LWN.net Weekly Edition for June 16, 2005

A few notes on the OpenSolaris release

Sun has followed through on its promises, and placed the bulk of its Solaris source on OpenSolaris.org. Regardless of whether you intend to do anything with this code, or with Solaris in general, this release is a significant event. Observers have noted for years that Linux was likely to bring about the end of proprietary Unix systems. With the opening of Solaris, that prediction has come to pass. While some proprietary Unix offerings still exist, Solaris was the largest and most significant of them. With Solaris in the open, the proprietary Unix era is done.

OpenSolaris is not a small download. Anybody not already running Solaris will have to bootstrap themselves with a binary distribution. Then there's the core source tarball, compiler, and "closed binaries" packages. Throw in the BFU package to get the latest stuff: "BFU" is said to stand for "blindingly fast upgrade," but other interpretations of the acronym are certainly possible. Sun's site requires registration before it will allow you to download files; interestingly, however, it also makes torrents and a (no-registration) third-party site available.

Note that, if you simply want to wander around in the source code, it is not necessary to download the whole thing. Sun has provided a web-based source browser which makes digging through the code easy.

The "closed binary" package is said to be a temporary thing. It comes with a relatively reasonable "free beer" license, though it does require that you only run the binaries on an OpenSolaris system. The list of binary-only programs is somewhat strange: it includes od, patch, rdist, sed, ssh, telnet, and kernel drivers for hardware like the Intel e1000 network adaptor - stuff which, seemingly, should be free. The Sun compilers come with a rather more restrictive license; users are required to be "a participant of the OpenSolaris community," may not publish benchmark results, and cannot modify the "java technology" included with the software. Also:

Software may contain programs that perform automated collection of system data and/or automated software updating services. System data collected through such programs may be used by Sun, its subcontractors, and its service delivery partners for the purpose of providing you with remote system services and/or improving Sun's software and systems

So it is, perhaps, not surprising that even developers within Sun are interested in using free compilers with OpenSolaris. An effort to Build OpenSolaris with GCC is apparently well advanced, so the need for the proprietary Sun compilers should go away soon. Interesting, according to one developer, much of the pain of porting to gcc was caused by gcc's insistence on putting constant data into read-only memory. OpenSolaris, it seems, did a lot of writing to "constant" strings.

One of the more significant omissions from OpenSolaris currently is an X server. Two servers actually run on Solaris: X.org and the venerable Xsun server. The plan is, apparently, to move toward releasing a version of the X.org server, but that has not happened yet.

Much has been said about Sun's choice of the CDDL as the license for the Solaris source code; there is not much to add at this time. It is worth noting, though, that if you choose to contribute code to OpenSolaris, you not only have to contribute it under the CDDL, but you must sign Sun's contributor agreement [PDF] as well. That agreement has some obvious things, like patent licensing. It also, however, requires you to give Sun an ownership stake in your code:

You hereby assign to Sun joint ownership in all worldwide common law and statutory rights associated with the copyrights, copyright applications and copyright registrations in Your Contribution, to the extent allowable under applicable local laws and copyright conventions, and agree never to assert against Sun any "moral rights" therein. You understand that (i) this Agreement may be submitted by Sun to register a copyright in Your Contribution, and (ii) Sun may exercise all rights as a copyright owner of Your Contribution.

Sun, in other words, can take your code and make it into a proprietary product, or release it under any other license that it sees fit. It doesn't seem to have occurred to Sun that terms like this might reduce the size of the "vibrant developer community" that it wishes to create.

The CDDL license will prevent any code in the Solaris kernel from finding its way into Linux - we can only hope that nobody tries to sneak some in anyway. It is amusing to note, however, that the first OpenSolaris-inspired kernel patch has already been posted; it is a small optimization to how SYSV semaphores work. With luck, good ideas will flow from the OpenSolaris kernel to Linux (and vice versa), even if the code itself cannot.

Large dumps of corporate code are always a little hard for the community to digest. So it may be some time before OpenSolaris grows into a true free software project with active user and developer communities. It will probably get there: the code is good enough, and there are enough established Solaris users now, to give OpenSolaris some momentum. Whether OpenSolaris can develop into a truly successful project over the long term remains to be seen, however. There is some good stuff there, but it may turn out to be too little, too late from a company which is still struggling to understand what free software is about.

Comments (10 posted)

What is firefox prefetching?

One reason many of us insist on using free software is its relative lack of surprises. Free programs rarely contain features which cause them to behave in a way which is contrary to the interests of their users. Unlike many proprietary programs, free applications tend not to phone home without permission, unnecessarily restrict what their users can do, or perform unexpected operations behind users' backs. As Lauren Weinstein recently discovered, however, the Firefox browser can be made to behave in a way which is surprising indeed - and Google, in the name of faster browsing, is taking advantage of that behavior.

In particular, Firefox will, at times, "prefetch" the contents of a web page which it thinks you might want to see soon. If a page is marked as being the "next" page in a series, Firefox, by default, will prefetch that page's contents. (And, yes, for those who have asked for "next" tags for the LWN Weekly Edition, it will happen when we get a chance). When the user hits the link for the next page, it will already be resident in the Firefox cache, and will display more quickly.

The interesting thing is that Firefox can be told explicitly to prefetch pages; all it takes is a tag like:

    <link rel="prefetch" href="URL">

Google will, if it decides that you should be feeling lucky, add such a tag to the first in a series of search results, causing that first result to be prefetched. Among other things, this prefetch can cause cookies to be set in the browser even though the person ostensibly in control of the browser never decides to visit the site. An easy experiment will verify this behavior: turn on cookie notifications, then search for a term with a relatively obvious top result - Lauren used "soundbite." The result will be a screen somewhat like that shown on the right: the soundbite.com web server is attempting to set cookies, even though your editor never clicked on a link which would lead to that site.

Prefetching in this way can lead to a number of undesirable consequences: unwanted cookies, bandwidth use, etc. More seriously, it could lead to accesses to truly unwanted sites: stumbling into non-work-safe sites is already too easy, without one's browser deciding to fetch additional pages from arbitrary servers with no user participation. Should an unpleasant Firefox security hole be discovered, prefetching could, for the right sort of vulnerability, be exploited to compromise systems. That would be an unwelcome sort of surprise.

Google's use of prefetching in this way is unfortunate; it seems certain to lead to trouble for somebody, somewhere down the line. The real problem, however, is with Firefox, which is shipped with prefetching turned on. There is no indication, anywhere in the preference screens, that an option controlling prefetching even exists. Anybody wanting to disable prefetching will have to edit their prefs.js file, or tweak the network.prefetch-next option on the about:config screen. Turning off prefetch in this way will slow down some page loads, but, for many users, the extra delay will be worth it.

[As a postscript, your editor can't help but poke at a bit of poor user interface design in Firefox. An attempt to pull up a long page yielded this dialog, asking: "A script on this page is causing mozilla to run slowly... Do you want to abort the script?" The two buttons are marked "Cancel" and "OK". It is nice that Firefox does not entirely lose control in such situations. But does "Cancel" kill the script, or let it run?]

Comments (13 posted)

A foundation for Zope

Back in 1998, LWN got one of its first scoops by reporting that a company called Digital Creations was planning to release its well-respected Principia product under an open source license. Even more interestingly, this release had been advocated by the company's venture capital backers. Over the years, both the software and the company were renamed "Zope," and the Zope platform has been used for many applications, including the popular Plone framework.

Zope Corporation has, throughout, retained copyrights for - and control over - the Zope platform. Recently, however, the company announced that a foundation would be created for Zope. This foundation will be given the copyrights to the code and the right to the Zope trademark; its task will be to ensure the future success of Zope independently from Zope Corporation. We talked briefly with Zope Corp. head Rob Page about this change.

Why have you decided to make this move at this time?

The global potential for Zope 3 is huge. The design principles in Zope 3 make it the perfect platform for "Web 3.0" development. By way of example, we (Zope Corporation) are developing a large document management project for the US Department of Defense on Zope 3, and Mark Shuttleworth is working to bring SchoolTool/SchoolBell to the world -- all on top of Zope 3.

Everyone with a vested interest in Zope benefits from its widespread adoption and deployment. Users benefit from the support network and commercial organizations benefit from more platform-based opportunity. We believe the explicit vendor neutrality of a Foundation will accelerate the adoption of Zope (version 2 *and* version 3).

Bottom line: We want to remove any objections to adopting Zope, and we see the Zope Foundation as the last step.

Were there any particular problems or pressures which led to the creation of the foundation?

No. A confluence of events -- the availability of Zope 3.1 (whose release is imminent), the release of SchoolTool, our imminent completion of our large DoD project and the community's launch of a Zope 3 ECM (Enterprise Content Management) project made this an excellent time to launch the Foundation.

That said, members in the Zope community have been discussing a Foundation for more than a year and we take it at face value that a Foundation would help them sell more Zope-based products and services to their prospective and current customers.

How many engineers do you have working on Zope now? Do you expect that to change as Zope moves over to the foundation?

From November 2001 through November 2004 our Chief Technology Officer, Jim Fulton worked on little other than Zope 3. Typically, at least 2 additional Zope Corporation engineers spent 80% of their time throughout that period working on Zope 3 work as well.

He was assisted by the incredible efforts of some really smart people. At the risk of insult by omission, it's appropriate to specifically mention and appreciate the efforts of Steven Alexander, Stephan Richter, and Philipp von Weitershausen.

Since October of 2004 we have had more than 4 full-time engineers working on the above-mentioned Zope 3 based Document Management project. We have already contributed large amounts of code into Zope 3 (XPDL support is one specific example). We intend to release additional significant contributions into both Zope 3 and the upcoming Zope 3 Enterprise Content Management project.

Of course, everyone here works on Zope. :^) Most developers are working on the delivery of our products into specific customer environments. This involves installation, custom development, configuration and transition to internal operations. We don't expect that to change.

What sort of governance structure do you see for the foundation?

The governance structure of the foundation will be developed by taking the best ideas from the likes of the Apache Software Foundation, Eclipse Foundation and others. Since it's early we haven't drawn any specific conclusions. We intend to work these issues out during the summer and launch the foundation by October 2005.

Will Zope Corp. retain any sort of veto power over changes it doesn't like?

Zope Corporation won't have a veto per se. Some changes (e.g., changing Zope's license) will require a unanimous vote of the Board of Directors.

How will you ensure that the development of Zope continues to meet your business needs?

In an open source world we can't ensure_ anything. :^)

What we can do is continue to demonstrate productive leadership and contribute great software and ideas. The Zope community is distinguished by having gathered some really smart people so we're extremely optimistic about the Foundation's success.

How will the foundation be funded?

We will be recruiting a few start-up partners to fund the initial formation and operation of the Foundation.

The Foundation will have a dues structure that will support ongoing operations.

What's the status of Zope 3? There does not appear to have been a Zope X3 release since last November; has development stalled?

There hasn't been a tagged release of Zope 3 since last November, though by the time I send this (or the time it's published) Zope 3.1 will be out.

Development has done anything but stall. The last seven months have been spent fixing bugs, refactoring implementations and polishing interfaces. We have a large customer to thank for providing the real-world application to thoroughly exercise Zope 3.

A lot of community work has gone into Zope 2.8 and a project called "Five" (Zope 2 + Zope 3 = Five ;-) - these are Zope 2 focused projects which aim to bridge the gap between Zope 2 and Zope 3 architectures. Zope 2.8, which now includes Five in the distribution, was released officially on June 11th, 2005.

How's business? Is the services model working for you?

Depends on what you mean by services.. :^)

Since 2001 we have been de-emphasizing our professional services capacity in favor of a more productized delivery model.

Our product business -- specifically the delivery of our products through managed hosting (aka ASP/Software as a Service) has been extremely successful. We recently announced the addition of CNHI as a managed hosting customer. CNHI will be launching 133 newspapers on our Zope4Media product.

Our managed hosting offering provides our customers with a managed/guaranteed environment in which they can assemble composite applications (i.e., applications built from Zope, Squid, LAMP, etc.), without assuming the operational responsibilities.

We thank Mr. Page for taking the time to answer our questions.

Comments (3 posted)

Page editor: Jonathan Corbet

Security

MD5 collisions

June 15, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

It may be time to retire MD5. The MD5 Message-Digest Algorithm RFC says that "It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest." At the time, this may have been true -- the RFC was written in 1992 -- but a number of researchers are finding that MD5 hashes aren't as unique as one might like.

Within the last year several researchers have come forward with results that show it's possible to create meaningful collisions of MD5 hashes. Dan Kaminsky published "MD5 to be considered harmful someday" (PDF) in December 2004; this paper describes the creation of two executables with the same MD5 hash using a tool called Stripwire (available here). Kaminsky writes that this would be an "excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature".

Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.

Kaminksy isn't the only one to find ways around MD5. Vlastimil Klima published Finding MD5 Collisions - a Toy For a Notebook in March of this year, where he describes finding MD5 collisions in 8 hours on a notebook PC with a 1.6 GHz Pentium. Arjen Lenstra, Xiaoyun Wang and Benne de Weger published "a method for constructing pairs of X.509 certificates where the "to be signed" parts of the certificates form a collision for MD5. Xiaoyun Wang and Hongbo Yu published a paper this year on how to break MD5 (PDF) and other hash functions.

Now Stefan Lucks and Magnus Daum have come up with a method for creating two documents with the same digital signature. Lucks and Daum describe creating two postscript documents, using Wang and Yu's attack, that have meaningful content and the same MD5 hash. They describe a scenario between "Alice and her boss" where Alice creates two postscript documents with the same MD5 hash. One, which is presented for a digital signature, is a letter of recommendation - the other is a document granting "Alice" access to confidential information.

The files are available for download from the Institute for Cryptology and IT-Security website. If one opens the files with a text editor, the content for both the letter of recommendation and the order are present, but manipulated so that only one letter is displayed in a normal postscript viewer. Lucks and Daum demonstrate that the MD5 hash collision attacks are not just hypothetical attacks with no practical applications.

Given the number of practical attacks on MD5, it may be time to move to a Federal Information Processing Standards (FIPS) approved hash algorithm, such as SHA-256, or SHA-512. Note that vulnerabilities have recently been found in SHA-1, however, and NIST is already planning to phase it out by 2010.

Comments (10 posted)

New vulnerabilities

ettercap: format string vulnerability

Package(s):

ettercap

CVE #(s):

CAN-2005-1796

Created:

June 13, 2005

Updated:

July 13, 2005

Description:

The Ettercap suite of networking tools has a format string vulnerability that can be exploited by a remote attacker for the execution of arbitrary code.

Alerts:

Debian	DSA-749-1	ettercap	2005-07-10
Gentoo	200506-07	ettercap	2005-06-11

Date	Event	Location
June 16 - 17, 2005	AstriCon Europe 2005	(Auditorium Madrid Hotel)Madrid, Spain
June 17 - 19, 2005	RECON 2005	Montreal, Quebec, Canada
June 18, 2005	Perl Dag 2005	Copenhagen, Denmark
June 19 - 22, 2005	International Lisp Conference 2005(ILC 2005)	(Stanford University)Palo Alto, CA
June 20 - 21, 2005	Linux Cluster Summit 2005	Walldorf, Germany
June 22 - 25, 2005	LinuxTag 2005	(Kongresszentrum)Karlsruhe, Germany
June 23 - 24, 2005	Italian Perl Workshop 2005	(University of Pisa)Pisa, Italy
June 24 - 25, 2005	Fedora Users and Developers meeting(FUDCon2)	Karlsruhe, Germany
June 25, 2005	LugRadio Live 2005	(Molyneux Stadium)Wolverhampton, UK
June 25, 2005	XML Prague 2005	Malá Strana, Prague, Czech Republic
June 27 - 29, 2005	Yet Another Perl Conference(YAPC::NA 2005)	(University of Toronto)Toronto, Ontario, Canada
June 27 - 29, 2005	EuroPython 2005	Göteborg, Sweden
June 27 - 29, 2005	Open Culture	(Via Festa del Perdono 7)Milan, Italy
June 29 - 30, 2005	Where 2.0 Conference	(Westin St. Francis Hotel)San Francisco, CA
June 30 - July 3, 2005	Linux Vacation/Eastern Europe(LVEE)	Hronda, Belarusia
July 1 - 6, 2005	Linux Desktop Development and KDevelop Developers Conference 2005	Kiev, Ukraine
July 5 - 9, 2005	LSM 2005 Libre Software Meeting for Medicine	Dijon, France
July 6 - 9, 2005	IV Jornades de Programari Lliure	Campus de Vilanova i la Geltrú, Spain
July 10 - 18, 2005	Debconf 5	Helsinki, Finland
July 11, 2005	Evolution of Open-Source Code Bases(EVOSC05)	Genova, Italy
July 11 - 15, 2005	First International Conference on Open Source Systems(OSS2005)	Genova, Italy
July 11 - 14, 2005	GOTO10 workshop	(OKNO)Brussels, Belgium
July 11 - 15, 2005	IEEE International Conference on Web Services(ICWS 2005)	Orlando, Florida
July 17 - 19, 2005	Desktop Developer's Conference	(Ottawa Congress Centre)Ottawa, Ontario, Canada
July 18 - 22, 2005	ApacheCon Europe 2005	Stuttgart, Germany
July 18 - 22, 2005	PostgreSQL Bootcamp	(Big Nerd Ranch)Atlanta, GA
July 20 - 23, 2005	Ottawa Linux Symposium(OLS 2005)	Ottawa, Canada
July 20 - 22, 2005	North American Plone Symposium	(The Astro Crowne Plaza)New Orleans, Louisiana
July 26, 2005	2nd European LISP and Scheme Workshop	Glasgow, Scotland
July 27 - 28, 2005	Back Hat Briefings USA 2005	Las Vegas, NV
July 31 - August 4, 2005	2005 SIGGRAPH Computer Animation Festival	Los Angeles, CA
August 1 - 5, 2005	O'Reilly Open Source Convention	(Oregon Convention Center)Portland, Oregon
August 1 - 5, 2005	CIFS 2005 Conference and Plugfest	(Doubletree Hotel)San Jose, CA
August 4, 2005	Penguicon 2005	Israel
August 4 - 7, 2005	Linux 2005	(University of Wales)Swansea, UK
August 8 - 11, 2005	LinuxWorld Conference and Expo	(Moscone Center)San Francisco, CA

LWN.net Weekly Edition for June 16, 2005

Security

New vulnerabilities

ettercap: format string vulnerability

gaim: remote DoS

gaim: denial of service

gedit: format string vulnerability

lutelwall: insecure temp file

mozilla firefox: javascript vulnerabilities

shtool: insecure temp file

sysreport: information disclosure

tcpdump: denial of service

telnet: information disclosure vulnerability

wget: file overwrites and arbitrary code execution

Resources

Kernel development

Brief items

Kernel development news

Patches and updates

Kernel trees

Architecture-specific

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Janitorial

Security-related

Benchmarks and bugs

Miscellaneous

Distributions

News and Editorials

New Releases

Distribution News

New Distributions

Distribution Newsletters

Minor distribution updates

Package updates

Newsletters and articles of interest

Distribution reviews

Development

System Applications

Audio Projects

Database Software

Filesystem Utilities

Networking Tools

Security

Web Site Development

Desktop Applications

Audio Applications

Desktop Environments

Electronics

Fonts and Images

Games

GUI Packages

Imaging Applications

Instant Messaging

Interoperability

Office Suites

Web Browsers

Miscellaneous

Languages and Tools

Caml

Perl

PHP

Python

Ruby

Tcl/Tk

Cross Compilers

Editors