
LWN.net Weekly Edition for April 7, 2005

The kernel and BitKeeper part ways

Back in early 1999, your editor got a call from Larry McVoy. He was worried that Linus Torvalds was on the verge of burning out as the kernel project grew. The problems in those days were quite evident; Linus, it was being said, did not scale. But, according to Larry, a complete burnout was not inevitable. If Linus could be given the right tools, many of his problems (and the frustrations of other kernel developers) could be solved, and the system would run smoothly again. The right tool, according to Larry, was a thing called BitKeeper; if some sort of agreement could be made on licensing, Larry (along with his company, BitMover) was willing to make BitKeeper available for kernel development. In fact, Larry wanted to see BitKeeper used for all free software development; see this article from the March 25, 1999 LWN Weekly Edition for a view of how things looked at that time.

Three years later, the situation did not look any better. The 2.4 kernel had taken almost a full year to stabilize after 2.4.0 came out. 2.5 had begun, but the process was looking rocky at best. Patches were being dropped, developers were complaining, and Linus was getting tired. After convincing himself that the tool had reached a point where it could do what he needed, Linus decided to give BitKeeper a try. There was no looking back.

Some of the development process issues could have been addressed by adopting any source code management system. But BitKeeper brought more than that; it established a model where there is no central repository. Instead, each developer could maintain one or more fully independent trees. When the time came, patches of interest could be "pulled" from one tree to another while retaining the full revision history. Rather than send patches in countless email messages - often multiple times - developers could simply request a pull from their BitKeeper trees. Meanwhile, the current development trees could be pulled automatically into the -mm kernel, allowing patches to be tested by a wider audience prior to merging into the mainline. BitKeeper enabled a work method and patch flow which naturally supported the kernel's development model.

Once the developers and the tools got up to speed, kernel development took off like never before. The rate at which patches were merged skyrocketed, the developers were happy, and the whole system ran smoothly. The public version of Linus's BitKeeper repository (and the repositories of many other developers) made the development process more transparent than ever. Anybody could look to see the up-to-the-minute state of the kernel and how it got there. Larry was right: with the right tools, Linus really could scale.

The only problem was that BitKeeper is proprietary software. It came (in binary-only form) with a license which allowed free use, but which imposed some significant restrictions. The free version of BitKeeper could only be used with open source projects; users could be required to make their repositories available on demand. The free version posted all changelog information on openlogging.org, and disabling the logging was not allowed. Users were required to upgrade to new versions, which could come with different licenses. And users were not only prohibited from reverse engineering the software, but they were prohibited from working on any sort of source code management system at all.

Larry wanted to have his cake and eat it too. He truly wanted to support the development of free software - as long as that software didn't threaten his own particular business niche. Supporting the kernel development cost real money - and supporting the business which created BitKeeper cost even more. Whenever BitMover felt that its business model was threatened, it responded; often the BitKeeper licensing terms were changed in response to perceived threats - to the point that the BitKeeper license became known in some circles as the "don't piss off Larry license."

Well, somebody pissed off Larry one time too many. The final straw, it seems, was a certain high-profile developer who refused to stop reverse engineering work while simultaneously doing some work for OSDL. BitMover is now withdrawing support for the free version of BitKeeper, and Linus has ceased to use it. BitKeeper is no longer the source code management system for the kernel. Proprietary software can be good stuff, but it always carries this threat: you never really know if it will be there for you tomorrow or not. BitMover has decided that it can no longer afford to make BitKeeper available for the free software community.

BitMover has issued a press release on this change:

BitMover looks forward to implementing our extensive roadmap and delivering advanced SCM technology to a wider market. As part of this focus, BitMover has replaced the free version of BitKeeper with the recently released open source BitKeeper client. Those developers who desire additional functionality may choose to migrate to the more powerful commercial version of BitKeeper.

The open source client, incidentally, enables the extraction of the current version from a repository, but does little else. The PR also states that "Our relationship with the Open Source community has been evolving and many of the key developers have already migrated to the commercial version of BitKeeper." Linus has, however, made it clear that he is not one of those "key developers":

Right now, the only real thing that has happened is that I've decided to not use BK mainly because I need to figure out the alternatives, and rather than continuing "things as normal", I decided to bite the bullet and just see what life without BK looks like. So far it's a gray and bleak world ;)

What happens next is far from clear. The kernel developers will not go back to the previous way of doing things - no source code management system at all. Even the developers who can continue to use BitKeeper are unlikely to continue doing so if Linus is unable to pull their patches. So a replacement will have to be found. It is not clear that any of the free alternatives is up to the task of handling a project as large as the kernel. One of them may end up growing up in a hurry in order to take the load. Thanks partly to the example and motivation provided by BitKeeper, the free alternatives do look far more viable than they did three years ago, when Linus first started using BitKeeper.

Larry has made it clear that he blames the free software community for this turn of events:

I'm far from blameless but the majority of this problem is an open source community problem. They simply don't want to play with non-open source. At least some of them don't and they ruin it for the rest of us. The problem here is one of policing. By ignoring/tolerating the bad apples the community punishes itself.

If BitKeeper users were violating the license under which they received the software, they have indeed done something wrong. Every time we release code under a free license, we do so with the expectation that the terms of that license will be respected. To treat somebody else's license with less respect is hypocritical; if the license terms are not acceptable, do not use the software. That said, one could note a couple of other things. The notion that developers of proprietary software do not engage in reverse engineering - that it's "an open source community problem" - is debatable at best. And how, exactly, might the community be expected to do this sort of "policing"?

The ironic result of all this is likely to be the accelerated development of exactly what Larry claims to most fear: a free source code management system that, while it lacks much of what makes BitKeeper great, is "good enough" for a large portion of the user base. As the BitKeeper developers found out, hosting the kernel project is an effective way to shake out scalability and usability problems. Whichever system ends up hosting the kernel can be expected to go through a period of rapid improvement.

BitMover did, in fact, get a few benefits from hosting the kernel, even if, in the company's view, the benefits do not come close to equaling the associated costs. BitKeeper is a more scalable and robust system as a result of the use it saw in that role. There were also substantial PR benefits; see, for example, this 2004 press release with nice quotes from David Miller and Linus Torvalds. There can be no doubt that working with the kernel has brought a great deal of visibility to BitKeeper, and that must have resulted in some new business. The cynical among us might conclude (and some already have concluded) that BitMover simply decided that it had obtained most of the benefits it was going to get from hosting the kernel and decided to move on.

Whether or not that is the case, it cannot be doubted that Linux, too, has benefited strongly from its association with BitKeeper. We would not have a 2.6 kernel with anything near its level of capability, scalability, and robustness without the role played by BitKeeper. One could easily argue that the free source code management systems would not be as good as they are had BitKeeper not come along. BitKeeper was a gift to the community that was well worth accepting; now that it is gone, the best thing to do is to say "thanks" (with sincerity!) and figure out what comes next.


Ubuntu and UserLinux

April 6, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

Despite what you may have heard on Slashdot, UserLinux and Ubuntu aren't going to be merging anytime soon. A few weeks ago, Ubuntu's Jeff Waugh invited the UserLinux project to "collaborate with Ubuntu to build the finest platform and community for FOSS service providers". This was after a discussion about the problems of trying to build UserLinux around Debian when it's taking a long time for a new stable release from Debian. Waugh's invitation generated a fair amount of additional discussion on the UserLinux list, but little comment from UserLinux founder Bruce Perens. It's become clear that Ubuntu and UserLinux will remain separate for the foreseeable future, but we decided to check in with Perens to see what he had to say about the whole thing.

Perens was quick to note that he supports Ubuntu, but doesn't think that Ubuntu's corporate-sponsored model is the way to go for UserLinux.

When Mark [Shuttleworth] started to work on Ubuntu, he called me up and we talked about whether I'd be interested in taking a leadership position in Ubuntu and I decided not to pursue that, because I feel that a non-profit is the correct paradigm for a Linux distribution. A Linux distribution is inherently not a profit-making enterprise and we are seeing [some of] the commercial Linux distributions abuse the open source paradigm because of that fact.

In addition, Perens said that Debian's development process allows anyone to become a developer and run for Project Leader or hold another Debian office, which doesn't exist in other projects. "You can be part of Ubuntu's community or Fedora's community, you don't get the chance to be boss".

Shortly after Waugh's invitation on the UserLinux mailing list, some of the Ubuntu team created experimental UserLinux packages for Ubuntu. The metapackages would allow creating "a sort of Ubuntu-flavored UserLinux". Unfortunately, the packages were also in violation of the UserLinux trademark policy. When we asked about the situation, Perens noted the importance of having a trademark policy, given the abuse of the Debian trademark "in various ways" and that "the UserLinux guys get to say what can be called UserLinux when they do their version of the Debian release." He also said he didn't have a problem with labeling the packages "ul" or something similar to distinguish them from official UserLinux packages. It would appear, after a bit of friction, that the projects are sorting out the trademark issue so Ubuntu can include the metapackages.

But the Ubuntu effort highlights the problem of perceived inertia for UserLinux. Perens announced UserLinux in December of 2003. There was a great deal of interest in the idea at the time, but the wait for a Debian release has certainly had an impact on the momentum of the project.

Perens conceded that there was a perception among the Linux community that UserLinux had stagnated, but said that the perception can be overcome.

A lot of people would have given up now, because the time-to-market is totally blown, but this was never intended to be a start-up business. Having been on board or watching the last five companies that were attempting to commercialize Debian, I have some idea what went wrong and what went right and I think we can make this idea work with businesses.

As far as UserLinux, I think what I would like to do, is once Debian has made a release, have our roster of support companies ready to support it, and to just start giving these things out at Linux-related business events and saying 'here's a system with full support, here's a price sheet, and we're going to give you a lower cost of ownership than Linux. We're going to beat other Linux distributions on TCO and we're going to give you more control because, more than Fedora, more than Ubuntu, you get a chance to determine exactly how the system is built, because it's tracking what the Debian organization does, it's not a Debian variant.

Perens also told LWN that the best way for someone to help with UserLinux is to be involved with Debian.

For people in the community, my main desire is that they work on Debian, okay? We can use some people on the UserLinux project, but the UserLinux policy is when we make software, we do it on Debian teams, and check it into Debian Subversion, don't issue as separate UL packages unless there's a Debian freeze...I think that Debian is a very healthy community, despite the challenges.

To outsiders, however, it may appear at times that the Debian Project is too mired in political disagreements and flame wars to actually get anything done -- which is a significant objection to wanting to be involved with Debian. Perens said that there is a need to convince "a significant portion of 1,000 active developers that your policy is right" when working with Debian, but "that in itself is a quality assurance process".

Perens said he was "heartened" by the recent announcement that Debian will soon be doing a release, and that "when Debian wants to get off the dime, they can". He also said that the Debian developers have been "pretty embarrassed by the long delay of the release" and have bit the bullet to get it out the door. He also predicted that the next Debian release after Sarge will be scheduled, and it will be kept on schedule.

It will be interesting to see what happens after Debian Sarge is released, and whether the UserLinux project can succeed as a distribution for "businesses of all sizes".


GCJ - past, present, and future

April 6, 2005

This article was contributed by Mark Wielaard

GCJ (the GNU Compiler for the Java programming language) is part of GCC (the GNU Compiler Collection) and provides a compiler, runtime environment, core libraries and tools for the Java language - it's an object oriented, strongly typed, garbage collected programming framework with a rich core library. GCJ is modeled after, and is a free replacement for, the proprietary Java platform. But like GNU is Not Unix, GCJ is not Java.

The traditional Java platform is clearly not an ideal system, especially when combined with the traditional GNU system, but it is not too bad. The essential features seem to be good ones. Lots of Free Software is already written in the Java programming language so a free system compatible with the Java platform would be convenient for many hackers. GCJ is an extension of GCC and facilitates integration with other languages supported by GCC. GCJ 4, part of GCC 4.0, adds more features to easily integrate programs written using the GCJ development environment with the rest of the GNU platform while being even more compatible with the traditional Java platforms than previous releases. GCC 4.0 is scheduled to be released around April 15.

GCJ design history

Originally GCJ was designed as a “radically traditional” compiler for the Java programming language. It is an AOT (Ahead Of Time) compiler which automatically uses every GCC optimization available during compile time for a given architecture and produces binaries or (shared) libraries for the given platform. These programs run at full native speed without needing any interpreter or JIT (Just In Time) compilation. GCC is available for a large number of architectures and platforms so compiling directly to native code using the GCC back-ends makes programs written with GCJ much more portable than the traditional (proprietary) Java platform. This radically traditional approach makes all normal GNU tools like GDB available to the programmer writing code in the Java programming language just like when programming in any other language supported by GCC.

Thereafter, support for generating and interpreting byte code .class and .jar files was added. This made GCJ more compatible with traditional applications written in the Java programming language that are compiled to byte code. GCJ can be used in various modes:

  1. Compile and link .java source files to binaries, .o or .so files.
  2. Compile and link .class or .jar byte code files to binary.
  3. Compile .java source files to .class byte code files (gcj -C).
  4. Interpret .class or .jar byte code files during runtime (gij).

The byte code interpreter is included as part of the standard runtime libgcj and can be used by programs to switch between interpreting byte code and executing natively compiled code on demand. So not all of the program has to be completely interpreted or completely compiled ahead of time at the same time.

To facilitate integration with code written in other languages, GCJ defines the CNI (Compiled Native Interface). CNI makes it easy to mix and match code and classes written in C, C++ and Java by allowing you to write some methods of a class in C++ and to catch and throw exceptions directly to and from parts of the program written in different languages. GCJ also supports the more traditional JNI (Java Native Interface) for using code written in C from your programs.

Anthony Green posted the original design document for GCJ from 1998.

Drawbacks of the GCJ 3.x approach

GCJ 3.x provides a good “better than Java” development environment that allows tight integration with the rest of the GNU platform. But it has disappointed some traditional Java programmers. The possibility to mix and match native code with byte code in the compiler and libgcj runtime makes GCJ very flexible. But falling back to interpreting byte code doesn't really take full advantage of the whole “radically traditional” approach. Especially programs using advanced byte code based class loader tricks used to work slowly because they fell back to using the interpreter during runtime.

There are GCJ extensions to add support for using natively compiled code all the time. But programs had to be adapted to use these extensions. Instead of using .jar files containing byte code definitions of new classes programs would have to use a new URL scheme (gcjlib:) for their URLClassLoader uses. The first “Fast Free Eclipse” port to GCJ was done this way. The source code of the plugin loading mechanism was adapted to search for natively compiled plugins in shared library .so files besides ordinary .jar byte code files. There was even a moderately popular project, rhug, that maintained a lot of patched versions of traditional free Java programs that were adapted to gcj's view of the world. But these patches were almost never adopted upstream and the maintenance of these forks took a lot of time. So the benefits of the GCJ approach were only seen by programs written explicitly for it, but not by traditional Java programs.

One of the main goals of the GCJ 4 effort was to bring all the advantages of the “radically traditional” approach to any program written in the Java programming language without needing any application-level changes.

GCJ 4 enhancements

Probably the most visible enhancement of GCJ 4 comes from merging the libgcj runtime with the GNU Classpath core class library project. By collaborating with other free runtimes like the traditional kaffe environment and around 20 other projects, GCJ 4 is able to offer a core class library comparable to JDK 1.3 or 1.4. The collaboration of all these projects on a common core library implementation means that a lot of the libraries needed by applications, except for advanced Swing, Corba and sound usage, are available out of the box. Kaffe, for example, is being used by the Apache project to track the build of most of the jakarta projects using their Gump auto-builder.

The other big change is the addition of the -findirect-dispatch switch to the compiler. Using that option causes GCJ to generate native code for classes and methods that follow the precise same binary compatibility rules as described in the Java Language Specification. This means that native compiled code can now be used everywhere, even in the most tricky class loader situations, where previously the program would fall back to interpreted byte code. At the 2004 GCC Summit Tom Tromey and Andrew Haley described this new binary compatibility ABI for GCJ in more detail.

The new binary compatibility (BC) ABI makes it possible to transparently compile programs to native code using gcj -findirect-dispatch without having to change the application source code or even the build process. To map byte code to GCJ compiled native code, GCJ 4 introduces gcj-dbtool. This tool is used by the packager during deployment of the application or library to create a database mapping the bytecode of a class to the native code during runtime. Programs can use different databases using the gnu.gcj.precompiled.db.path system property. The databases make it possible to create a cache of all native compiled code that can be shared by different programs installed on the system. The How to BC compile with GCJ GCC wiki page has examples.

This approach is used by the native Eclipse packages in Fedora Core 4. No changes to the eclipse code base are necessary anymore and, after the project is bootstrapped, all resulting .jar files are BC compiled. To almost completely automate this process, Thomas Fitzsimmons created java-gcj-compat, a collection of wrapper scripts, symlinks and jar files that provide a Java-SDK-like interface to this new GCJ 4 tool set.

Future plans

The -findirect-dispatch switch can currently only be used for byte code and not in combination with CNI (JNI is already supported). This limitation currently prevents parts of the core class libraries from being BC compiled. Lifting this restriction will facilitate more integration with GNU Classpath.

With GCJ and GDB a programmer can step through native C, C++ and Java source code using the same tool. Traditional Java developers are more used to JDWP (Java Debugging Wire Protocol) for debugging their applications. Eclipse comes with built-in support for JDWP. Work is in progress to provide JDWP debugging support for the different execution mechanisms. This code will also be shared with the GNU Classpath project.

Benchmarks show that GCJ is comparable (sometimes faster, sometimes slower) to traditional execution mechanisms for Java programs. But GCJ currently doesn't really take advantage of the new GCC 4.0 Tree SSA optimizer framework. For 4.1 the GCJ developers hope to add a couple of GCJ specific optimizations.

Tom Tromey is currently working on GCJX, a new GCC frontend that will include support for the new 1.5 language additions, such as generics. And the GNU Classpath project has a separate branch for the core class libraries that depend on the new 1.5 language additions.

Escaping the Java Trap

GCJ 4 is the result of seven years of work by a large and active community of Free Software hackers. This new version is complete enough to replace most interesting uses of the proprietary Java platform. It adds a whole new set of core libraries and adds some new features to help integration with the rest of the GNU platform. Upcoming versions of some GNU/Linux distributions will use GCJ 4 to provide much more Java-based Free Software, including Eclipse, Jonas, OpenOffice.org 2, Tomcat and the Jakarta libraries. There is also a great deal of free software to integrate with traditional GNU/Linux distributions provided by the JPackage project. Both Debian and Fedora are working with the jpackage hackers to support more of these packages “out of the box”.

All this doesn't mean that we have escaped the Java trap yet. As pointed out by Richard Stallman in “Free But Shackled - The Java Trap” we have to actively work together to keep code safe and free. It looks like the main target projects for GCJ 4 (Apache Jakarta, Eclipse and OpenOffice.org 2), have all reacted positively to the feedback and patches provided to support free alternatives to the Java platform. The fact that the changes requested were for making the projects more portable ("don't use undocumented com.sun internal classes") rather than requests to dramatically change the code, (core) libraries used or build infrastructure has helped a lot. But the above projects were already free software projects at heart. It remains to be seen if other more traditional Java projects will adapt so easily to support GCJ 4 out of the box.


Page editor: Jonathan Corbet

Security

Blocking popups in FireFox

April 6, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

One of the most compelling features of Firefox, for many users, is its built-in pop-up blocking. However, the advertising networks and webmasters looking to inflict pop-up ads on users weren't content to allow Firefox users (or anyone else, for that matter) to browse in peace. It's not surprising that, as Firefox gains in popularity, the Mozilla team would be faced with an "arms race" with advertisers determined to spawn pop-ups on all visitors to sponsored sites.

This writer has recently noticed that some sites had begun spawning pop-ups, despite the fact that Firefox's preferences had been configured to block them. After so long without having to cope with pop-ups, it was doubly annoying to see the nuisance starting all over again.

For the most part, before Firefox and other pop-up blockers appeared on the scene, pop-ups and pop-unders were spawned by JavaScript as soon as a site loads. The Firefox pop-up blocking settings were very successful in blocking almost all pop-up ads. The notable exception, at least for this user, was the New York Times website, which was one of the first sites to find a workaround for Firefox's pop-up blocking.

JavaScript, however, is not the only method that can be used to spawn pop-ups. Notably, Flash, Java and other plugins are capable of spawning pop-ups, bypassing the restrictions used to stop pop-ups spawned by JavaScript. To start blocking pop-ups on sites that take advantage of features in Flash or Java to spawn pop-ups, users can install the Pop-ups Must Die! extension.

Alternately, users can get the same effect by manually fine-tuning Firefox's settings. The first change, adding "privacy.popups.disable_from_plugins" is described here. The extension also changes the value of "dom.popup_allowed_events" to block all allowed pop-up events. This can be done by entering "about:config" in the Firefox address bar, and finding "dom.popup_allowed_events," and removing all of the options. These are the only two changes made by the extension.

The changes seem to have been very effective -- perhaps a little too effective. Several users have complained that the extension blocks requested pop-ups as well. This is true, but Firefox still allows users to whitelist sites after a pop-up has been blocked by the new settings. This writer considers it a small price to pay to avoid unrequested pop-ups. For those who would rather deal with the occasional unrequested pop-up, one may change "privacy.popups.disable_from_plugins" to "1" to allow pop-ups to be opened when a link is clicked. This will limit the number of windows opened by a link, so nefarious webmasters cannot open an unlimited number of windows.
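The two settings described above can also be checked directly in a profile's prefs.js file. The audit script below is an added example, not part of the original article or of the extension; the sample prefs.js content is constructed, and treating values 2 and 3 of privacy.popups.disable_from_plugins as the blocking settings is an assumption based on Mozilla's pref documentation, since the article only names the relaxed value 1.

```javascript
// Audit a Firefox prefs.js for the two pop-up settings the article describes.
// Added example; rule values marked "assumption" are not stated in the article.

const POPUP_RULES = [
  {
    name: 'privacy.popups.disable_from_plugins',
    // Assumption: 2 and 3 both block plugin-spawned pop-ups; 1 (named in the
    // article) allows a limited number of pop-ups on click.
    isHardened: (v) => Number.isInteger(v) && v >= 2,
    want: 2,
  },
  {
    name: 'dom.popup_allowed_events',
    // From the article: remove all of the options, i.e. an empty string.
    isHardened: (v) => v === '',
    want: '',
  },
];

// Constructed sample profile content, not taken from a real profile.
const SAMPLE_PREFS_JS = [
  '# Mozilla User Preferences',
  'user_pref("browser.startup.homepage", "https://lwn.net/");',
  'user_pref("dom.disable_open_during_load", true);',
  'user_pref("privacy.popups.disable_from_plugins", 1);',
  '// user_pref("dom.popup_allowed_events", "");',
].join('\n');

// Parse `user_pref("name", value);` lines into a Map. Commented-out and
// malformed lines are skipped; values are strings, integers or booleans.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try {
      prefs.set(m[1], JSON.parse(m[2]));
    } catch (err) {
      continue; // value is not a plain string/number/boolean literal
    }
  }
  return prefs;
}

// Classify each rule as 'hardened', 'relaxed' or 'missing'. prefs.js only
// records values changed from the defaults, so 'missing' means the browser
// default is in effect rather than the setting the article recommends.
function auditPopupPrefs(prefs) {
  return POPUP_RULES.map((rule) => {
    const present = prefs.has(rule.name);
    const current = prefs.get(rule.name);
    let status = 'missing';
    if (present) status = rule.isHardened(current) ? 'hardened' : 'relaxed';
    return { name: rule.name, status, current, want: rule.want };
  });
}

// Produce the user_pref lines needed to reach the hardened state.
function userJsFix(findings) {
  return findings
    .filter((f) => f.status !== 'hardened')
    .map((f) => `user_pref(${JSON.stringify(f.name)}, ${JSON.stringify(f.want)});`);
}

const sampleFindings = auditPopupPrefs(parsePrefs(SAMPLE_PREFS_JS));
for (const f of sampleFindings) {
  console.log(`${f.status.padEnd(8)} ${f.name} (current: ${JSON.stringify(f.current)})`);
}
console.log(userJsFix(sampleFindings).join('\n'));
```

Lines returned by userJsFix() can be placed in a user.js file in the profile directory, which Firefox applies at startup.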

Determined webmasters, however, can find ways to inflict advertising on users in other ways. Consider this site which was pointed out in the discussion about the "Pop-ups Must Die!" extension. Rather than spawning a pop-up, it creates a frame within the window that blocks the content of the site until the frame "window" is closed. Without disabling frames, which would cause a great deal of problems for sites that use them legitimately, it's difficult to imagine how one could avoid this kind of "pop-up." (Note, disabling frames by changing the value of "browser.frames.enabled" to false appears to break Firefox entirely.)

Ultimately, the best solution may not rest with Firefox. Users who are offended by pop-ups, and other intrusive advertising, have an infallible weapon at their disposal -- stop visiting sites that insist on using pop-ups. While it would require a great number of users to be effective, even the most persistent webmasters and advertisers would have to reconsider their methods if they have no audience for their ads.


New vulnerabilities

Dnsmasq: poisoning and DoS

Package(s): dnsmasq
CVE #(s):
Created: April 4, 2005
Updated: July 21, 2005
Description: Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could cause a crash when parsing DHCP lease files.
Alerts:
Slackware SSA:2005-201-01 dnsmasq 2005-07-21
Gentoo 200504-03 dnsmasq 2005-04-04


gaim: buffer overflow, DoS

Package(s): gaim
CVE #(s): CAN-2005-0965 CAN-2005-0966
Created: April 5, 2005
Updated: May 15, 2005
Description: Jean-Yves Lefort discovered a buffer overflow in the gaim_markup_strip_html() function. This caused Gaim to crash when receiving certain malformed HTML messages. (CAN-2005-0965)

Jean-Yves Lefort also noticed that many functions that handle IRC commands do not escape received HTML metacharacters; this allowed remote attackers to cause a Denial of Service by injecting arbitrary HTML code into the conversation window, popping up arbitrarily many empty dialog boxes, or even causing Gaim to crash. (CAN-2005-0966)

Alerts:
Slackware SSA:2005-133-01 gaim 2005-05-15
Conectiva CLA-2005:949 gaim 2005-04-27
Slackware SSA:2005-111-03 gaim 2005-04-22
Mandriva MDKSA-2005:071 gaim 2005-04-13
Red Hat RHSA-2005:365-01 gaim 2005-04-12
Gentoo 200504-05 gaim 2005-04-06
Fedora FEDORA-2005-299 gaim 2005-04-05
Fedora FEDORA-2005-298 gaim 2005-04-05
Ubuntu USN-106-1 gaim 2005-04-05


kernel: multiple vulnerabilities

Package(s): kernel
CVE #(s): CAN-2005-0400 CAN-2005-0749 CAN-2005-0750 CAN-2005-0815 CAN-2005-0839
Created: April 1, 2005
Updated: July 1, 2005
Description: More kernel vulnerabilities have been discovered including:
  • Mathieu Lafon discovered an information leak in the ext2 file system driver. (CAN-2005-0400)
  • Yichen Xie discovered a Denial of Service vulnerability in the ELF loader. (CAN-2005-0749)
  • Ilja van Sprundel discovered that the bluez_sock_create() function did not check its "protocol" argument for negative values. (CAN-2005-0750)
  • Michal Zalewski discovered that the iso9660 file system driver fails to check ranges properly in several cases. (CAN-2005-0815)
  • Previous kernels did not restrict the use of the N_MOUSE line discipline in the serial driver. (CAN-2005-0839)
Alerts:
Mandriva MDKSA-2005:110 kernel 2005-06-30
Mandriva MDKSA-2005:111 kernel-2.4 2005-06-30
Fedora-Legacy FLSA:152532 kernel 2005-06-04
Conectiva CLA-2005:952 kernel 2005-05-02
Red Hat RHSA-2005:284-01 kernel 2005-04-28
Red Hat RHSA-2005:283-01 kernel 2005-04-28
Red Hat RHSA-2005:293-01 kernel 2005-04-22
Fedora FEDORA-2005-313 kernel 2005-04-11
Trustix TSLSA-2005-0011 kernel 2005-04-05
SuSE SUSE-SA:2005:021 kernel 2005-04-04
Ubuntu USN-103-1 linux-source-2.6.8.1 2005-04-01

limewire: input validation errors

Package(s): limewire
CVE #(s): CAN-2005-0788 CAN-2005-0789
Created: March 31, 2005
Updated: April 6, 2005
Description: LimeWire, a Java-based peer-to-peer client that works with the Gnutella file-sharing protocol, has two input validation errors that can allow a remote attacker to read arbitrary files with the permissions that LimeWire is running under.
Alerts:
Gentoo 200503-37 limewire 2005-03-31

remstats: tempfile, missing input sanitizing

Package(s): remstats
CVE #(s): CAN-2005-0387 CAN-2005-0388
Created: April 4, 2005
Updated: April 6, 2005
Description: Jens Steube discovered several vulnerabilities in remstats, the remote statistics system. When processing uptime data on the unix-server a temporary file is opened in an insecure fashion which could be used for a symlink attack to create or overwrite arbitrary files with the permissions of the remstats user. (CAN-2005-0387) The remoteping service can be exploited to execute arbitrary commands due to missing input sanitizing. (CAN-2005-0388)
Alerts:
Debian DSA-704-1 remstats 2005-04-04

php4: denial of service vulnerabilities

Package(s): php4
CVE #(s): CAN-2005-0524 CAN-2005-0525
Created: April 5, 2005
Updated: May 26, 2005
Description: Two DoS vulnerabilities exist in PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3. One in the php_handle_iff function in image.c allows remote attackers to cause a denial of service (infinite loop) via a -8 size value. The php_next_marker function in image.c allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek. This latter vulnerability also exists in PHP 3.
Alerts:
Debian DSA-729-1 php4 2005-05-26
Gentoo 200504-15 php 2005-04-18
Fedora FEDORA-2005-315 php 2005-04-15
Debian DSA-708-1 php3 2005-04-15
SuSE SUSE-SA:2005:023 php4 2005-04-15
Slackware SSA:2005-095-01 php 2005-04-06
Ubuntu USN-105-1 php4 2005-04-05
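
How a -8 size value stalls a chunk parser, as an added example (a simplified model, not PHP's image.c): it assumes the parser reads an 8-byte IFF chunk header (4-byte ID, 4-byte big-endian size) and then seeks forward by the size, so a signed size of -8 returns to the start of the same header. The function names, the step cap, and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STEP_CAP 1000  /* demo guard: stands in for "never returns" */

/* Constructed sample data, not taken from any real file. */
static const unsigned char iff_good[] = {
    'A','N','N','O', 0,0,0,4, 'a','b','c','d',
    'B','M','H','D', 0,0,0,2, 0,1
};
static const unsigned char iff_neg8[] = {
    'A','N','N','O', 0xFF,0xFF,0xFF,0xF8,   /* size field is -8 when signed */
    'B','M','H','D', 0,0,0,2, 0,1
};

/* Decode a big-endian 32-bit field as a SIGNED value (the risky choice). */
static int32_t be32_signed(const unsigned char *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return v >= 0x80000000u ? -(int32_t)(~v) - 1 : (int32_t)v;
}

/* Flawed walker: trusts the signed size when seeking.
 * Returns the payload offset of chunk `want`, -1 if absent,
 * -2 if the step cap was hit (the parser made no progress). */
long walk_unsafe(const unsigned char *buf, size_t len, const char *want)
{
    long pos = 0;
    int steps = 0;

    while (pos >= 0 && (size_t)pos + 8 <= len) {
        long adv;
        if (++steps > STEP_CAP)
            return -2;
        if (memcmp(buf + pos, want, 4) == 0)
            return pos + 8;
        adv = be32_signed(buf + pos + 4);
        if (adv & 1)
            adv++;              /* IFF pads chunks to an even length */
        pos += 8 + adv;         /* adv == -8 leaves pos unchanged */
    }
    return -1;
}

/* Hardened walker: rejects negative sizes and chunks that overrun the
 * buffer, so every iteration advances by at least the 8-byte header.
 * Returns the payload offset, -1 if absent, -3 if the input is malformed. */
long walk_safe(const unsigned char *buf, size_t len, const char *want)
{
    size_t pos = 0;

    while (len - pos >= 8) {
        int32_t size = be32_signed(buf + pos + 4);
        size_t adv;
        if (size < 0)
            return -3;
        adv = (size_t)size + ((size_t)size & 1);
        if (adv > len - pos - 8)
            return -3;
        if (memcmp(buf + pos, want, 4) == 0)
            return (long)(pos + 8);
        pos += 8 + adv;
    }
    return -1;
}

int main(void)
{
    printf("good file, unsafe: %ld\n", walk_unsafe(iff_good, sizeof iff_good, "BMHD"));
    printf("good file, safe:   %ld\n", walk_safe(iff_good, sizeof iff_good, "BMHD"));
    printf("-8 size,   unsafe: %ld\n", walk_unsafe(iff_neg8, sizeof iff_neg8, "BMHD"));
    printf("-8 size,   safe:   %ld\n", walk_safe(iff_neg8, sizeof iff_neg8, "BMHD"));
    return 0;
}
```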

sharutils: insecure temporary files

Package(s): sharutils
CVE #(s):
Created: April 4, 2005
Updated: April 14, 2005
Description: Joey Hess discovered that "unshar" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program.
Alerts:
Fedora FEDORA-2005-319 sharutils 2005-04-14
Mandrake MDKSA-2005:067 sharutils 2005-04-07
Gentoo 200504-06 sharutils 2005-04-06
Ubuntu USN-104-1 sharutils 2005-04-04

sylpheed: buffer overflow on message

Package(s): sylpheed sylpheed-claws
CVE #(s):
Created: April 4, 2005
Updated: April 6, 2005
Description: Sylpheed and Sylpheed-claws fail to properly handle messages containing attachments with MIME-encoded filenames.
Alerts:
Gentoo 200504-02 sylpheed 2005-04-02

wu-ftpd: missing input sanitizing

Package(s): wu-ftpd
CVE #(s): CAN-2005-0256
Created: April 4, 2005
Updated: April 6, 2005
Description: The wu_fnmatch function in wu_fnmatch.c for wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.
Alerts:
Debian DSA-705-1 wu-ftpd 2005-04-04
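
Why many wildcards are expensive for a recursive matcher, as an added example (a simplified model, not wu-ftpd's wu_fnmatch code): each `*` recurses once per remaining position in the name, so the work multiplies with every additional `*`. The matcher names, the step counter, and the inputs are constructed here; the second matcher collapses runs of `*` and keeps a single backtrack point.

```c
#include <stdio.h>

static unsigned long steps;   /* work counter shared by both matchers */

/* Naive matcher for '*' and '?': every '*' recurses for each suffix of s. */
static int match_rec(const char *p, const char *s)
{
    steps++;
    for (; *p; p++, s++) {
        if (*p == '*') {
            for (;; s++) {
                if (match_rec(p + 1, s))
                    return 1;
                if (!*s)
                    return 0;
            }
        }
        if (!*s)
            return 0;
        if (*p != '?' && *p != *s)
            return 0;
    }
    return *s == '\0';
}

/* Iterative matcher: a run of '*' is treated as one, and only the most
 * recent '*' is remembered, so the cost is bounded by
 * strlen(pattern) * strlen(name) steps. */
static int match_iter(const char *p, const char *s)
{
    const char *star = NULL;   /* pattern position just after the last '*' */
    const char *mark = NULL;   /* name position that '*' is matched up to */

    while (*s) {
        steps++;
        if (*p == '*') {
            while (*p == '*')
                p++;
            star = p;
            mark = s;
        } else if (*p == '?' || *p == *s) {
            p++;
            s++;
        } else if (star) {
            p = star;          /* let the last '*' absorb one more char */
            s = ++mark;
        } else {
            return 0;
        }
    }
    while (*p == '*')
        p++;
    return *p == '\0';
}

/* Run one matcher and report how many steps it took. */
unsigned long cost_recursive(const char *p, const char *s, int *matched)
{
    steps = 0;
    *matched = match_rec(p, s);
    return steps;
}

unsigned long cost_iterative(const char *p, const char *s, int *matched)
{
    steps = 0;
    *matched = match_iter(p, s);
    return steps;
}

int main(void)
{
    const char *pat = "********b";           /* constructed input */
    const char *name = "aaaaaaaaaaaaaaaa";   /* 16 characters, no 'b' */
    int m;
    unsigned long c;

    c = cost_recursive(pat, name, &m);
    printf("recursive: match=%d steps=%lu\n", m, c);
    c = cost_iterative(pat, name, &m);
    printf("iterative: match=%d steps=%lu\n", m, c);
    return 0;
}
```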

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.12-rc2, announced by Linus on April 4. Changes this time include a number of architecture updates, an XFS update, some netpoll improvements, a big USB update, an ALSA update, a number of networking tweaks, and lots of fixes. Says Linus: "This is also the point where I ask people to calm down, and not send me anything but clear bug-fixes etc. We're definitely well into -rc land. So keep it quiet out there." The long-format changelog has the details.

No patches have been merged into Linus's BitKeeper repository since the -rc2 release. Given recent events, one should not expect more patches to end up there anytime soon.

The current -mm tree is 2.6.12-rc2-mm1. Recent changes to -mm include a new version of the crash dump code, a reiser4 update, a patch optionally removing all BUG() and printk() calls (shrinks the kernel but with significant side effects), an InfiniBand update, some scheduler tweaks, and various fixes.

The current 2.4 kernel is 2.4.30, which was released by Marcelo (with no changes from -rc4) on April 3.

Kernel development news

Time for a new semaphore type?

The Linux kernel uses two basic mutual exclusion primitives internally: spinlocks (which are fast, but require that critical sections be atomic) and semaphores (which are slower, but can sleep). These mechanisms are adequate for most uses, but there are exceptions. Trond Myklebust has encountered one of those exceptions when working on the NFSv4 code. In NFSv4, there are situations where non-atomic code must obtain a lock, but the thread cannot block at that point without risking deadlocks. So Trond set out to add an asynchronous capability to the Linux semaphore implementation - a way to request that a function be called at some point in the future when the semaphore becomes available. He encountered a little problem, however: each architecture implements its own, highly-optimized semaphore code, often in assembly language. To add functionality to semaphores, he would have to dig into more than 20 different implementations, and, somehow, ensure that they all still work afterward.

Rather than dive into that jungle, Trond elected to start over. The result is a new semaphore type which Trond calls an "iosem." At its core, an iosem looks much like a regular semaphore:

    #include <linux/iosem.h>

    void iosem_init(struct iosem *sem);
    void iosem_lock(struct iosem *sem);
    void iosem_unlock(struct iosem *sem);

A call to iosem_lock() is similar to a call to down(); it will block until the semaphore is available.

The definition of an iosem structure is simple:

    struct iosem {
        unsigned long state;
        wait_queue_head_t wait;
    };

Whenever a thread releases the lock, it will perform a wakeup on the given wait queue entry. For the synchronous locking case, that will cause the threads waiting for the lock to be scheduled; one of them will then succeed in acquiring that lock. Everything works as one might expect.

2.6 wait queues are flexible things, however. In particular, it is possible to replace the function that is called when a wakeup occurs; this capability turns a wait queue into a fairly general notification mechanism. The iosem code takes advantage of this mechanism to allow different things to happen when an iosem becomes available. For example, consider this interface:

    struct iosem_work {
        struct work_struct work;
        struct iosem_wait waiter;
    };

    void iosem_work_init(struct iosem_work *work,
                         void (*func) (void *), void *data);

    int iosem_lock_and_schedule_work(struct iosem *sem,
                                     struct iosem_work *work);

A thread using this interface sets up a function (func), then calls iosem_lock_and_schedule_work(). If the iosem is available, func will be called immediately, with the lock held. Otherwise, a special entry will be added to the iosem's wait queue, and the call to iosem_lock_and_schedule_work() will return immediately. At some future time, func will be called (with the lock held) by way of a workqueue. Either way, func must release the lock when it is done.
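
The control flow described above, as an added single-threaded user-space model (not Trond's patch and not kernel code): every `model_*` name, the return values (0 for "ran immediately", 1 for "queued"), and the direct hand-off of the lock to the next waiter are assumptions made for illustration. In the kernel the deferred call would go through a workqueue.

```c
#include <stddef.h>
#include <stdio.h>

struct model_work {
    void (*func)(void *);
    void *data;
    struct model_work *next;
};

struct model_iosem {
    int locked;
    struct model_work *head, *tail;   /* FIFO standing in for the wait queue */
};

static void model_init(struct model_iosem *sem)
{
    sem->locked = 0;
    sem->head = sem->tail = NULL;
}

/* Synchronous acquire for the demo; returns 1 on success, 0 if held. */
static int model_trylock(struct model_iosem *sem)
{
    if (sem->locked)
        return 0;
    sem->locked = 1;
    return 1;
}

/* Run func now with the lock held (return 0), or queue it (return 1). */
static int model_lock_and_schedule_work(struct model_iosem *sem,
                                        struct model_work *w)
{
    if (!sem->locked) {
        sem->locked = 1;
        w->func(w->data);
        return 0;
    }
    w->next = NULL;
    if (sem->tail)
        sem->tail->next = w;
    else
        sem->head = w;
    sem->tail = w;
    return 1;
}

/* Release: with a waiter queued, ownership passes to it and its func runs
 * with the lock still held; otherwise the semaphore becomes free. */
static void model_unlock(struct model_iosem *sem)
{
    struct model_work *w = sem->head;

    if (!w) {
        sem->locked = 0;
        return;
    }
    sem->head = w->next;
    if (!sem->head)
        sem->tail = NULL;
    w->func(w->data);
}

struct job { struct model_iosem *sem; char tag; char *order; int *n; };

static void job_func(void *data)
{
    struct job *j = data;

    j->order[(*j->n)++] = j->tag;   /* critical section, lock held */
    model_unlock(j->sem);           /* func must release the lock itself */
}

struct demo_result {
    char order[8];                  /* tags in the order the jobs ran */
    int rc_a, rc_b, rc_c;
    int ran_while_held, locked_at_end;
};

struct demo_result run_demo(void)
{
    struct demo_result r = { "", 0, 0, 0, 0, 0 };
    int n = 0;
    struct model_iosem sem;
    struct job ja = { &sem, 'A', r.order, &n };
    struct job jb = { &sem, 'B', r.order, &n };
    struct job jc = { &sem, 'C', r.order, &n };
    struct model_work wa = { job_func, &ja, NULL };
    struct model_work wb = { job_func, &jb, NULL };
    struct model_work wc = { job_func, &jc, NULL };

    model_init(&sem);
    model_trylock(&sem);                                /* someone holds it */
    r.rc_a = model_lock_and_schedule_work(&sem, &wa);   /* queued */
    r.rc_b = model_lock_and_schedule_work(&sem, &wb);   /* queued */
    r.ran_while_held = n;                               /* nothing ran yet */
    model_unlock(&sem);                                 /* A runs, then B */
    r.rc_c = model_lock_and_schedule_work(&sem, &wc);   /* free: runs now */
    r.locked_at_end = sem.locked;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();

    printf("order=%s rc=%d,%d,%d locked_at_end=%d\n",
           r.order, r.rc_a, r.rc_b, r.rc_c, r.locked_at_end);
    return 0;
}
```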

Other sorts of behavior could easily be added to this interface. Since the same code is used for all architectures, the iosem mechanism is relatively easy to extend. There has been some interest from maintainers of other parts of the kernel (asynchronous I/O, for example) in using this mechanism. There have been a few complaints, however, about the name and about adding a wholly new mutual exclusion primitive to the kernel. In particular, Benjamin LaHaise (who has recently resurfaced on the kernel lists) has stated that it would be better to rationalize the current semaphore implementation - and said that he would do the work. So, while an asynchronous semaphore implementation is likely to get into the kernel, the form it will take is not yet clear.

Finding the boundaries for stable kernel patches

Greg Kroah-Hartman started off the 2.6.11.6 process in the usual way: a posting of all patches proposed for inclusion in that kernel release. The development community was invited to complain about any patches which do not appear to meet the criteria for the extra-stable 2.6 kernels. This time around, somebody complained.

The patch in question is a fix to the BIC TCP congestion control algorithm (congestion avoidance, including BIC, was covered here two weeks ago). BIC is supposed to perform a binary search to quickly find the optimal congestion window size. Due to a mistake in the TCP dropped packet code, however, that search was not being performed, and BIC was not working as expected. The (very small) patch makes BIC work the way its designers intended, and would seem to be a useful addition.

As Ted Ts'o pointed out, however, the rules for these kernels include:

It must fix a real bug that bothers people (not a, "This could be a problem..." type thing.)

It is safe to say that the kernel mailing lists have not been overwhelmed by users complaining that BIC was not converging properly on the best congestion window size. In fact, no users have complained. So, it could be argued, the BIC fix, while worthy, should be merged for 2.6.12 and left out of the 2.6.11.x series.

An answer came from David Miller:

An incorrect implementation of any congestion control algorithm has ramifications not considered when the congestion control author verified the design of his algorithm. This has a large impact on every user on the internet, not just Linux machines.

David concluded that, since BIC is enabled by default in the 2.6 kernel, this sort of implementation fix should take a high priority. This view seems likely to prevail for this particular patch. Expect more debates, however, as the kernel developers figure out just where the line should be drawn for patches being considered for inclusion into the stable 2.6 kernels.

The kernel and binary firmware

Device firmware is a perennial issue in certain circles. As long as non-free firmware is safely contained within the device it controls, everybody seems to be happy. Increasingly, however, firmware must be loaded from the host system. People who want no non-free software on their computers resist the idea of having binary-only firmware linked into their kernel. Certain Debian developers have long tried to extract all non-free firmware from their distribution. Recently, the issue has come up again with a new twist: the fear that, even if a firmware blob comes with a free license, it cannot be distributed as part of the kernel because it's not in "the preferred form for modification."

The form of a solution to everybody's concerns has been available for some time: extract the firmware from the kernel source, and load it from user space at device initialization time. The firmware can then carry its own license, worries about conflicts with kernel licensing can go away, and distributors can judge each firmware blob's free software credentials using their own criteria. It would seem like a solution which would make everybody happy; the reality, however, is that this approach has not been taken in many cases. One might conclude that nobody (not even the most vocal complainers) has been sufficiently motivated to get into the code and actually pull out the firmware in this manner. There is some truth to that claim, but there is also a little more going on. The simple fact is that the infrastructure needed to make the user-space firmware mechanism work well is not ready.

The kernel contains support for user-space firmware loading by way of request_firmware(). When a driver decides it needs a firmware blob to feed its device, it can call request_firmware(); that call will result in a hotplug event. User space can then see which device's firmware is needed, locate it in the filesystem, and feed it back to the driver.

One problem with this interface is that it is too simple. Some hardware, notably the tg3 network adaptor, does not want a simple firmware blob. Instead, its firmware looks like a regular executable image - it has text, read-only data, and writable data sections. There is also associated metadata needed for the driver to actually load the firmware into the card. To accommodate complex devices like the tg3, somebody will have to extend the request_firmware() interface; that work has not yet happened.

Once that issue has been dealt with, there is still the problem of actually getting the firmware onto the system. Loading the firmware often must be done before the host system will function in any useful way, so it must be present on a freshly-installed system. Often, it will have to be part of the initrd or initramfs image used at boot time. There is thus a clear case for packaging the firmware as part of the kernel source itself; the two depend on each other anyway. That solution would clearly displease some users, however, so a separate firmware distribution seems called for. Mechanisms will need to be put into place so that user space knows where to find the firmware distribution, so that the kernel build process can create bootable kernels, etc.

These problems are all clearly amenable to solution; it is simply a matter of a suitably-motivated developer finding the time to do the work. Whether that will happen remains to be seen; most of the commercial distributors, who might be expected to fund this sort of infrastructural work, do not appear to be overly concerned about the firmware issue. So solving this problem may fall on the Debian developers, and they have a few other things on their plate at the moment.

Patches and updates

Kernel trees

Linus Torvalds: Linux 2.6.12-rc2
Andrew Morton: 2.6.12-rc2-mm1
Domen Puncer: 2.6.12-rc2-kj
Andrew Morton: 2.6.12-rc1-mm4
Marcelo Tosatti: linux-2.4.30 released

Security-related

Timothy R. Chavez: file system auditing

Miscellaneous

Daniel Barkalow: Break the Frobnozzle Gadget
Stephen Hemminger: iproute2 2.6.11-050330
Nicholas A. Bellinger: iscsi-initiator-core-tools v2.3 + HOWTO
Thomas Graf: netlink library 0.5.0

Page editor: Jonathan Corbet

Distributions

News and Editorials

Changes at Mandrakesoft

April 6, 2005

This article was contributed by Ladislav Bodnar

In recent weeks, Mandrakesoft has announced several wide-ranging changes affecting everything from the company's development model to incorporation of new technologies, and even its name. We have attempted to read between the lines of Mandrakesoft's press releases, interviews, FAQs, and IRC discussions, and this is what we think.

First, the good news: Mandrakesoft is doing well. The company has recently been awarded two multi-million euro contracts by the French government and it is likely that private enterprises in France have also started to contribute towards the company's positive cash flow. As a result, there has been a shift of focus by Mandrakesoft from developing a predominantly home user's product into more profitable enterprise-grade solutions and support. This is hardly surprising as -- and let's be honest about it -- that's where the real money is. If this model works so well for Red Hat on the other side of the Atlantic, there is no reason why it shouldn't work for Mandrakesoft, albeit on a somewhat smaller scale within its own sphere of influence.

This success is probably the main reason behind the latest round of changes in the development and release process of Mandrakelinux. Since the company was established in 1998, Mandrakelinux releases came out in regular 6-month intervals, but the high release frequency of two architectures has been putting strain on the developers, as witnessed by the delays in the betas and release candidates of all recent Mandrakelinux releases. From that point of view, the newly introduced annual release plan makes sense. Unfortunately, it will probably alienate some users, many of whom have perceived Mandrakelinux as a solid, up-to-date distribution with frequent releases incorporating all the latest Linux technologies. The current Mandrakeclub members especially will have reason to complain, since the €120/year membership fee originally entitled them to two Mandrakelinux releases per year. As a compromise, Mandrakesoft is now offering to fill the gap with an interim product - just for the club members. Even so, the skeptics will argue that this is likely to be a poorly-tested snapshot of the development tree, which has historically suffered from stability issues.

How the acquisition of Conectiva fits into Mandrakesoft's future plans is less clear. Although Conectiva employs many talented developers and has a history of several successfully implemented ideas (the port of Debian's apt to RPM-based distributions springs to mind), there seems to be little that the Brazilian company can offer Mandrakesoft. Also, as anybody who has worked for a multi-national software company can confirm, managing software development in a country halfway across the globe will almost certainly result in a substantial overhead in terms of traveling, communication, and bandwidth cost. Add to it the language barrier, and the benefits of acquiring the services of a few dozen talented developers can be easily overshadowed by the increased expenditure. As such, it seems that Mandrakesoft's acquisition of Conectiva is largely a public relations stunt devised to convey a message saying that "Mandrakesoft is back" - healthier and more profitable than ever.

That said, some of Conectiva's ideas might end up being incorporated into Mandrakelinux in one form or another. The Mandrakesoft developers have hinted that they are examining some of Conectiva's kernel hacks and evaluating the possibility of incorporating elements of its package management into Mandrakelinux. But will Conectiva's apt replace Mandrakelinux's urpmi? There are reasons to believe that it might. Although both apt and urpmi are released under the GPL, urpmi is not used by any distribution outside Mandrakelinux, while apt is widely deployed by many RPM-based projects and it even became a very popular third-party package management tool for Fedora Core and SUSE LINUX. In fact, several distributions that were originally based on Mandrakelinux were quick to drop urpmi in favor of apt (e.g. PCLinuxOS or ALT Linux). There is little point for the unified company to continue developing two package management tools, so if one of them has to go, it will likely be urpmi.

Besides the major modifications in its development model, speculation is rife that the company will also change its name. Shortly after acquiring Conectiva, Mandrakesoft registered several top-level domain names for Mandriva, as well as a large number of regional domain names in many parts of the world. Of course, this is less surprising given the long-standing trademark dispute between the company and a US-based syndicate holding the rights to the comic-strip character "Mandrake the Magician". If the name is indeed retired, it will mean the end of one of the best-known and best-loved brands in the history of Linux distributions.

How to keep its existing user base in the atmosphere of frequent release and development model changes is an important challenge for Mandrakesoft right now. Lack of predictability is starting to become a major weakness of the distribution, especially when compared to some of its competitors that have clearly defined release processes and support periods. But if Mandrakesoft can get more business from large enterprises, losing a few home users to other distributions will be a small price to pay. In this respect, Mandrakesoft is wisely following in the footsteps of Red Hat and Novell/SUSE, especially if they can stick to the current plan and resist introducing any major new changes for some time to come.

New Releases

Trustix Secure Linux 3.0 alpha

Trustix Secure Linux 3.0 alpha has been released. It has a new installer, X.org X11-libraries, GnuTLS, Hotplug, Memtest86+, plus lots of upgrades.

Distribution News

Debian sarge release update

A release update has gone out for Debian sarge. Things are coming along, but the distribution will drop support for the old 80386 architecture unless somebody comes along to maintain it. "With these changes done, we are now on the home stretch for the sarge release. We are now only waiting on the arm buildds to recover and catch up to a reasonable extent, and on one last glibc upload -- and then sarge is FREEZING."

FedoraForum.org designated Official Community Support Forum

FedoraForum.org has been designated the Official Community Support Forum of the Fedora Project. Nothing has changed about the existing mailing lists, but end-users are encouraged to go to the forums first if they have support questions.

More Debian Announcements

Debian QA has announced QA Hacking @ HEL. "This is a cunning plot to increase interest in Quality Assurance among Debian contributors. There will be a QA Hacking event preceding Debconf5 in Helsinki."

Another update of Debian 3.0 (woody) is underway. "The plan is to release this revision roughly two months after the last update. However, it may be required that this happens before the release of sarge or it won't happen at all. It may be the last update if no updates to 3.0 are possible after sarge has been released."

Here's the April 1st edition of Bits from the DAMs (& Co). "While having a very s3kr1t Cabal[2]-Meeting a bit ago, we decided that Debian doesn't work anymore the way it is running right now. We gave you a chance to actually prove we are wrong with this conclusion, but the huge flamewars following our testmail showed that we are right. So we decided to have a clean restart with a small team[3] and as such are deleting every account[4] somewhere around this evening (UTC)."

The third and final call for votes went out, for the DPL election. "At the time of writing, half an hour into the third (and final) week of the vote, we are still at a low ebb for voter participation, though not by a huge margin. I do note, though, that more people have gone back and re-cast their ballot this year than previously, lending some credence to the theory that this year people are just taking longer to muddle through deciding on their ballot."

Dropline GNOME 2.10.0 (GnomeDesktop)

Version 2.10.0 of Dropline GNOME, the premier GNOME desktop for Slackware Linux, has been announced. "Built entirely from scratch on Slackware 10.1, this marks our finest release to date."

New Distributions

64 Studio - a new distribution for creative x86_64 users

64 Studio is a new distribution aimed at audio and video applications. "64 Studio is a collection of software designed specifically for content creation on x86_64 hardware (that's AMD's 64-bit CPUs and Intel's EMT64 chips), including audio, video and design applications. It's based on the pure 64 port of Debian GNU/Linux, but with a specialised package selection and lots of other customisations. It will be marketed to hardware OEMs in the creative workstation and laptop markets as an alternative to the 64-bit version of Windows XP, or OS X on Apple hardware."

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for April 5, 2005 is out. This week there's a report of a Hurd live CD, Debian adoption in some German government agencies, a proposal for a source-centric Debian?, a proposal to emulate slower architectures on faster machines, better support for chroot environments, and several other topics.

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of April 4, 2005 looks at the GeNToo project and other April Foolishness, plus a more resource-friendly version of emerge webrsync, and more.

Mandrakelinux Community Newsletter #102

Issue # 102 of the Mandrakelinux Community Newsletter has a special section on Mandrakelinux's future development, a look at Mandrakelinux Limited Edition 2005 RC2, and more.

Ubuntu Traffic #24

Ubuntu Traffic covering the first week of February, 2005 is out. Topics include Language Packs and Locales, Alternate Live CD Kernels, Ubuntu-Devel and Split Mailing Lists, Autopackage, Framebuffer Activation, New Keyboard Selection Program, Ubuntu Reviews and Press, Reply-to-List on Ubuntu Users, and more.

DistroWatch Weekly, Issue 94

The DistroWatch Weekly for April 4, 2005 is out. "This week we'll talk about Ubuntu Linux - the new leader in our Page Hit Ranking statistics, link to a couple of interesting articles about SUSE LINUX and Gentoo Linux, and bring you news about the first-ever live CD based on Red Hat Enterprise Linux 4. Also in this issue - is the Autopackage installer good for Linux? While its concepts might be sound, a Debian developer argues that its implementation has fatal flaws."

Package updates

Fedora Core

Updates for Fedora Core 3: selinux-policy-targeted-1.17.30-2.93 (various fixes), util-linux-2.12a-21 (changed nfsmount to only use reserve ports when necessary), util-linux-2.12a-23 (various fixes, added documentation), words-3.0-2.2 (sort with --ignore-case), e2fsprogs-1.36-1.FC3.1 (integrate FC4 changes, bug fixes), system-config-printer-0.6.116.1.4-1 (bug fixes), subversion-1.1.4-1.1 (update to 1.1.4).

Red Hat up2date bug fix

Red Hat has updated up2date packages available for 64-bit platforms running RHEL 4 that fix a libgnat bug.

Slackware

Slackware has upgraded to php-4.3.11, with "over 70 non-critical bug fixes". Also, the php-5.0.4 packages in testing fix various bugs and security issues.

Trustix Secure Linux

Trustix has bug fixes available for cpplus, dev, m4, mod_php4, perl, php, php4, samba, setup, swup and vim for TSL 2.1, 2.2 and Enterprise Server 2 systems.

Newsletters and articles of interest

Gentoo 2005.0 All About Security (InternetNews)

InternetNews takes a look at Gentoo 2005.0. "The 2005.0 release also marks the beginning of a new six month release cycle for the Gentoo snapshots, up from the previous marker of three months. "We found that releasing every three months gave us little gain for quite a large amount of work," Gianelloni said. "Also, with the longer release cycle, it allows us to do more inventive things that would otherwise be impossible to test in the limited amount of time. We typically release on a set cycle since we aren't bound by package releases in the tree.""

Mark Shuttleworth Answers At Length (Slashdot)

Canonical/Ubuntu leader Mark Shuttleworth answers questions posed by Slashdot readers. "The Ubuntu team takes [Debian] Sid, every six months, and makes a secure, tested, and supported release of it. Hopefully many of the patches (published continuously at http://people.ubuntu.com/~scott/patches/ but don't let Scott tell you he personally made all of those patches :-) we make in the process are adopted by the Debian maintainers, so Sid gets better as a result of Ubuntu, it is designed to be a two-way street."

Distribution reviews

First Look at SUSE LINUX 9.3 Professional (Mad Penguin)

Mad Penguin reviews SUSE Linux 9.3. "SUSE has been one of the major players on the desktop for as long as I can remember, and for good reason. They have built a solid, sleek desktop ready for anyone who wanted to give Linux a shot but either had no luck with other distributions, or simply was curious but didn't have the time to fight their way through a long install or tedious configurations. SUSE was it. Does the distro that has kept so many people happy for so long still have what it takes to stay on top? We're about to find out..."

Distro review: The four-1-1 on Linspire Five-0 (NewsForge)

NewsForge reviews the Linspire Five-0 distribution. "Linspire includes very little software with the base distribution, at least in comparison to other popular desktop distros. It doesn't come with a graphics editing program, a dedicated FTP client, or a DVD player. If you want to be able to have that kind of functionality without using the command line to work around it, you'll have to pay U.S. $50 per year for a CNR membership. In fact, it often seems that Linspire as a distribution is not so much meant to be an operating system, but is intended as a vehicle for the CNR software subscription."

Linux in Government: Linux Desktop Reviews, Part IV - JDS (Linux Journal)

This edition of Linux Journal's Linux Desktop Reviews features Sun's Java Desktop System. "During the launch of Sun's Java Desktop System (JDS), the company touted its product as a real alternative to Microsoft Windows. During an interview, Peder Ulander, the then director of marketing for the Desktop Solutions team at Sun, said, "The Java Desktop System is a comprehensive and secure enterprise desktop environment that runs on Solaris and Linux. It provides the enterprise with the first viable alternative to Windows in 15 years, by offering a complete feature set at a fraction of the cost of a Windows upgrade.""

Red Hat Linux 4.0 offers power, security

ComputerWorld looks at Red Hat Enterprise Linux 4.0 Advanced Server. "Performance of RHEL 4.0 was very good to excellent overall, and a marked improvement over RHEL 3.0. We conducted tests on several platforms to gauge improvements between RHEL versions, as well as a comparison between 32- and 64-bit versions."

My Workstation OS: Yoper Linux (NewsForge)

NewsForge has this look at Yoper. "A commendable feature of Yoper is its speed and stability. In the world of resource hogging distros, Yoper works at an amazing speed, even on my low-end 851MHz Celeron with 256MB of RAM, thanks to features like prelinking, compiling specifically for i686, and several performance-enhancing patches. The fine performance doesn't come at the expense of system stability. Yoper hasn't crashed even once in the four months I've been using it, no matter how heavily I'm multitasking."

Page editor: Rebecca Sobol

Development

The DSpace Digital Repository System

DSpace is a jointly developed project from the MIT Libraries and Hewlett-Packard with project guidance provided by the DSpace Federation.

The project is described as:

A groundbreaking digital repository system, DSpace captures, stores, indexes, preserves and redistributes an organization's research material in digital formats. Research institutions worldwide use DSpace for a variety of digital archiving needs -- from institutional repositories (IRs) to learning object repositories or electronic records management, and more.

The project introduction explains that DSpace can be used for creating a variety of online archives. Supported data types include articles, papers, and reports, theses, data sets, images, audio and video files, learning objects, and distributed library collections. The DSpace Instances document includes a long list of educational institutions that are currently using the software.

Here are a few project details: the DSpace software is written in Java and has been released under the BSD License. DSpace is cross-platform software, with support for Unix and Windows. Both command line and web-based user interfaces are provided.

The End User FAQ has more general information on the project. One interesting feature of DSpace is the use of the Handle System as a method of identifying data. "The developers chose to use handles instead of persistent URLs to support citations to items in DSpace over very long time spans – longer than we believe the HTTP protocol will last. Handles in DSpace are currently implemented as URLs, but can also be modified to work with future protocols."

The DSpace System Documentation and architecture documents describe the underlying system in more detail.

Version 1.2.2 beta 2 of DSpace was announced this week: "This release contains bugfixes and some minor new features from 1.2.2 beta 1. This includes postgres 8.0 compatibility, and community/collection strength display". DSpace is available for download here.

Comments (3 posted)

System Applications

Audio Projects

Planet CCRMA Changes

The latest change from the Planet CCRMA audio utility packaging project includes an update to the Snd sound editor.

Comments (none posted)

Database Software

Gentle.NET 1.2.2 released! (SourceForge)

Version 1.2.2 of Gentle.NET, a database independent object persistence framework, is available. "This release fixes a bug introduced in 1.2.1 affecting reserved word handling. A bug affecting concurrency handling when using unnamed parameters was fixed."

Comments (none posted)

PostgreSQL Weekly News

The April 1, 2005 edition of the PostgreSQL Weekly News is online with the week's PostgreSQL database development news. "A new language translation set of .po files for into 1337. w3lc0m3 t0 t|-|3 n3\/\/ /\/\3/\/\|3rz 0f teh c0mm|_|n1t'/!!1!!"

Full Story (comments: none)

Networking Tools

Hobbit Monitor Version 4

Version 4 of Hobbit Monitor, a systems and network monitoring system, has been announced. "Hobbit lets you monitor network services - e.g. Web-, mail-, LDAP- and DNS-servers - by sending them full requests and checking if the response is as expected. Clients can be installed on the monitored hosts to collect performance metrics, e.g. cpu-, disk- and memory-utilisation."

Full Story (comments: none)

Printing

pkpgcounter 1.00 released

Version 1.00 of pkpgcounter is available for the CUPS print system. "pkpgcounter is a generic Page Description Language parser whose main feature is to count the number of pages in files ready to be printed. pkpgcounter is licensed under the terms of the GNU GPL. pkpgcounter is included in our PyKota print quota and accounting solution since 2003, but this is the first release made available independently of PyKota."

Comments (none posted)

VPN Software

SSL-Explorer v0.1.9 released! (SourceForge)

Version 0.1.9 of SSL-Explorer, an open-source SSL VPN solution, has been announced. "This release is mainly focused upon stability and includes many bugfixes and usability enhancements to the interface."

Comments (none posted)

Web Site Development

ACollab 1.2 Released (SourceForge)

Version 1.2 of ACollab, a multi-group, Web-based collaborative work environment, is out. "This release includes a variety of feature enhancements and a few bug fixes. Current users may wish to upgrade to take advantage of the added functionality."

Comments (none posted)

DocBookWiki version 0.7.1 released (SourceForge)

Version 0.7.1 of DocBookWiki, a web application for editing DocBook formatted documents, has been announced. Changes include improved documentation, generation of downloadable files, and installation work.

Comments (none posted)

mnoGoSearch 3.2.32 released

Version 3.2.32 of mnoGoSearch, a web site search utility, is available. See the change history document for details.

Comments (none posted)

Securing Web Forms with PEAR's Text_CAPTCHA (O'ReillyNet)

Marcus Whitney uses CAPTCHA with PEAR in an O'Reilly article. "You have probably seen the CAPTCHA project in action at some of your Web destinations. Its principal tool is a randomly created image that contains a phrase unmentioned in computer-readable text on the rendered page. The form asks the user to provide the phrase. If the form post does not contain the correct phrase, you can safely assume either the human made a user error, or it wasn't a human at all."

Comments (none posted)

Desktop Applications

Audio Applications

Glame 2.0.1 released

Version 2.0.1 of Glame, a sound editor application, is out. Changes include improved GNOME 2.0 integration, better wave drawing, and better XRUN handling.

Full Story (comments: none)

CAD

BRL-CAD 7.2.2 Released (SourceForge)

Version 7.2.2 of BRL-CAD has been announced. "BRL-CAD is a powerful constructive solid geometry solid modeling system that includes an interactive geometry editor, ray tracing support for rendering and geometric analysis, network distributed framebuffer support, image and signal-processing tools." This version includes bug fixes and feature enhancements.

Comments (none posted)

Data Visualization

PLplot Development Release 5.5.0

Development Release 5.5.0 of PLplot, a Scientific Plotting Library, has been announced. "This is a routine development release of PLplot, and represents the ongoing efforts of the community to improve the PLplot plotting package. The next full release will be 5.6.0."

Comments (none posted)

Desktop Environments

GNOME Software Announcements

The following new GNOME software has been announced this week:

Comments (none posted)

KDE CVS-Digest (KDE.News)

The April 1, 2005 edition of the KDE CVS-Digest is available; here's the content summary: "ksvg2 can now do animations. Kexi gains read/write form support. Digikam adds a photo restoration plugin. New releases of Kile, amaroK and Kubuntu. Get ready for the move to Subversion!"

Comments (none posted)

Xfce Weekly News

The Xfce Weekly News for March 14-31, 2005 is out. Here's the summary: "In this edition we see the first entry in what we hope to be a continuing series of short articles on the major new features and technologies in the coming 4.4 release of Xfce. This week, the mysterious and powerful "panel widget"."

Comments (none posted)

Electronics

New gEDA Suite CDROM ISO Released

A new CDROM ISO image of the gEDA Suite, a collection of electronics applications, is available. See the README document for content information.

Comments (none posted)

Open Collector Releases

The latest new electronics applications on Open Collector include Teal 0.93, microdev 0G1, MGEN/PARIS 1.5, nlc 0.9, MVSIS 1.0, EDIF Parser 0.2, and E.Smith.

Comments (none posted)

Financial Applications

SQL-Ledger version 2.4.11 released

Version 2.4.11 of SQL-Ledger, a web-based accounting system, is available with bug fixes and other improvements.

Comments (none posted)

Games

Cyphesis 0.3.9 Released

Version 0.3.9 of Cyphesis, a server for WorldForge games, has been announced. Changes include a number of bug fixes and support for building a relocatable binary package.

Comments (none posted)

GUI Packages

FLTK News

The latest new software for FLTK, the Fast, Light ToolKit, includes two new snapshot releases of FLTK, Gmsh 1.60, and Monica 2.6, a monitor calibration utility.

Comments (none posted)

Interoperability

Wine Traffic

The April 1, 2005 edition of Wine Traffic is available with the week's Wine project news.

Comments (none posted)

Medical Applications

ClearHealth initial release (LinuxMedNews)

LinuxMedNews has the announcement for the initial release of ClearHealth. "ClearHealth is a next generation practice management system and EMR. This php based system takes DNA from the FreeMED and OpenEMR projects. It is based on the smarty templating engine. ClearHealth uses the FreeB2 medical billing engine."

Comments (none posted)

Music Applications

KGuitar 0.5 released

Version 0.5 of KGuitar, a KDE utility for working on guitar tablature and chording, is out with lots of new capabilities.

Full Story (comments: none)

KMetronome 0.3 released

Version 0.3 of KMetronome, a MIDI-based metronome that works with the ALSA sequencer, is out. "This is the first public release."

Full Story (comments: none)

Office Suites

OpenOffice.org Newsletter

The March 2005 edition of the OpenOffice.org Newsletter is online; read about OpenOffice.org 2.0 and more.

Full Story (comments: none)

Peer to Peer

Furthur v.1.7.5 Released (SourceForge)

Version 1.7.5 of Furthur, a Java-based P2P client with an emphasis on use for trading CD-quality audio and video, is available. "Version 1.7.5 is primarily a user-interface upgrade, improving the client's help and setup features, and enhancing the built-in chat engine. It also improves search results and download priority for users with faster Internet connections, and updates the code for use with JRE v. 1.5."

Comments (none posted)

Web Browsers

Gecko 1.8, Mozilla Firefox 1.1 and Mozilla Thunderbird 1.1 Release Plans (MozillaZine)

The release plans for new versions of Gecko, Mozilla Firefox, and Mozilla Thunderbird have been announced. "We were scheduled to freeze for 1.8 Beta 2 on March 15th at midnight but that clearly didn't happen. There is more work, front-end and back-end (cleaning up regressions from new features, completing the heavy lifting of the Thunderbird localization re-organization, fixing key bugs, analyzing and fixing topcrashers, getting XULRunner further along, etc.) that needs to happen before we're in a position to ship the Firefox and Thunderbird 1.1 alphas."

Comments (none posted)

Improved Popup Blocker Available for Testing (MozillaZine)

The Mozilla Foundation is testing a patch for Mozilla Firefox that improves popup blocking. "This isn't the first time that the popup blocker has been modified in response to the evil tricks of webmasters. When the feature first debuted, it simply blocked all popups triggered by page loads, page unloads and timeouts. Since then, it has been enhanced to block popups triggered by a wide variety of events and also limit the number of simultaneous popups allowed."

Comments (2 posted)

Minutes of the mozilla.org Staff Meeting (MozillaZine)

The minutes from the March 21, 2005 mozilla.org staff meeting are online. "Issues discussed include releases, developer.mozilla.org, Camino and people."

Comments (none posted)

Word Processors

AbiWord v2.2.6 Released! (GnomeDesktop)

Footnotes reports the release of AbiWord v2.2.6. "This release includes a massive list of changes and bugfixes all over the map, ranging from the MS Word importer to the MacOSX port to a nice bunch of fixed crasher bugs. We hope we didn't break something in the process." Here is the change log.

Comments (1 posted)

Languages and Tools

Caml

Caml Weekly News

The March 29 - April 5, 2005 edition of the Caml Weekly News is out with new Caml language articles and resources.

Full Story (comments: none)

Haskell

Pugs, an implementation of Perl6 in Haskell

Pugs is an implementation of Perl6 in the Haskell language. "The Pugs project is led by Autrijus Tang".

Full Story (comments: none)

Java

JCA 1.5, Part 1: Optimizations and life-cycle management (IBM developerWorks)

David Currie presents part one of an IBM developerWorks series on the J2EE Connector Architecture. "In the first of a three-part series, Java developer David Currie introduces some Java™ 2 Enterprise Edition (J2EE) Connector Architecture (JCA) 1.5 optimizations that should make your existing or new outbound resource adapters go faster. He also takes a look at some additions that let resource adapters take on a new life of their own."

Comments (none posted)

Perl

Perl 5.9.2 released (use Perl)

Version 5.9.2 of Perl 5 has been announced. "The Perl 5 developer team is pleased to announce the release of perl 5.9.2, the third development release of perl 5.9, incorporating developments towards the next major stable version of perl, perl 5.10."

Comments (none posted)

More Lightning Articles (O'Reilly)

A new set of four Perl lightning articles has been published on O'Reilly. Topics include: Customizing Emacs with Perl, Debug Your Programs with Devel::LineTrace, Using Test::MockDBI, and Unnecessary Unbuffering.

Comments (none posted)

PHP

PHP 5.0.4 and 4.3.11 Released

Two new versions of PHP have been announced. "The PHP Development Team would like to announce the immediate release of PHP 5.0.4 and 4.3.11. These are maintenance releases that in addition to non-critical bug fixes address several security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible."

Comments (none posted)

Python

python-dev Summary

The March 16-31, 2005 edition of the python-dev Summary is out with coverage from the python-dev mailing list. "So, after nearly 2.5 years, this is my final python-dev Summary. Steve Bethard, Tim Lesher, and Tony Meyer will be taking over for me starting with the April 1 - April 15 summary (and no, this is not an elaborate April Fool's)."

Full Story (comments: none)

Dr. Dobb's Python-URL!

The April 4, 2005 edition of Dr. Dobb's Python-URL! is online with another week's collection of Python language articles.

Full Story (comments: none)

Basic Threading in Python (Dev Shed)

Peyton McCullough illustrates Python threads in a Dev Shed article. "If you want your application to perform several tasks at once, you can use threads. Python can handle threads, but many developers find thread programming to be very tricky. Among other points, Peyton McCullough covers how to spawn and kill threads in this popular language."

Comments (none posted)

Ruby

Ruby Weekly News

The April 3rd, 2005 edition of the Ruby Weekly News has been posted. It summarizes the latest news and discussion from the ruby-talk mailing list.

Comments (none posted)

Exploring Ruby on Rails (Linux Journal)

Ara Howard and Doug Fales discuss the Rails framework for Ruby on Linux Journal. "It seemed that every blog I read either was proclaiming Rails as the new juggernaut of Web frameworks or was damning it as the scourge of developers everywhere. Now, I generally assume anything that's simultaneously causing so much adoration, protest and reflection must have something going for it, and rumors that Dave Thomas was putting together a book on RoR only fueled my motivation to find out all that I could as fast as I could. So I installed Rails, raced through a few tutorials, started reading the source and called Doug to get the lowdown straight from the horse's mouth."

Comments (none posted)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The April 4, 2005 edition of Dr. Dobb's Tcl-URL! is out with the week's Tcl/Tk news and resources.

Full Story (comments: none)

XML

Tip: Twisting XML with XSLT 2.0 (IBM developerWorks)

Jack Herrington works with XSLT 2.0 on IBM developerWorks. "The XML story has two sides: data creators and data consumers. XSL typically falls on the consumer side of the equation, and all too often the format of the data is fixed well before a template gets to it. Take a list of books, for example. You might have an XML file with a list sorted by title, but what if you want the list to be sorted by author, or you just want to display the distinct author names? Can XSL do that?"

Comments (none posted)

Getting Started with XQuery (O'Reilly)

Bob DuCharme presents an introductory article on XQuery. "Although the W3C's XQuery language for querying XML data sources is still in Working Draft status, the recent XML 2004 conference showed that there's already plenty of interest and many implementations. While the Saxon implementation may not scale up as much as the disk-based versions that use persistent indexes and other traditional database features, you can download the free version of Saxon, install it, and use XQuery so quickly that it's a great way to start playing with the language in order to learn about what this new standard can offer you."

Comments (none posted)

Understanding the Basic B2B Profile (IBM developerWorks)

Christopher Ferris introduces the Basic B2B Profile on IBM developerWorks. "The Basic Business-to-Business (B2B) Profile 1.0 is a profile that, in the fashion of the WS-I profiles, enables basic B2B integration scenarios using Web services technologies. In this paper, author Chris Ferris explains the profile's purpose and technical content."

Comments (none posted)

IDEs

Eclipse Plugins Exposed, Part 2: Simple GUI Elements (O'ReillyNet)

Emmanuel Proulx continues his O'Reilly series on Eclipse plugins with part two. "Eclipse is largely composed of plugins, but you can't just write any arbitrary code and have Eclipse magically incorporate it. In part two of his series on Eclipse, Emmanuel Proulx introduces Eclipse's "extension points" by showing how to create toolbar buttons, menu items, and dialogs."

Comments (none posted)

Miscellaneous

Making Packager-Friendly Software (O'Reilly)

Julio M. Merino Vidal discusses software packaging issues on O'Reilly. "A package maintainer, or packager, is a person who creates packages for software projects. He eventually finds common problems in these projects, resulting in a complex packaging process and a final package that is a nightmare to maintain. These little flaws exist because in most cases the original developers are not packagers, so they are not aware of them. In other words, if you do not know something is wrong, you cannot fix it. This article describes some of these common problems and possible solutions."

Comments (7 posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Samba, Soccer and Open Source (IT-Director)

Robin Bloor writes about free software in Brazil in this IT-Director column. "In 'The Road Ahead', Bill Gates himself wrote enthusiastically about the 'software ecosystem' that surrounded Microsoft in its early years. It made a huge contribution to the success of Windows, by creating an application-rich environment. The same kind of ecosystem now surrounds Open Source and it is growing quickly. I am amazed by its potential. It could completely undermine Microsoft's monopoly, and it probably will."

Comments (none posted)

Enlightenment DR17 is coming - eventually (NewsForge)

Remember the Enlightenment window manager? Here's a NewsForge article stating that it's Not Dead Yet; the article provides a rather uncritical look at the upcoming DR17 release. "Now, after years of work, and years of work yet to come, we can expect DR17 to be a fully functional desktop environment with fantastic eye candy to augment its configurable and user-friendly interface. It will be fit to run on the hardware of yesterday (and even PDAs), scalable to any resolution, and be unprecedentedly easy to develop for."

Comments (13 posted)

No More Free BitKeeper (KernelTrap)

KernelTrap is reporting that the free version of BitKeeper, used heavily in kernel development, is being withdrawn. "In a post to the Linux Kernel mailing list in February of 2005, Larry [McVoy] discussed a 16 bit limitation of the existing free product. With nearly 64,000 changesets in the mainline kernel tree, future development will quickly exceed this limitation. For that reason, it is likely that BitMover will provide one final release of its free BitKeeper product, allowing kernel developers a graceful transition. By the end of July, the goal is to have completed the migration, therby [sic] terminating the free product and focusing fully on the commercial product."

BitMover's Larry McVoy has confirmed the story (he pointed us to it, actually) and says that an announcement is forthcoming.

Comments (16 posted)

Trade Shows and Conferences

KDE at Latin America Free Software Install Festival Report (KDE.News)

KDE.News covers the Latin America Free Software Install Fest. "Last Saturday saw the first Latin America Free Software Install Fest held simultaneously in 74 cities and 12 countries. KDE was present at the Santiago location for installation assistance and a talk by Maurucio Bahamonde on KDE 3.4. We offered Kubuntu Live CDs to try out the desktop and the team offered help to install."

Comments (none posted)

Sun criticizes popular open-source license (News.com)

News.com reports on Sun President Jonathan Schwartz's talk at the Open Source Business Conference. "The GPL purports to have freedom at its core, but it imposes on its users 'a rather predatory obligation to disgorge all their IP back to the wealthiest nation in the world,' the United States, where the GPL originated, Schwartz said. 'If you look at the difference between the license we elected to use and GPL, there are no obligations to economies or universities or manufacturers that take the source code and embed it in (their own) code.'"

Comments (15 posted)

IBM: Proprietary technology not enough (News.com)

IBM's Irving Wladawsky-Berger spoke at the Open Source Business Conference, and News.com was there. "'A big part of your power is to have your people work with the communities and donate some of your intellectual property to those communities so they can get better. Then you build proprietary offerings on top of the open-source platform,' he said. 'Those proprietary offerings at some point will lose their value as proprietary offerings. Then there probably will be more value donating it to an open-source community, and on and on and on.'"

Comments (8 posted)

The SCO Problem

Highlights from SCO's 10K (Groklaw)

The SCO Group has finally caught up with its regulatory agency filings, and Groklaw picks out the highlights from the company's belated 10K. "Our Engagement Agreement with the Law Firms will require us to spend a significant amount of cash during fiscal year 2005 and could harm our liquidity position."

Comments (10 posted)

Companies

Intel to stop using open source license (News.com)

News.com reports that Intel has told the Open Source Initiative to take its open source license out of the list of approved licenses. "Smith said that it does not want the "de-approval" of the license to be retroactive to past uses, as it does not want to force companies to re-license code. Intel's decision was praised by Martin Fink, the vice-president of HP's Linux division, who recently told ZDNet UK that the number of open source licenses needs to be reduced from the current figure of more than 50 to "something less than 10"."

Comments (3 posted)

Linux Adoption

Deutsche Bahn dumps Intel, pumps SUSE onto IBM mainframe (Register)

The Register reports on a conversion to mainframe-based SUSE Linux by Deutsche Bahn. "Deutsche Bahn, Europe's biggest railway, is junking 300 Intel servers in favour of an IBM mainframe. But its OS of choice, SUSE LINUX Enterprise Server, has profited from the cull and will run business-critical apps such as Lotus Notes on the new IBM eServer zSeries 990 mainframe."

Comments (1 posted)

Windows VistA Client Running on Linux (LinuxMedNews)

LinuxMedNews covers the use of Linux by the US Veterans Administration. "In a major advance for FOSS in medicine, Joseph Dal Molin of WorldVistA reports success in getting the VA Computerized Patient Record System (CPRS) VistA client running on Linux using WINE and Crossover office. The CPRS client formerly ran only on the Microsoft Windows operating system and is widely deployed on thousands of workstations within the United States VA system."

Comments (none posted)

Interviews

One-on-one with Miguel de Icaza (NewsForge)

Joe Barr talks with Miguel de Icaza. "Joe: Who started GNOME? Miguel: I did, with Federico Mena. Federico was already contributing to the GIMP, and I was busy with the Linux on the SGI, and I was trying to get Federico to do it, and Federico wouldn't do it. So then I said, I'll stop all the stuff on the SGI, let's do this thing together. So we launched GNOME in August, 1997. And it was the summer after, that I did Gnumeric."

Comments (none posted)

Stallman on the State of GNU/Linux (OfB)

Open for Business interviews Richard Stallman. "I can't be entirely happy with Novell as long as it distributes non-free software, and in particular, I can't entirely approve of SuSe as long as it distributes non-free software. However, Novell's changes go in the right direction. The Ximian and SuSe programs that were non-free are free now."

Comments (73 posted)

Wind River's Linux transformation (News.com)

News.com talks with Wind River CEO Ken Klein about the company's Linux makeover. "We were taking a very adversarial approach toward Linux. We've turned 180 degrees. We're viewing Linux as incremental to our business. In set-top boxes, Linux is a great fit."

Comments (1 posted)

Resources

Anatomy of an Attack: The Five Ps (O'ReillyNet)

O'ReillyNet presents an excerpt from Managing Security with Snort & IDS Tools. "A surprising amount of information can be gathered from information stores on the Internet. The goal of [the probe] phase is to map out your network and determine details about the systems on your network, permitting the attacker to tailor an attack to exploit known vulnerabilities in the software version running on your system, or perhaps to a configuration error."

Comments (none posted)

Reviews

The good and bad of Linux LiveCDs (ComputerWorld)

ComputerWorld describes the benefits of live Linux CDs, but then finds something to worry about: "A PC booted from a Linux LiveCD is transformed. It no longer has any of the user accounts, logging and security controls of its original host operating system. It has become a Linux system, completely under the control of the end user and loaded with an arbitrary selection of open-source software -- yet it still has access to the same hard drives, network, servers and other resources as before. The security threat this poses is obvious."

Comments (18 posted)

Securing your online privacy with Tor (NewsForge)

NewsForge reviews the network privacy application Tor. "Tor tries to keep your packets private by distributing your transactions over several places on the Internet, so there is no direct connection to your destination. As Tor's Web site puts it: "The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you -- and then periodically erasing your footprints.""

Comments (none posted)

Miscellaneous

Open source strategy - a sword that cuts both ways? (IT-Director)

Here's an IT-Director article which claims that the eventual winners in the open source database arena will not be MySQL or PostgreSQL. "This is bad news for open source enthusiasts. Fans of the open source movement would, not unnaturally, like to see open source products adopted as strategic. But who are the vendors that are most likely to be accepted as strategic partners by users? If you think about databases it is going to be IBM (Cloudscape) and CA (Ingres) at the top of the list."

Comments (9 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Linux Medical News Turns 5 (LinuxMedNews)

Linux Medical News has announced its fifth anniversary. "At the time Linux Medical News began, there were many FOSS medical projects underway, but none were ready for real world deployment and you could not easily get a service contract for one. That has all changed. There are now several thriving FOSS projects that are being used in the real world, supported by profitable companies which will sell you a service contract. In fact, competition among medical FOSS companies for service contracts is now occurring."

Comments (none posted)

How to make Microsoft respect European Authorities (FSFE)

The Free Software Foundation Europe recommends that Microsoft be subject to permanent monitoring to ensure compliance with the decisions of the European Court. "In order to write interoperable software, developers use so-called Interface Definition Language Files (IDL). These are currently held secret by Microsoft, so no one else can write interoperable software. In order to comply with its obligations, Microsoft should have to make these available, along with a description of the encryption methods they have employed, under a license enabling them to be implemented in Free Software."

Full Story (comments: none)

Software patents putting International Financial Report Standards in danger (FSFE)

The Free Software Foundation Europe has sent an open letter to the president of the European Information & Communications Technology Industry Association (EICTA) concerning the dangers of software patents.

Full Story (comments: none)

Commercial announcements

FreeMED 'Help Desk' Support Available Now (LinuxMedNews)

LinuxMedNews has an announcement for a help desk service for the FreeMED Electronic Medical Record and Practice Management system. "This service is intended to provide users with increased productivity by making support services more readily available for any problems, concerns and/or operation questions about the systems."

Comments (none posted)

New Study says Mid-Sized Companies Not Interested in Linux

Info-Tech Research Group has studied Linux adoption in mid-sized companies, finding that few will adopt Linux anytime soon. "The study highlighted the divide that is occurring between large companies who are increasingly embracing open source, and smaller companies who remain Microsoft-centric. Of the companies who did not already have Linux installed, 48 percent have no interest whatsoever and a further 15 percent are not sure."

Comments (18 posted)

LinuxGenius Launches LinuxCBT Mail Edition Training Software

LinuxGenius, LLC has announced a new CD-based Linux mail system training course. "LinuxCBT Mail Edition contains 40 hours of comprehensive, in depth training that focuses entirely on Linux Message Transfer Agents (MTAs) and associated mail components."

Comments (none posted)

Mandrakesoft completes Conectiva Acquisition

Mandrakesoft has announced the completion of its acquisition of Conectiva. "Mandrakesoft shareholders, at the extraordinary shareholders' meeting on March 30th 2005, approved the acquisition of Conectiva, the Brazilian Linux company. The necessary resolutions have been adopted, and thus the acquisition is now effective."

Full Story (comments: none)

Yet another Microsoft-funded anti-Linux study

Here's a press release from Microsoft touting another study it bought; this one claims that Windows is more reliable than Linux. "'Customers have told us that kernel uptime or availability of a single component is only one factor in how they view reliability; real customer pain is caused by the system itself failing to meet its reliability requirements over time,' said Martin Taylor, general manager of the Platform Strategy Group at Microsoft. 'This study shows that when compared to Red Hat Enterprise Linux 3.0, Windows Server 2003 is easier to maintain and predictable, and allows end users to access the resources they need in a timely manner.'"

Comments (5 posted)

OpenSolaris Community Advisory Board Formed

Sun Microsystems, Inc. has announced the names of the five individuals selected to participate in the OpenSolaris(TM) Community Advisory Board (CAB). "The five member board consists of two members who were nominated and elected by the OpenSolaris pilot community: Al Hopper, engineer consultant, Logical Approach; and Rich Teer, independent Solaris consultant and author of "Solaris Systems Programming." The three other members on the advisory board are Roy Fielding, chief scientist at Day Software and co-founder and member, the Apache Software Foundation; Simon Phipps, chief technology evangelist, Sun; and Casper Dik, senior staff engineer, Sun."

2005 O'Reilly ETech Conference Explores "Remix" Culture

O'Reilly has sent out a press release describing the recent ETech Conference. "Hackers and other innovators have embraced the do-it-yourself renaissance, tweaking here and integrating there, creating new tools and inspiring a resurgence of hands-on experimentation. These new, unexpected combinations--and the opportunities they present--were the driving force behind the 2005 edition of ETech, the O'Reilly Emerging Technology Conference, held in San Diego, California, March 14-17."

Sensory Networks will provide hw acceleration for ClamAV (SourceForge)

SourceForge has announced a partnership with Sensory Networks. "Sensory Networks, the leading provider of hardware acceleration for network security applications, started a partnership with us to provide hardware acceleration support for the Clam AntiVirus suite."

SGI Altix Outperforms others in HPC Challenge

SGI has announced that its Altix 3000 system has outperformed machines from IBM, Cray and Sun. "Results submitted March 2 by SGI show that a 64-processor SGI Altix system bested similarly configured servers from IBM, Cray and Sun on five of the HPC Challenge (HPCC) Benchmark's list of eight tests. The HPCC benchmark extends the Linpack benchmark used to determine the well-known Top 500 list of the world's fastest supercomputers."

SpikeSource Joins OSDL

SpikeSource has announced it is joining the Open Source Development Labs (OSDL). "Participation in OSDL initiatives will allow SpikeSource to collaborate with other members by sharing information and expertise on the latest open source projects, stacks, applications, system management tools, patches and bugs."

The SpikeSource PR flood

SpikeSource has decided that the time has come to unleash a torrent of press releases describing the company's offerings. This release describes the "Core Stack" offering - a combined packaging of several free projects (MySQL, Python, Apache, JBoss, ...) said to be tested as a whole; there are associated subscription and support offerings. The company has released a couple of tools for the testing and management of "open source assets." There is a testing service which is being offered for free to some open source projects. Finally, SpikeSource has announced an "ecosystem" of companies with which it is working.

VA Linux offers kernel debugging services

VA Linux Systems Japan K.K. has announced the availability of its "VA Quest" offering - essentially a service for tracking down and dealing with kernel bugs which might be getting in its customers' way. "VA Quest offers consultation services by VA Linux's accomplished Linux kernel experts. They can thoroughly analyze failure on customers' GNU/Linux systems by reading the source code of the Linux kernel and memory dump, and then track the reason down, offer the way to fix or avoid the problem, provide patches, etc."

New Books

A Perl of a Higher Order (use Perl)

use Perl has an announcement for a new Perl book. "Mark Jason Dominus' book Higher-Order Perl is finally available. The subtitle is "Transforming Programs with Programs". It's about using perl's functional programming capabilities to write more powerful programs."

Resources

Update of "Why OSS/FS? Look at the Numbers!" paper

David A. Wheeler has announced a new version of his paper: "Why OSS/FS? Look at the Numbers!". "One of the biggest changes is the addition of a lot of market share data on Mozilla Firefox/Mozilla, compared to Internet Explorer."

Chap 5 of New CUPS Manual - Basic Printer Management

A new chapter from the CUPS printing system documentation has been announced. The topic covered is Basic Printer Management.

Linux Gazette #113 is out

The April Linux Gazette has been released; topics covered include shell scripting, PyCon 2005 coverage, Crossover Office, and more.

Contests and Awards

Mozilla Foundation Pays Out Bug Bounties (MozillaZine)

The Mozilla Foundation has announced that Michael Krax has won cash prizes for finding five security bugs in the latest Mozilla bug bounty.

Upcoming Events

FUDCon2 @ LinuxTag, 24-25 June 2005, Call For Papers

A Call For Papers has gone out for FUDCon2; the event will be held on June 24-25, 2005 in Karlsruhe, Germany. Papers are due by April 22.

Upcoming Lisp conferences

Three new Lisp language conferences have been scheduled for the next four months. "The events are the European Common Lisp Meeting, the International Lisp Conference, and the 2nd European LISP and Scheme Workshop."

samba eXPerience 2005

Samba eXPerience 2005 will be held on May 2-4, 2005 in Göttingen, Germany.

YAPC::NA 2nd Call-for-Papers (use Perl)

Use Perl has posted a reminder that papers are soon due for YAPC::NA: "the Call-For-Papers deadline for Yet Another Perl Conference North America 2005 in Toronto is April 18".

Events: April 7 - June 2, 2005

Date | Event | Location
April 7 - 8, 2005 | Black Hat Briefings Asia 2005 | Singapore
April 7, 2005 | FOSE 2005 (Washington D.C. Convention Center) | Washington, D.C.
April 8 - 10, 2005 | notanothercon (notacon) (Holiday Inn Select Cleveland) | Cleveland, Ohio
April 10 - 15, 2005 | 2005 USENIX Annual Technical Conference | Anaheim, California, USA
April 12 - 15, 2005 | Computers, Freedom and Privacy Conference 2005 (Westin Hotel) | Seattle, WA
April 15 - 17, 2005 | Debian Edu/Skolelinux workshop (Nafplion) | Athens, Greece
April 18 - 23, 2005 | linux.conf.au 2005 (Australian National University) | Canberra, Australia
April 18 - 21, 2005 | MySQL Users Conference and Expo 2005 (Santa Clara Convention Center) | Santa Clara, CA
April 18 - 20, 2005 | LinuxWorld Conference and Expo 2005 (Metro Toronto Convention Centre) | Toronto, ON
April 18 - 19, 2005 | Debian Miniconf 4 | Canberra, Australia
April 19 - 20, 2005 | San Francisco techCongress (Rickey's Hyatt) | Palo Alto, CA
April 20 - 23, 2005 | ACCU Conference 2005 (Randolph Hotel) | Oxford, England
April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) (Center for Art and Media (ZKM)) | Karlsruhe, Germany
April 21 - 23, 2005 | WebTech 2005 | Sofia, Bulgaria
April 23 - 24, 2005 | LayerOne Technology Conference (Pasadena Hilton) | Pasadena, CA
April 25 - 30, 2005 | UbuntuDownUnder | Sydney, Australia
April 30, 2005 | Hurricane Electric Linux Security Seminar | Fremont, CA
May 2 - 7, 2005 | DallasCon 2005 (Richardson Hotel) | Dallas, TX
May 2 - 4, 2005 | Samba eXPerience 2005 (Hotel Freizeit) | Göttingen - Germany
May 2 - 5, 2005 | International PHP Conference (RAI Conference Center) | Amsterdam, the Netherlands
May 4 - 6, 2005 | CanSecWest/core05 | Vancouver, B.C.
May 11 - 15, 2005 | php|tropics 2005 (Moon Palace Resort) | Cancun, Mexico
May 13 - 14, 2005 | BSDCan 2005 (University of Ottawa) | Ottawa, Canada
May 19 - 21, 2005 | GUADEC-es 2005 | A Coruña, Spain
May 22 - 25, 2005 | Gelato Federation Meeting (HP's Palo Alto and Cupertino campuses) | San Jose, CA
May 23 - 26, 2005 | PalmSource Worldwide Mobile Summit and DevCon (Fairmont Hotel) | San Jose, California
May 24 - 27, 2005 | XTech 2005 Conference (Amsterdam RAI Center) | Amsterdam, the Netherlands
May 25 - 26, 2005 | Linux World New York Summit 2005 (New York City Marriott Marquis) | New York, NY
May 29 - 31, 2005 | GNOME Users and Developers European Conference (GUADEC 2005) | Stuttgart, Germany
June 1 - 3, 2005 | The Red Hat Summit 2005 (Hilton New Orleans) | New Orleans, LA
June 1 - 4, 2005 | Fórum Internacional Software Livre (FISL) | Porto Alegre/RS, Brazil

Web sites

O'Reilly Launches CodeZoo Open Source Component and Information Site

O'Reilly has launched its new CodeZoo site. "O'Reilly Media's new CodeZoo (www.codezoo.net) offers a repository of components plus a rich mix of related information from O'Reilly and the CodeZoo community. Created to help developers build on--and expand--the body of useful code created by the open source community, CodeZoo saves developers from starting each new application from scratch by making high-quality components easily available."

Page editor: Forrest Cook


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds