Weekly Edition for April 21, 2005

LCA2005: The state of Debian

Bdale Garbee led off the 2005 Debian "miniconf" with a discussion of the state of the Debian project as he sees it. He covered several topics of interest to the Debian community - and beyond.

With regard to the recently-concluded project leader election: Bdale was clearly not entirely comfortable with Branden Robinson as a project leader candidate. He did say, however, that Branden clearly wants to do the right thing with Debian, and that the community should work with him to make that happen. It will, he says, be interesting.

In general, there are difficulties with the whole concept of the Debian project leader. The Debian community prizes cooperation and working together to create the best distribution possible, but the project leader process focuses, instead, on singling out an individual. The job is too much for one person to handle, and, in any case, that one person can only do so much to affect the development of Debian. And the election process, which extends over a nine-week period, takes far too long relative to a one-year term.

The Debian technical committee is not working as well as it could be either. Its current composition needs to be reviewed; some of the committee's members have not been active participants for some time. The committee could take a more active role in directing Debian's development. At the same time, the people who complain that the committee is insufficiently active could also step forward and try to influence things on their own.

Project Scud is an initiative to create a sort of advisory committee to help the Debian project leader in his work. This project was endorsed by Branden Robinson, so one assumes that it will be implemented in some form. Bdale noted that not everybody is comfortable with this idea. The committee's role, as it relates to the project's constitution, is not particularly clear. The committee is self-selected, and is not necessarily representative of the entire project. Some people feel left out. Bdale feels that Scud might improve the situation. But, he says, it's a hack, and the project can do better.

Bdale's proposal for doing better is to amend the constitution to bring about a significant change in the project's governance. The Debian project leader would be replaced with an elected board. A board could divide up the work, and, hopefully, give more attention to what needs to be done. Board candidates could emphasize how well they can work with a team. Running for a board seat is less intimidating than going for a single position. The result of all this could be that more qualified people run for (and are elected to) board seats.

Bdale hopes to get some discussion of this idea at Debconf5, to be held in Helsinki this July. If some sort of consensus emerges, a general resolution could be proposed to the community as a whole. The idea could change a lot in the process, but, Bdale says, there is a pressing need to think creatively about how to evolve Debian, or it will eventually cease to be interesting.

With regard to the sarge release: Bdale noted (jokingly) that he was the last Debian project leader to have overseen a Debian stable release. There comes a point where you have to simply list the remaining hurdles and summon up the will to deal with them. Debian is, he says, getting to the point where it is ready to do this and get sarge out the door. After that, he would like to see Debian go to a more predictable (and shorter) release schedule.

A question was asked about shipping XFree86 4.3 in sarge, long after most other distributions have moved over to the X.Org release. It is, of course, simply a question of getting the sarge release out the door. Now is not the time to replace such a large and fundamental component of the system. It would have been better if sarge had shipped some time ago so that this sort of issue would not come up, but there is little to be done about that now.

Meanwhile, Bdale's plots of the number of Debian maintainers and the number of packages continue to show a linear increase over many years. Debian continues to grow, and is showing no sign of stopping. The project must, it seems, be doing something right.


How Tridge reverse engineered BitKeeper

Andrew Tridgell delivered the first keynote on Thursday morning. The bulk of the talk covered software engineering techniques and how the free software community is taking a leading role in adopting those techniques. It was a good talk, and your editor will attempt to write it up later on.

At the end, however, Tridge touched on his role in the separation of the kernel project and BitKeeper. He couldn't talk about much, and he did not announce the release of his BitKeeper client. But he noted that there has been quite a bit of confusion and misinformation regarding what he actually did. It was not, he says, an act of wizardly reverse engineering. Getting a handle on the BitKeeper network protocol turned out to be rather easier than that.

He started by noting that a BitKeeper repository has an identifier like bk:// So, he asked, what happens if you connect to the BitKeeper server port using telnet? A quick demonstration sufficed:

    telnet 5000
    Connected to
    Escape character is '^]'.

Once connected, why not type a command at it?

    ? - print this help
    abort - abort resolve
    check - check repository
    clone - clone the current repository
    help - print this help
    httpget - http get command

Tridge noted that this sort of output made the "reverse engineering" process rather easier. What, he wondered, was the help command there for? Did the BitKeeper client occasionally get confused and have to ask for guidance?

Anyway, given that output, Tridge concluded that perhaps the clone command could be utilized to obtain a clone of a repository. Sure enough, it returned a large volume of output. Even better, that output was a simple series of SCCS files. At that point, the "reverse engineering" task is essentially complete. There was not a whole lot to it.

Now we know about the work which brought about an end to the BitKeeper era.


Security in Firefox

April 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

Perhaps even more than Linux, Firefox is rapidly becoming the poster child for open source. Many users who wouldn't even consider installing Linux on their desktop have happily installed Firefox, looking for features not found in Internet Explorer, and trusting in Firefox's reputation as a more secure alternative than IE.

This reputation has been a bit tattered in recent weeks, though perhaps unfairly. The Mozilla project has released three security updates since February, which has prompted some to call into question the respective security of Firefox in particular, and open source products in general.

Is this proof that Firefox or the Mozilla Suite suffer from as many serious security vulnerabilities as Internet Explorer? Maybe, but the evidence that's in so far suggests otherwise. We spoke to Chris Hofmann, Mozilla's director of engineering, about the recent security fixes and the Mozilla Foundation's security policies.

Hofmann said that Mozilla has built "a larger security community" since the Firefox 1.0 release, with "some experts working with us to examine the code and identify potential problems." He also acknowledged that there will be vulnerabilities, but the project is committed to providing a secure browser and repairing problems as quickly as possible.

The latest update closed nine security vulnerabilities: three tagged "critical," two rated "high" severity, and four rated as "moderate" vulnerabilities. Some of the vulnerabilities have yet to be disclosed, despite the fact that the update is now available. Hofmann said that the project was respecting the wishes of the person reporting the bugs, and that the project tries to use "best judgement" about providing information about exploits. He also noted that it gives users ample time to install updates prior to releasing information that might be used to exploit vulnerabilities.

We also checked on the Mozilla Project's security policies to see what they had to say about disclosure:

The original reporter of a security bug may decide when that bug report will be made public; disclosure is done by clearing the bug's "Security-Sensitive" flag, after which the bug will revert to being an ordinary bug. We believe that investing this power in the bug reporter simply acknowledges reality: Nothing prevents the person reporting a security bug from publicizing information about the bug by posting it to channels outside the context of the Mozilla project. By not doing so, and by instead choosing to report bugs through the standard Bugzilla processes, the bug reporter is doing a positive service to the Mozilla project; thus it makes sense that the bug reporter should be able to decide when the relevant Bugzilla data should be made public.

Interested readers may also want to peruse the rest of the Mozilla project's security policies.

The 1.0.3 release went through several release candidates before it was finally officially released. We asked Hofmann about the length of time required to release a security fix, what was involved and why it took several weeks to push out a patch. Hofmann said that the Mozilla team was capable of putting out a release quickly, and noted the 24-hour turnaround with the shell exploit discovered last fall.

It mostly depends on the vulnerability that's discovered and time that we want to go through and evaluate that there's a comprehensive patch, and adequate testing for the change we're making... this time, changes did require more testing and feedback that the patch was comprehensive and at the right level.

Hofmann also pointed out that the Mozilla team has pushed out security updates in a matter of days or weeks, whereas Microsoft has been known to push out fixes for vulnerabilities that have been known for months rather than just a short time.

He also noted that the team needs to push out documentation updates, and get information out to application developers and authors of extensions. Hofmann said that a couple of the changes in the 1.0.3 release will require some extension authors to make "adjustments to be forward-compatible" and that most extensions that were affected already have new versions available for Firefox 1.0.3.

At any rate, as pointed out on MozillaNews, Symantec has documented more vulnerabilities affecting Mozilla browsers, but IE has a greater number of high-severity vulnerabilities. It should also be noted that the vulnerabilities listed for Firefox have not been widely exploited, while IE has been widely exploited. Several critical issues in IE remain open. To be fair, a few vulnerabilities are still listed for Firefox as well.

It's certainly true that Firefox and the Mozilla Suite are not perfect, and do not offer a 100 percent guarantee against security problems simply because the projects are open source. The increased attention being paid to Firefox almost assures that further vulnerabilities will be found. However, the project is developing a good track record of fixing security vulnerabilities as they are discovered, and proactively seeking out security problems. To date, Hofmann says that he is not aware of any exploits in the wild that affect Firefox or Mozilla, which means that the vulnerabilities that have been reported have not had any real impact on the Mozilla userbase aside from the inconvenience of upgrading -- which can hardly be said for Internet Explorer.

Those with a careful eye for distinguishing between the severity of vulnerabilities, the length of time required to find fixes and actual exploits, will find that Firefox is still the better choice for security-conscious users.


The Grumpy Editor's Guide to Image Management Applications

This article is part of the LWN Grumpy Editor series.
Your editor has, on and off, been interested in photography for more than 25 years. In the beginning, the bleeding-edge technology available included dim red lights, special trays to keep chemicals at the right temperature, and a disk on a stick for those advanced burning and dodging techniques. Though your editor thinks that he can take an OK picture, LWN readers can probably be thankful that this remains a text-oriented publication.

The technology of photography has moved forward in recent years, but certain issues remain. Your editor's closets contain numerous binders full of carefully organized negatives, contact sheets, and slides. Said closets also contain several boxes full of rather less carefully organized photographic output. There are a lot of great pictures there, but chances are good that nobody will ever see them. Organizing photographs is hard.

Now your editor's hard drive looks rather like those boxes in the closet; several years' worth of digital photos have accumulated in a messy directory hierarchy with no easy way to find anything of interest. The move to the digital format has, if anything, made the mess worse. How can one cope with all those images? Your editor decided that there must be a free application out there which might help; here is what he found.

Features to look for

Any graphical file manager can enable mouse-based navigation through a directory tree full of images. An application tuned to image management, however, should offer more than that. Anything that can be done to help find a specific image - searching by date, where the picture was taken, who is in it, etc. - is more than welcome. One should not have to dig through a huge box of photos to find that darling shot of one's toddler performing gravity research with the new laptop. This sort of searching requires the creation and maintenance of metadata for images; a good application will make that task easy.

Images from digital cameras include a significant amount of embedded data in the exchangeable image file format (EXIF). The EXIF data can contain the date and time of the picture and a great deal of information on the state of the camera. An image manager should provide easy access to that data, and make use of it when appropriate.

Image management also involves various types of image manipulation. At the simple end of the scale, this means quickly getting rid of the unsuccessful (or incriminating) shots, and, perhaps, changing the orientation of portrait-mode shots. Your editor has found that the family does not always appreciate receiving full-resolution images from his 7 megapixel camera, so the ability to rescale images is needed. Cropping is another common task, either to remove uninteresting imagery or to fit a specific aspect ratio. From there, one can get into color balance tweaking, red-eye removal, noise removal, in-law removal, and advanced psychedelic effects. A good image manager should make the simpler tasks quick and easy, and the harder tasks possible - even if that just involves dumping the user into the Gimp.

An image manager should work well with the rest of the system; it doesn't necessarily help to fix up an image if you can't find the result afterward. An image manager which claims ownership over images and makes them hard to find outside of the application is making life harder. Similarly, some graphical users may appreciate a "move to trash" capability, but the more grumpy among us still like files to simply go away when asked, and have no use for a trash can; an image manager should be able to make files just go away. A good image manager will make printing easy, including selecting high-quality modes, printing multiple images per page, etc. An added bonus for some users might be the ability to quickly create a web page with a set of images. The ability to write a set of images to a CD might also be useful for some.

Your editor reviewed five image management applications, and spent a long day valiantly trying to build a working version of a sixth. Each tool was used to work with its own copy of a directory hierarchy containing about 3000 photos taken over many years. This has been a fun project; there is some good work being done in this area. Free image management tools are still in a relatively primitive form, however; some of them are maturing quickly, but there is some ground yet to cover.


Your editor reviewed DigiKam once before, as part of a previous article on camera interface tools. We'll return to digiKam (and gthumb, below) to examine its image management capabilities. DigiKam is a KDE-based application under active development; version 0.7.2 was released on March 4.

DigiKam wants to organize images into "albums." An album is a simple directory full of image files, though digiKam goes out of its way to hide that fact. Files can be "imported" into an album from anywhere; if the file comes from outside the album's directory, however, a copy will be made. The importing process for a large tree of images can be slow, but it only has to be done once. A binary file (digikam.db) appears to track all of the albums known to the application.

The digiKam window shows a pane with the album hierarchy, and a large area with thumbnails from the currently-selected album. By default, the thumbnails are annotated with the size of the image (only); the presentation used consumes a relatively large amount of screen space. Double-clicking on a thumbnail will produce a new window displaying the image itself.

The left-hand pane also includes an area called "My Tags." A few predefined tags ("Events," "People") exist; adding others is easily done with the menus. Clicking on a tag will bring up all images which currently have that tag assigned to them. There appears to be no way to get a view of more than one tag at once. Tags are hierarchical, but there is no inheritance by default. So, for example, if you create tags for each family member under "People," and assign those tags to images, clicking on "People" will not display any of those images. There is a configuration option to change this behavior, however.

Assignment of tags to images is done by way of a right-button menu attached to the thumbnail images. There is also a separate "comments and tags" dialog which, in addition to tag management, allows comments to be associated with images. Both comments and tags are displayed underneath each thumbnail image.

Other dialogs available from the thumbnail view include a "file properties" window and an EXIF information browser. The properties dialog allows the name and permissions of the file to be changed; it will happily make an image file setuid if you ask. There is also a histogram display which gives information on color distribution in the image. The EXIF browser provides full (read-only) access to the metadata stored within the image file; it has a help window describing (briefly) what each EXIF field means.

The image window displays the picture itself, and provides a set of editing options. Rotation, resizing, and cropping are done here; there appears to be no way to constrain the aspect ratio of a cropped image. Rotation of images in digiKam is not optimal: each image must be brought up separately in the image window, rotated, then saved. When you've just pulled dozens of images from your camera, you would like a quicker way to get that job done. Your editor's research indicates that the image window rotation is not lossless. There is said to be a plugin available which can do lossless rotation, but your editor was not able to get it installed.

Printing is a big hole in digiKam's capabilities. There appears to be no option to print multiple images at once (much less N-per-page capabilities). The image view window can print a single image, but it requires the user to type in a print command. At this point in the development of the Linux desktop, we can do better than that.

Like most KDE applications, digiKam is highly configurable; most users will want to tweak at least a few options. By default, digiKam wants to use a "trash can" when asked to remove images, but it can be convinced to simply delete them instead. There is also a plugin mechanism which can be used to add image editing tools.

In summary, digiKam is a capable and useful tool with a few remaining shortcomings. Given its pace of development, chances are that those issues will be ironed out in short order.


Perhaps the newest entry into the image management space is f-spot, currently at version 0.0.12. It is a Mono application, written in C#. Despite its youth, f-spot already shows considerable promise, and is a useful application.

f-spot does not bother with albums, directories, or any such nonsense. Instead, it implements a single, time-sorted stream of images with the ability to sort on various types of metadata. Images must be imported into f-spot before use, and the import process can be quite slow. After the import process, the user gets a window with a list of tags on the left, an information area on the bottom left, and a large pane with (possibly thousands of) thumbnails. The thumbnails are not rendered until needed, thankfully.

A feature unique to f-spot is a timeline at the top; clicking on a given month will scroll the thumbnail window to pictures taken on that date. The timeline is not updated when the thumbnail window is scrolled, however, so the two can get out of sync. The sorting of images depends on the date stored in each image's EXIF data; if that data does not exist, the images are given the current date. There appears to be no way to fix an image with a missing date, so it will be forever displayed in the wrong place.

Clicking on a thumbnail causes the lower-left window to be updated with information on that image - date, resolution, and exposure information. Once an image has been selected, a number of editing options are available, including color manipulation, focus adjustment, and rotation. It is possible to select multiple images (by holding down the control key) and rotate them in a single operation.

There is a separate window which can be requested (from the "View" menu) to look at the EXIF information stored in an image.

f-spot allows the user to assign tags to images in a manner very similar to digiKam's. The application also implements the concept of "categories." Your editor was not able to figure out what categories are supposed to do, and how they relate to tags. It was impossible to create new top-level tags (or categories). In general, the tag mechanism appears to need a little work. At the basic level, however, it functions just fine: clicking on a tag will narrow the thumbnail to images with that tag assigned; it is also possible to narrow further to a specific date range.

It would be nice to be able to automatically attach one or more tags to images when they are imported.

Double-clicking on a thumbnail replaces the thumbnail pane with the selected image. It is, thus, not possible to view the thumbnail directory and a specific image at the same time. At the bottom of the image window is a line clearly intended for the entry of comments (though the comments are used nowhere else). There is also a pulldown for the desired aspect ratio; using the mouse, a box (constrained to the chosen ratio) can be drawn over the image, and a click on the scissors icon will crop accordingly. There is a red-eye removal option; the user must first select an area to be affected. In your editor's experience, the selection must be done very carefully, or the red-eye removal will leave obvious artifacts. Given the nature of the task, it would be nice to be able to select elliptical areas, rather than squares, for red-eye removal. There is also a color editing dialog available. Nicely, the mouse wheel will quickly zoom the image in and out.

f-spot handles image editing in an interesting way. The original image is never overwritten; instead, f-spot creates a new version (called "modified" by default). Different versions are selectable via a pulldown in the image information area. Since f-spot seems to assume you'll never do anything with the files directly, it feels free to give modified versions names like "dsc00450 (Modified (2)).jpg".

There is a full set of "export" options for getting images out of f-spot. Images can be exported, for example, to Flickr, to a web gallery, or burned to a CD. The CD writing process seems to work, though some things are unclear - does the program write the original form of an image, or the modified form? The printing support in f-spot is minimal, relative to some of the other tools reviewed here; there is little control over layout and it is easy to get it to attempt to print pages which do not fit on the paper.

f-spot shows some clear potential, especially for those who like the "tagged flat" method of organizing things. Its youth is apparent, but it would seem to be growing up fast; f-spot is worth watching.


flphoto is a simple image manager based on the FLTK toolkit. It may be suitable for those looking for a lightweight application, but it has been left behind by the competition in a number of ways. Your editor also found this application relatively easy to crash. Version v1.2 was released in January, 2004; there does not appear to have been a great deal of development activity since then.

Like digiKam, flphoto works with the concept of "albums," into which photos must be imported. Unlike digiKam, however, flphoto cannot import a whole directory hierarchy at once; instead, each directory must be fed to the application separately. An album itself is really just a ".album" file which contains a list of image file names.

The flphoto window consists primarily of an image viewing area. Thumbnails are presented in a long, horizontally scrolling window at the bottom; they show up in the order in which they were imported. Clicking on a thumbnail brings the image itself into the main part of the window. To your editor's eye, the quality of the image rendering is poorer than with other applications.

Some image editing options are available, including rotation, scaling, cropping (with aspect ratio constraints), sharpening, and red-eye reduction. There is an "edit" option which fires up the GIMP on the selected image. There is no way to rotate multiple images at once. There is a "properties" window which shows basic EXIF information and allows the entry of comments; those comments are not used for anything, however. flphoto has no concept of tags, or of searching for images in any way.

Printing works well, with a fair amount of flexibility in how images are printed, and even a simple calendar generator. There is a function for exporting images to a web page; flphoto is not able to burn images to a CD.

Overall, flphoto is a tool with some capability, but your editor would recommend that people looking for a new image management utility look elsewhere.


gthumb is a GNOME-based application; in many ways it is the most fully-featured of the set. Unlike many other image management applications, gthumb is very much directory-oriented. It is happy working with any directory tree it is pointed to; no need to create albums, import pictures, etc. It thus works well for people who use other applications in their directory hierarchy, or for those who simply want to get started quickly.

The main gthumb window should look familiar by now; it has the usual directory pane and area full of thumbnails. The gthumb "folder" pane only shows one level of the hierarchy, however, which increases the amount of clicking required to wander around in a directory tree. A number of operations can be applied to images in the thumbnail view; these include lossless rotation, series renaming, and series format conversion. There is also a tool for locating duplicate images.

Double-clicking on a thumbnail brings up the image view; it is not possible to have thumbnails and a full image on the screen simultaneously. EXIF information is available in the image view - if you happen to tell gthumb to show "comments." There are reasonable tools for scaling and cropping (with aspect ratio constraints), and a number of more advanced (but not always useful) image manipulation capabilities. There is no red-eye removal, however.

Tags in gthumb are called "categories"; they are not hierarchical. gthumb supports comments on images; it also maintains the location of the image separately. Dates for images are supported; they can be taken from the EXIF information, the file date, or entered manually. The default, however, is "no date," even if the image has EXIF metadata; getting gthumb to actually use that metadata requires bringing up a dialog for each image. There does not appear to be a way to change that unfortunate default.

gthumb has the most complete image searching capabilities of any of the tools tested; if you take the time to enter metadata for your images, quite a few search options are available. Searches can be done on any subset of the file name, the image comment (it greps for substrings), the location, the date (on, before, or after - there is no way to specify a date range bounded on both ends), and the categories assigned to the image. If you want to look for all pictures of Aunt Tillie taken at home since the beginning of the year, gthumb can do it.

While gthumb normally works with the directory hierarchy, it also implements "catalogs," which are its version of albums. Images can be added to multiple catalogs at will. A special catalog contains the results of the most recent search; those images can be added, in bulk, to another catalog if desired. Thus, the search mechanism can be used to create catalogs relatively quickly - if you have your metadata in place. "Libraries" can be used to create hierarchies of catalogs.

Printing support in gthumb is flexible, with the ability to print up to 16 pictures per page. What gthumb lacks (as do all the others) is the ability to specify advanced printing options, such as print quality and paper type. Since that is just the sort of thing one might want to adjust when printing photographs, this omission is a true shortcoming.


KimDaBa (the KDE Image Database) is the final tool which your editor was able to make work. It has some powerful capabilities, but could benefit from some usability work. KimDaBa 2.0 was released in October, 2004.

The first time a user runs KimDaBa, it asks for an image directory; all images managed by KimDaBa must be kept underneath that directory. If the number of images is large, the import process can take a very long time. When, eventually, the user quits the application, it will ask "do you want to save the changes?" without specifying what the changes are. If the user elects not to "save the changes," KimDaBa will not write its special XML file, and the whole import process must be done again the next time.

As it turns out, if you modify an image, KimDaBa will happily exit without asking about saving changes, and those changes will be lost.

The initial window is dismayingly textual for an image manager. It gives a few entries with names like "Folder" and "Locations"; the bulk of the window, however, consists of lines like "View images (1-100) 100 images." Clicking on one of those lines will bring up a thumbnail view with exactly 100 images in it. Images are sorted in no clear order; it has little to do with the date or the underlying directory structure. The default background is black (that can be changed), which is a little jarring.

KimDaBa does provide other ways of sorting images. The "Folder" line will yield a flattened, directory-oriented view. Users can assign three types of tags to images: "persons," "locations," and "keywords." There is a separate view for each type of tag, allowing quick access to all photos of a specific person, taken in a specific place, or with a given keyword attached to it. The "search" line pops up a dialog which enables a search for a combination of tags. There is also the ability to look at all images within a given date range - but the date filtering does not work in conjunction with the tags.

[KimDaBa image window] Clicking on an image pops up a window with the full image view. The image window has options for assigning tags to images and for performing rotation; there is no way to do rotation from the thumbnail view. There is also a button on the properties window which will delete the image. Amusingly, KimDaBa offers a "draw on image" option; it allows the user to add arrows, circles, and squares (in black only) to the picture. It is not clear how this capability would be useful.

KimDaBa does not provide a way to get at an image's EXIF information, though it is able to use the date found there. In fact, the application will not even display an image's resolution; there seems to be no way to get that information. There is also no option to resize an image.

There is a bizarre "lock images" function which causes the application to refuse to display them until the password is entered. Said password, as it turns out, is stored, in plain text, in the "index.xml" file. It would be better to leave out this sort of option; all it provides is a false feeling of security.

KimDaBa offers no printing options at all, no web page export, and no CD burning. There is an export operation; it creates a special file which can be imported into KimDaBa running on another system.

Work continues on KimDaBa; it appears that version 2.1 will include a plugin mechanism (presumably for image editing functions) and a date bar similar to the one provided by f-spot.


One application which your editor was unable to make work is imgSeek. It is a Python program; its unique feature is the ability to look for images which are similar to a drawing made by the user. Version 0.8.4 of imgSeek was released in September, 2004; development seems to be quite slow since then. The version of imgSeek in Debian sid does not run as of this writing. Your editor hopes that imgSeek is able to move forward; this application's developers are trying to do some interesting things.

In general, there is a lot going on in this area. Clearly the time has come for the free software world to produce some high-quality image management applications.

That said, none of the tools reviewed here can truly be said to be complete, and your editor will resist the temptation to pick a "winner" from the set. Printing support is, perhaps, the weakest area at the moment; Linux now has the capability to provide a great deal of control over printing, but the image managers are not yet using it. Still, the applications reviewed here have reached the point where they are useful tools. It will be fun to see where they go from here.


Page editor: Rebecca Sobol


Brief items

Buffer overflows in XV

April 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

What do you do about security problems in a program that isn't freely licensed, and whose maintainer has stopped responding when notified of them? One example of this is the XV image viewing and editing application. The application is getting a bit long in the tooth, to say the least. The last release is more than ten years old, but it is still shipped by Novell/SUSE (at least in 9.2), Gentoo and others. Even grumpy editors continue to find XV an attractive choice, albeit less than acceptable due to its licensing.

Several vulnerabilities have been reported in XV since its development came to a halt, including a buffer overflow last August that was not completely addressed by vendor patches. The lack of security updates from the original author, John Bradley, is something of a problem. There have been patches and updates from other sources since the last official release, but the XV page itself seems to have been last updated in March of 2001.

Greg Roelofs has released a patch that is supposed to take care of the problem in his jumbo patches to add features to XV. (Note that the vulnerability that affects XV has also been reported by Bruno Rohee to affect Gwenview and ImageMagick.)

However, this doesn't address the problem of getting the patches into the upstream version. We attempted to contact Bradley, but received no response to our e-mail. Presumably, Bradley is not particularly interested in maintaining XV at this point, but has not seen fit to release the code to anyone else for maintainership, either.

Though the code is available for XV, the license precludes another person or group from picking up maintainership of the project. XV has a "shareware" license that is relatively liberal, allowing personal use without registration, and distribution is permitted for non-commercial purposes. In short, the license allows for distribution of patches and so forth, but it does not allow for a third party to assume control of the project and give it the care and feeding it obviously needs.

Given the amount of effort that has gone into patches for XV, it would seem more logical for interested parties to turn their attention to image viewers and editors that are not encumbered by proprietary licenses. XV provides yet another cautionary tale for users considering software that is "free enough" without actually having an open source license that allows the project to be carried by users interested in its further development.


Main AGNULA Host attacked (and potentially compromised)

The main AGNULA host was attacked on April 16. Although they do not believe that the unknown attacker was successful in his attempts to install a backdoor, they are taking no chances. "However, following good security practices and common sense, we can not guarantee the integrity of the host. Since we had already planned an extensive upgrade of the server, we decided to go down the safer route: completely wipe out the system, reinstall everything from scratch and recover backup data from the day before the attempted compromise." AGNULA should be back in action by April 25.


New vulnerabilities

cvs: multiple vulnerabilities

Package(s):cvs CVE #(s):CAN-2005-0753
Created:April 18, 2005 Updated:July 13, 2005
Description: CVS (in versions prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code.
Debian DSA-742-1 cvs 2005-07-07
Fedora-Legacy FLSA:155508 cvs 2005-05-12
Ubuntu USN-117-1 cvs 2005-05-04
Red Hat RHSA-2005:387-01 cvs 2005-04-25
Gentoo 200504-16:02 cvs 2005-04-18
Slackware SSA:2005-111-01 cvs 2005-04-22
Trustix TSLSA-2005-0013 cvs 2005-04-20
Mandriva MDKSA-2005:073 cvs 2005-04-20
Fedora FEDORA-2005-330 cvs 2005-04-20
Gentoo 200504-16 cvs 2005-04-18
SuSE SUSE-SA:2005:024 cvs 2005-04-18


geneweb: insecure file operations

Package(s):geneweb CVE #(s):CAN-2005-0391
Created:April 19, 2005 Updated:April 20, 2005
Description: Tim Dijkstra discovered a problem during the upgrade of geneweb, genealogy software with a web interface. The maintainer scripts automatically converted files without checking their permissions and content, which could lead to the modification of arbitrary files.
Debian DSA-712-1 geneweb 2005-04-19


htdig: unescaped output

Package(s):htdig CVE #(s):
Created:April 19, 2005 Updated:April 20, 2005
Description: Unescaped output in htsearch and qtest causes security problems.
Fedora FEDORA-2005-367 htdig 2005-04-19


info2www: missing input sanitizing

Package(s):info2www CVE #(s):CAN-2004-1341
Created:April 19, 2005 Updated:April 20, 2005
Description: Nicolas Gregoire discovered a cross-site scripting vulnerability in info2www, a converter for info files to HTML. A malicious person could place a harmless looking link on the web that could cause arbitrary commands to be executed in a user's browser.
Debian DSA-711-1 info2www 2005-04-19


logwatch: denial of service

Package(s):logwatch CVE #(s):CAN-2005-1061
Created:April 19, 2005 Updated:April 20, 2005
Description: A bug was found in the logwatch secure script. If an attacker is able to inject an arbitrary string into the /var/log/secure file, it is possible to prevent logwatch from detecting malicious activity.
Red Hat RHSA-2005:364-01 logwatch 2005-04-19


monkeyd: multiple vulnerabilities

Package(s):monkeyd CVE #(s):
Created:April 15, 2005 Updated:April 20, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a double expansion error in monkeyd, resulting in a format string vulnerability. Ciaran McCreesh of Gentoo Linux discovered a Denial of Service vulnerability: a syntax error caused monkeyd to zero out unallocated memory should a zero-byte file be requested.
Gentoo 200504-14 monkeyd 2005-04-15


Mozilla Firefox, Mozilla Suite: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2005-0989
Created:April 19, 2005 Updated:July 18, 2005
Description: The following vulnerabilities were found and fixed in the Mozilla Suite and Mozilla Firefox:
  • Vladimir V. Perepelitsa reported a memory disclosure bug in JavaScript's regular expression string replacement when using an anonymous function as the replacement argument (CAN-2005-0989).
  • moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM nodes from the content window, allowing privilege escalation via DOM property overrides.
  • Michael Krax reported a possibility to run JavaScript code with elevated privileges through the use of javascript: favicons.
  • Michael Krax also discovered that malicious Search plugins could run JavaScript in the context of the displayed page or stealthily replace existing search plugins.
  • shutdown discovered a technique to pollute the global scope of a window in a way that persists from page to page.
  • Doron Rosenberg discovered a possibility to run JavaScript with elevated privileges when the user asks to "Show" a blocked popup that contains a JavaScript URL.
  • Finally, Georgi Guninski reported missing Install object instance checks in the native implementations of XPInstall-related JavaScript objects.
The following Firefox-specific vulnerabilities have also been discovered:
  • Kohei Yoshino discovered a new way to abuse the sidebar panel to execute JavaScript with elevated privileges.
  • Omar Khan reported that the Plugin Finder Service can be tricked to open javascript: URLs with elevated privileges.
Gentoo 200507-17 Thunderbird 2005-07-18
Fedora-Legacy FLSA:152883 mozilla 2005-05-18
Red Hat RHSA-2005:384-01 Mozilla 2005-04-28
SuSE SUSE-SA:2005:028 firefox 2005-04-27
Red Hat RHSA-2005:386-01 mozilla 2005-04-26
Slackware SSA:2005-111-04 mozilla 2005-04-22
Red Hat RHSA-2005:383-01 firefox 2005-04-21
Gentoo 200504-18 mozilla-firefox 2005-04-19


MPlayer: heap overflows

Package(s):mplayer CVE #(s):
Created:April 20, 2005 Updated:July 12, 2005
Description: Heap overflows have been found in the code handling RealMedia RTSP and Microsoft Media Services streams over TCP (MMST). By setting up a malicious server and enticing a user to use its streaming data, a remote attacker could possibly execute arbitrary code on the client computer with the permissions of the user running MPlayer.
Mandriva MDKSA-2005:115 mplayer 2005-07-11
Gentoo 200504-19 mplayer 2005-04-20


MySQL: privilege escalation

Package(s):MySQL CVE #(s):CAN-2004-0957
Created:April 14, 2005 Updated:April 20, 2005
Description: MySQL has a vulnerability in which a user with grant privileges can grant privileges in other databases. In order to use this exploit, the database must have an underscore character in the name.
Conectiva CLA-2005:947 MySQL 2005-04-20
Mandriva MDKSA-2005:070 MySQL 2005-04-12


php4: integer overflow and denial of service

Package(s):php4 CVE #(s):CAN-2005-1042 CAN-2005-1043
Created:April 14, 2005 Updated:July 13, 2005
Description: The php4 EXIF module has two vulnerabilities. An integer overflow in the exif_process_IFD_TAG() function can be exploited to cause a buffer overflow for the purpose of arbitrary code execution. EXIF headers with a large IFD nesting level can be used to cause a denial of service. Remote exploits are possible.
Fedora-Legacy FLSA:155505 php 2005-07-10
Red Hat RHSA-2005:406-01 PHP 2005-05-04
Red Hat RHSA-2005:405-01 PHP 2005-04-28
Mandriva MDKSA-2005:072 php 2005-04-18
Ubuntu USN-112-1 php4 2005-04-14


realplayer: arbitrary code execution

Package(s):realplayer helixplayer CVE #(s):CAN-2005-0755
Created:April 20, 2005 Updated:June 27, 2005
Description: RealNetworks, Inc. has fixed a security vulnerability that offered the potential for an attacker to run arbitrary or malicious code on a customer's machine. Linux RealPlayer 10 (10.0.0 - 3) and Helix Player (10.0.0 - 3) are vulnerable.
Red Hat RHSA-2005:523-01 RealPlayer 2005-06-23
Red Hat RHSA-2005:517-01 HelixPlayer 2005-06-23
Gentoo 200504-21 realplayer 2005-04-22
Red Hat RHSA-2005:394-01 RealPlayer 2005-04-20
Red Hat RHSA-2005:392-03 HelixPlayer 2005-04-20
Red Hat RHSA-2005:363-03 RealPlayer 2005-04-20
Fedora FEDORA-2005-329 HelixPlayer 2005-04-20
SuSE SUSE-SA:2005:026 RealPlayer 2005-04-20


squid: denial of service

Package(s):squid CVE #(s):CAN-2005-0718
Created:April 14, 2005 Updated:April 29, 2005
Description: Squid has a remote denial of service vulnerability that can be triggered by a remote connection abort during a PUT or POST request, leading to an eventual server crash.
SuSE SUSE-SR:2005:012 multi 2005-04-29
Mandriva MDKSA-2005:078 squid 2005-04-28
Conectiva CLA-2005:948 squid 2005-04-27
Ubuntu USN-111-1 squid 2005-04-14


vixie-cron: crontab allows any user to read another user's crontabs

Package(s):vixie-cron CVE #(s):CAN-2005-1038
Created:April 15, 2005 Updated:March 15, 2006
Description: crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. See also this Security Focus report.
Red Hat RHSA-2006:0117-01 vixie-cron 2006-03-15
Red Hat RHSA-2005:361-01 vixie-cron 2005-10-05
Fedora FEDORA-2005-320 vixie-cron 2005-04-15


XV: multiple vulnerabilities

Package(s):xv CVE #(s):
Created:April 19, 2005 Updated:July 19, 2005
Description: Greg Roelofs has reported multiple input validation errors in XV image decoders. Tavis Ormandy of the Gentoo Linux Security Audit Team has reported insufficient validation in the PDS (Planetary Data System) image decoder, format string vulnerabilities in the TIFF and PDS decoders, and insufficient protection from shell meta-characters in malformed filenames. Successful exploitation would require a victim to view a specially created image file using XV, potentially resulting in the execution of arbitrary code.
Slackware SSA:2005-195-02 xv 2005-07-15
Gentoo 200504-17 xv 2005-04-19



BCS Asia 2005 Slides and pictures

Proceeding slides and photos from the Bellua Cyber Security Asia 2005 conference are online. "44 speakers from Asia, Europe and the Americas joined Bellua Cyber Security Asia 2005 to discuss present and future information security issues through an intensive series of presentations, demonstrations and technical sessions."


Page editor: Forrest Cook

Kernel development

Brief items

Kernel release status

[Andrew Morton] The current 2.6 prepatch is 2.6.12-rc3, which was announced by Linus on April 20. This is the first such prepatch created with "git" rather than BitKeeper. The patches are mostly fixes, but there is a rework of the kobject API in there as well. The long-format changelog has the details.

There have been no -mm trees released in the last week; Andrew Morton is currently traveling (though, as can be seen from the picture to the right, not away from his computer).


Kernel development news

Quotes of the week

Looks good from your explanation, but I'm too tired to look at the code. It's 1AM, and the kids get up at 7. I'm not much of a hacker, I usually crash by 10PM these days ;^)
-- Linus Torvalds

And we should all digitally sign every single object too, and we should use 4096-bit PGP keys and unguessable passphrases that are at least 20 words in length. And we should then build a bunker 5 miles underground, encased in lead, so that somebody cannot flip a few bits with a ray-gun, and make us believe that the sha1's match when they don't. Oh, and we need to all wear aluminum propeller beanies to make sure that they don't use that ray-gun to make us do the modification _ourselves_.
-- Linus Torvalds, not impressed by SHA worries.


A very quick guide to starting with git

Linus has posted a git archive containing the 2.6.12-rc2 kernel source with a small series of patches. His current plan is to not populate that repository with the full development history reclaimed from BitKeeper. Adding the history would massively bloat the size of the repository, and git currently lacks the tools to do anything interesting with that history anyway. So the repository starts with a clean slate and goes from there.

If you want to experiment with the new setup, the steps are relatively simple. The first is to be sure that you are sufficiently interested to pull down a 120MB repository and play with bleeding-edge tools; in many cases, it might be better to wait a little longer. Should you choose to continue, the next step is to grab the latest git-pasky distribution, found at Untar it, and go through a series of steps like:

    git pull pasky

That will yield the current git, with Petr's added tools. Put said tools into your path, create a directory for the kernel tree, and run:

    git init rsync://

The command will appear to do nothing for quite some time; it will eventually pull down the entire repository and check out a copy. You'll now have a copy of the current Linus mainline tree.

Typing "git log" will print out the checkin log messages in reverse chronological order. "git pull" will update the tree to the current mainline. Just typing "git" will yield a list of possible commands. The capability is there, at this point, to check in changes, merge changes from other trees, generate patches, etc. Enjoy, but expect things to continue to change in a hurry.


Big-endian I/O memory

The kernel provides a set of functions for working easily with I/O memory. Those functions assume that the memory is stored in little-endian byte order. This assumption is usually valid - PCI peripherals, for example, are supposed to always use that ordering. There are devices out there, however, which export big-endian I/O memory. Dealing with these devices has required implementing special-purpose code in the drivers.

One of the few significant changes merged after 2.6.12-rc2 is a new set of I/O memory functions for working with big-endian devices. These functions are:

    unsigned int ioread16be(void __iomem *addr);
    unsigned int ioread32be(void __iomem *addr);
    void iowrite16be(u16 datum, void __iomem *addr);
    void iowrite32be(u32 datum, void __iomem *addr);

These functions will handle the necessary byte swapping (or lack thereof) to present properly-ordered values on the host architecture. They are exported to modules.


An introduction to KProbes

April 18, 2005

This article was contributed by Sudhanshu Goswami



KProbes is a debugging mechanism for the Linux kernel which can also be used for monitoring events inside a production system. You can use it to weed out performance bottlenecks, log specific events, trace problems etc. KProbes was developed by IBM as an underlying mechanism for another higher level tracing tool called DProbes. DProbes adds a number of features, including its own scripting language for the writing of probe handlers. However, only KProbes has been merged into the standard kernel.

In this article I will describe the implementation of KProbes as present in the kernel. KProbes depends heavily on processor-specific features and uses slightly different mechanisms depending on the architecture on which it is being executed. The following discussion pertains only to the x86 architecture, and assumes a certain familiarity with x86 interrupt and exception handling. KProbes is, however, available on the following architectures: ppc64, x86_64, sparc64 and i386.

A kernel probe is a set of handlers placed on a certain instruction address. There are two types of probes in the kernel as of now, called "KProbes" and "JProbes." A KProbe is defined by a pre-handler and a post-handler. When a KProbe is installed at a particular instruction and that instruction is executed, the pre-handler is executed just before the execution of the probed instruction. Similarly, the post-handler is executed just after the execution of the probed instruction. JProbes are used to get access to a kernel function's arguments at runtime. A JProbe is defined by a JProbe handler with the same prototype as that of the function whose arguments are to be accessed. When the probed function is executed the control is first transferred to the user-defined JProbe handler, followed by the transfer of execution to the original function. The KProbes package has been designed in such a way that tools for debugging, tracing and logging could be built by extending it.

[KProbes architecture] The figure to the right describes the architecture of KProbes. On the x86, KProbes makes use of the exception handling mechanisms and modifies the standard breakpoint, debug and a few other exception handlers for its own purpose. Most of the handling of the probes is done in the context of the breakpoint and the debug exception handlers which make up the KProbes architecture dependent layer. The KProbes architecture independent layer is the KProbes manager which is used to register and unregister probes. Users provide probe handlers in kernel modules which register probes through the KProbes manager.

KProbes Interface

The data structures and functions implementing the KProbes interface have been defined in the file <linux/kprobes.h>. The following data structure describes a KProbe.

    struct kprobe {
        struct hlist_node hlist;                    /* Internal */
        kprobe_opcode_t *addr;                      /* Address of probe */
        kprobe_pre_handler_t pre_handler;           /* Address of pre-handler */
        kprobe_post_handler_t post_handler;         /* Address of post-handler */
        kprobe_fault_handler_t fault_handler;       /* Address of fault handler */
        kprobe_break_handler_t break_handler;       /* Internal */
        kprobe_opcode_t opcode;                     /* Internal */
        kprobe_opcode_t insn[MAX_INSN_SIZE];        /* Internal */
    };

Let's first talk about registering a KProbe. Users can insert their own probe inside a running kernel by writing a kernel module which implements the pre-handler and the post-handler for the probe. In case a fault occurs while executing a probe handler function, the user can handle the fault by defining a fault-handler and passing its address in struct kprobe. The prototypes for these are defined as below.

    typedef int (*kprobe_pre_handler_t)(struct kprobe*, struct pt_regs*);
    typedef void (*kprobe_post_handler_t)(struct kprobe*, struct pt_regs*,
                  unsigned long flags);
    typedef int (*kprobe_fault_handler_t)(struct kprobe*, struct pt_regs*,
                 int trapnr);

As can be seen, the pre-handler and the post-handler both receive a reference to the probe as well as the registers saved for the context in which the probe was hit. These values can be used in the pre-handler or post-handler or, if required, they can be modified before returning control to the subsequent instruction. This also means that the same handlers can be used for multiple probe locations. The flags parameter is currently unused. The trapnr parameter (for the fault handler function) contains the exception number which occurred while handling the KProbe. A user-defined fault handler can return 0 to let KProbes handle the fault further. It returns 1 if it has handled the fault and wants to let the execution of the probe handler continue.

Note that currently the pre-handler cannot be NULL for a probe, although the use of post-handler is optional. This is considered a bug since there may be cases where the pre-handler may not be required but a post-handler is needed. In such situations the user will still have to define a pre-handler. Another bug (which can oops the kernel) is related to probes which are activated on the ret/lret instructions. Yet another bug is related to probes activated on int3 instructions. All of these problems should be fixed in the 2.6.12 release of the kernel. However, these bugs can be easily avoided so they do not present any serious issues for someone who wants to use KProbes immediately without applying patches.

The KProbe registration functions are defined as shown below.

    int register_kprobe(struct kprobe *p);
    void unregister_kprobe(struct kprobe *p);

The registration function takes a reference to the KProbe structure describing the probe. Note that the user's module which registers the probe should keep a reference to the structure until the probe is unregistered. Since access to KProbes is serialized, a probe can be registered or unregistered anytime except from inside the probe handlers themselves, which will deadlock the system. This is because probe handlers execute after the spinlock used for locking KProbes has been acquired. The same spinlock is locked just before unregistering the probe. So if an attempt is made to unregister a probe inside a probe handler the same path will try to lock the spinlock twice.

Multiple probes cannot be placed on the same address as of now. However, a patch has been submitted to the kernel mailing list which allows multiple probes to be registered at the same address through another interface. It might be included in the next release of the kernel. Until then, if such an attempt is made register_kprobe() returns -EEXIST.

JProbes are used to give access to a function's arguments at runtime. This is achieved by providing a JProbe handler with the same prototype as that of the function being probed. At runtime, when the original function is executed, control is transferred to the JProbe handler after copying the process's context. On return from the JProbe handler, the context - consisting of the process's registers and the stack - is restored, so any modifications to the context of the process in the JProbe handler are lost. The execution continues from the point at which the probe was placed with the original saved state. A JProbe is represented by the structure given below.

    struct jprobe {
        struct kprobe kp;
        kprobe_opcode_t *entry;     /* user-defined JProbe handler address */
    };

The user places the address of the function which will handle this probe in the entry field. The addr field in struct kprobe should be populated with the address of the function whose arguments are to be accessed. The functions used to register and unregister a JProbe are given below.

    int register_jprobe(struct jprobe *p);
    void unregister_jprobe(struct jprobe *p);

The JProbe handler which is written by the user should call jprobe_return() when it wants to return instead of the return statement.

KProbes Manager

The KProbes Manager is responsible for registering and unregistering KProbes and JProbes. The file kernel/kprobes.c implements the KProbes manager. Each probe is described by the struct kprobe structure and stored in a hash table hashed by the address at which the probe is placed. Access to this hash table is serialized by the spinlock kprobe_lock. This spinlock is locked before a new probe is registered, an existing probe is unregistered or when a probe is hit. This prevents these operations from executing simultaneously on a SMP machine. Whenever a probe is hit, the probe handler is called with interrupts disabled. Interrupts are disabled because handling a probe is a multiple step process which involves breakpoint handling and single-step execution of the probed instruction. There is no easy way to save the state between these operations hence interrupts are kept disabled during probe handling.

The manager is composed of these functions which are followed by a simplified description of what they do. These functions are architecture independent. A side-by-side reading of the code in kernel/kprobes.c and these steps will clarify the whole implementation.

void lock_kprobes(void)
Locks KProbes and records the CPU on which it was locked

void unlock_kprobes(void)
Resets the recorded CPU and unlocks KProbes

struct kprobe *get_kprobe(void *addr)
Using the address of the probed instruction, returns the probe from hash table

int register_kprobe(struct kprobe *p)
This function registers a probe at a given address. Registration involves copying the instruction at the probe address in a probe specific buffer. On x86 the maximum instruction size is 16 bytes hence 16 bytes are copied at the given address. Then it replaces the instruction at the probed address with the breakpoint instruction.

void unregister_kprobe(struct kprobe *p)
This function unregisters a probe. It restores the original instruction at the address and removes the probe structure from the hash table.

int register_jprobe(struct jprobe *jp)
This function registers a JProbe at a function address. JProbes use the KProbes mechanism. In the KProbe pre_handler it stores its own handler setjmp_pre_handler and in the break_handler stores the address of longjmp_break_handler. Then it registers struct kprobe jp->kp by calling register_kprobe()

void unregister_jprobe(struct jprobe *jp)
Unregisters the struct kprobe used by this JProbe

What happens when a KProbe is hit?

[Kprobe execution diagram] The steps involved in handling a probe are architecture dependent; they are handled by the functions defined in the file arch/i386/kernel/kprobes.c. After the probes are registered, the addresses at which they are active contain the breakpoint instruction (int3 on x86). As soon as execution reaches a probed address the int3 instruction is executed, causing control to reach the breakpoint handler do_int3() in arch/i386/kernel/traps.c. do_int3() is called through an interrupt gate; therefore, interrupts are disabled when control reaches it. This handler notifies KProbes that a breakpoint occurred; KProbes checks if the breakpoint was set by the registration function of KProbes. If no probe is present at the address at which the probe was hit it simply returns 0. Otherwise the registered probe function is called.
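The registration and breakpoint-dispatch sequence described above, modelled in user space as an added example (this is not code from the article or from the kernel). The one-byte toy instruction set and the names register_probe(), probe_hit() and run() are assumptions of the model; kprobe_lock, interrupt disabling and fault handling are left out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define BREAKPOINT 0xCC   /* x86 int3 opcode */
#define TEXT_SIZE  8
#define HASH_SIZE  4

/* Constructed toy machine: each instruction is one byte, and executing
 * byte b means "acc += b; ip++". It stands in for real kernel text. */
struct regs { size_t ip; unsigned acc; };
struct probe;
typedef int  (*pre_handler_t)(struct probe *, struct regs *);
typedef void (*post_handler_t)(struct probe *, struct regs *);
struct probe {
    struct probe *next;          /* hash chain (hlist in struct kprobe) */
    size_t addr;                 /* probed address: an index into text[] */
    pre_handler_t pre_handler;
    post_handler_t post_handler; /* optional */
    uint8_t opcode;              /* original instruction, saved on register */
    unsigned hits;
};

static uint8_t text[TEXT_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8};
static struct probe *table[HASH_SIZE];   /* hashed by probe address */

static struct probe *get_probe(size_t addr)
{
    struct probe *p = table[addr % HASH_SIZE];
    while (p && p->addr != addr)
        p = p->next;
    return p;
}

/* Save the original instruction, then overwrite it with the breakpoint. */
static int register_probe(struct probe *p)
{
    if (p->addr >= TEXT_SIZE || !p->pre_handler)
        return -EINVAL;          /* this model's own sanity check */
    if (get_probe(p->addr))
        return -EEXIST;          /* only one probe per address */
    p->opcode = text[p->addr];
    p->next = table[p->addr % HASH_SIZE];
    table[p->addr % HASH_SIZE] = p;
    text[p->addr] = BREAKPOINT;
    return 0;
}

/* Restore the original instruction and drop the probe from the table. */
static void unregister_probe(struct probe *p)
{
    struct probe **pp = &table[p->addr % HASH_SIZE];
    while (*pp && *pp != p)
        pp = &(*pp)->next;
    if (!*pp)
        return;                  /* was never registered */
    *pp = p->next;
    text[p->addr] = p->opcode;
}

static void exec_insn(uint8_t op, struct regs *r) { r->acc += op; r->ip++; }

/* Breakpoint path: returns 0 when the breakpoint is not a registered probe. */
static int probe_hit(struct regs *r)
{
    struct probe *p = get_probe(r->ip);
    if (!p)
        return 0;
    p->hits++;
    p->pre_handler(p, r);        /* just before the probed instruction */
    exec_insn(p->opcode, r);     /* "single-step" the saved original */
    if (p->post_handler)
        p->post_handler(p, r);   /* just after it */
    return 1;
}

/* Execute text[ip..end); returns -1 on a breakpoint nobody registered. */
static int run(struct regs *r, size_t end)
{
    while (r->ip < end && r->ip < TEXT_SIZE) {
        if (text[r->ip] != BREAKPOINT)
            exec_insn(text[r->ip], r);
        else if (!probe_hit(r))
            return -1;
    }
    return 0;
}

static unsigned seen_before, seen_after;
static int record_pre(struct probe *p, struct regs *r) { (void)p; seen_before = r->acc; return 0; }
static void record_post(struct probe *p, struct regs *r) { (void)p; seen_after = r->acc; }

int main(void)
{
    struct probe p = { .addr = 2, .pre_handler = record_pre, .post_handler = record_post };
    struct regs r = { 0, 0 };
    int rc = register_probe(&p), done = run(&r, 4);
    unregister_probe(&p);
    printf("register=%d run=%d hits=%u acc before/after=%u/%u\n", rc, done, p.hits, seen_before, seen_after);
}
```

The handlers see the accumulator on either side of the probed instruction only, and the rest of the toy program produces the same result as it would without the probe.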

What happens when a JProbe is hit?

[JProbe execution diagram] A JProbe has to transfer control to another function which has the same prototype as the function on which the probe was placed and then give back control to the original function with the same state as there was before the JProbe was executed. A JProbe leverages the mechanism used by a KProbe. Instead of calling a user-defined pre-handler a JProbe specifies its own pre-handler called setjmp_pre_handler() and uses another handler called a break_handler. This is a three-step process.

In the first step, when the breakpoint is hit control reaches kprobe_handler() which calls the JProbe pre-handler (setjmp_pre_handler()). This saves the stack contents and the registers before changing the eip to the address of the user-defined function. Then it returns 1 which tells kprobe_handler() to simply return instead of setting up single-stepping as for a KProbe. On return control reaches the user-defined function to access the arguments of the original function. When the user defined function is done it calls jprobe_return() instead of doing a normal return.

In the second step, jprobe_return() truncates the current stack frame and generates a breakpoint, which transfers control to kprobe_handler() through do_int3(). kprobe_handler() finds that the generated breakpoint address (address of int3 instruction in jprobe_handler()) does not have a registered probe; however, KProbes is active on the current CPU. It assumes that the breakpoint must have been generated by JProbes and hence calls the break_handler of the current_kprobe, which it saved earlier. The break_handler restores the stack contents and the registers that were saved before transferring control to the user-defined function, and returns.

In the third step kprobe_handler() then sets up single-stepping of the instruction at which the JProbe was set and the rest of the sequence is the same as that of a KProbe.

Possible problems

Several problems can occur when a probe is handled by KProbes. The first is that several probes may be handled in parallel on an SMP system, while all probes share a common hash table which needs to be protected against corruption. In this case kprobe_lock serializes the probe handling across processors.

Another problem occurs if a probe is placed inside KProbes code, causing KProbes to enter probe handling code recursively. This problem is taken care of in kprobe_handler() by checking if KProbes is already running on the current CPU. In this case the recursing probe is disabled silently and control returns back to the previous probe handling code.

If preemption occurs when KProbes is executing it can context switch to another process while a probe is being handled. The other process could cause another probe to fire which will cause control to reach kprobe_handler() again while the previous probe was not handled completely. This may result in disarming the new probe when KProbes discovers it's recursing. To avoid this problem, preemption is disabled when probes are handled.

Similarly, interrupts are disabled by causing the breakpoint handler and the debug handler to be invoked through interrupt gates rather than trap gates. This disables interrupts as soon as control is transferred to the breakpoint or debug handler. These changes are made in the file arch/i386/kernel/traps.c.

A fault might occur during the handling of a probe. In this case, if the user has defined a fault handler for the probe, control is transferred to the fault handler. If the user-defined fault handler returns 0 the fault is handled by the kernel. Otherwise, it's assumed that the fault was handled by the fault handler and control reaches back to the probe handlers.
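The dispatch described above (a plain KProbe hit, the three JProbe steps, and the recursion check) can be followed in a small user-space C model. This is an added illustration, not the kernel's code: the `model_*` names, the constructed addresses, and the flag standing in for the saved stack and registers are assumptions of this example, and locking, preemption and fault handling are left out.

```c
/* User-space model of the probe dispatch described in the text. This is not
 * kernel code: addresses are constructed integers, and "single-stepping" and
 * "saved stack and registers" are reduced to a counter and a flag. */
#include <stddef.h>

struct probe {
    unsigned long addr;                   /* probed address */
    int (*pre_handler)(struct probe *);   /* returning 1 skips single-stepping */
    int (*break_handler)(struct probe *); /* JProbe only: restores saved state */
    int disabled;                         /* set when the probe fired recursively */
    int hits;                             /* times the pre-handler stage was reached */
};

#define MAX_PROBES 8
#define JPROBE_RETURN_ADDR 0xdeadUL /* constructed: int3 raised when a JProbe returns */

static struct probe *table[MAX_PROBES]; /* stands in for the shared hash table */
static int nprobes;
static struct probe *current_kprobe;    /* non-NULL while a probe is being handled */
static int single_steps;                /* times single-stepping was set up */
static int state_saved;                 /* models the saved stack and registers */

void model_reset(void)
{
    nprobes = single_steps = state_saved = 0;
    current_kprobe = NULL;
}

int model_register(struct probe *p)
{
    if (nprobes == MAX_PROBES)
        return -1;
    p->disabled = p->hits = 0;
    table[nprobes++] = p;
    return 0;
}

static struct probe *lookup(unsigned long addr)
{
    for (int i = 0; i < nprobes; i++)
        if (table[i]->addr == addr && !table[i]->disabled)
            return table[i];
    return NULL;
}

/* Returns 1 if the breakpoint belonged to the probe machinery, 0 otherwise. */
int model_kprobe_handler(unsigned long addr)
{
    struct probe *p = lookup(addr);

    if (current_kprobe) {            /* already handling a probe on this CPU */
        if (p) {
            p->disabled = 1;         /* recursing probe is disarmed silently */
            return 1;
        }
        /* No probe at this address: assume a JProbe return, restore state. */
        if (current_kprobe->break_handler &&
            current_kprobe->break_handler(current_kprobe)) {
            single_steps++;          /* step 3: single-step the original insn */
            current_kprobe = NULL;
            return 1;
        }
        return 0;
    }
    if (!p)
        return 0;                    /* breakpoint was not set by registration */
    current_kprobe = p;
    p->hits++;
    if (p->pre_handler && p->pre_handler(p))
        return 1;                    /* JProbe step 1: return without single-step */
    single_steps++;                  /* plain KProbe path */
    current_kprobe = NULL;
    return 1;
}

/* JProbe step 1: save state and ask the handler to return early. */
int model_setjmp_pre_handler(struct probe *p) { (void)p; state_saved = 1; return 1; }

/* JProbe step 2: restore state; succeeds only if step 1 saved something. */
int model_break_handler(struct probe *p)
{
    int restored = state_saved;
    (void)p;
    state_saved = 0;
    return restored;
}

/* The user-defined function ends by raising a breakpoint at an unprobed address. */
int model_jprobe_return(void) { return model_kprobe_handler(JPROBE_RETURN_ADDR); }

/* A pre-handler that itself runs into a second probed address (0x2000). */
int nested_pre_handler(struct probe *p) { (void)p; model_kprobe_handler(0x2000UL); return 0; }

int main(void)
{
    struct probe jp = { 0x1000UL, model_setjmp_pre_handler, model_break_handler, 0, 0 };
    model_reset();
    model_register(&jp);
    model_kprobe_handler(0x1000UL);  /* step 1: state saved, no single-step yet */
    model_jprobe_return();           /* steps 2 and 3 */
    return !(single_steps == 1 && current_kprobe == NULL);
}
```
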


KProbes is an excellent tool for debugging and tracing; it can also be used for performance measuring. Developers can use it to trace the path of their programs inside the kernel for debugging purposes. System administrators can use it to trace events inside the kernel on production systems. KProbes can also be used for non-critical performance measurements. The current KProbes implementation, however, introduces some latency of its own in handling probes. One cause of this latency is the single kprobe_lock, which serializes the execution of probes across all CPUs on an SMP machine. Another is the mechanism used by KProbes, which takes multiple exceptions to handle a single probe. Exception handling is an expensive operation which causes its own delays. Work needs to be done in this area to improve SMP scalability and the probe handling time, to make KProbes a viable performance measuring tool.

KProbes, however, cannot be used directly for these purposes. In its raw form, a user can write a kernel module implementing the probe handlers, but higher-level tools are necessary to make it more convenient to use. Such tools could contain standard probe handlers implementing the desired features, or they could contain a means to produce probe handlers given simple descriptions of them in a scripting language like DProbes.

Related Links

An introductory article on KProbes with some examples on how to use it.
The scriptable tracing tool for Linux which works on top of KProbes.
Network Packet Tracing Patch
This patch is used to trace the path of network packets traveling through the kernel stack using DProbes.
KProbes debugfs patch
This patch lists all probes applied at any addresses through debugfs.
SysRq key for KProbes Patch
This patch enables the SysRq key to be used for listing all applied probes.
The Linux Kernel Tracing Tool - in the works.


The author would like to thank his editor Jonathan Corbet, Kalyan T.B. (HP), Siddharth Seth (IIITB) and Bharata B. Rao (HP) for going through this article, giving their feedback, comments and suggestions, and helping to improve it.


Page editor: Jonathan Corbet


News and Editorials

Checking in on Componentized Linux

April 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

It's been a while since the spotlight was on Progeny's Componentized Linux (CL), "a platform for building specialized Linux distributions," but now seems like a good time to check in on CL.

Progeny is working towards a release of Componentized Linux 3. Last week, Progeny's Ian Murdock provided a roadmap for the future of CL 3 and announced that CL was becoming a fully supported Progeny product. Previously, CL was mostly an internal technology for Progeny use, which the company also shared with the community at large as a "skunkworks" project.

Murdock was kind enough to take a few minutes out of his vacation to discuss Progeny's plans for CL, the Linux Core Consortium, the Sarge delay, Ubuntu and other topics.

The company is focusing on the Linux Standard Base 3.0 specification for CL 3 (the CL version number tracks the LSB standard it is based on). A preview of LSB 3 is out now (LSB 3.0preview2), and the final release should be out by the end of Q2, if all goes according to schedule. Progeny is adopting an 18-month release cycle for CL, to track the LSB schedule.

There are a few other changes with CL 3 as well. According to the roadmap, CL 3 adopts a "hierarchical component model," which allows a component to contain packages or other components. This allows developers to build a component from a collection of other components. The new feature will be used "to subdivide the relatively coarse-grained LSB component into a number of finer-grained components" to make the CL 3 release a "better platform for building small-footprint distros for resource-constrained or embedded environments than CL 2."

In addition to technical changes, the company is also looking at a "shift away from services, more towards a product" with CL 3 that would allow customers to create their own custom distributions. Using Progeny's "component compiler," Murdock said it should be possible for a developer to do their own custom distribution "within 20 minutes, 30 minutes." This sounds like a great tool for companies that need a customized distribution, but what about Progeny? If Progeny shifts to the product model, as opposed to direct services, how do they plan to continue to make money? By putting the development tools directly in the hands of their customers, what will they need Progeny for? Murdock said that Progeny would still deliver something of value to its customers.

Murdock said that the company is looking at delivering components "in a form of a service...delivered across some type of authenticated API," which customers would pay for over time -- a sort of subscription service. He noted that the details of this have not been worked out yet, and that Progeny wants to "compete on adding value, not on putting up arbitrary restrictions. We want people to pay us because they're getting value." He also added that if another company could deliver better service than Progeny, "we deserve what we got."

Since Componentized Linux is based on Debian Sarge, which is still unreleased, we asked if the delay had caused any problems for Progeny. Murdock said that the delay "is causing problems for all organizations that depend on Debian, [but] it doesn't affect us more than the others."

It is frustrating, we're trying to build a product that's compatible with Sarge, and we've found that people out in the world want Debian, not some derivative of Debian. In the commercial space, you have to have a predictable release cycle. It doesn't matter so much what it is, just that it's predictable.

After our conversation, Murdock noted on his weblog that Debian "needs to get Sarge out the door as soon as possible, and once Sarge is released, Debian should adopt a time-based release cycle as well. If the GNOME project can do it, there's no reason that Debian can't too."

The company is prepared, no matter what happens with the Sarge release. If Sarge has not been released by June, but the release is "imminent," the CL release may be delayed to wait for the final release. If not, Progeny will base CL Core 3.0 on "a late June snapshot of sarge and incorporate the final Sarge release into a later point release."

We were also curious about the status of the Linux Core Consortium (LCC) project, which has been oddly quiet since its inception. The project was scheduled to release the "common core" during the first quarter of this year, a target that it won't be making, according to Murdock. Part of the problem, of course, stems from the merger of LCC members Mandrake and Conectiva, which has no doubt taken some of the focus off LCC while the companies finish their integration. Murdock said that the LCC is still working towards a release, and that "it actually works out for the better anyway, because we can jump right in to LSB 3.0 without an interim 2.0 release." He also said that the LSB 18-month release cycle "is exactly what we wanted for LCC as well."

According to the roadmap, CL Core 3.0 would include the RPM platform as well as the Debian platform if the LCC development team makes its schedule.

Murdock has also recently made a few comments about the compatibility of Ubuntu packages with Debian Sarge. Murdock says that "A package built on Progeny should work on Linspire; a package built on Linspire should work on Ubuntu; a package built on Ubuntu should work on Progeny." However, Ubuntu packages do not always "just work" on Debian Sarge, which can be a problem given that Ubuntu is gaining in popularity rather quickly.

His suggestion is that Ubuntu, and others presumably, use a compatibility layer to allow packages to work on multiple Debian-based distributions. He notes that he's "a big believer" in what Ubuntu is trying to do, and also said that he's been in talks with Mark Shuttleworth of Canonical about Ubuntu and "Debian-derived distros and compatibility," and hinted that there may be an "LCC-like" effort for Debian distributions in the next few months.

Developers should be able to get their hands on the first CL 3 preview on or around April 22, according to the roadmap. The preview release will be "essentially the same as CL RC2" but with its packages updated to the current Sarge packages, and with subsequent releases tracking Sarge as it continues towards a final release.

New Releases

Debian GNU/Linux 3.0 updated (r5)

The fifth update of Debian GNU/Linux 3.0 (woody) is now available. This revision mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from won't have to update many packages and most updates from are included in this update.

Novell Ships SUSE Linux Professional 9.3

Novell, Inc. has announced the availability of SUSE LINUX Professional 9.3. "SUSE LINUX Professional 9.3 includes a leading edge Linux operating system, over 3,000 open source packages, including a complete set of desktop applications, convenient installation media, and comprehensive documentation and installation support."

SUSE Linux Live CD

SuSE Linux has released a Live CD version of SUSE LINUX Professional 9.3. From the README file: "For rich, reliable and secure home computing, there's no better choice than SUSE LINUX Professional 9.3. It provides everything today's Linux user needs for home computing and computing-on-the-go. This live DVD will boot directly from the DVD without modifying the hard disk. It enables users to learn about and test the functions and applications of this new system without installing it on the hard disk and consequently offers an easy and convenient way to review the operating system. In addition to English, German, Spanish, Italian, French, and Dutch, the LiveDVD supports a variety of other languages."

openMosix 2.6 update and AMD_Opteron Port

The openMosix Project has announced (click below) the release of openMosix version 2.6. "openMosix 2.6 moves much of the patch’s code from the kernel to user space. This brings a very significant improvement which provides improved performance, makes user land tools easier to implement, and most significantly, simplifies porting to new kernel versions including AMD Opteron, Intel EM64T, and PowerPPC." openMosix extensions are used by distributions such as ClusterKnoppix, Sentinix, PlumpOS and CHAOS.

Breezy suite now open for business

Ubuntu has the first bleeding edge version of the Breezy Badger ready for testing.

Trustix Secure Linux 3.0 beta

Trustix Secure Linux 3.0 beta is out. "Our rapidly expanding new customer base has meant we only had to concentrate on one area of improvement - making installation really, really simple. "Viper" our new installer should meet everyone's needs....customers old and new, and many new features are ideal for our growing enterprise community."

Red Hat launches Hindi Linux in MP

The Hindu notes the release of a Hindi version of Red Hat Enterprise Linux v.4 in Madhya Pradesh. "While crossing over language barriers, local language desktops will ensure that benefits are available to millions of Indians who otherwise have no access to expensive proprietary desktop systems that have interfaces in English, Red Hat India Enterprise sales head, Sachin Dabir told reporters here."

Distribution News

A Componentized Linux roadmap

Ian Murdock has posted a lengthy roadmap for Componentized Linux on his weblog. "Beginning with 3.0, the LSB is adopting an 18-month release cycle, with periodic point releases as necessary that don't break compatibility and/or certifications. We will closely track the LSB with CL Core (a.k.a. the LSB component), adopting a synchronized 18-month release cycle and version numbering scheme to match the LSB specification CL implements. Thus, we will release and LSB-certify CL Core 3.0 in July 2005."

Mandriva (ex Mandrake) Linux LE2005 now on mirrors

Mandrivalinux Limited Edition 2005 is available for download on about one hundred FTP mirrors worldwide.

Ubuntu Hardened volunteers recruitment

The Ubuntu Hardened project is seeking volunteers. "If you think you have something to contribute with or you just want to know the experience of working with people with common goals, ideas and wishes of learning and contributing to Ubuntu Linux (and also Debian in the long term), don't hesitate and drop us a line."

New Distributions


Archie is a complete live Arch linux system (originally based on v0.7) to be run from a CD/USB, built with the KISS philosophy in mind. This is a full Arch Linux system, while striving for the fastest performance with no extensive bloating. Archie uses its own hardware detection tool (lshwd) and supports a wide range of hardware with low detection time. Archie also provides extended features like multi-lingual, nesting capabilities and hd-install. Here's the announcement for Archie v0.4.1.

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for April 19, 2005 looks at old bug reports, Debian based Desktops in Munich, an interview with Branden Robinson, the Woody update, Debian Kernel Team meetings on IRC, and much more.

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of April 18, 2005 is out. This week's edition looks at documentation project updates including a USB Guide, a paper on configuring Fluxbox, and Sparc documentation, and the Gentoo Releng Team meeting looking at the 2005.0 release, new official Gentoo IRC channels, and several other topics.

DistroWatch Weekly, Issue 96

The DistroWatch Weekly for April 18, 2005 is out. This week's topics include Viva VIA, Brazil - Domino Theory Revisited, Ian Murdock on Ubuntu and more.

Minor distribution updates

BLAG30000 Released

BLAG Linux and GNU has released BLAG30000. This 100% Free Software distribution is based on Fedora Core 3 plus updates, and extra applications from Dag, Freshrpms, NewRPMS and custom packages.

Libranet 3.0 released

Libranet has announced the release of Libranet 3.0. "At last the long awaited Libranet 3.0 is released. Libranet 3.0 represents a considerable investment on the part of the Libranet developers. We hope you will be able to show your support for Libranet and purchase this most excellent distribution."

Package updates

Fedora Core 3 updates

This update covers upgrades, bug fixes and some license changes to fifteen packages: dbh-1.0.22-3.fc3, libxfce4util-4.2.1-3.fc3, libxfcegui4-4.2.1-4.fc3, libxfce4mcs-4.2.1-3.fc3, xfce-mcs-manager-4.2.1-3.fc3, xfce4-panel-, xfce4-iconbox-4.2.1-3.fc3, xfce4-systray-4.2.1-4.fc3, xfce-utils-4.2.1-3.fc3, xffm-4.2.1-5.fc3, xfwm4-4.2.1-5.fc3, xfce-mcs-plugins-4.2.1-4.fc3, xfwm4-themes-4.2.1-3.fc3, xfdesktop-4.2.1-3.fc3, xfprint-4.2.1-3.fc3.

More updates: at-3.1.8-70_FC3 (fixes a call to pam_setcred), aspell-bg-0.50-8.fc3 (removes false words), urw-fonts-2.3-0.FC3.1 (update to 1.0.7pre40), alsa-lib-1.0.6-8.FC3 (fix for ICH6 family), foomatic-3.0.2-13.4 (minor bug fixes).

Mandriva update to kdelibs

Mandriva updates kdelibs, fixing various bugs for Mandrivalinux 10.1.

Newsletters and articles of interest

Linux Distribution Tames Chaos (Wired)

Wired News takes a look at Chaos. "In early 2004, Chaos emerged as a Linux distribution that could be booted from either a CD-ROM or a network. It turned an ordinary Pentium computer into a working openMosix node. OpenMosix is software that is added to the Linux kernel that allows computers running Linux to work together in a cluster. With a cluster of nodes (or PCs) linked together, the master node can serve processes to them, drastically reducing the time needed to complete a specific task -- and without touching the computer's hard drive."

Bastille Linux update: Hardening the OS with help from Uncle Sam (NewsForge)

NewsForge has an interview with Bastille Linux project leader Jay Beale. "NF: You mentioned recently that Bastille Linux has been under major development -- please talk a little bit about what is happening. Beale: Until today, Bastille could only harden or "lock down" systems. It did this by deactivating unnecessary operating system components and better configuring the ones that remained. It took proactive steps to make a system harder to compromise, reducing the probability that the next item in the attacker's toolkit will be successful against your system. We've just finished adding reporting functionality to Bastille, so that it can tell you what parts of the system aren't locked down."

Mandriva's Limited Edition 2005 Brings The Ultimate To Linux Enthusiasts (LinuxElectrons)

LinuxElectrons takes a quick look at Mandrivalinux Limited Edition 2005. "Linux power users will welcome the advanced Web experience, enhanced hardware compatibility and expanded development options brought by Limited Edition 2005, along with significant performance gains. Firefox 1.0.2 offers the most advanced Web browsing experience, with multi-tabbed navigation, pop-up blocking, increased speed, and unmatched security. Limited Edition also offers the RSS reader Akregator. RSS is a format used to simplify the aggregation and syndication of Web content. RSS feeds contain news and updates from websites and blogs, providing personalized access to information."

Distribution reviews

Linux in Government: Linux Desktop Reviews, Part 6 - Ubuntu (Linux Journal)

Linux Journal looks at the suitability of Ubuntu for an Enterprise Desktop. "I anticipate that Ubuntu will become the mainstream Linux distribution globally. As the saying goes, though, only time will tell. However, if you do your due diligence on the company, the sponsor, the spirit of innovation and success of the Ubuntu people, you probably will come to the same conclusion. All the elements have gone into play for rapid success. As they say in my part of the country, this dog can hunt. In addition, it can point and win a show or two if need be."

411 on 2005 (

Tuxmachines reviews Mandrivalinux 2005 Limited Edition. "The list of included applications and desktop environments is as always unsurpassed. This release of Mandriva is definitely a step in the right direction for Mandrivalinux. I was impressed by the speed of operations and the stability of the system. I haven't felt this good about a Mandrake/Mandriva release in a long time. One might miss the bleeding edge applications until they work within this new stable release, then one can appreciate the effort Mandriva is making to eliminate bugs and provide a reliable system."

Linux Made Easy: Linspire 5.0 (ExtremeTech)

ExtremeTech reviews Linspire Five-0. "This release of Linspire comes with a brand new look and feel. We found it to be slick and easy on the eyes. The Linspire desktop is well organized and has everything you need to get started using the operating system, including the usual My Computer, browser, email, and printer icons."

CentOS 4 Offers Strong RHEL Alternative (LinuxPlanet)

LinuxPlanet reviews CentOS 4. "Likely many CentOS users will fall into the category of Fedora users that need better stability but don't want to pay any more than they are paying for Fedora, i.e. Free. While I'm a huge fan of Fedora, it can be a difficult distribution to put in place and maintain for servers (in my case app and file servers) that you really don't want to have to fully upgrade up to three times a year. I suspect that for many technically adept small enterprise users, CentOS 4 will fit the bill as a stable and reliable enterprise Linux offering."

Page editor: Rebecca Sobol


Debugging free Java with SableVM and Eclipse

April 20, 2005

This article was contributed by Grzegorz B. Prokopski

The SableVM Project involves the development of a liberally-licensed free virtual machine for Java. SableVM has just made a preview release branch of SableVM that supports the JVMDI (Java Virtual Machine Debugging Interface) and JDWP (Java Debug Wire Protocol). These standard protocols are commonly used by tools like Eclipse (see the screen shots) to provide a rich and user-friendly system with visual debugging support.

This release is an important breakthrough because SableVM is the first Open Source Java virtual machine that supports these protocols. This support is most important for the development of basic class libraries, like those of GNU Classpath.

Normal Open Source applications can usually be debugged with a non-free Java Virtual Machine. This method does not work with the most basic class libraries, because to debug them, one needs a Virtual Machine that actually runs on them. In other words, one needs a Java Virtual Machine that runs with free Java libraries, like GNU Classpath, and talks via JVMDI and JDWP. This is exactly what this release of SableVM provides.

The implementation of the Java Virtual Machine Debug Interface (JVMDI) has been a considerable effort. It took a year of one person's work to complete SableVM. The code was created in a modular and extensible manner. The high quality of the SableVM source code is rarely encountered even in much smaller projects. Also, SableVM is an interpreter, so accessing the many structures and implementing the special mechanisms required by JVMDI was much easier than in a virtual machine featuring a Just-In-Time compiler (JIT). This might be one of the reasons why no other Java virtual machines have had this feature implemented.

SableVM's implementation is not yet fully finished, which is why this is a preview release. But the code that is there already allows for all of the standard operations like setting breakpoints, inspecting the stack and values of variables, and more.

The installation of a debug-enabled SableVM snapshot is rather painless; the Quick Start instructions are provided along with the Troubleshooting FAQ. As always, SableVM developers and users will gladly provide any needed support via the mailing lists.

Bugs in the Free Java -- run for your life!

System Applications

Audio Projects

Planet CCRMA Changes

The latest changes from the Planet CCRMA audio utility packaging project include new versions of the rtirq startup script, Fedora Core 3 releases of Libcddb, Libcdio, Vcdimager, Libdvdread, Dvdauthor, OpenEXR, LCMS, Cinepaint, Libjackasyn, and more.

Database Software

Glom 0.8.22 announced

Version 0.8.22 of Glom, a database table design application, is out with bug fixes and lots of new features and capabilities.

PostgreSQL Weekly News

The April 17, 2005 edition of the PostgreSQL Weekly News is online with new PostgreSQL database articles and resources.


Samba 3.0.14a Available for Download

Version 3.0.14a of Samba has been released with bug fixes. "Samba 3.0.14a is the latest stable release of Samba. This is the version that production Samba servers should be running for all current bug-fixes."

Samba 3.0.15pre2 Available for Download

Version 3.0.15pre2 of Samba has been released. "Samba 3.0.15pre2 is a preview release of the Samba 3.0.15 code base and is provided for testing only. This release is not intended for production servers. However, there have been several bug fixes and new features added since 3.0.14a that we feel are important to make available to the Samba community for wider testing. There are still more changes planned before the final 3.0.15 release."


libannodex 0.6.2 released

Version 0.6.2 of libannodex has been released; it has several new API calls and bug fixes. "libannodex is a C library providing a simple programming interface for reading and writing Annodex media. Annodex is an open standards based technology that extends the World Wide Web's hyperlinking, searching, and compositing infrastructure to time-continuous data, enabling video surfing, searching for clips of audio and video files using ordinary Web search engines, and on-the-fly composition of a video on a Web server from previously annodexed clips."


AFPL Ghostscript 8.51

Version 8.51 of the AFPL Ghostscript PostScript interpreter has been announced. "Artifex Software, Inc. and artofcode LLC are pleased to announce the release of AFPL Ghostscript 8.51. This is a maintenance release in the new stable series. It contains numerous bug fixes and improvements, particularly in the area of PDF 1.6 handling. We recommend upgrading to all our free users."

Web Site Development

The buzz about Apache Beehive (IBM developerWorks)

Kunal Mittal writes about Apache Beehive on IBM developerWorks. "Beehive is a new Apache project that simplifies Java™ 2 Platform, Enterprise Edition (J2EE) and Web services programming. This article shows how to get started with Beehive and offers a sneak preview of Pollinate, an Eclipse plug-in that creates Beehive applications."

Catalyst MVC Web Framework 5.00 Released (use Perl)

Version 5.00 of the Catalyst MVC Web Framework has been announced. "The Catalyst development team is proud to announce the release of Catalyst version 5. Catalyst is an "Elegant MVC Web Application Framework", which means it provides an easy-to-use API for gluing together database models (Class::DBI), web templates (Template Toolkit, Mason), and your custom web actions/controllers and running it all on your web server."

mod_annodex 0.2.2 released

Version 0.2.2 of mod_annodex, an Apache module that supports annodex media, is available with new capabilities, code improvements, and bug fixes.

phpBB 2.0.14 released (SourceForge)

Version 2.0.14 of phpBB, a web-based bulletin board package, has been announced. "This release addresses some bugfixes as well as fixing some minor non-critical security issues."

Web Services

Introduction to Web Services for Remote Portlets (IBM developerWorks)

Bryan Castle introduces WSRP on IBM developerWorks. "Get an introduction to Web Services for Remote Portlets (WSRP), a specification which defines how to leverage SOAP-based Web services that generate mark-up fragments within a portal application. By defining a set of common interfaces, WSRP allows portals to display remotely-running portlets inside their pages without requiring any additional programming by the portal developers. To the end-user, it appears that the portlet is running locally within their portal, but in reality the portlet resides in a remotely-running portlet container, and interaction occurs through the exchange of SOAP messages."

Desktop Applications

Audio Applications

Ardour 0.9beta29 released

Version 0.9beta29 of Ardour, a multi-track audio recording package, has been released: "Another massive set of fixes, changes etc. before we reach 0.99".

Desktop Environments

The GNOME Desktop and Developer Platform version 2.10.1

The first point release of the stable 2.10.x series of GNOME is available. "This is the first in a series of stable releases containing bugfixes, translation updates and other improvements."

Dropline GNOME 2.10.1 Released (GnomeDesktop)

Version 2.10.1 of Dropline GNOME, a version of GNOME for the Slackware distribution, has been announced. "Most of the changes were bugfix updates from We've also updated a few other non-GNOME components (such as Firefox 1.0.3) as well."

KDE CVS-Digest (KDE.News)

The April 15, 2005 edition of the KDE CVS-Digest is online, here's the content summary: "digiKam adds two new effects plugins: blowup and photograph inpainting. Kmail import filters: Evolution, Thunderbird, Sylpheed Claws and maildir. KChart can export charts as bitmap files. KOffice gets new icons."


GTKWave 1.3.58 is out

Version 1.3.58 of GTKWave is available. "GTKWave is a fully featured GTK+ based wave viewer for Unix and Win32 which reads LXT, LXT2, and VZT files as well as standard Verilog VCD/EVCD files and allows their viewing."


Eris 1.3.4 Released

Version 1.3.4 of Eris is available from the WorldForge game project. "Eris is the WorldForge client-side session layer, used by many existing clients. This release fixes bugs, improves the API and addresses some internal issues discovered since the previous version. The test code now works reliably on all platforms it has been built on, and the coverage of the tests has been extended. This is a development release, as the API will change prior to the final release of Eris 1.4.0. That said, any API changes should be minor and easy to incorporate into clients - testing is recommended and appreciated."



Making a plastic texture with The GIMP (NewsForge)

Jozsef Mak makes textures with the GIMP in a NewsForge article. "I got the idea for this project during a visit to a jewelry art exhibition. The artwork on display incorporated an amazing range of unconventional media, including rusted iron, precious stones and metals, wood, plastic, and the like. One of the most interesting creations among the "wearable art pieces" was a plastic object with a satin finish. I liked this satin effect so much that I decided to re-create it as a graphic material using the GIMP."



Wine Release 20050419

Release 20050419 of Wine has been announced. Changes include Mailslot support, support for side mouse buttons, Richedit improvements, loading of Windows registry files disabled, code cleanups and bug fixes.


Music Applications

Amuc - the Amsterdam Music Composer

Amuc is a new music composition application. "It is stand-alone and only needs X-windows and OSS- or ALSA drivers. You get the choice among 6 real-time instruments and 6 sampled percussion instruments. Except real-time sound you can export WAVE files and MIDI files for further processing."


Office Suites build 1.9.92 released

Build 1.9.92 of has been released. It features numerous bug fixes and several new features.


Web Browsers

Mozilla Firefox 1.0.3/Suite 1.7.7 Released (MozillaZine)

MozillaZine reports that Firefox 1.0.3 and Mozilla 1.7.7 are out. There are some worthwhile security fixes, but also the possibility of broken extensions.


Zack Rusin to Finish Integrating Mozilla Firefox with KDE (MozillaZine)

MozillaZine looks at the effort to get Mozilla Firefox integrated with KDE. "Zack writes: "So anyway, getting back on track: probably very soon I'll start committing code again and will be finishing KDE integrated Firefox because some of the KDE folks asked me for it." He also attacks those who say the Mozilla code is too complicated. Together with Lars Knoll, Zack was a member of the 'Kecko' team that started working on getting Mozilla running natively on KDE at the aKademy 2004 conference last year. When completed, the work of the Kecko hackers will also allow Gecko to run as a KPart (reusable KDE component) that can be used in any KDE application."


Mozilla Gains Canvas Element Support (MozillaZine)

MozillaZine covers the addition of canvas support to Mozilla. "Stuart "pavlov" Parmenter reports that support for the HTML canvas element has been checked in to Mozilla. This new element allows Web content providers to use scripting to draw arbitrary bitmap graphics on to a designated area of a webpage. The canvas element is part of the Web Applications 1.0 specification, which is being created by the Web Hypertext Application Technology Working Group."


Mozilla Firefox Spatial Navigation Builds (MozillaZine)

Spatial Navigation builds of Mozilla Firefox are available. "The spatial navigation feature lets you select links by holding Shift+Alt and one of the four cursor keys. The links are selected based on their visual position on the page rather than their position in the HTML source code."


Minutes of the Staff Meeting of Monday 28th March 2005 (MozillaZine)

The minutes from the March 28, 2005 staff meeting have been announced. "Issues discussed include Mozilla Firefox 1.0.2, Mozilla Thunderbird 1.0.2, Mozilla 1.7.6 and"


Minutes of the Staff Meeting of Monday 11th April 2005 (MozillaZine)

The minutes from the April 11, 2005 staff meeting have been announced. "Issues discussed include Mozilla Firefox 1.0.3, Mozilla 1.7.7, Mozilla Thunderbird 1.0.3, Mozilla 1.7.6, Mozilla Firefox 1.1 and Mozilla Thunderbird 1.1."



Nvu 1.0 Preview Release Available (MozillaZine)

A preview release of Nvu 1.0, a web authoring system, has been announced. "This version includes full support for editing HTML 4.01 Strict, HTML 4.01 Transitional, XHTML 1.0 Strict and XHTML 1.0 Transitional documents. There's also new help content and a user guide. In addition, many other bugs have been fixed."


Languages and Tools


Caml Weekly News

The April 12-19, 2005 edition of the Caml Weekly News is online with another round of Caml language articles.



JSF conversion and validation (IBM developerWorks)

Rick Hightower and Paul Tabor discuss Java Server Faces on IBM developerWorks. "Java Server Faces (JSF) provides a standard conversion, validation, and messaging framework that accommodates most form-processing needs while ensuring data-model integrity. In this third article in the JSF for nonbelievers series, Paul Tabor and Rick Hightower show you how simple it can be to plug-in your own custom flavor of conversion or validation, even for complicated applications."


Using the Strategy Design Pattern for Sorting POJOs (O'Reilly)

Olexiy Prohorenko writes about the Strategy Design Pattern on O'Reilly. "I wouldn't be exaggerating if I said that all of us use POJO's—"Plain Old Java Objects"— in our everyday application development. We use them with Hibernate or with entity beans, sometimes we use them as simple transfer (value) objects, and we use them while creating domain models. But what is POJO itself?"


Taming Tiger: Beyond the basics of enumerated types (IBM developerWorks)

John Zukowski covers enumerated types on IBM developerWorks. "In this month's Taming Tiger, columnist John Zukowski explains how to work with enumerated classes and their predefined methods and shows how to add constructors, override methods, and have instance variables."



This Fortnight in Perl 6 (O'Reilly)

The April 4-11, 2005 edition of This Fortnight in Perl 6 is online with the latest Perl 6 discussions and news.


Building Good CPAN Modules (O'Reilly)

Rob Kinyon explains techniques for making good Perl modules for the CPAN site in an O'Reilly article. "When you are planning to release a module to CPAN, one of your first tasks is to figure out what OS, Perl version(s), and other environments you will and will not support. Often, the answers will come from what you can and cannot support, based on the features you want to provide and the modules and libraries you have used. Many CPAN modules, however, unintentionally limit the places where they can work. There are several steps you can take to remove those limitations."



Dr. Dobb's Python-URL!

The April 18, 2005 edition of Dr. Dobb's Python-URL! is online with the week's Python article roundup.



Ruby Weekly News

The April 17, 2005 edition of the Ruby Weekly News has been posted. It summarizes the ruby-talk mailing list.



Dr. Dobb's Tcl-URL!

The April 17, 2005 edition of Dr. Dobb's Tcl-URL! is online with a new collection of Tcl/Tk articles.



XML Matters: Program with SVG (IBM developerWorks)

David Mertz works with SVG on IBM developerWorks. "Scalable Vector Graphics (SVG) is an XML format that describes scale-independent graphics, with good support in free software and commercial tools. In this installment, David introduces scripting and animation with SVG, and touches on manipulating SVG through DOM. Because SVG is XML, it lends itself to transformation and/or generation with any of the tools and libraries you might use for XML generally."


XML Namespaces Don't Need URIs (O'Reilly)

Michael Day discusses XML Namespace issues on O'Reilly. "The decision to identify XML namespaces with URIs was an architectural mistake that has caused much suffering for XML users and needless complexity for XML tools. Removing namespace URIs altogether and simply using namespace prefixes to identify namespaces would make it easier for people as well as software to read, write, and process XML."


Going Native, Part 2 (O'Reilly)

Ronald Bourret continues his O'Reilly series on native XML databases with part two. "The second major use of native XML databases is data integration. XML is well-suited to data integration because of its flexible data model and machine-neutral text format. In addition, XQuery is a good data integration language because of its ease of use, support for transformations, and ability to join data from different documents (data sources). Finally, there are a large number of tools for converting data from various formats to XML."


Cross Assemblers

gputils 0.13.1 Released

Version 0.13.1 of gputils, a collection of tools for working with Microchip PIC microcontrollers, is available. The comments say: "Fixed bugs."


Page editor: Forrest Cook

Linux in the news

Recommended Reading

Getting Flat, Part 1 (Linux Journal)

Doc Searls digs into It's a Flat World, After All, by Tom Friedman. "The two-part format also works thematically. The first part deals with Tom Friedman's treatment of Linux and open source. The second will deal with the solutions to flat-world challenges he hopes will come from both large companies and our educational system."


Fighting anti-Linux FUD, part 263 (NewsForge)

Joe Barr isolates the FUD from a recent Info-Tech Poll on IT Priorities. "But Koelsch contradicted himself. Earlier in the conversation, when he was justifying the use of "most," he said "there's another large portion, another 15 percent, that aren't sure." Never mind that he changed that portion size from 14 to 15 percent. Look at the way he describes it. In Koelsch's world, 10 percent deciding to implement Linux is tiny, while 14 percent uncertain is large. The size seems to depend not on the actual percentage, but on what's being sold."


Lack of developers delays (ComputerWorld)

ComputerWorld reports from the miniconf, where some problems were discussed. "Sun Microsystems' chief technology evangelist Simon Phipps acknowledged the challenges faces and put it down to its monolithic code base rather than Sun's contribution governance. 'For something that was originally written for Windows 3.1 and OS/2, the fact that it now runs on Linux and Solaris is a significant achievement,' Phipps said.... 'Ask IBM why it uses OpenOffice but doesn't contribute to it,' he said."


Trade Shows and Conferences

LWCE Toronto: Day 1 (NewsForge)

NewsForge reports from LinuxWorld Conference and Expo in Toronto. "The first day of Toronto's LinuxWorld Conference and Expo was made up of a pair of 3-hour long tutorial sessions on various networking and Linux related topics. I selected from among the list of available sessions System & Network Monitoring with Open Source Tools for the morning and Applying Open Source Software Practices to Government Software for the afternoon. Unfortunately, the latter was cancelled at the last minute and I went to Moving to the Linux Business Desktop instead."


LWCE Toronto: Day 2 (NewsForge)

NewsForge covers LinuxWorld in Toronto. "LinuxWorld Day 2 started at 08:30 with another round of sessions. The day was broken down into one-hour blocks. I attended several, starting with Dee-Ann LeBlanc's presentation on "Linux for Dummies" and keynotes by HP Canada's Paul Tsaparis and Novell's David Patrick."


MySQL Users Conference Press Releases

Here are the Monday press releases from the MySQL Users Conference:


The 12th VistA Community Meeting (LinuxMedNews)

LinuxMedNews covers the 12th VistA Community Meeting, which was held in Boston on April 7-10, 2005. "There were many, many goings on at the event, including installation workshops, histories of VistA and MUMPS as well as major announcements by the Pacific Telehealth and Technology Hui of the formation of the VistA Institute and Medsphere's enhancements to the VA fileman."


The SCO Problem

SCO Posts Loss, Revenue Down -- What Else is New? (Groklaw)

Groklaw looks at the latest SCO financial results. "The Lindon, Utah, company posted a net loss of $2.96 million, or 17 cents a share, in the fiscal first quarter ended Jan. 31, compared with a loss of $2.49 million, or 18 cents a share, a year earlier."


SCO blames Groklaw for IP licensing disappointment (CBR)

According to Computer Business Review, SCO has figured out its problems: it's all Groklaw's fault. "So who is Pamela Jones? [Darl] McBride would not say. 'We're still digging to the bottom of this. I think once we have all of the facts complete we'll be glad to do [share] that,' he said. Perhaps the bigger question might be why SCO, a company McBride claimed is 'steadfastly focused on winning in both the court room and in the market place' is so concerned with what a small community web site thinks about its claims."


SCO's 1Q 2005 Earnings Conference Call (Groklaw)

Groklaw has assembled a transcript (with accompanying mp3 audio) from the recent SCO 1Q conference call. "My overview impression of the call is that it was an attempt to resurrect SCO's old bullying persona, to go back to the "good old days", when a few companies bought SCOsource licenses and we were all under the impression the litigation was about Linux, and the stock went flying. Is it about Linux? You tell me. If you say it is, kindly also inform me exactly what code is allegedly infringing will you? With specificity? My inquiring mind wants to know. We've been asking that question for two years now. Silence from SCO. Or evidence the judge found not credible."


The SCO Boomerang and the Strength of Linux (CIO Today)

Groklaw's Pamela Jones has written an article on CIO Today that discusses how the SCO case may have actually helped the growth of Linux. "Linux is growing by leaps and bounds. If Microsoft's anti-Linux campaign got one thing right, it's when it said it was like "a cancer" -- only not the way they meant it. It was trying to say something mean, and inaccurate, about the GPL, the license under which Linux is made available. But in reality, Linux really does seem to be growing at an unstoppable pace. I believe the SCO case, while designed to slow Linux adoption, actually might have encouraged it. I call it the SCO Boomerang."



Macromedia, Adobe make peace for bigger fight

This article covers Adobe's acquisition of Macromedia. "Today, analysts expect the upcoming presentation environment in Windows, which includes an XML-based language called XAML (Extensible Application Markup Language), to be able to do many of the things that Macromedia's Flash and Adobe's Acrobat software do. Microsoft's tools are optimized for Windows, while Adobe and Macromedia have been committed to a more diverse desktop environment including the Mac OS and now Linux."



Big-ticket software gets a haircut

This article reports on a slowdown in sales growth for big-ticket server software, partly as a result of open-source alternatives. "The middleware category that is seeing the most price pressure is application servers, software that runs custom-written programs and handles transactions. On top of JBoss, there are other open-source application servers in the market, including Jonas and Geronimo, which are based on the Java 2 Enterprise Edition, or J2EE, standard. Gartner forecasts that the total revenue from application server license sales will start to decline in 2006."


Linux Adoption

Brazil is pressing for free software (azcentral)

azcentral looks at Brazil's PC Conectado program. "By the end of April, the government plans to roll out a ballyhooed program called PC Conectado, or Connected PC, aimed at helping millions of low-income Brazilians buy their first computers. If the president's top technology adviser gets his way, the program may offer computers only with free software, including the operating system, instead of giving consumers the option of paying more for, say, a basic edition of Microsoft Windows."


City of Munich picks its Linux distro (ZDNet UK)

ZDNet UK reports that the City of Munich has chosen to migrate its 14,000 desktops to Debian. "Munich's migration from Microsoft Windows NT to Linux on the desktop was given final approval in June last year, after a year-long pilot project run by SuSE Linux and IBM. The contract for the project was put out to tender in the summer and the City said it considered several alternatives before choosing Debian, which it said offered the best solution in terms of technical competence and price."


Linux at Work

Key Medical Workstation Client Runs on Linux (LinuxMedNews)

LinuxMedNews looks at the use of Linux by the US Veterans Administration. "As many as 98,000 people die each year as a result of preventable medical errors which Free and Open Source electronic medical records software could reduce. A contender in this area is the Veterans Administration (VA) public domain VistA codebase and large community. In a major advance for FOSS in medicine, Joseph Dal Molin of WorldVistA reports success in getting the VA Computerized Patient Record System (CPRS) VistA client running on Linux."



Project of the Week: Kubuntu (OSDir)

OSDir has named Kubuntu Project of the Week and celebrates with an interview with Andreas Müller and Jonathan Riddell. "Andreas Mueller: As foundation-stone for kubuntu's success, it's the success/simplicity of the rock solid base of Ubuntu's Desktop. KDE with its version 3.4 improved the accessibility on the applications layer. Last not least, is the great community behind Ubuntu/Kubuntu." (Found on KDE.News)


Project of the Week: Quanta Plus (OSDir)

OSDir interviews Eric Laffoon, project leader of Quanta+. "Quanta Plus, or Quanta+, is a web development tool for KDE. Its features include dynamic preview, project management support, templates, multiple toolbars, multiple syntax support, and more. It is modular in design and integrates well with KDE's KIO slaves."


MySQL Founders: Kill All the Patents (eWeek)

eWeek talks with MySQL founders David Axmark and Michael "Monty" Widenius about MySQL 5.0 and software patents. "The duo sat down with Database Editor Lisa Vaas after their opening keynote at MySQL AB's third user conference Tuesday. They were bullish on the upcoming enterprise-class features of 5.0 and on their beloved community, upon which the company relies for scrupulous bug fixing, but they also had some choice words for what they consider the undemocratic notion of software patents."


A Chat with PostgreSQL (OSDir)

OSDir talks with PostgreSQL developers. "When most people think of open source database products what comes to mind more often than not is MySQL. But that is changing in the enterprise market, and among demanding developers. The PostgreSQL project has been steadily clawing its way up the ladder in mindwidth since its inception almost ten years ago. Many say they've changed from MySQL to PostgreSQL and never looked back. I recently had a chance to chat with a few of the project's dedicated developers."


Interview: Fred Trotter on Medical Billing (LinuxMedNews)

LinuxMedNews interviews Fred Trotter of the FreeB medical billing project. "LMN: Why should we care about Free and Open Source medical billing software versus non-free? FT: ...There are two main reasons that people want FOSS. The Free Software people really care about the problem of software licenses being used to control people. The Open Source people are more focused on the benefits of having a more streamlined and efficient development model. Those two reasons apply to medical software in spades. Medical computing is critical to lives of individuals and a society. As such, the licenses that govern medical software should be in the interest of individuals and society, rather than the companies that write the software."



The Daemon, the GNU and the Penguin - by Peter H. Salus - Ch. 2 & 3 (Groklaw)

Groklaw presents chapters 2 and 3 of The Daemon, the GNU and the Penguin, a History of Free and Open Source, by Dr. Peter H. Salus. "In spring 1969, AT&T decided to terminate its involvement in a project called Multics -- Multiplexed Information and Computing Service -- which had been started in 1964 by MIT, GE and Bell Labs. This left those at AT&T Bell Labs who had been working on the project -- notably Doug McIlroy, Dennis Ritchie and Ken Thompson -- at loose ends. Doug immediately got involved with other things in Murray Hill, NJ, but Dennis and Ken had been interested in the project per se and wanted to explore several of its ideas."


Drag n' Drop CD Ripping in Konqueror (Dave's Desktop)

Dave's Desktop has an article on creating MP3 CDs under KDE. "These days, with the global adoption of the iPod (as well as many other portable players on the market), making MP3s from CD collections is one of the most popular things to do with a home computer. This task used to take a bit of doing and know-how in order to pull off successfully. However, with the advancements in the KDE desktop and the Konqueror file manager, the job of ripping tracks from CD into OGG or MP3 format couldn't be much simpler." KDE.News has additional commentary on the article.


Securing Linux, Part 3: Hardening the system

developerWorks has an introductory article on hardening a Linux system. "In this series of articles, learn how to plan, design, install, configure, and maintain systems running Linux in a secure way. In addition to a theoretical overview of security concepts, installation issues, and potential threats and their exploits, you'll also get practical advice on how to secure and harden a Linux-based system. We will discuss minimal installation, hardening a Linux installation, authorization/authentication, local and network security, attacks and how to protect against them, as well as data security, virus, and malware programs."


Userspace Filesystem Encryption with EncFS (O'ReillyNet)

O'ReillyNet has this article on protecting data with an encrypted file system. "For a long time now, computer-related theft has been a real problem. The most likely victims of these thefts are laptops and USB sticks, which are obviously very easy to lift (and leave with). Desktop computers and backup media are stolen less frequently. In all of these cases, much of the time, the data stored in the media is more valuable than both the computer and the media. An important question is how to protect valuable data in our computer's storage areas."



Professional Sound Editing with Audacity (O'ReillyNet)

Here's a look at the Audacity sound editor (with screenshots) on O'ReillyNet. "In the Linux world, Audacity may not be as advanced or powerful as other audio editors (which also function as music composers), but it does stand out as one of the easiest to use. Mazzoni and other developers on the Audacity team borrow the best ideas and features from several audio editors and digital audio workstations, but with the goal of presenting everything under an interface accessible even to inexperienced users."


At the Sounding Edge: What's Going On with Csound? (Linux Journal)

Dave Phillips reviews the Csound5 software sound synthesis language, in a Linux Journal article. "Csound has been in development since the 1970s, predating personal computers. As might be expected, its codebase has become a bit dusty, particularly regarding modern programming techniques. Csound's ease of extensibility has promoted a great broadening of its processing powers, but at the lower levels, the code currently is undergoing a complete revision. Almost every aspect of the original source tree has come under new scrutiny that should result in a faster, more efficient Csound."


Page editor: Forrest Cook


Non-Commercial announcements

ClearHealth Forums Available (LinuxMedNews)

LinuxMedNews reports on the launch of new forums for ClearHealth. "ClearHealth is a next generation practice management system and EMR. This php based system takes DNA from the FreeMED and OpenEMR projects. It is based on the Smarty templating engine. ClearHealth uses the FreeB2 medical billing engine. The ClearHealth Project now has a discussion Forum."


Fedora Extras: Get involved more easily!

The Fedora Extras project has announced a new automated system for accessing CVS. "If you'd like to become a Fedora Extras developer, but the process of getting CVS access seemed too slow before, please visit to use the new automated system."


An injunction against Fortinet for GPL violations

A district court in Munich has granted a preliminary injunction against Fortinet Inc., preventing it from distributing its products in Germany. It turns out that the company's "FortiOS" was just Linux, hidden behind a bit of crypto. "'This violation by Fortinet is especially egregious since the vendor not only violated the GPL, but actively tried to hide that violation,' said Harald Welte, Linux Kernel developer and founder of the project. 'We are not in any way opposed to the commercial use of Free and Open Source Software and there is no legal risk of using GPL licensed software in commercial products. But vendors have to comply with the license terms, just like they would have to with any other software license agreement.'" Click below for the announcement from the project.

Full Story (comments: 13)

NLnet sponsors Parrot (use Perl)

Use Perl has announced that NLnet will be sponsoring development work on Parrot, the Perl 6 virtual machine. "Allison writes "NLnet, a non-profit organization supporting open source network technology research and development, announced on Friday that it will sponsor US $70,000 of Parrot development work. The funding will go to Leopold Tötsch who has been the pumpking for Parrot since 2003 and Chip Salzenberg who recently stepped into the role of chief architect for Parrot.""


Commercial announcements

Centrify Certifies DirectControl Suite for Red Hat Enterprise Linux 4

Centrify Corporation has announced support for Red Hat Enterprise Linux 4. "Centrify Corporation today announced Red Hat Ready certification of DirectControl(TM) which integrates Red Hat(R) Enterprise Linux 4 environments into Microsoft's Active Directory. As a member of the Red Hat Ready Partner program, Centrify has added support for Red Hat Enterprise Linux 4 to its existing product line, which already includes support for Red Hat Enterprise Linux 2.1 and 3 as well as Fedora Core 3."


ESP Print Pro 4.5.4

Version 4.5.4 of ESP Print Pro has been announced. "Easy Software Products today announced the release of ESP Print Pro v4.5.4, a complete cross-platform printing solution. The product is based on the company's Common UNIX Printing System technology and is available for AIX, HP-UX, IRIX, Linux, MacOS X, and Solaris. A separate client printing package is available for Microsoft Windows 2000, XP, and 2003. ESP Print Pro 4.5.4 fixes two GUI crash bugs and problems with the German localization."


OPERA 8 Web Browser Released

Opera Software has launched a new version of its browser, Opera 8 for Windows and Linux. Internet users can now surf the Web faster, safer and easier than before. Opera 8 is a substantial upgrade from previous versions, and includes new features such as a security information field that indicates the trustworthiness of banking and shopping Web sites and voice interaction capabilities.


PIKA Technologies launches LinuxOnDemand Program

PIKA Technologies has launched its LinuxOnDemand Program for developers of voice and fax solutions. "In support of the ever-increasing number of Linux developers, PIKA Technologies announced today a program that will make available versions of their SDK (API and drivers) that run on an expanded number of Linux distributions/kernels (distros)."


SGI announces new Open IT Platform

SGI has announced its new Prism systems, which are aimed at video processing applications. "By integrating industry standards-based, 64-bit Intel(R) Itanium(R) 2 processors, the 64-bit Linux(R) scalability found in SGI Altix high-performance server products, and scalable ATI(R) graphics processors (GPUs), SGI offers a system to solve the most demanding content creation and management at a dramatic new price point."


SkypeIn and Skype Voicemail betas launched

Global Internet Telephony Company Skype has announced a beta launch of SkypeIn and Skype Voicemail. "SkypeIn provides an affordable, flexible alternative to costly mobile phone roaming charges with SkypeIn personal numbers. SkypeIn customers can receive inbound calls to their Skype client from fixed telephones or mobile phones while they travel worldwide, providing seamless interconnectivity without having to pay costly roaming charges. Skype Voicemail enables users to manage incoming voicemail messages, making their Skype usage more ubiquitous."


TransactTools Announces Partnership with QuickFIX

TransactTools has announced a partnership with QuickFIX. "TransactTools, the leading provider of enterprise solutions for electronic trading connectivity, announced today a new partnership with QuickFIX, the freely-available open source FIX engine project. Under the terms of the partnership, TransactTools will contribute source code, resources, and support to QuickFIX."


Major Contracts Awarded to 'VA Quest' Linux Kernel Solution Service

VA Linux Systems Japan K.K. (VA Linux) has announced that several Japanese companies have awarded early contracts to VA Quest, a new VA Linux failure analysis solution service for Linux kernel launched earlier this month.


Versant Proposes to Lead Open Source JSR220 in Eclipse Community

Versant Corporation has announced that it has proposed to lead a new Eclipse community project for standards-based, object-relational mapping. JSR220 is the specification defining the standard for object-relational mapping in Java.


New Books

"Ant: The Definitive Guide, Second Edition" Released by O'Reilly

O'Reilly has published the book Ant: The Definitive Guide, Second Edition by Steve Holzner.


Firefox and Thunderbird Garage released by Prentice Hall

Prentice Hall PTR has announced the publication of Firefox & Thunderbird Garage by Chris Hofmann and Marcia Knous.


"Mastering FreeBSD and OpenBSD Security" Released by O'Reilly

O'Reilly has published the book Mastering FreeBSD and OpenBSD Security by Yanek Korff, Paco Hope, and Bruce Potter.


"Network Security Tools" Released by O'Reilly

O'Reilly has published the book Network Security Tools by Nitesh Dhanjani and Justin Clarke.

Full Story (comments: none)

"Snort Cookbook" Released by O'Reilly

O'Reilly has published the book Snort Cookbook by Angela Orebaugh, Simon Biles, and Jacob Babbin.

Full Story (comments: none)

"Test Driving Linux" Released by O'Reilly

O'Reilly has published the book Test Driving Linux by David Brickner.

Full Story (comments: none)


Chapter 3 of New CUPS Manual - Standard Printer Options

Chapter 3 of the CUPS printing system Manual is online. Standard Printer Options are covered.

Comments (none posted)

Fibre Channel State of the Union

Christoph Hellwig has posted a new Fibre Channel state of the union document. "With the upcoming merge of the current SCSI development branch (probably after the 2.6.12 release), Linux will have more advanced Fibre Channel support than any currently available operating system."

Full Story (comments: 2)

LPI February/March 2005 Newsletter

The February/March 2005 edition of the LPI newsletter is online with the latest Linux Professional Institute news.

Full Story (comments: none)

Patent Resource Page (Groklaw)

Groklaw introduces a new Patent page, a collection of patent resources around the web.

Comments (none posted)

A Reading List for Linux in the Classroom (Linux Journal)

Linux Journal has assembled a reading list for educational purposes. "Below is a reading list that you may find interesting and useful. Specifically, the HOWTO articles that describe using Samba as a primary domain controller (PDC) in a mixed Linux and Windows environment and using OpenLDAP for single sign-on should prove useful."

Comments (none posted)

Comprehensive guide on RPM building released

Guru Labs has announced a new guide on RPM building. "Guru Labs has released a section of our courseware under a Creative Commons license that has very comprehensive coverage of building RPMs. It has treatment of the whole spectrum of issues including making proper patches, the menu specification, and ancillary files like logrotate.d files, cron.*/ files, SysV init files along with chkconfig, etc."

Full Story (comments: 1)

Contests and Awards

USENIX Honors GNOME and KDE Architects for Contributions to Open Source Community

The USENIX Association has awarded GNOME co-founder Miguel de Icaza and KDE creator Matthias Ettrich the Software Tools User Group (STUG) award for their accomplishments in developing user-friendly graphical user interfaces for the open source desktop.

Comments (3 posted)

KDE Art: digiKam Contest, Icon Marathon, KDE Logo Worldwide (KDE.News)

KDE.News has several announcements concerning the development of KDE artwork. "The KDE artist community has been busy recently. The winners of the digiKam contest have been announced, has had a major update and the KDE logo is on a worldwide tour. Coming soon are The First Annual Icon Marathon, a completely new and improved KDE Artist website and introducing Kollaboration, where your art meets their code!"

Comments (none posted)


Linux Developers Embrace Non-Commercial Distributions

Evans Data Corp. has released a new Linux Development Survey. "As Linux has matured and found an ever increasing foothold on developer and end user machines, there has been a noted preference for commercial versions of Linux over non-commercial versions. The main reason for the allegiance to commercial Linux has been support that’s less available for the non-commercial versions. But, as the knowledge base of Linux and its own special set of installation and maintenance issues grows, the need to rely on support has diminished and the largest increase in responses to the question “What is the biggest advantage of a commercial version of Linux?” was “None”, which grew by more than 50% in the last six months."

Full Story (comments: none)

Upcoming Events

Evolution of Open-Source Code Bases (EVOSC05)

A deadline extension has been given for paper submissions to the Evolution of Open-Source Code Bases (EVOSC05) conference. The event will be held in Genova, Italy on July 11, 2005.

Full Story (comments: none)

Linux Audio Conference 2005 Live Audio/Video streams

The Linux Audio Conference 2005 will have live audio and video streams available. The event takes place in Karlsruhe, Germany on April 21-24.

Full Story (comments: none)

AstriCon Europe 2005 to Be Held in Madrid in June

Digium has announced AstriCon Europe 2005. "IPsando, an information technology company focusing on Internet Protocol (IP) communications consulting and Digium, the creator of open source telephony, today announced that AstriCon Europe 2005, the first of two annual Asterisk user conferences, will be held June 15-17, 2005 at the Auditorium Madrid Hotel in Madrid, Spain."

Comments (none posted)

Austrian Perl Workshop CfP (use Perl)

A call for papers has gone out for the Austrian Perl Workshop. "The Second Austrian Perl Workshop will take place on the 9th and 10th June in Vienna, Austria."

Comments (none posted)

2005 - Call for Papers

A Call for Papers has gone out for the 2005 convention. "The purpose of the convention is to give an open and free playground where people can discuss the implications of new technologies in society. is a balanced mix convention where technical and non-technical people can meet each other and freely share all kinds of information. The convention will be held in the Grand-Duchy of Luxembourg on Friday/Saturday 14-15 October 2005."

Full Story (comments: none)

Announcing PAKCON II

PAKCON II, Pakistan's Underground Hacking Convention, will be held in October, 2005 at the Pearl Continental Hotel in Karachi, Pakistan.

Full Story (comments: none)

PAKCON II: Call for Papers

A Call for Papers has been posted for PAKCON II, Pakistan's Underground Hacking Convention.

Full Story (comments: none)

Samba eXPerience 2005

Samba eXPerience 2005 will be held in Göttingen, Germany on May 2-4, 2005.

Full Story (comments: none)

Events: April 21 - June 16, 2005

Date | Event | Location
April 21 - 23, 2005 | (Australian National University) | Canberra, Australia
April 21, 2005 | MySQL Users Conference and Expo 2005 (Santa Clara Convention Center) | Santa Clara, CA
April 21 - 24, 2005 | 3rd International Linux Audio Conference (LAC2005) (Center for Art and Media (ZKM)) | Karlsruhe, Germany
April 21 - 23, 2005 | ACCU Conference 2005 (Randolph Hotel) | Oxford, England
April 21 - 23, 2005 | WebTech 2005 | Sofia, Bulgaria
April 23 - 24, 2005 | LayerOne Technology Conference (Pasadena Hilton) | Pasadena, CA
April 25 - 30, 2005 | UbuntuDownUnder | Sydney, Australia
April 30, 2005 | Hurricane Electric Linux Security Seminar | Fremont, CA
May 2 - 7, 2005 | DallasCon 2005 (Richardson Hotel) | Dallas, TX
May 2 - 4, 2005 | Samba eXPerience 2005 (Hotel Freizeit) | Göttingen - Germany
May 2 - 5, 2005 | International PHP Conference (RAI Conference Center) | Amsterdam, the Netherlands
May 4 - 6, 2005 | CanSecWest/core05 | Vancouver, B.C.
May 11 - 15, 2005 | php|tropics 2005 (Moon Palace Resort) | Cancun, Mexico
May 13 - 14, 2005 | BSDCan 2005 (University of Ottawa) | Ottawa, Canada
May 19 - 21, 2005 | GUADEC-es 2005 | A Coruña, Spain
May 22 - 25, 2005 | Gelato Federation Meeting (HP's Palo Alto and Cupertino campuses) | San Jose, CA
May 23 - 26, 2005 | PalmSource Worldwide Mobile Summit and DevCon (Fairmont Hotel) | San Jose, California
May 24 - 27, 2005 | XTech 2005 Conference (Amsterdam RAI Center) | Amsterdam, the Netherlands
May 25 - 26, 2005 | Linux World New York Summit 2005 (New York City Marriott Marquis) | New York, NY
May 28 - 29, 2005 | Linux Unix Group of Bulgaria Seminar | Stara Zagora, Bulgaria
May 29 - 31, 2005 | GNOME Users and Developers European Conference (GUADEC 2005) | Stuttgart, Germany
June 1 - 3, 2005 | The Red Hat Summit 2005 (Hilton New Orleans) | New Orleans, LA
June 1 - 4, 2005 | Fórum Internacional Software Livre (FISL) | Porto Alegre/RS, Brazil
June 9 - 10, 2005 | Austrian Perl Workshop (Kapsch CarrierCom) | Vienna, Austria
June 11, 2005 | PHP West | Vancouver, BC, Canada
June 15 - 17, 2005 | AstriCon Europe 2005 (Auditorium Madrid Hotel) | Madrid, Spain

Comments (none posted)

Web sites

Mozilla Update Relaunches (MozillaZine)

MozillaZine has an announcement for the newly reopened Mozilla Update site. "In case you haven't noticed, the UMO Developer Control Panel has officially reopened! Also included with the site update are a new search engine (not Google!), real RDF parsing for install.rdf, security bug fixes, and the ability to post comments. UMO is also looking for volunteers to review extensions and soon more people to help do PHP coding."

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

I don't think pushing readers' buttons is very nice

From:  Leon Brooks
Subject:  I don't think pushing readers' buttons is very nice
Date:  Tue, 19 Apr 2005 19:46:46 +0800

Laura DiDio has been in the habit of saying things that could most kindly be
described as "poorly considered" and if given a fair reading would be
characterised as wildly inaccurate, wilfully ignorant and negligent.

The things she says are read and believed by gullible people in positions of
authority, and decisions are made as a result which undermine and destroy the
patient work of many technical people, for example, by ordering the
replacement of their most useful tools by inferior ones which require much
more effort for their upkeep. In some cases, the very livelihood of the
technical person is put at risk when the business' IT infrastructure is moved
entirely outside the skill-set of the person concerned.

Naturally, this destruction and the threat of more of it is not going to be
welcomed by the people involved.

At every stage Laura has received outraged feedback, much of it rich in
exactly the technical detail and real-world examples she needs to bring her
viewpoint into line with observable reality. She has always ignored this
useful information in preference for the more sensational emotive issues.
This should be painfully obvious to anyone who reads the comments posted
against anything Laura publishes.

One falling leaf does not an autumn make, but if you are also receiving much
more than the usual "background" amount of random abuse, perhaps it's a sign
that you're swimming out of your depth yourself, hurting people through lack
of understanding, and need to step back and get a better grip on the issues.

Please consider.

Cheers; Leon

Comments (1 posted)

Page editor: Forrest Cook

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds