LWN.net Weekly Edition for May 12, 2005
SSH as a worm vector
It has been quite some time since a serious Unix/Linux worm has made its way through the Internet. Such worms seem difficult to write, but few people would argue that they are impossible. To many, it is just a matter of time until a Linux-based worm gets loose. This event will slightly reduce the level of smugness in the community, and greatly reduce the credibility of claims that Linux is a more secure system. It is not something to look forward to.
Meanwhile, a crucial security-related component of many systems is SSH, usually in the form of OpenSSH. Even the most severely locked-down systems will often have an SSH port open. So any sort of compromise which involves SSH is seriously frightening. Now, a paper [PDF] written by four MIT researchers (and commented on by Bruce Schneier) describes how SSH could be used as a vector for worm attacks. This threat appears to be real, and deserves attention from anybody responsible for the security of network-attached systems.
SSH maintains a per-user "known hosts" file, where it stores the public keys of remote systems it knows about. This file enables SSH to issue that obnoxious warning whenever a host key changes; its purpose is to help prevent "man in the middle" attacks. It may be possible to redirect an SSH connection via a DNS compromise, but it will not normally be possible to keep SSH from noticing the switch. This is a good thing.
The known hosts file, however, is a handy little database listing all of the systems a given user connects to. If that user's account is compromised, the known hosts file becomes a list of logical systems to attack next. If the user's password is known, chances are good that it will work on at least some of the systems found in the known hosts file. If the user has set up no-password, key-based logins to some of those remote systems, knowledge of the password will not be necessary. The result is that a purely local exploit could use the SSH databases and protocol to automatically propagate itself across the net.
It's worth noting that a worm could be written today using this technique combined with, say, the just-announced core dump vulnerability. Sooner or later, somebody is going to go for it.
The paper's authors are trying to collect more data to generate more metrics on how extensive the "web of known hosts" is; to that end, they are asking people to contribute their known hosts files. See this page for more information. Note that their data collection process involves running a perl script (supplied by them) as root. One assumes that these researchers are trustworthy, but one would be well advised to look over that script carefully before running it anyway. Twice.
The authors also point out that OpenSSH 4.0 includes a defense mechanism in the form of hashed known hosts files. By using a hash rather than the remote system's name, OpenSSH is able to verify remote keys without actually storing a list of remote system names. This behavior must be explicitly turned on, however (by adding a "HashKnownHosts yes" line to the SSH client configuration file) and existing known hosts files must be converted to the new format. A couple of scripts have been provided to help with the conversion process.
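How a hashed known hosts entry is built and checked, as an added example (not code from the article, the paper or OpenSSH itself): the host field becomes "|1|salt|HMAC-SHA1(salt, name)", so someone reading the file sees no host names while the client can still test a name it already knows. The function names and the sample file are constructed for illustration; only exact names are handled on the plain side.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix that marks a hashed host field

# Constructed sample: documentation host names, placeholder key material.
SAMPLE = """\
# constructed known_hosts sample
build.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-constructed-key-1
backup.example.org ssh-rsa AAAAB3NzaC1yc2E-constructed-key-2
*.lab.example.org ssh-rsa AAAAB3NzaC1yc2E-constructed-key-3
"""


def hash_host(hostname, salt=None):
    """Build the field |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    if salt is None:
        salt = os.urandom(20)  # fresh random salt for every entry
    digest = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode("ascii"),
                        base64.b64encode(digest).decode("ascii"))


def host_matches(host_field, hostname):
    """True if a host field covers hostname (plain fields: exact names only)."""
    if not host_field.startswith(HASH_MAGIC):
        return hostname in host_field.split(",")
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count or bad base64: treat as no match
        return False
    actual = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_known_hosts(text):
    """Convert plain entries to hashed ones, one output line per host name.

    Comments, marker lines, already-hashed entries and wildcard patterns are
    left unchanged: a hash can only ever match one exact name.
    """
    out = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if (len(fields) < 2
                or fields[0].startswith(("#", "@", HASH_MAGIC))
                or any(c in fields[0] for c in "*?!")):
            out.append(line)
            continue
        hosts, rest = fields
        for name in hosts.split(","):
            out.append("%s %s" % (hash_host(name), rest))
    return "\n".join(out) + "\n"


def visible_names(text):
    """Host names that anyone able to read the file can list directly."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith(("#", "@", HASH_MAGIC)):
            names.extend(fields[0].split(","))
    return names


def is_known(text, hostname):
    """The lookup the client still needs: does any entry cover this name?"""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith(("#", "@")):
            if host_matches(fields[0], hostname):
                return True
    return False


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE)
    print(hashed)
    print("names readable before:", visible_names(SAMPLE))
    print("names readable after: ", visible_names(hashed))
    print("192.0.2.10 still verifiable:", is_known(hashed, "192.0.2.10"))
```

The wildcard entry stays readable after conversion, so a file that relies on patterns still exposes those names.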
The community is lucky to have received advance warning of this issue. Now, however, it is up to us to act on that warning. With some diligence, it may be quite a few more years before we see a serious Linux-based worm.
The broadcast flag is defeated - for now
LWN covered the broadcast flag rule in November, 2003. This rule, adopted by the U.S. Federal Communications Commission, mandated that digital television systems implement and honor a flag, embedded within the TV signal, which would forbid copying or further redistribution of the content. This rule, in effect, forbids the creation of free television demodulator systems. No source-available system could implement the broadcast flag in a way which meets the "robustness rules" set out by the regulation.
The DC Circuit Federal Court of Appeals made short work of this rule; the full ruling is available in PDF format. The decision is clear and narrow:
Thus, the broadcast flag is dead, because the FCC has no authority to make that particular regulation. The court offers no opinion on whether the concept of a broadcast flag is defensible or not - it was not asked to consider that issue. All that has been decided is that the FCC has no authority to give the entertainment industry veto power over our gadgets. For the time being, digital TV systems implemented with free software are legal.
The next move in this game is obvious: the entertainment industry will go to Congress seeking a law which either (1) gives the FCC the authority to regulate devices which are not actually transmitting or receiving signals, or (2) implements the broadcast flag requirement directly. Cory Doctorow has claimed that the industry will not succeed in this goal:
The fact is, elected lawmakers are not suicidal enough to break their constituents' televisions. Watch and see: over the next year, we're all going to roast any lawmaker who so much as breathes the words "Broadcast Flag" in a favorable tone.
This view is probably overly optimistic. Experience says that the purveyors of ideas like the broadcast flag never give up; they bring their proposals to Congress over and over until the opposition has, finally, been worn down. The broadcast flag may well be defeated next year, but it will be back the year after that. Until elected representatives (and the wider world) understand why things like broadcast flags are such a bad idea, we will have to keep fighting this battle.
A new Harmony Project
Geir Magnusson Jr. sent out a proposal for "Project Harmony" which would create an open source implementation of the Java 2 Platform, Standard Edition (J2SE) version 5 and a "community-developed modular runtime (VM and class library) architecture for independent implementations to share runtime components, all to be available under the Apache License, v2.
The proposal calls for "a broad, collaborative community of contributors", and there is an impressive list of interested parties in Magnusson's proposal. We talked with Magnusson about the project, the interest which has been shown so far, and whether Sun had been approached to cut out the middleman and simply open source their implementation of J2SE to save everyone the hassle of doing it again.
Magnusson said that the project "was a long time coming", but there was not a specific catalyst that made the group decide that now was the time to move forward. "Finally, we just decided that it's time." He also emphasized that Harmony is about "building communities that can collaborate...we're looking at inviting everybody who wishes to participate".
With regard to Sun and open source Java, Magnusson said that "we respect Sun's right to make their decision [regarding licensing]".
We also wondered whether Magnusson or someone from the Harmony project had approached Sun to confirm that the company isn't planning on an open source version of Java. Magnusson said that Sun had been made aware of the project, but that he "won't say we've gotten an assurance that they're not going to do this in the next two years".
Sun's Graham Hamilton has also said that Sun will probably participate "at some level, although most of our efforts will continue to be focused on building Sun's reference implementation of J2SE." Although Hamilton puts a damper on the endorsement by adding:
Bruno F. Souza, "the number one Java Evangelist in Brazil," and another individual listed in the Harmony proposal, also comments on Harmony in his blog and on the need for a second implementation:
Not only that, but another implementation promotes competition and foster innovation. An open source implementation helps in research, discussions and even in the evolution of the Compatibility Kit. Sun recognizes the value of that, that's why Mustang source code is now available on an ongoing basis, and why Sun proposed recent licensing changes to its implementation, to promote this very things. But this is not enough. Sun's licensing changes get to the edge of the water, but although noticing that the water is cold can be relaxing and beneficial, it don't really give you any of the benefits of swimming. I have already discussed elsewhere other reasons why I think an open source implementation of Java is needed.
There is certainly plenty of need for an open source Java in the open source community. It's already been commented on, several times, that OpenOffice.org 2.0 has Java requirements that may pose problems for distributions that don't ship Sun's Java due to license problems. There is also the question of Java on operating systems and/or hardware architectures not supported by Sun. Magnusson agreed this was a "personal driver" for his interest in the Harmony project.
Of course, there are already efforts underway to create open source implementations of Java, such as Kaffe and GNU Classpath. Kaffe is an implementation of the Java virtual machine and class libraries to provide a Java Runtime Environment (JRE), while GNU Classpath is a project to create the core class libraries for use with virtual machines and compilers. There is also the GNU Compiler for Java (GCJ) and many other open source efforts.
However, there are a few areas where Harmony may be more desirable in the long run. Firstly, Magnusson stressed the importance of certification for the Harmony project, to ensure compatibility with Sun's J2SE 5. Secondly, as an Apache project, the group may be able to draw from a wider group of contributors than Kaffe or other projects -- particularly from companies that would like to see a fully-compatible open source implementation of J2SE 5.
Harmony seems to be getting quite a bit of interest already. Dalibor Topic, a contributor to both Kaffe and GNU Classpath, is one of the other individuals who have signed on to the Harmony proposal. He explains his interest in the project in his Advogato diary:
Whether the Harmony, GNU Classpath, Kaffe and other projects will be able to sort out licensing is another question. We asked Magnusson about the licensing hurdles, and he said that they are "working to fix licensing issues" and noted that the project was trying to solve licensing problems "in parallel", since "licensing discussions can bog down anything".
There are also those who might prefer to forget Java altogether and concentrate on something like Mono instead. While Mono is an interesting technology, it's not always a substitute for Java and may not meet everyone's needs. It also seems unlikely we'll see broad support for Mono from all quarters soon, judging by Havoc Pennington's comments on the Java and Mono discussion with regards to Harmony:
I don't know what people expect Red Hat GNOME developers to do. We can't roll over and say "OK, we'll start hacking in C#, even though we don't see a path to shipping any of the stuff we're hacking on" - does anyone seriously expect that?
...I'm not trying to exhaustively belabor the Java vs. C# technical comparison but I am trying to point out that Java has a hell of a lot going for it including open source developer tools and libraries and huge momentum (largely open source) on the server side. Java 5 has some cute language features, too, and Tromey has shown how to make native code bindings easy.
To get a general idea how long it might take for a group to implement J2SE, one might look at the Apache Geronimo project, which is an implementation of the Java 2 Platform, Enterprise Edition (J2EE). The project started in August 2003, and became an official Apache top-level project in May 2004. According to Magnusson, the Geronimo project is now working to pass Sun's TCK for J2EE 1.4, though it isn't clear how much more time will be required for it to reach full compatibility.
For those interested in participating, Magnusson has sent out a FAQ about the project which includes instructions on joining the development mailing list. The project is not yet listed on the Apache Incubator site.
If Harmony is successful, which looks quite likely given the interest it has stirred already, it will be quite beneficial to the open source community. While it would be much easier if Sun simply provided an open source implementation, the community has the tools needed to do so.
Security
More firefox trouble
A few weeks ago, we covered a set of vulnerabilities in Firefox that were closed with the 1.0.3 release. Once again, Firefox is in the news for security issues -- this time for two security vulnerabilities that, when combined, create a situation that could allow an attacker to install software on a user's machine without any notice to the user.
What is particularly unusual about this disclosure is that it came not from the person who discovered the vulnerability, but from a third party who became privy to discussions about the vulnerability. While one might hope that the ethics of vulnerability disclosure would preclude "outing" a security vulnerability, particularly one discovered by another party, prior to the public release of a fix when it's known the vendor or project is actively working on the issue, the cat is out of the bag now.
The first vulnerability relates to "IFRAME" JavaScript URLs, which can allow an attacker to execute arbitrary code in a user's session. Alone, it could allow malicious sites to steal information from sites previously visited. The second vulnerability is in the "IconURL" parameter in "InstallTrigger.install()", which is not properly verified. This can be exploited to run JavaScript with the escalated privileges of a "Chrome script." The combination of both vulnerabilities can actually allow whitelisted sites, or sites masquerading as a whitelisted site, to take any action of the user, including administrative actions if the user has admin privileges. (This is one of the reasons why users should not make a habit of running as root.)
By default, the Mozilla Update websites were on the Firefox whitelist. The Mozilla Foundation has applied a server-side change to prevent attackers from using those sites. However, users who have added other sites to their whitelist may be at risk on those sites -- though an attacker would need to be able to guess what site a user has whitelisted.
We talked to Chris Hofmann, Mozilla's director of engineering, about the most recent vulnerabilities and Mozilla's security record in general. According to Hofmann, the vulnerability is cross-platform and could potentially affect users of Firefox 1.0.3 on any platform. Hofmann said that the Mozilla Foundation was not aware of any exploits in the wild, and that the premature disclosure of the vulnerability was "a pretty rare exception".
We also asked Hofmann if he thought it would be possible to catch all of these vulnerabilities at some point in the future. In short, it looks like the answer is pretty much "no," given the complexity of a Web browser and the nature of the interfaces between components where it is not completely understood how they interact.
At this time, there is not a final Firefox 1.0.4 release, but there are candidate builds available with security fixes and a fix for a DHTML regression in 1.0.3. At a minimum, users should disable software installation until 1.0.4 is available.
New vulnerabilities
apache2 buffer overflow
| Package(s): | apache | CVE #(s): | CAN-2005-1344 |
| Created: | May 6, 2005 | Updated: | May 11, 2005 |
| Description: | Buffer overflow in htdigest in Apache 2.0.52 may allow attackers to execute arbitrary code via a long realm argument. |
Ethereal: numerous vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2005-1456 CAN-2005-1457 CAN-2005-1458 CAN-2005-1459 CAN-2005-1460 CAN-2005-1461 CAN-2005-1462 CAN-2005-1463 CAN-2005-1464 CAN-2005-1465 CAN-2005-1466 CAN-2005-1467 CAN-2005-1468 CAN-2005-1469 CAN-2005-1470 |
| Created: | May 6, 2005 | Updated: | June 7, 2005 |
| Description: | There are numerous vulnerabilities in Ethereal versions 0.8.14 to 0.10.10 according to this advisory. |
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1156 CAN-2005-1157 CAN-2005-1158 CAN-2005-1160 CAN-2005-1159 |
| Created: | May 11, 2005 | Updated: | May 26, 2005 |
| Description: | The Firefox browser (and Mozilla as well) suffers from several vulnerabilities which can be exploited by a remote attacker to execute arbitrary code. See this advisory for a discussion of the worst two. Upgrading to version 1.0.4 will fix the problems. |
gaim: buffer overflow
| Package(s): | gaim | CVE #(s): | CAN-2005-1261 CAN-2005-1262 |
| Created: | May 11, 2005 | Updated: | May 12, 2005 |
| Description: | Gaim contains buffer overflows in its handling of URLs and MSN messages. By sending malicious messages, a remote attacker could exploit these overflows and execute arbitrary code. |
GnuTLS: Denial of Service vulnerability
| Package(s): | gnutls | CVE #(s): | CAN-2005-1431 |
| Created: | May 9, 2005 | Updated: | June 1, 2005 |
| Description: | GnuTLS 1.2.3 and 1.0.25 have been released, fixing a denial of service problem. |
hteditor: multiple buffer overflows
| Package(s): | hteditor | CVE #(s): | |
| Created: | May 10, 2005 | Updated: | May 11, 2005 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Team discovered an integer overflow in the ELF parser, leading to a heap-based buffer overflow. The vendor has reported that an unrelated buffer overflow has been discovered in the PE parser. Successful exploitation would require the victim to open a specially crafted file using HT, potentially permitting an attacker to execute arbitrary code. |
kernel: ELF loader core dump vulnerability
| Package(s): | kernel | CVE #(s): | CAN-2005-1263 |
| Created: | May 11, 2005 | Updated: | August 25, 2005 |
| Description: | Paul Starzetz has posted an advisory for yet another kernel vulnerability. In this case, by using a specially manipulated ELF binary, a local attacker can compromise the system (via the core dump code) and obtain root access. This vulnerability affects all kernels from 2.2 through 2.6.12-rc4. |
libTIFF: buffer overflow
| Package(s): | libtiff | CVE #(s): | CAN-2005-1544 |
| Created: | May 10, 2005 | Updated: | February 18, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a stack based buffer overflow in the libTIFF library when reading a TIFF image with a malformed BitsPerSample tag. Successful exploitation would require the victim to open a specially crafted TIFF image, resulting in the execution of arbitrary code. |
Oops!: Remote code execution
| Package(s): | oops | CVE #(s): | CAN-2005-1121 |
| Created: | May 6, 2005 | Updated: | May 20, 2005 |
| Description: | A format string flaw has been detected in the my_xlog() function of the Oops! proxy (in versions prior to 1.5.23), which is called by the passwd_mysql and passwd_pgsql module's auth() functions. |
smail buffer overflow
| Package(s): | smail | CVE #(s): | CAN-2005-0892 |
| Created: | May 9, 2005 | Updated: | May 11, 2005 |
| Description: | A buffer overflow has been discovered in Smail 3.2.0.120, an electronic mail transport system, which allows remote attackers and local users to execute arbitrary code. |
squid: errors in http_access configuration
| Package(s): | squid | CVE #(s): | CAN-2005-1345 |
| Created: | May 6, 2005 | Updated: | May 11, 2005 |
| Description: | Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator. |
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current stable 2.6 release is 2.6.11.9, which was released on May 11. It contains a fix for the ELF loader vulnerability and a couple of other fixes as well.
The current 2.6 prepatch is 2.6.12-rc4, announced by Linus on May 6. Changes this time around include more "sparse" annotations, a CIFS update, various architecture updates, resource limits for niceness and realtime scheduling (covered in last week's Kernel Page), a JFS update, some networking tweaks, and more. See the long-format changelog for the details.
Linus is currently on vacation, so no new patches have been added to his git repository since -rc4.
The latest -mm release is 2.6.12-rc3-mm3. Recent changes to -mm include a rework of the huge page code, a bunch of UML updates, a device mapper update, and more fixes.
Kernel development news
The coding style enforcer
The coding style document packaged with the kernel source contains a number of clear rules; here's one of them:
if (condition) do_this;
do_something_everytime;
Jesper Juhl recently found some code which evidently had something to hide, and submitted a patch to break the offending if statements onto two lines. Andrew Morton rejected it:
In further discussion, however, Andrew seemed to agree that, perhaps, cleaning up the kernel source to be more generally compliant with the coding style documentation might be a good thing. He just doesn't want to cope with hundreds of little patches to that end. He will, however, consider a small number of very large patches.
So a major coding style cleanup seems likely to happen, perhaps before 2.6.12 comes out. Applying this sort of patch so late in the cycle should be safe; the intent is to change the formatting, but to make no actual code changes. Andrew also plans to drop any changes which do not apply against the -mm tree, in the hopes of minimizing the effects of the changes on patches maintained by other developers.
If all goes according to this plan, the final 2.6.12 patch could be large indeed.
The mini_fo filesystem
Markus Klotzbuecher recently announced the release of mini_fo 0.6.0. Mini_fo provides (what has been called in other systems) a "translucent" or "copy on write" filesystem. A read-only, base filesystem (possibly from a remote system or CDROM) can be made to appear, via mini_fo, as a local, writable filesystem. This functionality is useful for sharing filesystems with local overrides, live CD systems, sandboxing applications, and more.
At its core, mini_fo performs a simple fan-out operation. Each inode, dentry, and file structure associated with a mini_fo filesystem contains (via its private data) pointers to two other structures of the same type. One of them refers to the file or directory on the base filesystem; the other, instead, is for a local version of the file or directory on a local "storage filesystem." Both are hidden from user space, which thinks it is dealing directly with a file stored in the mini_fo filesystem.
When a mini_fo filesystem is first created, it appears as an exact copy of the underlying base filesystem. Any operation which reads files or directories is simply passed through to the base filesystem, with almost no additional overhead. In this mode, mini_fo functions as a sort of loopback filesystem.
Things change, however, when a file is opened for writing. In this case, mini_fo will create a copy of the file on the storage filesystem, with all of the data moved over. Any subsequent operations on that file will use the locally-stored version rather than the base version. So any changes made will appear locally, but they will not be propagated back to the base. Changes will be persistent across mounts as long as the storage directory used by mini_fo is not modified by anything except mini_fo.
Modified files are not the full story, of course; mini_fo must also cope with operations like deletes and renames. To that end, it maintains a set of lists of files which it knows about locally; there is one list for modified files, one for deleted files, one for files created locally, etc. These lists are stored in-kernel as standard linked lists. They are also written to the storage filesystem in a magic file (named META_dAfFgHE39ktF3HD2sr, for what it's worth) and reloaded from that file when the filesystem is mounted.
This release of mini_fo works with both the 2.4 and 2.6 kernels. Its author claims that it is intended for use with embedded systems, and thus has a small memory footprint. See the mini_fo web page for more information.
A system call for unsharing
When a new process is created with the clone() system call, a set of flags is provided which tells the kernel which resources, if any, should be shared between that process and its parent. Potentially shareable resources include virtual memory, open files, signal handlers, and more. New processes also share, by default, the filesystem namespace seen by their parent (and, usually, by the system as a whole).
In the current Linux kernel, the sharing decisions made at clone() time last for the lifetime of the processes involved. There is not usually a reason to change resource sharing, but recent discussions on supporting private mounts (with the filesystems in user space patch, or otherwise) have suggested that it would actually be useful for a process to be able to "unshare" resources after its creation. In particular, if a process could detach itself from the global filesystem namespace and create its own, it would be possible to set up that new namespace with whatever private mounts that process needs. If this functionality were used within a PAM module, it would be relatively easy for administrators to set up per-user views of the filesystem, complete with private mounts.
To that end, Janak Desai has posted a patch adding a new unshare() system call. The interface is simple enough:
long unshare(unsigned long flags);
The flags argument can be CLONE_NEWNS (to create a new filesystem namespace), CLONE_VM (to establish a private virtual address space) or CLONE_SIGHAND (to unshare signal handlers). If all goes well, when the call returns, the designated resource(s) will now be private to the calling process; otherwise the situation is unchanged.
This patch has not yet made it to the linux-kernel mailing list, and may see some changes before it is considered for inclusion.
Execute-in-place
Execute-in-place (XIP) support for the Linux kernel has been on the embedded systems wishlist for some time. Such systems usually have the kernel and relevant application images stored in a directly-accessible ROM or flash memory. This memory generally contains a filesystem, and is treated as a disk drive. This mechanism works, but it can be inefficient: running a program from this memory requires that said program first be copied into (usually scarce) RAM. It would be much better if this code could be executed directly out of the flash-based memory.
Carsten Otte (of IBM) has posted a set of patches adding XIP support to the 2.6 kernel. These patches, in addition, enable fast memory-to-memory block I/O for such devices, shorting out the page cache and most of the block layer. As a result, the XIP patches are useful in a number of situations, such as, as Carsten notes, for shared-memory block devices used to communicate between (virtual) systems.
The first step is to add support at the block driver level. To that end, a new method is added to the block_device_operations structure:
int (*direct_access) (struct inode *inode, sector_t sector,
unsigned long *data);
This method, if implemented, should come up with a kernel virtual address corresponding to the given sector on the block device represented by inode. That address, which must remain valid until the device is closed, is returned in *data. The return value is zero on success or a negative error code in case of problems.
The next step is a new method in the address_space_operations structure:
struct page *(*get_xip_page)(struct address_space *space,
sector_t blockno, int create);
This method's job is to translate a specific block number within a filesystem to a page structure pointing to its directly-mapped data. It is a filesystem-specific function which will translate blockno to a sector number on the underlying device, then use that device's direct_access() method to get an address. Carsten has posted an implementation for ext2 which shows how this method can be put together.
So far, the XIP patches enable fast, memory-to-memory device access, but they do not yet implement true execute-in-place operation. The last step is to replace the usual nopage() VMA operation (filemap_nopage()) with a new version (filemap_xip_nopage()) when the underlying device and filesystem support XIP. The new nopage() method will (using get_xip_page()) handle page faults by causing a process's page tables to point directly to the on-"disk" pages, rather than reading those pages into RAM. Some other technique will be needed to run the kernel itself in an XIP mode, but anything that is invoked thereafter can be run directly from the memory device.
Put the above pieces together, and Linux has a complete execute-in-place implementation. Supporting XIP at the block level is not the only way it could be implemented; David Woodhouse pointed out that an alternative approach is to use a special-purpose filesystem. Carsten's patches, however, point out a way in which any filesystem could be made to work in an XIP mode.
Page editor: Jonathan Corbet
Distributions
News and Editorials
First Look at Mandriva Linux 2005 (x86 and x86_64)
After publishing a brief review of the x86_64 edition of Mandrakelinux 10.1 in January this year and highlighting some of the problems we encountered while testing the product, we received many heated emails arguing about some of the issues mentioned in the review. One of them was an email from the then Mandrakesoft's PR department which insisted that "what you've tested was a half-baked, unofficial product which is a bit unfair to the work we've done". Yes, we would certainly agree with the "half-baked" part of the above statement, but as for the "unofficial" part, it was hard to tell - we downloaded the distribution from the directory labeled as "Official", so it wasn't immediately obvious to us that it was, in fact, an "unofficial" product. Besides, what sane software company would upload a "half-baked" product to public download servers for the whole world to see?
It has been 4 months since the controversial review and we decided to take another look at the company's latest product release - Mandriva Linux 2005 Limited Edition. Have the developers addressed the criticism? To our extreme delight, they did; as a matter of fact, every single issue we mentioned in our review of Mandrakelinux 10.1 was fixed in Mandriva Linux 2005! These included the geographical anomalies in the installer, location of FTP/HTTP mirror sites and, most importantly, the problem we had with setting up update sources to keep the distribution up-to-date with security and bug fix updates.
Mandriva, which is the company's new name after Mandrakesoft's merger with Conectiva, has gone even further with this release. While the x86_64 edition of Mandrakelinux 10.1 was only available in the form of a boxed product for €120 (or as a "half-baked" FTP/HTTP install), this time the company released an ISO image of Mandriva 2005 for free download. This is obviously not the same as the 3-CD ISO image set for the i586 architecture, but it is progress nonetheless. The single CD packs as many of the most important software packages as possible (all the big application suites, such as GNOME, KDE, OpenOffice.org are there), but if users need more, the installation program provides an easy way to configure a remote FTP/HTTP server for downloading and installing additional applications. In fact, the installation program includes a long list of available download servers, so all we needed to do was pick a nearby mirror and the installer downloaded the relevant software lists and automatically added them to the urpmi configuration file.
We installed the i586 edition of Mandriva Linux 2005 on a Pentium 4 machine with an Intel 850 chipset and 384 MB of RAM, while the x86_64 edition found its home on a system powered by an AMD64 3500+ processor, with an MSI K8N Neo mainboard and 2 GB of RAM. Neither of them had any problems with detecting and configuring the included hardware. We used the i586 edition extensively for about a week and we have yet to find any problem with the distribution. The AMD64 box did not get to run the new Mandriva Linux much, but the installation process was trouble-free and a quick look around the desktop gave an impression that the 64-bit edition of the product is equally solid. Perhaps the best indication of the quality of this release is the low number of post-release bug-fix updates - after installing the distribution, complete with the GNOME and KDE desktops, but without any server software, the online update utility listed only a handful of packages that needed an update (some of the recent Mandrakelinux releases provided as much as hundreds of megabytes of bug-fix updates within a few weeks after the official release). Nevertheless, there were users on the distribution's mailing lists who reported problems under certain hardware configurations, so not even Mandriva Linux 2005 is perfect.
What's new in Mandriva's first release under the new name? Although the included applications are less up-to-date than those in the recently released SUSE 9.3 or Ubuntu 5.05, both of which come with KDE 3.4 and GNOME 2.10, Mandriva 2005 has its own set of tricks up its sleeves. Besides the usual improvements in hardware support and package upgrades, the developers claim to have increased the performance of KDE by up to 10% - by compiling the KDE packages with the -fvisibility option. This is said to produce substantially improved binary code and is able to reduce the load times of dynamic shared objects. The -fvisibility option has been introduced into GCC 4.0, so it seems that Mandriva compiled some of its binaries with a pre-release version of GCC 4. Two other new features worth mentioning are the inclusion of NdisWrapper for utilizing Windows wireless network drivers, and a new ALSA package with sound multiplexing.
Although Mandriva Linux 2005 has been released only recently, developers are already preparing for version 2006, currently scheduled to be released in September 2005. Some ideas for the new release have been discussed on the distribution's Bugzilla, Wiki pages and mailing lists, including a complete switch to UTF-8 encoding, work on reducing boot time, incorporation of RAID 10 support into the partitioning stage of the installation program, support for iPod, integration of OpenMosix utilities into the distribution, and many other features. There is even talk about building Ubuntu-style installation and live CD image sets for beta testing as well as final release. Of course, these are just ideas at this stage and it remains to be seen which of them will be accepted as new features in Mandriva 2006.
Despite its status as a "transitional" release, we found Mandriva Linux 2005 an excellent, "fully-baked" product that is a delight to install and use. Compared to the previous version, it is also much more polished and comparatively bug-free. The fact that the developers have read our last review and made an effort to fix the problems reported in it is an extra bonus - it shows that the company listens to its users and is willing to improve its products based on users' feedback. Overall, a very impressive product in all departments, highly recommended.
New Releases
Fedora Core 4 Test 3 released
The third Fedora Core 4 test release is out; click below for a list of mirror sites. If all goes well, this will be the final test release; Fedora Core 4 final is due on June 6.
QiLinux 1.2 released
QiLinux, the Italian distribution completely made from scratch, has released version 1.2. Click below for a list of important changes and download information.
Trustix Secure Linux 3.0 Release Candidate
A release candidate for Trustix Secure Linux 3.0 is now available. Click below for a list of new features or download it from a mirror near you.
White Box Enterprise Linux 4
White Box Enterprise Linux version 4 has been released. "This release is starting out with i386 (ia32) and AMD64 (x86_64/ia32e) ports built from the exact same source package set, which is RHEL4 updated with all errata released through April 30." Click below for more release notes.
YES Linux 2.2 Build 3 available
The YES Linux Release Team has announced the immediate availability of YES Linux 2.2 Build 3. Click below for release updates and download information.
Distribution News
Debian AMD64 Archive Move
Here's an update on the Debian AMD64 port. It is available, it is (mostly) working, it does not include non-free. "The Future? This archive will follow sarge with all point releases and what else might happen to sarge. That's for sure. :)"
We will drop the unstable/main part of it, as soon as amd64 gets included into debian. We intend to provide a timeframe of about one or two weeks prior to the deletion, counting from the day on amd64 hit the 95% rate of built packages in Debian.
Debian Project Leader report for 2005-05-08
Branden Robinson has posted (click below) the Debian Project Leader report for May 8, 2005. This report looks at the Sarge release, challenges and progress, hardware infrastructure issues, Woody security updates, Debian assets, a Leadership Team status report, and more.
Minutes from FDSCo (03-May-2005)
These are minutes of the Fedora Documentation Steering Committee (FDSCo) meeting held on May 3, 2005. Click below to find out who was there, how to get your name in lights or at least how to get started writing much needed documentation, how to find out what documents are most needed, and much more.
Unofficial Fedora FAQ Update
Click below for the official update (as of May 7, 2005) on the Unofficial Fedora FAQ. The update lists what's new or changed, new translations (Polish and Spanish) are now available, plus how to contribute to the Unofficial FAQ.
Trustix Secure Linux EOL reminders
Maintenance of Trustix Secure Linux v1.5 and 2.1 ends June 30, 2005. These TSL users should plan on upgrading to TSL 2.2, which is the current stable version. "Note that this does apply to Trustix Secure Linux 2.1 only and not other products like Trustix OS - ES 2 (formerly known as Trustix Secure Enterprise Linux 2). Trustix OS - ES 2 is to be maintained to March 2007."
Goals for the Ubuntu 'Breezy' Release
A set of preliminary goals for the Ubuntu 'Breezy Badger' release has been posted. The Ubuntu developers cannot be faulted for lack of ambition; if they achieve a substantial portion of those objectives, Breezy will be a nice release indeed.
Distribution Newsletters
Debian Weekly News
The Debian Weekly News for May 10, 2005 covers the Sarge freeze, the Debian ARM port, a licensing issue with Quagga, APT migration status, recent surveys, and more.
Gentoo Weekly Newsletter
The Gentoo Weekly Newsletter for the week of May 9, 2005 is out. Gentoo is recruiting printing experts, there's some news from the forums, this week's featured developer is Danny van Dyk, and several other topics are covered in this edition.
Mandriva Linux Community Newsletter #103
The Mandriva Linux Community Newsletter for April 29, 2005 looks at the name change, the availability of Mandriva Limited Edition 2005, a Mandriva Club naming contest, and more.
Ubuntu MOTU report - Issue 3
Click below for the third issue of the Ubuntu MOTU (Masters of the Universe) project, a group of volunteers maintaining most of the Universe and Multiverse packages.
DistroWatch Weekly
The DistroWatch Weekly for May 9, 2005 has a mini-review of Gentoo and features Frugalware Linux.
Package updates
Fedora updates
Updates for Fedora Core 3: system-config-bind-4.0.0-11 (new, completely rewritten version of system-config-bind), dhcp-3.0.1-42_FC3 (dhclient-script no longer automatically honors $GATEWAY setting), lapack-3.0-26.fc3 (fixes problems in some lapack libraries), system-config-bind-4.0.0-12 (bug fixes), util-linux-2.12a-24.2 (bug fixes), libexif-0.5.12-6.fc3 (prevent infinite recursion), ethereal-0.10.11-1.FC3.1 (new release, several security flaws fixed).
Mandriva Linux MDKA-2005:023 - pwauth
Mandriva Linux has updated pwauth packages available for ML 10.2 (LE 2005) that fix apache support.
Trustix Secure Linux updates
Trustix updates are available for TSL 2.1, 2.2 and Trustix Operating System - Enterprise Server 2 for bind, bittorrent, bzip2, clamav, hwdata, ppp, spamassassin and apache, bzip2, dhcp, proftpd.
Newsletters and articles of interest
My Workstation OS: Kanotix LiveCD (NewsForge)
Here's a NewsForge article about Kanotix. "For my purposes, Kanotix LiveCD is ideal. Hardware detection is the best I have seen. Application software is well-considered and easily extended. Releases are frequent -- every two to three months -- and free for downloading. The user forum is active and helpful. There's also a #kanotix IRC channel on irc.freenode.net."
Distribution reviews
Review: Kate Linux 2.0 (NewsForge)
NewsForge has a review of Kate OS. "Kate is a lightweight, free GNU/Linux distribution from Poland released with the goal of allowing people to play games, watch movies, listen to music, and surf the Web. While it does do these tasks, it requires a lot of handholding, manual configuration, and knowledge on a user's part. A single-CD install (with an optional second CD) is all it takes to get you up and running with Kate, but you may need to have a computer nerd handy for the setup."
Page editor: Rebecca Sobol
Development
The Screem Web Development Environment
Screem is an HTML/XML editing system that is aimed at web site development. Unlike WYSIWYG editors, Screem is geared toward the editing of raw HTML/XML code:
As a testament to open-source project cooperation, the Screem PHP Function Reference code came from Bluefish, another popular HTML editor.
Screem's feature list includes:
- Page Preview via external web browsers.
- Syntax Highlighting.
- DTD/Doctype Parsing with DTD file support.
- Inline Tagging with popup menus for tag modifications.
- The "Intelliclose" feature for keeping track of open tags.
- Extension support via helper applications.
- Document Structure Display for viewing complex documents.
- Support for CVS version control over edited documents.
- Link Checking for testing the validity of external links.
- Publishing capabilities using Sitecopy.
- Site-wide search and replace functionality.
- Task Management for prioritizing work with a todo list.
- A Spell Checking system that works within the HTML context.
- Link Fixing with support for changes to source and destination files.
- Page Template support for speeding up new file creation.
- Select Context support for marking and moving HTML groupings.
- Support for Ctags index files.
Screem version 0.14.0 was announced this week: "Most notable improvements are: support for inline dtds, syntax highlighting colours are once again editable, support for Dreamweaver templates, auto saving, highlighting of the current line, a split pane file browser, and greatly improved helper application features."
For web site management situations that do not require the features of a full-blown content management system (CMS), Screem looks like the perfect tool.
System Applications
Audio Projects
Speex 1.1.8 Released
Version 1.1.8 of Speex, a voice CODEC application, has been announced: "Lots of changes in this release. Initial TI C5x port, some fixed-point improvements and fixes, better temporary memory allocation (smaller), size of integer types now detected automatically, and a new SPEEX_PLC_TUNING option."
CORBA
CLORB 0.6 released
Version 0.6 of CLORB, a Common Lisp implementation of CORBA 2, is out. "This version adds IIOP 1.1 and ASDF support, and improves the IDL compiler."
Database Software
PostgreSQL releases: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3
Several security issues have been identified over the past two weeks and new versions are available that fix these issues. "Please note that the security issues were those already reported by Tom Lane, as well as a manual fix for them. These releases are mainly to ensure that those installing and/or upgrading existing installations have those fixes automatically."
PostgreSQL Weekly News
The May 8, 2005 edition of the PostgreSQL Weekly News is online with the week's new PostgreSQL database articles.
Libraries
FreeImage 3.7.0 released (SourceForge)
Version 3.7.0 of FreeImage, a library with support for popular image formats, is out. "The main additions concern the support for HDR and 48-bit TIFF/PNG images, together with new tone mapping functions, a brand new GIF plugin supporting animation metadata and multipage files, a new color quantization function and a new lossless JPEG rotation and flipping function."
Mail Software
Gmail Mobile v0.3 released (SourceForge)
Version 0.3 of Gmail Mobile has been announced. "With this release, Gmail Mobile provides a feasible method to access your Gmail account and do most daily email tasks while you are on the move (except for the address book, which is the next item on the development list)".
Printing
New CUPS Tutorials online
The Common UNIX Printing System (CUPS) site has a number of new tutorials online. Topics include: How To Assign Printing Administration Capabilities To Users, How To Restrict Printer Information Being Received From A Client Or Server, How To Restrict Printer Information Being Sent Out From A Server, How To Restrict Group Access To A Class Of Printers, How To Restrict User Access To A Class Of Printers, and How To Restrict Group Access To A Printer.
Web Site Development
Apache Lenya 1.2.3 released
Version 1.2.3 of Apache Lenya is out. "Apache Lenya is an Open Source Java/XML Content Management System and comes with revision control, site management, scheduling, search, WYSIWYG editors, and workflow. Apache Lenya 1.2.3 is based on Cocoon 2.1.7. You can use Cocoon features such as robust Caching, multi-channel output, its many connectivity options to quickly build customized solutions to meet your specific needs that are not already covered by Apache Lenya today."
Latemp 0.2.0 - A Content Management System for Static HTML
Initial release version 0.2.0 of Latemp, a content management system for generating static html, has been announced. "Latemp allows one to create attractive, themable sites, which are very usable, accessible and fully standards compliant. Latemp is open-source software, fully usable, modifiable and distributable under the terms of the MIT X11 license." Thanks to Shlomi Fish.
The Nirawari web application engine
The first official release of Nirawari (in French), a web application engine, is out. "Nirawari helps the user build Web applications by describing their behavior and the information used. This allows easy creation and modification of prototypes, quick deployment, and modifications of a running component. It models an application not as a set of programs, but as a set of definitions."
UnCommon Web 0.3.9 released
Version 0.3.9 of UnCommon Web, a Common Lisp web application development framework, has been released. "This version improves the documentation, adds multithreading support to the mod_lisp backend, and more."
XRMS CRM 2005-05-07 Released (SourceForge)
Version 2005-05-07 of XRMS, a PHP/web-based Customer Relationship Management system (CRM), has been released. "This release fixes over 30 bugs, and adds many many enhancements. We have added significant improvements to the Workflow system, usability across XRMS, related activity tracking, and the CSS themes. This version also introduces the User Preference system, starting with preferences for Language and Theme. RSS feeds for new companies, contacts, and activities have been added. Many new plugins have been contributed by companies using XRMS."
Miscellaneous
moodss 20.0 (stable) released (SourceForge)
Stable version 20.0 of moodss has been released. "Moodss is a modular GUI application that can monitor systems, networks, and databases. It displays data in graphical viewers, sends emails and execute scripts on thresholds, archive data in a SQL database, and includes a daemon for background monitoring. Around 100 modules (counting Nagios plugins) are available."
Desktop Applications
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Blam 1.8.0 (support for Atom feeds)
- Devhelp 0.10 (bug fixes and other improvements)
- Evince 0.3.0 (unstable) (new features and bug fixes)
- evolution-gconf-tools 0.1.6 (new features)
- GARNOME 2.10.1.1 (bug fixes and other improvements)
- PyGTK 2.6.2 (new features and bug fixes)
- Seahorse 0.7.8 (new features and bug fixes)
- sidtool 4.0.0 (new GTK+ support)
KDE CVS-Digest (KDE.News)
The May 6, 2005 edition of the KDE CVS-Digest is online, here's the content summary: "HTML to SSML (Speech Synthesis Markup Language) working in kttsd. KStars adds ability to save observing lists. Add support for opening OASIS templates directly with a KOffice application."
KDE's Switch to Subversion Complete (KDE.News)
KDE.News reports that the KDE project's switch of version control systems from CVS to Subversion is done. "This is the largest ever change from CVS to Subversion. The conversion script ran for a total of 38 hours from start to completion. Congratulation to Stephan Kulow, Oswald Buddenhagen and the other system administrators for the successful change."
KDE Software Announcements
The following new KDE software has been announced this week:
- G System 0.5.0 BETA 2 (bug fixes and other improvements)
- Kexi 0.9 beta 1 (new features and bug fixes)
Xfce Weekly News
The April 27 - May 4, 2005 edition of the Xfce Weekly News is online with news from the Xfce lightweight desktop environment project.
Games
WorldForge game releases
The WorldForge game project has announced three new releases. Ember 0.3: "Ember is a fully functional 3d client for the WorldForge project. It takes advantage of the latest graphic cards to present a beautiful, fully interactive world. An easy to use GUI allows the player to interact with both the world and other players with ease. The focus for this release has been to expand on the GUI so that the game can be fully playable without having to use console commands." Mercator 0.2.2: "Mercator is a library for handling procedural world data, especially terrain. It is used by all WorldForge components. This API is still in development, and changes with each version." Eris 1.3.5: "Eris is the WorldForge client-side session layer, used by many existing clients. This release adds support for accelerations on entities, to enable accurate motion prediction of ballistic movement."
Imaging Applications
imgSeek 0.8.5 released
Version 0.8.5 of imgSeek, a photo collection management application, has been released. "imgSeek is a photo collection manager and viewer with content-based search and many other features. The query is expressed either as a rough sketch painted by the user or as another image you supply (or an image in your collection)." Changes include a new low-level jpeg loader, bug fixes, translation work, and more.
Music Applications
Gungirl Sequencer Version 0.3.0
Version 0.3.0 of Gungirl Sequencer, an audio sequencer that is used for making sound loops, is out. New features include automated fades, unlimited undo, sample stretching/trimming, unlimited tracks, and more.
MusE 0.7.2pre1 has been released
Version 0.7.2pre1 of MusE, a MIDI/Audio sequencer, is out. Changes include support for synchronization to external hardware, a MusE 0.6 song converter and bug fixes.
Office Suites
OpenOffice.org build 1.9.100 released
Build 1.9.100 of OpenOffice.org has been released; it features bug fixes and some new capabilities.
Science
GRAMPS 2.0.0 Released (GnomeDesktop)
Version 2.0.0 of GRAMPS, the Genealogical Research And Management Programming System, has been announced. "The GRAMPS project is pleased to announce the 2.0.0 ("The Bright Side of Life") release of GRAMPS, the Genealogical Research And Management Programming System. After more than a year of development, GRAMPS is releasing the new branch that becomes its "stable" series." Many new features are included in this release.
Web Browsers
Back and Forward Now Blazingly Fast (MozillaZine)
The latest Mozilla Firefox builds include a new feature. "The latest nightly builds of Mozilla Firefox include a new feature that significantly improves the speed of the Back and Forward buttons. When using Back and Forward in older builds, the page is retrieved from the local cache rather than the Internet but Gecko still has to reparse the HTML and use it to rerender the page, which can take a while with more complex documents. With this new feature, the rendered page is kept in memory, which makes Back and Forward performance much faster (almost instantaneous)."
Mozilla Firefox 1.0.4 Release Candidates (MozillaZine)
Mozilla Firefox 1.0.4 release candidate has been released with fixes for two security flaws that could allow arbitrary code to be executed. More information on the security issues is available here and here.
Word Processors
AbiWord-2.3.0 released
FootNotes is carrying the AbiWord 2.3.0 release announcement. 2.3.0 is a development release, not intended for general use. It does provide a preview of upcoming AbiWord features, however, including "table to text" and plugins for grammar checking, math support, embedded charts, and "experimental" OpenDocument support.
Languages and Tools
C
GCC 4.1 Status Report
The May 4, 2005 edition of the GCC 4.1 Status Report is online with the latest GNU Compiler Collection project information. Thanks to Sam Ravnborg.
Caml
Caml Weekly News
The May 3-10, 2005 edition of the Caml Weekly News is online with the latest Caml language articles.
Haskell
Monad.Reader Issue 2
Issue #2 of the Monad.Reader, an online magazine about the Haskell language, is out. "For issue two, the subjects are Template Haskell, better module compatibility, exploring dark corners of GHC, domain specific languages, and the Foreign Function Interface."
Java
A proposal for a free Java implementation
Several Apache and free Java developers have posted a proposal (click below for the full text) for the creation of a project, under the Apache Incubator umbrella, which would develop a Java runtime platform under the Apache license. This effort has been called "Project Harmony"; one wonders if the developers have intentionally reused the name of the one-time project which worked toward a free version of the Qt libraries, which were not GPL-licensed at the time. A FAQ for the project has also been posted.
Generic Types, Part 2 (O'ReillyNet)
O'Reilly has published part two of a book excerpt series on Java. "In part one of this two-part excerpt from Java in a Nutshell, 5th Edition, David Flanagan described how to use generic types. This week David details how to write your own generic types and generic methods, and concludes with a tour of important generic types in the core Java API."
Lisp
Initial release of cl-pdf-parser
The initial release of cl-pdf-parser is available. "The system, which is written in Common Lisp, "enables [the] cl-pdf [PDF generation library] to draw on existing pages and add new pages to an existing PDF document"."
Pascal
Free Pascal 2.0 nearing completion
Version 2.0 of Free Pascal is nearing; the second release candidate is out. "Current development is preparing for a 2.0 release in the first quarter of 2005. The development releases have version numbers 1.9.x. The latest release is 1.9.8, which is the second release candidate for the 2.0 release." Thanks to Daniël Mantione.
Perl
This Week in Perl 6 (O'Reilly)
The April 26 - May 3, 2005 edition of This Week in Perl 6 is available with the latest Perl 6 development news.
Python
Dr. Dobb's Python-URL!
The May 9, 2005 edition of Dr. Dobb's Python-URL! is online with the latest Python language articles.
Ruby
The Past, Present, and Future of RubyGems (RubyGarden)
The RubyGarden is running part one of a history of RubyGems by Chad Fowler. "In year 2000, when I started using Ruby, one of the first discussions I remember on the English ruby-talk mailing list was about whether or not Ruby had some kind of equivalent to Perl's CPAN."
Scheme
Tcl/Tk
Dr. Dobb's Tcl-URL!
The May 11, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk news and resources.
Cross Assemblers
gputils 0.13.2 Released
Version 0.13.2 of gputils, the GNU PIC Utilities, is out. The changes are: "Fixed bugs. Added gpstrip. Removed gpal."
Version Control
monotone 0.19 released
Version 0.19 of monotone, a version control system, is out. "Monotone is a free distributed version control system. it provides a simple, single-file transactional version store, with fully disconnected operation and an efficient peer-to-peer synchronization protocol. it understands history-sensitive merging, lightweight branches, integrated code review and 3rd party testing. it uses cryptographic version naming and client-side RSA certificates. it has good internationalization support, has no external dependencies, runs on linux, solaris, OSX, windows, and other unixes, and is licensed under the GNU GPL."
svk 1.00 is out
Version 1.00 of svk has been announced. "svk is a decentralized version control system written in Perl. It uses the Subversion filesystem but provides additional, powerful features." See the change log for release details.
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Court yanks down FCC's broadcast flag (News.com)
News.com reports that a Federal appeals court has tossed out the broadcast flag regulations. "'The broadcast flag regulations exceed the agency's delegated authority under the statute,' a three-judge panel unanimously concluded. 'The FCC has no authority to regulate consumer electronic devices that can be used for receipt of wire or radio communication when those devices are not engaged in the process of radio or wire transmission.'" The full ruling is online in PDF format.
Why Free Software Really Matters (Groklaw)
Groklaw has an essay on why free software matters. "Everyone talks about how Free software is important because of its benefits to business. It can mean lower operating costs, happier IT departments, better interoperability, improved security, and lots of community goodwill. Everyone talks about how Free software is important legally. It is the vanguard of the revolution in intellectual property, both in courtrooms and in the minds of people around the world. A lot of people talk about how Free software is important because it will liberate end-users everywhere from the tyranny of commercial software and end the problem of worms, viruses, and trojans forever. What almost no one talks about is Free software being important because of its educational potential."
Trade Shows and Conferences
PyCon 2005 Coverage (Linux Gazette)
Mike Orr has put together some coverage of the PyCon 2005 conference that was held recently in Washington, DC. "It's hard to decide what the highlight was: Guido's new beard, the success of the Open Space sessions, the number of attendees (just shy of 450), the international scope (I saw several delegates from Germany, and a few from Japan and Italy), the surprise sleeper hit (WSGI and integrating the web application frameworks was the most discussed topic), the Python CPAN (integrated with PyPI), the keynote from Python's most prominent user (Google), David Goodger's name ("pronounced like Badger but GOOD!"), or Guido's plans for static typing. ("Don't worry," he says about the latter, "it's just a bad dream.")"
Wine Weekly Newsletter
The May 5, 2005 edition of the Wine Weekly Newsletter is online with coverage of the WineConf 2005 event. "Some of you might be looking for the short summary version, so it's worth recapping some major highlights. First, Alexandre has imposed some deadlines for Wine. Second, having some of the core Samba team members show up was great and it may be possible to work together on some common items. Finally, the event itself was quite large with about 50 people attending from over a dozen countries meeting at the University of Stuttgart."
Companies
IBM buys start-up to advance open source (News.com)
News.com covers IBM's acquisition of Gluecode Software. "As part of the acquisition, IBM said it will contribute to the Apache Geronimo project, a Java 2 Enterprise Edition (J2EE) application server that forms the basis of Gluecode's product line. The 18 Gluecode employees will be part of IBM's software group; IBM said it will devote dozens of people to the Joe product."
Microsoft Relaxes Open Stance (eWeek)
eWeek reports on a possible position shift from Microsoft, concerning open-source software. "At a recent conference in Cambridge, Md., sponsored by the Association for Competitive Technology, Brad Smith, Microsoft's general counsel, called for cooperation among Microsoft, its competitors and the open-source community. "I think that in the world of software development today, there is a broad panoply of software development models," Smith said. "I think we're going to have to figure out how to build some bridges between the various parts of our industry.""
Linux Adoption
Ditching Microsoft can save millions (TES)
The TES (a British education newspaper) previews a UK governmental study on software costs in schools. "The association analysed costs at 33 schools which use paid-for software, and compared them with 15 which have pioneered the use of free programs, known as open source, and the pared-down hardware to run them. Average costs, including software, hardware and support costs, were 24 per cent less per computer in secondaries using open source."
The Aloha state's commerce and consumer officials turn to open source (eWeek)
eWeek presents a case study on Hawaii's switch to open source for its bookkeeping needs. "In 2002, exasperated state officials turned to the Linux operating system to change that. They wanted all budget and expenditure data in one data mart, with a front-end application that lets users download data to their PCs and crunch numbers as they see fit."
Interviews
Interview with OpenOffice.org staff (NewsForge)
NewsForge talks with OOo developers about OpenOffice.org 2.0. "OpenOffice.org is the most comprehensive open source office productivity suite available. Into its fifth year of existence, the project is set to release its next version, OpenOffice.org 2.0, with a major overhaul. The latest release, 1.9 (also popularly known as 2.0-beta), came out in March this year and was met with mixed reviews. While many were happy with the progress, many people criticized it for its use of Java. In this interview with Louis Suarez-Potts, Community Manager; and Martin Hollmichel, Release Manager of OpenOffice.org, they talk about what makes 2.0 different from the previous releases."
LinuxMedNews.com--Just What the Doctor Ordered (Linux Planet)
Linux Planet interviews Dr. Ignacio Valdes, creator and editor of LinuxMedNews.com. "Valdes said that when he started the LinuxMedNews site it was a tight knit community with a crystal clear idea that FOSS (free and open source software) was the way to go in medicine. "The idea has become more accepted and may not be revolutionary anymore but it still has skeptics," he said. "Like everything, having the idea takes 10 minutes and implementing that idea takes years. The major changes are that there is gathering scientific evidence for what the FOSS community is doing and the number of and quality of real-world implementations has grown tremendously," he remarked."
Resources
The Daemon, the GNU, and the Penguin - Ch. 7 (Groklaw)
Groklaw has published chapter 7 of the online book "The Daemon, the GNU and the Penguin" by Dr. Peter H. Salus. Read about the origins of BSD and the Computer Systems Research Group.
Book Excerpt: Firefox and Thunderbird Garage (Linux Journal)
Linux Journal presents an excerpt from the book "Firefox & Thunderbird Garage". "The following is an excerpt from Firefox & Thunderbird Garage, a new book written by Chris Hofmann, Marcia Knous and John Hedtke and published by Prentice Hall Professional Technical Reference. The excerpt is taken from Chapter 10, "Setting Up Your Mail, RSS, and Newsgroup Accounts Using Mozilla Thunderbird"."
Mad Mac mini multimedia machine, Part 1 (developerWorks)
developerWorks begins a series of articles on using a Mac Mini system as a Linux-based multimedia server. The first article covers (Yellow Dog) Linux installation, with an aside on intellectual property issues. "However, if you start selling a device that uses one of these open source player programs to play DVDs (even if you ignore the thorny issues surrounding DVD encryption and only support unprotected disks), you'll soon be receiving letters demanding license fees for each unit sold. An interesting data point I read recently is that the US$39.95 DVD players you commonly see at chain stores contain almost US$20 of patent license fees."
Simplify Network Programming with libCURL (O'ReillyNet)
O'ReillyNet looks at curl and the back-end library libCURL. "curl's inner workings use the libCURL client library. So can your programs, to make them URL aware. libCURL-enabled tools can perform downloads, replace fragile FTP scripts, and otherwise take advantage of networking without any (explicit) socket programming. The possibilities are endless, especially with libCURL using a MIT/X-style license agreement."
Reviews
Review: CentOS 4 (NewsForge)
NewsForge reviews CentOS 4.0. "Some applications may refuse to install when they detect that you aren't running RHEL. None of the open source tools that I tried had this problem, but some commercial software does. The workaround is simple: Add a line in the /etc/redhat-release file."
Advanced image editing from the command line with ImageMagick (NewsForge)
NewsForge has published part two of a review of ImageMagick. "ImageMagick (IM) is a command-line graphics creation and editing application. In a previous article we used it to add text and frames to images, and for other basic image manipulation. In this article we'll use the ImageMagick suite of commands to create a multi-image mosaic, draw some basic shapes, and create 3D logos."
Fun with Knoppix (Ars Technica)
Ars Technica reviews Knoppix Hacks, by Kyle Rankin. "Knoppix Hacks, just like Knoppix, is targeted at a wide audience ranging from System Administrators to the family "computer guy" called on to fix his cousin's PC. There is a common misconception among people who have heard of Knoppix that it is only for Linux users. This perception couldn't be further from the truth. Knoppix, as demonstrated by the author, is an extremely useful tool regardless of your preferred operating system. This book is for anyone who has had to fix the computer of friends or family; the system administrator who has ever had to resuscitate a lifeless machine; even the average home user who's curious to try something new without replacing what they already have." (Thanks to Dale Quigg)
Linux Desktop Garage reviewed (Oceania)
Oceania reviews the book Linux Desktop Garage and the live CD that comes with it. "Unlike the other books in the Garage series, this book contained a CD. Usually, CDs that accompany books are usually lost or never even used but this one was different. After looking over the disc's contents, I quickly discovered that the CD was bootable and it even contained some of the most popular Linux programs such as GIMP (image editing program) and OpenOffice (office suite). Put it in my CD drive and it booted right up to a Linux desktop. No installation, no reformat. Very cool idea!"
Tellico: The Cook's Collection (Cooking with Linux)
Marcel Gagné looks at Tellico, a KDE application for organizing collections. "Robby Stephenson's Tellico is billed as a collection manager though I like to think of it as a very versatile personal library system. It's a great tool for keeping track of your many cookbooks as well as Linux books, science fiction books, mysteries, and so on."
Miscellaneous
Free Software Foundation Latin America lays groundwork (NewsForge)
NewsForge covers the Free Software Foundation Latin America (FSFLA). "The organizing committee has been working since November 2004 to lay the groundwork for FSFLA. The committee currently consists of six members. All have backgrounds in free software, often combined with social or political activism."
Application of the Month: KPDF (KDE.News)
KDE.News names KPDF as the April application of the month. "It might be late but that is because April's application of the month covers one of the finest additions to KDE 3.4: KPDF. The application overview takes us through the powerful features in KPDF: thumbnails, contents, scrolling, zooming and searching. We also have an interview with one of the creators of KPDF, Albert Astals Cid."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Free Software Foundation Latin America releases Declaration of Intent
A new organization called Free Software Foundation Latin America has been launched. "Free Software in Latin America has taken a step forward. Yesterday, April 19th, six longtime Free Software advocates from Latin America published a Declaration of Intent, in which they announce the creation of a Free Software Foundation Latin America."
Gelato Foundation announces new members
The Gelato Foundation has announced new Latin American members from Chile and Buenos Aires. "In the last two weeks, Universidad de Chile and Universidad de Buenos Aires (UBA) became two of the newest members of the Gelato Federation (http://www.gelato.org), an international organization composed of leading universities, supercomputing centers, national labs, and research institutes, dedicated to advancing Linux on the Intel® Itanium® processor."
Linux Professional Institute Improves Certification Program
Linux Professional Institute has announced new improvements to its Linux certification program. "These improvements include regular rotation of exam questions, objectives review, and merging of the 101 exam forms that contain RPM and DPKG package management questions."
Software Freedom Law Center to represent the Wine project
The Wine project has sent out an announcement that it will be getting legal representation from the Software Freedom Law Center. If there is a pressing legal problem to be solved now, the release does not mention it. "The commercial value of Free and Open Source Software (FOSS) today is increasing at an exponential rate and changing the playing field for the software industry. To be viable, productive and sustainable, open source projects, such as The Wine Project, need expert legal representation."
Commercial announcements
AMD/Tyan/SUSE Set LAN Server Throughput Record
The Neal Nelson & Associates benchmarking laboratory has announced the achievement of a new server bandwidth record using AMD Opteron processors running SUSE LINUX Professional 9.2. "One endurance test ran continuously for 48 hours and transferred over 1,000 terabits (1 petabit) of user data between 96 FTP client machines and the single FTP server. These data rates were achieved with the common IPV4 protocol and standard 1,500 byte packets."
BitDefender Antivirus for Samba Servers released
BitDefender has released version 1.6.2 of its BitDefender for Samba Linux File Servers. "BitDefender for Samba Linux File Servers was upgraded to version 1.6.2 today, and parts of it have been released under an open-source license. The antivirus for Samba shares is capable of scanning and disinfecting shared files and folders on access and on demand, and can be installed easily alongside BitDefender for Linux Mail Servers."
Black Duck Software Joins Open Source Software Institute
Black Duck Software has announced that it has become a corporate member of the Open Source Software Institute (OSSI). As a member of OSSI Black Duck will serve as a technical contributor to the second open source software research and development programs between the U.S. Navy and the OSSI.
Novell acquires Immunix
Novell has announced the acquisition of Immunix, a one-time creator of a hardened Linux distribution. Novell seems most interested in the company's AppArmor security product.
Novell Announces Executive Departure
Novell, Inc. has announced that Richard Seibt has resigned his position as president of Novell(R) EMEA. Mr. Seibt was formerly president of SUSE LINUX, Inc.
QUALCOMM announces Linux support for mobile phone chipsets
QUALCOMM Incorporated has announced that it will be supporting Linux on its Mobile Station Modem(TM) (MSM(TM)) chipsets. "The new initiative provides manufacturers with further design and development efficiencies for 3G smartphones and other mobile handsets by leveraging the flexibility and reliability of the Linux operating system."
Red Hat to Present at Investor Conferences in May
Red Hat, Inc. has announced that it will hold two presentations at upcoming investor conferences. The events will be held on May 11 in San Francisco, CA and May 12 in Chicago, IL.
Sys-con dumps O'Gara
Maureen O'Gara, the author of a set of increasingly vicious attacks on Linux and some of its defenders, has now been dropped from the lineup at Sys-con, the publisher of LinuxWorld and several other sites. This change came about after LinuxWorld editor James Turner took a public "Maureen or me" stand. Whether Ms. O'Gara will resurface elsewhere remains to be seen.
TimeSys Introduces Linux Customization Solutions
TimeSys has announced new Linux Customization Solutions for embedded system developers. "LinuxDepot and LinuxEngine are accessible through the TimeSys Network(TM), a secure, hosted infrastructure which includes a continuously evolving Component Repository, automated Embedded Linux Platform Builder and the knowledge and community of the Developer Exchange."
Resources
May 4 EDRI-gram newsletter
The EDRI-gram newsletter for May 4 is out. Among other things, it covers the French court decision on copy-protected DVDs and the next stage of the software patent fight. "The Europarl JURI committee will vote on the amendments on 20 June 2005. The parliament is scheduled to vote in plenary on 6 July 2005. Meanwhile, the European Commission has issued an explanatory statement about the scope of the directive on Intellectual Property Enforcement (IPRE). It also includes any kinds of patents. The directive provides strong new enforcement powers to right holders and thus gives an extra incentive to MEPs to very carefully avoid patentability of software and business methods, to avoid competitors spitefully raiding each others offices."
FSF Europe Newsletter
The May 5, 2005 edition of the FSF Europe Newsletter is online with the latest happenings from the Free Software Foundation Europe.
Dive Into Greasemonkey
Mark Pilgrim has written a book about the "Greasemonkey" extension for Firefox and put the whole thing online in several formats. It would appear to be the definitive reference for anybody wanting to create Greasemonkey scripts.
The LDP Weekly News
The May 4, 2005 edition of the Linux Documentation Project Weekly News is online with the latest documentation releases.
Linux Gazette #114
The May 2005 Linux Gazette is now available. Topics in this issue include Python for scientific use. Part I: Data Visualization, by Anders Andreasen, A Tale of Three Conferences, by Howard Dyckoff, Secure Knoppix on CD-ROM for Disaster Recovery, by Edgar Howell, Shelling your Linux box with Festival, by Maxin B. John, Right To Your Own Devices, by Kapil Hari Paranjape, Lock It Down With Arno's iptables-firewall, by S. Keeling, Introduction to Shell Scripting, part 4, by Ben Okopnik, and more.
Contests and Awards
Mozilla Community Awards (MozillaZine)
MozillaZine has announced the launch of the 2005 Mozilla Community Awards program. "It's been an amazing year, and it wouldn't have been possible without an inspired and dedicated community of contributors. We, no doubt, have one of the largest and most varied community of open source contributors, and while we cannot recognize each and every person who helped this last year to get us where we are, we'd like to take some time to acknowledge the outstanding contributions across the full breadth of community activities."
Upcoming Events
aKademy 2005: Ready For Your Registration (KDE.News)
KDE.News has announced the opening of registration for aKademy 2005. "As previously announced aKademy 2005 is to take place at the University of Málaga from Saturday 27th August to Sunday 4th September, with a KDE e.V. members-only meeting on Friday 26th. Everyone is invited to join the conference in Málaga."
Firebird World Conference 2005
The Firebird database site has an announcement for an upcoming conference. "The world-wide Firebird Conference will take place at the Hotel Olsanka in Prague, Czech Republic, from the evening of Sunday, November 13 (opening session) until the evening of Tuesday, November 15 (closing session)."
Free/libre and open source at MIE2005 (LinuxMedNews)
LinuxMedNews has announced the presence of open-source project members at the international Congress of the European Federation for Medical Informatics. "MIE2005 will be held in Geneva, Switzerland, on 28 August to 1 September, 2005"
Linux Desktop Development and KDevelop Developers Conference 2005 (KDE.News)
The 2005 Linux Desktop Development and KDevelop Developers Conference has been announced. "The KDevelop Team and Open Source Developers Network Ukraine are proud to announce the First Linux Desktop Development and KDevelop Developers Conference that will be held in Kiev, Ukraine, 1st to 6th of July 2005."
A Panel Discussion on Open Source
A Panel Discussion on Open Source software will be held on Thursday, May 19, 2005 at the University of Toledo, Ohio. "Bill McCreary, Pilkington, has actively recruited top industry leaders from Microsoft, IBM, HP, Dell, Novell (and possibly more) to represent their positions on the issue of open source. The panel will also feature two CIOs who have bet their careers on opposing sides of the issue. After opening remarks from each participant, five to six key areas related to Open Source will be moderated by local CIOs."
Two Open Source Business Conferences Announced
OSBC has announced two new Open Source Business Conferences. "Expanding upon the San Francisco event, OSBCLegal in Seattle is scheduled to take place September 7, 2005 at the Grand Hyatt Seattle and will focus exclusively on the complex legal issues surrounding Open Source software. OSBC in Boston is scheduled to take place November 1-2, 2005 at the Boston Marriott Newton and will follow the format of the previous OSBC events in San Francisco."
Plone Symposium New Orleans 2005: Registration Opens
Registration is open for the next Plone Symposium. "New Orleans, LA. July 20-22 in the heart of the French Quarter. Learn about design, development and deployment techniques. Using Plone or Zope in a production environment? The Plone Symposium is the must-attend event of the year."
Sixth Symposium on Trends in Functional Programming
The sixth Symposium on Trends in Functional Programming will be held on September 23 and 24, 2005 in Tallinn, Estonia. "The 2005 Symposium on Trends in Functional Programming (TFP '05) is an international forum for researchers with interests in all aspects of functional programming languages, focusing on providing a broad view of current and future trends in Functional Programming." A call for papers has been announced.
Events: May 12 - July 7, 2005
| Date | Event | Location |
|---|---|---|
| May 12 - 15, 2005 | php\|tropics 2005 | (Moon Palace Resort) Cancun, Mexico |
| May 13 - 14, 2005 | BSDCan 2005 | (University of Ottawa) Ottawa, Canada |
| May 19 - 21, 2005 | GUADEC-es 2005 | A Coruña, Spain |
| May 22 - 25, 2005 | Gelato Federation Meeting | (HP's Palo Alto and Cupertino campuses) San Jose, CA |
| May 23 - 26, 2005 | PalmSource Worldwide Mobile Summit and DevCon | (Fairmont Hotel) San Jose, California |
| May 24 - 27, 2005 | XTech 2005 Conference | (Amsterdam RAI Center) Amsterdam, the Netherlands |
| May 25 - 26, 2005 | Linux World New York Summit 2005 | (New York City Marriott Marquis) New York, NY |
| May 28 - 29, 2005 | Linux Unix Group of Bulgaria Seminar | Stara Zagora, Bulgaria |
| May 29 - 31, 2005 | GNOME Users and Developers European Conference (GUADEC 2005) | Stuttgart, Germany |
| June 1 - 3, 2005 | The Red Hat Summit 2005 | (Hilton New Orleans) New Orleans, LA |
| June 1 - 4, 2005 | Fórum Internacional Software Livre (FISL) | Porto Alegre/RS, Brazil |
| June 9 - 10, 2005 | Austrian Perl Workshop | (Kapsch CarrierCom) Vienna, Austria |
| June 9 - 10, 2005 | The French Perl Workshop | (Faculté des Sciences de Luminy) Marseille, France |
| June 11, 2005 | PHP West | Vancouver, BC, Canada |
| June 15 - 17, 2005 | AstriCon Europe 2005 | (Auditorium Madrid Hotel) Madrid, Spain |
| June 17 - 19, 2005 | RECON 2005 | Montreal, Quebec, Canada |
| June 19 - 22, 2005 | International Lisp Conference 2005 (ILC 2005) | (Stanford University) Palo Alto, CA |
| June 22 - 25, 2005 | LinuxTag 2005 | (Kongresszentrum) Karlsruhe, Germany |
| June 23 - 24, 2005 | Italian Perl Workshop 2005 | (University of Pisa) Pisa, Italy |
| June 25, 2005 | LugRadio Live 2005 | (Molyneux Stadium) Wolverhampton, UK |
| June 25, 2005 | XML Prague 2005 | Malá Strana, Prague, Czech Republic |
| June 27 - 29, 2005 | Yet Another Perl Conference (YAPC::NA 2005) | (University of Toronto) Toronto, Ontario, Canada |
| June 29 - 30, 2005 | Where 2.0 Conference | (Westin St. Francis Hotel) San Francisco, CA |
| July 1 - 6, 2005 | Linux Desktop Development and KDevelop Developers Conference 2005 | Kiev, Ukraine |
| July 5 - 9, 2005 | LSM 2005 Libre Software Meeting for Medicine | Dijon, France |
Miscellaneous
Ubuntu Certification Poll
The Ubuntu distribution is conducting a poll concerning a certification program: "Which of the following areas would you (or perhaps your staff) consider most important for official Ubuntu skills certification?"
Page editor: Forrest Cook
Letters to the editor
Comment on http://lwn.net/Articles/134720
| From: | David Faure <faure-AT-kde.org> | |
| To: | lwn-AT-lwn.net | |
| Subject: | Comment on http://lwn.net/Articles/134720 | |
| Date: | Fri, 6 May 2005 00:25:00 +0200 |
Hello,
Thanks for the article "KOffice heads toward 1.4", by Joe 'Zonker' Brockmeier.
As a koffice developer, I would like to point out the reason for the apparent
incompatibility with the OpenOffice beta you used to test OASIS OpenDocument
interoperability. There was a late change in the namespaces used by the OASIS
spec, prior to it achieving 1.0 status, and the OpenOffice.org beta that you
tried obviously didn't have that change yet. Please try with a newer
OpenOffice.org beta. 1.9.87 works.
(I have also improved the error message so that users hitting this problem
have more information about it).
--
David Faure, faure@kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
Page editor: Jonathan Corbet
