LWN.net Weekly Edition for January 30, 2003
SCOsource and Linux
Rumors have been circulating for a few weeks: SCO, it is said, has hired a fancy law firm and will be pursuing intellectual property claims against Linux users and distributors. The level of concern has dropped somewhat as the company has announced its short-term plans, which are relatively uncontroversial. The full picture remains cloudy at best, however; SCO's intellectual property push could yet present the Linux community with its first serious legal difficulties.
For the moment, SCO's plans can be seen in this
press release from LinuxWorld. A new division (called "SCOsource") has
been created for the express purpose of expanding the licensing of the
company's intellectual property, "including the core UNIX source
code.
"
For now, SCOsource only has one offering: the company's System V
libraries for Linux. These libraries allow users to run SCO Unix
applications under Linux; nobody has ever really confused them with free
software. SCO's desire to realize some revenue from use of this
proprietary product is not likely to upset that many people.
SCO seemingly does not intend to stop there, however; the company clearly believes that Linux (and other systems) may contain code or techniques which infringe upon its intellectual property. We asked Chris Sontag, Vice President of SCO's Operating Systems division, about this investigation and the uncertainty it creates in the Linux community; he responded:
So SCO thinks that the possibility of its intellectual property "residing"
with Linux is enough, at least, to justify the hiring of an expensive law
![[SCO Pedigree]](https://static.lwn.net/images/ns/sco-pedigree.jpg)
firm to check it out.
What sort of SCO property might be found within Linux? One possible issue, of course, is software patents; it is essentially impossible to know which patents might be infringed by any given body of code. Any patents that SCO might have picked up with its ownership of Unix are likely to be expired by now, but the SCO could have other patents up its sleeve. The patent threat is not new, of course, and SCO is far from the only company which could conceivably create patent problems for Linux.
The other possible source of trouble is SCO's ownership of the Unix System V code. That SCO takes a broad view of what it owns can be seen in the impressive "SCO Intellectual Property Pedigree" that it has posted; it is a complicated set of diagrams with lots of arrows showing how just about everything (including Linux, QNX, Mach, Minix, and more) derives from the initial Unix system. A tiny piece of this diagram appears on the right side of this page.
Linux, one would think, should not have copyright problems with regard to SCO's Unix code; it was, after all, reimplemented from the beginning. That should be true, as long as nobody who has contributed to any Linux application has borrowed from the Unix code base. Given the number of people and vast amount of code involved, it would not be entirely surprising if a bit of borrowed code showed up somewhere.
What will SCO do if it finds something? As might be expected, the company is not willing to say much:
In other words, anything could happen, though SCO would try to not upset too many people. But if SCO turns up something that, it thinks, could be turned into licensing revenue, the company is likely to pursue that path. SCO is not in the strongest financial position, currently, and could use a new revenue stream. Of course, most other Linux companies are not going to be a great source of cash for SCO at the moment. It might well be that SCO's real target - if there is a target in the end - could be somebody with deeper pockets. Apple or Sun, say.
Sooner or later, Linux is going to face a big intellectual property challenge. If it doesn't come from SCO, somebody else is certain to pick up the slack. Even if Linux and the companies working with it emerge victorious, this sort of challenge can only serve to create uncertainty and doubt around Linux and free software in general. It will be interesting to see how it all plays out.
Two new PDA platforms
[This article was contributed by LWN reader Joe 'Zonker' Brockmeier]
The long-fabled explosion of Linux-based PDAs may finally be right around the corner.A number of Linux-based PDA solutions have been announced, but only one has made it (so far) into mainstream retailers. The Sharp Zaurus has been out for some time now, though it hasn't made much of a dent in the handheld market. According to a report by Dataquest Palm-based devices account for 30.6 percent of the market, while Microsoft Pocket PC licensees account take up 28.8 percent of the market. Linux-based PDAs don't have an appreciable share of the market yet.
However, that might change now that AMD and IBM are getting in to the act. AMD (along with Metrowerks) and IBM both announced Linux-based PDA platforms this year at LinuxWorld Expo.
The AMD OpenPDA platform is aimed at PDAs and smart phones. The OpenPDA will run on an AMD Alchemy Solutions Au1100 processor, available at speeds of 333MHz, 400MHz and 500MHz. The The Au1100 is a system-on-a-chip (SOC) processor, and it includes the LCD controller, 10/100 Ethernet, USB device and host controller functions and is MIPS32 compatible.
On the software side, the OpenPDA includes an embedded Linux kernel, Trolltech's Qtopia interface, Insignia's Java Virtual Machine and the Opera Web browser. Qtopia is the same application environment used on Sharp's Zaurus handhelds. It includes the Hancomm Office suite, standard PIM and productivity applications like the to-do list, text editor and e-mail client. The Qtopia environment also includes a number of games like Asteroids, a media player, and an image viewer. The OpenPDA platform is scheduled to be released by Metrowerks by the end of the first quarter of this year. No devices based on the OpenPDA design have been announced yet.
IBM rolled out a reference design at LinuxWorld Expo based on a PowerPC 405LP embedded processor and MontaVista's Linux Consumer Electronics Edition (CEE). The IBM device, called the "embedded Linux application platform" or e-LAP, has support for speech and handwriting recognition, and is slated to include IBM's Websphere Micro Environment. IBM's design also makes use of Trolltech's Qtopia application environment, and Opera's Web browser. The e-LAP design shown at LinuxWorld Expo included 32 MB of SDRAM with 32 MB of flash memory, as well as a 64 MB DiskOnChip device. The 405LP has a range of 152 MHz to 380 MHz.
Users who want to get their hands on an IBM PDA running Linux will have to wait a bit, as volume production isn't expected to begin until the third quarter of this year. MontaVista's CEE is supposed to be available sometime in the first half of this year.
Obviously, Linux has quite a way to go before it catches up to the Palm OS or the Microsoft PocketPC in market share. Right now, the Linux PDA seems to be for early-adopters and Linux enthusiasts only. However, interest from major players like AMD and IBM is sure to bolster Linux's chances in this market.
The new LWN text ad system
LWN text ads are the small advertisements that appear in the left column of most pages on the site. They are, we hope, relatively unobtrusive (no bouncing, flashing animations), but, since they tend to be relevant to our readers' interests, they have response rates that are as good as banner ads. Text ads are a small but important part of LWN's revenue stream.Late last week, we transitioned over to a new version of the text ad system. The new code features some amazing innovations, such as being integrated into the rest of the LWN site. It is no longer necessary to create a separate account to place and manage text ads, and text ad transactions can be viewed along with the rest on the "My Account" page. The new system also allows advertisers to make more changes to ads as they are running. (Certain other desired new features, such as the ability to restrict ad delivery to specific countries, have been deferred for now).
What has not changed is the basic method by which text ads are sold. LWN uses a sort of auction system; each advertiser names his or her own price for each ad. At the beginning of each day, the available ad exposures are divided up between advertisements according to how much is being spent on each. The result is that we can accommodate small advertisers (the minimum is $5) while providing a large portion of the site to those who are willing to pay more.
See the text ad section of the LWN.net FAQ for more information on how the text ad system works. You can also head over to this page to see which advertisements are currently running on the site.
LWN text ads are a great way of supporting the site while simultaneously drawing attention to your company or some other cause that you support. They are, for example, ideal for drawing attention to a free software project that could use more users or developers. Please consider placing your ad today.
Security
Brief items
Cross-site tracing attacks
[This article was contributed by LWN reader Tom Owen]
Last week, this Extremetech article was the first press coverage of Whitehat Security's whitepaper on a new type of cross site scripting attack. Whitehat has called it "cross site tracing", or XST.Cross-site scripting (XSS) is a simple idea at heart: the attacker loads exploitative HTML, including a client-side script, into a web site, typically one which allows public submissions and which does not properly quote HTML tags. Any user of the site who reads the story loads the exploit into their browser. The script uses the client browser's rights to cause mischief -- typically to access information and send it to the attacker. Recent XSS vulnerability reports focus on exposing cookie contents -- perhaps including session and authentication details -- to the attacker. Browser domain restrictions are supposed to stop clients from sending cookie contents anywhere except back to the server that issued them, but it's hard to enforce this restriction if scripts are allowed to access those contents, and many browsers have faults which allow scripts to bypass domain restrictions.
Enter cross-site tracing, which is a new variety of XSS attack. It uses the TRACE command, which is an obscure part of the HTTP 1.1 protocol. It substitutes for GET, except that instead of replying to the request the server echoes it -- the TRACE string and the subsequent headers -- back to the client with a content type of message/http. It's intended as a debugging aid. Most web servers implement TRACE as part of the standard, and, as it's never been implicated in security problems, most sites leave it enabled.
In essence, Whitehat report that some browsers can be scripted to send TRACE requests and return the echoed headers to the script. The report lists Mozilla (using XMLDOM) and IE (using XMLHTTP) as vulnerable. HTTP headers seem like they would be innocous, but unfortunately they carry cookies and HTTP authorization strings to the server. With the aid of one of the available domain restriction breaches, these data can be taken from the trace and sent to the attacker.
Whitehat was obviously pleased with this discovery.
The
press
release
uses words like "pandemic" and refers to
"a serious security flaw affecting all web server[s] world
wide.
"
The whitepaper is more tempered, but it implies
that the TRACE method has a defect
which compromises every web server.
Opinion on Bugtraq (discussions here and here) and Slashdot ranges from "hyped, sensationalised snakeoil" to "a terrible security hole." The critics point out that there's no fault in TRACE, and client domain restriction breaches already offer scripted ways ways to read cookies. On the whole they seem to have won the argument as there's been little press coverage and no rebuttal from Whitehat. There have been some more positive responses noting that script access to the Authorization: header containing the HTTP Basic authentication is new and disturbing, and that client problems are sometimes best fixed at the server.
Nobody is claiming that TRACE is needed on a production server -- it's as vestigial as HELP in Sendmail SMTP. So, as it's certain that a server that can't do TRACE won't ever allow its clients to be subverted through it, removing it may be the way to go. The Apache Limit directive can't suppress TRACE, so Whitehat and Apacheweek both suggest using mod_rewrite to force a forbidden (403) error in Apache:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteEngine On needs to be repeated in every <VirtualHost> block. Experiment suggests that there's more to it than this, (no, I can't make it work ...) but it has to be easier than iPlanet/Netscape, which requires a binary edit.
Security consultants feel pressure to find and publicise security holes, and it's inevitable that some of them will be less serious than the spin suggests. The community's loud and direct quality control is necessary to keep the numbers within limits. However, even snake oil may have something to teach us, and at least one Apache admin will be spending a few hours this week figuring out just what secures the DELETE method.
A look at the MS-SQL worm
Recommended reading: this posting by Karsten Self on the MS-SQL (aka "Sapphire" or "Slammer") worm and why Linux users shouldn't be overly smug about this episode. "This means that the infected hosts were on the order of 1% of all potential hosts. That is, Microsoft users were attaining a 99% patch and/or secure rate of systems publicly visible to the worm. This is a pretty good compliance rate. It was also wholly inadequate in preventing this attack".
New vulnerabilities
dhcp3 - ignored counter boundary
| Package(s): | dhcp3 | CVE #(s): | CAN-2003-0039 | ||||||||||||||||
| Created: | January 28, 2003 | Updated: | April 5, 2003 | ||||||||||||||||
| Description: | Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.
When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s). This patch introduces a new commandline switch ``-c maxcount'' and people are advised to start the dhcp-relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets. The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
MySQL - double free vulnerability
| Package(s): | mysql | CVE #(s): | CAN-2003-0073 | ||||||||||||||||
| Created: | January 29, 2003 | Updated: | February 21, 2003 | ||||||||||||||||
| Description: | MySQL 3.23.55 fixes a double-free vulnerability which allows a hostile client to crash the server process. Logging into the server is necessary before this vulnerability can be exploited. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
noffle - buffer overflows
| Package(s): | noffle | CVE #(s): | CAN-2003-0037 | ||||
| Created: | January 27, 2003 | Updated: | January 29, 2003 | ||||
| Description: | Dan Jacobson noticed a problem in noffle, an offline news server, that leads to a segmentation fault. It is not yet clear whether this problem is exploitable. However, if it is, a remote attacker could trigger arbitrary code execution under the user that calls noffle, probably news. | ||||||
| Alerts: |
| ||||||
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current development kernel is still 2.5.59. Linus remains away from his keyboard.The current stable kernel is 2.4.20; Marcelo released the fourth 2.4.21 prepatch on January 29. It includes some MTD driver fixes, a couple of netfilter bug fixes, the new IPMI driver, fixes for the ethernet information leakage vulnerability, an x86-64 update, and various other fixes and updates.
The latest prepatch from Alan Cox is 2.4.21-pre3-ac5; it has a few new IDE changes and a small set of fixes.
Kernel development news
Anticipatory I/O scheduling
If an operating system is to perform well, it must get top performance out of its disk drives. The best use of disks is generally obtained by recognizing a couple of basic facts of life:
- Disk seeks are very slow. Overall transfer rates go up significantly
if requests can be ordered to minimize the number and distance of seek
operations.
- Write operations can (usually) happen whenever, but there is almost always a process waiting for the completion of a read. Prioritizing reads over writes will increase the parallelism and perceived responsiveness of a system.
Unfortunately, minimizing seeks and prioritizing reads can be somewhat contradictory goals. The way to keep seeks small and relatively rare is to maintain a sizeable backlog of requests; that way, nearby requests can be grouped and executed together. Getting the best performance on writes, in other words, requires delaying write operations for a period of time. If reads are to be handled quickly, however, they cannot be delayed and kept in the request queue in this way.
It is even worse than that, actually. A process which is writing a file can have several outstanding write requests at any given time, since that process usually does not care when any particular request is completed. Processes issuing reads, on the other hand, usually generate them one at a time. The next read operation will not be requested until the previous one completes. So, even if delaying read operations were an acceptible thing to do, accumulating a backlog of close read operations is an unlikely proposition.
The 2.4 kernel tends to mix reads in with the queue of write operations. Given the way things work (a read is not particularly likely to be close to an unrelated set of writes), reads tend to get put toward the end of the queue and executed slowly. That is one reason why 2.4 can be slow to respond when there is a lot of write activity going on.
In the 2.5 kernel, reads are not allowed to languish long before they are pushed to the head of the queue and executed. This change can improve performance significantly, but it still does not solve the whole problem. As Andrew Morton put it in the 2.5.59-mm5 patch set:
But in the common case, the application which submitted a read is about to go and submit another one, closeby on-disk to the first. So whoops, we have to seek back to service that one as well.
As a result, overall performance suffers, since the disk is spending too much time seeking.
2.5.59-mm5 contains a new "anticipatory I/O scheduler" by Nick Piggin which attempts to address this problem. The basic idea is simple: if the drive has just handled a read request, assume that there is another one coming behind it and simply wait for a little bit. In this case, the request queue is plugged, the I/O scheduler sets a timer, and no more requests are passed down to the drive for a millisecond or so. If a "close" request shows up during the wait time, it is serviced right away; the distance that the kernel considers "close" grows as time passes. Eventually the close requests will stop coming, or the kernel will decide that it's time to get around to some writes regardless; at that point normal request dispatching resumes.
Andrew reports a big improvement in performance (nearly a factor of six) over 2.5.59 for a simple test he was running. The code, it is said, still needs "quite some work," but it's a good start. 2.6 looks on track to be the most responsive Linux kernel yet.
Fast reader/writer locks
The Linux kernel contains a number of primitives for controlling mutual exclusion. Semaphores and spinlocks (in several varieties) have been around for a while, and the read-copy-update mechanism was added in the 2.5 series. Yet another mechanism, called "fast reader/writer locks," has found its way into Andrew Morton's -mm patch set, and appears likely to be forwarded on to Linus soon for inclusion. So this seems like as good a time as any to look at how "frlocks" work.Frlocks, as implemented by Stephen Hemminger, are aimed at solving a couple of problems with the gettimeofday() system call. One is simple performance; gettimeofday() is not particularly slow, but some applications (including anything using the X Window System) call it frequently. It also turns out that the current implementation, which uses reader/writer spinlocks, is susceptible to a denial of service problem. Frequent calls to gettimeofday() can delay or lock out timer tick updates.
The frlock patch works by not blocking readers or writers at all. Code wishing write access to the protected data structure is given that access immediately (at least, in the absence of other writers), so there is no way that time updates can be blocked or delayed. Readers, too, get immediate access to the data structure. The catch is that readers must be prepared to retry the access if collides with a writer for access to the data.
The lock works by maintaining "pre" and "post" sequence numbers. A writer process does the following:
- Take out a spinlock associated with the frlock
- Increment the "pre" sequence
- Mess around with the data structure
- Increment the "post" sequence
- Release the spinlock
Readers do something like the following:
- Remember the lock's "post" sequence number
- Grab the data of interest
- Ensure that the lock's "pre" sequence matches the remembered "post" sequence. If not, go back to the beginning.
In other words, as long as the sequence numbers match, the reader knows that no writer changed the data while the reader was doing its thing. In practice, the reader side tends to be expressed in code like:
do {
seq = fr_read_begin(&some_lock);
/* Copy the data */
} while (seq != fr_read_end(&some_lock));
Frlocks, clearly, will not be suitable for lengthy calculations, or those which have immediate side effects. In cases where a small data structure is changed infrequently but read often, however, frlocks may be the key to improved performance. In the introduction to the latest set of frlock patches, Stephen claims an 18% improvement in the speed of gettimeofday() - and the elimination of the timer tick lockout problem.
The return of modversions
Perhaps the biggest bit of unfinished work with the new kernel module loader is the module versioning support. Module versioning is an attempt to make binary loadable modules work with multiple kernel versions. It works by attaching a checksum to each exported kernel symbol; the checksum is calculated from the prototype or declaration of the symbol. As long as the checksums in a module match those in the running kernel, it is assumed that the module can be safely loaded. Kernel hackers tend not to use module versioning, which explains why it took so long to get this feature fixed. Production kernels shipped by distributors need this feature, however; otherwise it is essentially impossible for vendors to support binary-only modules.Kai Germaschewski has posted a modversions implementation which works with recent 2.5 kernels. The underlying idea is essentially the same as that found in previous implementations, but the implementation is entirely different.
The old scheme used the genksyms program to generate the checksums, and to create a bunch of include files (ending in .ver) which redefined the exported kernel names to include those checksums. The effect was to create a bunch of preprocessor definitions like:
#define printk printk_R1b7d4074
(The actual definitions were a little more complicated). Loadable modules would thus be built to call printk_R1b7d4074() instead of printk(). The names were stored in that form in the kernel symbol table, so the insmod program simply needed to look for a direct match. If the interface had changed, the names would not match, and the module would refuse to load.
The new implementation does away with the include files. It does still use genksyms, but the output is reprocessed into a set of structure declarations. One structure (containing the symbol name and its checksum) is created for each symbol used by the module; the array of structures is then linked into the module in a special section. When a module is loaded into the kernel, the checksums are used to verify compatibility, and the special section can be discarded. Among other things, this approach makes it easier to force the loading of a module with mismatched symbols, should anybody be unwise enough to attempt such a thing.
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Janitorial
Memory management
Security-related
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Plans from Red Hat
Several articles were published this week looking at Red Hat's plans. The Register starts off with this article about the recently announced end-of-life schedule. (See Red Hat's errata policy announcement). We understand the need to set an end-of-life to products, but announcing a December 31, 2003 end-of-life for 8.0 seems a bit extreme. After all, 8.1 isn't even due out until April.Next, Linux Journal takes a look at Red Hat's plans for a corporate desktop. The idea here is to get people familiar with Red Hat desktop at work. Then in a year or two they'll be ready to trade in their Windows systems for a Red Hat desktop at home. This seems like a good strategy. If the corporate sales are good, Red Hat should gain some users this way.
Finally, vnunet looks at Phoebe and a new Samba configuration tool included with Phoebe. Phoebe is, of course the beta version of 8.1. "Without the new tool, most system administrators would configure Samba by editing text files on each system running the Samba software. Many administrators prefer this method of configuration because it makes it straightforward to back up and redistribute server configurations simply by copying one text file. However, other administrators who are used to working with Windows may be put off by the text-based interface." As long as 'vi filename' still works....
Linux Comes to Unisys Servers (via SCO) (Register)
The Register reports that the SCO Group plans to release SCO Linux for Unisys Corps ES7000 servers and ClearPath mainframes.Advantages of OpenMosix on IBM xSeries (IBM developerWorks)
IBM developerWorks has a three-part series on setting up an openMosix mini-cluster on IBM xSeries. Part 1 introduces current clustering technologies available for Linux and and an introduction to openMosix. Part 2 steps through the process of getting a fully-functional openMosix cluster configured and running. Finally, in Part 3, gives some examples of how you can use your new cluster.
Distribution News
Debian GNU/Linux
The Debian Weekly News for January 28th, 2003 is available. This week: Netcraft added Debian to the list of operating system vendors; the security team finally got everything together and was able to release a whole bunch of advisories for the version of KDE in woody; and more.The nomination period for this year's Debian Project Leader election began on January 24; nominations will be accepted through February 14, and voting will begin on March 21. Click here for the full announcement from the Project Secretary.
Meet people from the Debian Project at Solutions Linux 2003 / Linux Expo France (February 4 - 6, 2003 in Paris), and the Free and Open Source Software Developers' Meeting (FOSDEM) (February 8 - 9, 2003 in Brussels).
Gentoo Weekly Newsletter -- Volume 2, Issue 4
The Gentoo Weekly Newsletter for the week of January 27, 2003 is available. This week looks at Gentoo Linux at LinuxWorld, and much more.Mandrake Linux - Updated msec packages
Mandrake Linux fixes a bug in msec with Multi Network Firewall 8.2. This version has improperly enabled password aging in msec level 4.Slackware Linux
This week's Slackware changes include an upgrade to cups-1.1.18; new stuff in a/devs-2.3.1-i386-11.tgz; an upgrade to LPRng-3.8.20; bunches of new gnome stuff; an upgrade to proftpd-1.2.7; and much more.Yellow Dog Linux
Yellow Dog Linux has some bug fix advisories available for gaim and nautilus.
New Distributions
Emergency CD 2
Emergency CD 2 is a bootable CD-ROM with a console-only mini-distribution based on Red Hat 7.3. It uses Linux kernel 2.4.19-xfs(i586) and includes many console tools and utilities. The first public release is v2.01.
Minor distribution updates
Astaro Security Linux
Astaro Security Linux has released v3.383 beta with major feature enhancements. The 3.390 beta release adds bug fixes. "Changes: This Up2Date adds a new WLAN feature. It also updates WebAdmin, MiddleWare, Selfmonitor, HTTP proxy, and some other software. New versions of the DHCP server and client are also included."
EvilEntity Linux
EvilEntity Linux has released vDR-0.2.5 with major feature enhancements. "Changes: The Application Suite has been expanded, and was made more focused on multimedia. Packages have been updated system wide. Install speed has been increased, as well as system performance."
Gibraltar Firewall
Gibraltar has released v0.99.6a with minor security fixes. "Changes: This release fixes the recently discovered security hole in the dhcp3 daemon. If you have enabled it, please update to this release."
OpenZaurus
The second release candidate for OpenZaurus 3.1 is currently available for testing.PXES Linux Thin Client
PXES Linux Thin Client has released v0.5.1-25 with major feature enhancements. "Changes: This new release introduces some expected changes. Maybe the most important is the migration to kernel 2.4.20, although the previous kernel is included too. You can select the desired kernel in the proces of image building. Some interesting inclusions are a graphical boot screen and the selection of boot messages level, with no messages at all. Support for a read-only root filesystem was added so you can create a PXES CDROM if you want, and support for multiple kernel architecture was fully added."
SmoothWall
SmoothWall has released v2.0 beta 4 with major feature enhancements. "Changes: This release includes major updates to the networking capabilities. Support for the U.S. Robotics SureConnect USB ADSL modem and modems based on the ECI chipset (such as the Fujitsu FDX310) was improved, and the new USB Home Highway ISDN connections from BT are now supported."
TopologiLinux
TopologiLinux has released v2.0.0 with major feature enhancements. "Changes: Both NTFS and FAT are now supported, as are all versions of Windows."
Xandros
Xandros announced the release of the Xandros Desktop Standard Edition 1.0. The Standard Edition is a less expensive version of the previously announced Deluxe Edition.
Distribution reviews
Red Hat Slips off a Curve (OfB.biz)
Timothy R. Butler continues the Penguin Shootout with a look at Red Hat 8.0. He is not entirely pleased with the results. "Another small issue is the Red Hat Network. Unlike MandrakeSoft or SuSE's update utilities, RHN keeps a profile of your system to decide what updates you need. Besides the fact that Red Hat ends up knowing a lot about your system (you can opt out of giving various information), this also means that Red Hat doesn't allow you to have multiple systems hooked up to RHN without additional fees. While I can certainly understand why, after all, it takes a lot of space to store all of that information, Red Hat could avoid both the problem and the cause by simply having the RHN utility decide on the client side what needs updates rather than on the server side."
Page editor: Rebecca Sobol
Development
KDE 3.1 has been released
The much-anticipated release of KDE 3.1 has been announced with much fanfare.
A few of the changes in KDE 3.1 include:
- Enhanced security for the KMail email client.
- Calendar compatibility with Exchange 2000.
- Improved LDAP integration for the KDE PIM framework.
- A desktop lockdown framework for restricting configuration settings.
- A desktop sharing framework which can be used for remote technical support.
- Tabbed browsing for the Konqueror web browser.
- The Quanta Plus web development platform with PHP support.
- The KGET download manager.
- A new default style and default icon style.
- A new multimedia player plugin.
- Several new games.
The Changes between KDE 3.0.5 and KDE 3.1.0 document details the changes in the following sections: kdelibs, kdeaddons, kdeadmin, kdebase, kdebindings, kdeedu, kdegames, kdegraphics, kdemultimedia, kdenetwork, kdepim, kdesdk, kdetoys, kdeutils, and Quanta Plus.
System Applications
Audio Projects
Ogg Traffic
The January 27, 2003 edition of Ogg Traffic is out with the latest Ogg Vorbis audio compression news. Topics include: Using Signal Difference for Quality Evaluation?, Icecast.org's New Face, Vorbis 1.0 GT3, and Is that a Portable Vorbis Player on the Horizon?.
Education
Linux in Education Report
Issue #88 of the Linux in Education Report is out. Topics include A report from the educationaLinux miniconf in Perth, Australia, lesson plans for math and science, Sun's efforts to get StarOffice into UK schools, a TCO study for Linux in schools, a Lindows.com educational license offer, open source in Africa, an opening for the DebianEdu leader, and much more.
Electronics
Icarus Verilog Snapshot 20030126
Snapshot 20030126 of the Icarus Verilog electronic simulation language compiler is out from the gEDA project. "Support for real/realtime variables and expressions has been added." See the release notes for details.
Libraries
International Components for Unicode (IBM)
IBM has an open-source project known as International Components for Unicode. "The International Components for Unicode (ICU) libraries provide robust and full-featured Unicode services on a wide variety of platforms. ICU supports the most current version of the Unicode standard, and they provide support for supplementary Unicode characters (needed for GB 18030 repertoire support). As computing environments become more heterogeneous, software portability becomes more important. ICU lets you produce the same results across all the various platforms you support, without sacrificing performance." ICU has been released under the X License.
Web Site Development
Midgard Lite 0.8.1 released
Version 0.8.1 of the Midgard Lite web development framework has been released. "The main goal of this release is to provide an easily installable package so everybody has the chance to look into the world of midgard. The core of Midgard Lite is more reliable than ever before, and only few important Midgard functions are missing".
Quixote 0.6 beta2 released
The second beta of the Quixote 0.6 Python-based web development platform is available. One serious bug in the beta1 release was fixed, among other things.Aegir CMS 1.0 RC1 released
The first prerelease of version 1.0 of the Aegir CMS Open Source Content Management System is available. "Aegir CMS is a full-featured Content Management System built on the popular Linux, Apache, MySQL and PHP (LAMP) platform powered by the Midgard application server."
Zope Members News
The most recent headlines on the Zope Members News include: Open Letter to the Community, IssueTrackerProduct 0.4.9b, and SGI Supportfolio Powered by Zope.
Miscellaneous
Twisted 1.0.2 released
Version 1.0.2 of the Twisted event-driven networking framework has been released, with a ton of new features.
Desktop Applications
Audio Applications
Tkeca 1.0.1 released
Version 1.0.1 of tkeca, a Tcl/Tk front end for the Ecasound audio utility, is available. This release features a new About TKECA button and a change to the GNU General Public License.Tkeca 1.0.2 released
Tkeca 1.0.2 was also released this week, it contains a couple of bug fixes.Ardour developments
Ardour, a multi-track audio recording package, has had some recent updates. The latest changes include a new timestretching user interface, implementation of "snap-to" for the selection process, the ability to deal with "chunks" of playlists, a new editor selection model, dither options for export, bug fixes, and more.amSynth 1.0 rc2 announced
Version 1.0-rc2 of amSynth, the Analogue Modeling Synthesizer, has been released. This version supports the Jack Audio Connection Kit. Other changes include a revised configure and build system, support for a virtual keyboard, a per-user installation, bug fixes, and support for the latest versions of GCC.
Desktop Environments
KDE-CVS-Digest for January 24, 2003
The January 24, 2003 KDE CVS Digest is available. "This week, Kaplan is reborn as Kontact (a personal information management application for KDE that integrates KMail, KAddressBook, KOrganizer, and other applications), KMail is moved and a new VCard parser makes an appearance. Also read about KHTML's continued improvements thanks to the Apple Safari work., and new improvements in the KOffice filters. A number of new applications were also added to the repository."
GNOME Summary for January 25, 2003
The GNOME Summary for January 19 - 25, 2003 is out. This week covers GNOME Foundation and Bitstream announce free fonts; ExtremeTech interviews from LWE; GNOME 2 100% translated to Mongolian; and much more.FootNotes
Headlines on the GNOME desktop FootNotes site include: GNOME 2.2 Desktop Release Candidate 2 (2.1.91): ''OUTATIME'', Sodipodi 0.29 released, GnomeMeeting 0.96 aka ''Seems, madam? I know not seems!'' released!, Desktop Enhancements!, libgda/libgnomedb/mergeant 0.10.0 released, GNOME 2.2 Desktop User Guide, GNOME 2.2 Desktop System Administration Guide, New Mongolian GNOME translation bursts onto scene, Camorama 0.16 released, Official Slackware Gnome2.2 out, Remote Gkrellm Over SSH, Linux World: The State of the Linux Desktop, and more.Adopt-a-Geek: Put Old Hardware to Good Use!
The Adopt-a-Geek program strives to put more computer resourses into the hands of KDE developers.KDE PIM Hackfest Summary
KDE.News summarizes the results of the KDE PIM Hackfest. "The main purpose was to define a roadmap on the future of personal information management in KDE. Berndhard Reiter from Intevation wrote down a nice summary for your convenience."
Games
Crystal Space 0.96r001 released
Version 0.96r001 of the Crystal Space 3D Engine has been released. "This is a VERY significant release compared to 0.94. Almost everything has changed :-) Lucky for you we have tried to make the transition as easy as possible."
GUI Packages
FLTK Developments
The latest new software for FLTK, the Fast, Light ToolKit include: FL-Inventor 0.9.5-rev1, fl_connect 0.9, Cartesian, and Fl_Device.
Interoperability
Wine Weekly News
Issue #154 of the Wine Weekly News is out. Topics include: News: kerneltraffic.org, CrossOver Plugin 1.2, SuSE Offering, Kernel Module / Shared Memory Revisited, InstallShield 6 Insight, Where is fnt2bdf?, MSVC 4 & Explorer.exe Implementation, Executing Batch Files, Extracting Icons, Installing IE5.5, Wine Robustness?, CVS Vulnerability?, and Whither wine-releases ?.
Office Applications
KOffice 1.3 Release Schedule (KDE.News)
KDE.News covers the release schedule for KOffice 1.3. "According to it the release cycle begins with Beta 1 in April and ends with the final release in early September 2003. Among the many targetted features are hyphenation support for KWord and Presenter, over 100 new formulas for KSpread and much improved filters (development status)."
AbiWord Weekly News #127
Issue #127 of the AbiWord Weekly News is out, with the latest AbiWord word processor development news. "Martin has improved footnote functionality to the point that they're more intelligent than Microsoft's attempts. As I type this, either 1.1.3 is now released, and 1.0.4 is almost out, leaving Mark with a US$20 bill to foot. Jeremy's ready to show off his screen shot of his spunky new wallpaper, I mean, NSIS2 development. Finally, a friend of Andrew's may soon be appearing in the credits of other people's commits."
AbiWord Weekly News #128
Issue #128 of the AbiWord Weekly News is out. Topics include the AbiWord 2.0 release plan, abiword2.nsi, INS, Initial Barbarism support documentation, "can't open font" at startup, More Contributors to the TWiki, End Notes, Footnotes exported to/imported from RTF, Tree closed for 1.1.3, and a lot more.Danish Native Language Project for OpenOffice
OpenOffice.org has announced the creation of the DA Project, which aims to bring Danish language support to OpenOffice.
Web Browsers
mozillaZine
The latest mozillaZine topics include: mozdev.org Soliciting for Donations, Integrating Switch Accessibility into Mozilla, Ten Things Phoenix is Better at Than Mozilla, New Netscape 7.01 Base Installer for Windows, UK's 'PC Plus' Magazine Awards Mozilla Editor's Choice, evolt.org Interviews Eric Meyer, K-Meleon Update in Development, and Independent Status Reports.
Languages and Tools
C
GCC warnings
Some changes are being implemented in the GCC warning software. "The ongoing effort to remove warnings from the GCC code base itself, spear-headed by Kaveh Ghazi, has paid off: For our development versions and snapshots, we now enable -Werror during a full bootstrap."
Caml
Caml Weekly News
The January 21-28, 2003 edition of the Caml Weekly News is out. Topics include: load modules by name, uname for Ocaml, Books on FP, and New bug fix version of Camlimages library.
FORTRAN
G95 FORTRAN work continues
Work continues on the G95 FORTRAN compiler project, subroutines are being added and bugs are being fixed.
Java
Java Swing: Menus and Toolbars, Part 2 (O'Reilly)
O'Reilly continues the series on Swing menus and toolbars. "In part 2 of this book excerpt on Swing menus and toolbars from Java Swing, 2nd Edition, learn about menu bar selection models, beginning with the JMenuBar class."
Fine-tuning Java garbage collection performance (IBM developerWorks)
Sumit Chawla illustrates Java garbage collection on IBM's developerWorks, with a focus on the IBM Java Virtual Machine. "In this article, the author shows how to find out whether garbage collection, the task carried out by Java Virtual Machine in the background to reclaim unusable space, is finely tuned. He then provides several recommendations to address your garbage collection issues."
Deploying multiple applications in J2EE 1.2 (IBM developerWorks)
Kyle Brown and Keys Botzum cover component reuse issues on IBM's developerWorks. "If you are developing with EJB technology, you are creating potentially reusable components. Unfortunately, plans to deal with reuse are often not put into place until it's too late. In this article, IBM enterprise developers Kyle Brown and Keys Botzum examine a common reuse scenario and explore some considerations that arise from it."
Lisp
SBCL 0.7.12 released
SBCL version 0.7.12 is available. "This is a minor maintenance release which changes the default compilation optimization policy of code processed by EVAL, provides an experimental implementation of the debugger's RETURN command, and fixes a few bugs."
Perl
This Week on perl5-porters (use Perl)
This Week on perl5-porters for January 20-26, 2003 is available on Use Perl. "This week, the P5P summary will attempt to entertain you with several low-level hacks. (A weird kind of entertainment if any.) Read about printf(), optimisations, internals, perldoc, and other code stories below."
This week on Perl 6
The January 19, 2003 edition of This week on Perl 6 is out. Topics include: Objects (again), Optimizing and per file flags, The draft todo/worklist, Parrot Examples, Thoughts on infant mortality (continued), Operators neg and abs in core.ops, The eval patch, Pretty Pictures, Solaris tinderbox failures, Parrot compilers, ook.pasm eval, Array questions, L2R/R2L syntax. Again, Larry's state of health and employment, and more.Screen-scraping with WWW::Mechanize (O'Reilly)
Chris Ball shows how to scrape screens with Perl. "Screen-scraping is the process of emulating an interaction with a Web site - not just downloading pages, but filling out forms, navigating around the site, and dealing with the HTML received as a result. As well as for traditional lookups of information - like the example we'll be exploring in this article - we can use screen-scraping to enhance a Web service into doing something the designers hadn't given us the power to do in the first place."
PHP
PHP Weekly Summary
Topics on this week's PHP Weekly Summary include: PHP and XML, Binaries for MacOS X, PHP 5, CVS checkouts from HEAD, ADT extension, Dump_node() changes, and Msession 1.2.
Python
Dr. Dobb's Python-URL!
The Dr. Dobb's Python-URL for January 27, 2003 is available, with lots of news and links for the Python community.The Daily Python-URL
This week's Daily Python-URL article topics include: SQLObject, PyObjC, rlcompleter2, the EuroPython 2003 Conference, Eric3, a Python IDE, A conversation with Guido van Rossum, part III: Programming at Python speed, PythonMagick, SandBox, Perl 6 and Python 3000, kobra, a native .NET wrapper for Python, tn5250j features Jython scripting, path 1.0, and more.
Ruby
The Ruby Weekly News
Topics on this week's Ruby Weekly News include: mod_ruby - what is persistent and what is shared?, Ruby does not have enough libraries?, Hash#+?, ModuleBuilder, and Our own CPAN. New Ruby software includes: archive-tarsimple-0.1.0.
Tcl/Tk
Dr. Dobb's Tcl-URL!
The January 28, 2003 edition of Dr. Dobb's Tcl-URL! is out with the latest Tcl/Tk development news.
XML
X+V 1.1 ---XHTML+Voice
IBM's developerWorks has published the specifications for X+V, which is geared toward voice-based interaction. "X+V brings spoken interaction to standard WWW content by integrating a set of mature WWW technologies such as XHTML and XML Events with XML vocabularies developed as part of the W3C Speech Interface Framework. X+V brings together voice modules that support speech synthesis, speech dialogs, command and control, speech grammars, and the ability to attach Voice handlers for responding to specific DOM events, thereby re-using the event model familiar to web developers. Voice interaction features are integrated directly with XHTML and CSS, and can consequently be used directly within XHTML content."
Parsing RSS At All Costs (O'Reilly)
Mark Pilgrim talks about dealing with malformed RSS data on O'Reilly. "As I said in last month's article, RSS is an XML-based format for syndicating news and news-like sites. XML was chosen, among other reasons, to make it easier to parse with off-the-shelf XML tools. Unfortunately in the past few years, as RSS has gained popularity, the quality of RSS feeds has dropped. There are now dozens of versions of hundreds of tools producing RSS feeds. Many have bugs. Few build RSS feeds using XML libraries; most treat it as text, by piecing the feed together with string concatenation, maybe (or maybe not) applying a few manually coded escaping rules, and hoping for the best."
The Return of XML Hypertext (O'Reilly)
Kendall Grant Clark writes about XML hypertext efforts on O'Reilly. "The first thing one might say about xml-hypertext is that its credentials suggest that it is a trustworthy source. A brief glance through its archive is like a glance through the Who's Who of the XML community. Not only is the roster of participants a good indication of the quality of conversation, but it also suggests that the list's motivating idea is not the product of a single person, but reflects broader community interests."
Introduction to XFML (O'Reilly)
Peter Van Dijck introduces XFML on O'Reilly. "XFML is a simple XML format for exchanging metadata in the form of faceted hierarchies, sometimes called taxonomies. Its basic building blocks are topics, also called categories. XFML won't solve all your metadata needs."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Copyrights: A radical rethink (Economist)
The Economist has posted a column on copyright inspired by the Eldred v. Ashcroft ruling. "Copyright was originally the grant of a temporary government-supported monopoly on copying a work, not a property right. Its sole purpose was to encourage the circulation of ideas by giving creators and publishers a short-term incentive to disseminate their work. Over the past 50 years, as a result of heavy lobbying by content industries, copyright has grown to such ludicrous proportions that it now often inhibits rather than promotes the circulation of ideas, leaving thousands of old movies, records and books languishing behind a legal barrier. Starting from scratch today, no rational, disinterested lawmaker would agree to copyrights that extend to 70 years after an author's death, now the norm in the developed world." They argue for much shorter copyrights, but for giving copyright holders "legal backing" for copy protection technologies.
Also in this week's Economist: an article on the BSA/CSPP/RIAA deal and a lengthy survey on the Internet society, with articles in privacy, copyright protection, direct democracy, and more.
Commentary: The way of Linux (News.com)
Here's a lengthy Forrester Research pronouncement on News.com "CIOs making a commitment to open source should also commit to a team that can demystify licensing issues, manage code rollouts and check a project's sanity level. Staffing the center with skeptics--not gurus--will keep corporate technology policy far away from the open-source socialist fringe." Despite such language, it is actually a very positive report.
CEO Visions: Kinder, Gentler Software (TechWeb)
Oracle's Larry Ellison on Linux (covered by TechWeb). "Our database operates on clusters of low-cost Linux machines. We've bet extremely heavily on Linux. We think Linux is a winner. If it's not, it's a bit of a problem for us. If it is, it's a huge win for us. ... In 25 years at Oracle, I've never seen movement like this toward an operating system. I've never seen anything with this much uptake. We're seeing Linux absolutely go over the moon."
Linux infiltrates Homeland Security, and other conspiracies (Register)
The Register plants tongue firmly in cheek for this article about the US Department of Homeland Security's newly-launched web site. "Still, it's nice to see Linux defending the homeland, and to know that the Department of Homeland Security doesn't hold with this stuff about the GPL being communism. Unless... Now, there's another good conspiracy theory.."
Trade Shows and Conferences
LinuxWorld: Baby It's Cold Inside (Wired)
Wired attends LinuxWorld. "It's interesting to watch as new users of Linux, including reps from Merrill Lynch, Goldman Sachs, and VeriSign, are trotted out to explain how great Linux is to people who have probably spent the last decade elbow deep in kernel code. "It's like watching a baby discover its toes," said New Jersey coder Nick Nardine. "Not only does the baby think its toes are the coolest thing in the world, it insists you must discover your toes too. Watching these guys push Linux on us is endearing and annoying at the same time.""
Sun Hits Stride At LinuxWorld (TechWeb)
TechWeb covers LinuxWorld announcements from Sun. "And Mad Hatter, the codename for Sun's Linux desktop, will roll into beta this spring, followed by general availability summer of 2003."
LinuxWorld Is Wall-to-Wall Good News (Linux Journal)
Linux Journal wraps up LinuxWorld. "On the AMD side of the struggle, several vendors offered Opteron-based evaluation and development hardware. A running 1U system at the Angstrom booth had processors that were cool to the touch, with two small fans per processor. Although Angstrom can't release numbers and Linux Journal didn't have a thermometer, the Opterons feel cooler than current Athlons."
Microsoft wins Linux award (vnunet)
Vnunet notices that the winner of LinuxWorld's best system integration software in the Open Source Product Excellence Awards is not exactly an open soure product. "But [Microsoft's Services for Unix 3.0] is still a Windows-based product, with the user needing to run Windows NT4, 2000 or XP Professional. The Unix/Linux element is needed in order to access the Unix operating systems. A purist might therefore argue that it is not open source at all."
Companies
IBM Touts New Enterprise Linux Customers At LinuxWorld (TechWeb)
This TechWeb article list some of IBM's big Linux customers. "Sales are the supreme test of a technology's value, and IBM is highlighting that point by parading nearly a dozen new Linux customers. The Armonk, N.Y., computer giant, which dove into the Linux market three years ago, said at LinuxWorld in New York on Wednesday that the PGA Tour was among the converts to the open-source operating system."
Intel gets 'big iron' partner (vnunet)
Vnunet covers a deal between Intel and Fujitsu to develop high-end servers. "Fujitsu has reorganised its 300-strong Linux development team and it is expected that they will be concentrating on using open source for its server management software."
Red Hat intros 12 month only support on 'consumer' OSes (Register)
The Register takes a look at Red Hat's current "end-of-life" schedule. "Microsoft comes under regular fire for its apparent eagerness to end-of-life its products, making them more difficult and expensive to support, and hence forcing users to upgrade to the next version. But without fanfare Red Hat has quietly introduced its own approach to end-of-life, and compared to this, Microsoft's idea of an upgrade cycle looks pretty sedate. As of the release of Red Hat 8.0, the company is only guaranteeing errata maintenance for the 12 months following a product's release."
SCO Group Readies New Platform (eWeek)
eWeek covers a new platform under development by the SCO Group. Known as SCOx, SCO hopes it will drive the next generation of applications on both the network and the server, across both Unix and Linux. "SCO Group chief executive Darl McBride told eWEEK in an interview here at LinuxWorld Wednesday that two of the company's core customer segments the replicated site customer and the small- to medium-sized business customer are looking for a platform that melds their server-based solutions and the Internet."
Linux Adoption
Morgan Stanley aids Linux learning curve (News.com)
News.com looks at Red Hat customer Morgan Stanley. "Birnbaum wasn't just helpful in pushing Red Hat to build necessary features into Linux, Tiemann said. He also helped champion the cause of Linux among Wall Street companies."
Tablets good for healthcare staff (NZ Herald)
The New Zealand Herald looks at a South Auckland Maori health provider that is carrying out the first local trials of Linux-based Tablet computers to gather health information at clients' homes and communicate wirelessly with base. Thanks to Kanchana Wickremasinghe
Interviews
Linus has an open view (The West Australian)
This year Linus went to Linux.conf.au instead of LinuxWorld. While there he spent some time talking with the press. Here is an interview with Linus in The West Australian. "Mr Torvalds appears to find Microsoft's angst over open source, and Linux in particular, more amusing than troubling overall. But he warns the battle could get serious."
You can find another interview in AustralianIT. Thanks to Leon Brooks
Larry McVoy on BitKeeper, kernel development, Linus Torvalds and Bruce Perens (LinuxWorld)
Joe Barr talks with Larry McVoy in this LinuxWorld article. "McVoy's biggest contribution to free software may be BitKeeper, his proprietary source management system. The story of how BitKeeper has come to be Torvalds' (and many other kernel hackers) tool of choice in maintaining the Linux development tree is worthy of a book. It's not just an unlikely outcome, given the animosity that often flares up when proprietary and open source types gather in the same space, it has been a frustratingly painful one. McVoy tells me that it was his desire to help Linus that has resulted, to use his own words, in "a miserable last five years.""
Resources
LinuxDevices.com Newsletter
Here is the LinuxDevices.com Newsletter for January 23, 2003. Get caught up on all that's new in embedded Linux.Spam filtering techniques (developerWorks)
developerWorks looks at six different ways to deal with spam. "At first blush, it would be reasonable to suppose that a set of hand-tuned and laboriously developed rules like those in SpamAssassin would predict spam more accurately than a scattershot automated approach. It turns out that this supposition is dead wrong. A statistical model basically just works better than a rule-based approach"
Reviews
Langa Letter: Linux Has Bugs: Get Over It (TechWeb)
Fred Langa revisits Linux bugs in this TechWeb article. "It's hard to imagine a less inflammatory or more obvious assertion--that all operating systems have bugs and security issues--but I won my bet: Linux and open-source fans thought I was attacking them or their preferred operating system. They deluged me with E-mails, many irate, claiming that CERT (and I) were dead wrong."
Not Your Father's Encyclopedia (Wired)
Wired looks up Wikipedia, an open source encyclopedia. "In Wikipedia's second year, editors have added 80,000 entries to the English version and 33,000 more to the other language editions. The surge in growth has made it the world's largest and fastest growing open-content encyclopedia, according to its founders."
Miscellaneous
Linux Australia votes in first female president (ZDNet Australia)
ZDNet Australia covers Linux Australia's new president, Pia Smith. "Asked why she wanted to be president, Smith said she wanted to invigorate the organisation, so as to raise the profile and scope of the Linux operating system in Australia."
Page editor: Forrest Cook
Announcements
Commercial announcements
IBM releases 2003 Linux Software Evaluation Kit
The new IBM Linux Software Evaluation Kit that has been expanded to 4 CDs for 2003. In addition to the newest levels of DB2 Universal Database, WebSphere Application Server, and Lotus Domino, the 2003 SEK will also include WebSphere Studio Site Developer, WebSphere MQ, Tivoli Access Manager, Linux porting tools, along with many white papers and tutorials. Sign-up here and get the Linux Software Evaluation Kit mailed to you at no charge.Pioneer-Standard Announces Alliance with HP to Support Linux-based Business Solutions for HP ProLiant Servers
Pioneer-Standard Electronics, Inc. has announced an alliance with HP to advance Linux-based HP ProLiant and Intel(R) Itanium(TM) server solutions in the marketplace.Storever Introduces OpenBrick Wifi Extranet Server based on Mandrake Linux
Storever introduced the OpenBrick Wifi Extranet Server. Based on the OpenBrick Advanced Extranet Server, the new OpenBrick provides a simple solution to setup advanced secure WiFi networks.OpenBrick Introduces Umigumi: The Instant Appliance Setup Program
The OpenBrick Community has introduced "Umigumi". Umigumi can reconfigure any embedded platforms or even a standard PC in just a few seconds, or change them into an appliance: router, firewall, VPN, OGG player, print server, thin client, etc. Umigumi is an open source product designed for the OpenBrick platforms by the OpenBrick community, but it can easily be extended to support any embedded hardware platforms running Open Source operating systems like GNU/Linux and FreeBSD/OpenBSD.SCO Establishes SCOsource to License UNIX Intellectual Property
The SCO Group has announced the creation of a new division called "SCOsource" which will be charged with managing the company's "Unix intellectual property." Initially the division will be licensing SCO's System V libraries; it will be interesting to see where it goes after that.Linux Journal Press Releases "Linux In the Workplace" Under GNU FDL
Linux Journal Press has announced the release of Linux in the Workplace under the GNU Free Documentation License (FDL). (LWN reviewed this book last November).
Resources
EDRi-gram: a new European digital rights newsletter
The first issue of "EDRI-gram," a new newsletter on European digital rights, has just been published. Topics covered include the implementation of the European Copyright Directive, the draft software patent law, updates from the UK and Germany, and more. Click below for the first issue, along with information on how to subscribe.
Upcoming Events
Thursday's collection of LinuxWorld press releases
Here is another round of press releases from LinuxWorld:- Metrowerks
demonstrated a pre-release version of OpenPDA.
- Red Hat, Inc.
announced plans for a comprehensive framework as the next step in
building an integrated enterprise Linux platform.
- INNOVATION Data Processing announced
a partnership with Sistina Software and Mainline Information Systems,
Inc. to offer a Linux System Solution Package for the IBM zSeries and
S/390 platforms.
- IDG World Expo announced the winners of the Open Source Product Excellence Awards at LinuxWorld Conference & Expo. Award winners SGI and Ximian, Inc. have put out their own press releases.
LinuxWorld and linux.conf.au wrapups
Russell Pavlicek has sent us a wrapup of last week's LinuxWorld conference. "In all the booths, there was a different tone of communication. The magicians and campy actors who had once populated the demo areas were replaced with business presenters earnestly communicating the advantages of their respective corporations."
Leon Brooks, meanwhile, has posted "A Triumphal
Wrapup" from linux.conf.au. "A penguin ambled out on-stage at
the opening session, and then off again. After a few minutes, Rusty
appeared with a penguin head under his arm. 'Ha, ha' said everyone, very
funny, Rusty wore a penguin suit, yay. Then when everyone was thoroughly
disarmed, Linus came back on in his usual casual way, wearing the headless
suit. It took a minute or two for the penny to drop for quite a few people,
but the cheers came.
"
LinuxWorld Attendance Tops 19,000
Here's the official LinuxWorld wrapup from IDG World Expo.ESC San Francisco 2003 Highlights
CMP Media LLC announced its 15th annual Embedded Systems Conference (ESC) San Francisco will be held in the Moscone Convention Center in San Francisco, April 22 - 26, 2003. Registration is open.OSCON 2003 (Python 11) CFP
A call for participation has been posted for the O'Reilly 2003 Open Source Software Convention in Portland, Oregon on July 7-11, 2003. Submissions are due in by February 15.CFP: 3rd Workshop on Open Source Software Engineering
A call for papers has gone out for the 3rd Workshop on Open Source Software Engineering, to be held in Portland, Oregon on May 3, 2003. Submissions are due in by February 15.YAPC::Europe::2003 Call for Participation (use Perl)
Use Perl has announced the call for participation for the YAPC::Europe::2003 conference, to be held in Paris on July 23-25, 2003.YAPC::Canada Slated for May 15-16, 2003 (use Perl)
Use Perl has an announcement for the YAPC::Canada converence, it will be held in Ottawa, Ontario on May 15 and 16, 2003.More FOSDEM interviews posted
The latest set of FOSDEM speaker interviews is up: Jon 'maddog' Hall, Owen Taylor, and Havoc Pennnigton.Events: January 30 - March 27, 2003
| Date | Event | Location |
|---|---|---|
| January 30 - 31, 2003 | SAINT-2003 | Orlando, Florida, USA |
| February 3 - 6, 2003 | O'Reilly Bioinformatics Technology Conference | (Westin Horton Plaza.)San Diego, CA |
| February 4 - 6, 2003 | Linux Solutions 2003 | (CNIT)Paris, France |
| February 8 - 9, 2003 | Free and Open source Software Developers' European Meeting(FOSDEM) | Brussels, Belgium |
| February 10 - 14, 2003 | The fifth NordU/USENIX Conference(NordU2003) | (Aros Congress Center)Västerås, Sweden |
| February 20 - 21, 2003 | Desktop Linux Summit | (Vivendi Universal Building)San Diego, CA |
| February 22 - 24, 2003 | CodeCon 2.0 | (Club NV)San Francisco CA, USA |
| February 27 - 28, 2003 | Linux Summit 2003 | (Dipoli Conference Center)Espoo, Finland |
| March 17 - 19, 2003 | Open Source for National and Local eGovernment Programs in the U.S. and EU | (The Marvin Center Grand Ballroom, George Washington University)Washington, DC |
| March 20 - 21, 2003 | First OpenOffice.org Conference(OOoCon2003) | (University of Hamburg)Hamburg, Germany |
| March 26 - 28, 2003 | PyCon DC 2003 | (George Washington University)Washington DC |
Software announcements
This week's software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
- Sorted alphabetically,
- Sorted by license.
Miscellaneous
News on European Patents
Michel Rocard (former Prime Minister of France and now on the Committee on Culture, Youth, Education, the Media and Sport) is proposing an amendment (PDF format) to explicitly rule out patent-ability on information processing. The amendment is well written and we can only hope that it will have some influence on the European parliament. Thanks to Laurent Guerby
Page editor: Forrest Cook
Letters to the editor
latest Forrester report
| From: | Nathan Myers <ncm-nospam@cantrip.org> | |
| To: | letters@lwn.net | |
| Subject: | latest Forrester report | |
| Date: | Sun, 26 Jan 2003 13:43:11 -0500 |
To the editor,
The latest report from Forrester Research summarized at
http://news.com.com/2009-1122-982090.html
was disappointingly unprofessional in several respects.
Its dig about "the open-source socialist fringe" demonstrates a
characteristic confusion: the term "open source" was invented
specifically for participants to distance themselves from the Free
Software movement's political opinions. By definition, there can
be no such thing as an "open-source socialist fringe". Nonetheless,
the report would better have observed that even the putatively
fringiest socialists' code works demonstrably better than the
convicted monopolists' output, and let readers draw their own
conclusions.
Its dismissive treatment of desktop use of Free operating systems as
a "gaffe" that wouldn't "make sense", is similarly unprofessional.
If the writers think no Free Software is ready for desktop use, they
neither support the claim, nor offer any estimate of how long it will
be before any will be ready. The many successful desktop deployments
to date, and the unexplainable paucity of failures, would surely
mystify the authors if they considered the matter.
The authors pretend that only open-source software produces additional
costs "like documentation, support and commercial add-ons", which
"swell a company's IT budget". What do they imagine swells the IT
budgets of companies dependent on proprietary software? Similarly,
they recommend staffing a technology center with "skeptics--not gurus".
Since a guru is, by definition, the most competent available individual,
"skeptics" must be those less competent. They beg the question,
skeptical of what? Might skepticism about the wisdom of depending
on the goodwill of a criminal monopolist qualify?
The blanket advice, "companies ... should treat open source like
commercial software: Hands off the code," betrays a deep failure to
understand the success of Free Software to date. Decisions about
participation in Free Software projects belong at the lowest levels
of the company, where the costs and benefits to each project may be
evaluated directly, without reference to ideology. If a particular
group has the needed skills on hand, and would benefit from engaging
with others to improve their tools, what does it matter how
sophisticated the rest of the company is about building software?
Better advice for a CIO would be, "Hands off: encourage line managers
to make reasoned choices." Such good advice is too generally
applicable, somehow, to put into a report.
The tacit advice to ignore the second most widely-deployed Linux
distribution, Debian, is simply irresponsible. Support for Debian
installations is as readily obtained as for most distributions they do
recommend, and Debian has unquestionably better future prospects than
most. The Debian project's continued success must so mystify the
authors that they dare not mention it at all.
The report's final predictions -- Microsoft freeing its "language
runtime" (thus making its OS, somehow, magically scalable from embedded
systems to mainframes), and a million-dollar "Ellison Prize" for
people who no longer write code, somehow generating an outpouring of
innovation -- smack of fevered fantasy. Where did we get the Free
Software we have? That's where to look for it in the future.
Many of Free Software's key components (including the BSD TCP/IP stack
used in Microsoft's operating systems) came out of (socialistic?)
direct government grants to solve specific problems. Some arose from
the "socialist fringe" the report disparages. Most were developed to
meet specific needs by people hired to satisfy those needs, and then
found uses (and development support) worldwide. Many of those people
were hired by, or on behalf of, governments. Is that socialistic?
The code works.
The report's flaws come from the same place as in most research firms'
reports: sponsorship. Who paid Forrester to have this report written?
It looks stitched together from scraps of position papers from IBM and
an embedded-system vendor. The authors clearly do not understand the
field they pretend to analyze. Instead, they have constructed a fantasy
world in which they can echo the wishes of their sponsors.
We should not allow the report's apparently-positive remarks to mislead
us about the merits of the report or its publisher.
Nathan Myers
ncm-nospam@cantrip.org
Insecurity
| From: | Leon Brooks <leon@cyberknights.com.au> | |
| To: | fred@langa.com | |
| Subject: | Insecurity | |
| Date: | Wed, 29 Jan 2003 09:33:04 +0800 | |
| Cc: | lwn@lwn.net |
Hi, Fred; with regard to your recent pontifications on security:
Quoting http://www.informationweek.com/story/IWK20030124S0013/1
> the article said: "...more than 50% of all [CERT] security advisories ...
> in the first 10 months of 2002 were for Linux and other open-source
> software solutions."
The implication is that Linux has more bugs than everything else combined. You
also implied an acceptance of WinInformant's wildly errant conclusions
evidently founded on the same implication.
Quoting http://www.langa.com/newsletters/2003/2003-01-13.htm#4
> None of this excuses or lessens the seriousness of Windows' own problems,
> of course, but it does show that as Linux grows in popularity, it will
> have its own full share of bugs and security problems, too.
This assertion is independent of WinInformat's, and it is wrong too. Bugs have
nothing to do with popularity; if anything, more participants in a given
development process implies less bugs. In real life, the bug reporting
process extends to more decorative issues that a project with fewer
developers wouldn't have the resources to worry about.
Quoting InformationWeek again:
> It's hard to imagine a less inflammatory or more obvious assertion - that
> all operating systems have bugs and security issues
Unfortunately, you did not limit yourself to this assertion. If you had, you'd
be clear. You tried to be borrow some of WinInformat's facade of cleverness
and bend CERT's reports to support your statement in such a way that you
appeared to be conservative. That was damn silly, and you deserved to be
flamed for it.
You then go on to raise and knock down a straw man by putting up a few mild
objections to your point, namely that there aren't really that many bugs, and
they can be fixed faster. Let's look at those.
> We can avoid CERT's problem of counting the same bug more than once if
> we compare the security patch/update counts for one popular distribution
> and version of Linux to one popular version of Microsoft Windows.
First off, the problem lies not with CERT, but with careless or zealotrous
researchers interpreting the raw CERT data wrongly.
Second off, you do avoid that problem, but you smack face-first into another,
one which is actually worse ("out of the frying pan, into the fire").
Slammer/Sapphire, currently the bane of MS-SQL servers the world over (still
one probe every 2 minutes or better in a Class C subnet as I write) is not
counted as a Windows bug, but a similar problem in PostgreSQL would be
counted as a bug in, say, the SuSE, Slackware or Caldera Linux distributions.
There is no direct Windows equivalent for a Linux distribution. No Windows
version ships with anything like Mandrake's 4000 or Debian's 11000 or so
(slightly more granular) packages. Or, for that matter, with anything like
the same amount of control over them. Microsoft's "157 products" aren't a
drop in a bucket compared to that.
You also do not correctly address the issue of bug severity. A typical
Microsoft bug results in, as the mythical CERT CA-96.13 says, "the total
destruction of your entire invasion fleet and [...] unauthorized access to
files" by remote control. A typical Linux bug results in remote access as an
ordinary or even crippled (chrooted and/or owns no files) user, or the
possibility of local escalation to superuser. Your "quick example" is
exceptional, not typical.
Perhaps more terrifying are the Windows bugs that _cannot_ be fixed. Because
of the way Windows is designed, in all known versions, it will _always_ be
possible to push a stick through the spokes of the Windows message-passing
system and escalate privs. IE's MIME handling under Windows is still badly
broken, and as far as I can tell, always will be.
Just to labour the point, conside this list of known, unpatched Internet
Explorer vulnerabilities - http://www.pivx.com/larholm/unpatched/ - including
"Silent delivery and installation of an executable on a target computer", and
contrast that with the Open Source competition (Mozilla, Konqueror and
derivatives) which patched and tested the most recent SSL vulnerability in
under a day (95 minutes from notification to fix-release for Konqueror).
> The open source community has fragmented into myriad competing segments,
> each with its own different, and increasingly quasi-proprietary,
> distributions of software.
Using a few prominent examples to speak for all Linux distributions is grossly
careless. In general, Linux distributions include little if any proprietary
software, and most have downloadable distributions which are both libre and
gratis. Many, notably Debian and Mandrake, make a point of GPLing all of
their specialised tools, and many distributions borrow chunks from each
other. In the case of Sun's "Mad Hatter" distribution, they borrowed RedHat's
entire distribution en bloc.
Fragmentation is - from a security perspective - good. A software monoculture
is vulnerable. _Any_ monoculture is vulnerable. Linux runs on 13 hardware
architectures, Windows on 2 (really only 1), a typical Linux distribution
provides a sheaf of different window managers, web browsers, mail clients,
office suites, databases, webservers, scripting lanugages and so on.
From a user perspective, the choice represented by fragmentation is good. For
a current example, a parochial Australian girls' school installed Linux and
defaulted the girls' desktops to KDE. Within days, a significant number of
the students had discovered and settled on GNOME and lighter window managers
like IceWM and BlackBox. The helldesk didn't explode as a result (choice of
WM is part of the user context), in fact the support crew do much less
running around than they used to with Windows and no such choices.
Is Linux ready for the desktop? The 20,000 (soon to be 200,000) users in Rio
Grande do Sul's State schools think so too.
There's a lot more which could be said about your article, but it hardly seems
worthwhile. Do more research, come at the issues with more hard facts and
less fancy theories. Don't try to justify mistakes, it's much more useful to
learn from them.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://slpwa.asn.au/ Member, Linux Professionals WestOz
http://linux.org.au/ Committee Member, Linux Australia
http://linux.org.au/~leonb/lca2003/ THE Oz Linux Technical Conf:
excellent event, photos here!
The Langa Letter - an opposing view
| From: | jimd@starshine.org | |
| To: | jimd@starshine.org, star@starshine.org, lwn@lwn.net, letters@lwn.net | |
| Subject: | The Langa Letter - an opposing view | |
| Date: | Mon, 27 Jan 2003 17:18:33 -0800 (PST) |
Fred's comment about "severity" is, as he points out, inherently
subjective. His numerical analysis is also subject to more issues that
he's simply ignoring.
For example the 157+ bug count for RH 7.2 or 7.3 includes fixes for many
overlapping products and many which are rarely installed by Linux users --
RH simply includes a lot of optional stuff. Meanwhile the count for
Micrsoft may still be artificially low, since MS is known to deliberately
minimize the number and severity of their bug reports. Many of their 30+
reported patches might include multiple fixes and descriptions which
downplay their signficance.
Fred also, inexcusably, argues that "first availability" of a fix (in
source form, sometimes in focused, though public, mailing lists and venues)
"doesn't count" as faster. That is simply jury rigging the semantics to
support a prejudiced hypothesis.
Another approach to looking at the severity of bugs is to view the effect
of exploits on the 'net as a whole.
In the history of Linux there have only been a couple of widespread worms
(episodes where a bug's exploit was automated in a self-propagating
fashion). Ramen, Lion and Adore are the three which come to mind.
Subjectively the impact of these were minimal. The aggregate traffic
generated by them was imperceptable on the global Internet scale. Note
that the number of Linux web, DNS and mail servers had already surpassed MS
Windows servers by this time --- so the comparison is not numerically
outrageous.
Compare these to Code Red, Nimba, and the most recent MS SQL injection
worms. The number of hosts compromised, and the effect on the global
Internet have been significant.
I simply don't have the raw data available to make any quantitative
assertions about this. However, the qualitative evidence is obvious and
irrefutable. The bugs in MS systems seem to be more severe than
comparable bugs on Linux systems.
If a researcher were really interested in a rigorous comparison, one could
gather the statistics from various perspectives --- concurrently trying to
support and refute this hypothesis.
Fred is right, of course, that Linux has many bugs --- far too many.
However, he then extends this argument too far. He uses some fairly shoddy
anecdotal numbers, performs trivial arithmetic on them and tries to pass
this off as analysis to conclude that there is no difference between MS XP
security (and that of their other OSes) and Linux' (Red Hat).
I won't pass my comments off as anything but anecdotal. I won't look up
some "Google" numbers to assign to them and try to pass them off as
statistical analysis.
I will assert that Linux is different. That bugs in core Linux system
components are fewer, less severe, fixed faster, and are (for the skilled
professional) easier to apply across an enterprise (and more robust) than
security issues in Microsoft based systems.
The fact that numerous differences in these to OSes make statistical
comparison non-trivial doesn't justify the claim that there is no
difference.
Further anecdotal observations show that the various Linux distributions
and open source programming teams have done more than simply patch bugs as
they were found. Many of the CERT advisories in Linux and elsewhere (on
the LWN pages, for example: http://www.lwn.net/ ) are the result of
proactive code auditing by Connectiva, Gentoo, S.u.S.E., IBM and The MetaL
group at Stanford, among many others. In addition many of these projects
are signficantly restructuring their code, their whole subsystems, in order
to eliminate whole classes of bugs and to minimize the impact of many
others. For instance the classic problems of BIND (named, the DNS server)
running as root and having access to the server's whole filesystem used to
be mitigated by gurus by patching and reconfiguring it to run "chroot"
(locked into a subdirectory tree) and with root privileges dropped after
initial TCP/port binding (before interacting with foreign data). These
mitigations are now part of the default design and installation of BIND
9.x. Linux and other UNIX installations used to enable a large number of
services (including rsh/rlogin and telnet) by default. These services are
now deprecated, and mainstream distributions disable most or all network
services by default and present dire warnings in their various
enabling dialog boxes and UI's). before allowing users to enable them.
These changes are not panacea. However, they are significant in that they
hold out the promise of reducing the number and severity of future bugs,
and they artificially inflate recent statistics (since the majority of this
work as been over the last two or three years).
Fred will undoubtedly dismiss these comments as being more "rabid
advocation" by a self-admitted Linux enthusiast. He may even point to MS'
own widely touted "trustworthy computing" PR campaign as evidence of a
parallel effort on "the other side of the Gates." However this message
isn't really written to him.
It's written to those who want to make things better.
The real difference between security in MS and in Linux is qualitative
rather than quantitative. With Linux every user and administrator is
empowered to help themselves. Every one of us can, and many more of us
should, accept a greater responsibility for our systems and their integrity
and security. Linux users (including corporations, governments and other
organizations) can find and fix bugs and can participate in a global
community effort to eliminate them and improve these systems for everyone.
Let's not get wrapped up in blind enthusiasm and open source patriotism.
But let us not fall prey the the claim that there is no difference. There
is a difference and each one of us can be a part of making that difference.
JimD
Page editor: Jonathan Corbet