User: Password:
Subscribe / Log in / New account Weekly Edition for April 28, 2005

A wrapup

[LCA] might appear, at first glance, to be an event condemned to amateurish disorganization. This conference moves to a different city every year, where it is organized by a fresh crowd of volunteers with little or no previous experience in putting together this sort of event. Under the guidance of Linux Australia, a working formula appears to have been found. By bringing in previous years' organizers to give advice and oversight to the current event's team, manages to benefit from its past experience while simultaneously giving each set of organizers an opportunity to experiment and bring in new ideas. The result is, arguably, the best set of Linux conferences offered anywhere on the planet. 2005 was no exception. A few weblog entries hint at a bit of behind-the-scenes turbulence, but, to an attendee (or a speaker), this conference was flawlessly organized. The facility worked well, the talks were (mostly) great, the wireless network was ubiquitous and highly [Steven Hanley] reliable, and, yes, the coffee was good. The technical content was solid, but the event was also filled with a uniquely Australian sense of humor and fun. This year's organizers, led by Steven Hanley (picture at right) did an outstanding job.

Some of the talks have been covered in other LWN articles. Here are some quick notes on a few other talks that your editor was able to attend.

The GNOME miniconf covered many themes, but seemed to be dominated by two in particular: marketing the project and future development directions. The GNOME developers look, with a certain degree of envy, at the amount of publicity that Firefox has received, and wonder how they can get some of it for themselves. Part of the problem, as they see it, is that GNOME is not a nice, simple download like Firefox; it's more like a big, sprawling mess. The GNOME live CD project could help in this regard; it got some attention at LinuxWorld, but it needs some work and nobody has taken it on.

The other issue on the GNOME developers' minds is the GNOME 3.0 project. A 3.0 release gives the project the opportunity to break API compatibility, something it has carefully avoided doing across 2.x. The only problem is that the project does not really seem to have any idea of what it wants to accomplish in 3.0. The developers had a clear vision of usability which (whether you like their approach or not) carried them through a successful set of 2.x releases. An upgraded vision for 3.0 does not yet exist.

[Jeff Waugh] Perhaps the most interesting idea came from Jeff Waugh. There is much potential for network-enabled collaborative technologies - especially if you resist the temptation to call them "groupware." Some cool ideas are likely to see implementations in the next few months. The massive nature of makes it a difficult platform for this sort of experimentation, however, so much of the interesting work is happening with tools like AbiWord and gnumeric. We may soon see a time when, while remaining good at what it does, has been surpassed by its competitors, which make better platforms for playing with new ideas.

Andrew Tridgell's keynote covered more than the simple cloning of BitKeeper; the bulk of it related, instead, to the increasing use of advanced software development techniques in the free software community. The community is now at the forefront in many areas.

One example is the increased use of static analysis tools. For years, lint was the state of the art; now the gcc suite itself incorporates a wide variety of static checks beyond the standard warnings. Tools like "sparse" have helped the kernel developers to find many problems before users are bitten by them. The most notable thing, though, is that the development projects are actually using these tools. Runtime analysis has also come a long way; Tridge singled out valgrind as being one of the most important advances in a long time.

Automatic code generation is coming into its own; something like half of the Samba 4 code is created in this way. The trouble here is that it is difficult to create general-purpose code generation tools which produce what various projects really need. Samba ended up creating its own IDL compiler to generate much of its protocol code, and other projects may well end up doing the same. The effort paid off quickly: the resulting code is more robust, more correct, easier to instrument and debug, and easier to change.

Some time went into the "asynchronous server" problem: how does one write a server which deals with asynchronous requests from the outside world? None of the alternatives appeal: threads are evil, processes are ugly, and state machines "send you mad." For Samba 4, all of these techniques have been combined in a user-configurable way. Embedded users can collapse the whole system into a single process, while a multi-process, multi-thread configuration can be used on monster servers. The Samba hackers have managed to reduce the single user connection overhead to less than 20KB, a massive improvement from previous versions. State machines have been tamed with "composite functions," which take much of the hard-to-debug indirection out of the code.

Memory management is another area which has seen improvements; Tridge was especially pleased with the version of talloc() used in Samba 4. This memory allocation library allows dynamic memory allocations to be organized in a hierarchy; an entire subtree of the hierarchy can be freed (calling optional destructors) with one call. This scheme gives most of the advantages of a fully garbage-collected language without the associated overhead.

Finally, Tridge noted that projects are actually starting to use test coverage tools. The combination of static analysis, runtime analysis, and test coverage can be very effective in completely eliminating certain classes of errors (such as leaking data by writing uninitialized data to the net).

Keith Packard and Carl Worth talked about work in desktop graphics. Keith's discussion of the reworking of the X Window system has been covered on LWN before. Carl gave a good overview of the Cairo vector graphics library. Cairo, he notes, is being used in upcoming or test versions of dia, evince, gtk+, mozilla, scribus, and more. Most of these projects are still not using Cairo by default; it's too slow, still, for comfortable use. Cairo is headed toward a 1.0 release with a final API shakeup and the beginnings of the necessary performance work.

What audiences will likely remember from these talks, however, are the demonstrations. This year's eye candy is the rubbery window which distorts realistically when dragged across the screen. These windows can also be spun around and literally thrown three virtual desktops away. Anybody who has seen one of Keith's talks can imagine how much fun he was having flinging windows around. The funnest Cairo demonstration may well be roadster, a free map generation utility.

Elizabeth Garbee discussed her experiences in avoiding homework by designing tuxracer courses; she then proceeded to create a brutal new course in front of the audience. Not everybody can get away with creating a talk around playing games in front of a crowd. Her talk complemented an issue raised by Rusty Russell: he has apparently lost much time recently playing The Battle For Wesnoth, and was well impressed by the accompanying artwork and music. To continue to progress, our community will have to do better at attracting other sorts of contributors: artists, musicians, and so on. That means we will need to think about how we can create good tools for these contributors, and help them gently when they run into trouble.

Other stuff. Two other themes resonated through the conference. One is that everybody is concerned about the BitKeeper episode, and amused to learn how little was involved in the infamous "reverse engineering" of its network protocol. The other is that a large number of attendees were running Ubuntu. Even when the Canonical employees are factored out (the company seems to have moved its offices to Canberra for the conference), Ubuntu has clearly claimed a significant part of the distribution "market" among Linux developers.

Your editor gave two talks at the conference; the slides are available online for both: A Linux Kernel Roadmap and Kobjects, ksets, and ktypes. The kernel talk was covered in ComputerWorld, and, subsequently, The Inquirer. It is interesting to compare what was reported against the original slides. 2006 will be held in Dunedin, New Zealand, starting January 23, 2006. Your editor hopes to be there.

Comments (3 posted)

Eben Moglen's keynote

[LCA] The final keynote was delivered by FSF attorney Eben Moglen. It was, it must be said, one of the best talks your editor has seen in some time. Mr. Moglen can take an absolutely uncompromising approach to software freedom just as well as, say, Richard Stallman, but he can deliver the message in a way that is vital and effective for a far wider audience. While one would not want to distract him from his important legal work, it would be a good thing if Eben Moglen spoke a little more often.

The following is a poor attempt to summarize the talk.

[Eben Moglen] The "legal state of the free world" is strong. In particular, attacks on the General Public License have abated. One year ago, the SCO group was claiming that the GPL was invalid and in violation of the U.S. constitution. That kind of talk is not happening any more. SCO "has not completely flatlined," but it is almost there.

What were the legal consequences of the SCO attack? Certainly the invalidation of the GPL was not one of them. There were two outcomes, one positive, and one less so.

On the positive side, the industry (as composed of large vendors who make money from free software) has decided that the community needs better lawyers. In particular, the industry has concluded that financing good legal advice for the community early in the game, before problems develop, is a good investment. The result was the creation of the Software Freedom Law Center, with almost $5 million in funding. That figure can be expected to triple in the near future. There should be, soon, abundant legal help available for nonprofit organizations and developers working in the free software area.

In this sense, the dotcom bust was a fortuitous event as well. As technology jobs went away, numerous technical people found their way into law school. Many of them were not too happy about it, but these were the students Eben had been waiting for the last fifteen years. Soon, there will be a new crop of lawyers who understand technology and who can read code - and they will be funded to work for the community. This is a very good outcome, and we owe thanks to Darl McBride for helping to bring it about.

The other outcome from the SCO attack is the general realization, in the boardrooms of companies threatened by free software, that copyright attacks are of limited value. SCO and its backers brought a heavily funded attack against a project set up fifteen years ago by a student in Helsinki who didn't think he had any need for lawyers - and that project sustained the attack easily. Copyright does not appear, any more, to be a legal tool which can be used to impede the spread of free software.

Patent attacks are a different matter, and "we are going to face serious challenges" in that area. There will probably not be much in the way of patent infringement suits against individual developers; those developers simply do not have the deep pockets which might attract such a suit. Instead, the attacks will come in the form of threats to users.

This is happening now: corporate officers will get a visit from "the monopoly" or others and be told about the sort of trouble waiting for it as a result of its use of patent-infringing free software. That trouble can be avoided by quietly paying royalties to the patent holder. This is happening "more than we would believe" currently - companies are paying royalties for their use of free software. It remains quiet because it is in nobody's interest to make this sort of shakedown public. The victims will not come forward; they will not even tell their suppliers.

Defending against patents is a complicated task. An important part is destroying patents - getting the (U.S, mainly) patent office to reevaluate and (hopefully) invalidate a threatening patent. This is what was done with Microsoft's FAT patent, for example. When it works, it is by far the most cost-effective way of dealing with patent problems; it is far cheaper than trying to litigate a patent case later on.

This process is tricky. Typically, a group wishing to invalidate a patent gets a single shot, in the form of its initial request to the patent office. After that, the process becomes confidential, and involves communications with the patent holder. So that first shot has to be a very good one. They are getting better at it.

Killing patents makes people in the industry nervous - they have their arsenal of patents too, after all. There is, however, an "agonizing [Eben Moglen] reappraisal" of the patent system going on within the industry. Some companies in the technology industry are starting to get a sense that the patent system does not work in their favor. It will be interesting to see what happens within IBM, in particular. In general, patent reform is going to be a big issue over the next couple of years. Some parts of industry will favor reform, others (such as the pharmaceutical industry) are happy with the system as it stands now. There will be groups trying to redirect the reform process to favor their own interests, and many "false friends" appearing out of the woodwork. There will be opportunities for serious reform, but the community will have to step carefully.

Meanwhile, Samba 4, in particular, may not be safe; there are likely to be patents out there. "Expect trouble."

[In a separate session, Eben encouraged free software developers to record their novel inventions and to obtain patents on the best of them. Free legal help can be made available to obtain patents on the best ideas. Until the rules of the game can be changed, we must play the game, and having the right patents available may make all the difference in defending against an attack.]

Back to the GPL: the work done by Harald Welte getting the German courts to recognize and enforce the GPL has been a very good thing. Eben, however, is also pleased by the fact that, over the last decade or so, he has not had to take the GPL to court. Threats to enforce the GPL are entirely credible - there are few volunteers to be the first defendant in a GPL infringement suit in the U.S. It also helps that the Free Software Foundation, in enforcing the GPL, seeks neither money nor publicity. Instead, what they want is compliance with the license. "I get compliance every single time."

Enforcement against embedded manufacturers ("appliances") has been problematic in the past. These manufacturers have less motivation to comply with the GPL, and the costs of compliance (especially after a product has been released) are higher. The working strategy in this case recognizes that the company actually guilty of the infringement (usually a relatively anonymous manufacturer in the far east) is highly receptive to pressure from its real customers: the companies who put their nameplates on the hardware and sell it to the end users. If you go to a company with a big brand and get that company to pressure the initial supplier, that supplier will listen.

Meanwhile, the appliance manufacturers have started to figure out that posting their source is not just something they have to do to comply with the GPL - it can be good business in its own right. When the source is out there, their customers will do some of their quality assurance and product improvement work for them - and remain happier customers.

In summary, the problems with GPL compliance by appliance manufacturers will go away in the near future.

There is not much to be said, at this point, about what will be in version 3 of the GPL. Much, however, can be said about the process. The GPL currently serves four different, and sometimes conflicting goals. Any attempt to update the GPL must preserve its ability to serve all of those goals. The components of the GPL are:

  • A worldwide copyright license. Worldwide licenses are exceedingly rare; they are typically tuned to each legal system in which they operate. The GPL cannot be issued in various national versions, however; it must work everywhere.

  • A code of industry conduct - how players in the free software world will interact with each other. Any new code of conduct must be negotiated with the industry; it cannot just be imposed by fiat.

  • The GPL is a political document; it forms, in a sense, the constitution of the free software movement.

  • It is the codification of the thought of Richard Stallman, and must continue to adhere to his beliefs.

Updating the GPL will be a long process. Eben will be putting together an international gathering of copyright lawyers to help with the crafting of the copyright license portion of the GPL. A separate gathering of industry representatives will be needed to hammer out the necessary compromises on the code of conduct; this is a part of the process which may not sit well with Richard Stallman, but it must happen anyway. The constitutional part of the GPL, instead, should see minimal changes - there has been no fundamental change in the wider world to motivate the creation of a new constitution. On the last point, there will be no revision of the GPL which does not meet with the approval of Richard Stallman and the Free Software Foundation.

When a new license nears readiness, it will be posted with a long explanation of why each decision was made. Then will come the comment period, as the FSF tries to build a consensus around the new license. The revision of the GPL is, perhaps, the most difficult task Eben has ever taken on, and he is not sure that he is up to it. The job must be done, however.

As for when: "soon." He did not want to undertake revisions of the GPL while it was under attack - updating the GPL should not be seen as a defensive maneuver. Now, however, the GPL is not under attack, and "the monopoly" is distracted for the next couple of years trying to get its next big software release out. This is the time to get the work done, so something is going to happen.

In response to a question about software-controlled radios: that is a global problem, not just limited to the United States. Japan, it seems, is the worst jurisdiction in this regard; there have been threats to arrest foreign software radio developers should they set foot there. Fixing the software radio problem is a key part of ensuring freedom of communication in the future, and it is currently Eben's most pressing problem. There has been little progress so far, however, and new strategies will be required.

In general, freedom is under threat worldwide. The events since 9/11, in particular, have accelerated trends toward a repressive, surveillance-oriented world. If we want to ensure our political freedoms in this environment, we must work for technological freedom. Without the ability to control our own systems, to communicate freely in privacy, and to interact with others, we will not have the wider freedoms we hope for. The free software movement is the heir to the free-speech movements which started in Europe centuries ago; we are at the forefront of what has been a very long and difficult fight for freedom. The difference is that "this time we win."

Standing ovations for speakers at Linux conferences are a rare thing; Eben Moglen received two of them.

Comments (49 posted)

Debian sarge and amd64

April 27, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

One of the big questions surrounding the release of Debian "Sarge" (aside from "when?") is why the amd64 architecture is not making the cut. It's not as if the amd64 port is unready, as indicated by this status report from Andreas Jochens of the amd64 porters team.

Inclusion of amd64 in Sarge has been the subject of some heated exchanges on the Debian-devel list, as far back as July of 2004. To the average user, it probably seems logical that the amd64 port should be included, since the work seems to be done, and other packages like GNOME 2.8 and KDE 3.3 have found their way in. To get clarification, we invited comment from Jochens and Debian Release Manager Steve Langasek.

According to Langasek, the decision not to include amd64 in Sarge is strictly due to mirror space.

When sarge is released, the size of the Debian archive is going to balloon, as full mirrors are asked to carry all of woody, sarge, etch (the new testing), and sid. While it's true that there are many Debian mirrors that will be glad to make room for amd64 -- unofficial or not -- we also know that there are plenty of other mirrors that have limited space available for Debian, and some of them may have to drop us after sarge is released because of this size increase. Making the archive even larger by adding amd64 to sarge means more mirrors that will have to drop Debian.

After the release, Langasek said that the FTP team plans to put a solution in place that will allow "partial by-architecture mirroring for etch using the limited toolkit demanded by our mirror operators... At that point, we will be much better able to accommodate amd64 without penalizing the existing architectures."

However, some disagree that adding amd64 to the mirrors would be an unreasonable burden. Branden J. Moore, for example, says that the Debian archive is not that large compared to other distributions.

These are the numbers from a dh -h on the mirror I admin:

Debian: 111GB
Debian-cd: 51GB
Fedora: 152GB
Gentoo: 112GB
Mandrake: 240GB
RedHat: 71GB

While others mirrors may very well be suffering from space constraints... they do have the ability to use proper --exclude lines in rsync to avoid mirroring the debs from the archs that they don't want. I know it's not the best solution, as their Packages.gz file becomes bad, but it works.

Jochens is not offended by the decision to keep amd64 out of Sarge, and says it's a "good thing" that the release will be supported separately by the amd64 porting team.

This could even be an example how other Debian ports could be handled in the future. I view the Debian archive mainly as a source archive which can be compiled for a large set of different architectures. The most important thing is, that fixes for architecture specific problems will be applied to the package sources. Debian package maintainers usually do a very good job at this.

We were also curious about the criteria used by the release team to decide what goes in. For example, why were GNOME and KDE updated, but will not be included until Etch? Langasek says that the decisions have to do with making sure that someone will continue to do updates for the software, and that it would not derail the Sarge release process:

So the KDE and GNOME updates have happened because the KDE and GNOME teams have worked with the release team to make them come about in a non-disruptive way. For X, which is very near the bottom of the dependency tree and one of the more hardware-dependent components of the system, I'm not sure any transition to could have been non-destructive; and the X Strike Force, our X maintenance team, opted not to push for it. We all know that a stable release is going to be perceived as "old" by the end of its life cycle whether or not we succeed in establishing a predictable release cycle for etch, so the difference between shipping an X server that's three, six, or nine months behind upstream is small when weighed against, say, causing a one, two, or three month delay in a release that's already overdue.

As for amd64, this was never the release team's decision to make; we work closely with the FTP team in preparation of a release, but it's the FTP team who has to make the judgment calls about how our infrastructure will or won't scale to handle new projects... All the reasons for keeping it out are logistical ones that people are intent on addressing soon after the sarge release, and I have every confidence that this will happen in the timeframe for etch.

Indeed, even the GNOME and KDE releases now in Sarge are somewhat outdated. While Sarge (including amd64) looks poised to ship with GNOME 2.8, KDE 3.3 and XFree86, Ubuntu is shipping with GNOME 2.10, KDE 3.4 and a fresh release of However, not all packages in Ubuntu are newer than Sarge. Vim shipped with Ubuntu for x86_64 is version 6.3.46, while Vim is at 6.3.68 in the Alioth repository.

Even though amd64 will not be released to mirrors as part of Sarge, Jochens said that the release "is not 'unofficial' anymore."

It is supported by the Debian release team, the Debian kernel team, the Debian installer team and others. The only difference to other ports is that the binary package archive for amd64 is maintained by the porting team instead of the ftp-master team. Again, I consider this a good way to share responsibilities and an example for other ports.

Jochens also assured us that the amd64 team will be able to maintain the amd64 release throughout the Sarge lifecycle, saying that it is "mostly a matter of compiling the updated Debian sources when they become available...amd64 specific security issues will be coordinated with the Debian security team."

For all intents and purposes, it would seem that the discussion is purely academic at this point. Debian users who want Sarge on amd64 will be able to get it, though perhaps not from official Debian mirrors. For those who are interested in trying out the amd64 port, the project is currently hosted on Alioth with a Debian on AMD64 HOWTO.

Comments (none posted)

Page editor: Jonathan Corbet


No legacy for Fedora x86-64

April 27, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

As Fedora Core 2 (FC2) is transferred to the Fedora Legacy Project, some users may be surprised to find that the project will be focusing only on the i386 platform, leaving users of FC2 on x86_64 platforms to fend for themselves when it comes to security updates and bugfixes.

For those not familiar with Fedora Legacy, the project provides support for Red Hat 7.3, Red Hat 9, and Fedora Core releases past their "end-of-life." With Fedora Core releases, the project uses a "1-2-3 and out" policy. When Red Hat's Fedora team stops providing support for an FC release, the Fedora Legacy project begins maintaining the release, for two additional releases. Note that the idea behind the Legacy project is not to provide new packages for retired releases, but only to provide security updates and necessary fixes. Users who want the newest software need to look to newer FC releases.

Unlike Fedora Core, the Fedora Legacy project is not directly sponsored by Red Hat, though the group does receive some assistance from Red Hat. We talked to Jesse Keating, Fedora Legacy Project Leader, about the lack of support for FC2 on x86_64, what alternatives users have, and whether the project will be supporting future x86_64 releases.

Keating said that the project lacks the developers to keep up with x86_64 in addition to maintaining i386 versions of FC:

Primarily it is lack of developers/testers for package testing and approval. Starting off with the small set we have, and trying to subset them into x86_64 users is pretty tough. Further reasons include lack of physical resources (build hardware, rack space, bandwidth), build software changes, and publishing changes necessary to handle x86_64.

Indeed, it does seem that the Legacy project is a bit short-staffed. The (volunteer) positions page lists quite a few vacancies.

We also asked Keating how the project was building packages, whether they used a system similar to Debian buildd or something else. Keating said that the project is using a version of mach to build packages, and that they're looking to have a system that can produce i386 and x86_64 packages.

This allows us to build in a fresh chroot each time, and do multiple builds of a package for different RH/FC releases. It works pretty well for what we need it for. In the near future we will look at moving to the new Fedora Extras build system that is currently in development. Our goal is to be able to have one build system we can use to produce both 32bit and 64bit packages. Currently 32bit packages have to be built on a 32bit host and 64bit packages will have to be built on a 64bit host. The main build hardware that Pogo Linux donated to the project is x86_64 capable (dual Opteron) but we're using it in a 32bit mode currently. Given the price of rack space and bandwidth and all things associated we may not be able to afford a second 64bit build system. So we'll probably have to wait until the new build software is complete and re-design/deploy our Legacy build server.

Users who are in no hurry to upgrade to later FC releases can try building the source RPMs on x86_64. Keating invited those users to offer feedback on the packages, and said that users "typically" don't run into issues when trying to compile i386 packages on x86_64.

Keating did say that it's likely that there would be support for x86_64 in the future, given that there are more users for x86_64 with each new FC release. Since the Legacy project is strictly a volunteer operation, the best way to see to it that there is support for x86_64 is for users to get involved with the project.

Comments (3 posted)

New vulnerabilities

Convert-UUlib: buffer overflow

Package(s):Convert-UUlib CVE #(s):
Created:April 26, 2005 Updated:April 27, 2005
Description: A vulnerability has been reported in Convert-UUlib where a malformed parameter can be provided by an attacker allowing a read operation to overflow a buffer. The vendor credits Mark Martinec and Robert Lewis with the discovery.
Gentoo 200504-26 Convert-UUlib 2005-04-26

Comments (none posted)

eGroupWare: XSS and SQL injection vulnerabilities

Package(s):eGroupWare CVE #(s):
Created:April 25, 2005 Updated:April 27, 2005
Description: Multiple SQL injection and cross-site scripting vulnerabilities have been found in several eGroupWare modules. An attacker could possibly use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie based authentication credentials, potentially compromising the victim's browser.
Gentoo 200504-24 egroupware 2005-04-25

Comments (none posted)

kimgio input validation errors

Package(s):kimgio CVE #(s):CAN-2005-1046
Created:April 22, 2005 Updated:July 19, 2005
Description: KDE has issued a security advisory for kimgio. This is found in kdelibs as shipped with KDE 3.2 up to including KDE 3.4. kimgio contains a PCX image file format reader that does not properly perform input validation. A source code audit performed by the KDE security team discovered several vulnerabilities in the PCX and other image file format readers, some of them exploitable to execute arbitrary code.
Ubuntu USN-114-2 kdelibs 2005-05-27
Red Hat RHSA-2005:393-01 kdelibs 2005-05-17
Mandriva MDKSA-2005:085 kdelibs 2005-05-12
Ubuntu USN-114-1 kdelibs 2005-05-03
Fedora FEDORA-2005-350 kdelibs 2005-05-02
Debian DSA-714-1 kdelibs 2005-04-26
Gentoo 200504-22 kimgio 2005-04-22

Comments (none posted)

Kommander untrusted code execution

Package(s):kommander CVE #(s):CAN-2005-0754
Created:April 22, 2005 Updated:May 20, 2005
Description: KDE has issued a security advisory for Kommander. Quanta 3.1.x, KDE 3.2 and new up to including KDE 3.4.0 are vulnerable. Kommander executes without user confirmation data files from possibly untrusted locations. As they contain scripts, the user might accidentally run arbitrary code.
Gentoo 200504-23:02 kdewebdev 2005-04-22
Ubuntu USN-115-1 kdewebdev 2005-05-03
Fedora FEDORA-2005-345 kdewebdev 2005-04-28
Gentoo 200504-23 kdewebdev 2005-04-22

Comments (none posted)

lsh: buffer overflow and more

Package(s):lsh-utils CVE #(s):CAN-2003-0826 CAN-2005-0814
Created:April 27, 2005 Updated:April 27, 2005
Description: The lsh implementation of SSH2 suffers from a number of vulnerabilities, including an exploitable buffer overflow.
Debian DSA-717-1 lsh-utils 2005-04-27

Comments (none posted)

openmosixview: insecure temp file

Package(s):openmosixview CVE #(s):CAN-2005-0894
Created:April 21, 2005 Updated:April 27, 2005
Description: openMosixview and the openMosixcollector daemon can create an insecure temporary file, this can be exploited by a local user to overwrite arbitrary files via symbolic links.
Gentoo 200504-20 openmosixview 2005-04-21

Comments (none posted)

Rootkit Hunter: insecure temporary file creation

Package(s):rkhunter CVE #(s):CAN-2005-1270
Created:April 26, 2005 Updated:April 27, 2005
Description: Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux Security Team have reported that the script and the main rkhunter script insecurely creates several temporary files with predictable filenames.
Gentoo 200504-25 rkhunter 2005-04-26

Comments (none posted)

xine-lib: two heap overflow vulnerabilities

Package(s):xine-lib CVE #(s):CAN-2005-1195
Created:April 26, 2005 Updated:June 2, 2005
Description: Heap overflows have been found in the code handling RealMedia RTSP and Microsoft Media Services streams over TCP (MMST). See Xine Advisory XSA-2004-8 for details.
Mandriva MDKSA-2005:094 xine-lib 2005-05-26
SuSE SUSE-SR:2005:013 xine kimgio 2005-05-18
Ubuntu USN-123-1 xine-lib 2005-05-06
Slackware SSA:2005-121-02 xine 2005-05-02
Gentoo 200504-27 xine-lib 2005-04-26

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current stable 2.6 release remains; it dates back to April 7. A set of patches has been proposed for the .8 release, but there is some debate over a couple of them.

The current 2.6 prepatch remains 2.6.12-rc3; Linus has released no prepatches over the last week. About 100 patches have found their way into his git repository, however; they include a tg3 driver update, a "simple action" capability for the packet scheduler, and various fixes.

There has not been a -mm release since 2.6.12-rc2-mm3 on April 11. Andrew is still getting caught up from his travels and the SCM changes.

The current 2.4 prepatch is 2.4.31-pre1, released by Marcelo on April 25. It consists of a very small set of patches, most of which are x86-64 fixes.

Comments (none posted)

Kernel development news

Andrew Morton at

[LCA] The Friday morning keynote was delivered by Australian expatriate Andrew Morton; his wide-ranging talk touched on many aspects of the kernel development process.

Andrew has brought a different approach to kernel development, and it showed early in the talk. He noted that Linus has often characterized his job as being rejecting patches, rather than accepting them. Andrew disagrees with that approach. If somebody has gone to the trouble to put together a patch, even a really poorly-done one, there was probably some sort of underlying need which motivated that work. A patch identifies a problem, at least for some users; you can't just reject it or the kernel as a whole will lose out. So Andrew sees his role as helping to get patches into the kernel, rather than taking pride in rejecting them. According to Andrew, anybody who goes to the trouble of submitting a patch deserves a response. If the patch is not merged, the developer is entitled to an explanation of why.

He does not want to have to understand all of those patches himself, however. It's up to the subsystem maintainers to evaluate patches and, eventually, merge them. Andrew's job is to get the maintainers to get [Andrew Morton] involved. Techniques he can employ include the "troll merge," simply adding the patch to -mm to force the maintainer to react. Asking "dumb questions" on the mailing lists can also help. One way or another, Andrew works to get a response from the relevant maintainers.

Andrew's goal is to bring more professionalism to the kernel development process. He believes that is happening; among other things, he notes, patch traffic now slows down significantly on weekends - that was not always the case. He'd like to settle down the process, and, eventually, hand off pieces of it to others. One such piece, most likely, would be bug tracking. He cautioned, however, that these kernel maintenance tasks are not part-time jobs.

The new development model was revisited; much of what was said will be familiar to LWN readers. He noted that the older process failed one of the kernel's most important customers: the distributors. By getting features merged, tested, and ready for deployment quickly, the new process serves the distributors better. There has, perhaps, been some cost to another set of customers: those who run the mainline kernel on their systems. Andrew will be working hard to increase the stability of the mainline releases to make life easier for that group of users.

Meanwhile, he notes, the developers are shoveling about 10MB of patches into the kernel every month.

The stable 2.6 series (currently at is, according to Andrew, not sure to succeed. He believes that it does not get enough developer attention, and that the bar for patches has been set too high. And it does not address the real problem: that mainline releases have regressions that cause breakage for some users. Really fixing the problems, he says, requires getting the developers to be more careful and more focus on fixing known bugs. He says the process might yet move to an even/odd release scheme, where even-numbered releases (2.6.14, say) would be limited to bug fixes.

On testing: Andrew notes that, while the development process is highly dependent on a large community of testers, it has no real way of rewarding them for their work. He will look into acknowledging testers in the kernel changelogs; if you helped to find a bug, your name can appear alongside that of the developer who fixed it.

On the BitKeeper front, Andrew stated that he was never entirely happy with the decision to use that tool. It imposed an opportunity cost: had the kernel hackers gone off three years ago to build the source code management system they really needed, they would have something quite nice by now. He noted that version control appears to be one of those problems which drives developers crazy, and that's a problem. If you depend on a tool with insane developers, things will "end in tears." Now he's keeping his head down and waiting to see how the whole thing settles out.

Finally, he noted that many developers who think they need a source code management system really don't. If your real purpose is to keep a set of patches in sync with an evolving mainline kernel - which is the case for many developers - then a tool like quilt makes more sense.

Comments (10 posted)

Supporting RDMA on Linux

RDMA (remote direct memory access) is an attempt to extend the DMA mechanism to a networked environment. Using RDMA, an application can quickly transfer the contents of a memory buffer to a buffer on a remote system. On high-speed, local-area networks, RDMA transfers are intended to be significantly faster than transfers done with the regular socket interface. Not everybody likes the RDMA way of doing things, but it exists regardless, and some users expect to see it supported by Linux. Implementations exist for InfiniBand and a number of high-speed Ethernet adaptors.

Since the goals of RDMA include speed and low CPU overhead, implementations attempt to bypass as much kernel processing as possible. Typically, they simply pass the address of a user-space buffer directly to the hardware, and expect that hardware to do the rest. Drivers which need to make user-space memory available to their hardware will call get_user_pages(), which achieves two useful things: it pins the pages into physical memory, and generates an array of physical addresses for the driver to use. The current RDMA implementations use this approach, but they have run into a problem: get_user_pages() was never designed for the usage patterns seen with RDMA.

The typical driver which calls get_user_pages() keeps the pages pinned for a very short period of time. Often, the pages will be released before the driver returns to user space. Sometimes, usually when asynchronous I/O is used, the release of the pages will be delayed for a short period, but only as long as it takes the I/O operation to complete. The problem is that RDMA operations do not "complete" in this manner. An RDMA user can reasonably set up a buffer, pass a descriptor to a remote system, and expect data to show up in the buffer sometime next week. The whole idea is to do the relatively expensive buffer setup once, then be able to transfer the (changing) contents of that buffer an arbitrary number of times. So pages pinned by the driver can remain pinned for a very long time.

Several problems come up in this scenario. get_user_pages() does not do any sort of privilege checking or resource accounting for the pages it pins; it's supposed to be a short-term operation. So a hostile application could use an RDMA interface to lock down large amounts of memory indefinitely, effectively shutting down the system. There is no mechanism for notifying the driver if the process owning the pages exits, so cleanup can be a problem. There are also interactions with the virtual memory system to worry about: if the process forks (causing its data pages to be marked copy-on-write) and writes to a pinned page, it will get a new copy of that page and will become disconnected from its pinned buffer.

Various approaches to solving these problems have been discussed. The resource accounting issues can be partially solved by requiring the process to lock the pages itself (using mlock()) before setting them up for RDMA; that will bring the normal kernel resource limits into play. There are still potential problems if the process is allowed to unlock the pages while the RDMA buffer still exists, however, so some changes would have to be made to prevent that case. Current implementations have dealt with the process exit issue by setting up a char device as the control interface for the RDMA buffer; when the device is closed, all RDMA structures are torn down. The copy-on-write problem can be addressed by forcing RDMA buffers to be in their own virtual memory area (VMA) and setting the VM_DONTCOPY flag on that VMA, preventing the pages from being made available to any child processes. This approach would require that RDMA buffers occupy whole pages by themselves. Then there are little issues like what happens when the process creates overlapping RDMA buffers. The whole thing gets a little complicated.

All of this can clearly be patched together, but it is inelegant at best, and is clearly getting complicated. So an entirely different approach has been proposed by David Addison. This technique does away with the need to pin RDMA buffers entirely, but would, instead, require network drivers to become rather more aware of how the virtual memory subsystem works.

David's patch assumes that the network interface device contains a simple memory management unit of its own, and can deal with its own paging details. This assumption turns out to be true for a number of contemporary high-speed cards. These cards can translate addresses and properly ask for help if they need to access a page which is not currently resident in memory. Thus, when using this sort of card, RDMA buffers can be set up without the need to pin them in memory; the hardware will cause them to be faulted in when the time comes.

Needless to say, the hardware will need a considerable amount of help in this process; it cannot be expected to work with the host system's page tables, cause page faults to happen on its own, etc. So the card's MMU must be loaded with a minimal set of page mappings which describe the RDMA buffer(s), and those mappings must be kept in sync as things change on the system. With that in place, the card can perform DMA to resident pages, and ask the driver for help with the rest.

The device driver can load the initial page tables, but it will need help from the kernel to know when the host system's page tables change. To that end, David's patch defines a structure with a new set of hooks into the virtual memory subsystem:

typedef struct ioproc_ops {
    struct ioproc_ops *next;
    void *arg;

    void (*release)(void *arg, struct mm_struct *mm);
    void (*sync_range)(void *arg, struct vm_area_struct *vma, 
                       unsigned long start, unsigned long end);
    void (*invalidate_range)(void *arg, struct vm_area_struct *vma, 
                             unsigned long start, unsigned long end);
    void (*update_range)(void *arg, struct vm_area_struct *vma, 
                         unsigned long start, unsigned long end);
    void (*change_protection)(void *arg, struct vm_area_struct *vma, 
                              unsigned long start, unsigned long end, 
                              pgprot_t newprot);
    void (*sync_page)(void *arg, struct vm_area_struct *vma, 
                      unsigned long address);
    void (*invalidate_page)(void *arg, struct vm_area_struct *vma, 
                            unsigned long address);
    void (*update_page)(void *arg, struct vm_area_struct *vma, 
                        unsigned long address);
} ioproc_ops_t;

An interested driver can fill in one of these structures with its methods, then attach it to a given process's mm_struct structure with a call to ioproc_register_ops(). Thereafter, calls to those functions will be made whenever things change.

The release() method will be called when the process exits; it allows the driver to perform a full cleanup. The sync_range() and sync_page() methods indicate that the given page(s) have been flushed to disk; this tells the driver that, should the interface modify those pages, they must be marked dirty again. invalidate_range() and invalidate_page() inform the driver that the given page(s) are not longer valid - they have been swapped out or unmapped. Calls to update_range() and update_page() happen when a valid page table entry is written; when a page is brought in, mapped, etc. The change_protection() function is called when page protections are changed.

The patch has already, apparently, been looked over by Andrew Morton and Andrea Arcangeli, so one might assume that there would not be a great many show stoppers there. The comments posted so far have had to do mostly with coding style, though one poster noted that it might make more sense to attach the hooks to the VMA structure, rather than the top-level memory management structure. Unfortunately, the patch does not include any code which actually uses the proposed hooks, making it harder to see how a driver might employ them. Meanwhile, conversations continue on how an interface using page pinning could be made to work. A real solution may be some time yet in coming.

Comments (2 posted)

FUSE and private namespaces

Two weeks ago, we looked at the opposition to FUSE, or, more specifically, to the strange filesystem semantics it implements. FUSE overrides the VFS permission checking code to establish its own set of rules; the intent is to keep users (even root) from accessing each other's private filesystems. Few people dispute the goal, but the approach that was used failed to please.

FUSE hacker Miklos Szeredi has tried to address the concerns with a new patch implementing "private mounts." The patch creates a new mount flag (MNT_PRIVATE); if that flag is set, then only processes belonging to the owner of the mount can see the mounted filesystem at all. To all other processes on the system, these private mounts would be entirely invisible. With this change in place, the permission checking change is no longer needed.

Unfortunately, nobody likes this idea either. This patch creates a different set of filesystem semantics; in this case, setuid programs run by a user who has private mounts will see a different filesystem than any other process. The filesystem hackers do not wish to see namespaces which change in surprising ways.

So what is the solution here? Linux does allow for different processes to have different views of the filesystem ("namespaces"). The namespace mechanism could be brought into play to hide FUSE mounts. The problem is that namespaces were never really meant to be shared across the system. A namespace is a process attribute, like the controlling terminal; it is inherited by child processes, but there is no mechanism for passing a namespace to a process which has not inherited it. Users would like to mount their private filesystems and have them available to all of their processes on the system, so having those filesystems in a namespace which is only available to one process tree does not solve the problem.

As it turns out, there is one way to access namespaces outside of the creating process tree. Jamie Lokier noticed that each process's root directory is accessible via /proc/pid/root. A new process can be put into another process's namespace simply by setting its root with chroot(). If all works as it seems it should, a user-space solution can be envisioned: write a privileged daemon process which can create namespaces and, using file descriptor passing, hand them to interested processes. Those processes can then chroot() into that namespace. chroot() is a privileged operation, but the code to handle the user side of this operation could be hidden within a PAM module and made completely invisible.

All that's left is for somebody to actually code this solution. At that point, a glitch or two could come up, but they should be easily fixed with small patches. So there might just be an answer to the FUSE problem after all.

Comments (1 posted)

Patches and updates

Kernel trees

Core kernel code

Development tools

Device drivers


Filesystems and block I/O

Memory management




Page editor: Jonathan Corbet


News and Editorials

First Look at Libranet 3.0

April 27, 2005

This article was contributed by Ladislav Bodnar

Despite positive media reviews and a dedicated user community, Libranet GNU/Linux has never really impressed me. It always seemed like a re-packaged Debian with a price tag - a distribution with two noteworthy features: an intuitive installer and "Adminmenu", a functional (though ugly) graphical system administration utility. The developers have never provided a clear roadmap or release schedule and Libranet has always looked like a project that might follow some of the early "user-friendly" Debian-based distribution, such as Corel or Storm, and fold with the end of the dotcom boom. And indeed, the developers announced, at one point in 2001, that the Libranet GNU/Linux party was just about over - until one of the distribution's most devoted fans threatened to walk all the way from California to Vancouver (the home of Libranet) to help with development, just to keep the project alive!

Perhaps thanks to that heart-moving love affair of a single user for his favorite Linux distribution, the now 21-year old Libra Computer Systems survived. Yes, you read that correctly - Libra was established in 1984 as a small UNIX company, providing installation services and technical support for SCO, HP/UX and Solaris. The company's inaugural Linux release came out in 1999 which marked the beginning of a promising, but bumpy road of Linux distribution development. As such, it is fair to say that Jon and Tal Danzig, the two brothers behind Libranet, are probably some of the most experienced UNIX/Linux hackers in the distribution world today.

It was with these preconceptions, as well as a little skepticism, that I inserted the Libranet 3.0 installation DVD into the DVD tray of a 1.4 GHz Pentium 4 computer and began taking notes.

The first impression lasts, as they say, and it must be true, because from the moment the initial splash screen came up I knew that Libranet 3.0 was a very different product than any of the previous Libranet releases. It has a fully graphical installer now, launched after having auto-detected and auto-configured the system's native video drivers. Granted, by today's standards, this is hardly a major innovation, but up until version 2.8, the Libranet installation program was text-mode only, and even in 2.8 it was just the package selection module that was graphical. The installation program has been completely re-written and has become one of the best in the industry, competing with those of Xandros, Fedora or Conectiva in terms of usability and attention to detail. It also comes with a fully automatic hardware detection feature, partition resizing options, a package selection screen, and the usual user, network, and boot loader setup modules. In a word, the new Libranet installer is intuitive, powerful and beautiful.

Encouraged by these positive experiences, I was eager to reboot and start examining the new operating system. It booted into a somewhat re-designed GDM login screen which provided ways for selecting one's preferred language and desktop environment. By default, Libranet has historically booted into IceWM and this is still true in its latest release, but GNOME (2.8.1), KDE (3.3.2) and a number of smaller window managers are also available. Any of them would take the user to a desktop with a rather bland wallpaper and a handful of desktop icons, of which the "Adminmenu", and its user-level offspring "User Adminmenu", were clearly meant to differentiate Libranet from other distributions on the market and give it that proverbial leading edge.

In the previous releases of Libranet, Adminmenu was an application that would probably end up rock bottom in any GUI design competition. Fortunately, the utility has been completely re-programmed, incorporating, it seems, some ideas from SUSE's YaST (see screenshot). The left pane carries a long list of administration modules - everything from package and security updates to hardware and software configuration. Some of the less frequently seen items include options for installing Microsoft's Core Fonts or to create a Libranet boot CD - this can be useful if the system's boot loader fails at its task for some reason. There is even an option to re-configure and re-build the kernel right from within the Adminmenu's graphical interface. But the package management module could do with some improvements - the fact that there is no search function seems like a major oversight, especially since Libranet 3.0 comes with thousands of packages spread over 5 CDs. Luckily, the Synaptic Package Manager, which does include a search option, is just a mouse click away.

The rest of the operating system is pretty much what one would expect from any modern Linux distribution. It needs to be said, however, that despite superior hardware detection and a user-friendly installer and administration tool, Libranet, unlike say Linspire or Xandros Desktop, is not designed for your average granny. Its menus are mostly left in their default states and the Xterm icons are clearly visible on the desktop toolbars. The distribution comes with no custom documentation, whether printed or online. In other words, Libranet users are expected to be reasonably knowledgeable about computers, which would probably place this distribution in direct competition with the likes of SUSE or Mandriva, both of which provide much the same as Libranet.

And this is also true when it comes to price. At $80, Libranet 3.0 is no longer cheap, but the added value in custom utilities and the increased number of available applications (Libranet 2.8 came on two CDs only) perhaps justifies the price increase. Still, SUSE LINUX comes with three thick manuals in the box, while Mandriva's PowerPack includes a number of commercial applications. Libranet has none of those while, at the same time, it lacks the name and fame of its two big commercial competitors. As such, it will likely have hard time to compete in this market segment.

Summarizing these several hours of investigating Libranet's latest release is not particularly easy. It is a nice enough distribution that works as advertised. Despite that, one is left with a feeling that it is missing some spice, that it lacks something truly remarkable or fabulously innovative. Libranet 3.0, improvement as it is over the previous release, offers nothing that hasn't been seen elsewhere. Some would argue that it does have a friendly, knowledgeable, and dedicated user community on its mailing lists and forums and that's certainly true. For many people, belonging to a friendly family of users is a valid enough reason to buy each new release. But for Libranet to grow and for the company to prosper, there needs to be something more remarkable: more innovation, more awe, more passion. Maybe something to think of before the next release?

Comments (5 posted)

New Releases

Terra Soft Releases 64-bit Yellow Dog Linux

Terra Soft Solutions has announced the release of Yellow Dog Linux v4.0.90 for 64-bit POWER PCs. ""With Tiger 'unleashed' in 48 hours and even Microsoft caught-up in the 64-bit wave, we give into peer pressure and release this interrum set of ISOs. A compilation of our work to date as we move toward the early summer release of v4.1, Yellow Dog Linux v4.0.90 is built upon eighteen months in-house and customer experience with 64-bit," states Kai Staats, CEO Terra Soft Solutions."

Full Story (comments: none)

Tamil Linux Operating System Released (GeekInformed)

GeekInformed notes the release of Red Hat Enterprise Linux Tamil Edition. Tamil Linux will join the ranks of other local Indian language versions such as Bangla, Punjabi, Hindi and Gujarati. ""We were able to do localization in a year and a half. This not only shows our commitment to the local market but also of the community that contributes to Linux (code)," said Javed Tapia, director, Red Hat India during the launch of Tamil Linux."

Comments (none posted)

Distribution News

An amd64 Debian sarge release in the works

One of the most controversial features of the upcoming Debian "sarge" release is that it does not include the amd64 (x86-64) architecture. The amd64 team has just sent out an announcement that it will be creating an independent sarge release for that architecture - and that it will be providing updates and security support as well. This release may not be quite as good as official Debian inclusion of amd64, but it is still good news for amd64 users.

Full Story (comments: 13)

Debian Project Leader report for 2005-04-24

Branden Robinson provides his first report as Debian Project Leader. Topics includes the Sarge release Challenges and Progress, Woody Security Updates, Debian Assets, Leadership Team Status Report, Interviews and Public Appearances, and more.

Full Story (comments: none)

More Debian News from Debian Planet

Debian Planet reports that Jordi Mallach has announced the availability of GNOME 2.10 packages for Debian. "The packages are currently spread across experimental and the pkg-gnome archive on alioth whilst waiting for some new and updated packages to enter experimental."

Some problems with XFS support in Sarge's kernel are discussed in this article. "There are certainly no plans to replace 2.6.8 in the sarge installer since this would require a significant amount of work at a really bad time. You should aim to immediately upgrade your kernel as soon as possible. With a bit of cunning you can even do this before your first boot."

Here is a look at official Debian support for the 80386 sub-architecture in Sarge, which may be dropped in favor of newer architectures.

This article contains links to some resources for Debian system administrators.

Comments (none posted)

New Distributions

Peachtree Linux

Peachtree Linux hit our radar screen this week by sending several security alerts to bugtraq. Peachtree (not related to Peachtree accounting software) is being developed by several students/former students at the Georgia Institute of Technology. It's been in the works since the fall of 2002, according to the website, but Release 1 (codename "Atlanta") only dates back to last February. Peachtree Linux aims to be a small system for the seasoned Linux user. No GNOME or KDE, and generally only one program per any task. Atlanta is available for Pentium II and higher x86, NewWorld Power Macintosh, and Digital Alpha systems.

Comments (none posted)

Distribution Newsletters

Debian Weekly News

The Debian Weekly News for April 26, 2005 looks at the rise of Free Software in Europe, GNOME 2.10 in Experimental, GFDL and Debian, a user poll on removing non-free documentation, the Debian Day (at LinuxTag) Call for Papers, a new policy for Debian consultants and much more.

Full Story (comments: none)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for the week of April 25, 2005 is out. This week's edition looks at Project Dolphin, a new experimental subproject to provide a feature-enhanced LiveCD version targeted at system rescue, two new international mailing lists, and several other topics.

Full Story (comments: none)

DistroWatch Weekly, Issue 97

The DistroWatch Weekly for April 25, 2005 is out. This edition looks at PC-BSD, Momonga Linux 2, and more.

Comments (none posted)

Minor distribution updates

Foresight Desktop Linux, now cooler looking! (GnomeDesktop)

Footnotes announces the release of Foresight Desktop Linux v0.8. "FDL 0.8 includes many updates to existing packages, great hardware detection using hal/udev/gnome-volume-manager, and a new bootsplash."

Comments (none posted)

Package updates

Fedora updates

Fedora Core 3 updates: libtiff-3.6.1-10.fc3 (add jpeg support), mc-4.6.1-0.14.FC3 (fix invalid memory allocation and other bugs), net-snmp-5.2.1-10.FC3 (new upstream version & fixes for 64 bit issues), dia-0.94-5.fc3 (rebuild).

Comments (none posted)

Peachtree Linux updates

Peachtree has security updates for PHP (remote code execution and remote DoS vulnerability), Gaim (multiple remote vulnerabilities), MPlayer (remote buffer overflow and possible code execution), libcdaudio (remote DoS and possible code execution), libexif (remote DoS vulnerability), CVS (buffer overflow, memory leaks, and NULL pointer dereference).

Comments (none posted)

Slackware updates

Slackware Linux has updates for binutils, cvs, python and more. Click below for this week's changelog entries.

Full Story (comments: none)

Trustix Secure Linux updates

Trustix has updates for lots of packages in two multi-bugfix advisories. Advisory #2005-0014 covers amavisd-new, apache, courier-imap, cpplus, cyrus-sasl, dev, hwdata, libpcap, libtiff, mysql, netpbm, nfs-utils, ntp, openldap, portmap, postfix, postgresql, samba, spamassassin, sqlgrey. Advisory #2005-0016 covers bind, courier-imap, cpplus, cyrus-imapd, cyrus-sasl, hwdata, php, php4, postfix.

Comments (none posted)

Newsletters and articles of interest

An Interview with Branden Robinson (Bloggage and Dunnage)

Rob Levin has put up an interview with Branden Robinson, the newly elected Debian Project Leader. "Rob: What are the most important tasks ahead for you as DPL? Branden: In the short term, the most important thing for me to do is to make certain I don't get in the way of the release managers. They have a long-awaited release to get out. While I have ideas for reform, I'm not really crazy about the thought of starting a big flame war with some novel idea of mine when people should keep their attention on the release." Debian Planet has links to other interviews on Linux Magazine and

Comments (3 posted)

Creating a custom Linux LiveCD With PCLinuxOS (NewsForge)

This NewsForge article looks at how to create a custom LiveCD using PCLinuxOS. " The mklivecd tool, which is used to create a LiveCD Linux, can also be used with Mandrakelinux. However, PCLinuxOS has a couple of advantages that make it better suited for a LiveCD Linux project. First off, PCLinuxOS comes with mklivecd already installed and configured, so you don't have to spend time doing it yourself. Second, the Synaptic package manager that comes as part of PCLinuxOS offers an easier and more fool-proof way of adding and removing software than RPM-based systems. Finally, PCLinuxOS comes on a single CD and offers only a small set of programs by default, which makes it less time-consuming to remove unwanted software packages."

Comments (none posted)

Desktop Computing, Served up BSD Style (KDE.News)

KDE.News takes a look at PC-BSD, an OS that combines FreeBSD with KDE. "PC-BSD aims to be user-friendly, especially in the area of software installation and management. Of course PC-BSD comes with a nice graphical installer which can also be used by other Free-BSD users to install the OS in a modern fashion. Screenshots and an ISO for Download are available immediately."

Comments (2 posted)

My Workstation OS: Damn Small Linux (NewsForge)

NewsForge has this report from a Damn Small Linux fan. "I run DSL on an old Pentium II with 128MB of RAM. With every new release I reinstall the operating system to the hard drive, which admittedly kind of sucks, but since my initial install I have began saving most everything to CD-RW. Running from LiveCD would make the update process easier, or eliminate it all together, but I must put my old 1.2GB hard drive to use somehow."

Comments (none posted)

Distribution reviews

Review: Kubuntu 5.04 'Hoary Hedgehog' (NewsForge)

News Forge reviews Kubuntu 5.04. "Kubuntu is a pleasure to use: a snappy, well-designed distro that puts the power of Debian in a easy-to-use package. It's worth a look from new and experienced users alike. Kubuntu Linux is built upon Linux kernel 2.6.10, incorporates the Debian/APT package management system and 6.8.2, and the brand new KDE 3.4."

Comments (2 posted)

Ubuntu Linux: Free and Fabulous (PC World)

PC World reviews the Hoary Hedgehog. "It's hard to come up with a list of gripes about Hoary. The annoyances are mostly minor--there's no pretty startup screen at boot time, for instance. The only glaring blemish is an unfortunate decision to change the default behavior of Nautilus, the Gnome file manager."

Comments (2 posted)

Fedora Core 4 Test 2--Plenty to Look Forward to in FC4 (LinuxPlanet)

LinuxPlanet reviews Fedora Core 4 Test 2. "Fedora Core 4 Test 2 brings lots of goodies to Linux users everywhere. Not only does it provide the latest versions of GNOME (2.10) and KDE (3.4.0) for desktop users regardless of your political persuasion, but it also includes a preliminary version of GCC 4.0 for the developers among us. Since GCC 4.0 was officially released in late April, I'm sure that the official release of FC4 will include GCC 4.0, which promises to be a true milestone for GCC, as it introduces a new optimization framework that promises better and higher-performance code than ever before."

Comments (1 posted)

Mandrake Corporate Server 3.0: Server software made easy (NewsForge)

NewsForge reviews the Mandriva Corporate Server 3.0. "I've always liked Mandrake's various distributions, but I've often had trouble getting them to work properly -- especially when they first come out and are in need of updates. The concept of Mandrake Corporate Server 3.0 is a good one -- it's lighter, faster to install and boot, and cheaper than comparable products from Red Hat and Novell. It's got nice GUI configuration tools that make it easy to manage."

Comments (none posted)

Kanotix: Debian/Sid on steroids (LinuxTimes.Net)

LinuxTimes reviews Kanotix. "To wrap it up, I must say that I am really impressed with Kanotix. It does nothing that has not been done before, but it's Knoppix done right. While Knoppix is a great live CD to demonstrate the power of GNU/Linux or to use it as a rescue tool, it is too messy and bloated for a HD install, at least for my taste. Kanotix successfully combines Knoppix' hardware detection with a good interface. Like Kano writes about Knoppix: "I like it much, but I had to improve it :)""

Comments (none posted)

Review: Libranet 3.0 (NewsForge)

Bruce Byfield reviews Libranet for NewsForge. "Building on a 2.6.11 kernel, Libranet offers an overwhelming array of packages. An automatic installation includes more than a dozen editors. Most, like gedit and Kate, are graphical, as you might expect in a desktop distribution, although Vim and nano are also included. Similarly, a half-dozen Web browsers are installed, including current versions of Mozilla, Epiphany, Firefox, and Opera. Games are even more exhaustively represented, with more than 60 in the default installation and two to three times that number installed if you select the Game package category. All software versions are those currently in Debian testing, which makes them relatively current, if not always cutting-edge."

Comments (none posted)

Page editor: Rebecca Sobol


The GCC 4.0 Release Series

Release Series 4.0 of GCC, the GNU Compiler Collection, was announced this week.

GCC 4.0 features a long list of changes. [GCC] This release includes the merge of the Tree SSA (Static Single Assignment) optimization framework branch into the mainline code (LWN covered Tree SSA one year ago). "This merge has brought in a completely new optimization framework based on a higher level intermediate representation than the existing RTL representation." This should result in improved performance.

Also, GCC 4.0 adds Swing Modulo Scheduling: "SMS is intended to schedule instructions of loops rather than the traditional scheduler (in GCC) that does not give a special handling for loops." SMS is optionally activated with the -fmodulo-sched switch.

Highlights of the language specific improvements include:

  • The C Family
    • Addition of a new sentinel attribute for warning about non Null-terminated functions.
    • Aliases to undefined symbols now cause errors.
    • An error is generated when the address of a register variable is taken.
  • C and Objective-C
    • New warnings enforce more strict aliasing.
    • Several deprecated extensions have been removed.
    • The fwritable-strings option has been removed.
    • The #pragma pack() semantics have been made similar to those used by other compilers.
    • An error is generated when an array with an incomplete element type is encountered.
  • C++
    • Performance has been improved when compiling without optimizations.
    • ELF visibility attributes can now be applied to a class type, easing cross-platform project development.
    • The new -fvisibility-inlines-hidden option can hide exported symbols to improve binary load times.
    • The G++ minimum and maximum operators have been deprecated.
    • Several modifications to the handling of friends of classes have been added.
  • Java
    • Several naming conflicts with external tools have been resolved.
    • The -findirect-dispatch argument now produces code that adheres to the binary compatibility rules of the Java Language Specification.
    • libgcj now supports using GCJ as a Just In Time (JIT) compiler.
    • Numerous improvements have been added to the class library.
  • Fortran
    • The GNU Fortran 77 front end has been replaced by the newer GNU Fortran 95.
  • Ada
    • Ada support has been extended to more platforms.
    • New Ada 2005 features have been added.
  • Runtime Library
    • The Runtime Library has been optimized, new features have been added.
Target-specific improvements have been added to the AMD64, IA-64, MIPS, S/390 and zSeries, SPARC and NetWare platforms.

Support has been declared obsolete for the Intel i860, Ubicom IP2022, National Semiconductor NS32K, SPARClite, and OpenBSD 32-bit SPARC platforms

The build status document shows the list of platforms that the new release has been successfully tested on. More information on this and upcoming releases is available on the GCC Wiki.

Thanks should go to the long list of GCC contributors, GCC continues to be one of the most important cornerstones of Linux kernel and open source application development.

It may be interesting to follow the comment thread on the original LWN announcement.

Comments (none posted)

System Applications

Backup Software

Bacula Version 1.36.3

Version 1.36.3 of Bacula, a system backup utility, is available. See the release notes for details.

Comments (none posted)

Database Software

PostgreSQL Weekly News

The April 24, 2005 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL database information and resources.

Full Story (comments: none)


ESP Ghostscript 8.15rc3

Version 8.15rc3 of ESP Ghostscript has been announced. "ESP Ghostscript 8.15rc3 is the third release candidate based on GPL Ghostscript 8.15 and includes an enhanced configure script, the CUPS raster driver, many GPL drivers, support for dynamically loaded drivers (currently implemented for the X11 driver), and several GPL Ghostscript bug fixes. The new release also fixes all of the reported STRs from ESP Ghostscript 7.07.x."

Comments (none posted)

Web Site Development

CGI Calendar 2.7 released (SourceForge)

Version 2.7 of CGI Calendar, a web site calendar application, has been announced. "This version of the calendar introduces multi-lingual capability. Delivered translations include English, German, French, Spanish, Dutch, Polish, Hungarian, Russian, Japanese, and Esperanto. If you're interested in providing an additional translation, please let me know. Additional translations will be released as they become available."

Comments (none posted)

Five 1.0 released!

Version 1.0 of Five is available. "The Five team is happy to release Five 1.0. Five is a Zope 2 product that allows you to integrate Zope 3 technologies into Zope 2, today. There are no big feature additions compared to Five 0.3, but does include significant bugfixes, along with some minor tweaks. We went directly to 1.0 as we feel that Five is production-ready software."

Full Story (comments: none)

MediaWiki 1.4.2 released (SourceForge)

Version 1.4.2 of MediaWiki has been announced. "MediaWiki 1.4.2 is a security and bug fix release for the 1.4 stable release series. A cross-site scripting injection vulnerability was discovered, which affects only MSIE clients and is only open if MediaWiki has been manually configured to run output through HTML Tidy ($wgUseTidy). Several other bugs are also fixed in 1.4.2."

Comments (none posted)

Desktop Applications

Audio Applications

jamin 0.95.0 release

Release 0.95.0 of jamin, the JACK Audio Mastering interface, is out. "This is a maintenance update, fixing some problems in preparation for a future release 1. JAMin is a GPL-licensed, realtime mastering processor designed to bring out the detail in recorded music and provide a final layer of polish. Every effort has been made to ensure a clean, distortion-free signal path. All processing elements use linear-phase filtering to eliminate phase distortion."

Full Story (comments: none)

Data Visualization

PLplot Development Release 5.5.2 (SourceForge)

Development Release 5.5.2 of PLplot has been announced. "This announcement is for a routine development release of PLplot (Scientific graphics plotting library, supporting multiple languages), and represents the ongoing efforts of the community to improve the PLplot plotting package. Development releases represent a "work in progress", and we expect to provide installments in the 5.5.x series every few weeks. The next full release of PLplot will be 5.6.0."

Comments (none posted)

Desktop Environments

GARNOME 2.10.1 Released

Version 2.10.1 of GARNOME has been released. "Welcome to the "point 1" release, where we've tried to squash as many of the existing bugs as possible and bring everyone another high quality release that shows off the talents of the GNOME Desktop."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week:

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week:

Comments (none posted)

KDE CVS-Digest (KDE.News)

The April 22, 2005 edition of the KDE CVS-Digest is online, here's the content summary: "KTTS can use new Hungarian mbrola voice. Kexi adds a new script editor and classes in Python bindings. Kopete sees start of MSN webcam support. Continued progress in Kicker, khtml, Wifi and many others."

Comments (none posted)


GSpiceUI Version 0.7.01

Version 0.7.01 of GSpiceUI, a GUI frontend for the GNU-Cap and Ng-Spice circuit simulation engines, has been announced. Numerous enhancements have been added.

Comments (none posted)

QtDMM Version 0.8.3

Version 0.8.3 of QtDMM is out with support for Qt-3. "QtDMM is a DMM readout software including a configurable recorder."

Comments (none posted)


XBGM# v0.8 Release (SourceForge)

Version 0.8 of XBGM# has been announced. "XBGM# is a free Xbox Game Manager. It allow you to send (extract) xdvdfs (xbox iso) directly to the xbox via ftp using a GUI. It is working on Linux and Win32 platforms and should work on Mac OS X. XBGM# can be used with various implementations of the CLI, including .NET, Mono, and DotGNU Portable.NET."

Comments (none posted)

GUI Packages

FLTK 1.1.x Weekly Snapshot r4296

Release 4296 of the FLTK 1.1.x Weekly Snapshot has been announced, it features bug fixes and other improvements.

Comments (none posted)

wxWidgets 2.6.0 has been released

Version 2.6.0 of wxWidgets, a cross-platform UI framework, is out. "This is the first official, stable release for a long time but we think the wait has been worth it." See the download page for change information.

Comments (none posted)


Wine Traffic

The April 22, 2005 edition of Wine Traffic is out with the latest Wine project news.

Comments (none posted)

Music Applications

Freecycle 0.21 alpha released

Version 0.21 alpha of Freecycle has been announced. "Freecycle is a beat slicer running on GNU/Linux platform, providing amplitude domain and frequency domain beat matching / zero crossing algorithms. It exports sliced audio chunks and generates a MIDI file which can be used to play the sliced loop. Freecycle also exports AKAI S5000/S6000/Z4/Z8 .AKP file to be used with your favorite sampler."

Comments (none posted)

Office Applications

GanttProject 1.11 (SourceForge)

Version 1.11 of GanttProject, a Gantt chart plotting application, is out. "This release adds a new major feature everybody has been waiting for: support for weekends. One may define weekends when creating new project; it is also possible to add weekends to existing projects. Two other main features of this release: improved horizontal scrolling of the chart (no more two-monthes jumps!) and upload of exported projects to FTP server."

Comments (none posted)

Web Browsers

Mozilla Cairo Vector Graphics Update (MozillaZine)

MozillaZine covers the movement of Mozilla graphics to Cairo. "Robert "roc" O'Callahan has posted an update on the work to move Mozilla's graphics infrastructure to Cairo. Formerly known as Xr or Xr/Xc, Cairo is a cross-platform open-source vector graphics library. According to roc, migrating to Cairo will "give us modern 2D graphics capabilities (such as filling, stroking and clipping to paths, general affine transforms, and ubiquitious support for alpha transparency)." Cairo can send its output to a number of different backends, making it suitable for producing graphics for both screen and print."

Comments (none posted)

Minutes of the Staff Meeting (MozillaZine)

The minutes from the April 18, 2005 staff meeting are online. "Issues discussed include Mozilla Firefox 1.0.3, Mozilla Thunderbird 1.0.3, Mozilla Firefox 1.1, Mozilla Thunderbird 1.1, the Volunteer Awards and the proposed CA certificate policy."

Comments (none posted)

Languages and Tools


Caml Weekly News

The April 19-26, 2005 edition of the Caml Weekly News is online with the latest Caml language articles.

Full Story (comments: none)


Enterprise Streaming (O'ReillyNet)

Amir Shevat discusses Java I/O streams on O'Reilly. "The Java Message Service is a lynchpin of J2EE, but is in some ways more difficult and less flexible than more basic forms of communication, like the stream model of the package. However, as Amir Shevat writes, the two are not mutually exclusive--you can write to JMS topics and queues with streams."

Comments (none posted)

Five Favorite Features from 5.0 (O'ReillyNet)

David Flanagan reviews Java 5.0 on O'Reilly. "A lot has been written about Java 5.0's great new features, leaving David Flanagan to focus on this review of five of his favorite new API features: the Callable and Future interfaces, new APIs for varargs and autoboxing, new ability interfaces, the @Override annotation, and MatchResult."

Comments (none posted)


SBCL 0.9.0 released

Version 0.9.0 of Steel Bank Common Lisp is out. "This major release provides changes to GC hooks, performance improvements, better documentation, and many bug fixes."

Full Story (comments: none)


This Week in Perl 6 (O'Reilly)

The April 12-19, 2005 edition of This Week in Perl 6 has been published. Take a look for the latest Perl 6 news.

Comments (none posted)


Urwid 0.8.7 Released

Version 0.8.7 of Urwid, a curses-based UI library for Python, is out. "This release adds a number of new widget classes as well as feature enhancements for existing widget classes. It also comes with a new example program similar to the dialog(1) command."

Full Story (comments: none)

Dr. Dobb's Python-URL!

The April 25, 2005 edition of Dr. Dobb's Python-URL! is online with the latest Python language article links.

Full Story (comments: none)


Ruby Weekly News

The April 24th, 2005 edition of the Ruby Weekly News has been posted. It is a summary of the ruby-talk mailing list.

Comments (none posted)


Dr. Dobb's Tcl-URL!

The April 20, 2005 edition of Dr. Dobb's Tcl-URL! is out. Take a look for the latest Tcl/Tk articles and resources.

Full Story (comments: none)

Dr. Dobb's Tcl-URL!

The April 26, 2005 edition of Dr. Dobb's Tcl-URL! is out with another round of Tcl/Tk articles and resources.

Full Story (comments: none)


Making Old Things New Again (O'Reilly)

Uche Ogbuji discusses XML document creation APIs on O'Reilly. "There have been recent releases of two of the Python-XML projects in which I'm involved; 4Suite and Amara XML Toolkit. One common theme in both releases was marked improvements to the XML document creation APIs. These improvements are significant enough to discuss and compare to the other systems for XML output I have presented in this column."

Comments (none posted)

XVTV -- Voice-operated television! (IBM developerWorks)

Marc White and Jeff Paull build a voice activated remote control on IBM developerWorks. "For those of you who have always wanted to control your TV using only your voice, you are going to love the XVTV remote control system. With XVTV in your home you can do anything from change channels to program a PVR (Personal Video Recorder) using simple voice commands. XVTV controls external devices by using a multimodal browser, an XHTML + Voice (X+V) Web page, and a USB Universal Infrared Transmitter (USB-UIRT)."

Comments (none posted)

Forming Opinions (O'Reilly)

Micah Dubinko writes about web forms and XML on O'Reilly. "Recently, the W3C published a new Member Submission: Web Forms 2.0, or WF2, based on a numbering system where the 1.0 version is the forms chapter of HTML 4.01 plus some DOM interfaces, which I collectively call "classic forms". To be clear, the Submission process is designed to "to propose technology or other ideas for consideration by the Team" — that is, W3C staffers. Unlike documents on the Recommendation track, Submission status doesn't imply any future course for the W3C or any endorsement of the content."

Comments (none posted)


FLDev 0.5.4 released

Version 0.5.4 of FLDev, a C++ IDE that works with FLTK, is available. Here are the changes: "I fixed a few bugs, e.g. the Transparency of the App Icon, the missing undo-feature in the menu, the window hiding after calling fluid, etc..."

Comments (none posted)

Wing IDE 2.0.3 Announced

Version 2.0.3 of Wing, an IDE for Python, is available. "This release adds new keyboard personality for OS X, debugging support for 64-bit Linux versions of Python, and editor performance improvements."

Full Story (comments: none)


Luban Programming Language Beta 1.2 Released

Version Beta 1.2 of Luban, a component-oriented scripting language, is available. "Based on feed back from increasing number of Luban users, we release Luban Beta 1.2 that major changes are for enhancement sof Luban command line interpreter interface. We thank Luban users for giving feed back."

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Trust and Zeal in Open Source Advocacy (O'ReillyNet)

Jono Bacon discusses advocacy in this O'ReillyNet article. "The important difference between an evangelistic zealot and a consultant is the authenticity of the advice; a zealous evangelist may advise you to go the open source route irrespective of whether it is right for you, yet a consultant is far more likely to identify what your needs are and determine how--and if--open source can help you. The latter is most certainly the approach you should seek. It is the only path I try to advise."

Comments (5 posted)

Nikon's photo encryption reported broken ( reports that programmer Dave Coffin has successfully broken a proprietary encryption scheme that is used in some Nikon digital cameras. "Because Nikon scrambled a portion of the file, legal worries have kept third-party developers like Adobe Systems from supporting Nikon's uncompressed "raw" photos in their software. Nikon sells its Nikon Capture utility for $100. "It's an open format now," said programmer Dave Coffin, who posted the decryption code on his Web site this week. "I broke that encryption--I reverse-engineered it."" The application, dcdraw, is available for Linux.

Comments (19 posted)

Linux on the desktop is not enough (

This LinuxWorld article looks at Linux on the laptop. "So how does Linux fare on your average laptop today? Actually, pretty well. Most distributions correctly identify laptop screens, pointing devices, and other peripherals. Support for wireless networking is functional for many chip sets. PCMCIA cards are well-supported. Even basic power-saving features are in place. Although these are all impressive achievements, they're not enough."

Comments (23 posted)

Trade Shows and Conferences

LWCE Toronto: Day 3 (NewsForge)

NewsForge covers day 3 of LinuxWorld 2005. "The third and final day of Toronto's LinuxWorld 2005 had the meat I was looking for. First, I attended Mark S. A. Smith's presentation entitled "Linux in the Boardroom: An executive briefing". Next, I listened to David Senf of IDC discuss the top 10 CIO concerns with open source. And finally, I wrapped my attendance to this year's LinuxWorld Toronto with another session by the energetic Marcel Gagné in a presentation entitled "Linux Culture Shock""

Comments (none posted)

A Look at the Linux World Canada Show (Linux Journal)

Linux Journal has this report on the recent LinuxWorld Conference & Expo Canada. "Although a number of fee workshops and tutorials were offered, admission to the show floor and the keynote speeches was free. In my case, I was involved in setting up and supporting the Toronto Linux User Group booth at the show, so although the show did not cost me money, it did cost me some sweat equity."

Comments (none posted)

Reports from the European Common Lisp Meeting

Paolo Amoroso has assembled links to a number of reports from the recent European Common Lisp Meeting.

Full Story (comments: none)

Bosworth's Web of Data (O'Reilly)

O'Reilly covers Adam Bosworth's MySQL Users Conference 2005 keynote speech. "In his Thursday morning keynote at the MySQL Users Conference 2005, Google's Adam Bosworth suggested that we "do for information what HTTP did for user interface." Ten years ago, when he first started paying attention to the web, he was interested in the idea that he could zero install applications and that they could be accessed from anywhere at any time. He said that a personal computer to him is like a phone: it is a useful access point but it is not where he stores stuff."

Comments (none posted)

The State of the Dolphin at the MySQL Users Conference 2005 (O'Reilly)

O'Reilly covers the MySQL Users Conference 2005 State of the Dolphin talk. "In fact, squashing bugs is their theory on MySQL's success. There is a cycle. You need good bug reports to stabilize and improve your product. But the community needs to feel that the company is responding to the bug reports and fixing them in a reasonable time frame. This response leads to more bug reports, which, in turn, leads to a more valuable product. They make the analogy that open source is like a democracy. It's not perfect, but you can see what's wrong. Even in the free community edition, all the features are available."

Comments (none posted)

The SCO Problem

Order on Motion for Reconsideration (Groklaw)

Groklaw reports that Judge Wells has issued her Order regarding the IBM Motion for Reconsideration. "So, for now, IBM does not have to turn over the files of the 3,000 individuals who have contributed the most to AIX and Dynix. That is deferred. They have to turn over for 100 individuals in 90 days, and then SCO can ask for more details if they want to. It's a much more balanced order."

Comments (none posted)


AMD releases dual-core server chips ( covers the release of dual-core processors by AMD. "Intel may have come out with dual-core processors a few days earlier, but Advanced Micro Devices says it is bringing out dual-core chips to the market where it counts. The Sunnyvale, Calif.-based chipmaker on Thursday released its first three dual-core Opteron processors for servers. It plans to follow that release with three more server chips and a desktop line during the next two months."

Comments (9 posted)


Open wallets for open-source software ( is carrying a New York Times story on an upsurge in venture funding for open source companies. "Venture capitalists are again embracing open-source technology companies. JBoss, which offers a layer of software for controlling Web applications, was one of 20 such businesses that raised $149 million in venture money in 2004, according to estimates by research firm VentureOne. At least three open-source start-ups raised $20 million last month alone. But given some spectacular open-source failures in the late 1990s, a natural question may be whether some of these venture capitalists have perhaps lost their minds."

Comments (3 posted)

Linux at Work

Desktop Adapted for Dad (The Linux Box)

Adam Trickett sets up a Debian/KDE system for his father, in this Linux Box article. "My father is in his late 60s, and has never used a computer before, though he has seen others use them. There are a lot of people that now fall into this so called "silver surfer" category. Like most people his age, his eyesight is less than perfect and he wears bi-focals. He has never used a mouse or keyboard, and his co-ordination is significantly less than that of an experience hacker."

Comments (4 posted)


Fortinet settles GPL violation suit ( reports that Fortinet has settled its GPL violation suit. "Fortinet has agreed to provide the source code of the Linux kernel and other GPL-licensed components to any interested party. The code is available upon request, for the cost of distribution, from the Fortinet Web site. The company has also agreed to modify its licensing agreement to include the GPL licensing terms with all Fortinet shipments. The settlement agreement also states that no Fortinet partners are subject to legal action."

Comments (22 posted)


UBL: Another Opportunity for FOSS in the Enterprise (Linux Journal)

Linux Journal talks with Jon Bosak and Lars Oppermann about UBL, the Universal Business Language. "E-business still lacks a universal, cheap and easy-to-implement standard language. At least, this was the case until a few months ago. Today, the Universal Business Language (UBL) is ready to fill this gap, and it looks to be solid offering rather than yet another bunch of buzzwords. UBL comes from OASIS), the same folks who standardized the OpenDocument format for office files, and UBL is equally as open."

Comments (none posted)

One year as president of a LUG (NewsForge)

Jim Westbrook reflects on a year as President of the Austin LUG, on NewsForge. "I readily admit that I enjoyed my term as President of the LUG. I also have to admit that I am looking forward to being "just a member" for a while. What I really learned is that the more you are involved in LUG activities, the more you learn about and enjoy using Linux."

Comments (none posted)

An Interview with Jack Kelliher of pcHDTV (O'Reilly)

O'Reilly has published an interview with Jack Kelliher of the pcHDTV project. "When I was in college, I always felt that programming was artwork. When decisions came out that made it illegal to write code, or patents prevented me from writing code, I felt that my ability as an artist was infringed. Joining the Linux community made me very upset with the status quo. Contributing to Linux was a way to keep my rights. Did you know, open source isn't just software, either? FPGAs [programmable logic chips] are getting so cheap now that you can build custom hardware. It's the next step for open source."

Comments (none posted)


Book Sales as a Technology Trend Indicator (O'Reilly)

Tim O'Reilly looks at technology trends as indicated by book sales statistics. "In terms of computer languages, PHP (up 16%) continues its strong growth. C# (up 2.5% over last year) was the only other programming language whose growth was in positive territory. By contrast, sales of books on Java (down 10%), Visual Basic (down 23%), C/C++ (down 4%), Perl (down 14%), Python (down 9%), and Javascript (down 12%) were all lower than they were in the same period a year ago."

Comments (16 posted)

Hacking Firefox (O'ReillyNet)

O'ReillyNet presents an excerpt from Firefox Hacks. "So far, our example has concerned adding a menu item to the Firefox Tools menu, but there are other areas of the Firefox UI into which you can overlay. It's possible to overlay into any area of the visible UI, once you know the id of the widget to which you want to add. For example, the Download Manager Tweak extension ( adds a button to the Downloads panel in Firefox's Options window."

Comments (none posted)

Designing a Course in Linux System Administration (Linux Journal)

Linux Journal has this report on how one professor designed a class on Linux system administration. "Assessment itself should be another learning experience. So instead of the traditional tests where students get to fill in the blanks, be creative! After class one day, go in and "break" the students machines. That way, when they all get to class the next day, they won't be able to log on. Give them 30 minutes to fix the problem, and at the end of the time, give them some hints or explain the problem. Troubleshooting can be fun unless, of course, it is your own machine. When Dr. Moorman and I last ran the class, it was only a matter of days before a student had his machine cracked from the outside. Luckily, we had planned a demonstration on security that day, so it worked out perfectly."

Comments (1 posted)

An Overview of Linux USB (Linux Journal)

Rami Rosen explains USB in a Linux Journal article. "Learn some of the basics of the USB subsystem, including how URBs work and what kind of host controllers are available."

Comments (none posted)

The Daemon, the Gnu and the Penguin, Ch. 4 & 5 - by Peter H. Salus (Groklaw)

Here's the next installment of Peter H. Salus's history, The Daemon, the Gnu and the Penguin. "Interestingly, Bill Joy created vi in 1976 and Richard Stallman (together with Guy Steele and Dave Moon) created Emacs the same year. The original version was based on TECMAC and TMACS, two TECO editors. Stallman and Michael McMahon ported it to the Tenex [for the DEC-10] and TOPS-20 [for the DEC-20] operating systems. [James Gosling, the creator of Oak/Java, wrote the first Emacs for UNIX at Carnegie-Mellon in 1981. RMS began work on GNU EMACS in 1984.]"

Comments (4 posted)

Porting Windows IPC apps to Linux (IBM developerWorks)

Srinivasan S. Muthuswamy and Kavitha Varadarajan show how to port Windows applications to Linux on IBM developerWorks. "The wave of migration to open source in business has the potential to cause a tremendous porting traffic jam as developers move the ever-pervasive Windows® application to the Linux™ platform. In this three-part series, get a mapping guide, complete with examples, to ease your transition from Windows to Linux. Part 1 introduces processes and threads."

Comments (none posted)


KDevelop vs Microsoft VS.Net (NewsForge)

NewsForge has published a comparison of Windows and Linux Integrated Development Environments. "Over the past few years, Linux has been hitting Windows hard in different places and, blow by blow, won points against the OS behemoth. Good application software is an important selling point for any operating system, and good development tools are crucial to those writing application software. The leading desktop operating system, Microsoft Windows, has a strong integrated development environment (IDE) in Visual Studio .Net, while the upstart Linux platform's KDE environment has KDevelop. Let's pitch them against each other and see which ends up the last IDE standing."

Comments (none posted)

KDE Kiosk - Battening Down the Hatches (KDE.News)

KDE.News points to an article by Barry O'Donovan on KDE Kiosk. "The KDE Kiosk is a framework that has been built into the K Desktop Environment since version 3. It allows administrators to create a controlled environment for their users by customising and locking almost any aspect of the desktop which includes the benign such as setting and fixing the background wallpaper, the functional such as disabling user log outs and access to the print system and the more security conscientious such as disabling access to a command shell."

Comments (1 posted)

Review: Mandriva Limited Edition 2005 (NewsForge)

NewsForge reviews Mandriva's transitional release. "Put an encrypted DVD into your DVD-ROM and the Kaffeine video player pops up a window that checks for the required libraries and codecs. If some are not found -- Win32 and libdvdcss are not installed with the distribution because of legal issues in some countries -- you're told where to go to get them. Click the provided links, download the RPMs, install them using Mandriva's software installer, and within five minutes you have DVD and Windows media file playback capabilities."

Comments (1 posted)

A Brief Look at Mod_Python (Dev Shed)

Dev Shed reviews mod_python. "Python's Apache interpreter is available as an Apache module, mod_python. This module reduces the time it takes to deliver a given page to a client. It is also capable of a great deal more, including interacting with Apache itself in various powerful ways. This article gives you just a taste of what mod_python can do."

Comments (none posted)

Cross Platform PIM on a Stick (KDE.News)

KDE.News looks at KDE-PIM. "Available for memory sticks on Windows or Linux, the new release KDE-PIM/Platform independent lets you carry around your favourite KDE applications and your personal data in the palm of your hand. This device independent software can import your data directly from Outlook and sync it with KDE-PIM running on other computers."

Comments (1 posted)

Detecting suspicious network traffic with psad (NewsForge)

NewsForge takes a look at the Port Scan Attack Detector (psad). "psad is a valuable tool for those wanting to know who is probing their network and what they are looking for. It is lightweight, uses your existing firewall setup, and is customizable to your level of paranoia. Its integration with Dshield helps to make the Internet safer for everyone."

Comments (none posted)


Tridgell speaks out in BitKeeper war (ZDNet)

ZDNet looks into a somewhat exaggerated "war" between Andrew Tridgell and Linus Torvalds. "Andrew Tridgell has made his first public comments on the dispute between himself and Linux originator Linus Torvalds over source code management for the Linux kernel, describing much of the coverage and commentary on the issue as "trivial and crazy"."

Comments (33 posted)

Hai Ti Comic Teaches KDE (KDE.News)

KDE.News covers a Namibian education comic featuring KDE. "Named Hai Ti ("Listen up!" in the Oshiwambo language), the comic features the super-hero like SchoolNet project showing student and teachers their KDE desktop. SchoolNet is a Namibian organisation whose aim is to bring computers and the Internet to all schools in the country."

Comments (none posted)

Page editor: Forrest Cook


Commercial announcements

MontaVista Delivers Mobilinux, a Linux OS for Mobile and Wireless Devices

MontaVista Software, Inc. has announced Mobilinux 4.0, the core of the Mobilinux Open Framework, an industry-wide program for the creation and promotion of Linux-based handset reference architectures.

Comments (none posted)

Novell partners with CS2C in China

Here's a Novell press release stating that the company is getting serious about China, and partnering with China Standard Co ("the leading Linux firm in China"). "Under the agreement, Novell and CS2C will cooperate to provide technology, services and marketing to optimize and promote Linux to the Chinese market. As a result, Chinese companies, organizations and individuals will gain access to leading Linux technology, enterprise-class Linux services and local and global support."

Comments (none posted)

Open Sense Solutions Announces Groovix GK4 Multi-User Public Access Computer

Open Sense Solutions LLC has announced the Groovix GK4, a four-user public access computing system. "Libraries and schools, long the sites of public access computers, have watched as the demand for computer availability has increased. What often has not increased, however, are the budgets allocated for this purpose. The arrival of the Groovix GK4 and Open Sense's Simultaneous Local Independent Multi-User (SLIM) technology allow one computer to drive four work stations, yielding extraordinary value. Groovix systems enable these traditional public access locales to provide more for less." According to this MozillaZine article the system uses Debian GNU/Linux, Mozilla Firefox, and other free software.

Comments (2 posted)

O-Ya Software Announces DeepDive Search SDK Platform

O-Ya Software has announced its DeepDive Search SDK Platform. "O-Ya Software DeepDiveTM uses best of class open source building blocks to create a best of class open source enterprise platform, including the following building blocks: gSOAP, libcurl, Xerces C++ Parser, PostgreSQL, MySQL, OpenSSL, Pthreads."

Full Story (comments: none)

New Books

Pragmatic Bookshelf Releases "Data Crunching"

Pragmatic Bookshelf has published the book Data Crunching: Solve Everyday Problems Using Java, Python, and More by Greg Wilson.

Full Story (comments: none)

"Developing Feeds with RSS and Atom" Released by O'Reilly

O'Reilly has published the book Developing Feeds with RSS and Atom by Ben Hammersley.

Full Story (comments: none)

"Spring: A Developer's Notebook" Released by O'Reilly

O'Reilly has published the book Spring: A Developer's Notebook by Bruce A. Tate and Justin Gehtland.

Full Story (comments: none)


The LDP Weekly News

The April 20, 2005 edition of the LDP Weekly News is online with the latest new documentation releases.

Full Story (comments: none)

The LDP Weekly News

The April 27, 2005 edition of the Linux Documentation Project Weekly News is online with more new documentation releases.

Full Story (comments: none)

Paper on applying open source more generally

Danny O'Brien points to an online paper about open-source efforts. "Here's a paper that discusses and explains the Linux development model (as well as other "open source"-like community efforts, such as the Wikipedia), and seeks to extend them to other areas."

Full Story (comments: none)

LQ Radio Interview #1 has posted the first of its live LQ Radio interviews. "The interview features Tom Adelstein and Sam Hiser. Topics covered include an in-depth look at the Sun Linux strategy, current trends in the Linux market, thoughts on Novell and Red Hat, Linux OEM preloads, the importance of open document formats, Linux in emerging areas, Open Sourcing OS/2, Linux standards and much more."

Full Story (comments: none)

Contests and Awards

TuxMobil GNU/Linux Award 2005

TuxMobil is holding a contest. "TuxMobil announces the first "TuxMobil GNU/Linux Award". The award honors Free Software projects, which improve Linux for mobile computers. Pri[z]es are sponsored by companies selling pre-equipped mobile Linux devices or compatible accessories. The first pri[z]e will be a SHARP SL-6000L (Zaurus) Linux PDA. If you want to nominate programs, drivers, ports or documentation for laptops, notebooks, PDAs, mobile phones and portable media players, write to <> until June 30th 2005."

Full Story (comments: none)

Upcoming Events Conf 2005 - vote for the location Deadline: April 30, 2005

A vote is being held to decide the location of the 2005 Conference, the voting deadline is April 30. "Koper, Slovenia and Lyon, France have been proposed as locations for the Conference 2005."

Full Story (comments: none)

French Perl Workshop 2005 (use Perl)

use Perl has an announcement for the next French Perl Workshop. "The Marseilles Perl mongers are proud to announce that the second edition of the French Perl Workshop will be held at Marseilles, France on June 9 and 10, 2005."

Comments (none posted)

Schedule and Registration for II Guadec-es (GnomeDesktop)

GnomeDesktop has an announcement for the Second GUADEC-es conference. "The On-line Registration and the very interesting Schedule of events are available for the 2nd edition of the GUADEC-es (International conference for Spanish speaking GNOME users and developers), that will be held this year in A Corunha (Galicia, north-west of Spain), on 19-21 May."

Comments (none posted)

LinuxWorld Summit New York

IDG World Expo has announced the LinuxWorld New York Summit 2005. "The two-day LinuxWorld Summit is scheduled to take place May 25-26, 2005 at the New York City Marriott Marquis and includes a highly-focused, contemporary, conference program."

Comments (none posted)

The O'Reilly Where 2.0 Conference

O'Reilly has announced early registration for the Where 2.0 Conference, the event will be held in San Francisco, California on June 29-30, 2005. "Location-determining technologies like GPS, RFID, WLAN, cellular networks, and networked sensors are paving the way for a growing array of capabilities around local search, mapping, mobile social applications, business analytics, asset tracking, and e-commerce. These ubiquitous location-aware technologies and services are driving a renaissance in business strategy and opportunity."

Full Story (comments: none)

2006 Australian LinuxWorld Conference and Expo

IDG World Expo has announced the dates for the 2006 Australian LinuxWorld Conference & Expo. The event will be held in Sydney on March 28-30, 2006.

Comments (none posted)

Events: April 28 - June 23, 2005

Date Event Location
April 28 - 30, 2005UbuntuDownUnderSydney, Australia
April 30, 2005Hurricane Electric Linux Security SeminarFremont, CA
May 2 - 7, 2005DallasCon 2005(Richardson Hotel)Dallas, TX
May 2 - 4, 2005Samba eXPerience 2005(Hotel Freizeit)Göttingen - Germany
May 2 - 5, 2005International PHP Conference(RAI Conference Center)Amsterdam, the Netherlands
May 4 - 6, 2005CanSecWest/core05Vancouver, B.C.
May 11 - 15, 2005php|tropics 2005(Moon Palace Resort)Cancun, Mexico
May 13 - 14, 2005BSDCan 2005(University of Ottawa)Ottawa, Canada
May 19 - 21, 2005GUADEC-es 2005A Coruña, Spain
May 22 - 25, 2005Gelato Federation Meeting(HP's Palo Alto and Cupertino campuses)San Jose, CA
May 23 - 26, 2005PalmSource Worldwide Mobile Summit and DevCon(Fairmont Hotel)San Jose, California
May 24 - 27, 2005XTech 2005 Conference(Amsterdam RAI Center)Amsterdam, the Netherlands
May 25 - 26, 2005Linux World New York Summit 2005(New York City Marriott Marquis)New York, NY
May 28 - 29, 2005Linux Unix Group of Bulgaria SeminarStara Zagora, Bulgaria
May 29 - 31, 2005GNOME Users and Developers European Conference(GUADEC 2005)Stuttgart, Germany
June 1 - 3, 2005The Red Hat Summit 2005(Hilton New Orleans)New Orleans, LA
June 1 - 4, 2005Fórum Internacional Software Livre(FISL)Porto Alegre/RS, Brazil
June 9 - 10, 2005Austrian Perl Workshop(Kapsch CarrierCom)Vienna, Austria
June 9 - 10, 2005The French Perl Workshop(Faculté des Sciences de Luminy)Marseille, France
June 11, 2005PHP WestVancouver, BC, Canada
June 15 - 17, 2005AstriCon Europe 2005(Auditorium Madrid Hotel)Madrid, Spain
June 17 - 19, 2005RECON 2005Montreal, Quebec, Canada
June 19 - 22, 2005International Lisp Conference 2005(ILC 2005)(Stanford University)Palo Alto, CA
June 22 - 25, 2005LinuxTag 2005(Kongresszentrum)Karlsruhe, Germany
June 23 - 24, 2005Italian Perl Workshop 2005(University of Pisa)Pisa, Italy

Comments (none posted)

Page editor: Forrest Cook

Letters to the editor

US Government Discriminates against Non-Microsoft users

From:  Tim Mattox <>
Subject:  US Government Discriminates against Non-Microsoft users
Date:  Wed, 20 Apr 2005 20:54:26 -0400

To whom it may concern,
I am a Ph.D. student in the USA with over a dozen publications, who has
not used a Microsoft OS in any significant amount (no more than a few
hours total) in the last 5 or 6 years. I was greatly disturbed today to
find out about the move by the US Federal Government to require the use
of a Microsoft Operating System to apply for any federal grants. See
this webpage for a glimpse of the problem:
Here is an open letter from a fellow academic that describes the issue
in greater detail:
I find it very disturbing, and outright wrong, that the US federal
government will soon require that I give money to Microsoft (either for
Virtual PC, or a version of Windows itself) to be able to apply for
grants through Microsoft was convicted of abusing their
monopolistic position in the USA. This is just wrong in so many ways
that I am at a loss for where to start.
The NSF Fastlane system should have been used as a model for how to
approach this "all federal grants" system. Fastlane doesn't require any
particular operating system to use, basically it needs just a web
I find it a slap in the face that the maker's of PureEdge posted a
whitepaper (!SSL!/WebH...)
saying they have chosen to just let
Microsoft's Virtual PC package solve their problem of supporting
Macintosh users. Virtual PC is not a particularly inexpensive piece of
software! And it's not available on so many other operating systems
that are actively in use today. And to say that, oh, in MS Office 10 it
will be included makes the horrible assumption that I'd buy MS Office.
I use LaTeX (among other free/open source programs), like most other
academic researchers for my publications work. I don't use, and don't
ever intend to buy another Microsoft product until they are actually
held accountable for their criminal activities as an abusive
monopolistic company. But even then, I would have been "getting along
fine" creating journal publications and doing my research work without
the use of Microsoft products.
Please point me to an alternative to PureEdge for using, or
tell me what is being done to solve this problem. What is the timetable
for PureEdge, or more importantly, being usable on these
operating systems: Linux, FreeBSD, OpenBSD, NetBSD, Solaris, MacOS X,
and MacOS 9
P.S. - There is an ongoing discussion of this issue at these links:
Tim Mattox - -

Comments (2 posted)

Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds