The free software world generally sees a fork in a development project as a
bad thing. The
ability to fork is a crucial freedom, but the
exercise of that ability is seen much like initiating a divorce. Sometimes
it is necessary, but it is rarely an event which brings joy.
Little attention, however, has been paid to the idea of a parallel
fork, which we will define as a fork which continues to follow the
changes in the original project. The Linux kernel has been the subject of
large numbers of parallel forks over the years; distributor kernels,
architecture-specific trees, and development trees have diverged widely
from the mainline kernel and each other, but they also track the updates to
the mainline. Projects which are patched by distributors (such as
cdrecord) can also be seen as parallel forks. Yet another example might be
Sylpheed-claws, which
functions as a testing ground for bleeding-edge Sylpheed features.
Parallel forks can be the best of both worlds: they retain a tie to the
original project, but also are responsive to whatever forces created the
fork in the first place.
A parallel fork worthy of some attention is ooo-build, a version of
OpenOffice.org maintained by the folks at Ximian. Version 1.3.0 of
ooo-build was announced on August 18.
This fork was motivated by several issues, which are explained in depth at
the project web site. What it comes down to, however, is that the
OpenOffice.org process is slow, bureaucratic, and difficult for outsiders
to contribute to. As the web site says, "this is no way to create
excitement and provide fast problem fixes." So ooo-build was set up
as a place where would-be contributors can get their changes in quickly
and, with luck, see those changes used and possibly propagated back into
OpenOffice.org.
What does the 1.3.0 release offer?
This package contains Desktop integration work for OpenOffice.org,
several back-ported features & speedups, and a much simplified
build wrapper, making an OO.o build / install possible for the
common man.
There is a detailed list, which includes a number of bug fixes, GTK+ and
KDE file selector support, Lotus 123 importing, improved icons, and much
more. Oh, and the obnoxious business where OOo calls your file "modified"
every time you print it has been fixed.
The ooo-build parallel fork is a good thing: it brings the notoriously
unapproachable OpenOffice.org development process closer to what the rest
of the community expects to deal with. It can be a useful staging ground
which gets new features to users quickly, and enables stability testing
which can help smooth the eventual merging of those features into OpenOffice.org. It is
not the sort of acrimonious separation which normally comes to mind when
the word "fork" is mentioned; it is, instead, more of an impedance matching
mechanism. ooo-build should result in a better OpenOffice.org experience
for everybody involved.
After last week's
discussion of cdrecord,
and concerns that recent releases of cdrecord may not be free software, we
decided to take a look and see what alternatives exist for Linux users. The
answer, unfortunately, is "not many."
While there are quite a few front-ends for recording CDs under Linux, there
are very few actual CD and DVD-burning applications available to Linux
users. Applications like K3b, MP3Roaster, BashBurn and others all use
cdrecord to burn CDs.
In all, we were only able to find three suitable candidates for users
looking to find a replacement for cdrecord. Projects that were obviously
abandoned or with no new releases in more than one year were not
considered.
Cdrdao
For users with no interest in recording DVDs, Cdrdao is available under the GPL
and is a good alternative to cdrecord. This utility will perform
disk-at-once recording for audio and data CD-R/CD-RWs. The primary focus of
the Cdrdao project seems to be audio or mixed-mode CDs. In fact,
documentation on burning ISO images with cdrdao seems to be non-existent.
However, it is possible to burn ISOs with cdrdao with a little extra
effort. Burning CDs with cdrdao requires a description file (either a
native toc-file or a cue file from a Windows burning utility) in addition
to the actual data to be burned to CD. In the case of ISO images, users
must create the toc-file by hand to provide cdrdao with the necessary
information to burn a disk from an ISO. The cdrdao utility is also used to
make an image of a disk, and to create a toc-file to burn the image back to
disk.
Aside from the extra bit of effort required to create a toc-file, cdrdao
works well and is probably preferable to cdrecord for users who primarily
burn audio CDs. One note of caution: users should specify an appropriate
writing speed for their device. This writer neglected to specify a writing
speed the first time out of the gate, and cdrdao elected to shoot for a
rather optimistic 40x writing speed -- which produced a coaster rather than
a bootable KNOPPIX disk on the Sony DRU-530A DVD+RW/-RW, CD-RW
drive. Theoretically, this drive is rated for 40x burns with CD-R media,
but much better success has been had with lower burn rates.
The supported
drives page gives a list of drives that are known to work with cdrdao,
though it is not exhaustive. Version 1.1.9 of cdrdao was released on June 7,
2004.
OSS DVD Extensions
Though not a standalone program, the OSS DVD extensions are
worth mentioning. This project provides extensions to cdrecord for users
who would like to be able to burn DVDs as well as CDs. There is little
difference between using cdrecord and cdrecord with the OSS DVD extensions,
with the exception that the OSS DVD extensions enable DVD burning from
DVD-R(W) drives.
The OSS DVD website includes patches for several releases of cdrecord, as
well as RPMs for several versions of Fedora Core, Mandrake, Red Hat, and
SUSE Linux. The last patch for cdrtools was released in May. The OSS DVD
Extensions should work with any drive supported by cdrecord.
DVD+RW-Tools
Another project for DVD-burning is the DVD+RW-Tools
project. Despite the name, the DVD+RW-Tools project actually supports
DVD+RW and DVD-RW drives.
This writer has been happily using DVD+RW-Tools since investing in a DVD
burner back in February. The DVD+RW-Tools project includes a utility called
growisofs, which is used to master images and burn them to disk. Growisofs
can also be used "on the fly" to burn directly to DVD without the
intermediate step of creating an image file. The project also includes a
utility called dvd+rw-format to, not surprisingly, format DVD+RW media
before use.
The DVD+RW-Tools are used only for burning DVDs. Users who want to burn CDs
and DVDs must depend on cdrecord or cdrdao for CD burning. The project
seems to be a fairly healthy one, with the latest
release being a little more than a month old at the time of this
writing. According to the DVD+RW-Tools website, any MMC-compliant drive
should be supported.
Conclusions
While it's not unusual for people to complain that there are too many
programs that handle a given task (e-mail clients, for example), the Linux
community could do with a choice of CD and DVD recording programs. The
existing programs are suitable enough, but users are left with a
disappointing number of options when they need to utilize CD and DVD
burners.
The core of the suit filed by the SCO Group against IBM is a set of
breach-of-contract allegations. SCO is saying that IBM, through its
contributions to Linux, has violated the Unix licensing contracts signed
with ATT years ago. SCO's rather broader public claims have tended to
overshadow the much more restricted nature of the actual case at hand, but
that is what the real issue is. IBM has concluded that the time has come
to put an end to those charges, however, and has filed for a partial
summary judgment which would dispose of the contract case. The
supporting memorandum is
available as a 100-page PDF file. Your editor, who has not had a chance to
rip into this sort of meaty legal document for a while, has been through
the whole thing; the following is a summary of what IBM is saying.
IBM goes on at great length on why it believes the judgment should be
entered. The core of the argument reads this way:
- There is very little of the original Unix code in either AIX or
Dynix.
- Of that code which remains, IBM has contributed none of it to Linux.
- SCO's interpretation of the license, which would give SCO rights over
any code which ever went near AIX or Dynix, is nonsensical. SCO has
no rights over IBM's code which it developed itself.
- Even if the license agreement did, somehow, give SCO those rights,
Novell has the right to waive licensing enforcements, and has done so
in this case.
- SCO, by virtue of continuing to publish the contested code itself, has
forfeited any rights it may have had to keep others from doing so.
- SCO's right to terminate IBM's AIX and Dynix license (the basis of two
of SCO's charges) does not exist, and, if it did, it would be
overridden by Novell's waiver.
As followers of the flotilla of SCO cases have been reminded many
times by now: a motion for a summary judgment must show that there are no disputed
facts at issue. For IBM to prevail here (and avoid a longer trial on these
charges), it must show that all the facts are on the table and are not
contested. The standards are high for this sort of motion; if you want to
short out a real trial and dump a set of charges against you, you must have
a truly convincing argument.
Direct copying of code
The first two points above (direct copying of code) are argued early on, in ¶7:
SCO alleges that it has found approximately 74,000 lines of UNIX
System V code in AIX and approximately 78,000 lines of UNIX System
V code in Dynix... SCO does not contend (and in any case has no
evidence) that IBM has misused any of these lines of code.
One of the best ways of establishing an "undisputed" fact, obviously, is to
use the opposite side's statements against them. IBM does not stop there,
however; the company brought in its own MIT scientist (and a high-profile
one at that: Randall Davis) to compare IBM's Linux contributions against
the SYSV code base. Mr. Davis concluded that, as one might expect, there
is no SYSV code (or even similarities to SYSV code) in IBM's work, which
is, thus, not a derived work of SYSV. The memorandum does not state
whether Mr. Davis developed a deep semantic theory to that effect,
however.
Finally, IBM repeatedly points out that SCO was never able to provide any
examples of SYSV-derived code contributed to Linux, and that SCO is not
arguing that such a contribution has occurred:
Moreover, SCO's responses to IBM's interrogatories do not identify
any UNIX System V source code from which any of the code IBM
contributed to Linux is allegedly derived. Indeed, SCO refused to
provide such information because it "is not part of SCO's
claims". (¶59).
Thus, says IBM, the lack of any direct use of SYSV-derived code in violation of the
license agreement is undisputed.
What the license says
SCO still seems to believe that it has a case, however. That case depends
on a very broad reading of the Unix license contract signed between ATT and
IBM almost 20 years ago. From ¶62:
SCO's contract claims instead rest entirely on the proposition that
"[t]he AIX work as a whole and the Dynix/ptx work as a whole are
modifications of, or are derived from [UNIX] System V". Under
SCO's theory of the case, all of the tens of millions of
lines of code ever associated with any technology found in AIX or
Dynix, even if that code does not contain any UNIX System V code,
is subject to the restrictions of the IBM and Sequent Software
Agreements.
SCO, in other words, claims to own anything which ever might have breathed
the same air as SYSV Unix. This interpretation has been clear for some
time, and IBM has gone to great lengths to get SCO to commit itself (in
court) to that
position. IBM now hopes to demonstrate that, beyond any possibility of
dispute, the license contracts do not give SCO the rights it thinks it has.
The first step in that process was to hold depositions with all of the
people involved in the writing and signing of those contracts. So they
tracked down all of the IBM, Sequent, and (crucially) ATT people who were
involved in the process and queried them about the intent of the license
language. Everybody involved, on both sides of the table, agreed that the
contract was never intended to give ATT (or any of its successors) power
over code which it did not
develop. There are many pages of quotes to this effect. Here is one
example, from Michael DeFazio, who ran ATT's Unix product management,
marketing, and licensing group, and who said:
The [software] agreements did not (and do not) give AT&T, USL,
Novell, or any of their successors or assigns the right to assert
ownership or control over modifications and derivative works
prepared by its licensees, except to the extent of the original
Unix System V source code included in such modifications and
derivative works.... I do not believe that our licensees would
have been willing to enter into the software agreement if they
understood Section 2.01 to grant AT&T, USL, Novell, or their
successors or assigns the right to own or control source code
developed by or for the licensee. (¶90).
Several of the ATT people involved are also quoted as stating, flat out,
that SCO's claims are wrong.
IBM notes that, under New York law (which is the law governing its
agreement with ATT), sworn statements from both parties to a contract are
the most compelling evidence with regard to the intent of the contract.
So, if there were any ambiguity in what the contract means (which, says
IBM, there is not), the testimony from the relevant IBM, Sequent, and ATT
people would be more than sufficient to straighten things out.
Not content with that, however, IBM argues this issue from several other
points. It brings up the old issue of $ echo describing ATT's
intent, and the "side letter" signed with IBM and various other licensees.
ATT also redrafted the paragraph in question at some point; the people
involved stated that the change was only to make the intent clearer, and
did not actually change the license terms. IBM states that SCO's
interpretation of the contract is simply absurd and unreasonable, and thus
not enforceable. And
finally, IBM cites federal copyright law and its provisions regarding
rights over derivative works.
Waivers
IBM believes that it has shown that there is no possible interpretation of
the ATT license contract which favors SCO's position. But, says IBM, even
if that argument were to fall apart entirely, it doesn't matter: Novell has
waived any alleged breaches by IBM. The agreement between Novell and the
Santa Cruz Operation ("old SCO") is murky in several ways, but it seems
clear that Novell retained the right to shut down enforcement of Unix
license agreements at its will. Says IBM:
Novell's letters to SCO establish as a matter of law that even if
SCO had the right under the IBM and Sequent Software Agreements to
prevent IBM from disclosing its or Sequent's original code, Novell
explicitly waived that right.
If that isn't enough, IBM also claims that SCO, itself, has waived any
enforcement rights through its own distribution of Linux.
In this case, SCO's acts and conduct are plainly inconsistent with
an intention to assert a breach of contract against IBM based on
the code allegedly at issue. Both before and even after SCO sued
IBM, SCO sold to customers and made publicly available on the
Internet the code that it claims IBM improperly contributed to
Linux. Indeed, this code was still available on SCO's website as
recently as August 4, 2004. SCO cannot on the one hand market
and sell the source code IBM contributed to the Linux operating
system, and on the other hand claim that IBM was prohibited by its
licensing agreements from contributing that code to Linux.
In support of this position, IBM has dug up old SCO press releases and such
proclaiming features like journaling filesystems, SMP scalability,
asynchronous I/O, etc. As many people have pointed out over the last year,
SCO has dug itself into a deep hole with its own Linux distribution
activities.
License termination
Two of SCO's charges against IBM have to do with SCO's "termination" of
IBM's Unix licenses. This termination, says SCO, deprives IBM of the right
to distribute AIX or Dynix. It also, incidentally, is said to deprive all
users of those operating systems the right to keep running them - a risk of
proprietary code that, one assumes, most users were not expecting to have
to deal with.
IBM's motion deals with these actions almost as an afterthought. If IBM
has truly not breached the Unix agreements, then SCO's "termination" is
clearly beyond its powers. IBM states that SCO has no right to terminate
the license in this way in any case, however; quoting Novell:
Pursuant to Amendment No. X, however, Novell and SCO granted IBM
the 'irrevocable, fully paid-up, perpetual right' to exercise of of
the rights under the IBM SVRX Licenses that IBM then held. IBM
paid $10,125,000 for the rights under Amendment No. X. Novell
believes, therefor, that SCO has no right to terminate IBM's SVRX
Licenses, and that it is inappropriate, at best, for SCO to be
threatening to do so.
Even without this argument, however, Novell's waiver of enforcement rights
should be adequate to counteract this "termination."
Conclusion
IBM's motion for a partial summary judgment is thoroughly and
comprehensively argued; the company would appear to have covered all of the
bases. If IBM's argument holds water with the judge, the core of SCO's
case will have been demolished, and the collapse of the entire house of
cards will not be far away. This motion is an ambitious attempt to put an
end to this whole affair.
It is interesting to see which arguments do not appear in this
memorandum. In particular, there is no reference to the whole issue of who
really owns the Unix copyrights other than little digs like saying that SCO
"purports" to have acquired them. The copyright ownership issue could, by
itself, torpedo everything SCO is trying to accomplish. But the ownership
of the copyrights is very much a disputed fact, and, as such, it is not a
useful argument in support of a summary judgment.
If IBM succeeds with this motion, the SCO case is done. It would be far
too soon to conclude that this will come to pass, however. The next step
will be a response from SCO, followed by arguments in front of the judge.
SCO will do its best to drag up facts which, it will claim, remain in
dispute. We may see expert witnesses claiming that, testimony from the
principals involved notwithstanding, the ATT license agreements have a
broader meaning than IBM is claiming. SCO may try to claim that it hasn't
been able to come up with the facts because IBM has been "stalling
discovery." And so on. If SCO can create enough fog around IBM's
arguments, it might just succeed in defeating this motion and forcing the
whole thing to go to a full trial. In that case, we would have to wait
until next year for the outcome.
Page editor: Jonathan Corbet
Security
Many people interested in security issues fear the first big security
breach which
affects mobile wireless devices. A large, destructive cell phone worm would
make for a bad day in many quarters. The "Mosquitos" trojan does not quite
live up to those fears, but there are lessons to be learned from it anyway.
Mosquitos is a game for Symbian-based wireless handsets. According to
early reports, a version of the game had been "cracked" and circulated
through the usual channels. Users who picked it up and ran it found out,
sooner or later, that it had a bad habit of sending text messages to
expensive, premium phone numbers. That was almost certainly not the
experience the users had in mind when they loaded the game.
While many outlets reported the existence of a Symbian trojan, rather fewer
followed up when the truth of the matter became clear: the "trojan"
functionality was an intentional feature added by the manufacturer of the
game. It is, in essence, an attempt at a copy protection mechanism; if the
game finds itself running outside of its intended geographical area, it
sends a bunch of expensive messages in retaliation. This behavior is a
feature, not a trojan.
Then again, that might depend on your definition of "trojan." It is an
undocumented behavior hidden within a program; certainly nobody who bought
this game intended to purchase a function which sends unwanted messages if
it decides things are not right. Most users might be forgiven for feeling
that they had, indeed, been trojaned after all.
It would be out of character for us to fail to point out that this sort of
behavior is almost exclusively associated with closed-source, proprietary
software. The author of a free software program is certainly capable of
inserting trojan-like behavior; consider the
mICQ incident from February, 2003. But it would be surprising indeed
for any such code to last for long. Free software means that hostile code
can be found and ripped out in a hurry. Now if we only had mobile phones built with
free software...
Brief items
News.com reports from Crypto 2004, where researchers are presenting findings on weaknesses in secure hash algorithms.
"Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives.
Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It is certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard."
New vulnerabilities
acroread: UUDecode filename buffer overflow
Package(s): acroread
CVE #(s):
Created: August 16, 2004
Updated: August 17, 2004
Description: acroread contains two errors in the handling of UUEncoded filenames.
First, it fails to check the length of a filename before copying it
into a fixed size buffer and, secondly, it fails to check for the
backtick shell metacharacter in the filename before executing a command
with a shell. By enticing a user to open a PDF with a specially crafted
filename, an attacker could execute arbitrary code or programs with the
permissions of the user running acroread.
Gaim: remote code execution vulnerability
Package(s): gaim
CVE #(s): CAN-2004-0500
Created: August 12, 2004
Updated: October 18, 2004
Description: The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions.
glibc: Information leak with LD_DEBUG
Package(s): glibc
CVE #(s): CAN-2004-1453
Created: August 17, 2004
Updated: May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
gv: unsafe sscanf () buffer overflow vulnerability
Package(s): gv
CVE #(s): CAN-2002-0838
Created: August 12, 2004
Updated: August 19, 2004
Description: gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf()
function. An attacker can execute arbitrary code with the
permission of the user running gv.
kdebase: multiple vulnerabilities
Package(s): kdebase
CVE #(s): CAN-2004-0689, CAN-2004-0690, CAN-2004-0721, CAN-2004-0746
Created: August 12, 2004
Updated: October 4, 2004
Description: Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains.
MySQL: temporary file vulnerability
Package(s): mysql
CVE #(s): CAN-2004-0457
Created: August 18, 2004
Updated: September 1, 2004
Description: The MySQL "mysqlhotcopy" script contains a temporary file vulnerability
which could be used by an attacker to overwrite files.
nessus: adduser race condition vulnerability
Package(s): nessus
CVE #(s):
Created: August 12, 2004
Updated: August 17, 2004
Description: The nessus security scanner has a temporary file vulnerability that allows a
user to perform a privilege escalation attack by way of an adduser
race condition.
rsync: path-sanitizing bug
Package(s): rsync
CVE #(s): CAN-2004-0792
Created: August 16, 2004
Updated: November 1, 2004
Description: This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxiliary files to be read or
written.
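Why a second sanitizing call can hide a defect that single-call paths still expose, as an added C example. The flawed routine is a constructed stand-in, not rsync's code, and all function names and sample paths are assumptions; the point for a reviewer is to check the confinement invariant on the output of one call, for every consumer of the sanitizer.

```c
#include <stdio.h>
#include <string.h>

/* Shared walker. Drops ".." components. With strip_all == 0 it removes only
 * one leading slash and keeps empty components (the constructed defect);
 * with strip_all != 0 it removes every leading slash and empty component.
 * Returns 0 on success, -1 if the result might not fit (conservative). */
static int sanitize(const char *in, char *out, size_t outsize, int strip_all)
{
    size_t used = 0;
    int first = 1;

    if (outsize == 0)
        return -1;
    if (*in == '/')
        in++;
    while (strip_all && *in == '/')
        in++;

    for (;;) {
        size_t len = strcspn(in, "/");
        int dotdot = (len == 2 && in[0] == '.' && in[1] == '.');
        int empty = (len == 0);

        if (!dotdot && !(strip_all && empty)) {
            if (used + len + 2 > outsize)   /* separator + component + NUL */
                return -1;
            if (!first)
                out[used++] = '/';
            memcpy(out + used, in, len);
            used += len;
            first = 0;
        }
        in += len;
        if (*in == '\0')
            break;
        in++;                               /* skip the separator */
    }
    out[used] = '\0';
    return 0;
}

/* Constructed flawed sanitizer: one pass can leave a leading slash. */
int sanitize_flawed(const char *in, char *out, size_t outsize)
{
    return sanitize(in, out, outsize, 0);
}

/* Corrected form: a single pass already yields a confined path. */
int sanitize_strict(const char *in, char *out, size_t outsize)
{
    return sanitize(in, out, outsize, 1);
}

/* Invariant every sanitized path must satisfy: relative, no ".." component. */
int is_confined(const char *p)
{
    if (*p == '/')
        return 0;
    for (;;) {
        size_t len = strcspn(p, "/");

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p == '\0')
            return 1;
        p++;
    }
}

int main(void)
{
    const char *sample = "//etc/motd";      /* constructed input */
    char once[64], twice[64], strict[64];

    sanitize_flawed(sample, once, sizeof once);
    sanitize_flawed(once, twice, sizeof twice);
    sanitize_strict(sample, strict, sizeof strict);
    printf("flawed, one call : %-12s confined=%d\n", once, is_confined(once));
    printf("flawed, two calls: %-12s confined=%d\n", twice, is_confined(twice));
    printf("strict, one call : %-12s confined=%d\n", strict, is_confined(strict));
    return 0;
}
```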
ruby: insecure file permissions
Package(s): ruby
CVE #(s): CAN-2004-0755
Created: August 16, 2004
Updated: October 14, 2004
Description: Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who also has shell access to the
webserver to take over a session.
xine-lib: VCD MRL buffer overflow
Package(s): xine-lib
CVE #(s):
Created: August 17, 2004
Updated: August 18, 2004
Description: xine-lib contains a bug where it is possible to overflow the vcd:// input
source identifier management buffer through carefully crafted playlists.
An attacker may construct a carefully-crafted playlist file which will
cause xine-lib to execute arbitrary code with the permissions of the
user. In order to conform with the generic naming standards of most
Unix-like systems, playlists can have extensions other than .asx (the
standard xine playlist format), and can be made to look like another file
(MP3, AVI, or MPEG for example). If an attacker crafts a playlist with
a valid header, they can insert a VCD playlist line that can cause a
buffer overflow and possible shellcode execution.
Updated vulnerabilities
Apache mod_proxy: denial of service
Package(s): apache
CVE #(s): CAN-2004-0492
Created: June 11, 2004
Updated: October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service.
apache2: stack-based buffer overflow in ssl_util.c
Package(s): apache2
CVE #(s): CAN-2004-0488
Created: June 1, 2004
Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
aspell: bounds checking problem
Package(s): aspell
CVE #(s): CAN-2004-0548
Created: June 17, 2004
Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
Cfengine: RSA Authentication Heap Corruption
Package(s): Cfengine
CVE #(s):
Created: August 10, 2004
Updated: August 11, 2004
Description: Two vulnerabilities have been found in cfservd. One is a buffer overflow in
the AuthenticationDialogue function and the other is a failure to check the
proper return value of the ReceiveTransaction function. An attacker could
use the buffer overflow to execute arbitrary code with the permissions of
the user running cfservd, which is usually the root user. However, before
such an attack could be mounted, the IP-based ACL would have to be
bypassed. With the second vulnerability, an attacker could cause a denial
of service attack.
cvstrac: arbitrary code execution
Package(s): cvstrac
CVE #(s):
Created: August 6, 2004
Updated: August 11, 2004
Description: Richard Ngo
reported on BugTraq that a vulnerability has been discovered in the CVS
repository web browsing tool CVSTrac. If properly exploited, an
attacker can execute arbitrary code on the CVSTrac host with the privileges
of the associated web server.
Ethereal: Multiple security problems
Package(s): ethereal
CVE #(s): CAN-2004-0633, CAN-2004-0634, CAN-2004-0635
Created: July 9, 2004
Updated: August 19, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it
could cause a crash.
* A malformed or missing community string could cause the SNMP
dissector to crash.
See this
advisory for more information.
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
flim: insecure file creation
Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
gnome-vfs: backend script vulnerabilities
Package(s): gnome-vfs
CVE #(s): CAN-2004-0494
Created: August 4, 2004
Updated: February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
CVE #(s): | CAN-2004-0155
|
| Created: | April 7, 2004 |
Updated: | August 19, 2004 |
| Description: |
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
CVE #(s): | CAN-2003-0592
|
| Created: | March 10, 2004 |
Updated: | August 24, 2004 |
| Description: |
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: |
|
Comments (none posted)
kernel allows unauthorized changes to the group ID
| Package(s): | kernel |
CVE #(s): | CAN-2004-0497
|
| Created: | July 2, 2004 |
Updated: | September 27, 2004 |
| Description: |
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS. |
| Alerts: |
|
Comments (none posted)
kernel information leak
| Package(s): | kernel |
CVE #(s): | CAN-2004-0415
|
| Created: | August 3, 2004 |
Updated: | October 26, 2004 |
| Description: |
Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth 2.4.27 release candidate. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2003-0973
|
| Created: | January 27, 2004 |
Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: |
|
Comments (none posted)
MoinMoin Group ACL Bypass
| Package(s): | moinmoin |
CVE #(s): | |
| Created: | July 12, 2004 |
Updated: | August 26, 2004 |
| Description: |
MoinMoin contains a flaw that may allow a malicious user to gain access to
unauthorized privileges. The issue is triggered when an attacker creates a
user with the same name as an administrative group. This flaw may lead to a
loss of integrity. See this osvdb
entry for additional information. |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2003-0594
CAN-2003-0564
|
| Created: | March 10, 2004 |
Updated: | August 19, 2004 |
| Description: |
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0381
CAN-2004-0388
|
| Created: | April 14, 2004 |
Updated: | August 18, 2004 |
| Description: |
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
| Alerts: |
|
Comments (none posted)
neon: buffer overflow
| Package(s): | neon |
CVE #(s): | CAN-2004-0398
|
| Created: | May 19, 2004 |
Updated: | September 30, 2004 |
| Description: |
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver). |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
opera: remote filesystem read access vulnerability
| Package(s): | opera |
CVE #(s): | |
| Created: | August 5, 2004 |
Updated: | August 11, 2004 |
| Description: |
The Opera browser has a vulnerability that may allow a remote attacker
to read a local filesystem. |
| Alerts: |
|
Comments (none posted)
pavuk: buffer overflow
| Package(s): | pavuk |
CVE #(s): | CAN-2004-0456
|
| Created: | June 30, 2004 |
Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: |
|
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
CVE #(s): | |
| Created: | August 5, 2004 |
Updated: | October 28, 2004 |
| Description: |
PuTTY, a telnet and SSH client, contains a vulnerability that
can allow an SSH server to execute arbitrary code on a connecting client.
|
| Alerts: |
|
Comments (none posted)
python: buffer overflow
| Package(s): | python |
CVE #(s): | CAN-2004-0150
|
| Created: | March 10, 2004 |
Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: |
|
Comments (none posted)
samba: potential buffer overruns
| Package(s): | samba |
CVE #(s): | CAN-2004-0600
CAN-2004-0686
|
| Created: | July 22, 2004 |
Updated: | September 2, 2004 |
| Description: |
According to this Samba advisory, Evgeny
Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug
in the Samba Web Administration Tool (SWAT) on decoding Base64 data during
HTTP Basic Authentication. Samba versions 3.0.2 through 3.0.4 are
affected. (CAN-2004-0600)
Another buffer overflow bug has been located in the Samba code used to
support the "mangling method = hash" functionality. The default setting for
this parameter is "mangling method = hash2" and therefore Samba is not
vulnerable by default. Samba versions 2.2.0 through 2.2.9 and 3.0.0
through 3.0.4 are affected. (CAN-2004-0686) |
| Alerts: |
|
Comments (1 posted)
shorewall: temporary file exploit
| Package(s): | shorewall |
CVE #(s): | |
| Created: | August 10, 2004 |
Updated: | August 11, 2004 |
| Description: |
Javier Fernández-Sanguino Peña has discovered an exploitable
vulnerability in the way that Shorewall handles temporary files and
directories. The vulnerability can allow a non-root user to cause
arbitrary files on the system to be overwritten. LEAF Bering and Bering
uClibc users are generally not at risk due to the fact that LEAF boxes
do not typically allow logins by non-root users. The complete advisory is
here. |
| Alerts: |
|
Comments (none posted)
sox: buffer overflow
| Package(s): | sox |
CVE #(s): | CAN-2004-0557
|
| Created: | July 28, 2004 |
Updated: | February 21, 2005 |
| Description: |
Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file. |
| Alerts: |
|
Comments (none posted)
SpamAssassin: Denial of Service vulnerability
| Package(s): | spamassassin |
CVE #(s): | CAN-2004-0796
|
| Created: | August 9, 2004 |
Updated: | August 11, 2005 |
| Description: |
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service. |
| Alerts: |
|
Comments (none posted)
squid: buffer overflow
| Package(s): | squid |
CVE #(s): | CAN-2004-0541
|
| Created: | June 9, 2004 |
Updated: | September 30, 2004 |
| Description: |
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable. |
| Alerts: |
|
Comments (none posted)
SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CAN-2004-0519
CAN-2004-0520
CAN-2004-0521
|
| Created: | May 21, 2004 |
Updated: | October 4, 2004 |
| Description: |
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string. |
| Alerts: |
|
Comments (none posted)
Subversion: Remote heap overflow
| Package(s): | subversion |
CVE #(s): | CAN-2004-0413
|
| Created: | June 11, 2004 |
Updated: | March 7, 2005 |
| Description: |
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
CVE #(s): | CAN-2004-0107
CAN-2004-0108
|
| Created: | March 10, 2004 |
Updated: | October 4, 2004 |
| Description: |
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
CVE #(s): | CAN-2004-0183
CAN-2004-0184
|
| Created: | March 30, 2004 |
Updated: | September 30, 2004 |
| Description: |
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
wv: buffer overflow
| Package(s): | wv |
CVE #(s): | CAN-2004-0645
|
| Created: | July 14, 2004 |
Updated: | February 10, 2005 |
| Description: |
wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem. |
| Alerts: |
|
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2004-0409
|
| Created: | April 19, 2004 |
Updated: | November 15, 2005 |
| Description: |
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client. |
| Alerts: |
|
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
CVE #(s): | CAN-2004-0372
|
| Created: | April 6, 2004 |
Updated: | April 27, 2006 |
| Description: |
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine. |
| Alerts: |
|
Comments (none posted)
Resources
The August issue of CRYPTO-GRAM is out; this month's topics include another
stupid aviation security story, alibi networks, GHB, and phishing attacks.
"Computer security is an arms race, and money creates
very motivated attackers. Unsolved, this type of security problem can
change the way people interact with the Internet. It'll prove that the
naysayers were right all along, that the Internet isn't safe for
electronic commerce."
Full Story (comments: 5)
Version 2.2 of the Metasploit Framework is out; click below for the details. This release contains a set of new exploits, PPC and Sparc exploit support, and much more.
Full Story (comments: none)
vnunet has interviewed Robert Clyde, CTO at Symantec. "With open source, if an individual cares about a code flaw they'll fix it fast; if it's an obscure piece of code it could languish for years untouched. Commercial companies will try and fix all problems within a fixed timescale. Most commercial vendors are really behind reporting problems honestly and trying to fix them. I don't know of a single vendor who will sit on a vulnerability - maybe five years ago but not now."
Compare that with this eWeek article on Oracle's security performance. "It's been a good seven or eight months since the vulnerabilities were discovered. Sure, eight months seems like it would be 'as quickly as possible.' For a roomful of monkeys arbitrarily hitting keys to come up with a security fix. On broken keyboards."
Comments (9 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel is 2.6.8.1.
Linus announced the availability of the 2.6.8 allegedly stable kernel on
August 13. Unfortunately, it turned out to be a true "Friday the 13th"
release with a fatal bug in the NFS code, so 2.6.8.1 was rushed out to fix
it. This is the first time that the kernel has used a four-entry version
number.
Changes since -rc4 include the "Khazad" crypto algorithm, some added
permissions checking on raw SCSI commands from user space (see below), and
the removal of the fcntl() file operations method. For those just tuning in,
changes from 2.6.7 include snapshot and mirror support in the
device mapper, unbelievable numbers of "sparse" annotations, a bunch of
read-copy-update performance improvements, 64-bit SuperH support, some
security fixes, a reworked symbolic link lookup mechanism (which will
eventually enable raising the maximum link depth), and lots of fixes. The
long-format changelog has the details; the 2.6.8.1 changelog is also out
there for the curious.
No patches have been added to Linus's BitKeeper repository since the
2.6.8.1 release.
The current prepatch from Andrew Morton is 2.6.8.1-mm1. Recent changes to -mm include kprobes
("Generally we prefer to not merge infrastructure into the kernel
unless it has in-kernel users. kprobes is exceptional, in that its
applications are all custom-written to solve a particular
problem."), the removal of the single-array scheduler patch, a waitid()
system call implementation, and lots of fixes.
The current 2.4 prepatch is 2.4.28-pre1, which was released by Marcelo on August 15.
Additions include a big serial ATA update, the Khazad crypto algorithm,
some networking updates, and a handful of fixes.
Comments (5 posted)
Kernel development news
Some kernel interfaces last longer than others. The fcntl() method is one
of the others. It was added to the file_operations structure in 2.6.6 with
the purpose of giving low-level filesystems and device drivers an
opportunity to look at the command being executed from an fcntl() system
call and, possibly, do something different. The immediate motivation was
allowing the NFS code to disallow the combination of the O_APPEND and
O_DIRECT flags, since those two modes cannot work together in that
filesystem. Since then, the CIFS filesystem also has made use of it to
better handle the F_NOTIFY command by getting directory notifications from
the remote server.
In 2.6.8, that operation is gone again. The thinking is that the
file_operations structure did not really need another
general-purpose, multiplexed operation like fcntl(). So the
method was replaced with two new, carefully-focused methods. The first is:
int (*check_flags)(int flags);
This operation, if present, will be called in response to an
fcntl(F_SETFL,...) system call. It can look at the flags passed
in from user space and ensure that they make sense for the device or
filesystem in question.
The other new operation is:
int (*dir_notify)(struct file *filp, unsigned long arg);
This is the new method used by CIFS to handle F_NOTIFY
requests. All other fcntl() operations are handled in the core
VFS code, as usual.
The patch as merged by Linus fixed the NFS
and CIFS code to use the new
methods. Unfortunately, nobody tested the NFS changes before the patch was
merged, and this change went in just before the final 2.6.8 release came
out. The result was an NFS implementation which crashed the kernel, and
the need for a quick 2.6.8.1 release.
Comments (10 posted)
By far the loudest chorus of complaints about the 2.6.8.1 kernel comes from
users who have found that they can no longer burn CDs. In most cases, the
problem can be worked around by running the recording program from a root
shell (setuid is not sufficient), but
that is an unsatisfying alternative for many. Why, ask inquiring minds,
did CD recording have to break with the new kernel?
It's all a matter of trying to get the permissions right. Burning a CD
requires sending a number of special-purpose SCSI commands to the drive, so
the operation is performed outside of the regular I/O paths. But once you
can send arbitrary commands, you can do more than write CDs. In pushing
for changes, Alan Cox put it this way:
With the current code I can destroy all your hard disks given read
access to the drive. With checks on writable I can destroy all your
hard disks/cdroms as appropriate with write access. Destroy here
means "dead, defunct, pushing up the daisies, go order a new one
kind of dead".
Seeing this outcome as undesirable, Linus threw in a patch shortly before releasing 2.6.8. This
patch creates an array of known SCSI commands, associating each with "safe
for read" and "safe for write" flags. Those flags are tested when a
process attempts to execute the given command. If the device has been
opened for read access, the set of allowed commands is relatively small:
read, request sense, play CD, etc. A process with write access can execute
more commands, but not the whole set. Any command not explicitly flagged
as safe for the given open mode is restricted to processes with the
CAP_SYS_RAWIO capability - root, for all practical purposes.
This patch broke CD burning in multiple ways. Users of growisofs were
burned (so to speak) because that utility opens the device for read access.
That should never have worked, but did until now; fixing that problem will
require a patch to the application. Beyond that, however, is the simple
fact that numerous SCSI commands needed for CD burning were omitted from
the "safe for write" list. These vary from locking the door to "send OPC,"
"blank", and many others. Enabling CD writing from an unprivileged process
with write access to the drive will require adding several commands to the
list.
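The check described above can be modelled in user space as follows. This is an added example, not the kernel's code: the table is a small constructed subset, the function and constant names are hypothetical, and marking INQUIRY as safe for read and WRITE(10) as safe for write is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Opcode values from the SCSI SPC/SBC/MMC command sets. */
enum {
    OP_TEST_UNIT_READY = 0x00,
    OP_REQUEST_SENSE   = 0x03,
    OP_INQUIRY         = 0x12,
    OP_PREVENT_ALLOW   = 0x1e, /* PREVENT/ALLOW MEDIUM REMOVAL: lock the door */
    OP_READ_10         = 0x28,
    OP_WRITE_10        = 0x2a,
    OP_WRITE_BUFFER    = 0x3b, /* can carry a firmware download */
    OP_PLAY_AUDIO_10   = 0x45,
    OP_SEND_OPC        = 0x54, /* SEND OPC INFORMATION */
    OP_BLANK           = 0xa1
};

#define SAFE_FOR_READ  0x01
#define SAFE_FOR_WRITE 0x02

/*
 * Constructed, illustrative subset (assumption), not the kernel's list.
 * Any opcode without an entry has flags == 0 and is denied by default.
 */
static const unsigned char cmd_flags[256] = {
    [OP_TEST_UNIT_READY] = SAFE_FOR_READ,
    [OP_REQUEST_SENSE]   = SAFE_FOR_READ,
    [OP_INQUIRY]         = SAFE_FOR_READ,
    [OP_READ_10]         = SAFE_FOR_READ,
    [OP_PLAY_AUDIO_10]   = SAFE_FOR_READ,
    [OP_WRITE_10]        = SAFE_FOR_WRITE,
};

/*
 * Decide whether a raw command may be sent.
 * Returns 0 if allowed, -EPERM if the caller needs CAP_SYS_RAWIO.
 */
int verify_command(unsigned char opcode, bool opened_for_write,
                   bool cap_sys_rawio)
{
    unsigned char flags = cmd_flags[opcode];

    if (flags & SAFE_FOR_READ)
        return 0;                   /* harmless for any open mode */
    if ((flags & SAFE_FOR_WRITE) && opened_for_write)
        return 0;                   /* needs write access to the device */
    return cap_sys_rawio ? 0 : -EPERM;  /* everything else: privileged */
}

/* Count how many commands of a session the filter would refuse. */
size_t count_denied(const unsigned char *ops, size_t n,
                    bool opened_for_write, bool cap_sys_rawio)
{
    size_t denied = 0;
    for (size_t i = 0; i < n; i++)
        if (verify_command(ops[i], opened_for_write, cap_sys_rawio) != 0)
            denied++;
    return denied;
}

/* Constructed sample: commands a burning program might issue. */
static const unsigned char burn_session[] = {
    OP_TEST_UNIT_READY, OP_INQUIRY, OP_PREVENT_ALLOW,
    OP_SEND_OPC, OP_BLANK, OP_WRITE_10
};
#define BURN_SESSION_LEN (sizeof burn_session / sizeof burn_session[0])

int main(void)
{
    printf("read-only open, unprivileged:  %zu denied\n",
           count_denied(burn_session, BURN_SESSION_LEN, false, false));
    printf("write open, unprivileged:      %zu denied\n",
           count_denied(burn_session, BURN_SESSION_LEN, true, false));
    printf("write open, CAP_SYS_RAWIO:     %zu denied\n",
           count_denied(burn_session, BURN_SESSION_LEN, true, true));
    printf("WRITE BUFFER, write open:      %d\n",
           verify_command(OP_WRITE_BUFFER, true, false));
    return 0;
}
```

The read-only case corresponds to the growisofs breakage, and the write-open case to the commands missing from the "safe for write" list; the default-deny lookup is what keeps an unlisted opcode such as WRITE BUFFER behind CAP_SYS_RAWIO.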
Unfortunately, expanding the list in that manner can bring back the
original problem. Many commands which are safe to execute in one context
can destroy data, firmware, or hardware in other contexts. And it can be
very hard for the kernel to tell the difference between the two. There has
been talk of expanding the checking framework to better understand the
target device's operating modes and, perhaps, giving high- or low-level
drivers a say in the decision. Down that road lies complexity, however,
and it would be hard to reach a point where the developers could declare
victory and call the problem solved. It may well be that, despite other
faults in his reasoning on CD recording, Jörg Schilling got
it right when he suggested that the most secure mode of operation is to
simply restrict device access and run the CD recording application in a
setuid mode.
Comments (20 posted)
Power management remains one of the unfinished jobs from the 2.5
development series. Many of the pieces are in place, including the whole
device model infrastructure, but the kernel still lacks a comprehensive,
working power management subsystem. There are signs that things are
starting to happen, but it seems that the developers still lack a clear
idea of how they want to go forward.
Back on August 9, Patrick Mochel posted a
patch aimed at improving the power management subsystem. It brought
significant changes to the device model, including:
- Two power management methods were added to the class subsystem.
Until this point, classes had not been part of the power management
code at all; they are, instead, a way of exporting device information
in a functional organization. The rationale behind putting power
management functions in classes was that the higher-level code would
better understand how to "quiesce" a device in preparation for a
power state change.
- Three new power management methods would be added to the device model
representation of a bus (struct bus_type). These were
pm_save() (save state prior to a state transition),
pm_restore() (restore state afterward), and
pm_power() (perform an actual state change). These methods
would replace the current suspend() and resume() bus
methods, and the equivalent methods associated with struct
device_driver. The idea is to move all power management tasks
firmly into the bus-level code, and to let that code pass things on to
low-level drivers as appropriate.
- Each device would get two new arrays. One of these
(pm_supports) lists all of the power management states
supported by the device, in that particular device's (usually
bus-specific) terms. The second array (pm_system) is a
simple mapping from the power states understood system-wide into the
equivalent device states. These states are described by the new
pm_state structure, and sysfs interfaces exist to query the
supported states and to transition between them.
The resulting discussion implied a lot of changes to this patch; among
other things, the idea of using the class layer to quiesce devices was
controversial. An updated version of the patch has not been posted,
however.
Pavel Machek, meanwhile, has been trying to address a much smaller piece of
the problem: confusion over what the power management states really mean.
The power management code itself uses a set of states roughly related to
those defined in the ACPI specification, but other parts of the system (PCI
drivers, for example) have a different set of states. The current power
management methods take a u32 state value, and it is far from
clear what kind of state is intended.
Pavel's patch tries to address this problem
by creating a new enum type called system_state. The
bus- and driver-level power management methods are modified to accept a
parameter of this type, so that it is clear that (1) the power
management core's state values are being used, and (2) the parameter
describes the state to which the entire system is changing. It clears up a
core ambiguity without otherwise changing how things work.
Even this change is controversial, however. The largest concern is that,
eventually, it is expected that the drivers will need more information than
just the target system state. So, it is suggested, the type of the
parameter should be a structure pointer rather than a simple scalar value.
But nobody has really figured out what should go into the structure yet.
Getting it right the first time matters in this case. It is generally
accepted that fixing power management will require a driver API change, and
that, potentially, all drivers in the kernel (and out of tree as well) will
have to be changed at once. Developers are resigned to this change - but
they would really rather only do it once. So, says Patrick, it's better to wait:
Why be hasty? We need to do it right and do it once. If that means
a couple of more weeks and several more emails, then so be it.
Otherwise, we'll be stuck with a sub-par solution for who knows how
long.
What this means is that the discussion is likely to continue for a while -
and that an upgraded power management system will not be ready until
2.6.10, at best. Linux users, who have waited a long time for better power
management, can probably manage to be patient for a little while yet.
Comments (none posted)
Efforts to track down and eliminate sources of latency in the 2.6 kernel
continue. It seems, however, that most of the low-hanging fruit has been
found; with the current iteration of the voluntary preemption patch, the
remaining problems are rare and relatively hard to track down. So Ingo
Molnar built himself a new tool to help with those harder cases.
Ingo's problem with the previous preempt timing patch was that, while it
showed where a lengthy latency took place, it yielded little information
about what was happening during the high-latency event. So he adapted the
profiling mechanism to bring a little light to the situation. With the
latency tracing option turned on, a little tracing function gets called as part of
every kernel function call. This trace code stores the time of the call
into a large (4000 entries), per-CPU array. If the kernel avoids
scheduling for too long, that array of function call information gets copied into a
static array which is made available via /proc/latency.
Ingo included some example output with his patch:
preemption latency trace v1.0
-----------------------------
latency: 121 us, entries: 1032 (1032)
process: default.hotplug/1470, uid: 0
nice: -10, policy: 0, rt_priority: 0
=======>
0.000ms (+0.000ms): page_address (kmap_high)
0.000ms (+0.000ms): page_slot (page_address)
0.000ms (+0.000ms): flush_all_zero_pkmaps (kmap_high)
0.000ms (+0.000ms): set_page_address (flush_all_zero_pkmaps)
[...]
0.118ms (+0.000ms): page_slot (set_page_address)
0.118ms (+0.000ms): check_preempt_timing (sub_preempt_count)
The output shows the function call, and, in parentheses, the caller of each
function. In this case, the output identifies
flush_all_zero_pkmaps() as the real villain.
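A parser for the trace format quoted above, as an added example (it is not Ingo's code or part of the patch): it rebuilds the call stack from each entry's function/caller pair and credits elapsed time only to frames the trace proves were still active. The sample trace is constructed in the page's format, and the names parse_trace and confirmed_time are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the output quoted above (not a capture).
SAMPLE = """\
preemption latency trace v1.0
-----------------------------
latency: 121 us, entries: 10 (10)
process: default.hotplug/1470, uid: 0
nice: -10, policy: 0, rt_priority: 0
=======>
0.000ms (+0.000ms): page_address (kmap_high)
0.001ms (+0.001ms): page_slot (page_address)
0.002ms (+0.001ms): flush_all_zero_pkmaps (kmap_high)
0.030ms (+0.028ms): set_page_address (flush_all_zero_pkmaps)
0.031ms (+0.001ms): page_slot (set_page_address)
0.074ms (+0.043ms): set_page_address (flush_all_zero_pkmaps)
0.075ms (+0.001ms): page_slot (set_page_address)
0.116ms (+0.041ms): set_page_address (flush_all_zero_pkmaps)
0.117ms (+0.001ms): page_slot (set_page_address)
0.118ms (+0.001ms): check_preempt_timing (sub_preempt_count)
"""

HEADER_RE = re.compile(r"^latency: (\d+) us, entries: (\d+) \((\d+)\)")
ENTRY_RE = re.compile(
    r"^\s*(\d+)\.(\d{3})ms \(\+\d+\.\d{3}ms\): (\S+) \((\S+)\)\s*$")


def parse_trace(text):
    """Return (latency_us, events).

    Each event is (t_us, function, caller); a '[...]' line, used in the
    article to elide entries, becomes None.
    """
    latency_us, events = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            latency_us = int(m.group(1))
            continue
        if line.strip() == "[...]":
            events.append(None)
            continue
        m = ENTRY_RE.match(line)
        if m:
            ms, frac, func, caller = m.groups()
            # Three decimal places of a millisecond are whole microseconds.
            events.append((int(ms) * 1000 + int(frac), func, caller))
    return latency_us, events


def confirmed_time(events):
    """Return (active, unattributed), both in microseconds.

    The trace records calls but not returns, so an interval is credited to
    a frame only if the next entry names that frame, or one of its
    descendants on the reconstructed stack, as its caller. The result is a
    lower bound on each function's inclusive time.
    """
    active = defaultdict(int)
    unattributed = 0
    stack, prev_t = [], None
    for ev in events:
        if ev is None:          # elided entries: the stack is unknown again
            stack = []
            continue
        t, func, caller = ev
        gap = 0 if prev_t is None else t - prev_t
        # Nearest activation of the caller, searching from the top of stack.
        depth = next((i for i in range(len(stack) - 1, -1, -1)
                      if stack[i] == caller), None)
        if depth is None:
            # Caller never seen (trace started inside it, or after a gap).
            unattributed += gap
            stack = [caller]
        else:
            del stack[depth + 1:]       # frames above the caller have returned
            if gap:
                for frame in set(stack):    # set(): count recursion once
                    active[frame] += gap
        stack.append(func)
        prev_t = t
    return dict(active), unattributed


if __name__ == "__main__":
    latency, events = parse_trace(SAMPLE)
    active, lost = confirmed_time(events)
    print(f"reported latency: {latency} us, unattributed: {lost} us")
    for name, us in sorted(active.items(), key=lambda kv: -kv[1]):
        print(f"{us:6d} us  {name}")
```

In this constructed trace kmap_high, the outermost frame, spans nearly the whole interval, and flush_all_zero_pkmaps is the frame below it that accounts for almost all of that time. Applied to an excerpt containing a [...] line, the time across the elision is reported as unattributed rather than guessed.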
Other changes to this patch include making hardware and software interrupts
(which have been redirected into kernel threads) preemptible by default ("I
reviewed a number of softirq users and it appears to be safe"), and,
of course, the breaking up of more code which holds locks for too long.
Comments (none posted)
Page editor: Jonathan Corbet
Distributions
News and Editorials
Bruce Perens posted an early draft of the UserLinux Manifesto late last
year. Since then UserLinux has generated considerable press coverage, much
of it laced with a profound misunderstanding of what this not yet released
distribution is all about. (The first beta release is due out September 1.)
So, let's take a look at what UserLinux is, and what it isn't. See also
Brock Frazier's definition of UserLinux from his post to the UserLinux
mailing list.
UserLinux is not a fork of Debian; it's a Custom Debian
Distribution aimed at the business market. UserLinux is currently a
subset of Debian Sarge. All packages are taken from main, none from
non-free, and where Debian provides a choice of about 9000 packages,
UserLinux streamlines that down to one web browser, one mail transfer
agent, one desktop, and so on, without a bewildering array of choices.
There are currently three different flavors of UserLinux; the enterprise
server, the enterprise desktop, and the SOHO (Small Office/Home Office)
edition. Each one defines a subset of Debian Sarge packages that will
create a simple system tailored to the desired task.
Most experienced Linux users are used to having a wide array of competing
packages to choose from, but for most businesses such choice is often
confusing, and it adds to maintenance costs and security risks. UserLinux
chooses packages based on stability, usability, licensing, compatibility
and adherence to open standards, to create a distribution that is simple,
stable and easy to maintain.
Since UserLinux is Debian Sarge, any sysadmin with some knowledge of Debian
will be able to add additional packages or modify the package list, if
desired. A business with a skilled Debian sysadmin in-house will be able
to download and use UserLinux without any support contracts or licensing
fees. Many businesses will not have a knowledgeable sysadmin in-house, and
will instead contract with a UserLinux vendor for installation and support.
If the customer is knowledgeable enough to have a preference for some
package not included in the default UserLinux install, they are free to
negotiate a modified package list with their vendor. Most customers should
find the default UserLinux install to be adequate for their needs.
Will it sell? Only time will tell for sure. Vnunet says: the big
companies aren't getting in line to offer support for UserLinux. True
enough, for now. What big customer wants to request a pre-beta OS? Bruce
Perens wasn't fazed by the article, and for good reason.
The first stable UserLinux release will follow closely on the heels of
Debian's Sarge release. After that, who knows.
Comments (1 posted)
Distribution News
The Debian Weekly News for August 17, 2004
is out. This week's topics include an offer of 24x7 support for Debian
GNU/Linux with HP Extensions from Hewlett-Packard, where to find online
changelog files, plus several Sarge release topics including a Sarge
security checkup, open season on RC bugs leads to 0-day NMUs, best practice
QA uploads, synchronizing Skolelinux with Sarge, and more.
John Goerzen provides a brief SPI update,
which includes the news that Bdale Garbee and Branden Robinson were elected
to a 3-year term on the SPI Board and the following officers have been
selected by the board: President, John Goerzen; Vice President, Benjamin
Mako Hill; Treasurer, Jimmy Kaplowitz; and Secretary, David Graham.
Steve Langasek reports on the status of the
libtiff transition. "Now that the gcc blockage has been addressed,
it's possible to get a clearer look at what's needed to complete the
libtiff transition for sarge. The answer is: quite a lot, really. What
follows is a summary of the packages we know to be involved in this
transition."
Another release task is sorting out sid
updates that need to be in Sarge. All package maintainers should
ensure that any bugs that have been fixed in sid are also fixed in Sarge.
Debian Sarge Bug-Squashing Week runs August
16 - 22. Help squash those release-critical bugs if you can.
Comments (none posted)
Issue #15 of the Fedora News Updates is out. This edition covers the
announced end-of-life for
Fedora Core 1, many new updates in the Docs project, and plenty of talk
about porting Fedora to other platforms - Intel IXP2400, SGI's Altix
(ia64), and even Alpha. There is also some developer talk about updating
current releases, as well as developing test suites for Fedora, and more.
Comments (none posted)
The Mandrakelinux Community Newsletter for August 16, 2004 is out. This
edition covers the release of Mandrakelinux 10.1 Beta1 and other topics.
Full Story (comments: none)
New Distributions
Conectiva has announced (click below) the first beta release of Conectiva
Linux Live CD, based on CL 10. It comes in two flavors, KDE and GNOME.
Full Story (comments: none)
Minor distribution updates
distccKNOPPIX has released v0.1.0 with major feature enhancements. "Changes:
distccKNOPPIX now contains gcc versions 2.95, 3.2, 3.3, and 3.4. There are
now four different downloads depending on which gcc version you wish as
default. (although all gcc versions are on each ISO) The distcc version has
been updated to 2.16. You can now pass boot options to the kernel to
specify which gcc you wish as your default. You can also change the gcc
version at the command line with update-alternatives --config gcc. You can
also run from hard drive or RAM using the "toram" or "tohd" boot
options. Smarter detection of the node's IP address was added as
well."
Comments (none posted)
GeeXboX has released v0.98 with major feature enhancements. "Changes:
This release switches MPlayer to 1.0pre5, has better WiFi support and
drivers for RT2400 and ACX100 chipsets, adds control through joysticks,
support for SPDIF output, software decoding of DTS audio streams, a chapter
selector for DVDs and Matroska files, fixes the TV-Out problem with nVidia
cards, and adds support for external USB SmartMedia and CompactFlash card
readers."
Comments (none posted)
MoviX has released eMoviX 0.9.0rc1 with minor feature enhancements. "Changes:
Most 0.9.0pre1 bugs have been fixed. Many remotes have been imported from
MoviX, and all text handling (subtitles and filenames) is now based on
utf8. TrueType fonts are now used in the MPlayer menu, and translations in
several languages have been imported from MoviX."
MoviX2 v0.3.1rc2 is also available. "Changes:
This release includes the ability to adjust the size of the GUI fonts, NIC
selection when more than one NIC is detected, improved PCMCIA support, and
a few minor bugfixes."
Comments (none posted)
Distribution reviews
LinuxIT.br has step-by-step instructions (in Portuguese) for installing
Slackware 10.0. (Thanks to William da Rocha)
Comments (none posted)
Page editor: Rebecca Sobol
Development
MediaWiki is a web wiki package that is being developed by the
Wikimedia Foundation.
MediaWiki is the collaborative editing software that runs Wikipedia, the free encyclopedia, and other projects. It's designed to handle a large number of users and pages without imposing too rigid a structure or workflow.
The code is based on PHP; it has been released under version 2 of
the GNU General Public License.
MediaWiki is derived from the older Wikipedia project; the
project history gives the details.
The future development plans for MediaWiki are spelled out in
the project roadmap page.
Numerous web sites use MediaWiki, including Wikipedia, an online
encyclopedia, and Wikiquote, a quote archive. For some amusement, search
for Linus Torvalds on Wikiquote.
MediaWiki has a rather lengthy Feature List; some of the highlights include:
- A web-based user interface.
- Optional MySQL database support.
- A multi-level permission system.
- Caching functionality.
- Article cross-linking capabilities.
- Support for article revisions.
- Multi-lingual support.
- Multimedia extensions.
- Support for RSS syndication.
- Search and query support.
- Support for user-edited and user-uploaded data.
- Support for LaTeX mathematical functions.
- Generation of printable articles.
- Talk pages for user messaging.
- Watch list support for tracking changes.
Two new versions of MediaWiki were released this week.
Version 1.3.0 came out with this note:
"After an annoyingly long series of beta releases, say hello to MediaWiki
1.3.0! Everyone running the beta releases is _strongly_ recommended to
upgrade to the current code." An important security fix was
included in this release.
Version 1.3.1 was also announced with this note:
"1.3.1 fixes some remaining issues from 1.3.0."
The Wikipedia site speaks volumes about the usefulness and maturity of the
software; visitors may even be inspired to contribute some content.
Comments (none posted)
System Applications
Audio Projects
Version 1.0.6 of the Alsa sound driver has been released with a long
list of changes.
"
The 1.0.6a driver package fixes the /proc problem with loading of the
sequencer client modules."
Full Story (comments: 4)
Version 0.2.35 of Esound is out with bug fixes, code cleanup, and more.
"
EsounD (the Enlightened Sound Daemon) is a server process that allows
multiple applications to share a single sound card."
Full Story (comments: none)
Database Software
Version 1.0.2 of JPOX, a Java Data Objects implementation,
is available with bug fixes.
Comments (none posted)
Version 1.1.6 of libgda/libgnomedb, a database development framework, is out.
"
This is another development release in the road to 1.2, which will be
the next stable release, and which shows a preview of the new features
getting into the 1.2 final release."
Full Story (comments: none)
Version 0.52 of Mergeant, a database user and administration tool
based on GNOME-DB, is out.
"
This is a development release, the first one after the splitting of
Mergeant into libmergeant and the GUI frontend, resulting in a much
better architecture."
Full Story (comments: none)
The August 16, 2004 edition of the PostgreSQL Weekly News is out.
"While the initial response to PostgreSQL 8.0 beta has been very positive,
that wasn't the biggest news of this past week's development. What really
shook things up was the discovery of a long standing bug in PostgreSQL's XLOG
COMMIT code. Even though there have never been any known reports of this bug
on any released version of PostgreSQL, the nature of the bug is one where,
given the right amount of bad luck, it is possible to incur some data loss".
Full Story (comments: none)
Version 1.0.2 of Slony, a replication engine for the PostgreSQL database,
has been announced.
"
With this version, the Slony-I replication system allows you to use its advanced node switching features to make version upgrades to PostgreSQL
8.0 in minutes, regardless of database size.
Version 1.0.2 also fixes minor bugs, and is a drop-in replacement for existing Slony-I 1.0.0 or 1.0.1 installations."
Comments (none posted)
Embedded Systems
Version 1.0.0-rc3 of
BusyBox,
a condensed collection of command line utilities for embedded systems,
has been released. See the
Change Log
for details.
Comments (none posted)
Interoperability
Stable release 2.2.11 of Samba has been announced.
"
Please note that the Samba 2.2 code tree will reach its
End-Of-Life on October 1, 2004. Administrators of existing
Samba 2.2 installations are encouraged to upgrade to the
latest Samba 3.0.x release prior to that date."
Full Story (comments: none)
Security
Version 2.2 of the Metasploit Framework, an exploit development platform,
is out. Those working in the field of computer security would be advised
to take a look.
"
The 2.2 release includes three user interfaces, 30 exploits and
40 payloads. Additionally, this is the first public release to contain
the new in-memory DLL-injection system and the VNC (remote desktop)
payload."
Full Story (comments: 2)
Web Site Development
Version 0.9.7 of phpwsBB, a native bulletin board module for the phpWebSite
CMS,
has been released. This version fixes a critical build problem.
Comments (none posted)
The third - and possibly final - Zope X3 beta has been released.
Zope X3 is a completely rewritten product with no backward
compatibility, but with the benefit of years of experience; more
information can be found on the ZopeX3 web page.
Full Story (comments: 4)
The July 29 - August 13 edition of the ZopeMag Weekly News is online
with Zope information and a weekly dose of useful Plone tips.
Comments (none posted)
Desktop Applications
Accessibility
Version 0.9.9 of gnopernicus, the GNOME desktop screen reader for
the visually impaired, is out. Changes include translation work,
group context change notification, and more.
Full Story (comments: none)
Audio Applications
Version 1.2.2-pre1 of
Audacity, an audio file editor, has been released.
"
Audacity 1.2.2-pre1 is a public test version of Audacity. Help us test the new features and bug fixes that will appear in our next stable version of Audacity later this month, including VU meters and multi-file export!"
Comments (none posted)
Version 0.17 of Mammut, an audio FFT tool, is out with improved
Jack initialization and other changes.
Full Story (comments: none)
Desktop Environments
Version 2.8.3 of the Metacity window manager for GNOME is out
with a number of bug fixes and some translation updates.
Full Story (comments: none)
The August 13, 2004 edition of the KDE CVS-Digest is online; here's the
content summary:
"
Mostly bugfixes this week, including fixes for the 3.3 release. Digikam implements EXIF based rotation in image editor. Krita adds gradient support. KOffice can now save styles to OASIS. Security fixes in khtml."
Comments (none posted)
KDE.News
interviews Waldo Bastian. "
There are of course cost saving aspects but I think the most important reason for companies to go with KDE is that it puts the company back in control over their corporate desktops. With KDE your IT department gets new opportunities to help make your desktop workers more productive instead of spending all day fighting to prevent things from falling apart."
Comments (4 posted)
Electronics
The
Open Collector
site features a number of new electronic tool releases this week.
Here's what has been released: The
ADMS 1.2.10 code generator, the MMTL 1.2.1 Multilayer Multiconductor
Transmission Line 2-D and 2.5-D electromagnetic modeling tool suite,
the Eclipse Verilog Editor version 0.2.0, the Alliance 5.0 VLSI
CAD framework, and the FXTurns-n-Layers 1.1.4 graphical transformer and
induction coil design aid. There is also an update from the Ronja
Tetrapolis project, which involves a point-to-point visible light
transmission link made with automotive LED tail light assemblies.
Comments (none posted)
Financial Applications
Stable version 6.0.3 of BIE, the Business Integration Engine,
has been released. BIE is a Java-based data integration
system for exchanging internal and external data.
Comments (none posted)
Games
Version 2.7.7 of gnome-games, a collection of games for the GNOME desktop,
is available.
"
A lot of the themes have been split into a separate package called
gnome-games-extra-data. The core package now contains only a minimum
amount of graphics, it is still functional, but your favourite themes
may not be there."
Full Story (comments: none)
The initial release of gnome-games-extra-data (version 2.7.0) is out.
"
Most of
the graphics you will find here were formerly in the gnome-games
package. There are two additional tilesets for Mahjongg from Richard
Hoelscher based on the old GNOME 1.4 graphics."
Full Story (comments: none)
Version 1.4.1 of Stella, an Atari 2600 VCS emulator,
has been released. It features numerous bug fixes.
Comments (none posted)
GUI Packages
Version 2.4.6 of GLib is out with bug fixes and updated translations.
Full Story (comments: none)
Version 2.4.7 of GTK+, a graphical user interface toolkit,
is out.
"
This is an emergency bug fix release to fix two serious problems with
GtkFileChooser in GTK+ 2.4.6."
Full Story (comments: none)
Version 2.7.91 of Gtk2-Perl, the Perl bindings to GTK+, is out
with documentation fixes and improvements.
Full Story (comments: none)
Interoperability
Version 20040813 of Wine
has been announced.
Changes include
a new msiexec application, support for alpha blending,
sound support improvements, code cleanups, and bug fixes.
Comments (none posted)
Multimedia
Version 0.8.5 of GStreamer, a streaming media framework, is
available with lots of bug fixes and a few new features.
"
The 0.8.x series is a stable series aimed at end users.
It is not API or ABI compatible with the stable 0.6.x series.
It is, however, parallel installable with the 0.6.x series."
Full Story (comments: none)
News Readers
Version 0.5.3 of Liferea, the Linux Feed Reader, is out
with lots of changes and some bug fixes.
Full Story (comments: none)
Web Browsers
Stable version 1.2.8 of the Epiphany browser has been released.
Changes include support for the latest Mozilla API, confirm
before file overwriting, and lots of bug fixes.
Full Story (comments: none)
Development version 1.3.5 of the Epiphany browser
is out. Changes include removal of the startup script,
adaptation to the latest Mozilla API, bug fixes, translation
work, and more.
Full Story (comments: none)
Version 1.1.3 of Epiphany Extensions, the collection of extensions for
the Epiphany browser, is out.
"
Epiphany Extensions 1.1.3 is a development release for use with
the 1.3.x development series of Epiphany."
Full Story (comments: none)
MozillaZine
reports
that America Online has released Netscape 7.2. "
Based on Mozilla
1.7, this latest version features better popup blocking, vCard support, an
improved junk mail algorithm, better standards support, performance
enhancements and several hundred other bug fixes. It also includes patches
for recent security vulnerabilities."
Comments (none posted)
Word Processors
Eric Zen, editor of the AbiWord Weekly News, has declared the end of
the road for the publication.
"
In fact, I don't really think there should be an AWN. It's not that
AbiWord doesn't develop at a newsworthy pace, but so many other
projects do." RIP AWN.
Full Story (comments: none)
Stable version 2.0.10 of AbiWord
has been released.
"
This release is a bugfix release only."
Comments (none posted)
Miscellaneous
Version 2.0.1 of
gLabels,
a label printing application, is available for download.
This release features several bug fixes and has an updated
Japanese translation.
Comments (none posted)
Version 2.7.2 of GNOME Applets is out; changes are mostly in the
gweather component.
"
GNOME Applets are the little programs you run in your panel. Just about
everyone uses a GNOME Applet or two, the package includes applets like
the battery applet, CPU load applet, weather applet and mixer applet."
Full Story (comments: none)
Version 0.3.0 of Gnome OSD, an On Screen Display notification system for
the Gnome desktop, is out. The change overview says:
"
New control center preferences dialog, allowing configuration of
font and message position/alignment."
Full Story (comments: none)
Version 4.2.0 of HylaFAX, a Fax modem package,
has been announced.
"
This release includes nearly a year's worth of truly exceptional contributions from HylaFAX developers and users alike, and everyone should consider migrating to a HylaFAX-4.2.x release as soon as possible."
Comments (none posted)
Version 1.4.1 of OpenWFE
has been announced.
"
OpenWFE is an open source java workflow engine. It is a complete Business
Process Management suite, with 4 components : an engine, a worklist, a
webclient and a reactor (host for automatic agents). It can also be used
behind the scene. OpenWFE 1.4.1 is a bug fix release. One important concept
was introduced for stores : the order in which they are instantiated in the
worklist configuration file is now the order in which they are asked if they
accept a workitem for a given participant name."
Comments (none posted)
Languages and Tools
C
The August 18, 2004 edition of the
GCC Newsletter
is online. Read about a tentative gcc 3.5 release schedule, performance
benchmarking, C constant expressions proposals, and more.
Comments (none posted)
Caml
The August 17, 2004 edition of the Caml Weekly News is out with this
week's Caml language news.
Full Story (comments: none)
Java
Version 0.8.0-beta of SwingSet has been announced.
"We are pleased to announce the
0.8.0-beta release of SwingSet, an open source Java toolkit that allows
the standard Java Swing components to be made database aware. For the
latest version, all components have been made into Java Beans which will
allow for better integration with Java IDEs."
Full Story (comments: none)
O'Reilly is running
an article on Swing widgets.
"
Swing includes a vast collection of GUI components, but sometimes you need
something that's unique to your application. Andrei Cioroianu returns with
an installment on how to code your own Swing widget."
Comments (none posted)
O'Reilly is running
an article on extending JavaSound.
"
The JavaSound API adds audio capabilities to the Java platform. It's been part of J2SE since version 1.3 and it supports the WAV, AU, and AIFF audio formats, and provides MIDI support. It doesn't support some other audio formats, such as MP3, but it provides a flexible plugin architecture allowing any third-party vendor to add custom audio format support through the JavaSound Service Provider Interfaces (SPIs). This article deals with this plugin architecture and API, how to write and use a custom SPI implementation, how metadata such as title, artist, and copyright are exposed, and how multiple SPI implementations could be integrated in an application such as player or a game."
Comments (none posted)
PHP
Two new releases of PHP
have been announced.
Here is the announcement for version 5.0.1:
"
This is a maintenance release that in addition to many non-critical bug fixes also includes new UNIX and Windows installation docs which are now auto-generated from the PHP Manual."
And the version 4.3.9RC1 announcement says:
"
This is the first release candidate and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues."
Lastly, the online PHP manual's
Installation and Configuration
section has been reworked.
Comments (none posted)
David Sklar
shows some techniques for debugging PHP on O'Reilly.
"
David Sklar, author of Learning PHP 5, provides
some basic techniques for finding and fixing the problems in your programs.
In particular, he covers how to set up error reporting as you like it, how to
find parse errors, and how to inspect program data."
Comments (none posted)
Python
The August 18, 2004 edition of
Dr. Dobb's Python-URL! is out with the latest Python
language article links.
Full Story (comments: none)
Ruby
Version 0.10.1 of Ruby-GNOME2, the Ruby language bindings to GNOME 2,
is out.
"
This release fixes some serious bugs in Ruby-GNOME2-0.10.0 discovered
just after the release".
Full Story (comments: none)
Jack Herrington
works with E4X and Ruby in an O'Reilly article.
"
XML processing with SAX can be tricky, and is painful in the DOM. The new
E4X approach can make processing XML much easier. Jack Herrington explores
E4X and demonstrates a simple port to the Ruby programming language."
Comments (none posted)
XML
Uche Ogbuji
discusses SAX issues on O'Reilly.
"
In this article I discuss issues related to recent articles in this column, including some practical problems using XML facilities -- SAX in particular -- across Python versions and installed software configurations. I also revisit ElementTree's support for XML namespaces and discuss some other Python tools' support for breaking large documents into chunks."
Comments (none posted)
Editors
Version 2.7.91 of gedit, the GNOME text editor, is out with
work on the translations and several bug fixes.
Full Story (comments: none)
Test Suites
Version 0.82 of Marathon
has been announced.
"
This is a minor feature update and bug fix release. Marathon should work better on Linux now.
Marathon runs gui based acceptance tests against swing applications. It is composed of a runner, and recorder, and an editor. Tests scripts are expressed as python code."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Business Week interviews Linus Torvalds. "
I am a dictator, but it's the right kind of
dictatorship. I can't really do anything that screws people over. The
benevolence is built in. I can't be nasty. If my baser instincts took hold,
they wouldn't trust me, and they wouldn't work with me anymore. I'm not so
much a leader, I'm more of a shepherd."
Comments (9 posted)
Reason interviews John Perry Barlow. "
Trying to own intellectual products and creating an economy of
scarcity around them as we do with physical objects is very harmful to the
development of culture and the ability to speak freely, and a very
important principle not talked about much, which is the right to know. I
think we have a right to know. It shouldn't be something we have to
purchase."
Comments (3 posted)
NewsForge takes a look at localization efforts in India. "
Developers can localize
only programs which are internationalized, explains Dr. Nagarjuna G,
Chairman FSF-India. Internationalized programs encode their messages and
names of commands in a standard such as Unicode and follow a framework, so
that the core program works completely independent of the natural
language."
Comments (8 posted)
The SCO Problem
Groklaw features
some comments about Rob Enderle's controversial keynote speech at
the SCOForum conference.
"
So, bottom line: why all the attacks on Groklaw all of a sudden? And why no Enderle apology? He didn't even apologize for his foul language. I will give you my theory. I noticed that Darl McBride in his speech at SCOForum made some predictions, after he took a jab at Groklaw too. He said he commended "open blogs" and sites like Slashdot, where everyone is free to say whatever they wish. He falsely claimed that any time anything positive is left as a comment on Groklaw, I remove it. Actually, I have no recollection of ever seeing a positive comment about SCO here on Groklaw and I certainly haven't removed any as a result."
Comments (4 posted)
For those interested in the details,
the full text of the order from the AutoZone case is now available on Groklaw, along with extensive commentary from PJ. "
The judge has
clarified some things and added some items that were not mentioned at the
hearing. It isn't open-ended discovery. It's a really fast track, but the
judge has given SCO a little more time. All discovery must be done by 90 days
from the date of the order."
Comments (none posted)
Robin Bloor
catches up with SCO in this IT-Director article, with a side trip into software patents.
"
As for SCO, sadly Linux doesn't seem to infringe any SCO patents. So this third legal possibility for SCO seems doomed. Indeed it looks to me as though SCO is not going to have much of a Christmas. Perhaps Santa Claus has decided that SCO CEO, Darl McBride, simply has not been a good enough child this year."
Comments (1 posted)
Companies
Vnunet
looks at efforts by
the BBC to produce an online archive site.
"
The BBC is doing some other navel gazing as its Charter comes up for review, and radical ideas are being thrown about.
It is developing an open source video codec, called Dirac, to replace the Real Networks software currently used to stream video from the BBC site. This could challenge other commercial formats, including Microsoft's Windows Media Player 9."
Comments (5 posted)
Silicon.com
covers
a collaboration between Motorola and HP that puts carrier grade Linux into
mobile phones. "
Joy King, director of worldwide marketing for HP's
network and service provider business unit, believes that Linux is evolving
into the standard to use. While Motorola isn't ready to dump its own
software just yet, she said, through this partnership, it has started down
that path." Here is the
press
release.
Comments (1 posted)
Linux Adoption
The Hindustan Times
reports
on a North Asian government alliance to promote the Linux operating
system. "
Lu said the topic was complicated by Oracle, which along
with Chinese software firm Red Flag is developing "Asianux", a standard
Linux operating system designed for Asia. The national alliance was not
involved with that project, he said. In China, the firm overseeing
development of the official software was Beijing Co-Create Open Source
Software Co Ltd."
Comments (none posted)
China Economic Net
reports on efforts to upset Microsoft's dominance in China.
"
It will be possible for Thiz Technology Group Limited, who focuses on personal desktop operating systems, to make its assault on Microsoft in the desktop field. The first step that they choose to take is talent cultivation, which has never happened before.
It is well known that at present there are two mainstream computer operating systems in the world, namely Microsoft's Windows and the globally open Linux. Among them, Windows that is familiar to personal computer users has been monopolizing the computer desktop market for almost 10 years, while Linux, which has been forced to simply cooperate with some corporate users, has failed to get the correct approach to cut into the personal computer desktop market."
Thanks to Chel van Gennip.
Comments (13 posted)
The Register
reports that the city of Munich is moving ahead with its
switch to Linux.
"
Patent fears will not derail Munich's move to Linux, city mayor Christian Ude
has told a press conference. Earlier this month the city put the brakes on
its Windows to open source migration while the implications of pending EU
patent legislation could be examined, but Ude has now said that the project
will go ahead, and that the city administration is merely pausing to consider
matters for a few days."
Comments (2 posted)
Groklaw
mentions a new job opening for a Linux expert in Munich.
"
"At the online job fair of the Bavarian State Capital 'talented and motivated staff' are wanted to maintain and administer the future Linux-based clients. The job ad underlines Mayor Christian Ude's announcement yesterday that the migration to Linux will be continued."
I like this mayor. He has courage."
Comments (none posted)
Computerworld
reports on a user-optional Linux migration plan in Vienna, Austria.
"
Next year, users of 7,500 of the 16,000 desktop workstations in the municipality of Vienna will have the choice of moving to Linux, according to Erwin Gillich, head of the city's information services. An evaluation of the test will follow in 2006.
Vienna is one of several European cities and organizations to switch to the open-source operating system. Compared with the decision made by the city of Munich, which plans to fully replace Microsoft Corp. operating systems with Linux, the municipality of Vienna is opting for a slow transformation."
Linux at Work
Netcraft looks at the most reliable hosting providers during July. Of the top ten
systems, 4 use Linux and 4 use FreeBSD.
Legal
eWeek talks with a few lawyers about Linux and software patents.
"Kelly Talcott, an intellectual property partner in the New York office of the
national law firm of Kirkpatrick & Lockhart LLP, agreed. 'OSRM's
announcement simply puts a number to a fact that the software industry has
been living with for years. With the increasing number of issued software
patents comes the increasing possibility of being sued for
infringement. This affects all flavors of software, not just
Linux.'"
ZDNet Australia covers Linux Australia Inc., a company that has secured Linus Torvalds'
support to register the word "Linux" as a trademark with Australia's
intellectual property regulator.
"The move is designed to prevent
local companies attempting to claim the word as their own, but it will also
throw open the possibility that local Linux vendors will start paying
royalties to trade on the term for the first time."
Here's a strange article in Business Week on "intellectual property uncertainty"
in Linux. SCO is not a problem, says the author, and neither are patents
(for now). The "murky" GPL is the big issue.
"Bright as it is, the
future of commercial open source might be considerably brighter if Linux
and other programs went to a more commerce-friendly license with fewer
complexities and ambiguities than the GPL. There's plenty of precedent. The
BSD license, the Mozilla Foundation license used for browsers, and the
Apache license all provide for free distribution of code and source code
with fewer restrictions than the GPL."
Open for Business examines MySQL's license.
"The big question we wanted to know
was if MySQL was adding restrictions to the GPL or if the terms on the site
were simply a broad overview that represents suggestions that in no way
alter the permissions given by the license. Urlocker confirmed to us that
MySQL did not consider the page to be an addition to the GPL, but rather
information for those attempting to understand -- in simple terms -- why
they might need a MySQL commercial license."
Interviews
NewsForge talks with George Staikos about KDE 3.3.
"Staikos: Actually KDE PIM
(Personal Information Management) was one of the big focal points of this
release. An incredible amount of work has been done on all of the PIM
components -- KOrganizer, KAddressBook, KMail, Kontact, groupware,
resources, and more. We have definitely seen speed improvements, too,
especially in Konqueror file browsing, KMail, and the IMAP I/O
slave. Optimization work for 3.3 is still ongoing, and I expect to see
more."
O'ReillyNet looks at MUTE, an open-source P2P application.
"[Jason] Rohrer, a
26-year-old programmer from Potsdam, New York, found inspiration in the way
ants stream toward a food source. From observing the creatures' behavior,
he mapped out a networking method that functions similarly -- essentially,
a shared file is the food source, and clients on the network are the ants
seeking the food. He then wrote his own P2P program putting this theory to
practice and christened it MUTE. Developed entirely in C++ and released as
open source, the program runs on Linux, Win32, and Mac OS X."
Netcraft has put up an interview with Bruce Schneier. On product liability for software bugs:
"I presume there would be some exemption for open source, just as the
United States has a 'good Samaritan' law protecting doctors who help
strangers in dire need. Companies could also make a business wrapping
liability protection around open source software and selling it, much as
companies like Red Hat wrap customer support around open source
software."
Search Enterprise Linux talks with Paul Terry, CTO of Cray Canada.
"Terry: The Cray XD1
system, together with Cray's Red Storm platforms, will be the first Linux
system purpose-built to handle HPC workloads. It uses a new architecture
that presents a real alternative to clusters, while preserving the
economics of commercial components. The Direct Connected Processor
architecture breaks the communications bottleneck by embedding the
interconnect and removing the PCI bottleneck to directly connect processors
to each other and memory. The Cray Red Storm system, designed for Sandia,
takes this same direct connect approach."
Resources
Linux Journal takes a look at frame styles in OpenOffice.org Writer.
"The more complex your
documents, however, the more you should know about how to use frame
styles. The number of options available are extensive enough that you can
fine-tune a frame's look and behavior almost as much as you can in a
desktop publishing program. You even can add blank frames (also called text
frames) and arrange them so that text flows automatically from one frame to
another. This feature allows the automation of complicated layouts, such as
folded brochures or newsletters in which a story begins on one page and
ends on the next. Beyond a doubt, knowing how to format text frames can
give your document design an extra edge."
Tom Adelstein counters terrorism using open-source software, in this Linux Journal article.
"Fortunately, a viable Linux solution to the task of connecting
disparate databases over the networks is in existence today. This extant
system connects a variety of government databases with a LAMP Web services
application that is freely downloadable from the Internet. It allows one to
search disparate databases in disparate geographical locations."
This Linux Journal article says that PHP isn't just for web scripting any more.
"Although most people use PHP primarily as a Web development scripting
system, it possesses all the characteristics of a proper general-purpose
language that can be useful in a variety of other environments. In
this article, I illustrate how it's possible to use the
command-line version of PHP to perform complex shell operations, such
as manipulating data files, reading and parsing remote XML documents
and scheduling important tasks through cron."
Reviews
O'ReillyNet looks at a mail server using Mailgraph.
"In a nutshell, installing
Mailgraph will allow us to see how our mail server performs through neatly
laid-out graphical and numerical representations of mail traffic flowing
through a particular mail server. If you've ever used a similar tool that
can display graphs, such as MRTG, you know that graphs often speak volumes
of invaluable information when trying to diagnose a problem quickly. Graphs
can portray information about the past, present, and sometimes even the
future."
Linux Journal takes a dip in the LilyPond.
"Last month we looked at some of the basic
operations of the LilyPond music typesetting software. We saw that LilyPond
is a TeX-based language specifying the complexities of Western music
notation and capable of producing excellent PostScript printable
output. This month, we look at three GUI front-ends for LilyPond: the
Rosegarden sequencer, the NoteEdit music notation editor and the Denemo
LilyPond file preparation utility. I've also appended a brief account of
the music and sound topic presentations made at this year's Libre Software
Meeting."
Miscellaneous
The Register examines the latest efforts by Jon Johansen.
"Norwegian programmer Jon Lech Johansen has decrypted and published the key that Apple's wireless hi-fi bridge, Airport Express, uses to protect music streams. He's also released the source code to a small Windows command-line tool he calls JustePort. In essence his crack opens the door for other applications to broadcast music to your hi-fi over a home WLAN network using Express, rather than just iTunes 4.6. For users on Linux machines, or with WMA or OGG format files, this could be a boon, as iTunes supports neither format out of the box."
vnunet has posted an article suggesting that uptake on UserLinux will be small.
"HP and IBM have no plans to support the distribution.
According to HP, too many distributions could confuse users. 'Having too many competitors is not good for the market,' said a spokeswoman for the company.
IBM said it already offered users plenty of choice by supporting and providing certification for Red Hat and SuSE. Oracle declined to comment."
LinuxWorld Magazine takes exception to Linux Journal's choice of "Best Game".
"Trying to get major game
publishers take Linux gamers seriously is a difficult task, and when
publications that much of the Linux community reads such as yours basically
blow games off and give a game award to a non-game, you make the task far
more arduous."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The California Performance Review is the result of a massive committee effort; it seeks to advise
the state on how to become more efficient and responsive to its residents.
One of the report's many recommendations is this suggestion that the state should use more free software.
"In summary, open source is not just about cost savings. Since the code is
open, it offers the flexibility for organizations to modify the code as
needed for specific uses. Many also feel that open source is more reliable
and secure than closed source. In closed source software, the code is
hidden from the user so it is difficult to identify potential security
risks in advance and to work proactively to make the system more
secure. Also, bug fixes and patches must be distributed from the
originating developer rather than originating from the users who have
identified the problem. In this regard, open source can provide superior
security than closed source."
In an effort to circumvent excessive banking fees on donations,
the Free Software Foundation Europe has set up a program that allows
contributors in Great Britain to donate locally.
"Due to substantial bank fees charged for international money transfers,
small donations or standing orders are too expensive to be sent directly
to the Free Software Foundation Europe bank account. To rectify this,
FSFE in July 2004 entered into an agreement with UK based associate
organisation AFFS to collect donations and transfer them in larger
batches."
Wilhelm Tux, a Swiss Free Software organization, has officially become an
associate of the Free Software Foundation Europe.
"'This is indeed
great news for all members and friends of Wilhelm Tux, as this adds a new
brick to the road ahead promoting Free Software in Switzerland. We are
eager to continue raising the interest for Free Software in a Free Society,
especially in Switzerland universally known as a land of Freedom', says
Myriam Schweingruber, president of Wilhelm Tux."
ITTIA has launched db.*, an open source, small footprint embedded database
for open-source platforms. db.* is the open source version of a database
engine that has been developed and tested for more than 20 years, and been
used successfully in tens of thousands of applications. ITTIA is making it
available to the public in order to promote its tech support and consulting
business, and to promote Club ITTIA, its embedded database community.
Commercial announcements
F-Secure Corporation has announced that BlueCat Networks, Inc. has licensed
F-Secure Anti-Virus for Linux to embed into their Meridius Security Gateway
appliance.
F-Secure has announced their new RSS feed with announcements of
all of the latest virus reports. It looks like most of the viruses
listed don't affect Linux systems.
Lindows has sent out a press release stating that it has put its initial public offering process on hold for now.
"'Lindows won't be forced into a cut-rate IPO by a fickle stock market. We
are fortunate to have cash in the bank, and we owe it to our stockholders to
wait until market conditions and public company valuations improve before we
proceed with a public offering,' said Michael Robertson, chairman and chief
executive officer of Lindows, Inc." That $20 million from Microsoft sure came in at the right time.
Linux Networx has announced delivery of two 256-processor Evolocity Linux Networx cluster computing
systems at US Department of Defense computing centers.
"Joint Forces
Command (J9) will utilize the clusters to simulate combat operations on a
world-wide virtual battlefield. Military personnel at J9, and other
distributed sites around the country, will interact directly with the
computers at MHPCC and ASC as they participate in large scale, high
resolution simulations not possible before the delivery of the new cluster
computers."
MandrakeSoft has announced a shareholder meeting that deals with
transferring the company to a regulated market.
New Books
O'Reilly has published the book Enterprise JavaBeans, Fourth Edition by Richard Monson-Haefel, Bill Burke, and Sacha Labourey.
O'Reilly has published the book Mono: A Developer's Notebook by Edd Dumbill and Niel M. Bornstein.
Resources
The August 8, 2004 edition of the Linux Documentation Project Weekly News
is online with the latest new documentation releases.
The UNDP-APDIP International Open Source Network has put together an
introductory book called the User Guide to Using the Linux Desktop.
It is available as a series of PDF files, and is released under the
Creative Commons Attribution 2.0 license.
"The main aim
is to provide a self-learning guide on how to use a modern Linux desktop
system. It assumes that the user has no prior knowledge of Linux or PC
usage."
Three tutorials from the KDE Community World Summit 2004 are available.
Topics include Kolab 2, the OpenLDAP directory server and Samba 3.
Research and Markets has announced a new report on the mobile phone handset market.
"Linux will Threaten Symbian Dominance. While Symbian will be the
market share leader in the next 24 to 36 months, thanks to its
endorsement by market makers Nokia and NTT DoCoMo, Linux will threaten
for long-term dominance. Linux leads other platforms in openness and
low cost - factors that are essentials to success in a market defined
by tight margins, rapid innovation, and standards adherence."
Version 8 of the SPECviewperf graphics performance benchmark has been announced.
"SPEC/GPC's OpenGL
Performance Characterization (SPECopc) project group has released
SPECviewperf 8, a major new version of its software that measures
graphics performance for systems running popular CAD/CAM, digital
content creation, and visualization applications.
Windows, Linux and Unix versions of SPECviewperf 8 can be
downloaded without charge on the SPEC/GPC web site (www.spec.org/gpc)."
Bioinformatics.org has an announcement for version 3 of the Bioinformatics Benchmark System.
"Many new features, bug fixes, and suggested changes have been made. New benchmarks have been added and updated for mpiBLAST, HMMer, NCBI BLAST, and others.
Benchmarks are described by XML documents. Output is via an XML document, which is manipulated by various tools for display, output, analysis, and submission."
Upcoming Events
Registration has opened for the
Open Source CMS Conference 4. The event will be held in Zurich, Switzerland
on September 29 - October 1, 2004.
Use Perl has a Call for Participation for the 7th German Perl workshop.
The event is tentatively scheduled for February 8-11, 2005; proposals
are due by October 31.
The first international
Software Freedom Day is being organized at the Menlyn Park Events Arena
in Pretoria, South Africa on August 28, 2004.
"The format of the event is still very flexible and will depend
on the exhibitors and attendees, but I'd love to have a combination
of exhibitions and technology showcases that will attract attention,
an 'install fest', public addresses by roleplayers and live
entertainment offered by South Africa's best young talent. In short the
idea is to blow people's hair back!"
| Date | Event | Location |
| --- | --- | --- |
| August 21 - 29, 2004 | KDE Community World Summit 2004 (aKademy) | (Filmakademie Ludwigsburg) Ludwigsburg (Stuttgart Region), Germany |
| September 2 - 3, 2004 | Python for Scientific Computing (SciPy) | (CalTech) Pasadena, CA |
| September 2 - 4, 2004 | 2nd Swiss Unix Conference | (Technopark) Zurich, Switzerland |
| September 9 - 10, 2004 | Linux Expo Shanghai | (Shanghai Exhibition Center) Shanghai, China |
| September 13 - 16, 2004 | Embedded Systems Conference | (Hynes Convention Center) Boston, MA |
| September 15 - 17, 2004 | YAPC::Europe 2004 | Belfast, Northern Ireland |
| September 20 - 23, 2004 | New Security Paradigms Workshop (NSPW) | (White Point Beach Resort) Nova Scotia |
| September 20 - 22, 2004 | Plone Conference 2004 | Vienna, Austria |
| September 22 - 24, 2004 | OpenOffice.org Conference (OOoCon 2004) | (Humboldt University) Berlin, Germany |
| September 22 - 24, 2004 | php\|works 2004 | (Holiday Inn Yorkdale Hotel & Conference Centre) Toronto, Canada |
| September 27 - October 1, 2004 | 4th International SANE Conference (SANE) | (Amsterdam RAI Centre) Amsterdam, The Netherlands |
| September 27 - 29, 2004 | ConSec '04 | (J.J.Pickle Research Center) Austin, Texas |
| September 29 - October 1, 2004 | OSCOM 4 | (Swiss Federal Institute of Technology) Zurich, Switzerland |
| October 2, 2004 | Ohio LinuxFest | Columbus, Ohio |
| October 6 - 7, 2004 | LinuxWorld Conference and Expo | (Olympia Exhibition Centre) London, England, UK |
| October 8 - 10, 2004 | Linucon | (Red Lion Hotel) Austin, TX |
| October 10 - 17, 2004 | MySQL Swell | Across the Mediterranean |
Software announcements
Here are the software announcements, courtesy of
Freshmeat.net. They are available in
two formats:
Miscellaneous
The Open Collector site has an announcement for a new group of open-source electronics
enthusiasts at MIT, known as Free Dog.
"Free Dog is an association of like-minded hackers and engineers interested in free and open EDA tools. We hold monthly meetings at MIT (Cambridge, MA, USA) featuring informal networking, speakers, and an after-hours gathering at a local watering hole. Our goals are to learn more about EDA software, share ideas about our current projects, and -- most importantly -- have fun with like-minded people."
Page editor: Forrest Cook