LWN.net Weekly Edition for September 1, 2005
Linux and desktop graphics
There is a lot to be said for the X window system. It is, after all, one of the oldest and most successful free software development projects in existence. X helped to pioneer many concepts, including the idea of a graphical display as a network service and the absolute separation of graphical mechanism and policy. Long before Linux began to make proprietary Unix vendors worry, X was pushing aside proprietary desktop implementations.

X has a problem, however: it is very much a two-dimensional system in a three-dimensional world. It was designed around dumb frame buffers, but is now expected to run on graphical adaptors which, in terms of processor performance, far outclass the central processor they serve. As a result, X tends to make poor use of contemporary video hardware; it restricts itself to the hardware's two-dimensional processor (a nearly vestigial afterthought bolted onto the real hardware) and cannot make use of many of the capabilities provided by the 3D processor. X is, essentially, using a legacy interface which is poorly supported now, and which may go away in the near future.
To remain viable, and to help free operating systems develop the best desktop experience possible, X must grow into the current crop of hardware. The X developers have understood this for some time, and have been working in that direction. Events from this week demonstrate, however, that there is a lack of consensus on what needs to be done, and when.
The person driving the debate is Jon Smirl, an active graphics programmer. Frustrations with the X development process have led Jon to write and post a document called The State of Linux Graphics. Regardless of how one feels about Jon's opinions, the document is worth a read; it is a comprehensive overview of the problem and the current body of low-level graphical software. If you've ever wondered what all those acronyms (XAA, EXA, DRI, ...) mean, this document will clarify a number of things.
X developers seem to agree that X needs to make a switch from 2D to 3D hardware. There is less consensus on how the 3D hardware should be made available to user space. One approach is to make OpenGL be the API for next-generation graphics. This interface is relatively well designed, is open, and already has a certain level of support in free software. It is a high-level interface which allows an application to take advantage of the hardware's capabilities. OpenGL supporters see the X of the future as being a sort of management layer around the OpenGL interface.
Jon Smirl is one of those supporters. He has been working on Xegl, a version of the X server which makes the OpenGL interface available. A few weeks ago, however, Jon announced an end to his Xegl work. In his opinion, Xegl is not going to reach a usable state anytime soon, so it is not worth working on.
The problem, it seems, is that Xegl lacks developers and is progressing too slowly. According to Jon, a big part of the problem is that development work in the X community has been spread in too many directions. He is, in particular, critical of an effort called EXA, which is working to integrate drivers using the 3D hardware into the existing X API. EXA may have the effect of extending the life of the current X server, but it does relatively little to make the hardware's capabilities available to applications. As a result, the X server will be faster on supported hardware, but it will still be a 2D server. Says Jon:
Jon seems to believe that the main thing EXA will accomplish is to push back the date when Xegl will show up as the real solution to the problem. He claims that Linux is already far behind the proprietary platforms in providing a desktop which can take advantage of contemporary hardware, and has little patience for developments which threaten to widen that gap. So Jon has stopped development work on Xegl, and is working for process change instead. His conclusion states:
Not all X developers are entirely supportive of Jon's position. The administrator of freedesktop.org, where Jon's document is hosted, posted a dismissive response and promptly shut down Jon's account, making the document unavailable. It has since been restored, but that action (ostensibly taken for other reasons) added an unpleasant note to the debate.
Some developers seem to agree that the OpenGL approach is the right one for the long term, but they never believed that this solution could be implemented in the near future. It is, after all, a complex project. For these developers, EXA makes sense as a short term, relatively easy solution to make X functional on current hardware.
Others seem to disagree with the transition to OpenGL altogether. The current X Render extension makes a number of capabilities available to applications, and it could be extended where needed. Render is seen as a friendlier API for 2D applications than OpenGL. Not moving to OpenGL would mean less disruption for applications and would avoid impacting X performance on older hardware without 3D acceleration.
The discussion, as of this writing, has not reached much in the way of new conclusions. The Xorg project lacks a dictator, and will thus be hard put to pick a direction and expect that the developers will simply follow. What does seem clear, however, is that the developers are determined to bring X forward to where it is, once again, a leading-edge graphical platform. They will probably get there, one way or another.
The StorageTek DMCA decision
Last year, StorageTek (soon to be a subsidiary of Sun) brought a suit against Custom Hardware Engineering, alleging copyright and DMCA violations. CHE is a third-party maintenance vendor which was offering maintenance services for StorageTek's tape libraries. To carry out that maintenance, CHE built a gadget which would intercept diagnostic messages sent within the library; CHE also had to bypass StorageTek's "GetKey" system which protected access to those messages. StorageTek claimed that running the maintenance code (which generates the diagnostic messages) was a copyright violation, and that bypassing GetKey went against the DMCA's anticircumvention measures. A U.S. district court agreed, and issued an injunction shutting CHE's maintenance service (for these libraries) down.

CHE appealed the injunction, and an appeals court has now produced a ruling [PDF] reversing the injunction. In doing so, the appeals court has placed some limits, however small, on the application of the DMCA.
This case matters. It is not hard to imagine similar situations which could affect the free software community. If StorageTek's internal diagnostic streams are privileged, many other hardware communication paths may be as well. Consider a closed network adaptor, for which a free, reverse-engineered driver exists. The vendor could claim that the communications between the proprietary driver and the firmware on the card serve as an access to that (copyrighted) firmware, and that the (undocumented, complex) interface to the card is a technical measure preventing unauthorized access. By this reasoning, a free driver would be a DMCA violation. As DRM systems work their way into (what used to be) general-purpose computers, this sort of issue will come up in that context as well.
When viewed in this context, the StorageTek decision, while welcome, does not give much relief. It is a narrow decision which does little to return control of hardware to those who have purchased (and believe that they own) it.
The core of the appeals court decision is that CHE's activities did not, in fact, constitute copyright infringement. The infringement argued by StorageTek took the form of CHE loading StorageTek's maintenance code into the library's processor by means of rebooting the machine. This allegedly infringing activity is the same thing that happens when the owner of the machine turns it on. This "copying" of the software into RAM might well have been a copyright infringement, except that the copyright law contains an explicit exception for third-party maintenance providers. Even in this case, CHE might not have been in the clear, however; the company prevailed in the end because StorageTek had never made a clear separation between its operational and maintenance programs. The whole mess is loaded when the system boots, so the appeals court decided that it was all necessary to operate the library.
In other words, if StorageTek had been more careful to keep its maintenance software separate, and to not load it automatically when the system boots, it might have gotten through this appeal. The court also notes that StorageTek could have written its software license agreement to forbid third parties (such as CHE) from turning on the machine at all - but didn't.
Once that decision was reached, the court had little trouble with the DMCA claim. The DMCA, the court decided, is a copyright law. To that end, the anti-circumvention provision does not stand on its own, but is tied to the underlying copyright regime. That limits how this provision can be read:
In theory, this interpretation means that circumvention, itself, is not a crime. It is only when that circumvention is part of a violation of copyright that the DMCA comes in to play. Unfortunately, anything which is said to "facilitate" copyright infringement will fall on the wrong side of that line, so there is nothing good in this ruling for DeCSS (for example).
So, in the end, this ruling does little to enable us "consumers" to keep control over the devices that we believe we own. It is more likely to serve as a checklist for companies like StorageTek in the future: their systems are likely to be designed to avoid the pitfalls encountered by StorageTek in this case. This ruling has, mainly, increased the number of lawyers that hardware manufacturers must apply to achieve their aftermarket goals.
Whenever one buys a device containing proprietary software, one must accept that said device may serve somebody else's interests. That is in the nature of proprietary software, but that nature is made worse by current copyright law, which sees the act of paging software into RAM to execute it as an act of copying which may be controlled by the copyright owner. The ruling in the StorageTek case has drawn some boundaries on how far vendors can use copyright law to assert control over hardware they have sold, but the situation, fundamentally, has not changed.
Writers wanted
For the last couple of years, Joe 'Zonker' Brockmeier's articles have been a regular feature here at LWN. We are thus sad to announce that this week's article (on the Distributions Page) will be Zonker's last for LWN. Zonker has gotten a real job, and will no longer be available to write free-lance articles. We offer Zonker our thanks for many great articles, and wish him well at his new place of employment.

LWN is always looking for good writers, but, for obvious reasons, our level of interest has just gone up. We are, in particular, interested in talking to authors who have top-notch writing skills, are good at meeting deadlines, can generate ideas for articles, are not afraid of fussy editors, and who are not afraid of some of the most demanding readers around. We do pay for articles, though we must say that working for LWN is not a way for anybody to get rich.
If you think you might be interested in writing for LWN, please start by taking a look at our author guide. Then drop us a note at authors@lwn.net and we'll talk.
Security
Banner ads: worse than you thought
As seen on the interesting-people list: a Firefox (on Windows) user visits a "mainstream" web site, then finds a bit of malware running on his system, trying to phone home. The problem this time around was not the web site itself; instead, the unpleasant code was contained within an image being served as a banner advertisement. Many ad networks claim to be able to deliver readers, but one does not normally understand them to bring the users' systems along as well.

Over the last few years, there has been a long and tiresome series of buffer overflow vulnerabilities in the libraries which interpret various image formats. The associated updates are often widespread, since every package which uses an affected library must be rebuilt against the fix. Closing these vulnerabilities may seem like a pointless exercise; we may not expect to be attacked by way of an image file. But applications like web browsers and instant messaging clients do accept images from unknown sources, and that makes them vulnerable to attack. Even some CD players will grab and display images (CD covers) from the net. If an image library is vulnerable, the software which uses that library is vulnerable, and there can be no doubt that, where a vulnerability exists, certain people will be there to exploit it.
Advertising networks look like an especially effective means for the dispersal of malicious images. Even if every company which serves advertisements were diligent in checking all images for malware (unlikely), detecting all exploits would be a challenge. Meanwhile, a widespread ad network can distribute images from no end of web sites, most of which are unlikely to be compromised in more straightforward ways. The person reporting this particular episode noted that The Onion's site was one of those distributing malicious images; The Onion may have a stranger than normal sense of humor, but it does not extend to practical jokes of this nature.
One hopes that the image-handling libraries will get more secure over time. One may not be so naive as to hope that more complex things, such as Flash, will also improve, but a Flash-free browser generally yields a better web experience anyway. Meanwhile, it is well to remember that any path which allows data into our systems may be used against us, and advertising networks are a path with true strangers at the other end. Online ads are obnoxious enough as it is; if they become known for carrying malware, even more people will likely find themselves motivated to block ads altogether.
New vulnerabilities
apache2: CGI script denial of service
Package(s): apache2
CVE #(s): none listed
Created: August 25, 2005
Updated: August 31, 2005
Description: Apache 2 has a vulnerability in which a remote attacker can access certain CGI scripts, causing exhaustion of all RAM and a denial of service.
backup-manager: insecure permissions and tempfile
Package(s): backup-manager
CVE #(s): CAN-2005-1855, CAN-2005-1856
Created: August 26, 2005
Updated: August 31, 2005
Description: Two bugs have been found in backup-manager. First, backup files are created with default permissions, making them world readable even though they may contain sensitive information. Second, the optional CD-burning feature of backup-manager uses a hardcoded filename in a world-writable directory for logging, which can be subject to a symlink attack.
courier: DNS failure vulnerability
Package(s): courier
CVE #(s): CAN-2005-2151
Created: August 25, 2005
Updated: August 31, 2005
Description: The Courier mail server has a problem with DNS failures and Sender Policy Framework (SPF) records. Remote attackers can use this to corrupt memory and cause a denial of service.
libpam-ldap: authentication bypass
Package(s): libpam-ldap
CVE #(s): CAN-2005-2641
Created: August 25, 2005
Updated: October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
maildrop: missing privilege release
Package(s): maildrop
CVE #(s): CAN-2005-2655
Created: August 30, 2005
Updated: August 31, 2005
Description: Max Vozeler discovered that the lockmail program from maildrop, a simple mail delivery agent with filtering abilities, does not drop group privileges before executing commands given on the command line, allowing an attacker to execute arbitrary commands with group mail privileges.
ntp: uses wrong gid
Package(s): ntp
CVE #(s): CAN-2005-2496
Created: August 26, 2005
Updated: August 11, 2006
Description: When xntpd is started with the -u option and the group is specified by name rather than by numeric gid, the daemon uses the gid of the user rather than that of the named group. This problem is fixed by this update.
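The maildrop and ntp entries above both come down to getting the group half of a privilege drop right. The following C program is an added example written for this page, not code from either project: `resolve_user_group` parses a "user[:group]" specification the way a daemon's -u option would, looking a group name up in the group database instead of falling back to the user's primary gid, and `drop_privileges` gives up supplementary groups and the gid before the uid and then verifies that the drop took effect. All function names are the author's own.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 and store the value if s consists entirely of decimal digits. */
static int parse_numeric_id(const char *s, long *out)
{
    char *end;
    if (*s == '\0')
        return 0;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    errno = 0;
    *out = strtol(s, &end, 10);
    return errno == 0 && *end == '\0';
}

/* Resolve a "user[:group]" specification of the kind a daemon's -u option
 * takes. User and group may each be given by name or by number.
 * Returns 0 on success, -1 if either lookup fails. */
int resolve_user_group(const char *spec, uid_t *uid, gid_t *gid)
{
    char buf[256];
    long n;
    struct passwd *pw;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);

    char *group = strchr(buf, ':');
    if (group)
        *group++ = '\0';

    pw = parse_numeric_id(buf, &n) ? getpwuid((uid_t)n) : getpwnam(buf);
    if (!pw)
        return -1;
    *uid = pw->pw_uid;
    /* With no group given, the user's primary group is the right default. */
    *gid = pw->pw_gid;

    if (group && *group) {
        if (parse_numeric_id(group, &n)) {
            *gid = (gid_t)n;
        } else {
            /* The case the ntp advisory describes: a group given by name
             * must be looked up, not silently replaced by the user's gid. */
            struct group *gr = getgrnam(group);
            if (!gr)
                return -1;
            *gid = gr->gr_gid;
        }
    }
    return 0;
}

/* Convenience wrappers: the resolved uid/gid, or -1 on failure. */
long resolved_uid(const char *spec)
{
    uid_t u; gid_t g;
    return resolve_user_group(spec, &u, &g) == 0 ? (long)u : -1;
}

long resolved_gid(const char *spec)
{
    uid_t u; gid_t g;
    return resolve_user_group(spec, &u, &g) == 0 ? (long)g : -1;
}

/* Give up root for good: supplementary groups and gid first, uid last,
 * because after setuid() the process can no longer change its groups.
 * Dropping the gid is the step the maildrop advisory says lockmail skipped.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop actually took effect before trusting it. */
    if (getgid() != gid || getegid() != gid ||
        getuid() != uid || geteuid() != uid)
        return -1;
    /* If we were root, regaining it must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    const char *spec = argc > 1 ? argv[1] : "nobody";   /* default is constructed */

    if (resolve_user_group(spec, &uid, &gid) != 0) {
        fprintf(stderr, "cannot resolve %s\n", spec);
        return 1;
    }
    printf("%s -> uid %ld gid %ld\n", spec, (long)uid, (long)gid);
    if (geteuid() == 0 && drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    return 0;
}
```

Run as root with a "user:group" argument to exercise the drop; as an unprivileged user the program only resolves the ids.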
phpldapadmin: programming error
Package(s): phpldapadmin
CVE #(s): CAN-2005-2654
Created: August 30, 2005
Updated: September 6, 2005
Description: Alexander Gerasiov discovered that phpldapadmin, a web based interface for administering LDAP servers, allows anybody to access the LDAP server anonymously, even if this is disabled in the configuration with the "disable_anon_bind" statement.
simpleproxy: format string vulnerability
Package(s): simpleproxy
CVE #(s): CAN-2005-1857
Created: August 26, 2005
Updated: August 31, 2005
Description: Ulf Harnhammar from the Debian Security Audit Project discovered a format string vulnerability in simpleproxy, a simple TCP proxy, that can be exploited via replies from remote HTTP proxies.
Resources
Tool Announcement: AIRT -- the Advanced Incident Response Tool 0.4.2 released
Version 0.4.2 of the advanced incident response tool (AIRT), a collection of tools for dealing with security breaches, is available; click below for the details.
Events
22nd Chaos Communication Congress 2005: Call for Papers
The 22nd Chaos Communication Congress will be held in Berlin on December 27 to 30, 2005. The call for papers is out, with submissions due by the beginning of October.
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current 2.6 release is 2.6.13, announced by Linus on August 28. Only a small number of relatively important fixes went in since -rc7. For those just tuning in, 2.6.13 includes inotify, support for the Xtensa architecture, kexec and kdump, execute-in-place support, a configuration-time selectable clock interrupt frequency (the default for i386 changes to 250 Hz), a much-improved CFQ I/O scheduler with I/O priority support, the voluntary preemption patches, the removal of the devfs configuration option (though the code remains in place for the moment) and more. The long-format changelog contains the details for the patches merged since 2.6.13-rc7.

The floodgates have opened for 2.6.14; Linus's git repository includes a large InfiniBand update (with a shared receive queue implementation), a PHY abstraction layer for ethernet drivers, a serial ATA update, four-level page table support for the ppc64 architecture, some sk_buff structure shrinking patches, a big netfilter update (including a netlink interface to a number of netfilter internals and a user-space packet logging capability), a new linked list primitive, a DCCP implementation (see below), and more.
The current -mm release remains 2.6.13-rc6-mm2; there have been no -mm releases over the last week.
The current stable 2.6 kernel is 2.6.12.6, released on August 29. This one will be the last in the 2.6.12.x series, now that 2.6.13 is out; it contains a small number of important fixes.
Kernel development news
Chelsio responds to the TOE article
Last week's Kernel Page included an article about the TCP offload engine patch proposed by Chelsio Communications. That article reflected the criticisms of the TOE approach which have been heard on the development lists. In response, Chelsio's Wael Noureddine has sent us a letter defending TCP offload engines. That letter appears in this week's Letters to the Editor page. It merits a mention here, however, since it provides a different view of the situation than was seen on this page last week. Readers who do not normally get to the back page may want to have a look this time around.

Linux gets DCCP
For many years, the bulk of networking over IP has made use of just two protocols: transmission control protocol (TCP) and user datagram protocol (UDP). TCP offers a reliable, stream-oriented connection which works well for a large variety of higher-level network protocols. UDP, instead, makes a best effort to move individual packets from one host to another, but makes no promises regarding reliability or ordering. Most higher-level protocols are built upon TCP, but there are applications which are better served by UDP. These include:
- Protocols involving brief exchanges which will be slowed unacceptably by TCP's connection overhead. A classic example is the domain name system, which can often achieve a name lookup with a single packet in each direction.
- Protocols where timely delivery is more important than reliability. These include internet telephony, streaming media, and certain kinds of online games. If the network drops a packet, TCP will stall the data flow until the sending side gets a successful retransmission through. But a telephony application would rather keep the data flowing and just do without the missing packet.
The second type of application listed above is an increasingly problematic user of UDP. Streaming applications are a growing portion of the total traffic on the net, and they can be the cause of significant congestion. Unlike TCP, however, UDP has no concept of congestion control. In the absence of any sort of connection information, there is no way to control how any given application responds to network congestion. Early versions of TCP, lacking congestion control, brought about the virtual collapse of the early Internet; some fear that the growth of UDP-based traffic could lead to similar problems in the near future.
This concern has led to the creation of the datagram congestion control protocol (DCCP), which is described by this draft RFC. Like UDP, DCCP is a datagram protocol. It differs from UDP, however, in that it includes a congestion control mechanism. Eventually, it is hoped that users of high-bandwidth, datagram-oriented protocols will move over to DCCP as a way of getting better network utilization while being fair to the net as a whole. Further down the road, after DCCP has proved itself, it would not be surprising to see backbone network routers beginning to discriminate against high bandwidth UDP users.
DCCP is a connection-oriented protocol, requiring a three-packet handshake before data can be transferred. For this reason, it is unlikely to take over from UDP in some areas, such as for DNS lookups. (There is a provision in the protocol for sending data with the connection initiation packet, but implementations are not required to accept that data). The higher-bandwidth applications tend to use longer-lived connections, however, so they should not even notice the connection setup overhead.
Actually, DCCP uses a concept known as "half connections." A DCCP half connection is a one-way, unreliable data pipe; most applications will create two half connections to send data in both directions. The two half connections can be tied together to the point that, as with TCP, a data packet traveling in one direction can carry an acknowledgment for data received from the other. In other respects, however, the two half connections are distinctly separate from each other.
One way in which this separation can be seen is with congestion control. TCP hides congestion control from user space entirely; it is handled by the protocol, with the system administrator having some say over which algorithms are used. DCCP, on the other hand, recognizes that different protocols will have different needs, and allows each half connection to negotiate its own congestion control regime. There are currently two "congestion control ID profiles" (CCIDs) defined:
- CCID 2 uses an algorithm much like that used with TCP. A congestion window is used which can vary rapidly depending on net conditions; this algorithm will be quick to take advantage of available bandwidth, and equally quick to slow things down when congestion is detected. (See this LWN article for more information on how TCP congestion control works).
- CCID 3, called "TCP-friendly rate control" or TFRC, aims to avoid quick changes in bandwidth use while remaining fair to other network users. To this end, TFRC will respond more slowly to network events (such as dropped packets) but will, over time, converge to a bandwidth utilization similar to what TCP would choose.
It is anticipated that applications which send steady streams of packets (telephony and streaming media, for example) would elect to use TFRC congestion control. For this sort of application, keeping the data flowing is more important than using every bit of bandwidth which is available at the moment. A control connection for an online game, instead, may be best served by getting packets through as quickly as possible; applications using this sort of connection may opt for the traditional TCP congestion control mechanism.
DCCP has a number of other features aimed at minimization of overhead, resistance to denial of service attacks, and more. For the most part, however, it can be seen as a form of UDP with explicit connections and congestion control. Porting UDP applications to DCCP should not be particularly challenging - once platforms with DCCP support have been deployed on the net.
To that end, one of the first things which was merged for 2.6.14 was a DCCP implementation for Linux. This work was done by Arnaldo Carvalho de Melo, Ian McDonald, and others. It is a significant bunch of code; beyond the DCCP implementation itself, Arnaldo has done a lot of work to generalize parts of the Linux network stack. Much of the code which was once useful only for TCP or UDP can now also be shared with DCCP.
For now, only CCID 3 (TFRC) has been implemented. A CCID 2 implementation, taking advantage of the TCP congestion control code, will follow. Even before that, however, the 2.6.14 kernel will be the first widely deployed DCCP implementation on the net. As such, it will likely help to find some of the remaining glitches in the protocol and shape its future evolution. When DCCP hits the mainstream, one can be reasonably well sure that the Linux implementation will be second to none.
The state of the dynamic tick patch
The configurable timer interrupt frequency patch, part of the 2.6.13 kernel, led to a certain amount of controversy over the optimal default value. That default is 250 Hz, but there are arguments in favor of both increasing and decreasing that value. There was no consensus on what the default should really be, but there is a certain amount of agreement that the real solution is to merge the dynamic tick patch. By varying the timer interrupt frequency in response to the actual system workload, the dynamic tick approach should be able to satisfy most users.

Now that patches are being merged for 2.6.14, the obvious question came up: will dynamic tick be one of them? The answer, it seems, is almost certainly "no." This patch, despite being around in one form or another for years, is still not quite ready.
One issue, apparently, is that systems running with dynamic tick tend to boot slowly, and nobody has yet figured out why. The problem can be masked by simply waiting until the system has booted before turning on dynamic tick, but that solution appeals to nobody. Until this behavior is understood, there will almost certainly be opposition to the merging of this patch.
Another problem with the current patch is that it does not work particularly well on SMP systems. It requires that all CPUs go idle before the timer interrupt frequency can be reduced. But an SMP system may well have individual CPUs with no work to do while others are busy; such a situation could come up fairly often. Srivatsa Vaddagiri is working on a patch for SMP systems, but it is still a work in progress and has not received widespread testing.
The end result is that dynamic tick is unlikely to come together in time to get into 2.6.14; the window for merging of patches of this magnitude is supposed to close within a week or so. So this patch will be for 2.6.15 at the earliest. If the revised development process works as planned, 2.6.15 should not be all that far away. Hopefully.
Improving shared memory performance
When a process forks, the kernel must copy that process's memory space for the new child. Linux has long avoided copying the memory itself; anything which cannot be shared is simply marked "copy on write" and left in place until one process or the other does something to force a particular page to be copied. The kernel does copy the process's page tables, however. If the parent process has a large address space, that copy can take a long time.

Recently, Ray Fucillo noted that the amount of time required to create a new process increased notably with the size of any shared memory segments that process was using. After some discussion, Nick Piggin came up with a quick fix: don't bother copying page tables in cases where the kernel will be able to reconstruct them at page fault time anyway. This small patch takes away the fork() penalty for large shared mappings. In many cases, it will make fork() more efficient in general; if the child process never uses those parts of its address space (if it simply uses exec() to run another program, say), the setup and teardown overhead can be avoided altogether. On the other hand, if the child process does use those mappings, a higher cost will be paid overall. Rebuilding page tables one-by-one in response to faults is more expensive than simply copying them in bulk at fork() time. The consensus seems to be that the tradeoff is worthwhile, however, and this patch has been merged for 2.6.14. If any serious performance regressions result, they will hopefully be found before 2.6.14 is released.
One might well ask, however: why bother copying page tables for shared mappings at all? Since the mappings are shared, the associated page tables might as well be too. Sharing page tables would cut down on fork() overhead, save the memory used to store multiple copies of the tables, improve translation buffer performance, and reduce the number of page faults handled by the kernel. To this end, Dave McCracken has posted a new shared page table patch. This patch is simpler than previous versions in that it does not attempt to perform copy-on-write sharing of private mappings; instead, it restricts itself to mappings which are, themselves, shared. Since most processes have a few of these (consider shared libraries, for example), even the smaller patch can achieve a fair amount of sharing.
For the most part, sharing of page tables is straightforward; the kernel need only avoid copying them and point a new process's page directories to the shared tables. The one problem which does come up is reference counting. When each process has its own page tables, it is easy to know when those tables are no longer used. When a page table can be used by more than one process, however, the kernel needs a way to keep track of how many users each table has. The shared page table patch addresses this by using the _mapcount field in the page structure describing the page table page itself.
[Yes, page tables can already be shared by threads which share an entire address space. In that case, however, the kernel can track usage by looking at references to the full address space, rather than to individual portions of it.]
Not everybody is convinced that shared page tables are a good idea. The added complexity may not be justified by the resulting performance gains. Dave claims a 3% improvement on an unnamed "industry standard database benchmark," which is significant. There is also a fundamental conflict between shared page tables and address space randomization. For page tables to be shared, the corresponding mappings must be at the same virtual address in every process, but randomization explicitly breaks that assumption. Dave apparently has ideas for making the patch work in the presence of randomization (if the alignment of the mappings works out), but, for now, the two features are incompatible.
It has also been asked: do shared page tables still yield a performance benefit when Nick's deferred page table copying patch is taken into account? The answer would appear to be "yes." The deferred copying patch is entirely aimed at shortening the process creation time. Shared page tables should also help in that regard, but, unlike the copying patch (which may hurt ongoing performance slightly until the page tables are populated), shared page tables speed things up throughout the life of the process. So there may well be room in the kernel for both patches.
Patches and updates
Kernel trees
Architecture-specific
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Memory management
Networking
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Vancouver goes to Helsinki
The Debian release team meeting held in Vancouver in March spawned a proposal for creating quality requirements for Debian ports to trim the herd of supported architectures. That proposal, not surprisingly, generated quite a bit of heated discussion among Debian developers. Wouter Verhelst called for a follow-up meeting at Debconf5 in Helsinki, and has submitted a report covering the discussion at the meeting. According to Verhelst's report, several points from the Vancouver proposal were discussed.
The first of the "problematic items" is the requirement that "an architecture must be publicly available to buy new". This was clarified to mean "new hardware which, as of yet, is only available under NDA, or to avoid things such as a Vax port of Debian" and not to be applied retroactively to existing ports. Since it would be difficult, at best, to provide widespread access to hardware that requires Debian developers to sign an NDA, it seems a very reasonable requirement.
The next sticking point is the requirement that "any architecture needs to be able to keep up with unstable by using only two buildd machines". Unfortunately, Verhelst reports that "we didn't reach an agreement; in the end, we decided to move on." There will be more debate, but the requirement will remain in the meantime.
Another topic of discussion in Helsinki was the veto powers that would be given to the Debian System Administrators (DSA), Release Team and Security Team. Those teams would be able to veto an architecture if it would have an adverse impact on the quality of the release and/or the length of the release cycle.
There are still those who object to the "arbitrary" veto powers, but Verhelst responds that if it's abused, the team vetoing the release can be overridden:
We also asked Debian Project Leader Branden Robinson for input on the Helsinki meeting, on whether the veto power was necessary, and on how to make it more acceptable. Robinson said he was "equivocal about it".
At the same time, the concerns of the developers in general are legitimate. We *should* be cognizant of concentrations of privilege and power, because then we render ourselves susceptible to decision-making based on personality rather than consensus. Again, Biella Coleman's paper describes how the Debian Project is culturally uncomfortable with such a possibility.
I think the only real long-term solution to these problems is to decentralize our processes as much as we can. This is difficult in part because there is much expert knowledge locked up in the heads of people who either don't have the time or the inclination to serve as mentors or documentation-writers. As Coleman describes in Chapter 6 of her dissertation, there is a strain of the meritocratic geek philosophy which holds that self-education is the only legitimate avenue to exercise of authority. In my view, while it's certainly laudable to encourage people to grapple with challenging and unfamiliar code, material, or concepts on their own, this process demonstrably leads to the entrenchment of elites.
The "98 percent rule," requiring a port to compile 98 percent of the archive's source, is also generating quite a bit of discussion. A look at the build daemon statistics can be instructive in seeing how well each port is doing in terms of building packages. However, there's little point in worrying about those statistics right now while things are still undergoing rapid development, as Steve Langasek points out:
In his report, Verhelst suggests that the Vancouver proposal was not intended to "kill off" some of the Debian architectures. Langasek, who was not at the Helsinki meeting, clarified that the Vancouver proposal was "motivated by a concern that the absolute count of release architectures in Debian is too high to be sustainable".
We asked Robinson if it was likely that any ports would be dropped from Etch, and he replied that "it's possible that a currently supported architecture will be dropped. I don't yet consider it likely. I think the reason for dropping an architecture for Etch, if it happens, will likely have to do with build daemon failures for that architecture."
It would appear that the Helsinki meeting has moved the ball forward a bit in terms of developing a set of release criteria for Debian ports. However, it's also clear that there will be a great deal more discussion before a final set of criteria is adopted.
Obviously, no matter what the final language, it will not make everyone in the Debian community happy. However, we think that the Vancouver proposal is a good start towards making the Debian release process faster and more predictable.
New Releases
Asianux 2.0 released
Chinese Red Flag Software Co., Ltd., Japanese MIRACLE LINUX Corp. and Korean Haansoft Inc. have announced the release of Asianux 2.0. "Asianux2.0 is co-developed by Red Flag Software, MIRACLE LINUX and Haansoft in Beijing. Based on this common platform, local branding products, including 'Red Flag DC Server 5.0', 'MIRACLE LINUX V4.0' and 'Haansoft Linux 2006 Server & Server 64' will be released and sold in Chinese, Japanese and Korean market. These three products are 100% identical in OS level and provide customers with more local value-added application level features."
BLAG39999.20000 Released
BLAG Linux and GNU has announced (click below) an alpha release of the forthcoming BLAG40000. BLAG39999.20000 (dents) is based on Fedora Core 4 plus updates, adds apps from Dag, Freshrpms, NewRPMS, and includes custom packages.
Distribution News
Fedora: RFC: X.Org X11 modularization project - rpm package driver naming
Fedora has begun work on X.Org X11 modularization, and they are in the process of packaging the video and input drivers. The modularized X.Org X11R7 will make it much easier for an individual driver to be updated without having to release the entire 150Mb monolithic X release. Click below to see the proposed naming conventions. "Interested Fedora Core, Fedora Extras, or community developers who have an opinion about the X.Org modular package naming conventions, or who just want to provide feedback concerning the above proposal, are encouraged to respond to this RFC on or before Monday August 29th if possible."
Debian news
Joerg Jaspert explains what he has been doing with the NEW queue. "NEW checking is about three things. In order of priority: trying to keep the archive legal, trying to keep the package namespace sane, and trying to reduce the number of bugs in Debian. Not all QA issues will be noticed; we don't test packages, but we do look through them and note problems that jump out at us. Sometimes that'll result in a bug, sometimes it will result in an email, sometimes it will result in a REJECT, depending on how serious the issue seems."
Andreas Barth looks at the status of various package transition efforts. "we currently have a couple (or rather: way too many) transitions already ongoing. Please, don't upload shlib bumps or lib renamings unless required by one of these transitions."
There is now a Debian GNU/kFreeBSD i386 machine available to Debian developers. "The machine name is "io.debian.net". It was kindly donated by Aurelien Jarno and is hosted by "ETH Zurich, Department of Physics". We wish to thank them for their contribution to the GNU/kFreeBSD development."
The next Bug Squashing Party will be held September 2 - 4, 2005. "Coordination will happen over IRC channel #debian-bugs on irc.debian.org as usual."
Here are some Results of the meeting in Helsinki about the Vancouver proposal.
New Distributions
ELE Live CD
ELE is a bootable Live CD Linux distribution with focus on privacy related software. It is based on Damn Small Linux and aims to be as small as possible. The current version is 0.0.2, released last March.
Mupper
Mupper is a rescue-CD project for the PegasosPPC. It is based on Gentoo Linux and contains various tools like parted, midnight-commander and support for various filesystems including FAT, VFAT, ReiserFS, XFS and EXT3. The live CD also includes some network tools such as snort and tcpdump. Mupper joins the list at version 0.3 which was released August 28, 2005.
Distribution Newsletters
Debian Weekly News
The Debian Weekly News for August 30, 2005 is out. This issue looks at reasons to use Debian and an overview of some Debian derivatives, Debian in China, requirements for NEW, a new Debian GNU/kFreeBSD development machine, package transitions, and several other topics.
Fedora Weekly News, Issue 11
The latest Fedora Weekly News looks at a Guide to Managing Software with Yum, the availability of Yum Extender 0.42-03, Setup your wireless client at home, Secure your desktop PC, Using yum localinstall packagename, Why no hat? Here's why, Fedora Myths - New Fedora Wiki Page, New CSS on fedoraproject.org, and several other topics.
Gentoo Weekly Newsletter
The Gentoo Weekly Newsletter for the week of August 29, 2005 covers Gentoo documentation updates, Swedish rescue CD for PegasosPPC, and several other topics.
DistroWatch Weekly, Issue 115
The DistroWatch Weekly for August 29, 2005 is out. "Plenty of media hype about Asianux last week, but is the project worth the attention? We doubt it and we'll tell you why. We have not done a book review before, but we couldn't resist one in this edition after we found ourselves infatuated with Dru Lavigne's BSD Hacks, an excellent collection of superb tips for administering BSD operating systems. Also in this issue: an interview with Jay Klepacs, the founder and lead developer of aLinux, and the usual regular departments."
Package updates
Fedora updates
Updates for Fedora Core 4: audit (bug fix), openoffice (adds a README to he_IL dictionary), libsoup (fix for NTLM authentication), selinux-policy-targeted (bump for FC4), policycoreutils (fixes for fix files), xen (upgrade to a newer version of the upstream xen-unstable), evince (update to 0.4.0 and merge some fixes from devel), poppler (a PDF rendering library).
Updates for Fedora Core 3: freeradius (security updates), libsoup (fix for NTLM authentication), evolution-connector (patch for PDA synchronization), epiphany (update to 1.4.9).
Slackware updates
Slackware Linux has a lengthy changelog notice (click below) for August 30, including a number of upgrades, new packages in testing, and security fixes.
Newsletters and articles of interest
MEPIS: the miniature monster of Morgantown, West Virginia (Mad Penguin)
Mad Penguin talks with Warren Woodford, creator of MEPIS. "In this interview, Warren explains the secret to his distro's rapid and widespread proliferation. Give desktop customers what they want: a simple, reliable set of applications that are easy to acquire, install, and use. Give it away for free. Always. Show respect to the command-line community who created the base packages in the first place. Join the Debian Common Core Alliance, and play nicely in the sand box with them."
Distribution reviews
First look at aLinux 12.5 (MadPenguin)
Mad Penguin has a review of aLinux. "From what it looked like, every available 'look and feel' option in KDE was turned on by default, and from what I could tell.. a few more were added to the mix. The style appears to be Linspire's 'Crystal Clear' and it looks good, but the rest put it over the top. As everyone who frequents our site probably knows, I'm a real sucker for a good looking Linux desktop, but this is a bit too much for me. There is so much going on here that it is almost to the point of being totally distracting."
Review: VidaLinux 1.2 (Linux.com)
Linux.com takes a look at VidaLinux. "VidaLinux is great for people who want to ease into a Gentoo Linux environment and don't want to do a lot of typing and surrender a lot of their time for the installation. You start out with a working desktop environment and can work from there -- and if you screw everything up beyond your ability to repair, you can more quickly reinstall VidaLinux than plain Gentoo. Seekers of user-friendly desktop distros, beware: VidaLinux 1.2 probably isn't for you."
Page editor: Rebecca Sobol
Development
Caller ID on your computer with NCID
NCID, the Network Caller ID package, is a cross-platform system that provides telephone Caller ID information to networked computers. NCID features include:
- Support for multiple caller ID systems and multiple clients.
- Provides a log of who called and when the call was made.
- Can provide aliases for received names and numbers.
- Uses modem lock files to support sharing with other applications.
- Can run an external application when a telephone ring event happens.
- Includes text, GUI and synthesized speech clients for output.
- Can send output to a pager or cell phone.
- Includes a TiVo client so incoming calls can be seen while watching TV.
- Has an LCD client for systems without a normal display.
- Includes a pop-up Caller ID client that runs on Mac OS X and Windows.
Version 0.60 of NCID and version 0.9.10 of NCIDpop, the pop-up client for Mac OS X and Windows, were released this week. "NCID release 0.60 adds support for slow responding modems, the NetCallerID standalone device, and for Distinctive Ring. The server configuration file has changed and aliases were moved to a separate alias file. Configuration files were added for the client, log file rotation, and for the various support scripts. There was also some code improvements and bug fixes."
System Applications
Database Software
It's PostgreSQL Beta Time Again
The first beta version of PostgreSQL 8.1 is now available for download. Version 8.1 contains several new features that would benefit from extensive testing. Click below to see more about the new features, and where to send your bug reports.
PostgreSQL Weekly News
The August 27, 2005 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL information and resources.
Libraries
Cairo 1.0 released
Version 1.0 of the Cairo 2D vector graphics library has been released. "While this release does mark the culmination of months or years of work by many people, it's more significant in marking what is yet to come. Cairo has just begun and we're excited to see where it will go from here. In this release, we have marked three backends as "supported" xlib, image, win32 and all other backends as "experimental" which as such, do not have part in the API guarantees of this release."
Web Site Development
Zope 3.1.0 RC 2 released!
Version 3.1.0 RC 2 of the Zope web development platform is available. "It is in our opinion that Zope 3.1 is more than ready for production use, which is why we decided to drop the 'X' for experimental from the name. We will also continue to work on making the transition between Zope 2 and Zope 3 as smooth as possible."
Desktop Applications
Audio Applications
JackMix 0.1.0 released
Version 0.1.0 of JackMix, a mixing application for the Jack Audio Connection Kit, has been released. "This new release includes a dir where I did some first tests with OSC, which I plan to use for communication between the mixer-server and the gui(s). Until now its just a lib and two test-apps in that dir."
Snd-ls V0.9.5.3 and Mammut V0.21
Version 0.9.5.3 of Snd-ls, a distribution of the sound editor Snd is out with performance improvements and bug fixes. Also, Version 0.21 of Mammut, an audio FFT package, has been announced.
Business Applications
Using Drools in Your Enterprise Java Application (O'ReillyNet)
Paul Browne discusses Drools on O'Reilly. "Enterprise Java developers have many fine framework choices at the presentation and persistence levels, but what about the business logic that sits in the middle? Do you want to recompile a mass of if ... then spaghetti code every time a manager drops a new gotcha in your lap? In this article, Paul Browne suggests that a rule engine like Drools may be an ideal fit for this task."
Tina POS 0.0.9 released (SourceForge)
Version 0.0.9 of Tina POS, a point of sale application for systems with touch screens, has been announced. "This version adds major changes to Tina POS like inventory management, refunds, new taxes management and more."
Zope3 / ERP Project Launched
The Zope3/ERP Project (enterprise resource planning) has been launched. "The goal of the project is to leverage the Zope3 platform and build an ERP solution based on ERP5 technologies with the capability of handling more than 1,000 concurrent users or 1,000,000,000 business records and compete with the famous proprietary ERP solutions. The project has been discussed with ERP5 developers and customers in Africa, Americas, Asia and Europe for now one year. Initial high performance experimentations have been conducted with success and give us the confidence that this goal can be reached."
Desktop Environments
GNOME 2.12 RC Public Testing Release
Public Testing Release 2.12 RC of GNOME has been announced. "Also known as 2.11.92, GNOME 2.11 RC is the release candidate intended for wide public scrutiny before the final release in September. It is packed full of tasty GNOME goodness, so if you're itching to find out what we've been doing, and can't wait to finish building it, take a look at Davyd's Prerelease Tour of this release".
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Alexandria 0.6.0 (new features, bug fixes, and translation work)
- Epiphany 1.7.6 (new features and bug fixes)
- Evince 0.4.0 (bug fixes)
- Evolution 2.3.8 (bug fixes and translation work)
- Eye of GNOME 2.11.92 (bug fixes and translation work)
- GARNOME 2.11.92 (GNOME 2.11.92 update, bug fixes)
- gedit 2.11.93 (bug fixes and translation work)
- GNOME-Applets 2.11.92 (new features, bug fixes, and translation work)
- GTK+ 2.8.3 (bug fixes)
- gyrus 0.3.4 (new features, bug fixes, and translation work)
- librsvg 2.11 (performance improvements, bug fixes)
- librsvg 2.11.1 (bug fixes)
- libxml++ 2.11.0 (bug fixes)
- Nautilus-actions 0.3 (initial release)
- PyGTK 2.7.4 (new features and bug fixes)
- Revelation 0.4.5 (new features and bug fixes)
- Sound Juicer 2.11.92 (new features)
- Teatime 2.6.0 (code improvements, bug fixes)
- Zenity 2.11.92 (documentation and translation work)
- Buldozer, Echelon applet, and Griffith (new releases)
KDE Software Announcements
The following new KDE software has been announced this week:
- Kalva 0.7.95 (new features and bug fixes)
KDE Commit Digest (KDE.News)
The August 28, 2005 edition of the KDE Commit-Digest has been announced. Here's the content summary: "KTuberling gets Serbian sounds. Configuring backgrounds per display in Xinerama implemented. SoC projects progress. Speech Recognition (for hot-keys) merges into KDE 3.5. Webcam support for msn in Kopete. Kate adds syntax highlight support for /etc/fstab, /etc/mtab files... Rejoice!"
Electronics
gEDA/gaf 20050820 snapshot
A new snapshot of gEDA/gaf (gschem and friends), a suite of electronic simulation and CAD tools, is out with bug fixes and more. See the release notes for details.
Icarus Verilog Snapshot 20050829
Snapshot 20050829 of the Icarus Verilog electronic simulation language compiler has been announced. "Wake up everybody, I really *am* doing lots of work on Icarus Verilog. Here comes another snapshot with lots of new stuff for the development branch."
kicad 2005-08-29 released
Release 2005-08-29 of kicad, an electronic schematic/PCB system, is available with bug fixes and other enhancements.
Games
Hexen2: Hammer of Thyrion 1.3.0 released (SourceForge)
Version 1.3.0 of Hexen2: Hammer of Thyrion, a first-person shooter game, has been announced. "Hammer of Thyrion is a port of Raven's class based first person shooter Hexen2 source code and is based on the original Linux Hexen II project, Anvil of Thyrion. HoT includes many bugfixes, improved sound and video".
TORCS version 1.2.4 released (SourceForge)
Version 1.2.4 of TORCS, The Open Racing Car Simulator, has been announced. "The 1.2.4 release highlights are reworked tracks and cars, updated sound and added OpenAL support, more clever and new opponents, support for texture compression and downscaling, heavily improved collision detection and response, a Windows debug project, lots of little improvements and bug fixes, and an updated track editor."
GUI Packages
PyQt 3.15 released
Version 3.15 of PyQt, a Python interface to the Qt GUI toolkit, is out. "All classes now support Python's cyclic garbage collector. Utility functions have been added to QAxBase to ease integration with win32com on Windows. Automatic type conversion has been improved using available real-time type information."
Interoperability
Wine Traffic
The August 26, 2005 edition of Wine Traffic is available. Topics include: Theming Support, Authentication & ntlm_auth, Safedisc Update, WineHQ Downtime, Non-continuable Exceptions, Sharing IDL Generated Headers and Google Talk.
Music Applications
Freecycle 0.5 alpha has been released
Version 0.5 alpha of Freecycle, a beat slicer that provides amplitude and frequency domain beat matching, is out. "Lot of new features in this release, among which a fully functional midi subsystem, allowing the assignment of midi notes to locked beatlines and realtime playing of midi note events. Freecycle now supports drag n'drop from/to or within Freecycle. Moreover, it allows the drag n'dropped waves to be stacked and assigned to a scene."
Patchage 0.2.2 Released
Version 0.2.2 of Patchage, a modular patch bay for Jack audio and Alsa MIDI, is out with bug fixes.
Office Applications
Gnumeric 1.5.5 Released (GnomeDesktop)
Version 1.5.5 of the Gnumeric spreadsheet has been announced. "This release repairs the long-broken solver and fixes a couple of problems with the sheet management dialog."
Office Suites
The second OpenOffice.org 2.0 beta
The OpenOffice.org project has released a new beta of the upcoming 2.0 release. This is a good chance for those interested in the 2.0 release (which is full of new features) to help shake out the last bugs.
OpenOffice.org Newsletter
The OpenOffice.org newsletter for August is out. It looks at the beta 2 announcement, the upcoming OpenOffice.org conference, and more.
Peer to Peer
Distributing Content with BitTorrent (O'Reilly)
Robert Bernier discusses the publishing of content using BitTorrent on O'Reilly. "BitTorrent has three distinct components: the client, the web server, and the tracker. The client is the person/machine that downloads the content. The web server provides a link to a file called a torrent. The torrent is a specially created file that describes the shared file and the location of the tracker. This third component is a service that waits for a connection from a client. It sits on a user-assigned socket that can be either on the same machine as the web server or at another location. The tracker not only supervises the sharing of the content between multiple clients, but also logs all downloading activities. The tracker can manage many files at the same time from many different torrents on many different web servers."
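The torrent file the article describes is "bencoded": a small, self-delimiting encoding of integers, byte strings, lists and dictionaries that also carries the tracker's location and the per-piece hashes a client verifies downloads against. The following Python is an added example, not code from the O'Reilly article or from any BitTorrent implementation: a strict bencode decoder and encoder, plus a function that pulls the tracker URL and the info hash out of a single-file torrent. The sample torrent is constructed inline, and the function and field names are chosen here. The info hash is what a client presents to the tracker to identify the content, so it is computed over the info dictionary's bytes exactly as they appear in the file rather than over a re-encoding, which would differ for a non-canonical file.

```python
import hashlib


def _parse(data, i):
    """Parse one bencoded value starting at offset i; return (value, end)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        text = data[i + 1:end]
        digits = text[1:] if text[:1] == b"-" else text
        if (not digits.isdigit() or text == b"-0"
                or (digits != b"0" and digits.startswith(b"0"))):
            raise ValueError("malformed integer at offset %d" % i)
        return int(text), end + 1
    if c == b"l":                                  # list: l<value>...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _parse(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                  # dict: d<key><value>...e
        result, i, last = {}, i + 1, None
        while data[i:i + 1] != b"e":
            key, i = _parse(data, i)
            # Keys must be byte strings in strictly ascending order; that is
            # what makes the encoding canonical and the info hash well defined.
            if not isinstance(key, bytes) or (last is not None and key <= last):
                raise ValueError("dict keys must be sorted byte strings")
            result[key], i = _parse(data, i)
            last = key
        return result, i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string runs past end of input")
        return data[start:start + length], start + length
    raise ValueError("unexpected byte %r at offset %d" % (c, i))


def bdecode(data):
    """Decode a complete bencoded document; trailing bytes are an error."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("%d trailing bytes after value" % (len(data) - end))
    return value


def bencode(value):
    """Canonical encoder: dict keys are emitted in sorted order."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k])
                               for k in sorted(value)) + b"e"
    raise TypeError("cannot bencode %r" % type(value))


def is_well_formed(data):
    try:
        bdecode(data)
        return True
    except ValueError:
        return False


def info_span(raw):
    """Return [start, end) of the raw bytes of the top-level 'info' value."""
    if raw[:1] != b"d":
        raise ValueError("torrent must be a dict")
    i = 1
    while raw[i:i + 1] != b"e":
        key, i = _parse(raw, i)
        start = i
        _, i = _parse(raw, i)
        if key == b"info":
            return start, i
    raise ValueError("no info dict")


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def torrent_summary(raw):
    """Tracker URL, content layout and info hash of a single-file torrent."""
    meta = bdecode(raw)
    info = meta[b"info"]
    if b"length" not in info:
        raise ValueError("only single-file torrents are handled here")
    start, end = info_span(raw)
    pieces = info[b"pieces"]
    if len(pieces) % 20:
        raise ValueError("pieces is not a multiple of 20 bytes")
    piece_count = len(pieces) // 20
    expected = -(-info[b"length"] // info[b"piece length"])  # ceiling division
    return {
        "announce": meta[b"announce"].decode("utf-8"),
        "name": info[b"name"].decode("utf-8"),
        "length": info[b"length"],
        "piece_length": info[b"piece length"],
        "pieces": piece_count,
        "pieces_consistent": piece_count == expected,
        "info_hash": sha1_hex(raw[start:end]),   # hashed as found in the file
    }


# Constructed sample (not a real torrent): 49252 bytes in 16 KiB pieces, so
# three full pieces plus a short fourth; the piece hashes are filler values.
SAMPLE_INFO = {
    b"name": b"example.iso",
    b"length": 3 * 16384 + 100,
    b"piece length": 16384,
    b"pieces": b"".join(hashlib.sha1(b"piece%d" % n).digest() for n in range(4)),
}
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.net:6969/announce",
    b"created by": b"constructed sample",
    b"info": SAMPLE_INFO,
})

if __name__ == "__main__":
    for key, value in torrent_summary(SAMPLE_TORRENT).items():
        print("%-18s %s" % (key, value))
```

The decoder is deliberately strict: leading zeros, "-0", unsorted or non-string dictionary keys, string lengths that run past the input and trailing bytes are all rejected. A tracker or client that is lax about any of these accepts two different byte sequences as the same metadata, which is exactly what an info hash is supposed to rule out.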
Science
GNU TeXmacs 1.0.5.7 released
Stable version 1.0.5.7 of GNU TeXmacs, a scientific text editor which was inspired by TeX and GNU Emacs, is available. See the project news for change information.
Video Applications
DVD converter 'videotrans-1.0.1' released (SourceForge)
Version 1.0.1 of videotrans has been announced. "Yesterday "videotrans-1.0.0" was released, which contained some installation problems. Videotrans-1.0.1 should fix these problems. videotrans is a set of scripts that allow its user to reformat existing movies into the VOB format that is used on DVDs."
Web Browsers
Mozilla Firefox and Minimo development schedules (MozillaZine)
MozillaZine covers the release schedule for Mozilla Firefox 1.5 Beta. "The Mozilla Developer News weblog has posted the schedule for Mozilla Firefox 1.5 Beta, with Firefox 1.5 Beta 1 scheduled for release on Thursday 8th September. In preparation for the release, the tree will be locked down at 11:59pm Pacific Daylight Time (UTC -0700) on Tuesday 6th September."
Also, see this article for information on the development path for the Minimo mobile browser.
Minutes of the mozilla.org Staff Meeting (MozillaZine)
The minutes from the August 15, 2005 mozilla.org Staff Meeting have been announced. "Issues discussed include Joi Ito, Mozilla Firefox 1.5 and Mozilla Thunderbird 1.5 branching, planning for Firefox 2.0 and Thunderbird 2.0, marketing and the Mozilla Foundation reorganization."
Minutes of the mozilla.org Staff Meeting (MozillaZine)
The minutes from the July 25, 2005 mozilla.org staff meeting have been announced. "Issues discussed include bugs in the Mozilla 1.7.11 release, Mozilla Firefox 1.5 planning, OSCON and the Mozilla Foundation reorganization."
Languages and Tools
Caml
Caml Weekly News
The August 23-30, 2005 Caml Weekly News is online with the latest Caml language articles.
Java
This week on harmony-dev
The August 21-27, 2005 edition of This week on harmony-dev is online with coverage of the developments to the Harmony open-source Java platform.
Lisp
SBCL 0.9.4 released
Version 0.9.4 of SBCL (Steel Bank Common Lisp) has been announced. "This version features major changes such as the Solaris x86 port, better heap management and performance enhancements on MIPS platforms, improved ANSI compliance, new documentation, and several bug fixes."
wxCL 1.1.0 Alpha released
Version 1.1.0 Alpha of wxCL, a Common LISP interface to the wxWidgets GUI library, is out with new features, bug fixes, and a license change.
Perl
This Week in Perl 6
The August 17-23, 2005 edition of This Week in Perl 6 is online with the latest Perl 6 development news.
Perl Needs Better Tools (O'Reilly)
Matisse Enzer ponders the future of Perl on O'Reilly. "Perl is in danger of becoming a fading language--new programmers are learning Java and Python in college, and companies like Google hardly use Perl at all. If you are afraid that Perl may be in danger of becoming irrelevant for medium-to-large projects, then read on."
Python
Dr. Dobb's Python-URL!
The August 30, 2005 edition of Dr. Dobb's Python-URL! is available with more new Python article links.
python-dev Summary
This week's python-dev Summary covers the python-dev mailing list traffic for August 1-15, 2005.
IMDbPY 2.1 released (SourceForge)
Version 2.1 of IMDbPY has been released. "IMDbPY is a Python package useful to retrieve and manage the data of the IMDb movie database. With this release you can transfer the whole content of the plain text data files (distributed by IMDb) into a SQL database. A lot of bugs were fixed, and the 'http' data access system retrieves some new information."
Ruby
Ruby Weekly News
The August 28th, 2005 edition of the Ruby Weekly News summarizes the latest discussions on the ruby-talk mailing list.
Tcl/Tk
Dr. Dobb's Tcl-URL!
The August 24, 2005 edition of Dr. Dobb's Tcl-URL! is online with the latest Tcl/Tk news and resources.
Build Tools
cruisecontrol 2.3 released
Version 2.3 of cruisecontrol is out with bug fixes and other improvements. "CruiseControl is a framework for a continuous build process. It includes, but is not limited to, plugins for email notification, Ant, maven, and various source control tools. A web interface is provided to view the details of the current and previous builds."
Debuggers
Valgrind 3.0.1 (for x86 and amd64) is available
Version 3.0.1 of Valgrind, a suite of simulation based debugging and profiling tools, is out. "3.0.1 fixes a bunch of bugs reported in 3.0.0. There is no new functionality. Some of the fixed bugs are critical, so if you use or distribute 3.0.0, an upgrade to 3.0.1 is recommended."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
What Is the X Window System (O'ReillyNet)
O'ReillyNet examines the X Window System. "One reason X has had such staying power is that from the beginning it incorporated many of the windowing capabilities that we now take for granted. These capabilities include network transparency, graphical capability, the use of a mouse, and the ability to link together a heterogeneous network of workstations from different vendors."
Users: OSDL right to reject Windows/Linux TCO study (SearchEnterpriseLinux.com)
SearchEnterpriseLinux.com looks at flaws in Windows/Linux total cost of ownership (TCO) comparisons. "Pavlicek suggested that a study conducted by Microsoft will tend to focus on a short time frame, usually around three years. By doing this, it can emphasize the cost of migration and associated training costs while at the same time claiming zero cost for staying with Windows. The problem with this approach, in Pavlicek's opinion, is that it ignores a fundamental component of the software industry: change is constant and unavoidable."
Trade Shows and Conferences
aKademy 2005 (KDE.News)
KDE.News covers aKademy 2005 which was held in Málaga, Spain, August 27 to 28. Here's the kick off article and the conclusion.
Companies
Something fishy's going on (News.com)
Bruce Schneier has an article on News.com looking at a document, published by the Trusted Computing Group, on how systems with a Trusted Platform Module should be implemented. He likes that the document emphasizes the security applications, and directs implementers away from coercive implementations or those which hinder interoperability. "But there's something fishy going on. Microsoft is doing its best to stall the document, and to ensure that it doesn't apply to Vista (formerly known as Longhorn), Microsoft's next-generation operating system." (See this LWN article for background on TPM chips and how they will be supported under Linux).
Linux Adoption
French Agriculture Ministry Migrates to Linux/Samba
The Samba project covers the French agricultural ministry's migration of 500 NT servers to a Linux and Samba environment. "Samba is handling the file and print server duties in the Mandriva setup. The article offers some insight into the French Agriculture Ministry's migration concerns and how Mandriva tried to address those concerns."
Legal
Studios mine P2P logs to sue swappers (News.com)
News.com reports that Hollywood studios launched lawsuits against file swappers based on records found in peer-to-peer log files. "The Motion Picture Association of America said it filed 286 lawsuits against people around the United States based on information acquired from file-trading sites shut down earlier in the year. Most of those sites were hubs connecting people using the BitTorrent technology, a peer-to-peer application designed for speeding downloads of large files."
Interviews
An Interview with David Heinemeier Hansson (O'ReillyNet)
O'ReillyNet interviews David Heinemeier Hansson, the developer of Ruby on Rails. "Rails is opinionated software. It eschews placing the old ideals of software in a primary position. One of those ideals is flexibility: the notion that we should try to accommodate as many approaches as possible, that we shouldn't pass judgment on one form of development over another. Well, Rails does, and I believe that's why it works."
People Behind KDE: Kevin Ottens (KDE.News)
KDE.News points to this People Behind KDE interview with Kévin Ottens. "I'm working on most of the newer ioslaves in KDE, namely : system:/, media:/, remote:/, and trash:/ (only helped a bit). I've developed their kicker applets counterparts. Moreover, I'm planning to be involved into Plasma, even if I'm not really active currently. And finally, I try to help with Tenor on the academic side, digging for relevant academic references."
An Exclusive Interview with Scott Shreeve, Medsphere Co-Founder and Chief Medical Officer (HIStalk)
HIStalk talks with Scott Shreeve about Medsphere. "Linux was starting to take off and we were looking at this massive application that had been highly successful in the VA's closed environment. We saw many of the successes that Linux was having. This could be the hospital's OS. We felt there was a market opportunity for a cost-effective, proven system that could be used by hospitals that couldn't afford commercial products." (Found on LinuxMedNews)
Michal Zalewski on the Wire (O'ReillyNet)
O'ReillyNet talks with Michal Zalewski about his new book Silence on the Wire and other topics. "MZ: Who should read it? Well--if you just want to get a solid grasp of the basics, this book is not for you, at least not to accomplish this task. If you are a seasoned computer user or a developer, and want to learn to see the technology in a different way, I believe you should give SotW a try. If you are an infosec professional and want to learn more about the technology, and rediscover the fascinating world of computer mechanics, I hope you'd enjoy SotW, too."
Resources
Building a Call Center with LTSP and Soft Phones (Linux Journal)
Michael George shows how to assemble a Linux-based phone system on Linux Journal. "Need to equip an office with terminals and phones, all on a small budget? With LTSP and KPhone, you can do it with only terminals, sound cards and headsets."
At the Sounding Edge: Dave's Distractions (Linux Journal)
Dave Phillips has been distracted by a few audio applications, on Linux Journal. "I confess that this is the latest distraction, but it's already got me avoiding other necessary tasks. D. Michael McIntyre has been writing The Rosegarden Companion for two years, and it's easy to tell that it's been a labor of love. The author's presentation style is informal and friendly, and he definitely is knowledgeable about his subject."
Five mistakes GNU/Linux neophytes make (Linux.com)
Linux.com has some advice for people new to Linux. "Everyone has an opinion on which GNU/Linux distribution you should start with, and most of them are inappropriate. GNU/Linux aficionados are often poor sources of distribution advice because they're too involved with advocating their favorite distro to consider new users' needs."
Reviews
Vim's newest features (Linux.com)
Linux.com takes a look at new features in Vim. "New features include multiple windows, syntax highlighting, multiple levels of undo, and color themes. All of these improvements are made possible by the use of vim plugins."
Miscellaneous
OSDL says no to Microsoft (ZDNet)
There has been some buzz about a meeting between Microsoft's Martin Taylor and OSDL's CEO Stuart Cohen at the recent Linux World Conference & Expo. Joe Brockmeier passes on what he found out from Stuart Cohen about that meeting in his ZDNet blog. "The eWeek report notes that OSDL had only confirmed discussing the idea with Taylor, but not a final response from OSDL. After reading the eWeek story, I couldn't think of any reason why OSDL should participate -- and, for some reason, kept thinking about the fable of the frog and scorpion -- but I was curious whether OSDL was giving it serious consideration."
Open opposition (China Daily)
China Daily covers an anti-Linux FUD campaign being run by the China Software Industry Association. "Sun Yufang, a Chinese scholar who has long been researching Linux software, says most Linux developers cannot make a living under the current business model. Most of these developers 'either have died or have focused on other businesses in past years,' Sun says."
Page editor: Forrest Cook
Announcements
Commercial announcements
Novell Reports Financial Results for Third Fiscal Quarter 2005
Novell, Inc. has announced its third quarter financial results. "Customers continue to embrace Novell's Linux and identity solutions," said Jack Messman, Chairman and CEO of Novell. "We were particularly pleased with our initial penetration of the Chinese market where Linux is an attractive technology for government and commercial users. Our increasingly customer-focused, go-to-market approach is leading to a stronger Novell as evidenced by our positive operating cash flow and growth in deferred revenue in the quarter. While we were profitable this quarter, we still have improvements to make in our business which will lead to cost reductions."
Novell To Acquire Joint Venture Partner in India
Novell has announced it has signed a definitive agreement to acquire the 50% stake held by its partner in Onward Novell, its sales and distribution arm in India. Novell will integrate the Onward Novell organization with the company's existing India operations, increasing Novell's investment in the region.
SGI to Install HPC Environment at Dresden Technical University
SGI has announced a contract to install a 1500 processor Altix System at Dresden University of Technology. "In two project phases to be completed within twelve months, a state-of-the-art, innovative and flexibly usable infrastructure with computational power of more than a dozen teraflops will be implemented. This will enable investigators in scientific areas such as physics, material sciences, engineering, bioinformatics and nanotechnology to find answers to new types of challenging problems."
TimeSys Introduces First Online Development Network for ``Roll-Your-Own'' Embedded Linux Developers
TimeSys Corporation has announced the availability of LinuxLink(TM) subscriptions for embedded developers creating their own custom Linux platform. LinuxLink subscriptions target many processor architectures from Freescale, Intel, MIPS and ARM, and deliver continuously updated streams of components, information and technology aggregated from leading semiconductor manufacturers, the open source community and TimeSys.
New Books
Pragmatic Bookshelf publishes Agile Web Development with Rails
Pragmatic Bookshelf has published the book Agile Web Development with Rails by Dave Thomas and David Heinemeier Hansson with Leon Breedt, Mike Clark, Thomas Fuchs, and Andreas Schwarz.
Geek Your Ride - O'Reilly's Latest Release
O'Reilly has published the book Car PC Hacks by Damien Stolarz.
Addison-Wesley publishes Moving to Linux
Addison-Wesley Professional has published the second edition of Moving to Linux: Kiss the Blue Screen of Death Goodbye by Marcel Gagne.
Resources
New Hugin tutorials (GnomeDesktop)
GnomeDesktop.org mentions the availability of tutorials on Hugin, a Panorama Tools GUI front-end. Tutorials include Creating linear panoramas with Hugin and Perspective correction.
An Illustrated Guide to IPSec
For everybody who has wondered how the IPSec protocols work: Steve Friedl has put together a guide to IPSec, complete with a great many illustrations. It is a good starting place to learn about what is happening at the IP level when IPSec is used.
Linux-Mobile-Guide
Issue 3.17 of the Linux-Mobile-Guide is available. "This guide covers laptop, notebook, PDA and mobile (cell) phone related Linux features, such as installation methods (via network interface, without CD/DVD drive, etc.), hardware features (PCMCIA, IrDA, BlueTooth, APM, ACPI, etc.) and configurations for different environments."
Netgear WGPS606 Printer Configuration Mini HowTo
The CUPS project has produced a mini HOWTO on connecting a Netgear WGPS606 wireless print server to a Linux system.
Xen tutorial released
Julien Danjou has written a tutorial on running Xen under Debian.
Contests and Awards
First KDE Appreciation Awards Announced (KDE.News)
KDE.News reports on the winners of the KDE Appreciation Awards. "The awards are for best application, best contribution to KDE and the Jury's Choice Award. The jury consisted of the well-known KDE hackers Aaron Seigo, Brad Hards, David Faure and Matthias Ettrich. If you want to know who the winners are, read on!"
TuxMobil GNU/Linux Award 2005 granted
The Free Software Foundation Europe (FSFE) has announced the winners of the TuxMobil GNU/Linux Award 2005. "The TuxMobil GNU/Linux Award 2005 has been granted to OpenEmbedded, OpenZaurus, PI-Sync, KWlanInfo and BlueZ."
Upcoming Events
GNOME Summit 2005 announced
The GNOME Summit will be held on October 8-10, 2005 at the MIT Stata Center in Cambridge, Mass.
Linux Audio Conference 2006
The 2006 Linux Audio Conference (LAC2006) will be held in Karlsruhe, Germany on April 27-30, 2006.
Linux demo on Software Freedom Day, September 10th
The Linux Users' Group of Davis will hold a Linux and open-source software demonstration in Davis, CA on September 10, 2005.
OpenOffice.org Conference 2005 registration opens
Registration is now open for the OpenOffice.org Conference 2005. The event will take place on September 29 and 30, 2005 in Koper-Capodistria, Slovenia.
Call for Participation: UKUUG Spring Conference 2006
A Call for Participation has gone out for the UKUUG Spring Conference 2006. The event takes place in Durham, UK on March 22 and 23, 2006; abstracts are due by December 23, 2005.
Events: September 1 - October 27, 2005
Date | Event | Location |
---|---|---|
September 1 - 4, 2005 | aKademy 2005 | University of Málaga, Málaga, Spain |
September 1 - 2, 2005 | Symposium on Security for Asia Network (SyScAN'05) | The Dusit Thani Hotel, Bangkok, Thailand |
September 1 - 2, 2005 | YAPC::EU::2005 | University of Minho, Braga, Portugal |
September 1 - 4, 2005 | GOTO10 ASP digital sound workshop | Rotterdam, the Netherlands |
September 5 - 9, 2005 | International Computer Music Conference (ICMC 2005) | Barcelona, Spain |
September 12 - 15, 2005 | Embedded Systems Conference | Hynes Convention Center, Boston, Mass. |
September 14 - 16, 2005 | php\|works | Holiday Inn Yorkdale, Toronto, Canada |
September 16 - 18, 2005 | ToorCon 7 | San Diego Convention Center, San Diego, CA |
September 17 - 18, 2005 | Freedel | New Delhi, India |
September 19 - 21, 2005 | Plone Conference 2005 | Semper Depot, Lehargasse, Vienna, Austria |
September 20 - 23, 2005 | New Security Paradigms Workshop (NSPW) | UCLA Conference Center, Lake Arrowhead, California |
September 23 - 24, 2005 | Sixth Symposium on Trends in Functional Programming (TFP 2005) | Tallinn, Estonia |
September 26 - 29, 2005 | Hack in the Box Security Conference (HITBSecConf2005) | Kuala Lumpur, Malaysia |
September 26 - 30, 2005 | IEEE International Conference on Cluster Computing (Cluster 2005) | Boston, Massachusetts |
September 28 - 30, 2005 | OpenOffice.org Conference 2005 (OO.oCon) | Koper (Capodistria), Slovenia |
September 30 - October 2, 2005 | Linucon | Austin, Texas |
October 1, 2005 | Ohio LinuxFest 2005 | Columbus, OH |
October 2 - 5, 2005 | Gelato October 2005 Meeting for Linux on Itanium | Porto Alegre, Brazil |
October 5 - 6, 2005 | LinuxWorld London | Olympia, London, UK |
October 6, 2005 | Fedora Users and Developers Conference (FUDCon London) | LinuxWorld Conference and Expo UK, London, UK |
October 7 - 9, 2005 | Indie Games Con 2005 (IGC) | Eugene, Oregon |
October 8 - 10, 2005 | GNOME Boston Summit | Gates Building, Cambridge, MA |
October 8, 2005 | LinuxForum BOF-dag | Denmark |
October 12 - 13, 2005 | IT Underground (ITU) | Warsaw, Poland |
October 13 - 14, 2005 | Open Source Desktop Workshops | San Diego, CA |
October 14 - 15, 2005 | HackLu 2005 | Chambre des Metiers, Kirchberg, Luxembourg |
October 14 - 16, 2005 | Blender Conference 2005 | De Waag, Amsterdam, the Netherlands |
October 16 - 23, 2005 | piksel05 | Bergen, Norway |
October 17 - 20, 2005 | O'Reilly European Open Source Convention 2005 (EuroOSCON) | Amsterdam, The Netherlands |
October 18 - 21, 2005 | Zend/PHP Conference and Expo 2005 | Hyatt Regency SF Airport Hotel, Burlingame, CA |
October 18, 2005 | Dynamic Languages Symposium 2005 (DLS05) | San Diego, CA |
October 19 - 21, 2005 | Australian Unix Users Group Conference 2005 (AUUG) | Sydney, Australia |
October 24 - 28, 2005 | 12th Annual Tcl/Tk Conference | Red Lion Hotel, Portland, Oregon |
Event Reports
aKademy Developers Conference Prepares for KDE 4 (KDE.News)
KDE.News presents a report from the 2005 KDE aKademy conference. "The 2005 KDE aKademy continued today with the opening of the developer conference: two days of talks describing upcoming KDE technologies, giving programming tips and, of course, plenty of informal hacking and discussion sessions between the developers. Today's talks included the keynote from Trolltech, a new multithreading scheduler library, meta-programming revisited and how to boot to KDE in 10 seconds."
Audio and Video programs
LQ Radio Interview with Doc Searls
LinuxQuestions.org has announced a new radio interview with Linux Journal's Doc Searls. "We discuss a variety of topics including recent OSCON and LinuxWorld trips, Cluetrain, Google, splogs, RSS, Linux Trademarks and more."
Page editor: Forrest Cook
Letters to the editor
Article on TOE
From: "Wael Noureddine" <wael-AT-chelsio.com>
To: "Jonathan Corbet" <corbet-AT-lwn.net>
Subject: Re: Article on TOE
Date: Wed, 31 Aug 2005 10:10:18 -0700
Hi Jonathan,
We found your article on "Linux and TCP Offload Engines" very
interesting. The article discussed the submitted Chelsio TOE patch and
compiled a list of the objections raised by the stack maintainers. We
hope to be given the opportunity to provide some information regarding
the patch, and to clarify some of the points made.
As you have noted, the patch itself is really minimal. All in all, a
dozen or so lines of actual code will be needed for 2.6.14 to provide
generic, vendor-independent support for TOE. In any case, we have
resources committed to handling any future maintenance work. Therefore,
this should prove of very little impact on the maintenance of the stack.
The maintainers' apprehension regarding TOE in the Linux stack is well
known and shows up in the list of objections. Before we answer these
objections listed in last week's article, it is important to stress the
following points:
1) In addition to full offload, a TOE provides all the functions of a
regular NIC, including checksum offload and LSO for non-offloaded
traffic. A TOE can be operated as a NIC without any changes.
2) Today, you can buy a 10 Gbps TOE at virtually no price premium
compared to a 10 Gbps NIC. You're basically getting the additional
features for free.
3) Adding TOE support in the stack does not bypass the software stack.
It only gives the possibility to enable additional functionality if need
be. TOE is a performance enhancement which should be available to users
who need it.
Now, to the objections:
* The maintenance issue has been mentioned above, and looking at the
patch itself should address any concerns in that area. Questions,
comments or suggestion regarding it are more than welcome and
appreciated. If there is anything that can be done to further improve
this aspect let us know.
* Netfilter support is really not shorted out, and connection acceptance
can still be subjected to regular checking. Also, keep in mind that a
TOE is there to speed up some connections which require it, the rest of
the traffic is still fully processed in the software stack.
* Traffic rate control at 10 Gbps speeds is really not practical in
software today. Without arguing if and when that would be possible,
today the Chelsio TOE provide rate control in hardware, so no
functionality is lost in that regard. Clearly, this will depend on
different vendors' implementations, but this is all about choice.
* The security and patching issue is dependent on the vendor approaches
and their handling of flaws. However, given that a TOE can be disabled
at any time, one can fully rely on the software stack, while awaiting a
fix. There is no impact compared to regular NICs, besides the
performance loss.
* TOE performance has been questioned in the past, and perhaps rightly
so. However, it appears that this has changed recently. The Chelsio TOE
holds the Internet 2 Land Speed Record (7.5Gbps over 33,000Km), where
it maxed out the PCI-X bus and the distance required, with 1,500 byte
frames. This is just one indication, other independent tests by the Los
Alamos Lab and OSU showed for example that TOE provides about twice the
throughput at half the CPU utilization of a regular NIC for data transfers,
and 60% to 1000% improvement in Web server capacity (see
http://www.chelsio.com/technology/HotInterconnect_2005.pdf). These
improvements were obtained without fully utilizing the TOE capability,
such as zero copy.
* It is clear that no one would want to design a 100Mbps TOE today, but
it is also a question whether anyone still has an original 100Mbps
adapter from 1993 in their current system. Technology advances will
obsolete everything we're building now, and in that regard the TOE is no
different from a regular NIC. Assuming you still have the 100Mbps TOE
you bought 10 years ago, you could just disable the offload and use it
as a NIC.
* It is important to stress that the TOE patent issue is being taken out
of context when it comes to full offload. The patents in question are
for the partial offload approach which has been taken by Microsoft. Full
offload is not, and cannot be patented as legal studies have determined.
* Stateless offload is an option which may work out for some
applications and users. However, the performance gap is still
considerable. Adding CPUs or waiting for CPUs to get faster are
suggestions which ignore the cost part of the equation. It is best to
leave such considerations to the users, who have to optimize their cost
performance measure.
* TOE opponents rely on the observation that CPU speeds tend to catch up
with network speeds, obviating the need for TOE. However, the very fact
that TOE is brought up recurrently and ever more pressingly indicates
that this gap is periodic, and it is getting more serious every time.
Today, the performance gap is being filled with exotic inter-connects,
such as InfiniBand, while TCP/IP over Ethernet lags in performance.
Dismissing this market as niche and insignificant would be ignoring the
market realities. As shown in recent studies, such as
http://www.chelsio.com/technology/Cluster_2005_Techical_R...,
a TOE makes TCP/IP over Ethernet again a competitive
technology.
It is important to mention that there are many unacknowledged benefits
to performing TCP processing in hardware, including microsecond
granularity retransmission and rate control, and receive data
re-assembly offload. These capability turn out to be very useful when
operating the latest low latency 10 Gbps Ethernet switches-on-a-chip,
which tend to have limited buffering resources and may consequently drop
packets. In addition, a TOE can handle essential TCP features, such as
timestamps, which are usually turned OFF due to their high processing
requirements at 10 Gbps. In addition, a TOE will most likely be required
to enable other technologies such as iSCSI, which is expected to gain
widespread use as a storage networking protocol.
TOE's performance has been independently demonstrated by end users, and
the technology can be integrated into Linux with relatively little
effort compared to other options being considered. There are no real
technical reasons for denying TCP offload its place as a useful option,
which users who require high performance should have today. It is our
hope that other reasons can be addressed to the satisfaction of
everyone, and the benefit of the users of TCP/IP over Ethernet
Free Software And Trademarks
From: Gervase Markham <gerv-AT-mozilla.org>
To: letters-AT-lwn.net
Subject: Free Software And Trademarks
Date: Wed, 31 Aug 2005 22:53:23 +0100
Sir,
Unfortunately, I went on holiday soon after John Morris' letter on
Trademarks and F/OSS was published in August 18th's LWN, and did not
have a chance to reply immediately. But, as the Mozilla Foundation's
management of the Firefox trademark has been the catalyst for many
recent discussions on the topic, and I am their first point of contact
for trademark issues, I feel I should respond.
Before I begin, I should correct the thesis of the opening paragraph,
which seems rather to underly a lot of what follows. The Foundation did
not establish a wholly-owned subsidiary Corporation to "make themselves
compatible with the rest of the corporate world", no matter what ZDNet
may think. We did it chiefly because there are rules in the USA about
the sources of income for a tax-exempt entity which we were not able to
meet with our current mixture of income sources.
In my view, the general idea of trademarks - that you can label a
product with a name or icon which represents a level of quality in the
mind of the public - is entirely compatible with the principles of Free
Software. Just as some free software licences require appropriate credit
to be given to authors, so it should also be possible to require that
distinguishing marks be removed (assuming that functionality would not
be affected thereby) if the author thinks that a derivative product does
not reflect well on their original efforts.
However, as has been pointed out many times, the way trademark law is
structured makes it a challenge to maintain one's trademark without
inconveniencing, even if just a little, those who wish to use it. This
is unfortunate, but I don't think it's insurmountable if one is careful.
Firefox has an almost uniquely strong (among free software projects)
need for a solid trademark, due to a combination of factors:
- Firefox is by far the most-used piece of consumer free software on the
planet;
- Firefox is extremely popular on Windows, and among people I describe
as those for whom "computing is not their main focus in life";
- Firefox's brand is very well known and respected;
- Firefox is used for financial transactions.
These points together mean that there is a great deal of unscrupulous
interest in our product and brand. Without a strong trademark a
nefarious person could, for example, modify Firefox to send them any
login details for a long list of banks, put up a build and buy Google
Ads saying "Official Firefox Download Site!". As the code is Free, the
only way to prevent such a scenario is to use trademark law - we can't
stop them doing a trojaned build, but we can stop them putting our good
name on it.
The interaction of trademarks with free software in such a high profile
way is a new thing. We are still trying to work out how to manage the
Firefox trademark in a way which protects our nearly 100,000,000 users
and potential users from scenarios such as this one, but yet does not
unduly inconvenience people on the same side as us - our developers,
quality Linux distributions, OEMs, etc. I welcome any constructive input
as to how we can better achieve this without losing control of the mark.
Gerv
The dismal state of proprietary corporate security
From: Alex Fernandez <alejandrofer-AT-gmail.com>
To: letters-AT-lwn.net
Subject: The dismal state of proprietary corporate security
Date: Tue, 30 Aug 2005 21:12:00 +0200
Dear editor,
As free software speeds along, more and more happy users live in a
world without proprietary offerings. Sheltered from serious security
problems, using libre-and-gratis software which also happens to be
more reliable, and in charge of their own machines; they tend to
misunderstand what is happening on the other side of the fence. This
letter is an attempt to let them peek within, but without feeling the
actual pain.
First, a disclaimer. I live in Spain, not the world center of
information technologies but probably closer to the third world of
computing. I have however worked for large multinationals, and on
occasion with some European partners and research facilities. My
impressions are based on first-hand experience, and may therefore be
biased by my own career. Your mileage may (and hopefully will) vary.
Now, what is happening on proprietary corporate networks? 'Despair'
would be an understatement: given that the dominant operating system
family is so inherently insecure, corporate IT departments have mostly
quit trying to provide such extravagant facilities as private e-mail.
In the trade-off between privacy and security, privacy has all but
lost -- taking security down with it, of course.
I have experienced workplaces where private accounts do not exist;
instead, people log on to whatever computer they are assigned to,
using the machine id or e-mail handle as username and trivial
passwords. It is against policy to change these passwords. User
documents do not of course travel with the user, but have to be
carried painfully since folder sharing is not allowed and USB ports
are disabled. Administrative rights for the computer are never granted
by the IT department (the old "systems and networks"); their staff has
acknowledged that it is too labor-intensive to administer the network
in any sensible way, so they just replace hardware and format hard
drives. By the way, IT staff erect like a natural barrier for any
sensible request like installing software required for work. It is not
easy to work this way, having no control of your own computer; luckily
hacks are available that grant full administrative rights to any
machine, at which point you are on your own.
Mind you, this is in companies specialized in software development.
Where any source code control exists at all, seldom is it anything
beyond CVS. Usernames are again trivial as are passwords, so the
repository is usually wide open to anyone who happens to be on the
right side of the firewall. The only solution ever considered is to
switch to proprietary source code control systems. E-mail is similarly
unprotected; that is when you don't find random mail folders available
on network disks. By the way, certificates used for remote access to
the intranet are usually not accepted by common browsers and/or
expired, and therefore brittle.
As a last straw, network topologies are difficult to understand, with
egress filtering (a pet peeve of mine) the only reliable constant.
Those responsible for "peripheral defenses" have not yet understood
that limiting the destination port of outgoing connections usually
serves no good purpose; it is a giant leap they will never be ready to
make.
So, the corporate response to the invasion of malware and security
holes has been to give up. No security for anyone means that security
cannot be breached; any problem will be handled as a matter of policy.
Next time you see Microsoft's (or for that matter anyone else's)
claims to a secure operating system, try to view them as
tranquilizers, to be shot intravenously for IT managers who get the
fits every time they see a new intrusion; when they wake up, they will
start looking for a new software product to protect them or new
features to cut down on.
Thanks for your attention,
Alex Fernández.
Page editor: Jonathan Corbet