
LWN.net Weekly Edition for February 22, 2007

Wind River buys RTLinux

Among many in the real-time community, it is a matter of accepted faith that a general-purpose kernel (such as the Linux kernel) cannot be expected to perform properly in a situation where deterministic, real-time response is required. Things may work most of the time, but one never knows when such a kernel may get distracted for too long, with disastrous results for real-time applications. On the other hand, general-purpose kernels do tend to provide nicer programming environments than hard real-time kernels. So real-time developers can be faced with a fundamental conflict: deterministic response or a rich environment?

One longstanding attempt to resolve this conflict is RTLinux. At its core, RTLinux is a small, real-time kernel without a great deal of functionality. One of the things RTLinux can do, however, is run a normal Linux kernel as a low-priority task. The RTLinux kernel responds to interrupts, passing them through to the real-time code when appropriate; Linux only gets a chance to run when the real-time code has finished. In an RTLinux system, a small amount of real-time code can perform data acquisition or other real-time tasks while leaving much of the more time-flexible processing to Linux-based code.

One interesting thing to know about RTLinux is that the basic technique is patented. This patent - first covered in LWN in February, 2000 - was a relatively early indication of just how software patent claims can affect free software users. The core RTLinux code was licensed under the GPL, but it was not truly free; anybody wanting to use it was subject to the terms imposed by the patent owner. Those terms were eventually spelled out in the RTLinux patent license which allowed royalty-free use provided that either (1) the "Open RTLinux" distribution was used without modifications, or (2) the entire application was licensed under the GPL. Not everybody was happy with this license, but most of the world found ways of living with it or avoiding the patent, and things got quiet on the RTLinux front for some years.

On February 20, however, Wind River Systems announced the acquisition of RTLinux - including the patent. Interestingly, nothing to be found in Wind River's press release or acquisition FAQ mentions the patent license in any way. The text of that license, meanwhile, has disappeared from the FSMLabs site and has yet to reappear on the Wind River site. LinuxWorld ran an article on the acquisition with a verbal statement from Wind River that the license would be maintained, which is a step in the right direction, but it hardly adds up to a commitment on Wind River's part.

It is entirely possible that Wind River will continue with the current policy. Perhaps Wind River will even make new "Open RTLinux" releases allowing licensees to run reasonably contemporary software. At the moment, however, this code does not appear to be downloadable from anywhere, and there is no indication of when that situation might change. Along these lines, it's worth looking at some text from the acquisition FAQ [PDF]:

There are other real-time Linux products available in open source today. However, RTLinux is the only commercially supported, hard real-time product available today. Other open source versions of RTLinux are based on much older versions of the technology or on older distributions.

Given that Wind River sees an advantage to having a newer RTLinux than the "open source" versions, updated free releases of RTLinux from Wind River seem unlikely.

For anybody who is concerned, there are alternative approaches to real time and Linux which are worthy of consideration. At the lowest level, there is Adeos, a "nanokernel" which makes RTLinux-like functionality available while avoiding the claims of the RTLinux patent. Rather than run the general-purpose kernel as a task of the real-time kernel, Adeos runs both as tasks underneath itself. Adeos, in turn, is used at the base of RTAI, a longstanding RTLinux competitor. Things have been relatively quiet on the RTAI front in recent times, but a look at the RTAI-Lab project suggests that interesting things are happening there still.

Beyond that, work on the real-time preemption project, which aims to make Linux, itself, a real-time capable kernel, continues, and much of that work has found its way into the mainline. It will always be harder to prove that a full Linux kernel can provide deterministic response times, but, for many applications, the real-time performance of this kernel will be more than good enough. Some real-time vendors are already shipping products based on this work.

There may well be an ongoing market for the RTLinux technology that Wind River has just bought. It would be nice if Wind River could find a way to exploit that market while, simultaneously, using RTLinux to increase its contributions back to the community. There are few indications that Wind River sees RTLinux as anything more than a product, though, so those hoping for a more community-oriented stance may well be disappointed. The good news is that the alternatives are plentiful and quickly getting better.


Notes from the Fedora front

There have been a few events of interest in the Fedora community recently; this article will attempt to provide a quick overview thereof. For the purposes of this page, "events of interest" do not include personalities who have decided to switch loudly to a different distribution.

The Fedora project has been trying to open itself up to contributions from the community, with slow (but real) success. The community is not just made up of developers and packagers, however; it turns out there is a group of motivated people who would like to help out with the Fedora artwork. Good design can be as hard as good code, and one would think that this sort of contribution would be welcome. And, to an extent, it is - to an extent.

There has been a conversation happening on the fedora-art list recently; some of the themes can be seen in this posting. It seems, frankly, that the Red Hat-based Fedora folks are concerned about the quality of artwork contributions and (though they don't say so in so many words) loss of control over the default look of the distribution. The end result is that the Fedora board has decided that contributed artwork will not be part of the default Fedora theme; instead, that work will be done within Red Hat. The project is trying not to close the door completely:

But the default theme is not all there is to the Artwork project. There are many things left to do, including the Echo icon set. Redesign and new art is needed for the Wiki, infrastructure applications, the "Some Day Soon" Plone site, and so forth. In addition, Fedora is not limited to just the default release art. As part of the initiative to give users the ability to spin their own distributions built on Fedora, we'd like contributor art to be able to function as a drop-in RPM package replacement for the default release art.

Nonetheless, there is a fair amount of disappointment in the artwork community at the moment.

On a related issue, the recent revelation that Dell's customers are asking for preinstalled Linux systems has created some interest in the Fedora community. Having a vendor as large as Dell preinstall Fedora would have clear benefits in helping the project to expand its user base. The Fedora folks would like to help make that happen, but it seems that there are some potential roadblocks on the way:

Unless we create the second logo set, I don't think we'll get very far with pre-installation. Most vendors will want to sweeten the user experience, and possibly add branding. Any of that will make it no longer Fedora, and the vendor would be unable to make such claims under the trademark policy. They'd have to remove all the Fedora/RH trademarked logos and such too.

Some members of the advisory-board list have pointed out that worrying about the trademark policy is getting ahead of the game; making the distribution work seamlessly on, say, Dell laptops should maybe come first. Still, this issue points out the hazards of mixing trademark licensing and free software. Sometimes the results are not even in the trademark holder's interest.

Dell laptops were mentioned because the project knows that a surprisingly large number of its users are installing Fedora on those systems. How does Fedora know this? The answer is a tool called "smolt," which gathers information on the underlying hardware and phones home with it. The project is quite careful about how this communication is done - no connection is made until the user explicitly agrees to it happening. Even so, there have been some complaints on the lists, along with suggestions that it could be illegal under the privacy laws of some countries, especially in Europe.

The project is currently working on a privacy policy to govern its use of data gathered from smolt. It looks fairly tight; the project really is just interested in the sort of hardware its distribution is running on, not the people who are running it. Nonetheless, if anybody has concerns about the use of this information (which might be expanded to include a list of packages installed on the system), now would be the time to express them.

During a recent Fedora board meeting, there was discussion of the Fedora 7 release delay, and, in particular, whether support for Fedora Core 5 and 6 would be extended to compensate. It came out that, while a number of people assume that the new 13-month support policy came into effect when it was adopted, that is not how the project understands it. The Fedora Core releases are currently expected to be supported under the old way of doing things: support for Fedora Core 5 will end when the second Fedora 7 test release (which just went into freeze mode) comes out. Support for Fedora Core 6 will end during the Fedora 8 development cycle. The full 13-month (or "2n+1") support mode is only expected to begin with Fedora 7. There has been some talk of trying to extend security support for FC5 and FC6, but it is not at all clear that it will happen.

Finally, it has been noted that a number of Fedora tasks seem to be going more slowly than many people would like. The word that your editor has heard is that much of this has to do with the impending release of RHEL 5. Getting that release into final form has been causing some heavy demands on Red Hat's developers, with the result that less time is available for working on Fedora. Once the RHEL release is out, things can be expected to pick up a bit on the Fedora side.


Who wrote 2.6.20?

Time recently published an article entitled Getting rich off those who work for free which, among other things, talked about free software this way:

Open-source, volunteer-created computer software like the Linux operating system and the Firefox Web browser have also established themselves as significant and lasting economic realities.

It is not uncommon to see Linux referred to as a volunteer-created system, as opposed to the corporate-sponsored, proprietary alternatives. There has been little research, however, into how much work on Linux is truly "volunteer" - done on a hacker's spare, unpaid time. In general, the assumption that Linux is created by volunteers is simply accepted.

Determining the real provenance of free software can be a daunting task. There is a wealth of information available for those who look, however. In an attempt to shine some light in this area, your editor hacked up some scripts to do a lot of digging around in the kernel git repository. The idea was that, by looking at who is putting changes into the kernel, we can get a sense for where our source is coming from.

Who got patches into 2.6.20

This study looked at the stream of patches that changed the 2.6.19 kernel into the current 2.6.20 release. There were, as it turns out, 4983 non-merge changesets in this release, contributed by 741 different developers. (Merge changesets mark where the contents of other repositories were pulled into the mainline, but they do not carry any code changes, so the analysis skipped them). These patches added 286,439 lines of code and removed 159,812 others, for a total growth of 126,627 lines over the 2.6.20 development cycle.

Your editor's scripts looked over every non-merge commit in 2.6.20. For each, the developer listed as the "author" was given credit for the patch. This approach is not entirely fair, since one developer will, in some cases, be submitting code written by a group of people. In general, though, there is no easy way of getting around this problem - the true breakdown of authorship of a joint work simply is not available in the mainline repository. Your editor believes that this inaccuracy affects the accounting of a relatively small portion of the patches merged into the mainline.

Beyond that, how one generates statistics from a patch stream is an interesting question. How does one measure the productivity of programmers? One possibility is to look at the number of changesets merged. By that metric, this is the list of the most prolific contributors to 2.6.20:

Developers with the most changesets
Developer | Changesets | Percent
Al Viro | 241 | 4.8%
Andrew Morton | 92 | 1.8%
Jiri Slaby | 92 | 1.8%
Adrian Bunk | 87 | 1.7%
Gerrit Renker | 79 | 1.6%
Josef Sipek | 79 | 1.6%
Avi Kivity | 68 | 1.4%
Tejun Heo | 67 | 1.3%
Patrick McHardy | 63 | 1.3%
Ralf Baechle | 61 | 1.2%
Randy Dunlap | 59 | 1.2%
Alan Cox | 58 | 1.2%
Mariusz Kozlowski | 57 | 1.1%
Andrew Victor | 53 | 1.1%
Paul Mundt | 52 | 1.0%
Stefan Richter | 49 | 1.0%
David S. Miller | 48 | 1.0%
Russell King | 44 | 0.9%
Benjamin Herrenschmidt | 44 | 0.9%
Akinobu Mita | 43 | 0.9%

Looking at patch counts rewards developers who put in large numbers of small patches. Al Viro's patches include a vast number of code annotations (to enable better checking with sparse), include file fixups, etc. Many of the changes are small - many do not affect the resulting kernel executable at all - but there are a lot of them. Even so, as the biggest contributor, Al generated less than 5% of the total changesets added to the kernel. The top 20 contributors, all together, generated 28% of the total changesets in 2.6.20.

One could make the argument that a better way to look at the problem is by the number of lines affected by a patch. In this way, a contributor's portion of the whole will not depend on whether it has been split into a long series of small patches or not. On the other hand, simply renaming a file can make it look like a developer has touched a large amount of code. Be that as it may, by looking at lines changed (defined as the greater of the number of lines added or removed by each individual changeset), one gets a table like this:

Developers with the most changed lines
Developer | Lines changed | Percent
Jeff Garzik | 20712 | 6.0%
Patrick McHardy | 15024 | 4.3%
Jiri Slaby | 13917 | 4.0%
Avi Kivity | 11726 | 3.4%
Andrew Victor | 9710 | 2.8%
Amit S. Kale | 9537 | 2.7%
Stephen Hemminger | 9120 | 2.6%
Geoff Levand | 8396 | 2.4%
Michael Chan | 8307 | 2.4%
Chris Zankel | 8099 | 2.3%
Mauro Carvalho Chehab | 7390 | 2.1%
Adrian Bunk | 6138 | 1.8%
Yoshinori Sato | 5232 | 1.5%
Al Viro | 4981 | 1.4%
Benjamin Herrenschmidt | 4588 | 1.3%
Thierry MERLE | 4549 | 1.3%
Dan Williams | 4516 | 1.3%
Jonathan Corbet | 3924 | 1.1%
Gerrit Renker | 3857 | 1.1%
Jiri Kosina | 3805 | 1.1%

Jeff Garzik comes out on top of this particular measurement by virtue of having deleted the long-unmaintained floppy tape subsystem. Patrick McHardy's work includes a number of additions to the netfilter subsystem, Jiri Slaby did a great deal of driver cleanup work, Avi Kivity was the contributor of the KVM virtualization code, and Andrew Victor contributed a number of ARM-related patches and the Atmel AT91 i2c driver. (The contributions made by other authors can be found by searching out their name in the 2.6.20 short-form changelog).

Most of the developers in the above list got there by adding code to the kernel. It can be said, however, that the true heroes in the development community are those who remove code and make the kernel smaller. The developers who were best at removing more code than they added were:

Developers with the most lines removed
Developer | Lines removed | Percent
Jeff Garzik | 19862 | 12.4%
Chris Zankel | 5608 | 3.5%
Adrian Bunk | 5528 | 3.5%
Arnd Bergmann | 2224 | 1.4%
Linus Torvalds | 1739 | 1.1%
Atsushi Nemoto | 1425 | 0.9%
Thierry MERLE | 911 | 0.6%
David Gibson | 878 | 0.5%
Dominik Brodowski | 528 | 0.3%
Stefan Richter | 509 | 0.3%

Once again, Jeff Garzik's removal of ftape comes out on top, by far. Chris Zankel cleaned up the Xtensa architecture, removing a number of files in the process. Adrian Bunk worked on the ftape removal, got rid of the frame diverter code, removed an old, broken block driver, and generally performed cleanups all over the tree. Mr. Bunk is, in fact, the bane of old code; over the last year (since 2.6.16) he has removed a full 127,000 lines from the kernel source tree. Arnd Bergmann got rid of a bunch of syscall*() macros. Linus Torvalds removed the broken x86 stack unwinder code.

Finally, one could look at a different measure entirely: the number of patches signed off by each developer. A Signed-off-by: line is an indication that the person involved believes that the code is suitable for merging into the kernel; it implies that some degree of attention has been paid to the patch. Authors sign off their code, as do the subsystem maintainers who pass it up the chain. The top signers-off in 2.6.20 were:

Developers with the most signoffs
Developer | Signoffs | Percent
Andrew Morton | 1422 | 13.7%
Linus Torvalds | 1366 | 13.2%
David S. Miller | 483 | 4.7%
Jeff Garzik | 331 | 3.2%
Greg Kroah-Hartman | 269 | 2.6%
Al Viro | 241 | 2.3%
Paul Mackerras | 232 | 2.2%
Andi Kleen | 177 | 1.7%
Mauro Carvalho Chehab | 170 | 1.6%
Russell King | 166 | 1.6%
Adrian Bunk | 120 | 1.2%
Arnaldo Carvalho de Melo | 119 | 1.1%
Ralf Baechle | 117 | 1.1%
James Bottomley | 109 | 1.1%
Patrick McHardy | 96 | 0.9%
Jiri Slaby | 94 | 0.9%
Avi Kivity | 87 | 0.8%
Josef Sipek | 79 | 0.8%
Paul Mundt | 78 | 0.8%
Gerrit Renker | 78 | 0.8%

There were a total of 10,354 signoff lines in the 2.6.20 patch stream, so each changeset, on average, was signed off just over two times. It is interesting that Linus, who ultimately merges every patch, only signed off 13% of them. It seems that most patches, these days, go directly into the mainline from subsystem repositories without a signoff from Linus or Andrew. Most of the other names on that list, with just a few exceptions, are the maintainers of subsystem or architecture trees.

Who paid them

So now we have a sense for who got their fingers on the code which went into 2.6.20. But one interesting question still has not been answered: to what extent was that code contributed by volunteers (or "hobbyists")? Finding an answer to that question is somewhat trickier than looking at who wrote the patches, mostly because very few developers say "I wrote this on behalf of my employer."

The approach taken by your editor was relatively simplistic, but, perhaps, the best that is practical. Any patch whose author's given email address indicates a corporate affiliation is assumed to have been developed by an employee of that corporation. So any patch posted by somebody with an ibm.com email address is accounted as having been done by an IBM employee. Things are complicated by the fact that many people who work for companies do not use corporate addresses; it is not unheard-of for companies to have policies explicitly prohibiting code contributions associated with their domains. Your editor has coped with this problem by filling in the relevant developer's affiliation whenever it is known to him; in some cases, the developer was asked for this information.

This method has the effect of crediting all of an employee's work to his or her employer. In many cases, the situation is probably more complicated than that; one assumes, for example, that a certain kernel hacker's employer has not directed him to hack on Battle for Wesnoth. When looking only at kernel code, however, crediting all work to the employer is probably relatively safe.

Using this approach, the top sources of changesets were:

Top changeset contributors by employer
Employer | Changesets | Percent
(Unknown) | 1244 | 25.0%
Red Hat | 636 | 12.8%
(None) | 383 | 7.7%
IBM | 368 | 7.4%
Novell | 295 | 5.9%
Linux Foundation | 261 | 5.2%
Intel | 178 | 3.6%
Oracle | 126 | 2.5%
Google | 97 | 1.9%
University of Aberdeen | 79 | 1.6%
HP | 78 | 1.6%
Qumranet | 71 | 1.4%
Nokia | 67 | 1.3%
SGI | 64 | 1.3%
Astaro | 63 | 1.3%
MIPS Technologies | 61 | 1.2%
SANPeople | 53 | 1.1%
Miracle Linux | 43 | 0.9%
MontaVista | 41 | 0.8%
Broadcom | 39 | 0.8%

Looking instead at the number of lines of code changed, the results become:

Top lines changed by employer
Employer | Lines changed | Percent
(Unknown) | 66154 | 19.0%
Red Hat | 44527 | 12.8%
(None) | 38099 | 11.0%
IBM | 25244 | 7.3%
Astaro | 15306 | 4.4%
Linux Foundation | 13638 | 3.9%
Qumranet | 12108 | 3.5%
Novell | 11930 | 3.4%
Intel | 11652 | 3.4%
SANPeople | 9888 | 2.8%
NetXen | 9607 | 2.8%
Sony | 8497 | 2.4%
Broadcom | 8349 | 2.4%
Tensilica | 8195 | 2.4%
Nokia | 5581 | 1.6%
MontaVista | 4394 | 1.3%
University of Aberdeen | 4324 | 1.2%
LWN.net | 3975 | 1.1%
Secretlab | 3370 | 1.0%
HP | 3211 | 0.9%

[Note that these tables have been updated once since the article was originally published; the curious can see what the original versions looked like.]

In these tables, the line marked "(Unknown)" is exactly that: patches for which existence of a supporting employer could not be determined. The line marked "(None)", instead, indicates the patches from developers known to be working on their own time.

Either way, the results come out about the same: at least 65% of the code which went into 2.6.20 was created by people working for companies. If the entire "unknown" group turns out to be developers working on a volunteer basis - an unlikely result - then just over 1/3 of the 2.6.20 patch stream was written by volunteers. The real number will be lower, but it still shows that a significant portion of the code we run is written by developers who are donating their time.

One year's worth of changes

Looking at a single kernel release is instructive, but it can also be deceptive. The relatively short release cycle used by the kernel project makes it fairly easy for prolific developers to see few of their patches go into a specific release. In an attempt to gain a longer-term perspective, your editor forced his suffering system to crank through the entire history from 2.6.16 (released almost exactly one year ago) to the present. Some 28,000 non-merge changesets have been added to the mainline (by 1,961 developers) over that time, replacing 1.26 million lines of old code with 2.01 million lines of new code - the kernel grew by 754,000 lines.

The developers who touched the most lines over that time were:

Developers with the most changed lines
Developer | Lines changed | Percent
Adrian Bunk | 134021 | 5.3%
Jeff Garzik | 87847 | 3.5%
Andrew Vasquez | 75195 | 3.0%
Mauro Carvalho Chehab | 68568 | 2.7%
David Teigland | 46607 | 1.9%
Ralf Baechle | 38559 | 1.5%
David S. Miller | 35958 | 1.4%
Andrew Victor | 35594 | 1.4%
Bryan O'Sullivan | 33901 | 1.4%
Paul Mundt | 27041 | 1.1%
Dave Kleikamp | 26615 | 1.1%
Lennert Buytenhek | 25192 | 1.0%
Haavard Skinnemoen | 24372 | 1.0%
Ben Dooks | 23207 | 0.9%
Patrick McHardy | 23175 | 0.9%
Ingo Molnar | 22456 | 0.9%
James Bottomley | 22205 | 0.9%
David Howells | 19168 | 0.8%
Jiri Slaby | 18335 | 0.7%
Divy Le Ray | 17909 | 0.7%

The results for employers were:

Top lines changed by employer
Employer | Lines changed | Percent
(Unknown) | 740990 | 29.5%
Red Hat | 361539 | 14.4%
(None) | 239888 | 9.6%
IBM | 200473 | 8.0%
QLogic | 91834 | 3.7%
Novell | 91594 | 3.6%
Intel | 78041 | 3.1%
MIPS Technologies | 58857 | 2.3%
Nokia | 39676 | 1.6%
SANPeople | 36038 | 1.4%
SteelEye | 36021 | 1.4%
Freescale | 35034 | 1.4%
Linux Foundation | 34163 | 1.4%
MontaVista | 30211 | 1.2%
Simtec | 26166 | 1.0%
Atmel | 25975 | 1.0%
HP | 23714 | 0.9%
SGI | 22057 | 0.9%
Oracle | 21251 | 0.8%
Open Grid Computing | 20505 | 0.8%

The end result of all this is that a number of the widely-expressed opinions about kernel development turn out to be true. There really are thousands of developers - at least, almost 2,000 who put in at least one patch over the course of the last year. Linus Torvalds is directly responsible for a very small portion of the code which makes it into the kernel. Contemporary kernel development is spread out among a broad group of people, most of whom are paid for the work they do. Overall, the picture is of a broad-based and well-supported development community.

There are many other interesting things to be learned by looking at the kernel's development history. Expect more articles along these lines as your editor finds the time to improve his scripts.


Page editor: Jonathan Corbet

Security

A PostgreSQL flaw

February 21, 2007

This article was contributed by Jake Edge.

An announcement of possibly insecure practices in user-defined PostgreSQL functions seems at first blush to be a fairly straightforward advisory; a deeper look reveals some serious implications. It is a problem that echoes a textbook security hole in UNIX setuid programs; it would appear that the developers did not consider that history when adding a setuid-like capability to PostgreSQL. Unfortunately, it also appears that the fix that the advisory recommends is not up to the task of resolving the issue. Anyone using SECURITY DEFINER functions in PostgreSQL probably has quite a large job ahead of them to clear up this particular mess.

PostgreSQL functions can be declared as "SECURITY DEFINER" functions, which causes them to run with the privileges of the owner rather than those of the invoker. PostgreSQL binds the operators and functions called at runtime and searches each element in the schema path to find them. Unfortunately, the user invoking the function can control the schema search path and, by defining operators or other functions that are used by the SECURITY DEFINER function, the invoker can run any code with the permissions of the owner.

The once common, now hopefully largely eradicated, UNIX parallel was a vulnerability in setuid programs that invoked other programs via exec(). If the program did not either sanitize its PATH environment variable or fully specify the path to the executable, it was vulnerable to attackers who would put their own code in the path, with the same name as the executable, ahead of the standard program. When the setuid program executed, it would grab the wrong binary and the attacker could run arbitrary code with the permissions of the owner of the setuid program. Another important requirement is that all elements of the sanitized PATH and the directory of the binary are not writable by non-privileged users.

So, much like the solution to the UNIX issue, the advisory suggests that SECURITY DEFINER functions specify a sanitized schema path. The equivalent to a fully specified path is not recommended as it is "likely to induce mistakes and will furthermore make the source code harder to read and maintain." Unfortunately, it turns out that because of the way PostgreSQL processes the function definitions, the only solution is to schema-qualify each and every function and operator reference in the function. In addition, setting a schema search path in a function is not local to the function; it changes the global search path for the whole program. Functions that do this should restore the original search path on exit.

It turns out that the references in a function are resolved as PostgreSQL creates an execution plan for the function. This is prior to actually executing the "set search path" operation in the function and so it will bind to functions and operators in the user controlled schema path as described here. The only alternative is the laborious and error-prone task of schema-qualifying function and operator references in SECURITY DEFINER functions.
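To make the schema-qualification requirement concrete, here is an added example (not taken from the advisory or from PostgreSQL's own code) showing a SECURITY DEFINER function with unqualified references next to its schema-qualified form, followed by a catalog query that inventories the functions needing review. The schema `app`, the table `app.accounts` and both function names are hypothetical.

```sql
-- Hypothetical schema and table used by both functions below.
CREATE SCHEMA app;
CREATE TABLE app.accounts (
    owner   name    NOT NULL,   -- database role that owns the row
    balance numeric NOT NULL
);

-- Weak form: round() and the "=" operator are unqualified, so each is
-- looked up through whatever search path is in effect for the caller,
-- while the body runs with the privileges of the function's owner.
CREATE FUNCTION app.my_balance_weak() RETURNS numeric AS $$
    SELECT round(balance, 2)
      FROM app.accounts
     WHERE owner = session_user
$$ LANGUAGE sql SECURITY DEFINER;

-- Schema-qualified form: every function and operator reference names
-- its schema explicitly, so the lookup no longer depends on the
-- caller's search path. Operators need the OPERATOR(schema.op) syntax.
CREATE FUNCTION app.my_balance() RETURNS numeric AS $$
    SELECT pg_catalog.round(a.balance, 2)
      FROM app.accounts AS a
     WHERE a.owner OPERATOR(pg_catalog.=) session_user
$$ LANGUAGE sql SECURITY DEFINER;

-- Inventory for the audit: every SECURITY DEFINER function in the
-- current database, with the role it runs as and its source text, so
-- that each body can be checked for unqualified references.
SELECT n.nspname                             AS function_schema,
       p.proname                             AS function_name,
       pg_catalog.pg_get_userbyid(p.proowner) AS runs_as,
       l.lanname                             AS language,
       p.prosrc                              AS source
  FROM pg_catalog.pg_proc      AS p
  JOIN pg_catalog.pg_namespace AS n ON n.oid OPERATOR(pg_catalog.=) p.pronamespace
  JOIN pg_catalog.pg_language  AS l ON l.oid OPERATOR(pg_catalog.=) p.prolang
 WHERE p.prosecdef
 ORDER BY 1, 2;
```

Functions owned by a superuser in the `runs_as` column are the ones to review first, since a hijacked reference in them runs with the widest privileges.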

This is a very unfortunate outcome for a feature that was meant to promote more secure database usage. The idea is to separate the database privileges into different users but to still allow users with few privileges to perform a restricted set of privileged operations. It is surprising that the UNIX setuid issues from the dawn of time_t were not more closely studied when this feature was implemented. It would also seem that the PostgreSQL developers will need to rework how the execution plan and search path interact to fix this design flaw.


New vulnerabilities

clamav: directory traversal, denial of service

Package(s): clamav
CVE #(s): CVE-2007-0897 CVE-2007-0898
Created: February 20, 2007
Updated: March 7, 2007
Description: Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. (CVE-2007-0897)

Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message. (CVE-2007-0898)

Alerts:
Debian DSA-1263-1 clamav 2007-03-06
Gentoo 200703-03 clamav 2007-03-02
SuSE SUSE-SA:2007:017 clamav 2007-02-23
Mandriva MDKSA-2007:043 clamav 2006-02-19


ekiga: format string vulnerability

Package(s): ekiga
CVE #(s): CVE-2007-1006 CVE-2007-0999
Created: February 21, 2007
Updated: March 30, 2007
Description: Ekiga contains a format string vulnerability in the code which processes control messages from remote peers.

If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges.

Alerts:
Gentoo 200703-25 ekiga 2007-03-29
Red Hat RHSA-2007:0087-02 ekiga 2007-03-14
Mandriva MDKSA-2007:058 ekiga 2007-03-08
Ubuntu USN-434-1 ekiga, gnomemeeting 2007-03-09
Fedora FEDORA-2007-322 ekiga 2007-03-07
Fedora FEDORA-2007-321 ekiga 2007-03-07
Ubuntu USN-426-1 ekiga, gnomemeeting 2007-02-22
Mandriva MDKSA-2007:044 ekiga 2007-02-21
Fedora FEDORA-2007-263 ekiga 2007-02-20
Fedora FEDORA-2007-262 ekiga 2007-02-20


fail2ban: denial of service

Package(s): fail2ban
CVE #(s): CVE-2006-6302
Created: February 16, 2007
Updated: July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
Alerts:
Gentoo 200702-05 fail2ban 2007-02-16


gnomemeeting: format string flaw

Package(s): gnomemeeting
CVE #(s): CVE-2007-1007
Created: February 20, 2007
Updated: March 5, 2007
Description: A format string flaw was found in the way GnomeMeeting processes certain messages. If a user is running GnomeMeeting, a remote attacker who can connect to GnomeMeeting could trigger this flaw and potentially execute arbitrary code with the privileges of the user.
Alerts:
Debian DSA-1262-1 gnomemeeting 2007-03-04
Mandriva MDKSA-2007:045 gnomemeeting 2007-02-21
Red Hat RHSA-2007:0086-01 gnomemeeting 2007-02-20


gnucash: temporary file vulnerability

Package(s): gnucash
CVE #(s): CVE-2007-0007
Created: February 21, 2007
Updated: February 27, 2007
Description: Gnucash (2.0.4 and prior) suffers from a set of symbolic link vulnerabilities.
Alerts:
Fedora FEDORA-2007-256 gnucash 2007-02-27
Mandriva MDKSA-2007:046 gnucash 2007-02-21


kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2006-0007 CVE-2007-0006
Created: February 15, 2007
Updated: November 14, 2007
Description: Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash.
Alerts:
Fedora FEDORA-2007-599 kernel 2007-06-21
Red Hat RHSA-2007:0099-02 kernel 2007-03-14
rPath rPSA-2007-0050-1 kernel 2007-03-06
Red Hat RHSA-2007:0085-01 kernel 2007-02-27
Mandriva MDKSA-2007:047 kernel 2007-02-21
Fedora FEDORA-2007-226 kernel 2007-02-13
Fedora FEDORA-2007-225 kernel 2007-02-13


MoinMoin: cross-site scripting and information leak

Package(s): moin moinmoin
CVE #(s): CVE-2007-0901 CVE-2007-0902
Created: February 21, 2007
Updated: February 21, 2007
Description: MoinMoin suffers from a pair of vulnerabilities. An attacker who tricks a MoinMoin user into viewing a specially-crafted URL can execute arbitrary JavaScript with the user's privileges. There is also an information disclosure vulnerability which can tell an attacker about the versions of software running on the system.
Alerts:
Ubuntu USN-423-1 moin, moin1.3 2007-02-20

php: multiple vulnerabilities

Package(s): php    CVE #(s): CVE-2007-0906 CVE-2007-0907 CVE-2007-0908 CVE-2007-0909 CVE-2007-0910 CVE-2007-0988
Created: February 20, 2007    Updated: March 21, 2007
Description: A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any of these issues could trigger these flaws and possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)

If unserializing untrusted data on 64-bit platforms, the zend_hash_init() function can be forced to enter an infinite loop, consuming CPU resources for a limited length of time, until the script timeout alarm aborts execution of the script. (CVE-2007-0988)

If the wddx extension is used to import WDDX data from an untrusted source, certain WDDX input packets may allow a random portion of heap memory to be exposed. (CVE-2007-0908)

If the odbc_result_all() function is used to display data from a database, and the contents of the database table are under the control of an attacker, a format string vulnerability is possible which could lead to the execution of arbitrary code. (CVE-2007-0909)

A one byte memory read will always occur before the beginning of a buffer, which could be triggered for example by any use of the header() function in a script. However it is unlikely that this would have any effect. (CVE-2007-0907)

Several flaws in PHP could allow attackers to "clobber" certain super-global variables via unspecified vectors. (CVE-2007-0910)

Alerts:
Gentoo 200703-21 PHP 2007-03-20
SuSE SUSE-SA:2007:020 php4,php5 2007-03-15
Red Hat RHSA-2007:0082-02 PHP 2007-03-14
Ubuntu USN-424-2 USN-424-1 fixed 2007-03-08
Debian DSA-1264-1 php4 2007-03-07
rPath rPSA-2007-0043-1 php 2007-02-27
Fedora FEDORA-2007-287 php 2007-02-26
OpenPKG OpenPKG-SA-2007.010 php 2007-02-23
Slackware SSA:2007-053-01 php 2007-02-23
Mandriva MDKSA-2007:048 php 2006-02-22
Red Hat RHSA-2007:0088-01 PHP 2007-02-22
Ubuntu USN-424-1 php5 2007-02-21
Red Hat RHSA-2007:0081-01 PHP 2007-02-21
Fedora FEDORA-2007-261 php 2007-02-20
Red Hat RHSA-2007:0076-01 PHP 2007-02-19

spamassassin: denial of service

Package(s): spamassassin    CVE #(s): CVE-2007-0451
Created: February 16, 2007    Updated: March 14, 2007
Description: Version 3.1.8 of Spamassassin fixes some bugs and a malformed HTML denial of service vulnerability.
Alerts:
Red Hat RHSA-2007:0075-02 spamassassin 2007-03-14
Gentoo 200703-02 spamassassin 2007-03-02
Mandriva MDKSA-2007:049 spamassassin 2007-02-23
rPath rPSA-2007-0038-1 spamassassin 2007-02-23
Red Hat RHSA-2007:0074-01 spamassassin 2007-02-21
Fedora FEDORA-2007-242 spamassassin 2007-02-15
Fedora FEDORA-2007-241 spamassassin 2007-02-15

sun-jdk: arbitrary code execution

Package(s): sun-jdk    CVE #(s): CVE-2007-0243
Created: February 19, 2007    Updated: April 25, 2007
Description: An anonymous researcher discovered that an error in the handling of a GIF image with a zero width field block leads to a memory corruption flaw. An attacker could entice a user to run a specially crafted Java applet or application that would load a crafted GIF image, which could result in escalation of privileges and unauthorized access to system resources.
Alerts:
Red Hat RHSA-2007:0167-01 java-1.5.0-ibm 2007-04-25
Red Hat RHSA-2007:0166-01 java-1.4.2-ibm 2007-04-25
Gentoo 200702-08 emul-linux-x86-java 2007-02-17
Gentoo 200702-07 sun-jdk 2007-02-17

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.21-rc1, released on February 20. "There's a lot of changes, as is usual for an -rc1 thing, but at least so far it would seem that 2.6.20 has been a good base, and I don't think we have anything *really* scary here." Significant changes include the long-awaited dynamic tick patch, better high-resolution timer support, the VMI virtualization interface (now built on top of paravirt_ops), the ALSA "system on chip" layer, lots of new drivers, and more. See the short-form changelog for details, or the full changelog for lots of details.

As of this writing, a few hundred patches have found their way into the mainline git repository since -rc1 was released. Most of them are in the Video4Linux subsystem, adding ASUS P7131 remote control support, BTTV cropping support, a big update to the pvrusb2 WinTV driver, a new MSI Mega Sky 580 driver, and quite a bit more.

The current -mm tree is 2.6.20-mm2. Recent changes to -mm include Xen DomU support, lguest, Blackfin architecture support, more workqueue changes, POSIX listio completion support for asynchronous I/O, utrace (a new tracing mechanism meant to replace ptrace()), and the kernel markers patch.

Stable kernel updates: 2.6.20.1, 2.6.19.4, and 2.6.18.7 were all released on February 20 with a single patch: a fix for the NFS ACL denial of service vulnerability. Larger updates for 2.6.18 and 2.6.19 (probably the last stable updates for both of those kernels) are currently in the works, with a likely release around the 23rd or 24th.

2.6.16.41 was released on February 18 with about a dozen fixes.

Kernel development news

More changes for 2.6.21

With the release of 2.6.21-rc1, the merge window for this kernel development cycle is now closed. Most of the major 2.6.21 changes were covered here last week, but a number of significant changes did get into the mainline between then and the closing of the window. They are:

  • The VMI virtualization interface has been merged. VMI is a generic hypervisor interface; it is (now) built on top of paravirt_ops and provides a higher level of functionality.

  • The clocksource and dynamic tick patches have been merged.

  • Various improvements to the kernel's support for Sony laptops.

  • The deprecated ACPI "hotkey" driver has been removed.

  • Version 1 of the JFFS filesystem has been removed.

  • The audit subsystem has a "lockdown" mode where further configuration changes cannot be made.

  • A simple driver allowing Blackberry devices to be charged from a Linux system's USB port has been merged.

  • A big ARM update has been merged with oprofile support for ARMv6 processors, kexec() support, support for a number of new board and processor variants, and more.

  • The v9fs (Plan 9) filesystem has seen a number of improvements, mostly in the form of better caching.

  • The SYSV shared memory code has been reworked for more sane internal file usage and easier integration into the ongoing containers / namespaces work.

  • A driver for the Silicon Motion SM501 "multimedia companion" chip has been added.

Now the stabilization period begins, with the final 2.6.21 due somewhere approximately around the beginning of May.

The managed resource API

The device resource management patch was discussed here in January. That patch has now been merged for the 2.6.21 kernel. Since the API is now set - at least, as firmly as any in-kernel API is - it seems like a good time for a closer look at this new interface.

The core idea behind the resource management interface is that remembering to free allocated resources is hard. It appears to be especially hard for driver writers who, justly or not, have a reputation for adding more than their fair share of bugs to the kernel. And even the best driver writers can run into trouble in situations where device probing fails halfway through; the recovery paths may be there in the code, but they tend not to be well tested. The result of all this is a fair number of resource leaks in driver code.

To address this problem, Tejun Heo created a new set of resource allocation functions which track allocations made by the driver. These allocations are associated with the device structure; when the driver detaches from the device, any left-over allocations are cleaned up. The resource management interface is thus similar to the talloc() API used by the Samba hackers, but it is adapted to the kernel environment and covers more than just memory allocations.

Starting with memory allocations, though, the new API is:

    void *devm_kzalloc(struct device *dev, size_t size, gfp_t gfp);
    void devm_kfree(struct device *dev, void *p);

In a pattern we'll see repeated below, the new functions are similar to kzalloc() and kfree() except for the new names and the addition of the dev argument. That argument is necessary for the resource management code to know when the memory can be freed. If any memory allocations are still outstanding when the associated device is removed, they will all be freed at that time.

Note that there is no managed equivalent to kmalloc(); if driver writers cannot be trusted to free memory, it seems, they cannot be trusted to initialize it either. There are also no managed versions of the page-level or slab allocation functions.

Managed versions of a subset of the DMA allocation functions have been provided:

    void *dmam_alloc_coherent(struct device *dev, size_t size,
                              dma_addr_t *dma_handle, gfp_t gfp);
    void dmam_free_coherent(struct device *dev, size_t size, void *vaddr,
                            dma_addr_t dma_handle);
    void *dmam_alloc_noncoherent(struct device *dev, size_t size,
                                 dma_addr_t *dma_handle, gfp_t gfp);
    void dmam_free_noncoherent(struct device *dev, size_t size, void *vaddr,
                               dma_addr_t dma_handle);
    int dmam_declare_coherent_memory(struct device *dev, dma_addr_t bus_addr,
                                     dma_addr_t device_addr, size_t size,
                                     int flags);
    void dmam_release_declared_memory(struct device *dev);
    struct dma_pool *dmam_pool_create(const char *name, struct device *dev,
                                      size_t size, size_t align,
                                      size_t allocation);
    void dmam_pool_destroy(struct dma_pool *pool);

All of these functions have the same arguments and functionality as their dma_* equivalents, but they will clean up the DMA areas on device shutdown. One still has to hope that the driver has ensured that no DMA remains active on those areas, or unpleasant things could happen.

There is a managed version of pci_enable_device():

    int pcim_enable_device(struct pci_dev *pdev);

There is no pcim_disable_device(), however; code should just use pci_disable_device() as usual. A new function:

    void pcim_pin_device(struct pci_dev *pdev);

will cause the given pdev to be left enabled even after the driver detaches from it.

The patch makes the allocation of I/O memory regions with pci_request_region() managed by default - there is no pcim_ version of that interface. The higher-level allocation and mapping interfaces do have managed versions:

    void __iomem *pcim_iomap(struct pci_dev *pdev, int bar, 
                             unsigned long maxlen);
    void pcim_iounmap(struct pci_dev *pdev, void __iomem *addr);

For the allocation of interrupts, the managed API is:

    int devm_request_irq(struct device *dev, unsigned int irq,
                         irq_handler_t handler, unsigned long irqflags,
                         const char *devname, void *dev_id);
    void devm_free_irq(struct device *dev, unsigned int irq, void *dev_id);

For these functions, the addition of a struct device argument was required.

There is a new set of functions for the mapping of I/O ports and memory:

    void __iomem *devm_ioport_map(struct device *dev, unsigned long port,
                                  unsigned int nr);
    void devm_ioport_unmap(struct device *dev, void __iomem *addr);
    void __iomem *devm_ioremap(struct device *dev, unsigned long offset,
                               unsigned long size);
    void __iomem *devm_ioremap_nocache(struct device *dev,
                                       unsigned long offset,
                                       unsigned long size);
    void devm_iounmap(struct device *dev, void __iomem *addr);

Once again, these functions required the addition of a struct device argument for the managed form.

Finally, for those using the low-level resource allocation functions, the managed versions are:

    struct resource *devm_request_region(struct device *dev,
                                         resource_size_t start,
                                         resource_size_t n,
                                         const char *name);
    void devm_release_region(resource_size_t start, resource_size_t n);
    struct resource *devm_request_mem_region(struct device *dev,
                                             resource_size_t start,
                                             resource_size_t n,
                                             const char *name);
    void devm_release_mem_region(resource_size_t start, resource_size_t n);

The resource management layer includes a "group" mechanism, accessed via these functions:

    void *devres_open_group(struct device *dev, void *id, gfp_t gfp);
    void devres_close_group(struct device *dev, void *id);
    void devres_remove_group(struct device *dev, void *id);
    int devres_release_group(struct device *dev, void *id);

A group can be thought of as a marker in the list of allocations associated with a given device. Groups are created with devres_open_group(), which can be passed an id value to identify the group or NULL to have the ID generated on the fly; either way, the resulting group ID is returned. A call to devres_close_group() marks the end of a given group. Calling devres_remove_group() causes the system to forget about the given group, but does nothing with the resources allocated within the group. To remove the group and immediately free all resources allocated within that group, devres_release_group() should be used.

The group functions seem to be primarily aimed at mid-level code - the bus layers, for example. When bus code tries to attach a driver to a device, for example, it can open a group; should the driver attach fail, the group can be used to free up any resources allocated by the driver.

There are not many users of this new API in the kernel now. That may change over time as driver writers become aware of these functions, and, perhaps, as the list of managed allocation types grows. The reward for switching over to managed allocations should be more robust and simpler code as current failure and cleanup paths are removed.
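The mechanism described in this article, as an added user-space model (not kernel code, and not taken from the article or the devres patch): a probe routine with no cleanup paths allocates managed buffers, and a bus-layer wrapper uses a group marker to undo a failed probe. All `model_*` and `demo_*` names, the list layout and the buffer sizes are assumptions made for illustration, and the model omits the close-group marker.

```c
/* User-space model of the devres idea, not kernel code; all names are hypothetical. */
#include <stdlib.h>

struct devres_node {
    struct devres_node *next;     /* newest first, so release order is LIFO */
    void (*release)(void *data);  /* NULL marks a group marker */
    void *data;                   /* managed resource, or the group id */
};
struct model_device { struct devres_node *res; };
static int live_allocs;           /* managed buffers not yet freed */

static int devres_push(struct model_device *dev, void (*release)(void *), void *data)
{
    struct devres_node *n = malloc(sizeof(*n));
    if (!n)
        return -1;
    *n = (struct devres_node){ dev->res, release, data };
    dev->res = n;
    return 0;
}

static void buf_release(void *p) { free(p); live_allocs--; }

/* Analogue of devm_kzalloc(): zeroed memory whose lifetime is tied to dev. */
static void *model_devm_kzalloc(struct model_device *dev, size_t size)
{
    void *p = calloc(1, size);
    if (!p || devres_push(dev, buf_release, p)) {
        free(p);                  /* free(NULL) is a no-op */
        return NULL;
    }
    live_allocs++;
    return p;
}

/* With id: devres_release_group() analogue (marker must exist). NULL id: detach. */
static int model_release(struct model_device *dev, void *id)
{
    int released = 0;
    while (dev->res) {
        struct devres_node *cur = dev->res;
        int is_marker = id && !cur->release && cur->data == id;
        dev->res = cur->next;
        if (cur->release) {
            cur->release(cur->data);
            released++;
        }
        free(cur);
        if (is_marker)
            break;
    }
    return released;
}

/* Analogue of devres_remove_group(): forget the marker, keep the resources. */
static void model_remove_group(struct model_device *dev, void *id)
{
    struct devres_node **pp = &dev->res, *m;
    while ((m = *pp) && (m->release || m->data != id))
        pp = &m->next;
    if (m) {
        *pp = m->next;
        free(m);
    }
}

/* Hypothetical probe with no cleanup paths; fails after step fail_at (0 = never). */
static int model_probe(struct model_device *dev, int fail_at)
{
    if (!model_devm_kzalloc(dev, 64) || fail_at == 1)
        return -1;
    return (!model_devm_kzalloc(dev, 128) || fail_at == 2) ? -1 : 0;
}

/* Bus-layer attach: bracket the probe with a group so a failed probe is undone. */
static int model_bus_attach(struct model_device *dev, int fail_at)
{
    static int group_id;                    /* its address serves as the group id */
    if (devres_push(dev, NULL, &group_id))  /* analogue of devres_open_group() */
        return -1;
    if (model_probe(dev, fail_at)) {
        model_release(dev, &group_id);
        return -1;
    }
    model_remove_group(dev, &group_id);
    return 0;
}

/* Buffers still live after one attach attempt; the device is then detached. */
int demo_live_after_attach(int fail_at)
{
    struct model_device dev = { NULL };
    model_bus_attach(&dev, fail_at);
    int live = live_allocs;
    model_release(&dev, NULL);
    return live;
}

int main(void) { return demo_live_after_attach(2); }  /* exits 0: nothing leaked */
```

A probe that fails after its first or second allocation leaves no live buffers, while a successful attach keeps both until detach releases them.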

A new Intel wireless driver

Almost exactly one year ago, Intel announced the ipw3945 project - a free driver for its 3945ABG wireless adapters. This move was welcomed as a refreshing change from the usual mode of operation in the wireless area, which usually involves binary-only drivers. Even so, this driver was greeted with some complaints; in particular, the binary-only "regulatory daemon" was not a popular idea, despite the fact that it ran entirely in user space. The ipw3945 driver was never merged into the mainline kernel.

In many cases, just getting free drivers from companies seems like a lot to ask. Getting them to go back and start over is often out of the question. That is just what Intel has done, however, and, on February 9, the new version of the driver was announced, complete with a shiny new web site. The new driver should prove more popular than the old one was.

The user-space regulatory daemon is no more. Intel's engineers, it seems, have found a way to move the regulatory function into the device's firmware, getting the host processor out of the regulatory compliance business altogether. That is probably a more robust solution in general, even though, strictly speaking, the flexibility of the hardware has been reduced. Most users will likely look at the tradeoff - better regulatory compliance and no binary-only daemon - and like what they see. Of course, those who see binary-only device firmware as an infringement of their freedom will not feel that the situation has improved much.

Another significant change is that the new driver works with the Devicescape 802.11 stack. Devicescape remains the intended direction for wireless networking in the Linux kernel, so the new driver should be more easily integrated. At least, that will be the case once Devicescape gets into the mainline. For now, Linux users wanting to try out the new driver will also have to get a version of the d80211 module (available from the Intel site) and build that for their kernels as well.

That leads to the obvious question: when will Devicescape make it into the mainline kernel? The process of getting that code ready for merging has taken rather longer than desired, but it is still moving forward. The current plan, it seems, is to rebase the Devicescape code to 2.6.21-rc1, once that's released, and get the result included in the -mm kernel. If all goes well, the Devicescape stack might just find its way into 2.6.22. That would be a major step forward for wireless networking in Linux.

Back to the Intel driver: one thing that is still lacking is any sort of hardware documentation. Anybody not working for Intel will be limited in what they can do with this driver by what they can learn from the code itself. Your editor asked Intel about hardware documentation; we were told:

The reality is the driver sources are the programming information for the hardware. As time goes forward we spend some time trying to improve the comments in the headers for the source files to make it more clear what they do and to provide some overviews of theory-of-operation, but there isn't any self-contained accurate document that covers everything you need to know to program and operate the device.

Given the choice between developing code and writing documentation, the Intel hackers went for the code.

Clockevents and dyntick

One of the last patch sets to be merged before the 2.6.21 window closed was the clockevents and dyntick work from the real-time tree. These patches have been in the works for some time, and were originally targeted for merging in 2.6.19. In the process, the developers (primarily Ingo Molnar and Thomas Gleixner) discovered one of the fundamental laws of kernel development: if your patches break Andrew Morton's laptop, they are unlikely to make it into the mainline. That little difficulty has now been overcome, with the result that 2.6.21 will include some interesting core changes.

Dealing with clock devices has traditionally been handled in the kernel's architecture-specific code. The result has been a lot of duplicated code between architectures (there are more architectures than common timer devices) and no uniform interface for the core kernel to make use of these devices. John Stultz's generic time of day infrastructure resolved a number of those problems, at least for the timekeeping task, but anybody who wanted to program timer devices in a more general way still ended up dealing with architecture-specific code.

The "clockevents" patch set finishes this job. At its core, clockevents creates a driver API for devices which can deliver interrupts at a specific time in the future. The API tracks the capabilities of each timer (resolution and whether it can do one-shot or periodic interrupts, for example) and provides a simple interface for arming the timer. This API is defined in the core kernel, with only a low-level driver remaining in the architecture-specific code. The end result is that the kernel now has the means to query and use timer capabilities in an architecture-independent manner.

With the clockevents mechanism in place, it becomes possible to support truly high-resolution timers. When such a timer is requested, all that is required is to pick a suitable clockevent device and arm it for the desired time. These devices can deliver interrupts with a high degree of precision, with the result that kernel timers, too, can offer high precision - a feature which is of clear utility to real-time users (among others).

The periodic timer tick is now implemented with a clockevent as well. It does all of the things the old timer-based interrupt did - updating jiffies, accounting CPU time, etc. - but it is run out of the new infrastructure.

All of this is an improvement, but there is still one thing which could be better: there is no real need for a periodic tick in the system. That is especially true when the processor is idle. An idle CPU can save quite a bit of power, but waking that CPU up 100 times (or more) per second will hurt those power savings considerably. With a flexible timer infrastructure, there is no point in turning the CPU back on until it has something to do. So, when the (i386) kernel goes into its idle loop, it checks the next pending timer event. If that event is further away than the next tick, the periodic tick is turned off altogether; instead, the timer is programmed to fire when the next event comes due. The CPU can then rest unharassed until that time - unless an interrupt comes in first. Once the processor goes out of the idle state, the periodic tick is restored.

What's in 2.6.21 is, thus, not a full dynamic tick implementation. Eliminating the tick during idle times is a good step forward, but there is value in getting rid of the tick while the system is running as well - especially on virtualized systems which may be sharing a host with quite a few other clients. The dynamic tick documentation file suggests that the developers have this goal in mind:

The implementation leaves room for further development like full tickless systems, where the time slice is controlled by the scheduler, variable frequency profiling, and a complete removal of jiffies in the future.

So expect some interesting work in the future - the removal of jiffies alone has a number of interesting implications. The developers also have support for the x86_64 and ARM architectures, though that support has not been merged for 2.6.21; MIPS and PowerPC support is in the works as well.

Patches and updates

Kernel trees

Linus Torvalds Linux 2.6.21-rc1
Greg KH Linux 2.6.20.1
Andrew Morton 2.6.20-mm1
Andrew Morton 2.6.20-mm2
Con Kolivas 2.6.20-ck1
Greg KH Linux 2.6.19.4
Greg KH Linux 2.6.18.7
Adrian Bunk Linux 2.6.16.41
Adrian Bunk Linux 2.6.16.41-rc1

Development tools

Junio C Hamano GIT 1.5.0.1
Josef Sipek Guilt v0.20

Janitorial

Jeff Garzik remove JFFS v1

Networking

Angelo P. Castellani YeAH-TCP: algorithm implementation

Page editor: Jonathan Corbet

Distributions

News and Editorials

A look at dyne:bolic 2.4

Dyne:bolic GNU/Linux is a live CD distribution that can be installed to a hard drive if desired. It is user friendly and has good hardware recognition. From the release announcement for version 2.4, codename DHORUBA:

This release improves user-friendliness introducing Xfce-4.4 as the new default desktop, customized for the scheme of interaction that is familiar to dyne:bolic users. Another important new feature is the ability to create an encrypted nest to prevent access to personal data stored in home directories. No complicated notions are required, our user friendly setup deals with usb and harddisk storages as usual, in case the nest is encrypted you'll see your home icon upgraded to fortress, then everything that goes in your nest is protected.

The installation of dyne:bolic is very simple: just copy the /dyne directory from the CD to a free partition on your computer. You can also save your configuration to a USB key.

Dyne:bolic is 100% free software and it's optimized to run on slower computers. It's also designed as a practical tool for multimedia production: you can manipulate and broadcast both sound and video with tools to record, edit, encode and stream.

New Releases

Debian GNU/Linux 3.1 updated

The Debian project has updated the stable distribution Debian GNU/Linux 3.1 (codename `sarge'). "This update mainly adds security updates to the stable release, along with a few corrections to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update."

Lunar-1.6.1 Install ISO "Moose Drool" released for x86_64 and i686

"Moose Drool" is also known as the Lunar-Linux 1.6.1 Installer ISO and it is available now. "This ISO is partially a refreshed installer for i686, but it is also our first stable ISO for x86_64. The x86_64 installer ISO thus marks the true final entry for Lunar Linux as a multi-arch distro. This ISO comes with gcc-3.4.6, glibc-2.3.6, linux-2.6.20, perl-5.8.8, and other rock solid base components."

BLFS Version 6.2.0 has been released!

Beyond Linux from Scratch has released BLFS Version 6.2.0. This release is the complement to the LFS 6.2 book.

openSUSE 10.3 Alpha1 released

The first public alpha release of openSUSE 10.3 is available for testing. Click below for a look at what's new and a list of known bugs. Alpha two is planned for March 15.

Ubuntu Herd 4 released

The Ubuntu Feisty Fawn Herd 4 CD is available for testing. The announcement (click below) contains download information for Ubuntu, Kubuntu and Edubuntu and a list of known bugs. "The primary focus during the time from Herd 3 has been a mix of feature development and bug fixing."

Distribution News

Debian announcements

Steve McIntyre presents Bits from the 2IC. "First of all, we're still working towards an Etch release. It's a shame that it'll be later than many of us hoped, but again the new release is shaping up to be our best ever. It's not my place to second-guess the release team, but I'm hoping for a release soon. We're primarily waiting on the kernel to stabilise for release and a final debian-installer release candidate. We've got a few more RC bugs to polish off, then PARTY TIME!!! (Well, maybe some of us will have some more little spots of work to do in the last few days and hours... *grin*)"

The third call for nominations has gone out for the 2007 Debian Project Leader elections. The campaign period begins February 25, 2007.

Frans Pop has an update on key expiry that broke Etch. "This means that full CD and DVD images are now available again from, for all architectures (except S/390). The now available images are virtually identical to what will be released as D-I RC2, so testing and installation reports are most welcome."

Raphael Hertzog reports on Alioth downtime and lost data from the gforge database. "What is definitely lost however is the changes done to trackers/forums/surveys during that period and in general anything that is gforge-specific. We're really sorry for that, you can be sure we'll take required measures for the future."

openSUSE meeting minutes

openSUSE has decided to use libata by default in version 10.3. If your openSUSE installation has more than 15 partitions this could cause some problems. Click below for more information on this, and other issues.

openSUSE Survey

openSUSE is running a survey to get an idea of how people feel about the openSUSE project and the openSUSE 10.2 distribution.

Fedora 7 release delayed

The Fedora 7 release schedule always looked ambitious, given the challenges of integrating the Core and Extras repositories. It seems that integration is not proceeding as quickly as one might like, with the result that the Fedora 7 release is now planned for May 24, a one-month delay.

FDSCo Elections open

The elections for Fedora Documentation Steering Committee (FDSCo) are open until 23:59 UTC, 26 February 2007. Voting is open to all members of the cvsdocs group in the Fedora Account System.

Announcing Fedora Desktop User Guide

The Fedora Desktop User Guide for Fedora Core 6 is available. "The Desktop User Guide is here to help you accomplish specific tasks with the desktop applications. It is written for individuals who are unfamiliar with the default Fedora Desktop and who may be running their first Linux desktop."

ESR's goodbye note

For those who can't resist: here is Eric Raymond's "goodbye, Fedora" note. "Over the last five years, I've watched Red Hat/Fedora throw away what was at one time a near-unassailable lead in technical prowess, market share and community prestige. The blunders have been legion on both technical and political levels." So far, the Fedora folks do not appear to be greatly pained by his departure.

Mandriva Cooker : The Inside Man V

Fabrice Facorat has posted some information about the Mandriva Cooker (development branch). Click below for more about Nvidia/ATI vs Xorg 7.2, Testing Metisse in cooker, 64 vs 32 bit Cooker, Migration to cdrkit, Testing RandR 1.2, 2007.1 Errata create, Warly Departure, and Using PulseAudio as default in 2008.0.

Ubuntu announcements

Ben Collins announced regular meetings of the kernel team. "I invite anyone interested to attend, even if it's just to see how we get things done. Meetings are going to be held in the normal location: #ubuntu-meeting on irc.freenode.net. Meetings will be bi-weekly, Mon at 16:00 UTC, with the exception of the first meeting which is Wed Feb 21, at 16:00 UTC, due to holidays."

Martin Pitt looks at some policy decisions with regard to the package maintainer field. "a fair while ago, the Debian project collectively decided that Ubuntu source and binary packages should not carry Debian's maintainers in their Maintainer: field any more. Instead, we shall preserve them in the Original-Maintainer: field and put an Ubuntu specific contact into Maintainer:"

The Ubuntu archive team has added two new members. "We have also allocated archive team days, so if you need to have a package promoted, packages pushed through NEW or services the archive team offer, please contact the correct person on IRC (#ubuntu-devel being the most appropriate channel)."

New Distributions

ProTech - a new security distribution

ProTech is a new security-oriented distribution from the Techm4sters team. It's a live CD based on Ubuntu Feisty with tools for network administrators, pentesters and forensic analysts. The first beta was made available for download February 13, 2007, with a final version expected in April 2007 when the Ubuntu Feisty release is finalized.

Tadpole Linux Announces Logo Design Competition

Tadpole Linux is a new Gentoo-based live CD geared toward K-6 elementary school students. A Logo Design Competition is underway, with a submission deadline of March 2, 2007. The first release is expected soon after.

Distribution Newsletters

Fedora Weekly News Issue 77

The Fedora Weekly News for February 19, 2007 covers a change in the Fedora 7 schedule, Fedora 7 Test 1 Release Notes, Changes to fedora-advisory-board list, The Interview of Bill Nottingham, Fedora Directory Server is now in Fedora Extras, InfoDesk Inc. Chooses Fedora Directory Server, Ambassadors Report - SCALE5X, and several other topics.

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for February 12, 2007 covers time zone updates, testing for new freetype, problems with NSS/NSPR, thanks from the KDE team, Adopt-a-Dev update, and much more.

DistroWatch Weekly, Issue 190

The DistroWatch Weekly for February 19, 2007 is out. "Those users who enjoy beta testing Linux distribution had an exciting week as new development builds from Mandriva, PCLinuxOS, openSUSE and Ubuntu all appeared on public mirrors. In the meantime, the Fedora project announced a delay in the release of Fedora 7 - now scheduled for late May. In other news, Ubuntu has clarified its position on the issue of proprietary video drivers, Daniel Robbins is about to formally return to the project he founded some seven years ago, SabayonLinux loses two key developers, and CentOS announces plans for the all-new CentOS 5. The feature story takes a brief look at two distributions which recently bumped their version numbers while in the middle of development - SaxenOS and SimplyMEPIS."

Distribution meetings

openSUSE Reminder: FOSDEM 2007 - this weekend!

A reminder for anyone going to FOSDEM this weekend; openSUSE has a dev-room where there will be lots of interesting talks, and a small booth on the floor.

FudCon Videos are now available

FudCon videos from Boston 2007 are available for torrent download.

Package updates

Slackware glibc-zoneinfo US Daylight Savings Time changes

Slackware has new glibc-zoneinfo packages with the new US Daylight Savings Time schedule for all stable Slackware systems.

Newsletters and articles of interest

Monitoring Servers and Clients using Munin in Ubuntu (Ubuntu Geek)

Ubuntu Geek looks at Munin. ""Munin" means "memory". Munin the tool surveys all your computers and remembers what it saw. It presents all the information in graphs through a web interface. Its emphasis is on plug and play capabilities. After completing an installation a high number of monitoring plugins will be playing with no more effort. Using Munin you can easily monitor the performance of your computers, networks, SANs, and quite possibly applications as well. It makes it easy to determine "what's different today" when a performance problem crops up. It makes it easy to see how you're doing capacity wise on all limited resources."

Create virtual Machines Using Virtualbox in Debian (Debian Admin)

Debian Admin looks at Virtualbox on Debian Etch. "VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software."

Distribution reviews

Xubuntu offers appealing desktop alternative (tectonic)

Tectonic has a review of Xubuntu. "Performance wise Xubuntu is everything I was hoping. It is light and fast. Clicking on the applications menu gives you immediate feedback. And unless you're running about five or six other applications at the time, opening a file browser or a terminal window is almost instantaneous. As I write this I have about four applications running, some with two or three windows open each. Clicking on the 'show desktop' applet hides all of the open six windows in just a second. On a slower machine this is not to be sneezed at."

Software Review: Yellow Dog Linux 5 for PlayStation 3 (BC Gaming)

Blogcritics has a review of Yellow Dog Linux 5 for PlayStation 3. "[W]hat do you get with Yellow Dog Linux 5? There are 2248 packages (RPMs) included, including heavyweights in the Open Source software arena such as OpenOffice, GIMP, Firefox... the list goes on and on. Yellow Dog 5 also comes with a simply stunning desktop environment, called Enlightenment (E17)."

Page editor: Rebecca Sobol

Development

Progress on the Linux Desktop Testing Project

The Linux Desktop Testing Project (LDTP) is a desktop application testing framework that was originally announced in January, 2005.

GNU/Linux Desktop Testing Project (GNU/LDTP) is aimed at producing [a] high quality test automation framework and cutting-edge tools that can be used to test [the] GNU/Linux Desktop and improve it. It uses the Accessibility libraries to poke through the application's user interface. The framework also has tools to record test-cases based on user-selection on the application. GNU/LDTP core framework uses Appmap and the recorded test-cases to test an application and gives the status of each test-case as output.

The LDTP About and FAQ documents explain the software's operation. Here are some highlights of LDTP:

  • Written in the C and Python languages.
  • Licensed under the LGPL.
  • Can be used to improve desktop application stability by making application testing easy.
  • Concepts are derived from the Software Testing Automation Framework (STAF).
  • Is desktop agnostic, works with the GNOME (2.10 and above) and KDE (4.0) desktops.
  • Can be used on Mozilla, OpenOffice.org and Java applications.
  • Works on Linux and Solaris, a FreeBSD port is underway.
  • Is supported on the OpenSUSE, Ubuntu, Debian and Fedora Core distributions.
  • Uses the Assistive Technology libraries for connection to the user interface.
  • LDTP connects to the test application through the remap function.
  • Includes application CPU and memory performance monitoring.
  • Test scripts are easy to write.
  • Test output is available in an XML log format.
  • Includes a Test Editor for creating tests.

The online user manual explains how to set LDTP up for application testing and explains the API.

Version 0.8.0 of LDTP was recently announced: "This release features number of important breakthroughs in LDTP as well as in the field of Test Automation."

New capabilities of LDTP 0.8.0 include:

  • Performance has been greatly improved.
  • The LDTP execution engine has had stability improvements.
  • A number of memory leaks have been removed.
  • A large number of bugs have been fixed.
  • Some new code has been contributed by the Palm Source testing team.
  • An LDTP repository has been added to the OpenSUSE build system.
  • LDTP is now available on the Mandriva distribution.
  • A new LDTP Flash demo is available.

The LDTP source code is available for download here.

System Applications

Database Software

PostgreSQL Weekly News

The February 18, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

wxSQLite3 1.7.2 released (SourceForge)

Version 1.7.2 of wxSQLite3 is available. "The new version 1.7.2 of wxSQLite3 - a thin wrapper for the SQLite database for wxWidgets applications - now supports the current version 3.3.12 of SQLite. The wxSQLite3 API is now independent of optional features; it can be checked at runtime for which optional features wxSQLite3 was compiled. Since on Linux support for loadable extensions is not compiled into SQLite by default it has been made optional in wxSQLite3 as well."

Mail Software

Apache SpamAssassin 3.1.8 released

Version 3.1.8 of Apache SpamAssassin has been released. "This is a maintenance and security release of the 3.1.x branch. It is highly recommended that people upgrade to this version."

Openchange MAILOOK milestone

Openchange has announced the availability of a Linux MAPI library which will allow Linux users to access an exchange mail server. "The OpenChange team is very proud to announce we have released on our repository a first experimental but working implementation of our MAPI Library under Linux. Libmapi is a client-side MAPI library implementation designed to make MAPI messaging applications development under Linux trivial." (Thanks to Joerg Mayer.)

Printing

CUPS 1.2.8 released

Version 1.2.8 of the CUPS printing system has been announced. "CUPS 1.2.8 adds a French localization, updates the Japanese and Spanish localizations, and fixes several web interface, printing, and networking bugs."

CUPS Driver Development Kit 1.1.0 announced

Version 1.1.0 of the CUPS Driver Development Kit has been announced. "The new release adds support for creating globalized and compressed PPDs with configurable line endings, includes a new ppdmerge utility, and fixes some platform and packaging issues. The CUPS Driver Development Kit (DDK) provides a suite of standard drivers, a PPD file compiler, and other utilities that can be used to develop printer drivers for CUPS and other printing environments."

Web Site Development

Mod_python 3.3.1 released

Version 3.3.1 of Mod_python, a Python language extension to the Apache web server, is out. See the online documentation for change history.

Desktop Applications

Audio Applications

Aqualung 0.9 beta 7.1 released

Version 0.9 beta 7.1 of Aqualung, a cross-platform music player, is available. "This is an update to our recent 0.9beta7 release, containing some important fixes to bugs that were found as a result of the greater user coverage after the release of 0.9beta7."

Mammut 0.57 released

Version 0.57 of Mammut, an FFT audio spectrum analysis package, has been released. This version adds new features, Mac and Windows ports and more.

Data Visualization

Grace 5.1.21 is available

Version 5.1.21 of Grace, a WYSIWYG 2D plotting tool, has been announced. "This is a maintenance release of the 5.1 series; an upgrade is recommended."

Desktop Environments

GNOME 2.18.0 Beta 2 released (GnomeDesktop)

GnomeDesktop has announced the release of GNOME 2.18.0 Beta 2. "Love is in the air! The GNOME 2.18.0 Beta 2 release is out to spread even more love in this Valentine's day. This is our second beta release on our road towards GNOME 2.18.0, which will be released in March 2007. So, If you're feeling alone, give some love to GNOME today by breaking it, fixing it, translating it, documenting it, and your [happiness] is g[u]aranteed tomorrow! Who knows? This release marks the start of the String Freeze. No, this doesn't have anything to do with the Finnish winter."

GARNOME 2.17.91 released

Version 2.17.91 of GARNOME, the bleeding-edge GNOME distribution, is out. "The "go go gadget garnome" release. We are pleased to announce the release of GARNOME 2.17.91 Desktop and Developer Platform. This release includes all of GNOME 2.17.91 (aka 2.18.0 Beta 2), tweaked and updated with love by the GARNOME Team."

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

KDE Commit-Digest for 18th February 2007 (KDE.News)

The February 18, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "The Dolphin file manager is moved into kdebase. Continued work in Umbrello courtesy of the Student Mentoring program. Graphical element representations start to be introduced in Kalzium. More new country maps in KGeography. KSpaceDuel begins the porting process to a scalable graphics interface, with further SVG integration work in KMines, KWin4, KNetWalk, KBlackBox and KMahjongg. KolourPaint gains the ability to interface with image scanning hardware. Improved handling of the XPS document format in okular. Lilypond export functionality in KTabEdit. More work in the KDE Fonts Manager. The KNewStuff2 framework reaches new milestones in its reworking for KDE 4."

Quickies: Dev Wiki, Sonnet, Jambi, Scientific Analysis and CSS Compliance (KDE.News)

KDE.News presents another Quickies article. "Vote for the name of the new KDE developer and sysadmin wiki. *** Nathan Sanders reveals that KDE 4's Sonnet will turbocharge language processing at Linux.com. *** Trolltech announced the first beta release of Qt Jambi, now available for testing and feedback. *** ChainLink is a new Qt 4 integrated environment for scientific data analysis and visualisation using Matlab/Octave/Scilab compatible syntax. ..."

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Encryption Software

PasswordSafe 3.06 released (SourceForge)

Version 3.06 of PasswordSafe is out. "Password Safe is a password database utility. Users can keep their passwords securely encrypted on their computers. A single Safe Combination unlocks them all. Version 3.06 is a minor release - some annoying bugs have been fixed, some features have been improved upon."

Games

Ember 0.4.2 release candidate 4

Release candidate 4 of Ember 0.4.2 has been announced on the WorldForge game site. "This release should be stable and contains no known bugs. If you have problems running it, please send a mail to Erik."

Interoperability

Wine 0.9.31 released

Version 0.9.31 of Wine has been announced. Changes include: Many Direct3D fixes and performance improvements, Several new comctl32 test cases, IDL compiler improvements, More OLE32 marshalling fixes and lots of bug fixes.

Wine Weekly Newsletter

The February 19, 2007 edition of the Wine Weekly Newsletter is online with coverage of the Wine project. Topics include: News: Wine 0.9.31, CrossOver 6.0, DIB Engine Discussion, Summer of Code 2007, GNOME & Freedesktop Menus, Direct3D Screenshots, Toolbar Regression, RHEL 3 RPM's, and IE Developers Toolbar.

Mail Clients

Bongo Project releases initial milestone: 0.1.0

Version 0.1.0 of Bongo has been announced. "Bongo is a project to create fun and simple mail & calendaring software. As well as providing a well-featured but extensible set of server software, it also comes with a user-friendly web interface. The Bongo Project is pleased to announce the release of Bongo 0.1, which represents the first milestone on our roadmap. This is a source-only release intended for hackers and users who want to get an early preview of what we're building."

Multimedia

Elisa 0.1.4 announced

Version 0.1.4 of Elisa has been announced; it adds new features and bug fixes. "Elisa is a project to create an open source cross platform media center solution. While our primary development and deployment platform is GNU/Linux and Unix operating systems we also currently support Microsoft Windows and also hope to support MacOSX in the future. Elisa runs on top of the GStreamer multimedia framework and is developed in Python."

Music Applications

CLAM 0.98 released

Version 0.98 of CLAM, a C++ framework for doing research and application development in audio and music, is available. "Apart from MacOS build, this release features KDE integration for NetworkEditor and Prototyper (so you can open network files from Konqueror), MFCC’s added to Annotator’s extractor example, and several fixes (thanks James). FLTK module has been dropped and it is not being compiled by default. It will be completely removed on the next release."

Office Applications

HylaFAX 4.3.2 released

Version 4.3.2 of HylaFAX, a fax modem interface, has been announced. "This release includes significant improvements to email templating, a system that offers server admins an unprecedented level of control over the branding of the email messages HylaFAX sends, and so we encourage you to check it out. As always, our sincerest thanks go to all who participate in the development and testing process."

Miscellaneous

Laplock 0.0.4 released

Stable version 0.0.4 of Laplock is available. "Laplock locks your computer or laptop using a media card such as USB memory, SD, MMC, or a Memory Stick. Once you register a unique card, the program starts xlock or xscreensaver when it is removed and stops it once it is plugged in again."

Languages and Tools

C

GCC 4.1.2 released

Version 4.1.2 of GCC, the GNU Compiler Collection, is out. "This release is a bug-fix release for problems in GCC 4.1.1. GCC 4.1.2 contains changes to correct regressions from previous releases, but no new features."

Caml

Caml Weekly News

The February 20, 2007 edition of the Caml Weekly News is out with new Caml language articles.

Lisp

Lython 1.0 announced

Version 1.0 of Lython, a Lisp dialect compiler which outputs Python byte-code, has been announced. The description states: "Parses a lisp dialect using spark. Simple macros. Compiles to Python bytecode. Generates pyc, pyo files. Full-featured interactive interpreter. Based on Miles Egan's Lython."

PHP

PHP 4.4.5 released

Version 4.4.5 of PHP has been released. See the ChangeLog file for a list of bug fixes and other improvements.

Python

Jython 2.2 beta 1 announced

The first beta release of Jython 2.2, a Python implementation on Java, is available. "This release contains all of the major features for a 2.2 release, so it's a significant milestone towards 2.2 proper. It's being released to solicit feedback about any bugs or missing features; if you can, download it and check for issues."

PyPy 0.99 released

Version 0.99 of PyPy, a Python interpreter implementation and an advanced compiler, has been announced. "Welcome to the PyPy 0.99.0 release - a major snapshot and milestone of the last 8 months of work and contributions since PyPy-0.9.0 came out in June 2006!"

Tcl/Tk

Tcl-URL!

The February 15, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Tcl-URL!

The February 20, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

XML

Introducing RDFa (O'Reilly)

O'Reilly has published part one of a series on RDFa. "In this first part of a two-part series, Bob DuCharme introduces us to RDFa, a new, XHTML-friendly standard syntax for RDF metadata that allows you to embed RDF metadata into the Web in a novel way."

IDEs

Wing IDE 2.1.4 released

Version 2.1.4 of Wing IDE, a Python language integrated development environment, has been announced. "This is a bug fix release that among other things fixes handling of UTF-8 byte order marks, improves auto-completion for PyQt 4, reports exceptions correctly in Python < 2.2, fixes some problems with Subversion 1.4, does better adaptive scrolling on OS X, and displays menus correctly in Hebrew locales."

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Save the BBC from Windows DRM! (Linux Journal)

Glyn Moody looks at technological choices made by the British Broadcasting Corporation. "The BBC has a long and glorious past as a technological innovator. Throughout the history of broadcasting, it has often been the first to develop and promote new technologies. Sadly, it seems now to be teetering on the brink of making technical choices that will not only damage its own reputation as a world-class institution, but which will also have serious knock-on consequences for free software."

IDC: Linux Ecosystem Worth $40 Billion by 2010 (internetnews.com)

internetnews.com covers a prediction by IDC on the future value of the Linux ecosystem. "At the Linuxworld Open Solutions Summit, which kicked off today in New York, IDC analysts detailed where they see the Linux ecosystem today and where it is headed by 2010. For 2006, Al Gillen, research vice president of system software at IDC, told an early morning audience that the research firm has pegged the Linux ecosystem that includes servers and software to be worth $18 billion. By 2010, Gillen said, the market will be worth $40 billion."

Building a Relationship Economy (Linux Journal)

Doc Searls discusses the relationship economy in his Linux Journal blog. "Is there something new that open source development methods and values can bring to the economy? How about something old? I think the answer may come from the developing world, where pre-industrial methods and values persist and offer some helpful models and lessons for a networked world that's less post-industrial than industrial in a new and less impersonal way."

Trade Shows and Conferences

The ACCURATE meeting

Ping reports on his touch screen voting software development and the ACCURATE meeting. "I'm excited to say that this new version fits in 400 lines of straightforward, readable Python. However, this version doesn't contain a verifier yet; included among the 300 lines of last year's software was a verifier for the ballot definition to ensure that, once the ballot is successfully loaded, the program cannot crash. After i add a verifier to the new version, it will probably weigh in somewhere between 500 and 600 lines. Still, not bad. I was aiming for under 1000, as a reasonable limit for the number of lines one could expect to review and verify with some confidence. (For comparison, the Diebold AccuVote TS-X software is over 31000 lines of C++.)"

LinuxWorld New York: a longer name for a smaller show (Linux.com)

Linux.com covers the LinuxWorld OpenSolutions Summit. "IDG's East Coast Linux gathering is now officially called the LinuxWorld OpenSolutions Summit (LWOSS). The inaugural 2007 version of the renamed conference was held February 14 and 15 in the conference area of the Marriott Marquis hotel in Manhattan, not in a huge convention center. Despite the longer name, it was such a cute little conference that I kept wanting to pat it on its head. But sometimes smaller is better, and in many ways this 600-person LWOSS was more fun and more informative than its larger Boston and New York predecessors."

KDE at SCALE 5x (KDE.News)

KDE.News reports on all things KDE at SCALE 5X. "KDE was once again well represented at the 2007 Southern California Linux Expo (SCALE 5x), demonstrating to show-goers why it is the most popular Linux desktop. There were talks, demonstrations from KDE developers and thank yous in return. Read on for the full report."

Volunteers make Vancouver PHP Conference work (Linux.com)

Linux.com covers the Vancouver PHP Conference. "More than 225 developers attended the second Vancouver PHP Conference at the University of British Columbia's Downtown Campus in Vancouver Canada this week. Organized by the Vancouver PHP Users Group, the conference attracted many of the best-known names in the PHP world, including Rasmus Lerdorf, Andrei Zmievski, Damien Seguy, and Zak Greant. The result was a well-rounded conference that shows what an experienced group of volunteer organizers can accomplish."

Companies

Dell users demand more Linux options (ZDNet UK)

ZDNet UK looks at what people are saying at Dell's Ideastorm website. "Nearly 40,000 users have used the Dell Ideastorm website to promote the suggestion that Dell should: "Offer the three top free Linux versions [Fedora, OpenSuse and Ubuntu] for free pre-installation on all Dell PCs". It is now the most popular suggestion on the site."

Flash for Linux -- It's Not for Designers (internetnews.com)

internetnews.com looks into development issues with Adobe's Flash Player 9 for Linux. ""In general we chose the standard but we really just want it to work," Huang said. "Our wish list is for more consistency of libraries across the various Linux distributions, which would enable wider support." The problem revolves around the fact that there really isn't such a thing as a standard Linux desktop. Efforts like the Linux Standard Base (LSB), which aims to provide standardized API's for the Linux desktop, fall short for Flash."

Linux Adoption

Cuba to migrate to open-source software (ZDNet)

ZDNet reports that the Cuban government is migrating its computers to open source software. "A Cuban academic, Hector Rodriguez, is supporting the migration to open source by heading up a development program within one of the largest Cuban universities. Cuba's customs service has already migrated to Linux, while the ministries of culture, higher education and communications are planning to do so, Rodriguez told the conference."

EBS chooses Linux for IT consolidation project (siliconrepublic.com)

siliconrepublic.com reports on a Linux deployment by Ireland's EBS Building Society. "The building society, which is the fifth-largest credit institution in the country, has chosen SUSE Linux Enterprise Server (SLES) from Novell as the foundation for the consolidation project. This will involve hosting IBM WebSphere applications and SLES will support more than 1,000 users within EBS in 2007. EBS has been able to save on software licensing and hardware costs as a result of the project. It has also benefited the firm’s disaster recovery strategy, as this is now easier to perform backups from a single mainframe than on many distributed machines."

Interviews

The last set of FOSDEM interviews

The last set of interviews with FOSDEM speakers has been posted; featured this time are Jeremy Allison, Keith Packard, Miguel de Icaza, Paul Everitt, Pete Herzog, and Simon Phipps. "The benefit for [Sun] in opening up Java is that it will allow the market to grow even more. And a bigger market leads to more innovators and more opportunities. I know that can sound suspicious... But in our view a big community leads to big markets, which lead to big profits."

LinuxWorld: Samba's Jerry Carter talks Samba's future (SearchOpenSource.com)

SearchOpenSource.com presents an interview with Jerry Carter from the Samba project. "Following his session on user authentication and Samba 3.0 at the LinuxWorld Open Solutions Summit, Jerry Carter answered a few questions on Samba's future and its role with Microsoft."

Web 2.0 Podcast: A Conversation with Jonathan Miller (O'ReillyNet)

O'Reilly presents a podcast with Jonathan Miller; an accompanying text transcription of the interview is included. "One year ago AOL CEO Jonathan Miller told Web 2.0 Summit program chair John Battelle that the new AOL would be truly open. At the Web 2.0 Summit 2006, Miller talks about the changes over this past year and what it has meant for revenues."

Inge Wallin - People Behind KDE

The latest interview in the People Behind KDE series features Inge Wallin. "Q: In what ways do you make a contribution to KDE? A: Since I come from a games background - I was a long time contributor to GNU Go - I started out in kdegames. I fixed a number of bugs in KPoker, KReversi, KPat, Konquest and for some time was the maintainer of KReversi. Then I drifted over to kdeedu and helped out a little there. For some reason I started to work with KOffice and since KChart was abandoned I fixed a number of bugs there and then took over maintainership of that application. I also did some work on KSpread."

Resources

CLI Magic: Linux troubleshooting tools 101 (Linux.com)

Linux.com looks at command line tools for troubleshooting your system. "When something goes wrong with your Linux-based system, you can try to diagnose it yourself with the many troubleshooting tools bundled with the operating system. Knowing about these tools, and how to effectively use them, can help you overcome many of the common problems on your system. Here's a list of some of the weapons in your arsenal against Linux problems."

Hardware Versus Software Firewalls (O'Reilly)

Chris Swartz and Randy Rosel compare various firewall implementations in an O'Reilly article. "How do the freeware firewalls compare to expensive, all-in-one firewall solutions such as the Cisco PIX? The goal for this project, then, is to compare the Cisco PIX with two freeware firewalls."

Run Your Own Webradio Station With Icecast2 And Ices2 (HowtoForge)

HowtoForge sets up an audio streaming server with Icecast2. "This tutorial describes how to set up an audio streaming server with Icecast2. In order that Icecast2 can stream audio to listeners we install Ices2. Ices2 is a program that sends audio data to an Icecast2 server to broadcast to clients. Ices2 can either read audio data from disk (Ogg Vorbis files), or sample live audio from a sound card and encode it on the fly. In this article we will let Ices2 read .ogg files from the local hard disk."

Improved ways to suspend and hibernate a laptop under Linux (Linux.com)

Linux.com revisits suspend and hibernate. "Last June I wrote about suspending and hibernating laptops under Linux. Since then a few things have changed -- thankfully, for the better -- so it's time to revisit the subject. Also, a few readers have responded offering suggestions for improving the suspend shell script I wrote back then, and I've incorporated these suggestions in a new version; unfortunately most of the comments are anonymous, so I can't give proper credit to their authors. The most important change since the last article is that laptops with multi-core CPUs are now the de facto standard. Intel Core Duo and Core2 Duo processors not only offer Symmetric Multiprocessing (SMP) functionality to mobile users but also consume less power, and thus produce less heat, than their predecessors."

Set up remote access in UNIX through OpenSSH (developerWorks)

IBM developerWorks covers system administration using OpenSSH. "Use OpenSSH to provide a secure environment for running a remote terminal. The basics of OpenSSH and terminal usage are quite simple but, in this article, examine additional elements that allow automatic login to remote hosts, methods for running remote applications, and how to securely copy files between hosts."

Reviews

The Pillars of KDE 4: Decibel Definitions and Benefits (KDE.News)

KDE.News looks at the definitions and benefits of Decibel. "In part 1, we gave a general overview of Decibel. In part 2, we cover everyone's favorite section - the definitions! Well, at least we hope that the definitions will be informative. Part 3 will describe some benefits for developers while part 4 deals with benefits for users."

IBM unveils servers for Linux consolidation (Reseller News)

Reseller News covers the latest IBM server offerings, introduced at the Linuxworld OpenSolutions Summit in New York. "The highest end of the three new offerings, the IBM System p5 560Q, includes advanced virtualisation features, such as IBM's Advanced Power Virtualisation, which runs multiple partitions per processor. This allows a customer to consolidate 320 x86-based Linux Web servers on to just one rack of five of the new servers, Handy says."

RPM development on the road to revival (Linux.com)

Linux.com takes a look at RPM development. "The RPM Package Manager (RPM) package format and utilities are the backbone of the Red Hat Enterprise Linux (RHEL), Fedora Core, SUSE, and Mandriva Linux distributions, a host of smaller distros, and the Linux Standard Base. For years, the RPM utilities and specification were maintained by Red Hat. That changed in 2006 when, following a lengthy period of uncertainty, the company relaunched rpm.org as an independent hub for RPM development."

A look at Slackware's package utilities (Linux.com)

Linux.com looks at Slackware's no frills approach to package management. "Unlike packages made for repository based solutions, like Debian's apt-get and Fedora's yum, Slackware packages were not designed to be dependency-aware -- and hardcore Slackware users would have it no other way. Installing dependencies by hand does have an advantage. It allows an administrator to remain in control of the libraries and programs installed on the system. But being one of the oldest distributions has its advantages. Thanks to its faithful bunch of developers, Slackware has perhaps the largest collection of package management tools. Let's look at some of them."

Comments (5 posted)

Xfce 4.4: The best lightweight desktop environment (Linux.com)

Linux.com reviews Xfce 4.4. "For years, the lightweight Xfce has been a popular desktop environment for Linux distributions running on older hardware, thanks to its lower demand on resources as compared to KDE and GNOME; it's an ideal desktop for machines with less than 256MB of memory. Until recently, however, using Xfce was a little laborious, but with its latest release last month, Xfce is a much more usable desktop environment."

Comments (28 posted)

Zero Install: An executable critique of native package systems (Linux.com)

Bruce Byfield looks at Zero Install on Linux.com. "Zero Install is one of the more promising alternatives to native package systems for Linux distributions, such as RPM and Debian's dpkg. Originally developed by Thomas Leonard, a professor in the Department of Electronics and Computing at the University of Southampton, it begins with a criticism of existing package systems and the difficulties of using them, and is built to provide an answer to the problems raised by the critique. However, like other alternative package systems, it faces the problems of winning acceptance from the major distributions and fine-tuning its features."

Comments (4 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

EFF: Media Giant Bullies Internet Critic

The Electronic Frontier Foundation reports on their efforts to protect an Internet humor site. "The Electronic Frontier Foundation (EFF) warned Discovery Communications, Inc., today to cease its demands for the removal of an online template that uses humor to help people criticize the media company. The "SpankMaker," located at http://www.spankmymarketer.com/, helps users create parodies of a controversial marketing campaign in connection with a Discovery television production. The online tool provides images from the marketing campaign and Discovery's corporate websites, and allows users to modify them with commentary."

Full Story (comments: none)

PUBPAT Exec testifies before U.S. House of Representatives

The Public Patent Foundation has announced that its executive director was to address the U.S. House of Representatives on the subject of patent reform on February 15. "Ravicher will begin with an opening statement and then answer questions from Representatives on the Subcommittee on Courts, the Internet, and Intellectual Property, including Chairman Howard Berman (D-CA) and Ranking Member Howard Coble (R-NC), at the oversight hearing on "American Innovation at Risk: The Case for Patent Reform"".

Full Story (comments: none)

Commercial announcements

ADempiere gets worldwide professional support

ADempiere has announced the availability of worldwide professional support for its Enterprise Resource Planning software. "ADempiere project is glad to announce the incorporation of ADempiere Business inc. in the USA, an umbrella non-profit organization that will act as a virtual worldwide services organization that will offer quality professional services for the implementation of ADempiere."

Full Story (comments: none)

Contests and Awards

2006 LinuxQuestions.org Members Choice Award Winners Announced

The polls are closed and the results are in for the 2006 LinuxQuestions.org Members Choice Awards. Winners include Ubuntu (best distribution), Knoppix (best live distribution), Firefox (best browser), and much more.

Full Story (comments: 7)

Nokia announces the Nokia N800 Internet Reader Challenge

Nokia has announced the Popular Science Nokia N800 Reader Challenge. "Magazine are joining forces to create the Popular Science Nokia N800 Reader Challenge, a contest calling for user-developed applications, scripts, services or hardware additions for the new Nokia N800 Internet Tablet. The Linux-based Nokia N800 provides portable Internet access via Wi-Fi or an enabled cell phone with Bluetooth connectivity for Web browsing, email, instant messaging, Internet calling with integrated webcam, RSS feeds, streaming music and much more."

Comments (none posted)

Education and Certification

Free Linux course for beginners

LinuxBasics.org has announced their third free Linux class, entitled: An Introduction to Linux Basics. "This course is designed to give a foundation of understanding of Linux to a beginner who wants to know a little more about the system. More advanced Linux users will find an opportunity to dig deeper into some areas they always wanted to know more about or discover gaps in their knowledge that they didn't know existed."

Full Story (comments: none)

Python Bootcamp

Big Nerd Ranch will hold the next Python Bootcamp on May 21-25, 2007 near Atlanta, GA. "The Big Nerd Ranch announces Python training May 21-25, 2007 with a revised course and a new instructor, David Beazley. David Beazley is the author of the "Python Essential Reference," and offers a fresh take on Python training. This course is designed to teach Python programming, accompanied by the myriad uses of Python to extend and access existing systems. "Python as glue," in essence. Big Nerd Ranch provides intensive, all-inclusive courses to Mac OS X and Open Source programmers in a retreat environment."

Comments (none posted)

Calls for Presentations

aKademy talks deadline extended (KDE.News)

KDE.News reports that the aKademy 2007 talks deadline has been extended. "Due to a beastie in the submissions system, the aKademy 2007 Programme Committee have extended the deadline for talk proposals until February 23rd. See the Call for Participation for some guidelines and how to submit. Confirmation to those who have already submitted has been sent out, let us know if you have not heard from us. If you contribute to KDE in any way it is likely others will want to know about it, so send us your abstract before next Friday."

Comments (none posted)

EVT '07 Call for Papers

A call for papers has gone out for the 2007 USENIX/ACCURATE Electronic Voting Technology Workshop. The event will be held in conjunction with the USENIX Security symposium on August 6–10, 2007 in Boston, MA. "The USENIX/ACCURATE Electronic Voting Technology (EVT) workshop seeks to bring together researchers from a variety of disciplines, ranging from computer science and human factors experts through political scientists, legal experts, election administrators, and voting equipment vendors. EVT seeks to publish original research on important problems, including how the software and hardware in voting might be engineered to be more robust against tampering or how it might be written to be more easily and openly verified." Submissions are due by April 22.

Comments (none posted)

Upcoming Events

Bossa Conference - Mobile Internet and multimedia

The BOSSA Conference will take place in Recife, Brazil on March 12-14, 2007. "The idea is to cover areas thoroughly from the kernel to the User Interface in mobile Internet and Multimedia. Developers from many areas such as Jeff Waugh (Gnome), Zack Rusin (Qt/KDE), Marcel Holtmann (BlueZ), Chris Hofmann (Mozilla) and John "J5" Palmieri (RedHat) have already confirmed their participation in the event."

Full Story (comments: none)

The 2007 Embedded Systems Conference

CMP Technology has announced the 2007 Embedded Systems Conference. The event takes place at the San Jose, CA McEnery Convention Center on April 1-5, 2007. "The industry's brightest minds will bring the power of brainpower to San Jose's McEnery Convention Center, and have their choice of more than 180 training sessions, courses and seminars covering methodologies, processes, and techniques fundamental for engineers developing embedded systems."

Comments (none posted)

KDE Italia at OpenMind 2007 this week (KDE.News)

KDE.News notes the KDE presence at OpenMind 2007. "OpenMind 2007 is an Italian event dedicated to Free Software and free content. The event will be from this Thursday until Saturday (22nd to 24th) February in San Giorgio a Cremano, Naples."

Comments (none posted)

KDE at Guademy, Spain and FOSS MEET, India (KDE.News)

KDE.News mentions some upcoming KDE events. "A joint KDE and Gnome meeting is taking place in Spain next month called Guademy. The objectives are to create new projects and initiatives of collaboration between both Desktops and allow new developers to get started. Aaron Seigo will give an update on KDE 4 and Albert Astals Cid will talk about Okular. Meanwhile in India Pradeepto Bhattacharya of KDE India will be talking at FOSS MEET in NIT Calicut about KDE 4 and why you should develop with Qt."

Comments (none posted)

OpenOffice.org Conference, Barcelona

Barcelona, Spain has been selected as the location for the 2007 OpenOffice.org Conference. "The figures show the continuing growth of the OpenOffice.org community, with the number of votes cast over 40% up on last year. In particular, the presence of two very strong proposals from the Asia-Pacific region reflects the huge success and potential for OpenOffice.org in this part of the world."

Full Story (comments: none)

O'Reilly Media and CMP Technology launch Web 2.0 Expo Tokyo

The Web 2.0 Expo, Tokyo has been announced. "O'Reilly Media, Inc. and CMP Technology, co-producers of the annual Web 2.0 Summit and newly created Web 2.0 Expo in San Francisco, today jointly announced the launch of a new conference and tradeshow that will bring together top leaders and technologists who are building, leveraging and driving the Japanese web economy. Web 2.0 Expo Tokyo, scheduled for November 15-16, 2007, will be held at Izumi Garden Tower in Roppongi, Tokyo."

Full Story (comments: none)

O'Reilly Where 2.0 Conference registration opens

Registration is open for the 2007 O'Reilly Where 2.0 Conference. "Where 2.0 Conference, happening May 29-30, 2007 at The Fairmont Hotel in San Jose, California. Now in its third year, the Where 2.0 Conference will bring together the leading edge developers building location-aware technology with the businesses and entrepreneurs seeking location apps, platforms, and hardware that will help them capture a competitive edge."

Full Story (comments: none)

Events: March 1, 2007 to April 30, 2007

The following event listing is taken from the LWN.net Calendar.

| Date(s) | Event | Location |
|---|---|---|
| February 26 - March 1 | PyCon Sprints | Addison, Texas |
| February 26 - March 2 | PHP5 Bootcamp Training at the Big Nerd Ranch | Atlanta, Georgia, USA |
| February 27 - March 1 | O'Reilly Emerging Telephony Conference | San Francisco, CA |
| February 27 - March 2 | EUSecWest Applied Security Conference | London, UK |
| February 28 - March 2 | Network and Distributed System Security Symposium | San Diego, CA, USA |
| March 2 - March 3 | LinuxForum 2007 | Copenhagen, Denmark |
| March 3 - March 8 | O'Reilly Emerging Technology Conference | San Diego, CA, USA |
| March 5 - March 8 | EclipseCon 2007 | Santa Clara, CA, USA |
| March 5 - March 6 | Karlsruhe Workshop on Software Radios | Karlsruhe, Germany |
| March 8 - March 10 | 2007 Open Source Think Tank | Napa, CA, USA |
| March 10 - March 13 | Camp 5 Advanced Zope3 Training | Charlotte, North Carolina, USA |
| March 12 - March 16 | QCon | London, England |
| March 12 - March 16 | Third Annual Security Enhanced Linux Symposium | Baltimore, US |
| March 12 - March 14 | BOSSA Conference | Porto de Galinhas, Brazil |
| March 13 - March 14 | The Linux Foundation Japan Symposium | Tokyo, Japan |
| March 14 - March 16 | PHP Quebec Conference | Montreal, Canada |
| March 14 - March 17 | Barbeque Sprint for Plone3 | Charlotte, North Carolina, USA |
| March 15 - March 21 | CeBIT computer fair | Hannover, Germany |
| March 16 - March 17 | MountainWest RubyConf | Salt Lake City, USA |
| March 18 - March 23 | Novell BrainShare 2007 | Salt Lake City, Utah, USA |
| March 19 - March 21 | UKUUG LISA/Spring Conference 2007 | Manchester, UK |
| March 22 - March 25 | Linux Audio Conference | Berlin, Germany |
| March 23 - March 25 | ShmooCon | Washington DC, USA |
| March 23 - March 25 | Guademy | Coruña, Spain |
| March 24 | FSF Associate Membership Meeting | Cambridge, MA, USA |
| March 26 - March 29 | Emerging Technology Conference | San Diego, CA, USA |
| April 1 - April 4 | International Lisp Conference 2007 | Cambridge, England |
| April 1 - April 5 | Embedded Systems Conference | San Jose, CA, USA |
| April 1 | GPLv3: Improving a Great Licence (discussion draft 3) | Brussels, Belgium |
| April 2 - April 6 | DJango Bootcamp | Atlanta, Georgia, USA |
| April 2 - April 5 | Hack in The Box Security Conference 2007 | Dubai, United Arab Emirates |
| April 3 - April 8 | Make Art 2007 | Poitiers, France |
| April 12 - April 14 | International Free Software Forum (Forum Internacional Software Livre) | Porto Alegre, Brazil |
| April 14 - April 15 | Ruby and Python Conference 2007 | Poznan, Poland |
| April 15 - April 18 | Gelato ICE: Itanium® Conference & Expo | San Jose, California, USA |
| April 17 - April 19 | Embedded Linux Conference | San Jose, USA |
| April 18 - April 20 | CanSecWest Applied Security Conference 2007 | Vancouver, Canada |
| April 19 | Linux 2007 | Lisbon, Portugal |
| April 19 | Power Architecture Software Summit | Austin, TX, USA |
| April 20 - April 22 | International Conference on Availability, Reliability and Security Conference on Availability, Reliability and Security | Vienna, Austria |
| April 20 - April 22 | Penguicon 5.0 Open Source Software & Science Fiction Convention | Troy, Michigan, USA |
| April 21 | Romanian Open Source Development Meeting | Bucharest, Romania |
| April 23 - April 25 | Samba eXPerience 2007 | Göttingen, Germany |
| April 23 - April 27 | PostgreSQL Bootcamp at the Big Nerd Ranch | Atlanta, USA |
| April 23 - April 26 | MySQL Conference and Expo | Santa Clara, CA, USA |
| April 28 - April 29 | Linuxfest Northwest | Bellingham, WA, USA |

If your event does not appear here, please tell us about it.

Event Reports

OpenVZ LinuxWorld follow-up

The OpenVZ project has sent out a news release that highlights the project's progress in 2006. "The open source project, OpenVZ delivered some 50 software updates and in total more than 2 terabytes of its virtualization software were downloaded in 2006 by the user community - the project announced today. The operating system server virtualization software technology helps increase server utilization rates. The OpenVZ project freely distributes and offers support to its users, promoting operating system virtualization through a collaborative, community effort. Supported by SWsoft, the OpenVZ project serves the needs of the community developers, testers, documentation experts, and other technology enthusiasts who wish to participate in and accelerate the technology development process."

Full Story (comments: none)

Page editor: Forrest Cook


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds