software into the
Open Source community, but regulate Java by using existing tools we have
for that. I think that there could be a "commission" setup within the RFC
community that would comprise of members of Sun and the Open Source who
would create RFC's that set standards for the Java platform."
Comments (10 posted)
Linux Adoption
News.com
covers Indian president A.P.J. Abdul Kalam's remarks on the use of free software in defense applications.
"
Even though the required software for the equipment could be developed by the private industry, it is essential that the technical know-how and the architecture is fully available with these services for ensuring provision of lifetime support for the software which may or may not be forthcoming from the trade." Evidently Mr. Kalam found how "not forthcoming" support can be when the U.S. imposed an embargo after India's nuclear test.
Comments (10 posted)
Linux at Work
LinuxMedNews
covers two recent deployments of OpenEMR.
"
Pennington Firm, an open source software development company, is chosen by two clinics to implement the open source electronic medical record (EMR) application OpenEMR. Clinics choosing OpenEMR in June 2004 are: West Marion Family Medicine in Florida; and Operation Samahan in California. Pennington Firm is assisting both with electronic billing using a clearinghouse."
Comments (none posted)
Interviews
Linux Journal
interviews Brazilian government
member Sérgio Amadeu da Silveira, the target of
a Microsoft suit concerning comments he made about the use of
drug-dealing methods in the promotion of Windows.
Question: "Has this episode changed the government's opinion of Microsoft?"
Silveira: "I cannot answer on behalf of the entire administration. What I can say is that Microsoft made a huge mistake. The captive market they enjoyed within our government is a thing of the past, and I'm sure they are well aware of that. We live in a democracy where there is competition. They made a big mistake, they appear to have an attitude problem. What they did was unprecedented. We're working for a free-software implementation policy, not against this or that company."
Comments (3 posted)
Resources
News.com
takes
a look at a free Cisco manual. "
[Matt] Basham, a professor of
information technology and IT security at St. Petersburg College in
Clearwater, Fla., wrote his own 800-page Cisco networking textbook and last
week made it available for download over the Internet free of charge."
Comments (5 posted)
O'ReillyNet
uses a
FreeBSD-based live CD to build a cluster. "
Suppose that we need
to build a cluster of web servers to serve HTTP and HTTPS connections. Why
do we need a cluster? First of all, our web services are heavily loaded and
having one or two CPU systems and a lot of RAM is not enough
anymore. Secondly, our services need 24x7 availability and this requires an
excellent fail-over backup system, which should be completely transparent
for customers and normal web surfers. Nobody cares how many servers and
sites we have; everyone only wants to see the requested web page."
Comments (none posted)
Jem Matzan
walks through the process of customizing the GNOME desktop in
a NewsForge article.
"
Red Hat and Sun have shown us that GNOME can be both nice to look at and fun to use. However, GNOME is horribly bland in its natural state, and fixing it so that it's more palatable seems like such a daunting task. But what if you could do your own Bluecurve-like customizations and turn a boring and annoying default GNOME installation into a thing of beauty and productivity in about 20 minutes?"
Comments (17 posted)
Linux Journal
presents a
HOWTO for setting up Subversion. "
Subversion is receiving the
attention of many open-source developers due to its robustness, similarity
to CVS and innovative architecture. Having recently marked its 1.0 version
release, Subversion is being used in many open-source projects, including
SpamAssassin, the Linux 1394 FireWire support project and the SILO Sparc
Boot loader."
Comments (12 posted)
Joe Bolin
explains how to set up web filtering on a Linux box in a
NewsForge article.
"
Having converted quite a few people to the world of GNU/Linux, I am often asked by parents, "Can I set up parental Web filters for my children using Linux?" The answer is yes, and here's how."
Comments (none posted)
Reviews
Linux.com
installs
MPlayer. "
The best way to install MPlayer is by compiling it
from source code. Though pre-compiled binary packages (.deb and .rpm) are
available, a source-based installation gives you a fully customised player,
optimised for maximum performance in terms of your system's processor type,
video drivers, and other features."
Comments (2 posted)
NewsForge
looks at the
OpenIB Alliance, aimed at unifying efforts to build on InfiniBand
technology. "
"Linux is basically where we see most of the demand,"
said Mellanox director of product marketing Thad Omura. "That's why our
charter is a bulletproof stack for Linux.""
Comments (none posted)
Dave Phillips
reviews the LilyPond musical typesetting system in the Linux Journal.
"
Its Web page refers to LilyPond as an automated engraving system,
a software music typesetter designed to create beautiful readable
output. Set to its defaults, LilyPond automatically formats most music for
excellent printed output, at the same time permitting highly detailed
customizations to accommodate virtually any music scoring requirement,
including unusual and idiosyncratic notations."
Comments (none posted)
Miscellaneous
Netcraft
looks
at the latest round of browser wars, and recommends Firefox.
"
This experience of the professional quality of free software might
even lead some into the ultimate temptation: GNU/Linux itself. That option
has been made as convenient as possible by the creation of Knoppix, another
image file that can be downloaded, burnt to CDs and passed
around. Remarkably, this 2 Gbyte package of GNU/Linux plus applications can
be run from any Windows PC without changing a single file on the hard disc
simply by booting from the CD drive. The automatic configuration allows
users to experience GNU/Linux in a completely risk-free way."
(Thanks to Jonathan Lucas)
Comments (13 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Software Foundation Europe (FSFE) has sent out a
press release that details some of its recent activities in
Europe; it also mentions a need for more funding.
Full Story (comments: none)
The Open Source Development Labs (OSDL) has announced a new
college and university affiliate program.
Full Story (comments: none)
The Open Source Development Labs (OSDL) has announced that Aduva Inc., a
provider of Linux management automation solutions for distributed and
mainframe-based environments, has joined OSDL and will participate in the
Lab's Desktop Linux and Data Center Linux working groups.
Full Story (comments: none)
The official list of Perl Mongers groups
is being cleaned up.
"
There are, however, still a couple of hundred groups whose status is unknown. These are the groups that I got no response from when I tried to contact them a couple of years ago. If you're a member of a Perl Monger group that isn't listed here then please email me and let me know about your group."
Comments (none posted)
Commercial announcements
theKompany.com
has released version 1.1 of Aethera, a cross-platform
email/PIM/groupware client.
"
Aethera is offered for free under GPL in English, German and French while
additional plugins for Jabber (including peer to peer file transfer),
whiteboarding and voice over IP are offered commercially."
Comments (3 posted)
Innoopract, a provider of Eclipse-based tools and services, announced the
introduction of Yoxos, an Eclipse Distribution. Yoxos is a distribution of
the new Eclipse 3.0 plus a choice of the most popular Open Source plugins,
and prepackaged bundles of plugins.
Full Story (comments: none)
Jataayu Software has announced that it has entered into an alliance with
MontaVista Software Inc., to make available Jataayu's Infrastructure and
Mobile device solutions on the MontaVista Linux platform.
Full Story (comments: none)
Mandrakesoft will be acquiring the company Edge-IT.
"
Mandrakesoft,
publisher of the Mandrakelinux distribution, and Edge-IT, a provider
of support and services in the Linux market, reached a definitive
agreement by which Mandrakesoft will acquire all outstanding shares
of Edge-IT."
Full Story (comments: none)
New Books
O'Reilly has published the book
Programming Jakarta Struts, Second Edition by Chuck Cavaness.
Full Story (comments: none)
O'Reilly has published the book
Java Cookbook, Second Edition
by Ian F. Darwin.
Full Story (comments: none)
No Starch Press has published the book
The Spam Letters
by Jonathan Land.
Full Story (comments: none)
Resources
The July 6, 2004 edition of the FSF Europe Newsletter has
been published.
Full Story (comments: none)
The
July issue of
LinuxFocus is out, with a report from LinuxTag, an interview with Jeff
Dike, a look at Dia, and other articles.
Comments (none posted)
The July issue of
Linux
Gazette is now available with articles, tips and features to help you
get the most out of your Linux system.
Comments (none posted)
Eric S. Raymond has put together
an analysis on the use of the terms "open source" and "free software"
on the web. Here are some of his conclusions:
- Among software developers and in the technology trade press, use of the term "open source" dominates use of the term "free software" by 95%-5% or more.
- On the general Web, the ratio is 80%-20% or more.
- The gratis/libre ambiguity in the term "free software" produces about an 80% false-positive rate in Web searches.
- Use of the term "free software" is in long-term decline, and older or obsolete pages form a larger part of its share than for "open source".
Contests and Awards
You can cast your vote for the 10th annual Linux Journal Readers' Choice Awards, according to this announcement. "Vote for your favorites in over 20 categories, from favorite programming language to favorite programming beverage. If your favorite isn't on the list, use the write-in option for each category. Voting will take place from July 6 through August 5, and winners will be published in the November 2004 issue of Linux Journal."
Event Reports
KDE.News covers the KDE presence at the LinuxTag conference. "As usual, the KDE booth in the exhibition area was crowded. Six to eight demopoints were available for LinuxTag visitors to learn about the current KDE 3.2 release, accessibility, the KDE FreeNX project, personal information management (KDE PIM), the award-winning KDevelop IDE as well as the future of KDE. Many users also took the opportunity to personally provide developers with valuable feedback and suggestions. KDE developers used the hacking area to work on KDE FreeNX, jointly develop new ideas and generally hack on KDE."
Upcoming Events
The members of the Audacity audio editor project have announced a party. The event will take place near Seattle, WA on Sunday, July 25, 2004. "If you're an Audacity fan, and you live near Seattle, WA or would be interested in traveling there this summer, we would love to meet you! This is your chance to meet the Audacity developers, hang out with other Audacity users, see demos of cool new features under development, and in general have a good time. You must RSVP by Monday, July 19 in order to attend, because the exact location of this event will be determined based on demand. It will likely be at a restaurant with a private room."
NMS Communications has announced a one-day conference in São Paulo, Brazil on global telecommunication trends. The event will take place on July 13, 2004. "Special emphasis will be given to the recent Brazilian government position advocating the use of free software like Linux to correct the imbalance between software imports and exports and how realistic this is for the telecom market, where consumers and businesses take for granted the highest reliability from applications and infrastructure."
Red Hat is sponsoring the "Minneapolis Cluster Summit," happening on July 29 and 30. "We call this the 'Cluster Summit' because it goes well beyond GFS, and is really about building a comprehensive cluster infrastructure for Linux, which will hopefully be a reality by the time Linux 2.8 arrives. If we want that, we have to start now, and we have to work like fiends, time is short."
Damian Conway will give two public talks in Toronto, Canada on July 17 and 19, 2004.
Registration is open for the Italian Perl Workshop. The event will take place in Pisa, Italy on July 19 and 20, 2004.
A Call for Venues has gone out for the 7th German Perl Workshop. The event will take place in the spring of 2005, before the CeBIT conference.
The Linux Users' Group of Davis will be holding another Linux Installfest on July 17, 2004 in Davis, CA.
| Date | Event | Location |
| July 8 - 10, 2004 | Libre Software Meeting 2004 (RSM/RMLL) | Bordeaux I University, Bordeaux, France |
| July 12 - 15, 2004 | Real-time and Embedded Systems Workshop | Washington, DC |
| July 19 - 20, 2004 | Italian Perl Workshop | Polo Fibonacci, Pisa, Italy |
| July 21 - 24, 2004 | Linux Symposium | Ottawa, Canada |
| July 26 - 30, 2004 | O'Reilly Open Source Software Convention 2004 (OSCON) | Portland, OR |
| July 26 - 30, 2004 | IBM pSeries Technical Conference | Cairns, Australia |
| July 31 - August 2, 2004 | Vancouver Python Workshop | Vancouver, Canada |
| August 2 - 5, 2004 | LinuxWorld Conference & Expo | Moscone Center, San Francisco, California |
| August 21 - 29, 2004 | KDE Community World Summit 2004 (aKademy) | Filmakademie Ludwigsburg, Ludwigsburg (Stuttgart Region), Germany |
| September 2 - 3, 2004 | Python for Scientific Computing (SciPy) | CalTech, Pasadena, CA |
Web sites
The popular community site Advogato is back on the net after several weeks of down time. The future of the site is still unclear, however; as described in this article, Advogato needs a volunteer to help keep the site going. Advogato is worth keeping around; here's hoping that the necessary resources can be found shortly. (Thanks to Nathan Myers).
Software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
Miscellaneous
LinuxMedNews mentions a medical company's job posting. "Ok, guys, here you have it. Open source does not ruin the economy, it creates jobs! A notice to all open-source programmers: A Care2x service provider is looking for developers (it's paid) to work on Care2x customizations."
Page editor: Forrest Cook