
LWN.net Weekly Edition for March 10, 2005

A big setback on software patents

Up until the last moment, it looked like things might go the right way. The European Council's attempt to adopt the software patent directive as a no-debate item seemed doomed as a result of opposition from Denmark and a few other countries. In the end, however, the Council violated its own procedural rules by adopting the directive anyway, and nobody stood up to stop it. Barring an unlikely sequence of events, software patents will become the law in the European Union.

The unlikely sequence of events is this: the European Parliament will have a second reading of the directive in the next few months; at that reading, it will have the opportunity to reject or amend the directive. The Parliament had, the first time through, added amendments which made it clear that the patenting of software was not to be allowed, so there is reason for hope. The problem is that, on the second reading, an absolute majority of votes is required for any amendment. Simply getting enough members into the chamber to create a majority is often a problem with the European Parliament, so getting enough of them to vote for positive changes in the patent directive will be doubly challenging. To many observers, fixing a directive on the second reading seems just about impossible.

There is reason to hope, however. The fact that the Council ignored the Parliament's request to restart the procedure, and the manner in which the directive was adopted, have upset a number of members of Parliament. These members may just find enough energy to haul themselves down to the debate and vote to reassert the Parliament's authority. If these members continue to hear from their constituents in the meantime, they should be even more motivated.

In other words, now is not the time to give up and let up on the pressure. Instead, it is more important than ever that EU citizens express their views to their representatives. With enough effort, this battle might, just yet, be won.

And it is an important battle. The possible effects of software patents on small European businesses have been well discussed. But the absence of software patents in Europe has had a chilling effect on software patent enforcement in general. Currently, a patent holder could make life difficult for free software in the U.S., but European developers would just sneer in that smug manner unique to Europeans talking about American ways. So a patent challenge against, say, the Linux kernel could be a problem for an American company or developer, but it would be unlikely to impede Linux itself.

In a world with global software patent legislation, however, the situation is different. A patent challenge could shut down Linux over much of the planet; there would be no place for the software to run to. For this reason, European resistance to software patents helps to protect all of us; the forces behind software patenting understand that fact well. So we must hope that the European Parliament can find the energy to stand up for its rights.


Is the kernel development process broken?

According to some, the 2.6 development process has gone far out of control. Wildly destabilizing patches are routinely accepted, to the point that every 2.6.x release is really a development kernel in disguise. There are no stable kernels anymore. As evidence, they point out certain high-profile regressions, such as the failure of 2.6.11 to work with certain Dell keyboards.

It is true that the process has changed in 2.6, and that each 2.6 release tends to contain a great deal of new stuff. The situation is nowhere near as bad as some people claim, however. The problems which have turned up have tended to be minor, and most have not affected all that many users. Big, embarrassing security bugs, data corruption issues, etc. have been mostly notable in their absence. Kernel developers like Andrew Morton don't think there is a problem:

I would maintain that we're still fixing stuff faster than we're breaking stuff. If you look at the fixes which are going into the tree (and there are a HUGE number of fixes), many of them are addressing problems which have been there for a long time.

Even so, there is a certain feeling that some 2.6 kernels have been released with problems which should not have been there. Last week, in an effort to improve the situation, Linus posted a proposal for a slight modification to the kernel release process. The new scheme would have set aside even-numbered kernel releases (2.6.12, 2.6.14, ...) as "extra-stable" kernels which would include nothing but bug fixes. Odd-numbered releases would continue to include more invasive patches. The idea was that an even-numbered release would follow fairly closely after the previous odd-numbered release and would fix any regressions or other problems which had turned up. With luck, people could install an even-numbered release with relative confidence.

Over the course of a lengthy discussion, an apparent consensus formed: the real problem is a lack of testing. In theory, most patches are extensively tested in the -mm tree before being merged. -mm does work well for many things, and it has helped to improve the quality of patches being merged into the mainline. But the -mm kernels are considered to be far too unstable by many users, so they are not tested as widely as anybody would like. Even quite a few kernel developers work with the mainline kernels, since they provide a more stable development platform.

The next step in the testing process is Linus's -rc releases. These kernels, too, are not tested as heavily as one might like. Many developers blame the fact that most of the -rc kernels are not really release candidates; they are merge points and an indication that a release is getting closer. Since users do not see the -rc kernels as true release candidates, they tend to shy away from them. For what it's worth, Linus disagrees with the perception of his -rc kernels:

Have people actually _looked_ at the -rc releases? They are very much done when I reach the point and say "ok, let's calm down". The first one is usually pretty big and often needs some fixing, simply because the first one is _inevitably_ (and by design) the one that gets the pent-up demand from the previous calming down period.

But it's very much a call to "ok, guys, calm down now".

The fact remains, however, that many people see a "release candidate" rather differently than Linus does.

There are some -rc kernels which clearly are release candidates; 2.6.11-rc5 is an obvious example. But even that kernel did not see enough testing to turn up the Dell keyboard problem.

The real problem seems to have two components. The first is that widespread testing by users is a vital part of the free software development process. This is especially true for the kernel: no kernel developer has access to all of the strange hardware out there, but the user community, as a whole, does. The only way to get the necessary level of testing coverage is to have large numbers of users do it. But here is where the second piece of the puzzle comes in: most users are unwilling to perform this testing on anything other than official mainline kernel releases. So certain classes of bugs are only found after such a release takes place.

A solution which was proposed was to bring back the concept of a four-number release: 2.6.11.1, for example. These releases would exist solely to deal with any show-stopper bugs which turn up after a major mainline release. Linus was negative about this idea, mostly because he didn't think anybody would be willing to do that work:

I'll tell you what the problem is: I don't think you'll find anybody to do the parallel "only trivial patches" tree. They'll go crazy in a couple of weeks. Why? Because it's a _damn_ hard problem. Where do you draw the line? What's an acceptable patch? And if you get it wrong, people will complain _very_ loudly, since by now you've "promised" them a kernel that is better than the mainline. In other words: there's almost zero glory, there are no interesting problems, and there will absolutely be people who claim that you're a dick-head and worse, probably on a weekly basis.

Linus went on, however, to outline how the process might work if a "sucker" were found who wanted to do it. The charter for this tree would have to be extremely restricted, with many rules limiting which patches could be accepted. The "sucker tree" would only take very small, clearly correct patches which fix a serious, user-visible bug. Some sort of committee would rule on patches, and would easily be able to exclude any which do not appear to meet the criteria. These conditions, says Linus, might make it possible to maintain the sucker tree, if a suitable sucker could be found.

As it turns out, a sucker stepped forward. Greg Kroah-Hartman has volunteered to maintain this tree for now, and to find a new maintainer when he reaches his limit. Chris Wright has volunteered to help. Greg released 2.6.11.1 as an example of how the process would work; it contains three patches: two compile fixes, and the obligatory Dell keyboard fix. 2.6.11.2 followed on March 9 with a single security fix. So the process has begun to operate.

Greg and Chris have also put together a set of rules on how the extra-stable tree will operate. To be considered for this tree, a patch must be "obviously correct," no bigger than 100 lines, a fix for a real bug which is seen to be affecting users, etc. There is a new stable@kernel.org address to which such patches should be sent. Patches which appear to qualify will be added to the queue and considered by a review committee (which has not yet been named, but it "will be made up of a number of kernel developers who have volunteered for this task, and a few that haven't").

The rules seem to be acceptable to most developers. There was one suggestion that, to qualify, patches must also be accepted into the mainline kernel. Being merged into the mainline would ensure wider testing of the patches, and would also serve to minimize the differences between the stable and mainline trees. The problem with this idea is that, often, the minimal fix which is best suited to an extra-stable tree is not the fix that the developers want for the long term. The real fix for a bug may involve wide-ranging changes, API changes, etc., but that sort of patch conflicts with the other rules for the extra-stable tree. So a "must be merged into the mainline" rule probably will not be added, at least not in that form.

How much this new tree will help is yet to be seen. It may be that its presence will simply cause many users to hold off testing until the first extra-stable release is made. This tree provides a safe repository for critical fixes, but those fixes cannot be made until the bugs are found. Finding those bugs requires widespread testing; no new kernel tree can change that fact.


The 2005 Debian Project Leader election

March 9, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The Debian Project Leader (DPL) election is fast approaching. The nomination period ended on February 28, and the campaigning period runs through March 21. The field of candidates is much broader than in recent years, with six serious candidates vying for the role of Debian Project Leader. Current DPL Martin Michlmayr is not running for re-election.

The candidates, and their platforms, for 2005 are Matthew Garrett, Andreas Schuldei, Angus Lees, Anthony Towns, Jonathan Walther, and Branden Robinson.

We sent a list of questions to each candidate to find out where they stand on issues facing Debian in 2005. The first question we posed to the candidates was how they would help to ensure that Sarge would be released this year, and if too much emphasis was placed on a new stable release.

In his platform, Walther endorsed the idea of a six-month release cycle, borrowed from the OpenBSD project, saying it could "turn Debian into a monster powerhouse of software goodness". In his response, he added that he was unsure of the limits of the DPL's authority, but would do "everything in my power to get Sarge out the door immediately, as-is, and formalize the OpenBSD/Ubuntu/Xouvert 6-month release cycle."

Towns responded that there were a variety of reasons that Sarge had been delayed, and that "the release team currently have a handle on them". He also said that releasing Sarge is "the highest priority for the project at this point, and the highest priority of the DPL is to do everything possible to ensure that the release team and those working on resolving the remaining issues have the support and resources they need to do their work quickly and effectively."

Lees pointed out that the DPL "is not a position with direct control over Debian's actions" and that the DPL "is there to provide a single point of contact with the outside world and to ensure the relevant groups within Debian coordinate effectively". He also said that he is confident that the Sarge release would go out this year without intervention from the DPL, but "would of course try to ensure that the relevant technical teams have the resources they need to avoid any further delays."

As for the importance of stable releases, Lees said that the stable releases are necessary to provide "a static fork to provide security fixes against and a known minimum point from which package maintainers must ensure smooth upgrades". The ideal release point, according to Lees, would be "around the 1.5-2.5 year point, so shorter than the Sarge release cycle - but not by much."

Garrett noted that Sarge is close enough to release that "anything the DPL does is more likely to slow things down than speed them up."

The release team have assured me that the list of awkward problems is now small and under control, and I'm inclined to trust them on this.

A more interesting question is probably how we can prevent Sarge from happening again. A large part of the problem is that many people have lost faith in us ever making timely releases, which ends up costing us a lot - without the feeling that you're working towards a release, there's far less incentive to make sure that your code is in good condition and help track down bugs in other packages. I want to deal with this problem by making people believe that we can actually make releases when we say we will, and I think the first step towards that will be to make sure that we have a list of concrete goals for our next release the moment we've finished with Sarge.

He also said that slow releases not only cost Debian users, but development effort as well.

Robinson told LWN that he would work closely with the Release Management team to find out what they need and "try to get those needs satisfied, whether they involve hardware for build daemons, additional personnel for the security or debian-installer teams, or simply general encouragement (some would say whip-cracking) to get the release-critical bug count down."

He also said that Debian is compared "unfairly and unfavorably to the bleeding-edge nature of some distributions" and could "greatly mitigate that criticism by establishing a more predictable and regular release cycle."

Finally, Schuldei said that Sarge should be in "deep freeze already" by the time the next DPL takes office on April 17. Schuldei also said that regular releases "are important for Debian and are one of my priorities."

The next question we posed to the candidates is whether Ubuntu had hurt Debian by drawing away development effort, how Debian should work with projects derived from Debian and if Debian was "infrastructure" for other projects.

Schuldei responded that Ubuntu "cherry-picked from Debian's most active developers."

When your hobby becomes your job, it is easy to lose interest in participating in the hobby outside of work. And working in a start-up company can easily become an all-consuming activity. Given this combination, it was probably inevitable that developers working on Ubuntu would have less time and energy to expend on Debian itself.

Those Ubuntu developers who used to work on Debian infrastructure were missed painfully, indeed. I hope that "Small Teams" as described in my platform can help by building lots of small multiplying knowledge pools which would make Debian resilient against loss of single individuals and enable it to grow able successors very quickly.

Schuldei told LWN that Debian "should more actively incorporate the good things that it sees other distributions" do and that if Debian "managed the 'taking' as well as the 'giving' [to other projects] there would be little limit to its potential."

Robinson says that Canonical Ltd. (the company that sponsors Ubuntu) is a "mixed blessing."

Previous companies that centered their identities around Debian (such as Stormix and Progeny) have not had the resources to hire more than a handful of Debian developers. Canonical has hired many. It's a good thing to see so many Debian developers able to more closely align their careers with their passions -- it's something I've enjoyed for nearly five years, so I can hardly begrudge others that same condition.

At the same time, Canonical's interests are not identical to Debian's. If Canonical is to operate anything like a conventional business that realizes revenue, it cannot help but pursue paths to do so. The Debian Project doesn't have that pressure on it. Inevitably in such an environment, at least some Debian developers who work for a commercial interest are going to experience tension between what's good for Debian and what's good for their employer, even if that divergence is perceived as merely short-term. In the short term, Debian needs to release sarge. We cannot count on Canonical, Linspire, Progeny, Xandros, Hewlett-Packard, or any of Debian's other benefactors to solve our problems for us -- they will not supply the magical second step between "collect underpants" and "RELEASE!", to spin an old joke.

He also said that Debian has to be "frank about it" and accept that some developers may be drawn away from Debian.

Garrett pointed out that Ubuntu "has taken some effort away from Debian, but it's also contributed a lot back."

One of the major advantages that Ubuntu has over Debian is that their development process makes it much easier to push new technologies. We've already gained from that in at least one case, since Debian's Project Utopia stack is heavily based on the code in Ubuntu. That would have been much harder to coordinate if it hadn't been demonstrated in a working scenario first. Remember that Ubuntu hasn't existed for all that long - it's hard to have any great certainty what the long-term effects will be.

One of the fundamental reasons for free software is the right to produce derived works, and I think that making it as easy as possible for others to produce derived distributions is the best way for Debian to support that. The number of distributions based on Debian is large enough that I think we class as infrastructure, but don't think that's incompatible with making releases.

Providing employment for Debian developers is "a good thing" according to Lees, though he notes that there will be "some inevitable divergence between Ubuntu and Debian as Ubuntu strives to differentiate itself."

The core axiom of free software however is that having someone copy and modify your software doesn't reduce its value to you. Whatever happens, Debian is a process not a product and it will eventually incorporate any code that the Developers deem worthwhile.

What I'm really excited about from Ubuntu is some of the tools they're working on, like bug trackers and version control tools. These tools are being developed specifically for the unique needs of distributors, rather than authors, and it will be very interesting to see what they become.

Towns said that the only way Ubuntu draws developers away from Debian "is by providing a better environment for hacking -- whether that be by paying for the work, or being more fun, or being more satisfying, or all of the above."

I think it's great that there are projects that some people find more enjoyable than Debian, and the great thing about free software is that those of us who prefer Debian can just take the work they do for Ubuntu and use it ourselves. And vice-versa, too -- all without anyone being unhappy about code theft or having to involve lawyers or formal agreements or anything of the sort.

I think Debian works quite well both as a distribution of its own, and as infrastructure for other distributions; I hope it will improve as both.

According to Walther, projects like Ubuntu or Knoppix help Debian rather than hurt it. "Because of our licensing, we can always fold things back in from other projects that work out well."

We also asked candidates if they had any idea why so many people were running this year, as opposed to past years that saw only a few candidates.

Walther quipped, "because the incumbent decided not to run for re-election."

Schuldei told LWN "some of the candidates clearly believe that Debian is in need of their special knowledge or ability. I myself believe that my vision for Debian and my experience in implementing change in social groups will help the Debian Project to reach new heights and strength."

Robinson said that "people are getting a better idea of what they want out of a Project Leader."

I don't know of many precedents in our field; no other free software project of Debian's size entrusts its entire membership with electing its leadership. We're striving to identify the right balance of personality traits and experience that will equip us to face new challenges with confidence, rather than butting our heads against the same old brick walls that have stymied us for years.

Garrett said that he can't speak for the other candidates, but "I'm standing because I think Debian has problems that need fixing, and I think being DPL is the best way that I can help fix them. Perhaps our problems are more obvious this year than in the past?" Lees told LWN that he has no idea why so many people are running for DPL, and that he's running "at the insistence of several other Debian developers, probably in response to some of the more radical factions that are gaining influence within Debian". Towns said that there have been "a lot of fairly controversial questions raised or decided...and in the midst of all this the next release of our operating system has continued slipping. It seems plausible to me that the range of candidates represent the range of different views within the project of how to approach these issues."

Another topic that comes up frequently when discussing delays for Sarge is dropping architectures. We asked the candidates if they thought Debian should drop any of its architectures in order to release on a more timely basis. There was not a great deal of enthusiasm for this idea among DPL candidates. Walther is against the idea of dropping architectures altogether. "I see no need to drop any architecture, but I do see it as a good thing to release each architecture separately. This prevents the lowest common denominator from retarding the distribution as a whole."

Towns said, simply, "That's a decision for the release and archive teams to make." Lees said that there was "no correlation between the number of architectures and any delay in release", as far as he could see. Schuldei said, "yes, that's one possible option."

Garrett told LWN that dropping architectures would not speed up the release, and would "undoubtedly reduce the quality of our distribution. There are whole classes of bugs that only show up when you port to a wide range of platforms."

In any case, which architectures should we drop? M68K is often used as an example, but is actually one of the better architectures in terms of keeping up. Mips and Arm aren't widely used on the desktop, but we get a great deal of enthusiasm from embedded developers.

If we get to the point where an architecture can't pull its weight, then we'll drop it. We're not there yet.

Robinson said that the idea that dropping an architecture would benefit the release cycle "seems to meander between a vague notion and an article of faith." He also said that he has yet to see a proposal that explains how it would benefit the release cycle, and that he needs "more convincing...to support such a dramatic step. For some architectures, Debian is the only modern option for a GNU/Linux installation. It'd be a shame to give that in exchange for an unproven benefit."

Finally, we asked the candidates what the biggest challenge facing the DPL would be. Schuldei told LWN that scalability was the biggest problem facing Debian.

A lot of Debian's hottest issues over the past few years have been capacity issues: making sure the autobuilder network scales to handle our package count; making sure the NM process scales to meet the number of incoming applicants; making sure the security team scales to handle the architecture count; etc. While many of these issues are largely technical in nature, the task of identifying and resolving chokepoints before they become a problem is one that requires managerial attention, and the DPL is best suited to provide this oversight. The social structure of Debian still stems from its early years. With the size of 900+ active developers the social bonds and self-regulatory functions are just not good enough any more nowadays for it to work as smoothly and effectively as it used to be.

The changes in the leadership and small team infrastructure as well as nurturing of good working climate will address this effectively and will allow Debian a new growth cycle.

Garrett sees communication as the largest hurdle for Debian:

We're bad at it. A large part of the problem facing the release is that half the time nobody's sure why we can't release yet. People get into arguments over whether or not people are passing on enough information. It's all wasted effort, and it's all entirely unnecessary. If there's one thing that I would hope to do as DPL, it's to ensure that people know who they're supposed to be speaking to whenever they have a problem. In principle, that's not too difficult, but it's something nobody's really succeeded at yet.

Lees told LWN that Debian "basically works" and said it was difficult to sort out a minor issue to highlight as a problem. He also touched on communication as a problem, and said VoIP would be an "interesting way to improve the quality of communication...since email seems to bring out the worst in people. I would hope that improving the nature of the communication would make it easier to address other issues that arise within Debian."

Towns said that the biggest single issue was "getting Sarge out the door, but that's primarily an issue for the release team to handle". Robinson didn't respond directly to the question of the biggest challenge for Debian, but also pointed out in his responses that "the collective psyche of the project gets antsy when a release process has dragged on for too long."

The general level of irritability seems to go up. We are nearly three years pregnant with sarge, and we need to be delivering our latest offspring soon. The challenge is to practice good obstetrics, and preserve the health and well-being of ourselves and our release. In my campaigns for Debian Project Leader over the years I've consistently prescribed medicine for our ails, and I'm ready to assist my fellow developers with the delivery.

Walther also told LWN that the release cycle is the largest problem for the project.

It has caused a stagnation where we focus on putting in new packages and fixing old bugs, but the mantle of fresh new innovation that made us stand out in the early days has been passing on to other distributions. With a quicker release cycle we can definitely get that back in short order. We have all the resources and manpower.

Debian Developers may begin voting for DPL on March 21, through April 11. The voting procedure is described in section A of the Debian Constitution. We'd like to thank each of the candidates for responding to our questions, and wish them good luck in the election.


Page editor: Jonathan Corbet

Security

A hole in PaX

Security software is, as a general rule, supposed to make a system more secure. So it is always discouraging when security code, instead, opens up new holes. The PaX patches are intended to harden the Linux kernel against various sorts of attacks; its developers have, at times, been quite harsh in their criticism of security in the mainline kernel. But, as this advisory shows, the PaX code, too, is not without its troubles.

One of the techniques used by PaX is VMA mirroring. The PaX code tries to defeat various types of code injection attacks by completely separating the instruction and data areas of memory as seen by Linux processes. The idea is that, even if an attacker is able to overrun a buffer and direct the processor to execute the resulting code, the attack will be foiled by the processor's segmentation hardware. Any part of memory which can be accessed via a data pointer is simply not accessible as code.

The problem is that some code segments in an executable file contain data as well - constant strings and such. So, when an executable ELF section is mapped into the code segment, it must also be "mirrored" in the data segment. This mirroring is accomplished by creating a special sort of virtual memory area (VMA) which refers to the same physical pages and backing store as the code VMA, but which resides in the data portion of the address space.

The details of the exploit have not yet been released. From a quick reading of the PaX patches before and after the fix, it would appear that the PaX code did not adequately restrict the changes user space could make to the mirrored VMAs. The resulting inconsistencies in the kernel's representation of the address space could then be exploited to run arbitrary code.

The advisory notes that this vulnerability "...pretty much destroys what PaX has always stood and been trusted for." So the author is taking his marbles and going home; PaX will be discontinued at the end of this month. Certainly, introducing an exploitable hole into a security-related patch, where it lurked for a year and a half, could harm the trust users have in that patch. But giving up and leaving those users completely unsupported into the future seems likely to cause rather more damage. Bugs happen, even in the most carefully-written code. The best thing to do is to fix them and get on with life.


New vulnerabilities

abuse: several vulnerabilities

Package(s): abuse
CVE #(s): CAN-2005-0098 CAN-2005-0099
Created: March 7, 2005
Updated: March 9, 2005
Description: Several vulnerabilities have been discovered in abuse, the SDL port of the Abuse action game. Erik Sjölund discovered several buffer overflows in the command line handling, which could lead to the execution of arbitrary code with elevated privileges since it is installed setuid root. Steve Kemp discovered that abuse creates some files without dropping privileges first, which may lead to the creation and overwriting of arbitrary files.
Alerts:
Debian DSA-691-1 abuse 2005-03-07


KDE dcopidlng: insecure temporary file creation

Package(s): dcopidlng
CVE #(s):
Created: March 7, 2005
Updated: March 9, 2005
Description: Davide Madrisan has discovered that the dcopidlng script creates temporary files in a world-writable directory with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When dcopidlng is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Alerts:
Gentoo 200503-14 dcopidlng 2005-03-07
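
The predictable-name pattern described in this entry, next to two safer ways of creating the file, as an added C example (not code from dcopidlng, which is a script; the name example-tool.tmp and all function names are constructed for illustration). The harness plants the symlink inside a private scratch directory and reports whether the file it points to was overwritten.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700       /* mkstemp(), mkdtemp(), symlink() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TMP_NAME "example-tool.tmp"   /* hypothetical fixed name */

typedef int (*tmp_writer)(const char *dir, const char *data);

static int write_and_close(int fd, const char *data)
{
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);

    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Unsafe: the path is predictable, and open() follows a planted symlink
 * and truncates whatever it points to. */
int write_tmp_predictable(const char *dir, const char *data)
{
    char path[512];
    int fd;

    snprintf(path, sizeof(path), "%s/%s", dir, TMP_NAME);
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : write_and_close(fd, data);
}

/* Same fixed name, but failing closed: O_EXCL rejects any existing entry
 * (a symlink included) and O_NOFOLLOW refuses to traverse one. */
int write_tmp_exclusive(const char *dir, const char *data)
{
    char path[512];
    int fd;

    snprintf(path, sizeof(path), "%s/%s", dir, TMP_NAME);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : write_and_close(fd, data);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * with O_CREAT|O_EXCL and mode 0600; it is removed again after use. */
int write_tmp_mkstemp(const char *dir, const char *data)
{
    char path[512];
    int fd, rc;

    snprintf(path, sizeof(path), "%s/example-tool.XXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    rc = write_and_close(fd, data);
    unlink(path);
    return rc;
}

/* Harness: returns 1 if the file behind the planted symlink was
 * overwritten by the writer, 0 if it is intact, -1 on setup failure. */
int victim_clobbered(tmp_writer writer)
{
    char dir[64] = "/tmp/symdemo.XXXXXX";
    char victim[128], planted[128], buf[64] = "";
    FILE *f;

    if (!mkdtemp(dir)) {
        strcpy(dir, "./symdemo.XXXXXX");   /* fall back to the current directory */
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(victim, sizeof(victim), "%s/victim.conf", dir);
    snprintf(planted, sizeof(planted), "%s/%s", dir, TMP_NAME);

    f = fopen(victim, "w");
    if (!f)
        return -1;
    fputs("important\n", f);
    fclose(f);
    /* Relative target: resolved inside the scratch directory. */
    if (symlink("victim.conf", planted) != 0)
        return -1;

    writer(dir, "scratch data\n");

    f = fopen(victim, "r");
    if (f) {
        if (!fgets(buf, sizeof(buf), f))
            buf[0] = '\0';
        fclose(f);
    }
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return strcmp(buf, "important\n") != 0;
}

int main(void)
{
    printf("predictable name:   clobbered=%d\n", victim_clobbered(write_tmp_predictable));
    printf("O_EXCL|O_NOFOLLOW:  clobbered=%d\n", victim_clobbered(write_tmp_exclusive));
    printf("mkstemp():          clobbered=%d\n", victim_clobbered(write_tmp_mkstemp));
    return 0;
}
```

For a shell or Perl script, the same property comes from creating the file through mktemp(1) or File::Temp rather than composing the name by hand.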

hashcash: format string vulnerability

Package(s): hashcash
CVE #(s): (none listed)
Created: March 7, 2005
Updated: March 9, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the Hashcash utility that an attacker could expose by specifying a malformed reply address. Successful exploitation would permit an attacker to disrupt Hashcash users, and potentially execute arbitrary code.
Alerts:
Gentoo 200503-12 hashcash 2005-03-06

HelixPlayer: buffer overflows

Package(s): HelixPlayer
CVE #(s): CAN-2005-0455 CAN-2005-0611
Created: March 3, 2005
Updated: March 9, 2005
Description: The Helix Player 1.0 media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions.
Alerts:
Red Hat RHSA-2005:271-01 HelixPlayer 2005-03-03
Fedora FEDORA-2005-188 HelixPlayer 2005-03-03

imagemagick: format string vulnerability

Package(s): imagemagick
CVE #(s): CAN-2005-0397
Created: March 3, 2005
Updated: April 4, 2005
Description: The ImageMagick file name handling code has a format string vulnerability. Specially crafted file names can be used to crash ImageMagick and possibly execute arbitrary code.
Alerts:
Mandrake MDKSA-2005:065 ImageMagick 2005-04-01
Debian DSA-702-1 imagemagick 2005-04-01
Fedora FEDORA-2005-235 ImageMagick 2005-03-30
Fedora FEDORA-2005-234 ImageMagick 2005-03-30
SuSE SUSE-SA:2005:017 ImageMagick 2005-03-23
Red Hat RHSA-2005:320-01 ImageMagick 2005-03-23
Gentoo 200503-11 imagemagick 2005-03-06
Ubuntu USN-90-1 imagemagick 2005-03-03

kdenetwork: file descriptor leak

Package(s): kdenetwork
CVE #(s): CAN-2005-0205
Created: March 3, 2005
Updated: March 16, 2005
Description: The kdenetwork networking applications package has a bug with the handling of privileged file descriptors in kppp. A local user can use this to modify the /etc/hosts and /etc/resolv.conf files, allowing them to spoof domain information.
Alerts:
Conectiva CLA-2005:934 kdenetwork 2005-03-16
Debian DSA-692-1 kdenetwork 2005-03-08
Red Hat RHSA-2005:175-01 kdenetwork 2005-03-03

less: heap based buffer overflow

Package(s): less
CVE #(s): CAN-2005-0086
Created: March 8, 2005
Updated: March 9, 2005
Description: Victor Ashik discovered a heap based buffer overflow in less, caused by a patch added to the less package in Red Hat Linux 9. An attacker could construct a carefully crafted file that could cause less to crash or possibly execute arbitrary code when opened.
Alerts:
Fedora-Legacy FLSA:2404 less 2005-03-07

libexif: improper validation

Package(s): libexif
CVE #(s): CAN-2005-0664
Created: March 7, 2005
Updated: April 15, 2005
Description: Sylvain Defresne discovered that the EXIF library did not properly validate the structure of the EXIF tags. By tricking a user into loading an image with a malicious EXIF tag, an attacker could exploit this to crash the process using the library, or even execute arbitrary code with the privileges of the process.
Alerts:
Debian DSA-709-1 libexif 2005-04-15
Mandrake MDKSA-2005:064 libexif 2005-03-31
Red Hat RHSA-2005:300-01 libexif 2005-03-21
Gentoo 200503-17 libexif 2005-03-12
Fedora FEDORA-2005-200 libexif 2005-03-08
Fedora FEDORA-2005-199 libexif 2005-03-08
Ubuntu USN-91-1 libexif 2005-03-07

libXpm: new buffer overflows

Package(s): libXpm
CVE #(s): CAN-2005-0605
Created: March 4, 2005
Updated: March 8, 2006
Description: A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.
Alerts:
Fedora-Legacy FLSA:168264 XFree86 2006-03-07
Fedora-Legacy FLSA:152803 lesstif 2006-01-09
Fedora FEDORA-2005-815 lesstif 2005-08-26
Fedora FEDORA-2005-808 openmotif 2005-08-25
Red Hat RHSA-2005:198-01 xorg-x11 2005-06-08
Red Hat RHSA-2005:473-01 lesstif 2005-05-24
Red Hat RHSA-2005:412-01 openmotif 2005-05-11
Debian DSA-723-1 xfree86 2005-05-09
Mandriva MDKSA-2005:081 XFree86 2005-05-05
Mandriva MDKSA-2005:080 xpm 2005-04-28
Red Hat RHSA-2005:044-01 XFree86 2005-04-06
Red Hat RHSA-2005:331-01 XFree86 2005-03-30
Fedora FEDORA-2005-273 xorg-x11 2005-03-29
Fedora FEDORA-2005-272 xorg-x11 2005-03-29
Ubuntu USN-97-1 xfree86 2005-03-16
Gentoo 200503-15 libXpm 2005-03-12
Ubuntu USN-92-1 lesstif1-1 2005-03-07
Gentoo 200503-08 lesstif 2005-03-04

mlterm: integer overflow

Package(s): mlterm
CVE #(s): (none listed)
Created: March 7, 2005
Updated: March 9, 2005
Description: mlterm is vulnerable to an integer overflow that can be triggered by specifying a large image file as a background. This only affects users that have compiled mlterm with the 'gtk' USE flag, which enables gdk-pixbuf support.
Alerts:
Gentoo 200503-13 mlterm 2005-03-07

perl: symlink vulnerability

Package(s): perl
CVE #(s): CAN-2005-0448
Created: March 9, 2005
Updated: January 30, 2006
Description: The rmtree() function in the File::Path module has a symlink vulnerability which could be exploited to create setuid binaries.
Alerts:
Fedora-Legacy FLSA:152845 perl 2006-01-24
Red Hat RHSA-2005:674-01 Perl 2005-10-05
Fedora FEDORA-2005-600 perl 2005-07-22
Mandriva MDKSA-2005:079 perl 2005-04-28
Debian DSA-696-1 perl 2005-03-22
Ubuntu USN-94-1 perl 2005-03-09

phpMyAdmin: multiple vulnerabilities

Package(s): phpMyAdmin
CVE #(s): (none listed)
Created: March 4, 2005
Updated: March 9, 2005
Description: phpMyAdmin contains multiple vulnerabilities that could lead to command execution, XSS issues and bypass of security restrictions. See PMASA-2005-1 and PMASA-2005-2 for details.
Alerts:
SuSE SUSE-SR:2005:007 phpMyAdmin gpg 2005-03-04
Gentoo 200503-07 phpmyadmin 2005-03-03

RealPlayer: buffer overflows

Package(s): RealPlayer
CVE #(s): CAN-2005-0455 CAN-2005-0611
Created: March 3, 2005
Updated: March 21, 2005
Description: The RealPlayer media player has two buffer overflows that can be exploited by playing specially crafted SMIL and WAV files. This can allow a remote attacker to execute code with the user's permissions.
Alerts:
Red Hat RHSA-2005:299-01 realplayer 2005-03-21
SuSE SUSE-SA:2005:014 RealPlayer 2005-03-09
Red Hat RHSA-2005:265-01 RealPlayer 2005-03-03

squid: race condition

Package(s): squid
CVE #(s): CAN-2005-0626
Created: March 8, 2005
Updated: March 9, 2005
Description: A race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies.
Alerts:
Ubuntu USN-93-1 squid 2005-03-08

xv: filename handling vulnerability

Package(s): xv
CVE #(s): (none listed)
Created: March 4, 2005
Updated: March 9, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team identified a flaw in the handling of image filenames by xv. Successful exploitation would require a victim to process a specially crafted image with a malformed filename, potentially resulting in the execution of arbitrary code.
Alerts:
Gentoo 200503-09 xv 2005-03-04

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current extra-stable 2.6 release is 2.6.11.2, which was announced by Greg Kroah-Hartman on March 9.

The current 2.6 release remains 2.6.11; Linus has not yet released any 2.6.12 prepatch. About 1000 patches have been merged into his BitKeeper repository, however; they include numerous driver updates, the address space randomization patches, a new packet classifier mechanism for the networking layer, a new workqueue API function (see below), a new function (set_pte_at()) which is intended to replace set_pte() in the memory management code, a Tiger digest algorithm implementation, the restoration of the Philips webcam driver, some software suspend improvements, some readahead improvements, a big block I/O barrier rewrite (which enables full barrier support on serial ATA drives), a set of patches to shrink the kernel for embedded use, a generic sort() function, high-resolution POSIX CPU clock support (not the full high-resolution timers patch), a USB API change (usb_control_msg() and usb_bulk_msg() now take a timeout in milliseconds rather than in jiffies), and lots of fixes.

The current -mm kernel is 2.6.11-mm2. Recent changes to -mm include a reiser4 update, the Open-iSCSI driver, a new SELinux multi-level security implementation, the return of the real-time rlimit patch (yes, that discussion is going again), and a big set of NFS and FAT filesystem updates.

The current 2.4 prepatch is 2.4.30-pre3, released by Marcelo on March 9. It consists of some driver updates and a few fixes.

Kernel development news

Quotes of the week

I want to have people test things out, but it doesn't matter how many -rc kernels I'd do, it just won't happen. It's not a "real release".
-- Linus Torvalds

It's nice that patches are called "fix the frobnozzle gadget", but this analysis would be a lot easier if people would also label their patches "break the frobnozzle gadget" when that's what they do. Oh well
-- Andrew Morton

I don't think 2.2 and 2.4 models are applicable any more. There are more of us, we're better (and older) than we used to be, we're better paid (and hence able to work more), our human processes are better and the tools are better. This all adds up to a qualitative shift in the rate and accuracy of development. We need to take this into account when thinking about processes.
-- Andrew Morton

I think we should call the tree the "sucker tree", and if somebody wants to make a logo for it, make it be a penguin with a jokers' hat: exactly to remind people that it's not about the glory.
-- Linus Torvalds

The kernel gets a formal security contact

The Linux kernel has been nearly unique in that it has operated without any sort of formal security organization. Security-related patches would be sent to a (hopefully) relevant maintainer, who would (hopefully) get it merged into the mainline. With luck, distributors would notice the merging of security-related patches and issue the appropriate updates.

The whole system was somewhat unwieldy (though it worked most of the time), but, with this message from Chris Wright, things are beginning to change. There is now an official security contact address - security@kernel.org - which is distributed to a set of "security officers" who will take the appropriate action in response to security-related bugs. The people behind that alias, as of this writing, are Linus Torvalds, Andrew Morton, Alan Cox, Marcelo Tosatti, H. Peter Anvin, and Chris Wright.

The posting also includes a disclosure policy, which reads as:

The goal of the Linux kernel security team is to work with the bug submitter to bug resolution as well as disclosure. We prefer to fully disclose the bug as soon as possible. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested or for vendor coordination. However, we expect these delays to be short, measurable in days, not weeks or months. A disclosure date is negotiated by the security team working with the bug submitter as well as vendors. However, the kernel security team holds the final say when setting a disclosure date. The timeframe for disclosure is from immediate (esp. if it's already publicly known) to a few weeks. As a basic default policy, we expect report date to disclosure date to be on the order of 7 days.

So the mechanism is now in place. What remains to be seen is how well it works when the next security hole turns up.

A unified device number allocator

Traditionally, device drivers have added their devices to the system with calls to register_chrdev() or register_blkdev(). These functions served two purposes: allocating a portion of the device number space, and making specific devices available to user space. In 2.6, things changed a bit. For character devices, register_chrdev() was replaced by the combination of alloc_chrdev_region(), which allocates device numbers, and cdev_add(), which attaches a device to a specific number. On the block side, register_blkdev() has become optional, but it can still be used to allocate a block major number. The association of block devices with numbers is done with add_disk().

In other words, the allocation of device number space and the association of specific numbers with devices have been split in the 2.6 kernel. Matt Mackall was looking at the allocation side recently, where he noticed a fair amount of duplicated code between the char and block implementations. The current code is also unable to perform dynamic allocation of major numbers outside of the traditional 0..255 range. So Matt put together a patch which cleans things up a bit.

The new allocation scheme relies on simple linked lists. When a new device number request comes in, the code searches the (sorted) list to see if the request can be satisfied. If so, a new entry is added to the list, and the starting device number is returned. This work is done by the new function register_dev():

    int register_dev(dev_t base, dev_t top, int size, const char *name,
                     struct list_head *list, dev_t *ret);

This function requests that a range of size numbers be allocated from the given list. The first number should fall between base and top; if a suitable range is found, that first number will be returned in ret. The list is a simple list_head structure which is initially empty; the caller must provide locking to prevent concurrent calls to register_dev() using the same list.

The new interface works; it also replaces a fair amount of common code in the char and block code. Other than some quibbles about potential performance problems resulting from the linear list search algorithm (which should not really matter, since device number allocation is a rare operation), there seem to be no real objections to the new scheme. So it may find its way into a -mm kernel before too long.

A future change would allow the dynamic allocation of device numbers in the expanded range; for now, dynamic major numbers are allocated from 254 in descending order, as has been done for many years. The patch also retains the register_chrdev() and register_blkdev() interfaces in a compatibility mode - even though both were essentially obsolete even before the change. At some point in the future, there may be an attempt to deprecate those interfaces; that move would force changes in a great many drivers.

Some 2.6.12 API changes

The workqueue interface allows kernel code to request that a function be called at a later time, in process context. It can thus be used to arrange for work which cannot be performed immediately, perhaps because the current thread is running in an atomic mode. It is also possible to queue delayed work requests which are guaranteed not to run for a caller-requested delay period.

Sometimes the need arises to cancel tasks which have been queued to a workqueue in a delayed mode. The function which performs this task is:

    int cancel_delayed_work(struct work_struct *work);

This function attempts to intercept the given work before it runs and remove it from the queue. If it is successful, it returns a nonzero value. If, instead, cancel_delayed_work() returns zero, it means that the delayed work request was fired off before the call; it might, in fact, be running on another CPU when the cancel attempt is made. The caller usually needs to know that the work function is not running, so the standard procedure is to call flush_workqueue(), which waits until all tasks currently in the queue are run. After flush_workqueue() returns, the work function is guaranteed not to be running anywhere in the system.

There is one remaining obnoxious detail, however: what if the work function resubmits itself to the workqueue while it is running? In this case, that function could run again when the rest of the kernel least expects it - possibly after the module which contains that function has been removed from the kernel. That is the sort of race condition which gives kernel developers cold sweats. In general, this problem can be avoided by creating a "do not resubmit yourself" flag which is set before calling cancel_delayed_work(), but not all programmers make that effort.

In an attempt to make safe cancellation easier, Arjan van de Ven has added a new function to the workqueue API:

    void cancel_rearming_delayed_work(struct work_struct *work);

The implementation is straightforward; at its core, this function does the following:

	while (!cancel_delayed_work(work))
		flush_workqueue(wq);

In other words, it simply keeps trying until it is able to catch the work request when it is not executing, and, thus, cannot resubmit itself. This approach works because it applies to delayed work - there has to be some time when the work request is sitting in the timer queue waiting to run. Sooner or later, the kernel is sure to catch it during that time and keep it from running again.

The new function has been merged for 2.6.12.
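
The timing problem and the three ways of handling it, as an added single-threaded model in C (not kernel code; the model_* functions, the state names and the strategy enum are constructed here and only mimic the return-value behavior described above). Each scenario starts at the awkward moment when the delay has already expired and the work is sitting on the queue.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy, single-threaded model of one delayed work item. The model_* names
 * are constructed for this example; they are not kernel interfaces. */
enum wstate { W_IDLE, W_TIMER_PENDING, W_QUEUED };

struct model_work {
    enum wstate state;
    bool checks_stop;   /* does the work function look at the stop flag? */
    bool stop;          /* the "do not resubmit yourself" flag */
    int runs;           /* times the work function has executed */
};

struct model_wq {
    struct model_work *queued;   /* one slot is enough for this model */
};

/* Arm the delay timer; refused (0) if the work is already pending. */
static int model_queue_delayed_work(struct model_work *w)
{
    if (w->state != W_IDLE)
        return 0;
    w->state = W_TIMER_PENDING;
    return 1;
}

/* The delay expires: the work moves from the timer onto the workqueue. */
static void model_timer_fires(struct model_wq *wq, struct model_work *w)
{
    if (w->state == W_TIMER_PENDING) {
        w->state = W_QUEUED;
        wq->queued = w;
    }
}

/* Nonzero only if the work was caught while still waiting on its timer. */
static int model_cancel_delayed_work(struct model_work *w)
{
    if (w->state != W_TIMER_PENDING)
        return 0;
    w->state = W_IDLE;
    return 1;
}

/* Run the queued work function; it rearms itself unless told to stop. */
static void model_flush_workqueue(struct model_wq *wq)
{
    struct model_work *w = wq->queued;

    if (!w)
        return;
    wq->queued = NULL;
    w->state = W_IDLE;
    w->runs++;
    if (!(w->checks_stop && w->stop))
        model_queue_delayed_work(w);
}

enum strategy { SINGLE_CANCEL, STOP_FLAG, RETRY_LOOP };

/* Returns 1 if the work is armed again after "cancellation", 0 if idle. */
int work_still_armed_after(enum strategy s)
{
    struct model_wq wq = { NULL };
    struct model_work w = { W_IDLE, s == STOP_FLAG, false, 0 };

    /* Worst-case timing: the delay has expired and the work is queued. */
    model_queue_delayed_work(&w);
    model_timer_fires(&wq, &w);

    switch (s) {
    case SINGLE_CANCEL:     /* one cancel, one flush */
        if (!model_cancel_delayed_work(&w))
            model_flush_workqueue(&wq);
        break;
    case STOP_FLAG:         /* set the flag first, then cancel and flush */
        w.stop = true;
        if (!model_cancel_delayed_work(&w))
            model_flush_workqueue(&wq);
        break;
    case RETRY_LOOP:        /* core of cancel_rearming_delayed_work() */
        while (!model_cancel_delayed_work(&w))
            model_flush_workqueue(&wq);
        break;
    }
    return w.state != W_IDLE;
}

int main(void)
{
    printf("single cancel + flush: still armed = %d\n", work_still_armed_after(SINGLE_CANCEL));
    printf("stop flag + cancel:    still armed = %d\n", work_still_armed_after(STOP_FLAG));
    printf("retry loop:            still armed = %d\n", work_still_armed_after(RETRY_LOOP));
    return 0;
}
```

In the first scenario the work is left armed after the caller believes it has been cancelled, which is the state in which a module unload would leave a timer pointing at freed code.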

Meanwhile, there are two functions which are used by drivers to send messages to USB peripherals:

    int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
                     void *data, int len, int *actual_length,
                     int timeout);

    int usb_control_msg(struct usb_device *dev, unsigned int pipe,
                        __u8 request, __u8 requesttype,
                        __u16 value, __u16 index,
                        void *data, __u16 size, int timeout);

In 2.6.11 and prior kernels, the timeout value is expressed in jiffies; for 2.6.12, the units of that parameter have been changed to milliseconds. Dozens of patches were merged to bring in-tree drivers up to the new version of the interface, but out-of-tree drivers will need to be changed explicitly. The situation is complicated a bit by the fact that the prototype of the function did not change, so the compiler will not flag callers which have not been updated.

Finally, David Howells has changed the rwsem implementation to use interrupt-disabling spinlocks. This change should be transparent to most callers. Anybody who calls down_read() or down_write() with interrupts already disabled will be in for a surprise, however. There should be no such callers, since those functions can sleep, but one never knows...

Linux Kernel Development, Second Edition

The second edition of Robert Love's Linux Kernel Development is out. Actually, it has been out for a month or two, but your editor's copy has only just arrived. It should be noted that your editor is the author of a book which could be seen, by some, as a competitor to Mr. Love's work, and thus might be biased in what he writes. Let it be known, however, that your editor would never let such concerns get in the way of a fair review. Linux Kernel Development really is only suitable for paperweight duty, and, even then, only until the cheesy binding gives out.

Seriously, though, the first edition of Linux Kernel Development was reviewed here in November, 2003. It was, at that time, the only book covering version 2.6 of the kernel, and it did a good job of it. The coverage was not always as deep as one might like, but it was broad, touching on most parts of the kernel. It was, beyond doubt, a book that belonged on every kernel hacker's bookshelf.

The second edition has not messed with that format very much. The book now appears under the Novell Press imprint, but Novell does not appear to have called for any changes. So the basic structure of the book remains the same. The introductory chapter has been split into two, with some additional information on obtaining and building the kernel. There are two completely new chapters; the first looks at working with modules, and the other is a low-level introduction to kobjects and sysfs. The new chapters, like the existing material, are clearly and accurately written. Beyond that, the table of contents reads much like it did in the first edition.

Arguably, the most significant change is that the entire book has been updated to the 2.6.10 kernel. As readers of the LWN Kernel Page are aware, much has changed inside the kernel since the 2.6.0-test release which was the base for the first edition. It was time for an update, and Robert has done it with style. Your editor feels confident in saying that the second edition, once again, belongs on every kernel hacker's bookshelf. Then the first edition can be demoted to paperweight duty.

Patches and updates

Kernel trees

Andrew Morton 2.6.11-mm1
Andrew Morton 2.6.11-mm2
Greg KH Linux 2.6.11.1
Greg KH Linux 2.6.11.2
Alan Cox Linux 2.6.11-ac1
Alan Cox PATCH: 2.6.11-ac2
Con Kolivas 2.6.11-ck2
Marcelo Tosatti Linux 2.4.30-pre3
Willy Tarreau linux-2.4.29-hf4

Architecture-specific

Jake Moilanen No-exec support for ppc64
Jake Moilanen No-exec support for ppc64

Documentation

Corey Minyard kref docs, take 2
Chris Wright Security contact info

Miscellaneous

Netfilter Core Team Release of iptables-1.3.1

Page editor: Jonathan Corbet

Distributions

News and Editorials

Linux in Europe

March 9, 2005

This article was contributed by Ladislav Bodnar

Two years ago Mandrakesoft was on the verge of bankruptcy and SUSE was trotting along with a 6-month release cycle and a shrink-wrapped software sales model. Now, Mandrakesoft is a profitable company, SUSE is part of Novell, and many large cities and regions of Europe are actively migrating to Linux-based solutions. Has the center of Linux adoption shifted from North America to Europe?

The widely reported decision of the European Council earlier this week to adopt the software patent agreement highlighted the key difference between public participation in legal proceedings in the USA and Europe. While software patents were adopted in the USA without much publicity or protest, the European open source community has put up a strong fight and, at the very least, succeeded in delaying the adoption of the controversial law. It has mobilized many open source web sites to launch online protests against the patents, asked EU citizens to write to their legislators with explanations why software patents are wrong, and gathered a decent number of protesters, many of whom came from distant countries, in front of the EU Council in Brussels on the days when important decisions were being made. These actions not only resulted in several unscheduled trips by Bill Gates to Brussels to lobby for the speedy legalization of software patents, they have also attracted the attention of the mainstream European media.

As such, Europeans are probably more aware of the open source movement than citizens of most other parts of the world. SUSE especially has to be commended for maintaining their distribution agreements with many retailers around Europe. While practically all other distribution makers have abandoned the shrink-wrapped business model and rely exclusively on digital delivery of their software, SUSE Linux boxes continue to be available in book and software stores throughout Germany, Austria and most other European countries. In fact, walking into any medium-size news stand in Germany is like entering a Linux paradise, as you are likely to find perhaps a dozen Linux-related magazines in both German and English. Many of these magazines are regular monthly publications designed for Linux beginners, with friendly tutorials and easy explanations. This is in sharp contrast with the United States, where the only available Linux magazines are Linux Journal and Linux Magazine, both of which cater for senior system administrators, rather than the general public. At present, there is no US-made printed magazine targeting Linux beginners.

Speaking about magazines, Poland's Software Wydawnictwo has emerged as one of the top open source publishers in Europe. It is currently offering a number of titles ranging from a general Linux magazine with a cover CD and DVD (Linux+) to specialist monthlies for PHP developers (PHP Solutions) and security topics (Hakin9). The publishing house also produces its own distribution (Aurox Linux), which it sells as part of the Aurox Linux magazine. All these publications are available not only in Polish, but also in German, French, Spanish and Czech, with more languages planned for the future. Recently, Software Wydawnictwo also launched a new title for the domestic market entitled "Linux w Szkole" (Linux in Schools), which leaves little doubt that Linux is already well-established in Polish educational institutions.

Mandrakesoft has emerged from its financial disaster of two years ago rather nicely. It returned to profitability last year and has since been awarded two large contracts - one by the European Union and the other by the French Ministry of Education and Research. Its surprising acquisition last month of Conectiva, South America's oldest and best-known open source company, might not be the only one; the recent trips of Mandrakesoft's CEO François Bancilhon to China and other countries seem to indicate that the company is looking around to further strengthen its position as a global Linux solution provider. Besides its successful range of Mandrakelinux products for the home user, Mandrakesoft has also been expanding into the corporate sector with its Corporate Desktop and Corporate Server editions.

Ubuntu Linux is another European project that has gained rapid momentum since its launch 6 months ago. The distribution has succeeded in creating large user communities in many European countries, as witnessed by several rapidly growing user forums and community web sites in Dutch, French, German and Spanish. Ubuntu has seemingly done everything right - as if they studied the mistakes of other similar projects and avoided them right from the start. Of course, the GNOME-centric distribution has the backing of a wealthy individual, but their work is still highly innovative, especially considering that no other distribution before has been able to build fully functional live CDs for PowerPC and AMD64 processors. With the upcoming release of version 5.04 next month, accompanied by a sister edition for the KDE fans (Kubuntu), the Ubuntu Linux user base is likely to grow even further.

No article about the European Linux scene would be complete without visiting Spain. Spain is one country that has gone further than any other in converting a large number of computers and users to Linux. It all started a few years ago with an initiative of the regional government of Extremadura (gnuLinEx) and spread like a virus to other parts of the country. Nowadays there are large areas of Spain where all school and public administration computers are running Linux exclusively! It is interesting to note that Spain has virtually standardized on Debian and Debian-based solutions and many of these regional initiatives are now forging closer ties with Ubuntu, which is seen as a more progressive project than Debian itself.

Other countries, regions and cities are, if not moving to Linux outright, doing feasibility studies or have set up pilot projects. Reports about the migration of Germany's Munich and Norway's Bergen have been well-publicized, but other large cities, including Paris, Rome and Vienna have also been in the headlines recently. It is likely that many smaller projects, both governmental and in the private sector, are under way without wanting to raise any publicity. This is not only great news for Mandrakesoft, SUSE and Ubuntu, but also an opportunity for many smaller open source companies, such as the recently unveiled, Malta-based 2X Software, which is offering Linux-based terminal servers and thin clients for large-scale deployments. Many other small Linux companies are showcasing their solutions at this week's CeBIT exhibition.

All this evidence leads us to believe that Europe is now the undisputed leader in developing strategies for migration to Linux and open source software. In the process, it has created a vibrant open source economy, as well as a strong awareness among its population to resist controversial laws favoring large software monopolies and their commercial agendas. The tide is unstoppable. Let's hope that other regions will follow Europe's example.

Distribution News

Ubuntu Linux

The first test image of KUbuntu is available. "PLEASE DO NOT FILE BUG REPORTS IN BUGZILLA YET. Send any and all feedback to the ubuntu-devel mailing list. This is the first set of working CD images, and we're announcing them to the community in order to promote testing. They are likely to have many bugs, known and unknown."

The latest snapshot of Ubuntu's Hoary Hedgehog Array CD 6 is available for testing.

The existence of the ubuntu-hardened mailing list has been announced. "The list aims to be the place where Hardened Debian developers and contributors get in touch with both Ubuntu Linux users and developers, a place to collaborate, work together and give help to others to achieve and make possible the goals we want to achieve."

Here's a summary of the first Masters Of The Universe (MOTU) meeting.

Debian Project Leader candidate platforms posted

The candidates for the role of Debian Project Leader in the coming year have posted their platforms on the election site.

debconf5 CFP reminder and update

The period to submit papers for debconf5 expires March 15, 2005, 23h59 UTC. This debconf will be held in Helsinki in July.

New Distributions

GoodGoat Linux

GoodGoat Linux is based on Gentoo. It's a simple desktop that can run from a USB key, hard drive or CDROM disk. Version 1.2(beta) was released March 4, 2005.

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for March 8, 2005 is out. This week's news includes campaigning on debian-vote, Debian derived distributions, better Asian support, the recent release team meeting, a Debian project leader team, and several other topics.

Gentoo Weekly Newsletter

Here's the Gentoo Weekly Newsletter for the week of March 7, 2005. In this issue there is a look at the Gentoo 2005.0 security rebuild, an Opteron 246 server donated by Nvidia which is now running the staging mirror and master rsync mirror, enhancements to the Gentoo Forums, and several other topics.

Mandrakelinux Community Newsletter #101

This edition of the Mandrakelinux Community Newsletter looks at the Mandrakelinux and Conectiva merger, the Mandrakelinux 10.2 Beta 3 release, the media on the merger, Mandrakeclub interviews Wobo, and more.

DistroWatch Weekly, Issue 90

The DistroWatch Weekly for March 7, 2005 is out. "Welcome to this year's 10th issue of DistroWatch Weekly! This week we will tell you about a secret meeting of Debian developers in Vancouver where they were to unveil their "Stunning New Release Strategy", give you a link to a valuable resource that will turn you into a better system administrator of Debian-based systems and direct you to a great new HOWTO to configure multimedia on SUSE LINUX. Also, a surprise for fans of the amaroK media player - a new PCLinuxOS-based live CD, bundled with some great free music. Enjoy!"

Minor distribution updates

Astaro Security Linux 5.2 released

Astaro Security Linux has announced the release of v5.2 which adds gateway-based spyware protection.

Comments (none posted)

Puppy Linux Live-CD saves back to CD

Puppy Linux has learned a new trick with the multi-session-1.0.0alpha release. Just put your live CD in a CD-RW drive and at the end of the session Puppy will save your configuration back to its CD.

Full Story (comments: none)

SME Server

The SME Server and its home Contribs.org have been going through some changes. After a short go-round with Lycoris, ownership of the distribution reverted to Resource Strategies, Inc. That didn't last either. As of March 5, 2005 Ruffdogs has taken possession of Contribs.org and is developing a Roadmap for the rebuilding of the Contribs.org community. The current stable release of SME Server is at version 6.0.1. The first release candidate for SME Server 6.5 is also available.

Comments (none posted)

Announcing YES Linux 2.2 Build 0

The YES Linux Release Team has announced the immediate availability of YES Linux 2.2 Build 0. This is the first build of YES Linux 2.2, with lots of updated packages, and a few new ones.

Full Story (comments: none)

Package updates

Fedora Core updates

Fedora Core 3 updates: tzdata-2005f-1.fc3 (updates for Israel and Azerbaijan), kernel-2.6.10-1.770_FC3 (various bug fixes), libtool-1.5.6-4.FC3.1 (dependency on gcc version), firefox-1.0.1-1.3.2 (fix spacing issues in textareas), ipsec-tools-0.5-0.fc3 (update to 0.5), dmraid-1.0.0.rc6-1_FC3 (update v1.0.0.rc6), selinux-policy-targeted-1.17.30-2.85 (fixes for postfix in squirrelmail), ipsec-tools-0.5-1.fc3 (fix some packaging errors), gaim-1.1.4-1.FC3 (bug fixes), gimp-2.2.4-0.fc3.1 (update to v2.2.4), yum-2.2.0-0.fc3 (bug fixes).

Fedora Core 2 updates: tzdata-2005f-1.fc2 (updates for Israel and Azerbaijan), kernel-2.6.10-1.770_FC2 (various bug fixes), ipsec-tools-0.5-0.fc2 (update to 0.5), ipsec-tools-0.5-1.fc2 (fix some packaging errors), gaim-1.1.4-1.FC2 (bug fixes).

Comments (none posted)

Mandrakelinux updates

Mandrakelinux 10.1 updates: imap (adds a requires for xinetd - also for 10.0, Corporate Server 2.1, 3.0), unixODBC (fixes some issues with the GUI config tools), dynamic (now launches kaffeine).

Comments (none posted)

Slackware Linux

This week in slackware-current, mozilla-firefox-1.0.1-i686-1 and mozilla-thunderbird-1.0-i686-1 were added and some older browser packages were removed; new linux-2.6.11 packages are in testing. See the change log for details.

Comments (none posted)

Trustix Secure Linux bug fix advisory

New, improved apache, etcskel, gdbm, rootfiles, samba, squid and sudo packages are available for TSL 2.2.

Full Story (comments: none)

Distribution reviews

Review: Mandrake Corporate Desktop (NewsForge)

NewsForge has a review of Mandrakesoft's Corporate Desktop. "Mandrake Corporate Desktop is a little different, though: it is based on Mandrake Corporate Server, which is a tested and mature product on a calculated and lengthy release cycle. If you're used to some degree of instability or unpredictability with Mandrakelinux, you won't find it in Mandrake Corporate Desktop. One could roughly equate Mandrake Corporate Desktop to Red Hat Desktop, and Mandrakelinux to Fedora Core."

Comments (none posted)

Review: Astaro Security Linux 5.1 (NewsForge)

NewsForge reviews Astaro Security Linux 5.1. "One of the more popular uses for Linux is as a router/firewall to secure a local area network (LAN) against intruders and share an Internet connection. Several specialized distributions have sprung up to simplify this task. These range from small, diskette-based distros like the Linux Router Project and FREESCO to larger systems requiring a hard disk installation. Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part of ongoing research into content filtering products. ASL is an RPM-based distribution that allows an administrator to easily turn an x86 PC or server into a router/firewall appliance."

Comments (none posted)

My Workstation OS: Knoppix (NewsForge)

Irfan Habib explains why he likes Knoppix on his desktop. "Knoppix has many uses. Many use it as a GNU/Linux advocacy tool, for which it is well-suited, as it comes with the latest and greatest FOSS software, which can be readily demonstrated to potential users. Knoppix is also a great rescue CD. And Knoppix lets me take my desktop anywhere by letting me save my settings to a configuration file. I can load Knoppix on any computer, load my customized settings, and mount a USB storage device as the home directory, and voilà! there's my desktop."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The GNOME 2.10 Desktop and Developer Platform

Version 2.10 of the GNOME Desktop & Developer Platform was announced this week.

GNOME 2.10 includes a number of interesting new features, such as a video player and a CD ripping utility, and hundreds of bug fixes. Released on schedule, to the day, it is the culmination of six months' effort by GNOME contributors around the world: hackers, documentors, usability and accessibility specialists, translators, maintainers, sysadmins, companies, artists, users and testers.

Digging a bit deeper, the What's New document describes a wide variety of improvements. Here are the highlights:

  • Nautilus file manager improvements:
    • Performance and stability improvements.
    • Better interoperability with web browsers.
    • Usability improvements.
    • Automatic renaming for new files.
  • New artistic desktop backgrounds to choose from.
  • Improved typing focus as per the Freedesktop.org standard.
  • Inclusion of the Totem video player.
  • Inclusion of the Sound Juicer CD ripper.
  • Epiphany web browser improvements:
    • A better full screen mode.
    • Secure site display in the location bar.
    • Exportable bookmarks.
    • A new extension manager.
  • Evolution email and groupware client improvements:
    • Support for offline email, contact, and calendar work.
    • The ability to attach files to events.
    • Support for exceptions on recurring events.
    • Support for US weather information.
    • Support for shared folders.
  • Inclusion of GnomeMeeting for VoIP and video conferencing.
  • Better keyboard layout selection through the control panel.
  • New and improved Panel Items (Applets):
    • Removal of the Actions panel menu.
    • New Places and Desktop menus.
    • An integrated modem control applet.
    • An optional panel trash can.
    • Built-in controls for mounting removable media.
    • An improved weather monitor.
    • A new sound mixer.
    • Support for the Sticky Notes note taking applet.
    • A processor speed monitor for laptops.
    • Removal of the CD applet, the Wireless applet, and the Mailbox Monitor.
  • GNOME Utilities improvements:
    • GNOME text highlighting and spell checking improvements.
    • A wider selection of archive formats for the Archive Manager.
    • The GNOME Dictionary adds word suggestions and online dictionary linking.
    • The Floppy Formatter adds support for USB drives.
  • System Administration improvements:
    • GNOME System Tools has improved support for wireless networking.
    • User and group administration has been improved.
    • More system changes are applied instantly.
    • The Log Manager now supports the viewing of multiple logs.
    • Archived logs can now be opened.
    • Logs can be copied to the clipboard.
  • Game Improvements:
    • A new version of Same GNOME has been added.
    • The Nibbles game adds browsing of the local network for other users.
  • The GNOME 2.10 Development Platform has API improvements.
  • Full Python language bindings are now included.

The Release Notes mention improved internationalization, continuing standards compliance, a few known issues (bugs) and more.

There is also a GNOME 2.12 release schedule; look for the next version in about 6 months.

GNOME 2.10 adds some useful features to what is already a mature and stable desktop environment.

The source code for GNOME 2.10 and a live CD are available for download here.

Comments (none posted)

System Applications

Database Software

Firebird 2.0 Call for testers

A call for testers has gone out for version 2.0 of the Firebird database. "The Firebird Project will soon be releasing the first public "alpha" release of Firebird 2.0. Version 2.0 is a long-awaited important major release of Firebird with many new features, enhancements and bugfixes (see alpha Release Notes for details). In number of changes, the jump in this release is equivalent if not greater than the transition from version 1.0 to version 1.5."

Comments (none posted)

Filesystem Utilities

Detox 1.1.0 is available

Version 1.1.0 of Detox is out. "Detox is a utility designed to clean up filenames. It replaces non-standard characters, such as spaces, with standard equivalents." See the Change Log for change information on this version.

Comments (none posted)

Networking Tools

Release of iptables 1.3.1

Version 1.3.1 of iptables, a firewall application, is out. "The final 1.3.1 version contains some minor bugfixes to the recently-released version 1.3.0".

Full Story (comments: none)

OpenSSH 4.0 released

OpenSSH 4.0 is out. There does not appear to be a big pile of new features to motivate the dot-zero version number; click below for the announcement and list of changes.

Full Story (comments: 2)

Peer to Peer

MantaRay version 1.6 released (SourceForge)

Version 1.6 of MantaRay, a peer-to-peer communication and messaging solution, has been announced. "MantaRay 1.6 includes new delivery algorithms that enforce stricter once and only once guaranteed delivery in queues and durable topic subscribers. The new algorithms also improved MantaRay's persistency. In order to better align MantaRay with the JMS specification, the receiver can now determine the message acknowledgment mode. In addition, several JMS bugs were fixed in this release."

Comments (none posted)

Printing

PyKota 1.21 released

Version 1.21 of PyKota, a Python-based print quota system for CUPS, has been announced. Changes include bug fixes, better documentation, and more.

Comments (none posted)

Telecom

Speex 1.1.7 Released

Version 1.1.7 of Speex, an audio CODEC, is out. "The changes for this release are very broad and include generic optimizations in the encoder, ARM-specific optimizations (gcc inline assembly), optional shortcuts in the encoder sacrificing quality for speed, fixed-point improvements (perceptual enhancement converted), reduction in memory usage, the Symbian code now uses the same API, and several bug fixes."

Comments (none posted)

Web Site Development

Midgard 1.6.3 "Threadened by Patents" Released

Version 1.6.3 of the Midgard Open Source Content Management Framework is out. "This is a maintenance release that includes some bug fixes and support for the new Zend Thread Safety (ZTS) mode in PHP."

Full Story (comments: none)

UnCommon Web 0.3.7 released

Version 0.3.7 of UnCommon Web, a web application development framework written in Common Lisp, is out. "This version makes it easier to upgrade live applications and provides a few changes to components."

Full Story (comments: none)

libannodex 0.6.1 Release

Version 0.6.1 of libannodex, a library for working with Annodex media, is available with bug fixes and other improvements.

Full Story (comments: none)

mod_annodex 0.2.1 Release

Version 0.2.1 of mod_annodex, an Apache module for working with Annodex media, has been released. It features support for a new time range format.

Full Story (comments: none)

Datamining Apache Logs with PostgreSQL (O'ReillyNet)

Robert Bernier looks at Apache log files through PostgreSQL on O'Reilly. "System log files encapsulate a wealth of information for administrators and developers. Teasing that data out of the logs into a format that reveals patterns may be a challenge, though. Robert Bernier shows how to parse, store, and query Apache httpd log data from PostgreSQL to find useful information."

Comments (none posted)

Desktop Applications

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week:

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week:

Comments (none posted)

KDE CVS-Digest (KDE.News)

The March 4, 2005 edition of the KDE CVS-Digest is online. Here's the content summary: "Beginnings of Subversion support in Cervisia. Cleanup of initial application sizing. KDevelop adds QT Designer support for Python. IDN issues fixed in Konqueror. Digikam adds more plugins: Insert Text, Channel Mixer, Infrared, Blur, Distortion, and a new ratio crop tool. Kmail adds an account setup wizard."

Comments (none posted)

Xfce Weekly News launched

The first issue of the Xfce Weekly News has been launched; it covers the week of February 25 - March 3, 2005. Thanks to Biju Chacko.

Comments (none posted)

Xfce Foundation Classes Website Online

The Xfce project has announced the availability of a new Xfce Foundation Classes web site. "In October of last year Jeff Franks made an interesting proposition on the Xfce-Dev list. Jeff had developed a relatively complete and lightweight GTK+ binding for C++ called GTK+ Foundation Classes. For a number of reasons, Jeff felt that GFC needed a new home, and Xfce seemed the best bet. Now, after many months of hard work, Jeff announced the new Xfce Foundation Classes, with a first developer release and stack of well written documentation, all available from the new." Thanks to Biju Chacko.

Comments (none posted)

Music Applications

Jesusonic for Linux 0.99 beta

Christian heavy metal rockers should check out the latest version of Jesusonic, a Freeware-licensed guitar effects processor for the Debian distribution. "The Jesusonic is a fully programmable effects processor for guitar, bass, vocal and general use. Effects can interact with each other (for example, a volume detection effect can trigger a tremolo effect), or (especially in the case of the Jesusonic CrusFX 1000) with the user (you can assign triggers to effects like loop samplers, for example). A wide assortment of built-in effects are included and users can modify effects or write completely new effects on the fly."

Comments (none posted)

liblo 0.18 announced

Version 0.18 of liblo, an implementation of the Open Sound Control protocol for POSIX systems, has been announced. "This is a bugfix release and fixes a critical bug in 0.17 that bites when trying to connect multiple clients to one server. All users of 0.17 should upgrade as soon as possible."

Full Story (comments: none)

soprano sax soundfont

A new soprano saxophone soundfont has been announced.

Full Story (comments: none)

Office Applications

DataVision 0.9.0 released (SourceForge)

Version 0.9.0 of DataVision, a reporting tool, is available with numerous changes. "DataVision is an Open Source reporting tool similar to Crystal Reports. Reports can be designed using a drag-and-drop GUI. They may be run, viewed, and printed from the application or exported as HTML, XML, PDF, LaTeX2e, DocBook, or tab- or comma-delimited text files."

Comments (none posted)

Office Suites

OpenOffice.org 2.0 beta released

Version 2.0 beta of OpenOffice.org has been released. "This beta release is the result of many months work in expanding the functionality, performance and compatibility of the office suite. This intense effort has yielded impressive results including the addition of a new database module, implementation of the OASIS OpenDocument XML file format and a host of other new features and capabilities."

Full Story (comments: 1)

OpenOffice.org build 1.9.79.1 is out

Build 1.9.79.1 of OpenOffice.org has been announced. "This package contains Desktop integration work for OpenOffice.org, several back-ported features & speedups, and a much simplified build wrapper, making an OO.o build / install possible for the common man. It is a staging ground for up-streaming patches to stock OO.o."

Full Story (comments: none)

Web Browsers

Mozilla's Weekend at FOSDEM 2005 (MozillaZine)

MozillaZine covers browser issues from FOSDEM 2005. "Marson reports that Tristan Nitot, president of Mozilla Europe, said that "a few companies" have installed Mozilla Firefox or Mozilla Thunderbird on 100,000 systems. He also says that some parts of the French government are considering switching to Firefox. Based on comments from Gerv, the story reports that a US-based Fortune 100 company has rolled out Thunderbird to 50,000 PCs and is paying the Mozilla Foundation to customise it. According to Tristan, enterprises that are deploying Mozilla aren't shouting about it because they want to avoid damaging their relationships with Microsoft."

Comments (1 posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the February 28, 2005 mozilla.org staff meeting are online. "Issues discussed include Mozilla 1.8 Beta 1, Mozilla 1.8 final, Mozilla Firefox 1.0.1, Mozilla Firefox 1.1, Mozilla Thunderbird 1.1, FOSDEM, update.mozilla.org, developer.mozilla.org and the international domain name Punycode spoofing issue."

Comments (none posted)

Word Processors

AbiWord 2.2.5 Released (GnomeDesktop)

GnomeDesktop covers the release of AbiWord 2.2.5, a word processor. "While AbiWord v2.2.4 had a nice list of bugfixes, our users were kind enough to report that there were still nasty bugs running around. So here we are releasing AbiWord v2.2.5, shortly after the previous release. This release is a bugfix release only."

Comments (none posted)

Miscellaneous

Gourmet Recipe Manager 0.8.0 Released! (SourceForge)

Version 0.8.0 of Gourmet Recipe Manager has been announced. "Gourmet can import most major recipe formats, including mealmaster and mastercook, and can export a number of useful formats, including HTML. Version 0.8.0 marks a number of major improvements, including a new improved speed for imports, a new recipe card interface, infinite Undo throughout the interface, and experimental MySQL and SQLite backends."

Comments (none posted)

Nvu 0.9RC1 Released (MozillaZine)

MozillaZine has an announcement for the first beta release of Nvu 0.9, a cross-platform web authoring system. "Nvu 0.9RC1 includes improvements to the Link dialogue, printing fixes and a new default theme. There are builds for Windows, Linspire 5.0, Fedora Core 3 and Mac OS X, with a source tarball also available."

Comments (none posted)

Open Clip Art Library Release 0.11 Announcement (GnomeDesktop)

GnomeDesktop.org has the announcement for release 0.11 of the Open Clip Art Library, a collection of small images. "Some of the new clip art received this month includes more images of food, computer-related items and even a little boombox. In addition to the collected 0.11 package, each clip art file can now be found by keywords using developer Jonadab's new Keyword Search Tool."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The March 1-8, 2005 edition of the Caml Weekly News is out with the week's Caml language development news.

Full Story (comments: none)

Haskell

The Monad.Reader debut

The initial publication of The Monad.Reader, a monthly online Haskell language e-zine, is out. Thanks to Shae Matijs Erisson.

Comments (none posted)

HTML

Linking in XHTML 2.0 (IBM developerWorks)

Micah Dubinko explores the details of XHTML 2.0 hyperlinks on IBM developerWorks. "As a fundamental part of the Web, hypertext linking has been the subject of repeated attempts at standardization beyond the basic format allowed in simple HTML. Such attempts can be characterized as efforts to balance machine processing ability with authoring convenience. The latest specification in this area, XHTML 2.0, just might have gotten it right."

Comments (none posted)

Java

A Look at Commons Chain: The New Java Framework (O'ReillyNet)

Bill Siggelkow explores chains and the Java Framework on O'Reilly. "In part one of a two-part series, Bill Siggelkow covers the basics of Chain, a promising new framework from the Jakarta Commons subproject that lets you integrate Chain into the Struts build process."

Comments (none posted)

AOP and metadata: A perfect match, Part 1

Ramnivas Laddad discusses aspect oriented programming and metadata on IBM developerWorks. "In this first half of a two-part article, author Ramnivas Laddad provides a conceptual overview of the new Java™ metadata facility and shows where AOP could most benefit from the addition of metadata annotations. He then walks you through a five-part design refactoring, starting with a metadata-free AOP implementation and concluding with one that combines the Participant design pattern with annotator-supplier aspects."

Comments (none posted)

Aspect-Oriented Annotations (O'Reilly)

Bill Burke covers Aspect-Oriented Annotations on O'Reilly. "Annotations are one of the new language features in J2SE 5.0, and allow you to attach metadata onto any Java construct. Meanwhile, Aspect-Oriented Programming (AOP) is a fairly new technology that makes it easier for you to encapsulate behavior that is usually messier, harder, or impossible to do with regular object-oriented (OO) techniques. Together, they make a new powerful combination that gives framework developers a more expressive way of providing their APIs. This article dives into combining these technologies using the JBoss AOP framework in various coding examples to show how you can use this combination to actually extend the Java language."

Comments (none posted)

Assertion Extensions for JUnit

Tony Morris introduces the Assertion Extensions for JUnit on IBM developerWorks. "JUnit lets you test software code units by making assertions that the intended requirements are met, but these assertions are limited to primitive operations. IBM Software Engineer Tony Morris fills the gap by introducing Assertion Extensions for JUnit, which provides a set of complex assertions that execute within the JUnit framework. Follow along as the author shows you how using this new package from alphaWorks can increase the reliability and robustness of your Java software."

Comments (none posted)

Lisp

McCLIM 0.9.1 released

Version 0.9.1 of McCLIM, an open-source implementation of the CLIM 2 (Common Lisp Interface Manager) specification, has been released. "This version changes the installation process, includes a new Mac OS X Cocoa backend, provides improved documentation and new applications/examples, and more."

Full Story (comments: none)

SBCL 0.8.20 released

Version 0.8.20 of SBCL (Steel Bank Common Lisp) has been released. "This version provides performance improvements and several bug fixes."

Full Story (comments: none)

Perl

Parrot 0.1.2 'Phoenix' Released (use Perl)

Version 0.1.2 of Parrot, the Perl 6 virtual machine, has been announced. Changes include new string handling code, the beginnings of a generational garbage collector, better Python support, improved test coverage, and more.

Comments (none posted)

A Plan for Pugs (O'Reilly)

chromatic interviews Autrijus Tang on O'Reilly. "Autrijus Tang is a talented Perl hacker, a dedicated CPAN contributor, and a truly smart man. His announcement of starting an implementation of Perl 6 in Haskell on February 1, 2005 might have seemed like a joke from almost anyone else. A month later, his little experiment runs more code and has attracted a community larger than anyone could have predicted. Perl.com recently caught up with Autrijus on #Perl6 to discuss his new project: Pugs"

Comments (none posted)

Automate Perl module deployment (IBM developerWorks)

Martin C. Brown works with Perl module deployment on IBM developerWorks. "If you run Perl across many different computers of any sort, you know how frustrating it can be to install Perl extension modules across those machines. The administrative process is even worse if you have a Web server farm and need to keep each machine up to date with a set suite of extension modules for your installation. CPAN helps, but there are issues with CPAN that make it an unwieldy solution for use on a network. This article provides possible solutions before covering the final system. The main goals are a unified installation/module set, a single download, and a guaranteed unified set of version numbers across all the computers in the network."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The March 7, 2005 edition of Dr. Dobb's Python-URL! is out with the week's Python language articles.

Full Story (comments: none)

python-dev Summary

The February 2-14, 2005 edition of the python-dev Summary is out with coverage of activity from the python-dev mailing list.

Full Story (comments: none)

python-dev Summary

The February 15-28, 2005 edition of the python-dev Summary is online with coverage of the python-dev mailing list traffic.

Full Story (comments: none)

Ruby

Ruby Weekly News

The March 6, 2005 edition of the Ruby Weekly News is available with the latest news and discussion from the ruby-talk mailing list.

Comments (none posted)

Rolling with Ruby on Rails, Part 2 (O'ReillyNet)

O'Reilly has published part two of a series on Rails with Ruby. "Curt Hibbs introduced Ruby on Rails by building a simple but functional web application in just a few minutes. Does the ease of use continue? He thinks so. In the second of two parts, Curt completes his example Rails application in merely 47 lines of code."

Comments (none posted)

Og: Teaching Ruby objects how to persist

George Moschovitis explains ObjectGraph (Og) on the RubyGarden. "RDBMS systems are a proven and robust technology for storing and querying data, but after experiencing the wonders of Ruby, it is hard not to wish for a better way to integrate the OOP and Relational paradigms. Og makes your dream come true! Og stands for ObjectGraph and provides a transparent way to make your objects persistent while leveraging the full querying power of an RDBMS system. In fact, Og is designed to use an RDBMS system like MySQL or PostgreSQL to implement the actual data store where the objects are serialized."

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The March 7, 2005 edition of Dr. Dobb's Tcl-URL! is online with another weekly roundup of Tcl/Tk articles and resources.

Full Story (comments: none)

XML

Batch processing XML with XSLT 2.0 (IBM developerWorks)

Jack Herrington writes about XML batch processing on IBM developerWorks. "A common problem with XSLT is that it takes only a single XML file as input. You can use a cross-platform Java™ tool to create an XML directory listing, then use XSLT to process every file in the directory from that listing. This tip covers installation and use of such a tool, as well as the corresponding XSL that processes multiple files from the directory listing."

Comments (none posted)

Show Me the Code (O'Reilly)

Joe Gregorio codes a bookmark service on O'Reilly. "In my inaugural article, I outlined the four basic steps you needed to follow when creating a RESTful web service. Now let's take those basic steps and follow them through a worked example. To stay on familiar ground we'll create something that you may find familiar: a web bookmark service."

Comments (none posted)

Getting Started with XQuery (O'Reilly)

Bob DuCharme has put together an introductory article about XQuery on O'Reilly. "Although the W3C's XQuery language for querying XML data sources is still in Working Draft status, the recent XML 2004 conference showed that there's already plenty of interest and many implementations. While the Saxon implementation may not scale up as much as the disk-based versions that use persistent indexes and other traditional database features, you can download the free version of Saxon, install it, and use XQuery so quickly that it's a great way to start playing with the language in order to learn about what this new standard can offer you."

Comments (none posted)

Gems from the Mines: 2002 to 2003 (O'Reilly)

Uche Ogbuji mines the XML-SIG mailing list on O'Reilly. "In this article I continue where the last one left off, mining the XML-SIG archives for 2002 and 2003. As always, I have updated code where necessary to use current APIs, style, and conventions in order to make it more immediately useful to readers. All code listings are tested using Python 2.3.4 and PyXML 0.8.4."

Comments (none posted)

Miscellaneous

Introducing the IBM Rational Unified Process (IBM developerWorks)

Mats Wessberg introduces IBM's Rational Unified Process (RUP) framework, and discusses improvements that can be made to the traditional process of software development. "To introduce beginners to the RUP framework, the process of software development is often compared to the construction process. But software development with the RUP is actually more like making a movie than building a house, as this article suggests."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Seven tips to help FOSS companies succeed (NewsForge)

NewsForge has some tips on how to make money with open source software. "The business community wants to know that a company is a reliable partner, a message that can be easily lost in the static of lingering suspicions about FOSS. By contrast, the FOSS communities want reassurance that the company does not simply exist to exploit their volunteer labor. They'll also ask questions about when the company is going to make contributions to the community -- usually code, but possibly also cash and marketing or the sponsorship of a conference. They want proof that the company is a credible member of the community."

Comments (none posted)

Sowing the Seeds of Open Source Advocacy (O'Reilly)

Jono Bacon suggests techniques for advocating open-source software on O'Reilly. "Within the open source community, advocacy is as critical as contributing source code, patches, or documentation. Although advocacy is not a technical contribution, it is critically important to spread the message of open source to other people in a language that is cohesive to their context. It is easy to preach to the converted when advocating open source to people at Linux user groups and trade shows, but standing in front of a board of executives who care little about computers--let alone a facet of computers, such as open source--is quite a challenge."

Comments (none posted)

Trade Shows and Conferences

KDE at FOSDEM 2005 Report (KDE.News)

KDE.News covers the KDE events at FOSDEM 2005. "FOSDEM is Europe's biggest meeting of Free Software developers and KDE turned out in force at it last weekend. As well as talks in the main track on KDE and KDevelop, the KDE Developers' room hosted a series of other talks. We also ran a stall and still found time for some hacking."

Comments (none posted)

Success Story: KDE for Science (KDE.News)

KDE.News looks at the use of multi-headed machines at the Tübinger Perception Conference 2005. "This setup was a little bit special, because one PC served 3 GeForce graphic adapters with 2 TFTs and 1 old SGI monitor, 3 keyboards and 3 mice attached. Under normal circumstances, you can only attach 1 monitor, 1 keyboard and one mouse to a computer."

Comments (none posted)

The SCO Problem

A Linux Nemesis on the Rocks (Business Week)

Business Week has a surprisingly complete article about the slow implosion of the SCO Group; it includes a report of today's announced restatement of SCO's 2004 numbers. "Well, the mouse that roared is barely squeaking these days. A string of recent setbacks raises grave questions about SCO's finances, its court case, and its management."

Comments (8 posted)

Bumbling Bully (Forbes)

Remember the long series of unpleasant Daniel Lyons stories about SCO in Forbes? It seems that even Mr. Lyons is figuring things out. "After two years, SCO still hasn't provided any evidence to back up its claim against IBM, something a judge recently chided it for. Now we find out it can't even handle basic accounting.... So maybe there is no big conspiracy. Maybe these guys are just in over their heads."

Declaration of SCO's Chris Sontag of December, 2004 (SCO v. IBM) (Groklaw)

GrokLaw has posted a declaration by Chris Sontag in the SCO case. "Here's Chris Sontag's latest declaration, in which he tries to support SCO's accusation IBM broke the law when it downloaded, from SCO's website, GPL'd Linux kernel code IBM itself wrote and owns the copyright on. IBM at the time was looking for evidence of copyright infringement, by the way. You know, like SCO's hero, the RIAA? SCO was in violation, IBM says, of the GPL by distributing that code in the first place, and hence SCO had no right to distribute that code to anyone, because they were violating IBM's copyright by so doing."

Novell and SCO (Finally) Agree to Postpone Until May (Groklaw)

Groklaw reports that the next hearing on the SCO/Novell case (on Novell's motion to dismiss) has been pushed back to May. "I guess SCO decided, after reading the Novell motion, not to fight, and they stipulated eventually. But first they forced Novell to go to the expense and effort of drawing up a motion that both sides must have known Novell couldn't lose from day one. Just totally unnecessary. So it's May 25th at 3 PM, on stipulation by the parties, and so ordered by Judge Kimball."

The Canopy-Noorda Answer (Yarro v Canopy) (Groklaw)

For those of you following along with the mess at the Canopy Group: Groklaw has the Noordas' side of the story from the court. "These Canopy lawyers thought of everything to throw in there. Like the song says, you have to know when to hold them and know when to fold them, and a settlement must have looked mighty good after Yarro, Mott and Christensen's attorneys read this Answer and realized the mountain they'd need to climb in this litigation to prevail."

It's worth noting that the Deseret News has posted an article stating that the rumors of a settlement in this case are premature.

Companies

Wind River aims for open-source expansion (News.com)

News.com gives an overview of Wind River's open source makeover. "A week ago, Eclipse project organizers said they planned to expand Eclipse into the embedded-software arena. But Wind River's effort isn't a shoo-in. The company has weeks of work ahead in navigating a complicated approval process for top-level projects, said Mike Milinkovich, executive director of the Eclipse Foundation, adding that he expects Wind River's project eventually to be approved."

Donors, takers size up free open source certificate support (NewsForge)

NewsForge looks at the GoDaddy.com offer of free SSL certificates to open source projects. "We thought it might be interesting to see what kind of response GoDaddy got, what it is doing to filter out the open source noise from the truly open source projects, and what it really takes to cash in on open source authenticity to score a free Turbo SSL Certificate from the Arizona company. Conversely, what must open source projects do to take advantage of this kind of free support -- whether it be SSL certs, hosting, or other services that can put more time and energy back on the code -- without compromising any control?"

Legal

Software patents make a mockery of European ideals (ZDNet)

ZDNet UK has run a critical column on the adoption of the software patent directive. "This affair has highlighted the mandarin mechanisms of Europe at their baleful worst. The killer argument that won the day for software patents? 'We are adopting the position for institutional reasons so as not to create a precedent which might have a consequence of creating future delays in other processes.' Lay down your keyboards, ye knights of open source; you have lost your freedom in a noble cause."

Interviews

The Spam Assassin Behind SpamAssassin (OSDir.com)

OSDir.com has an interview with Daniel Quinlan. "When most of us get email offering questionable herbal alternatives to Viagra or dubiously low prices on Adobe software, we simply delete it, having accepted long ago that receiving at least some unsolicited email comes with the price of using the Internet. But for Daniel Quinlan, it motivates him to figure out how to stop it -- for not just his sake but everybody else's. It's his job: He works as an anti-spam architect for an email security provider. And his paid work also carries over to his contributions to SpamAssassin, of which he currently chairs this free software's Project Management Committee."

Conversation with a successful Linux services entrepreneur (NewsForge)

Here's a NewsForge interview with Con Zymaris. "Con Zymaris runs Cybersource, an IT service company in Melbourne, Australia. Cybersource started as a one-man Unix shop in 2001 and has gradually evolved into a decent-sized Linux/FOSS-based business that serves a client base Zymaris says is now 20% government, 20% corporate, and 60% small/medium-sized businesses."

Resources

An Introduction to Embedded Linux Development, Part 4 (Linux Journal)

Linux Journal presents Part 4 in a four-part series of articles on Embedded Linux Development. "We continue with the particular SBC that we used in Part 1, Part 2 and Part 3, the LBox from Engineering Technologies Canada Ltd. (Engtech). Despite the use of a specific SBC here, much of the material has broader application and should be useful generally for using the Background Debug Mode (BDM) with Motorola microcontrollers."

Rev up your presentations with masks and movement (NewsForge)

NewsForge shows how to use OpenOffice.org and the Gimp to create truly obnoxious animated presentation slides. "Using masks and animating the resultant graphics along a path is an appealing way of getting an idea across to your audience. It's straightforward, clean, and high-impact."

Reviews

Review: Blender 3D (NewsForge)

NewsForge has published a review of Blender 3D, a three-dimensional content creation and animation suite. "Modeling in Blender is quite fun, especially if you're doing organic modeling and using Blender's Subdivision Surface option. You can use optimal iso-lines for mesh editing, which makes it easy on the eye. Add to this the option to model meshes using vertex, edge or face, selection mode, and many tools such as extrude, bevel, cut and spin, screw and warp, noise and smooth, subdivision, and much more, and you have a complete modeling toolkit."

An open source cookbook (NewsForge)

NewsForge has a review of two open-source recipe managers. "There are a number of different open source cookbook-related applications currently under active development in the community; a few of them even actually deal with food. If you're hungry for some open source code that will help feed you, Gourmet Recipe Manager and PHPRecipeBook are two applications that can help satiate your appetite."

2005 Text Mode Browser Roundup (Linux Journal)

Linux Journal takes a look at text mode browsers. "Considering the speed and convenience text mode browsers offer, even over SSH connection from half a continent away, text mode browsing is supremely useful. So let's take a look at the current state of text mode browsers."

Review: VIA Epia MII-12000 motherboard (NewsForge)

NewsForge reviews the VIA Epia MII-12000 Mini-ITX form-factor motherboard. "It's quiet, it's small, it's powerful enough for everyday desktop use and versatile enough to be a set-top media device or small home server. It takes PCMCIA cards, IDE drives, DDR memory, and a standard ATX power supply, yet it's smaller than a laptop computer. It has a built-in DVD decoder (no more DeCSS!) and with its built-in RSA chip it can encrypt and decrypt data faster than the most powerful Athlon 64 system."

Miscellaneous

Red Hat exec takes over Open Source Initiative (News.com)

News.com reports that Michael Tiemann has taken over as president of the Open Source Initiative. "[Russel] Nelson was named OSI president Feb. 1, taking over from co-founder Eric Raymond. Tiemann took over Feb. 23 and will continue in his role at Red Hat. "We thought that Michael would be a better president," Nelson said of the change, declining to share further details. Nelson will remain a board member and active in the group, he said."

Firefox Is Heading Towards Trouble (eWeek)

Steven J. Vaughan-Nichols worries about the future of Firefox in eWeek. "Here's the long and short of it. If the Mozilla Foundation and Firefox friends like Google don't start spending money - right now - to hire more programmers, more project managers and more servers, it won't matter how many ads in the New York Times Firefox supporters take out, Firefox will have already reached its high tide of popularity and we can only wait for the ebb to begin." (Thanks to Steven G. Johnson).

Security patches issued for RealPlayers (News.com)

News.com mentions the availability of security updates for RealPlayer and Helix Player on Linux and other platforms. "RealNetwork's patches, released Tuesday, address vulnerabilities in the software that could allow an attacker to run arbitrary or malicious code on a person's computer when a malicious WAV or SMIL file is processed. Secunia, a security information company, rated the vulnerabilities as critical."

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

European Cities will suffer from software patents

The Free Software Foundation Europe has sent an open letter to an EU official concerning the effect of software patents on European cities. "This will become a significant cost factor for three main reasons: Both software developers and users can be asked for almost any amount of money the software patent holder chooses. Many developers and companies will not be able to pay such demands and thus go out of business, turning tax-payers into people in need of social welfare. Finally, the price of the remaining software companies products will increase because of the need to refinance their software patent expenses and also because of reduced competition in the market."

FFII: The patent directive and the European constitution

FFII has sent out a lengthy release containing a letter from Jonas Maebe on how the European Council reached its decision on the patent directive, and what the implications are for Europe and the proposed EU constitution. "There was simply no qualified majority (possibly not even a simple majority) in the Council for this text. It was purely due to diplomatic inertia and fear of doing something against whatever is customary that it slipped through. Unless the Constitution says somewhere 'the written rules always have precedence over diplomatic customs and fears', it won't change this."

Commercial announcements

eEye Announces Retina 5.2 Network Security Scanner

eEye Digital Security has announced version 5.2 of its Retina Network Security Scanner. "Retina 5.2 is one of the first in the industry to provide security and IT professionals with a more in-depth view of the Linux, UNIX and other non-Windows(R) devices on their network."

Empower Technologies to Exhibit at ESC

Empower Technologies has announced that it will be demonstrating its Linux-based LDK5910 platform at the Embedded Systems Conference in San Francisco on March 6-10, 2005. "The LDK5910 combines LEOs, the OMAP5910 dual processor and an evaluation module (EVM) to afford a new level of cost and production efficiency to application development."

Etnus Announces TotalView for IBM Blue Gene/L

Etnus has announced the availability of their TotalView debugger for the IBM Blue Gene/L supercomputer. "TotalView is an advanced 32- and 64-bit graphical debugger providing software engineers with complete control over parallel and threaded applications written in C, C++ or Fortran. Not your average debugger, TotalView also provides unique, proprietary memory debugging technology that neither instruments code nor alters libraries."

Mandrakesoft signs agreement with French Ministry of Education and Research

Mandrakesoft has announced the signing of a distribution agreement with the French Ministry of Education and Research. "Mandrakesoft today announced an agreement with the French Ministry of Education and Research which allows the distribution of its line of products and services to Higher Education institutions, including universities and research laboratories, throughout France."

Micro Focus Launches Support for 64-bit Linux

Micro Focus International Ltd. has announced at the Intel Developer Forum in San Francisco general availability of Server Express(TM) for 64-bit Linux applications running on Intel(R) Itanium(R) 2 processor-based platforms.

PalmSource Joins the Consumer Electronics Linux Forum

PalmSource, Inc. has announced it has joined the Consumer Electronics Linux Forum (CELF) as an Associate member. "We are pleased to join the Consumer Electronics Linux Forum and collaborate with other industry-leading companies and the open source community to advance the development of Linux-based products," said John Ostrem, lead scientist of PalmSource. "With PalmSource's recent acquisition of China MobileSoft and the Company's Linux expertise, we believe PalmSource is poised to make significant contributions to the CELF as it develops Linux-based phone software products."

Plextor releases open source SDK for video

Plextor Corp. has announced the availability of a free Linux Software Developers Kit (SDK) for ConvertX video capture devices. "Licensed under the GNU General Public License, the Linux SDK supports the popular Video for Linux 2 (V4L2) and Advanced Linux Sound Architecture (ALSA) specifications. It also supports deprecated Open Sound System (OSS) applications via the OSS compatibility layer provided by ALSA. The new driver, which requires the Linux 2.6 kernel, includes sample code that can be reused in open source or proprietary applications to help developers get started quickly."

Bootable Linux iPods from Terra Soft

Terra Soft Solutions has announced that it is shipping iPods which are configured to boot Yellow Dog Linux. Note that Linux does not run on the iPod itself (though that is possible); instead, the iPod serves as a boot drive for Apple G4/G5 systems.

XACML 2.0 Access Control Markup Language Approved as OASIS Standard

The OASIS standards consortium has approved the XACML 2.0 Access Control Markup Language as a standard. "To meet the needs of a wide range of users across many different environments, XACML 2.0 incorporates new profiles for Role Based Access Control (RBAC), Privacy, and Lightweight Directory Access Protocol (LDAP). XACML 2.0 profiles also provide integration and hierarchical resources for the Security Assertion Markup Language (SAML) OASIS Standard."

New Books

Signate's Asterisk Book and CD Set

Looking to set up your own VOIP private branch exchange? Signate is offering a book and CD set which includes a Linux distribution and the Asterisk PBX system.

Syngress Releases "Black Hat Physical Device Security"

Syngress has published the book Black Hat Physical Device Security by Drew Miller.

"Intrusion Prevention and Active Response" Released by Syngress

Syngress has published the book Intrusion Prevention and Active Response by Michael Rash and Angela Orebaugh.

"Jakarta Struts Cookbook" Released by O'Reilly

O'Reilly has published the book Jakarta Struts Cookbook by Bill Siggelkow.

Resources

Electric Cloud Creates Open Source "GNU Make Standard Library"

Electric Cloud has announced the release of their GNU Make Standard Library (GMSL) under the GPL. "Until now, when developers wished to create a complex Makefile they were often forced to code, from scratch, common functions, or search the Internet for snippets of GNU Make code that could assist them. Now, with the GMSL, GNU Make developers have a single free collection of functions implemented using native GNU Make functionality. The GMSL includes list and string manipulation, integer arithmetic, associative arrays, stacks, debugging facilities and more."

FSF Europe Newsletter

The March 6, 2005 edition of the FSF Europe Newsletter is online with the latest FSFE news.

Linux Gazette #112

The March issue of Linux Gazette is out. Articles in this issue include Running XBoard in Irssi, by Jason Creighton, RSA 2005 Conference and Expo, San Francisco - Special Report, by Howard Dyckoff, Free as in Freedom: Part Three: Open Source to the Corporate Bazaar, by Adam Engel, Experiments with the Linux Kernel: Process Segments, by R. Krishnakumar, and more.

The LDP Weekly News

The March 9, 2005 edition of the Linux Documentation Project Weekly News is online with the latest documentation additions.

LPI January Newsletter

The January 2005 edition of the LPI Newsletter is online with the latest Linux Professional Institute news.

Updated Wheeler on Open Source: Look at the Numbers!

David Wheeler has recently updated his article on Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers! (Found on LinuxMedNews)

Contests and Awards

GNOME 2.10 Splash Screen Contest Results (GnomeDesktop)

GnomeDesktop has announced the closure of the GNOME 2.10 splash screen contest; the winning selection has been chosen.

Upcoming Events

Debian-Edu developer meeting in Nafplion, Greece

The Debian-Edu developer meeting will be held in Nafplion, Greece on April 15-17, 2005.

Libre Software Meeting 2005 : Call for Contributions

A Call for Contributions has been posted for the Libre Software Meeting 2005. The event will be held on July 5-9, 2005 in Dijon, France.

Linux Server Virtualization D.C. Event

A Linux Server Virtualization event will be held in Herndon, VA on March 22, 2005.

LugRadio Live 2005

LugRadio Live 2005 is the expo for people who like some fun with their Linux. It will be held June 25, 2005 at the Terrace Bar, Molyneux Stadium, Wolverhampton, UK.

Open Source Business Conference Announced

The second annual Open Source Business Conference (OSBC) will be held in San Francisco, CA on April 5 and 6, 2005.

Events: March 10 - May 5, 2005

Date | Event | Location
March 10 - 16, 2005 | CeBIT 2005 | Hannover, Germany
March 12, 2005 | Gentoo UK 2005 (University of Salford) | Manchester, UK
March 12, 2005 | Third Hungarian PHP Conference | Budapest, Hungary
March 14 - 17, 2005 | Emerging Technology Conference (ETech) (Westin Horton Plaza) | San Diego, CA
March 20 - 25, 2005 | Novell BrainShare 2005 | Salt Lake City, Utah
March 21 - 24, 2005 | Bellua Cyber Security Asia 2005 (Hotel Borobudur) | Jakarta, Indonesia
March 21 - 24, 2005 | Open Source Modeling and IDEs Workshop (Caribe Royale All Suites Resort & Convention Center) | Orlando, FL
March 23 - 25, 2005 | PyCon DC 2005 (GWU Cafritz Conference Center) | Washington, DC
March 26 - 27, 2005 | YAPC::Taipei 2005 | Taipei
March 30 - April 1, 2005 | PHP Quebec (Crowne Plaza Hotel) | Montreal, Canada
March 31 - April 1, 2005 | Black Hat Briefings Europe 2005 | Amsterdam, the Netherlands
April 1 - 3, 2005 | Twisted Sprint | Hobart, Tasmania
April 5 - 6, 2005 | Open Source Business Conference (OSBC) (Westin St. Francis) | San Francisco, CA
April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore
April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA
April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 (Westin Hotel) | Seattle, WA
April 15 - 17, 2005 | Debian Edu/Skolelinux workshop (Nafplion) | Athens, Greece
April 18 - 23, 2005 | linux.conf.au 2005 (Australian National University) | Canberra, Australia
April 18 - 21, 2005 | MySQL Users Conference and Expo 2005 (Santa Clara Convention Center) | Santa Clara, CA
April 18 - 20, 2005 | LinuxWorld Conference and Expo 2005 (Metro Toronto Convention Centre) | Toronto, ON
April 18 - 19, 2005 | Debian Miniconf 4 | Canberra, Australia
April 19 - 20, 2005 | San Francisco techCongress (Rickey's Hyatt) | Palo Alto, CA
April 20 - 23, 2005 | ACCU Conference 2005 (Randolph Hotel) | Oxford, England
April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) (Center for Art and Media (ZKM)) | Karlsruhe, Germany
April 23 - 24, 2005 | LayerOne Technology Conference (Pasadena Hilton) | Pasadena, CA
April 25 - 30, 2005 | UbuntuDownUnder | Sydney, Australia
May 2 - 7, 2005 | DallasCon 2005 (Richardson Hotel) | Dallas, TX
May 2 - 4, 2005 | Samba eXPerience 2005 (Hotel Freizeit) | Göttingen - Germany
May 4 - 6, 2005 | CanSecWest/core05 | Vancouver, B.C.

Web sites

KDE Wiki Gains New Host and Sponsor (KDE.News)

KDE.News has announced the movement of the KDE Wiki Home page. "I'm pleased to announce that the KDE Wiki has been moved to a new hosting solution sponsored by our very own Jason Bainbridge of the KDE Web Team. As you might have noticed, we had outgrown the previous server which had been hosting both the Dot and the Wiki. After extended downtime and performance issues often related to having both services on the same machine as well as limited administration resources, Navindra Umanee and I decided to search for an alternate host for the Wiki."

Miscellaneous

The latest version of the 'Cal-Induce Act'

Ed Felten comments on the latest version of a proposed California law which would require that all peer-to-peer software have built-in copyright and porn filters. "Fourth, it's not clear what the bill says about situations where there is no workable filtering software, or where the only available filtering software is seriously flawed. Is there an obligation to install some filtering software, even if doesn't work very well, and even if it makes the P2P software unusable in practice? The bill's language seems to assume that there is available filtering software that is known to work well, which is not necessarily the case."

Page editor: Forrest Cook

Letters to the editor

Haters of Open Source... use Open Source.

From:  Ken D'Ambrosio <kend-AT-xanoptix.com>
To:  letters-AT-lwn.net
Subject:  Haters of Open Source... use Open Source.
Date:  Tue, 08 Mar 2005 10:54:55 -0500

As everyone knows, the Alexis *de Tocqueville Institute hates Open
Source. They've gone to great lengths in their pathetic attempts to
discredit it, including publishing whitepapers trying to spread FUD
(eg., "Opening the Open Source Debate", and a book desperately trying to
show that Linus pirated Linux. [The Andrew Tannenbaum rants about that
book are almost as legendary as the Torvalds/Tannenbaum flamewars; see
www.cs.vu.nl/~ast/brown/ .]
 
It looks as if, however, AdTI has seen the light; the title tags at
www.adti.net now say, "*This site best viewed using Mozilla
Firefox(r)". Apparently, the closed-source software which they so firmly
believe in is a bit more security-hole ridden than the Open Source --
"Hybrid Source" in AdTI doublespeak -- alternative.
 
Nevertheless, one item of interest remains: I find it amusing and ironic
that an "Institute" that clearly feels pride in its elitism is capable
of mis-quoting one of the most famous speeches of one of our most famous
presidents -- right in their site's banner. The correct quote, Mr.
Brown, is "... not because they are easy, but because they are hard."
But hard work, and journalistic integrity, seem to evade AdTI.
 
Ken D'Ambrosio
kena@well.com

Conclusions aren't bad, but your working-out's badly broken

From:  Leon Brooks <leon-olc@cyberknights.com.au>
To:  Paul Murphy <paul.murphy-AT-linuxworld.com>
Subject:  Conclusions aren't bad, but your working-out's badly broken
Date:  Mon, 7 Mar 2005 10:50:42 +0800
Cc:  LWN Letters <letters-AT-lwn.net>

http://enterprise-linux-it.newsfactor.com/story.xhtml?sto...
 
> Furthermore, the Linux operating system itself is neither a new
> invention nor a stand-alone product. It consists of a Linux kernel
> developed by Torvalds and his colleagues by radically improving an
> earlier open-source Unix released by Andrew Tannenbaum in 1987,
> the Gnu utilities developed by the free software foundation, several
> graphical user interfaces akin to Microsoft's Windows brand products
> and a slew of third-party applications.
 
Urgh. Where to start? (-:
 
Linus did _not_ improve Andrew Tannenbaum's MINIX, he _replaced_ it. Andy
complained about the difference in structure, generally bagging it for being
monolithic instead of microkernel; he and Linus continue (in a friendly
manner) to disagree about the relative merits of each system.
 
The GUIs are not a part of the Linux kernel, nor are they in any way necessary
to it. On a server they're often a liability, chewing up resources to no good
end. The FSF's GNU tool-set, especially the GNU Compiler Collection, has been
very helpful in building and supporting the Linux operating system but again
these are still not an inherent part of it.
 
Comparing MS Windows to any of the GUI window managers is comparing apples to
fruit-baskets. MS Windows is comparable to a Linux distribution, so comparing
Mandrake Linux or Gentoo to MS Windows is valid (except that most Linux
distributions ship with many thousands of useful applications, whereas MS
Windows (for example XP) ships with a hundred or so, pretty bare-bones in
comparison) but comparing MS Windows to "the Linux operating system" is a
type mismatch error.
 
One last honourable mention, then let's examine the conclusions:
> Apple, for example, uses a BSD variant called Darwin as the foundation
> for Mac OS X. Unix my grandmother can, and does, use. Sun Microsystems,
> meanwhile, is evolving Solaris into a network-based environment offering
> failure-free computing to business users both in the data center and on
> the desktop. A Sun Ray user interrupted at work can, for example, pull
> her java card from the machine she is working on, cross the country to
> another office, plug the card into a machine there, and continue typing
> where she left off.
 
Your grandmother doesn't use the Unix, she uses the GUI. It's technically
feasible to drop Carbon et al onto a Linux platform and it will work just the
same. You can also run most of the "Linux" window managers as-is on OS X.
 
My grandmothers have all died, but my computerless mother-in-law has used KDE
without any undue hassles. My sister-in-law (http://www.goldenlight.bur.st/)
uses and enjoys the well-integrated features in KDE too. Others derive great
joy from GNOME, or from the simpler, faster interfaces like XFCE and FluxBox.
 
Yes, the Mac interface is even more graceful and better integrated; no, it's
not a magic bullet. A piece of the magic in Mac land that you seem to have
skipped over is consistent, 100% supported hardware. It Just Works, and
people expect to pay 1.5-2x as much for that.
 
The trick with the SunRay is nice, and looks really cool, but is hardly worth
the money in 99% of cases. Ask Sun how much more your network infrastructure
costs when you've set it up to arbitrarily pipe video all over the country.
 
If you're busy editing up an OpenOffice document on a similar thin client
connected to a Linux server and the thin client emits smoke or loses power,
you can walk to another one, log in, start OpenOffice and resume typing too.
 
The really useful part of Sun gear is again reliability of a kind you
generally don't get with commodity PCs. Linux can get you some of that; for
example, I installed a low-cost Motium (http://www.motium.com.au/) box in a
controlled environment a year and a half ago, and it hasn't blipped.
 
With a disproportionate amount of effort, MS Windows can begin to approach
that kind of reliability on good hardware. Serious players will either skip
the effort by using Linux on the same good hardware, or shell out a bit more
for SGI, Sun, IBM or whoever to do a proper job.
 
> Torvalds himself has never claimed to be more than he is, but tipping
> points aren't made out of technical reality. They're made out of
> perceptual change. Thus, it was the legend of Torvalds, not the reality
> of his actions as a kind of Wayne Gretzky of Unix development, that
> gave Linux the patina of political correctness needed for it to gain
> widespread public acceptance.
 
We're into opinion-land now, rather than hard facts and observations, but I
think this is still clearly off the mark.
 
Linux is winning because Linus provides a single no-arguments benevolent
dictator for it. As General Patton and presumably others before him have
pointed out, a good plan executed right now is often better than a perfect
plan executed slowly. Linus quickly pares away the fluff, and Linux has been,
by general consensus, a one-man one-vote system, Linus being the one man.
 
Linux is also winning because it's GPLed. That makes it very difficult to
legally hijack. Even if Trey Gates offers Linus fifty billion dollars to
retire from managing or coding for Linux or anything like it, and he takes
the bribe (-: I would! :-), Linux will go on growing.
 
Open Source in general is winning because of similar control issues. Microsoft
can change Internet Explorer in ways hostile to your line of business, and
there's nothing you can do about that if Internet Explorer is all you use.
But it's quite practical for even a small company to maintain a fork of
Firefox patched to do things in a friendlier way. Often when you update MS
Windows, you get MS "Virus Flypaper" Outlook reinstalled for free. If Fedora,
SuSE or Debian ever did something this ruderbit - and a "sawn off" version of whatever software offended would promptly
become available.
 
Self-centred enterprises just will not give you that control. Linux Australia
found itself moribund a few years ago despite the best of intentions, and the
people in charge had the courage and humility to bite the bullet, doing
radical surgery on the organisation's structure to open up real participation
to more people. Although not perfect, the result has so far been
producing excellent results,

Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds