LWN.net Weekly Edition for May 3, 2007

A tale of two release cycles

As most LWN readers will be aware, the 2.6.21 kernel has been released. The 2.6.21 process was relatively difficult, mostly as a result of the core timer changes which went in. These changes were necessary - they are the path forward to a kernel which works better on all types of hardware - but they caused some significant delays in the release of the final 2.6.21 kernel. Even at release time, this kernel was known not to be perfect; there were a dozen or so known regressions which had not been fixed.

The reason we know about these regressions is that Adrian Bunk has been tracking them for the past few development cycles. Mr. Bunk has let it be known that he will not be doing this tracking for future kernels. From his point of view, the fact that the kernel was released with known regressions means that the time spent tracking them was wasted. Why bother doing that work if it doesn't result in the tracked problems being fixed?

What Mr. Bunk would like to see is a longer stabilization period:

There is a conflict between Linus trying to release kernels every 2 months and releasing with few regressions. Trying to avoid regressions might in the worst case result in an -rc12 and 4 months between releases. If the focus is on avoiding regressions this has to be accepted.

Here is where one finds the fundamental point of disagreement. The kernel used to operate with long release cycles, but the "stable" kernels which emerged at the end were not particularly well known for being regression free. Downloading and running an early 2.4.x kernel should prove that point to anybody who doubts it.

The reasoning behind the current development process (and the timing of the 2.6.21 release in particular), as stated by Linus Torvalds, is:

Regressions _increase_ with longer release cycles. They don't get fewer.. This simply *does*not*work*. You might want it to work, but it's against human psychology. People get bored, and start wasting their time discussing esoteric scheduler issues which weren't regressions at all.

In other words, holding up a release for a small number of known bugs prevents a much larger set of fixes, updates, new features, additional support, and so on from getting to the user base. Meanwhile, the developers do not stop developing, and the pile of code to be merged in the next cycle just gets larger, leading to even more problems when the floodgates open. It would appear that most kernel developers believe that it is better to leave the final problems for the stable tree and let the development process move on.

The 2.6.21 experience might encourage a few small changes; in particular, Linus has suggested that truly disruptive changes should maybe have an entire development cycle to themselves. As a whole, however, the process is not seen as being broken and is unlikely to see any big "fixes."

For an entirely different example, let us examine the process leading to the Emacs 22 release. Projects managed by the Free Software Foundation have never been known for rapid or timely releases, but, even with the right expectations in place, this Emacs cycle has been a long one: the previous major release (version 21) was announced in October, 2001. In those days, LWN was talking about the 2.4.11 kernel, incorporation of patented technology into W3C standards, the upcoming Mozilla 1.0 release, and the Gartner Group's characterization of Linux as a convenient way for companies to negotiate lower prices from proprietary software vendors. Things have moved on a bit since those days, but Emacs 21 is still the current version.

The new Emacs major release was recently scheduled for April 23, but it has not yet happened. There is one significant issue in the way of this release: it seems that there is a cloud over some of the code which was merged into the Emacs Python editing mode. Until this code is either cleared or removed, releasing Emacs would not be a particularly good idea. It also appears that the wisdom of shipping a game called "Tetris" has been questioned anew and is being run past the FSF's lawyers.

Before this issue came up, however, the natives in the Emacs development community were getting a little restless. Richard Stallman may not do a great deal of software development anymore, but he is still heavily involved in the Emacs process. Emacs is still his baby. And this baby, it seems, will not be released until it is free of known bugs. This approach is distressing for Emacs developers who would like to make a release and get more than five years' worth of development work out to the user community.

This message from Emacs hacker Chong Yidong is worth quoting at length:

To be fair, I think RMS' style of maintaining software, with long release cycles and insistence on fixing all reported bugs, was probably a good approach back in the 80s, when there was only a handful of users with access to email to report bugs.

Nowadays, of course, the increase in the number of users with email and the fact that Emacs CVS is now publicly available means that there will always be a constant trickle of bug reports giving you something to fix. Insisting---as RMS does---on fixing all reported bugs, even those that are not serious and not regressions, now means that you will probably never make a release.

It has often been said that "perfect" is the enemy of "good." That saying does seem to hold true when applied to software release cycles; an attempt to create a truly perfect release results in no release at all. Users do not get the code, which does not seem like a "perfect" outcome to them.

Mr. Yidong has another observation which mirrors what was said in the kernel discussion:

There is also a positive feedback loop: RMS' style for maintaining Emacs drives away valuable contributors who feel their effects will never be rewarded with a release (and a release is, after all, the only reward you get from contributing to Emacs).

It's not only users who get frustrated by long development cycles; the developers, too, find them tiresome. Projects which adopt shorter, time-based release cycles rarely seem to regret the change. It appears that there really are advantages to getting the code out there in a released form. Your editor is not taking bets on when Emacs might move to a bounded-time release process, though.

The embedded Linux nightmare - an epilogue

May 1, 2007

This article was contributed by Thomas Gleixner

The usage of proprietary operating systems in companies over the last 25 years has established a set of constraints which are not really applicable to the way open source development - and Linux kernel development in particular - works. My keynote talk ("The Embedded Linux Nightmare") at the Embedded Linux Conference in Santa Clara addressed this mismatch; it created quite a bit of discussion. I would like to follow up and add some more details and thoughts about this topic.

Why follow mainline development?

The version cycles of proprietary operating systems are completely different than the Linux kernel version cycles. Proprietary operating systems have release cycles measured in years; the Linux kernel, instead, is released about every three months with major updates to the functionality and feature set and changes to internal APIs. This fundamental difference is one of the hardest problems to handle for the corporate mindset.

One can easily understand that companies try to apply the same mechanisms which they applied to their formerly- (and still-) used operating systems in order not to change procedures of development and quality assurance. Jamming Linux into these existing procedures seems to be somehow possible, but it is one of the main contributions to the embedded Linux nightmare, preventing companies from tapping the full potential of open source software. Embedded distribution vendors are equally guilty as they try to keep up the illusion of the one-to-one replacement of proprietary operating systems by creating heavily patched Linux kernel variants.

It is undisputed that kernel versions need to be frozen for product releases, but it can be observed that those freezes are typically done very early in the development cycle and are kept across multiple versions of the product or product family. These freezes, which are the vain attempt to keep the existing procedures alive, lead to backports of features found in newer kernel versions and create monsters which put the companies into the isolated situation of maintaining their unique fork forever, without the help of the community.

I was asked recently whether a backport of the new upcoming wireless network stack into Linux 2.6.10 would be possible. Of course it is possible, but it does not make any sense at all. Backporting such a feature requires backporting other changes in the network stack and many other places of the kernel as well, making it even more complex to verify and maintain. Each update and bug fix in the mainline code needs to be tracked and carefully considered for backporting. Bugfixes which are made in the backported code are unlikely to apply to later versions and are therefore useless for others.

During another discussion about backporting a large feature into an old kernel, I asked why a company would want to do that. The answer was: the quality assurance procedures would require a full verification when the kernel would be upgraded to a newer version. This is ridiculous. What level of quality does such a process assure when there is a difference between moving to a newer kernel version and patching a heavy feature set into an old kernel? The risk of adding subtle breakage into the old kernel with a backport is orders of magnitude higher than the risk of breakage from an up-to-date kernel release. Up-to-date kernels go through the community quality assurance process; unique forks, instead, are excluded from this free of charge service.

There is a fundamental difference between adding a feature to a proprietary operating system and backporting a feature from a new Linux kernel to an old one. A new feature of a proprietary operating system is written for exactly the version which is enhanced by the feature. A new feature for the Linux kernel is written for the newest version of the kernel and builds upon the enhancements and features which have been developed between the release of the old kernel and now. New Linux kernel features are simply not designed for backporting.

I can only discourage companies from even thinking about such things. The time spent doing backports and the maintenance of the resulting unique kernel fork is better spent on adjusting the internal development and quality assurance procedures to the way in which the Linux kernel development process is done. Otherwise it would be just another great example of a useless waste of resources.

Benefits to companies from working with the kernel process

There are a lot of arguments made why mainlining code is not practicable in the embedded world. One of the most commonly used arguments is that embedded projects are one-shot developments and therefore mainlining is useless and without value. My experience in the embedded area tells me, instead, that most projects are built on previous projects and a lot of products are part of a product series with different feature sets. Most special-function semiconductors are parts of a product family and development happens on top of existing parts. The IP blocks, which are the base of most ASIC designs, are reused all over the place, so the code to support those building blocks can be reused as well.

The one-shot project argument is a strawman for me. The real reasons are the reluctance to give up control over a piece of code, the already discussed usage of ancient kernel versions, the work which is related to mainlining, and to some degree the fear of the unknown.

The reluctance to give up control over code is an understandable but nevertheless misplaced relic of the proprietary closed source model. Companies have to open up their modifications and extensions to the Linux kernel and other open source software anyway when they ship their product. So handing it over to the community in the first place should be just a small step.

Of course mainlining of code is a fair amount of work and it forces changes to the way development in companies works. There are companies which have been through this change and they confirm that there are benefits in it.

According to Andrew Morton, we change approximately 9000 lines of kernel code per day, every day. That means that we touch something in the range of 3000 lines of code, when we take comments, blank lines and simple reshuffling into account. The COCOMO estimate of the value of 3000 lines of code is about $100k. So we have a total investment of $36 million per year which flows into the kernel development. That's with all the relevant factors set to 1. Taking David Wheeler's factors into account would cause this figure to go up to $127 million. This estimate does not take other efforts around the kernel into account, like the test farms, the testing and documentation projects and the immense number of (in)voluntary testers and bug reporters who "staff" the QA department of the kernel.

Some companies realize the value of this huge cooperative investment and add their own stake for the long term benefit. We recently had a customer who asked if we could write a driver for a yet-unsupported flash chip. His second question was whether we would try to feed it back into the mainline. He was even willing to pay for the extra hours, simply because he understood that it was helpful for him. This is a small company with less than 100 employees and a definitely limited budget. But they cannot afford the waste of maintaining even such small drivers out of tree. I have seen such efforts of smaller companies quite often in recent years and I really hold those folks in great respect.

Bigger players in the embedded market apparently have budgets large enough to ignore the benefits of working with the community and just concentrate on their private forks. This is unwise with respect to their own investments, not to talk about the total disrespect for the values which are given them by the community.

It is understandable that companies want to open the code for new products very late in the product cycle, but there are ways to get this done nevertheless. One is to work through a community proxy, such as consultants or service providers, who know how kernel development works and can help to make the code ready for inclusion from the very beginning.

The value of community-style development is in avoiding mistakes and the benefit of the experience of other developers. Posting an early draft of code for comment can be helpful for both code quality and development time. The largest benefit of mainlining code is the automatic updates when the kernel internal interfaces are changed and the enhancements and bugfixes which are provided by users of the code. Mainlining code allows easy kernel upgrades later in a product cycle when new features and technologies have to be added. This is also true for security fixes, which are eventually hard to backport.

Benefits to developers

I personally know developers who are not interested in working in the open at all for a very dubious reason: as long as they have control over their own private kernel fork, they are the undisputed experts for code on which their company depends. If forced to hand over their code to the community, they fear losing control and making themselves easier to replace. Of course this is a short-sighted view, but it happens. These developers miss the beneficial effect of gaining knowledge and expertise by working together with others.

One of my own employees went through a ten-round review-update-review cycle which ended with satisfaction for both sides:

	> Other than that I am very happy with this latest version. Great
	> job!  Thanks for your patience, I know it's always a bit
	> frustrating when your code works well enough for yourself and you
	> are still told to make many changes before it is acceptable
	> upstream.

	Well, I really appreciate good code quality. If this is the price,
	I'm willing to pay it. Actually, I thank you for helping me so
	much.

Over the course of this review cycle the code quality of the driver improved; it also led to some general discussion about the affected sensors framework and the improvement of it on the fly. The developer improved his skills and he got an improved insight into the framework with the result that his next project will definitely have a much shorter review cycle. This growth makes him far more valuable for the company than having him as the internal expert for some "well it works for us" driver.

The framework maintainer benefited as well, as he needed to look at the requirements of the new device and adjust the framework to handle it in a generic way. This phenomenon is completely consistent with Greg Kroah-Hartman's statement in his OLS keynote last year:

We want more drivers, no matter how "obscure", because it allows us to see patterns in the code, and realize how we could do things better.

All of the above leads to a single conclusion: working with the kernel development community is worth the costs it imposes in changes to internal processes. Companies which work with the kernel developers get a kernel which better meets their needs, is far more stable and secure, and which will be maintained and improved by the community far into the future. Those companies which choose to stay outside the process, instead, miss many of the benefits of millions of dollars' worth of work being contributed by others. Developers are able to take advantage of working with a group of smart people with a strong dedication to code quality and long-term maintainability.

It can be a winning situation for everybody involved - far better than perpetuating the embedded Linux nightmare.

A tale of two dead companies

Once upon a time, there was a software firm named AppForge, Inc. This company sold development tools for mobile platforms, allowing others to create applications which would run on a number of different devices. These were all proprietary tools for proprietary systems, and so wouldn't normally be of interest on LWN. What has happened with AppForge turns out to be worth a look, however.

It seems that AppForge went bankrupt back in March. So there will be no support for AppForge's products going into the future. But, as it turns out, it's worse than that:

Crossfire licensing typically works by validating a serial number against AppForge's server before installation on any new device. Since AppForge went dark, end users have been unable to provision new devices with software that they thought they owned.

It does not take much searching to find forums full of AppForge customers looking for ways to activate the product licenses they had already bought and paid for. In the meantime, their businesses have come to a halt because a core component of their products has suddenly been pulled out from underneath them.

Adding the usual sanctimonious LWN sermon on the risks of using proprietary software seems superfluous here.

More recently, Progeny Linux Systems ceased operations. This company, which had based its hopes on a specialized, configurable version of the Debian distribution aimed at appliance vendors, had been quiet for some time. Founder Ian Murdock headed off to greener pastures (first the Free Standards Group, then Sun) a while back. Press releases and other communications had dried up. The last repository update posted to the mailing lists happened in October, 2006. The DCC Alliance, a Progeny-led effort to create a standard distribution based on Debian, has had no news to offer since 2005. Now the company's web site states that Progeny ceased operations on April 30.

Progeny seems to have lost out in the market to others with more interesting offerings. Ubuntu declined to join the DCC Alliance for what looks like a clear business reason: Ubuntu is becoming the standardized, cleaned-up version of Debian that DCC wanted to be, and with predictable releases as a bonus. Companies like rPath appear to be finding more success at signing up customers in the appliance market. With no wind in its sails, Progeny was unable to bring in the revenue to keep going.

Progeny's customers, too, will lose the support offered by the company. There will be no distribution upgrades, no security fixes, and nobody to answer questions. This loss will clearly be a concern for any affected customers, but those customers are in a very different position from those who were dependent on AppForge tools. Since they were using a free platform, nothing prevents Progeny's customers from continuing to ship their products. These customers can also readily find companies (or consultants) who can continue to support the Progeny platform, should they need that support. The cost may be unwelcome, but the core truth remains: any Progeny customer which has a need to keep the Progeny platform secure or fix bugs in it will be able to do so.

The nature of the technology market is such that the failure of product lines and entire companies is not an uncommon event. When one company depends on another company's products, the risk of this sort of failure must be kept in mind. That risk is far lower, however, when companies base their products on free software.

(Thanks to Scott Preece for bringing the AppForge situation to our awareness).

Page editor: Jonathan Corbet

Security

IPv6 source routing: history repeats itself

May 2, 2007

This article was contributed by Jake Edge.

A feature slipped into the IPv6 protocol because of political, rather than technical, considerations and has, perhaps unsurprisingly, come back to haunt the IPv6 working group. It also prompted a recent Linux kernel release that disables a particular routing 'feature' of IPv6 by default, while still allowing administrators to enable it if they wish. Even a cursory look at the IPv6 routing header type 0 (RH0) might lead one to remember a similar IPv4 feature that eventually fell out of favor: source routing.

Mostly used as a diagnostic tool, source routing allows a packet to specify the route, as a list of IP addresses, that should be used to reply to it. This capability was abused in IP address spoofing attacks by enabling the spoofer to see responses that normally would be routed directly to the spoofed address. Because of this (and other source routing abuses), most routers are configured to drop packets that have source routing information and have been since the mid-90s. Ten years or more would seem to be enough time to ensure that the 'next generation' of IP (IPv6 was originally billed as 'IPng') missed out on repeating these mistakes of the past; sadly, that is not the case.

IPv6 introduces something called a 'routing header' into the protocol as part of the extension headers, which are meant to replace the IPv4 options field. Three types of routing header are defined, one of which is unused (type 1) and another which is only used by Mobile IPv6 implementations (type 2). It is the third (type 0) that is the cause of all the current uproar. Also known as RH0 headers, they contain a list of hosts to be 'visited' on the way back to the source address. It should be noted that the IPv6 RFC mentions IPv4 source routing as part of the description of RH0.

A presentation (PDF) at the CanSecWest 2007 conference outlined several vulnerabilities with RH0, and that led to the kernel changes in 2.6.20.9. The biggest vulnerability appears to be in the amplification effect that can be caused by listing hosts multiple times in the 'route'. One packet can then cause what are essentially multiple copies of itself to be sent back and forth between the hosts listed in the header. This can be used to multiply the traffic in a denial of service attack as well as masking the source of the attack. The BSD operating systems have also released new versions to address this problem and the router vendors will not be far behind. (It should be noted that a bug in the original Linux fix was addressed in 2.6.20.10 and, because 2.6.21 had been released in the interim, in 2.6.21.1 as well.)
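As an added illustration (not code from LWN, the CanSecWest presentation or the kernel fix), the following Python example walks a raw IPv6 packet's extension headers using the RFC 2460 layout, reports any type 0 routing header, and counts addresses listed more than once, the pattern described above. The drop policy, the function names and the sample packet (documentation-prefix addresses) are assumptions made for the example.

```python
"""Flag IPv6 type 0 routing headers (RH0) in raw packets. Sample data is constructed."""
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass

IPV6_HDR_LEN = 40
# Next Header values: hop-by-hop, routing, fragment, destination options, no next header
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_NONE = 0, 43, 44, 60, 59


@dataclass
class RH0Report:
    segments_left: int   # hops the header still asks intermediate nodes to perform
    addresses: list      # every address listed in the header, in order
    repeated: dict       # address -> count, for addresses listed more than once
    verdict: str         # "drop" or "accept" under the example policy in assess()


def find_rh0(packet: bytes):
    """Walk the extension-header chain; return (segments_left, addresses) or None."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], IPV6_HDR_LEN
    while next_hdr in (NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Bytes 2 and 3 are only routing type / segments left in a routing header.
        following, ext_len, rtype, segs_left = packet[offset:offset + 4]
        # Fragment headers are a fixed 8 bytes; the others count 8-byte units
        # beyond the first 8 bytes.
        size = 8 if next_hdr == NH_FRAGMENT else (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        if next_hdr == NH_ROUTING and rtype == 0:
            if ext_len % 2:
                raise ValueError("RH0 length is not a whole number of addresses")
            body = packet[offset + 8:offset + size]
            addrs = [ipaddress.IPv6Address(body[i:i + 16])
                     for i in range(0, len(body), 16)]
            if segs_left > len(addrs):
                raise ValueError("segments left exceeds listed addresses")
            return segs_left, addrs
        next_hdr, offset = following, offset + size
    return None


def assess(packet: bytes):
    """Example policy (an assumption): drop any RH0 that still has segments to visit."""
    found = find_rh0(packet)
    if found is None:
        return None
    segs_left, addrs = found
    counts = Counter(str(a) for a in addrs)
    repeated = {addr: n for addr, n in counts.items() if n > 1}
    verdict = "drop" if segs_left > 0 else "accept"
    return RH0Report(segs_left, [str(a) for a in addrs], repeated, verdict)


def sample_packet(route, segments_left):
    """Constructed test input: IPv6 header + RH0, no payload, 2001:db8::/32 addresses."""
    rh0 = struct.pack("!BBBBI", NH_NONE, 2 * len(route), 0, segments_left, 0)
    rh0 += b"".join(ipaddress.IPv6Address(a).packed for a in route)
    hdr = struct.pack("!IHBB", 6 << 28, len(rh0), NH_ROUTING, 64)
    hdr += ipaddress.IPv6Address("2001:db8::1").packed     # source
    hdr += ipaddress.IPv6Address("2001:db8:a::1").packed   # destination
    return hdr + rh0


if __name__ == "__main__":
    # Two hosts listed twice each: the repeated-host route the article describes.
    route = ["2001:db8:b::1", "2001:db8:a::1"] * 2
    print(assess(sample_packet(route, segments_left=4)))
```
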

Given that the problems with source routing are known and that the parallels between RH0 and source routing are also known, how did we get to the point where this kind of feature was added into IPv6? The Internet Engineering Task Force (IETF) IPv6 working group is discussing some of that in a thread on their mailing list. A memorable rant by Theo de Raadt seems to indicate that 'academics' in the process forced the inclusion of RH0 through politics. Paul Vixie commiserates and indicates that he sees it as more evidence that the IETF is largely irrelevant in setting internet standards today. In addition, no one responding to the thread seems to be able to come up with a particularly valid use case for the feature.

This would appear to be a classic case of ignoring the past and being doomed to repeat it, but it would also appear that the politics of standards bodies played a role. We certainly are not well served when political considerations trump security (or, really, any technical) considerations. Hopefully this will be yet another object lesson for those of a political bent.

New vulnerabilities

capi4k-utils: buffer overflow

Package(s): capi4k-utils
CVE #(s): CVE-2007-1217
Created: April 30, 2007
Updated: May 2, 2007
Description: The bufprint() function in capi4k-utils fails to properly check boundaries of data coming from CAPI packets. A local attacker could possibly escalate privileges or cause a Denial of Service by sending a crafted CAPI packet.
Alerts:
Gentoo 200704-23 capi4k-utils 2007-04-27

gimp: arbitrary code execution

Package(s): gimp
CVE #(s): CVE-2007-2356
Created: May 1, 2007
Updated: June 11, 2007
Description: From this Secunia advisory: "Marsu has discovered a vulnerability in Gimp, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the "set_color_table()" function in plug-ins/common/sunras.c. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted .RAS file."
Alerts:
Debian DSA-1301-1 gimp 2007-06-09
Ubuntu USN-467-1 gimp 2007-05-31
Mandriva MDKSA-2007:108 gimp 2007-05-22
Red Hat RHSA-2007:0343-01 gimp 2007-05-21
SuSE SUSE-SR:2007:011 apache gimp zope 2007-05-16
Gentoo 200705-08 gimp 2007-05-07
rPath rPSA-2007-0090-1 gimp 2007-05-03
Foresight FLEA-2007-0015-1 gimp 2007-04-30

kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2007-1861 CVE-2007-2242
Created: May 1, 2007
Updated: February 8, 2008
Description: The netlink protocol has an infinite recursion bug that allows users to cause a kernel crash. Also the IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Alerts:
SuSE SUSE-SA:2008:006 kernel 2008-02-07
Ubuntu USN-508-1 linux-source-2.6.15 2007-08-31
Mandriva MDKSA-2007:171 kernel 2007-08-28
Ubuntu USN-489-1 linux-source-2.6.15 2007-07-19
Ubuntu USN-486-1 linux-source-2.6.17 2007-07-17
SuSE SUSE-SA:2007:051 kernel 2007-09-06
Mandriva MDKSA-2007:216 kernel 2007-11-13
Red Hat RHSA-2007:0347-01 kernel 2007-05-16
Debian DSA-1289-1 linux-2.6 2007-05-13
Foresight FLEA-2007-0016-1 kernel 2007-05-08
rPath rPSA-2007-0084-1 kernel 2007-05-01
Fedora FEDORA-2007-483 kernel 2007-05-01
Fedora FEDORA-2007-482 kernel 2007-05-01

net-snmp: denial of service

Package(s): net-snmp
CVE #(s): CVE-2005-4837
Created: May 2, 2007
Updated: May 4, 2007
Description: From the Ubuntu advisory: the SNMP service did not correctly handle TCP disconnects. Remote subagents could cause a denial of service if they dropped a connection at a specific time. Note that this vulnerability has been known since 2005.
Alerts:
rPath rPSA-2007-0089-1 net-snmp 2007-05-03
Ubuntu USN-456-1 net-snmp 2007-05-02

qemu: multiple vulnerabilities

Package(s): qemu
CVE #(s): CVE-2007-1320 CVE-2007-1321 CVE-2007-1322 CVE-2007-1323 CVE-2007-1366
Created: May 1, 2007
Updated: January 19, 2009
Description: Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service.
Alerts:
Fedora FEDORA-2008-11705 kvm 2008-12-24
Fedora FEDORA-2008-10000 kvm 2008-11-22
Fedora FEDORA-2008-9556 kvm 2008-11-12
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19
Mandriva MDVSA-2008:162 qemu 2008-08-07
Fedora FEDORA-2008-4386 kvm 2008-05-28
Fedora FEDORA-2008-4604 kvm 2008-05-28
Fedora FEDORA-2007-713 xen 2007-10-08
Debian DSA-1384-1 xen-utils 2007-10-05
Fedora FEDORA-2007-2270 xen 2007-10-03
Red Hat RHSA-2007:0323-01 Xen 2007-10-02
Debian-Testing DTSA-38-1 qemu 2007-05-26
Debian DSA-1284-1 qemu 2007-05-01

quagga: denial of service

Package(s): quagga
CVE #(s): CVE-2007-1995
Created: May 2, 2007
Updated: July 3, 2007
Description: A malicious peer can cause the quagga routing daemon to crash by sending a properly crafted BGP packet.
Alerts:
Fedora FEDORA-2007-0838 quagga 2007-07-03
Fedora FEDORA-2007-525 quagga 2007-06-06
Red Hat RHSA-2007:0389-01 quagga 2007-05-30
Ubuntu USN-461-1 quagga 2007-05-17
OpenPKG OpenPKG-SA-2007.015 quagga 2007-05-18
Debian DSA-1293-1 quagga 2007-05-17
Mandriva MDKSA-2007:096 quagga 2007-05-02
Gentoo 200705-05 quagga 2007-05-02

tomcat: directory traversal

Package(s): tomcat
CVE #(s): CVE-2007-0450
Created: May 2, 2007
Updated: February 27, 2008
Description: Versions of tomcat prior to 5.5.22 do not properly filter filename separator characters, enabling information disclosure attacks.
Alerts:
SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
Mandriva MDKSA-2007:241 tomcat5 2007-12-10
Red Hat RHSA-2007:0360-01 jbossas 2007-05-24
Red Hat RHSA-2007:0328-01 tomcat 2007-05-24
Fedora FEDORA-2007-514 tomcat5 2007-05-21
Red Hat RHSA-2007:0326-01 tomcat 2007-05-21
Red Hat RHSA-2007:0327-01 tomcat 2007-05-14
Gentoo 200705-03 tomcat 2007-05-01

util-linux: access restriction bypass

Package(s): util-linux
CVE #(s): CVE-2006-7108
Created: May 2, 2007
Updated: June 15, 2007
Description: From the Red Hat advisory: a flaw was found in the way the login process handled logins which did not require authentication. Certain processes which conduct their own authentication could allow a remote user to bypass intended access policies which would normally be enforced by the login process.
Alerts:
rPath rPSA-2007-0126-1 util-linux 2007-06-15
Mandriva MDKSA-2007:111 util-linux 2007-06-04
Red Hat RHSA-2007:0235-02 util-linux 2007-05-01

vim: arbitrary shell code execution

Package(s): vim
CVE #(s): CVE-2007-2438
Created: April 30, 2007
Updated: May 25, 2007
Description: Vim allows two functions, feedkeys() and writefile(), to be used in the sandbox. Functions executed via modelines in files being edited are verified by the sandbox; a user who is coerced into opening a specially-crafted file could cause the system to execute arbitrary shell code supplied by the attacker.
Alerts:
SuSE SUSE-SR:2007:012 net-snmp, vim, kdebase3, mod_perl 2007-05-25
Ubuntu USN-463-1 vim 2007-05-22
Mandriva MDKSA-2007:101 vim 2007-05-09
Red Hat RHSA-2007:0346-01 vim 2007-05-09
Fedora FEDORA-2007-492 vim 2007-05-07
Foresight FLEA-2007-0014-1 gvim 2007-04-30

Comments (1 posted)

wordpress: another pile of vulnerabilities

Package(s): wordpress
CVE #(s): CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897
Created: May 2, 2007
Updated: July 6, 2007
Description: Wordpress suffers from another set of vulnerabilities including a couple of cross-site scripting problems, an access restrictions bypass issue, and an SQL injection vulnerability.
Alerts:
Fedora FEDORA-2007-0894 wordpress 2007-07-05
Debian DSA-1285-1 wordpress 2007-05-01

Comments (none posted)

xscreensaver: password check bypass

Package(s): xscreensaver
CVE #(s): CVE-2007-1859
Created: May 2, 2007
Updated: June 13, 2007
Description: On a system which uses a remote directory service for passwords, a local attacker can crash xscreensaver by disrupting network connectivity, thus bypassing the password check and gaining access to the system.
Alerts:
Ubuntu USN-474-1 xscreensaver 2007-06-12
Gentoo 200705-14 xscreensaver 2007-05-13
SuSE SUSE-SR:2007:009 ekiga, gnomemeeting, xscreensaver, cups, quagga 2007-05-04
rPath rPSA-2007-0088-1 xscreensaver 2007-05-03
Mandriva MDKSA-2007:097 xscreensaver 2007-05-02
Red Hat RHSA-2007:0322-01 xscreensaver 2007-05-02

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

There is no 2.6 prepatch outstanding as of this writing. The 2.6.22 merge window has opened, and about 2,000 changesets have been merged so far (see below).

The current -mm tree is 2.6.21-rc7-mm2. There have not been a lot of new features going into -mm recently; the focus has been on bug fixes.

The current stable 2.6 kernel is 2.6.21, released on April 25. For those just tuning in, 2.6.21 includes clockevents and the dynamic tick patch, the VMI virtualization interface, a number of KVM improvements, the ALSA system on chip layer, and much more. See the KernelNewbies 2.6.21 summary for vast amounts of detail.

The 2.6.21.1 update added a couple of fixes for security issues in the networking code.

For older kernels: the current 2.6.20 release is 2.6.20.11, released on May 1 (superseding 2.6.20.8, 2.6.20.9, and 2.6.20.10). The 2.6.20.11 release contains a few dozen important fixes; the previous updates contained fixes for networking-related security problems.

2.6.16.50-rc1 was released on May 1 with several fixes, a couple of which have CVE numbers attached.

Comments (none posted)

Kernel development news

Quotes of the week

So -mm is still very useful just because *Andrew* tests it, and finds all kinds of issues with it, but I literally suspect that Andrew himself is personally a big part of that, which is kind of wasteful - we should be able to spread out the pain more. Andrew is also too damn polite when something goes wrong.
-- Linus Torvalds

The overall stability in recent -mm's was not sufficiently high and we ran out of time to find all the bugs. I shouldn't have merged all those patches last week - they contained an exceptional amount of garbage. This all means that more bugs than usual will probably leak into mainline, and we'll have to fix them there.
-- Andrew Morton

Comments (2 posted)

Job opening: kernel bug manager

In the middle of the discussion on the handling of kernel bugs, Andrew Morton let it slip that the long-rumored, Google-funded kernel bug manager position is now open. It's apparently proved hard to fill: "Unfortunately the recruiting has been a bit tricky - this is not a typical job and it's a funny mixture of bureaucracy/politics/social engineering and programming. People who are skilled in both areas, are, ah, uncommon." If you are such a person this could be a great opportunity to build kernel skills while working directly with Andrew - and help the kernel process as well.

Comments (17 posted)

Merged (and to be merged) for 2.6.22

The 2.6.22 merge window has opened, with almost 2,000 changesets merged as of this writing. The merge process appears to have slowed somewhat; it may be that the level of traffic on linux-kernel is so high (even by linux-kernel standards) that nobody has time to deal with actual patches. Be that as it may, user-visible changes merged so far include:

  • Lots of networking changes, including improvements to the forward receive timeout recovery (RFC4138) implementation, a YeAH-TCP congestion control [PDF] implementation, a TCP Illinois congestion control implementation, and a new RxRPC secure socket layer (along with support for using RxRPC in the AFS filesystem). Also, the old, IPv4-only connection tracking code has been removed as per the feature removal schedule.

  • The cfg80211 patches - a new, netlink-based interface for configuring wireless interfaces - have been merged. At the same time, the netlink version of the "wireless extensions" interface has been removed.

  • The OCFS2 filesystem now has sparse file support.

  • The UBI patch, which performs flash-aware partitioning and volume management, has been merged.

  • New drivers for USB webcams based on zr364xx chipsets, AT26Fxxx dataflash devices, CM-X270-based NAND flash memory, Freescale SOC USB controllers, and Marvell Libertas 802.11 adaptors (used in the OLPC system).

    It's also worth noting that the IVTV video driver, long out of the mainline, has finally been merged. "It took three core maintainers, over four years of work, eight new i2c modules, eleven new V4L2 ioctls, three new DVB video ioctls, a Sliced VBI API, a new MPEG encoder API, an enhanced DVB video MPEG decoding API, major YUV/OSD contributions from Ian and John, web/wiki/svn/trac support from Axel Thimm, (hardware) support from Hauppauge, support and assistance from the v4l-dvb people and the many, many users of ivtv to finally make it possible to merge this driver into the kernel."

  • A new "sony-laptop" layer which replaces sonypi and provides better Sony support. The old "ibm_acpi" module has been renamed "thinkpad-acpi," and it features improved support for those laptops.

  • The CFQ I/O scheduler has been reworked. Taking inspiration from the CFS CPU scheduler, it now uses a red-black tree to sort pending requests by expected execution time and track them.

Changes visible to kernel developers include:

  • The eth_type_trans() function now sets the skb->dev field, consistent with how similar functions for other link types operate. As a result, many Ethernet drivers have been changed to remove the (now) redundant assignment.

  • The header fields in the sk_buff structure have been renamed and are no longer unions. Networking code and drivers can now just use skb->transport_header, skb->network_header, and skb->skb_mac_header. There are new functions for finding specific headers within packets: tcp_hdr(), udp_hdr(), ipip_hdr(), and ipipv6_hdr().

  • Also in the networking area: the packet scheduler has been reworked to use ktime values rather than jiffies.

Those who are curious about what else might get into 2.6.22 can have a look at Andrew Morton's 2.6.22 merge plans document. Interestingly, Lguest, the signalfd work, and the SLUB allocator are all planned for merging, but all have become less certain since:

  • There have been some complaints that Lguest has not been sufficiently reviewed. Since this development is independent and will not bother those who do not use it, the concerns are less likely to delay its inclusion.

  • Signalfd has a new competitor in the form of the pollfs patch. Pollfs takes a different approach to many of the same problems and throws in polling for futex operations as well. It is far from clear that pollfs is better (some of the early reviews have been on the unfavorable side), but the process of figuring out whether that is true could delay signalfd past the closing of the merge window.

  • The SLUB allocator has also been subject to concerns that it has not been sufficiently tested for such a fundamental change. Additionally, there seems to be a difference of goals between Andrew Morton (who would like to see SLUB eventually replace the current slab allocator) and SLUB developer Christoph Lameter, who had seen the two coexisting indefinitely. Chances are these issues will get worked out and SLUB will go in as scheduled.

There are a few things of interest which are not on Andrew's list. The reiser4 filesystem seems certain to sit out (at least) another cycle, despite a resurgence in interest in getting it ready for inclusion. Xen is not mentioned, but it seems that, behind the scenes, it is being worked on. So Xen could actually show up before the merge window closes. There will be no major scheduler rework in 2.6.22; it's too soon for any of those patches to go in. The anti-fragmentation patches look likely to wait a little longer; Andrew worries that they still haven't seen enough review and benchmarking despite many iterations over a few years. The integrity management patches are considered to be unready and will not be merged.

Beyond that, there will doubtless be surprises over the next week or so; stay tuned.

Comments (10 posted)

UIO: user-space drivers

The concept of supporting user-space drivers has appeared on this page a few times before. It's back; this time there is a version of the patch (now called "UIO") which is being proposed for inclusion into 2.6.22. The interface has changed somewhat, so another look is called for.

Like the previous version, UIO does not completely eliminate the need for kernel-space code. A small module is required to set up the device, perhaps interface to the PCI bus, and register an interrupt handler. The last function (interrupt handling) is particularly important; much can be done in user space, but there needs to be an in-kernel interrupt handler which knows how to tell the device to stop crying for attention.

The kernel module includes <linux/uio_driver.h>. If it's a driver for a PCI device, it should register itself as a PCI driver in the usual way. When it comes time to connect a device (perhaps in the PCI probe() function), the driver fills in a uio_info structure:

    struct uio_info {
        char            *name;
        char            *version;
        struct uio_mem  mem[MAX_UIO_MAPS];
        long            irq;
        unsigned long   irq_flags;
        void            *priv;
        irqreturn_t (*handler)(int irq, struct uio_info *dev_info);
        int (*mmap)(struct uio_info *info, struct vm_area_struct *vma);
        int (*open)(struct uio_info *info, struct inode *inode);
        int (*release)(struct uio_info *info, struct inode *inode);
        /* Internal stuff omitted */
    };

Here, name is the name of the device and version is the driver version (which will show up in sysfs). The number of the interrupt used by the device (if any) goes into irq, with irq_flags being the flags which will be passed to request_irq(). The function which handles interrupts is handler(). This handler should acknowledge the interrupt; it usually does not need to do anything else. The mmap(), open(), and release() functions are called from the equivalent file_operations members.

The mem array describes any memory areas which can be mapped into user space. The uio_mem structure looks like:

    struct uio_mem {
        unsigned long addr;
        unsigned long size;
        int memtype;
        void __iomem *internal_addr;
        /* ... */
    };

For each mappable area, addr is the relevant address, and size is the size of the area. If it's an I/O memory area, internal_addr is the address returned by ioremap(). The memtype field describes what the area really is:

  • UIO_MEM_PHYS indicates that addr is a physical address, generally for an I/O memory area.

  • UIO_MEM_LOGICAL is memory in the kernel logical address space, such as that returned by kmalloc().

  • UIO_MEM_VIRTUAL is memory in the kernel virtual address space - the space used by vmalloc_user() and friends.

Once the structure is filled in, the driver stub passes it to:

    int uio_register_device(struct device *parent, struct uio_info *info);

The parent pointer tells the kernel which "real" device is associated with the UIO device; if the driver is for a PCI device, parent will be &pci_dev->dev.

There is not much more to the kernel-space UIO API. When a device goes away, the driver should call:

    void uio_unregister_device(struct uio_info *info);

The final function of note is:

    void uio_event_notify(struct uio_info *info);

Its purpose is to notify the UIO core that an event (typically an interrupt) has occurred. The stub driver need not call uio_event_notify() for real interrupts, but it can be used to simulate interrupts in other situations.

On the user space side, the first UIO-handled device will show up as /dev/uio0 (assuming a normal udev setup). The user-space driver will open the device. Reading the device returns an int value which is the event count (number of interrupts) seen by the device; if no interrupts have come in since the last read, the operation will block until an interrupt happens (though non-blocking operation is supported in the usual way as well). The file descriptor can be passed to poll().

The memory areas described by the kernel-space driver can be mapped into user space with the mmap() call. The interface is just a little strange: the offset value passed to mmap() should be N times the page size for the Nth memory area. So, on a system with 4096-byte pages, the first memory area will be found with an offset of zero, the second at 4096, the third at 8192, etc. Once that is figured out, though, everything is pretty straightforward.
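The user-space half of the interface described above, as an added example (it is not code from the UIO patch set): it computes the mmap() offset for area N, reads the event count with a short-read check, and reports how many events arrived since the previous read. EXAMPLE_MAX_MAPS, the 4096-byte default area size, and the helper names are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: stands in for the kernel's MAX_UIO_MAPS, whose value the
 * article does not give. */
#define EXAMPLE_MAX_MAPS 5

/* mmap() offset selecting memory area n: n times the page size.
 * Returns (off_t)-1 for an out-of-range index or a bad page size. */
static off_t uio_map_offset(unsigned int n, long page_size)
{
    if (n >= EXAMPLE_MAX_MAPS || page_size <= 0)
        return (off_t)-1;
    return (off_t)n * (off_t)page_size;
}

/* Map area n of an open UIO device. The caller must already know the
 * area's size (assumption: taken from the device's documentation). */
static void *uio_map_area(int fd, unsigned int n, size_t size)
{
    off_t off = uio_map_offset(n, sysconf(_SC_PAGESIZE));

    if (off == (off_t)-1 || size == 0) {
        errno = EINVAL;
        return MAP_FAILED;
    }
    return mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off);
}

/* Wait for the next event and fetch the event count. A read that does not
 * return a whole int is treated as an error rather than trusted.
 * Returns 0 on success, -1 on error (errno is EAGAIN if non-blocking). */
static int uio_wait_event(int fd, int *count)
{
    int value;
    ssize_t got;

    do {
        got = read(fd, &value, sizeof(value));
    } while (got < 0 && errno == EINTR);

    if (got != (ssize_t)sizeof(value))
        return -1;
    *count = value;
    return 0;
}

/* Events that arrived between two reads. A result above 1 means several
 * interrupts were folded into one wakeup. Unsigned arithmetic keeps the
 * difference correct when the counter wraps. */
static unsigned int uio_events_since(int previous, int current)
{
    return (unsigned int)current - (unsigned int)previous;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/uio0";
    /* Assumption: area 0 is one 4096-byte page unless a size is given. */
    size_t size = argc > 2 ? (size_t)strtoul(argv[2], NULL, 0) : 4096;
    int fd = open(path, O_RDWR);

    if (fd < 0) {
        perror(path);
        return 1;
    }

    volatile uint32_t *regs = uio_map_area(fd, 0, size);
    if (regs == MAP_FAILED) {
        perror("mmap");
        close(fd);
        return 1;
    }

    /* Handle ten events, then exit. What the registers mean is device
     * specific; this only shows that they are reachable. */
    int last = 0, now;
    for (int i = 0; i < 10 && uio_wait_event(fd, &now) == 0; i++) {
        printf("event count %d (%u new), reg[0]=0x%08x\n",
               now, uio_events_since(last, now), (unsigned int)regs[0]);
        last = now;
    }

    munmap((void *)regs, size);
    close(fd);
    return 0;
}
```
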

There are some limitations, of course. UIO drivers are char drivers; there is no provision for creating user-space block or network drivers at this time. It is not possible to set up DMA operations from user space. But, for drivers which can be implemented with I/O memory access and simple interrupt handlers, the necessary pieces are in place. The patch set includes an example driver to show how it all works. According to Thomas Gleixner, the original, fully in-kernel version of the driver had to implement 68 different ioctl() commands and was over 5,000 lines long. The associated user-space code was over 3,000 lines as well. The new driver eliminates all of that, with a total of 156 lines of kernel code and just under 3,000 lines in user space.

Andrew Morton has expressed some reservations about the patch:

I'm a bit uncertain about the whole UIO idea, really. I have this vague feeling that we'd prefer to encourage people to move device drivers into GPL'ed kernel rather than encouraging them to do closed-source userspace implementations which will probably end up being slower, less reliable and unavailable on various architectures, distros, etc

The authors respond that it's not really about doing proprietary drivers, though some of that will undoubtedly go on. There are a number of people, especially in the embedded space, who want to do user-space drivers, for prototyping purposes if nothing else. The UIO framework gives them a relatively safe and standard way to write these drivers, which is seen as being better than having them each create their own kernel hooks. The patch has not been merged as of this writing, but, unless stronger objections arise, its chances of getting into 2.6.22 are reasonably good.

Comments (16 posted)

Large block size support

On its face, it doesn't seem like Christoph Lameter's large block size support patch would be that controversial. This patch set equips the page cache to hold blocks which are larger than the system's page size by storing them in higher-order, compound pages. That, in turn, enables filesystems to work with larger blocks. The patch should make operations on large files more efficient and improve the kernel's support for some types of hardware. The patch might eventually get merged, but not before more discussion has happened.

The problem is that this patch is not without its difficulties. It adds a certain amount of complexity to the core virtual memory subsystem to implement what is, in all reality, a feature which has been rejected before: larger pages. The patch currently ducks the most difficult part of the problem - handling faults on larger pages, needed to make mmap() work - meaning that more complexity can be expected in the future. Larger blocks in the page cache means more demand for higher-order pages, which are already in short supply on many systems; that, in turn, means that the anti-fragmentation patches would almost certainly be needed as well. Use of larger pages in the page cache can also lead to more internal fragmentation and less efficient memory use.

For all these reasons, Andrew Morton has been expressing some reservations:

And make no mistake: the latter disadvantage is huge. Because if we do the PAGE_CACHE_SIZE hack (sorry, but it _is_), we have to do it *for ever*. Maintaining and enhancing core MM and VFS becomes harder and more costly and slower and more buggy *for ever*. The ramp for people to become competent on core MM becomes longer. Our developer pool becomes smaller, and proportionally less skilled.

Andrew is not necessarily opposed to the patch; he is more concerned that it not be merged until it has been carefully compared with the alternatives. He suggests keeping the page cache entry size unchanged, but trying to allocate entries in higher-order groups. That would result in larger blocks being stored contiguously in memory without the memory subsystem changes. Filesystems could use those larger blocks, and hardware could treat them as single units in scatter/gather lists for DMA, leading to more efficient operations.

Another possibility which has been raised is raising the maximum size of hardware scatter/gather lists or allowing them to be chained. Drivers could then set up larger I/O operations, improving efficiency without requiring the other changes.

Still, there is support for Christoph's patch. It would make support of larger blocks relatively straightforward for the lower layers, perhaps enabling the removal of some real hacks found in some drivers and filesystems now. The patch would also allow ext3 filesystems with larger block sizes - sometimes created on ia64 systems, which use larger pages - to be mounted on other architectures. Christoph Hellwig likes the idea that a higher-order page cache could force a solution to the longstanding problem of physical memory fragmentation. To many, it seems like a straightforward and necessary solution to a longstanding problem.

So the large block size idea is unlikely to just go away. It may be a while, though, before its proponents can do enough homework and benchmarking to fully address the worries which have been expressed. Fundamental changes are often the ones which take the longest to get into the kernel, so there is little that is surprising here. Just don't ask for a prediction of the final outcome.

Comments (3 posted)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Looking into the future of Mandriva, Freespire and Linspire

Mandriva 2008

Mandriva developer Olivier Blin "blino" has posted some specs and proposals for Mandriva 2008. Changes proposed for the base system will affect udev, mkinitrd, hardware detection, kernel drivers, graphical splash and power management. He's looking at iwlwifi for Intel Wireless 3945ABG network drivers and rt2x00 for more open source drivers.

Live CDs will use squashfs + lzma, with a special squashfs kernel module and readahead + loopback ordering to speed up the boot process. Live installs may become more flexible and allow the user to select packages and languages during the live install.

Gamers may see a drakjoy tool for joystick calibration, OpenAL support for SecondLife and Wiimote using new cwiid features.

Freespire, Linspire, CNR.com

Kevin Carmony looks at some big changes in Linspire, Freespire and CNR.com. CNR is Linspire's Click aNd Run software repository. It's being revamped as a website with Web 2.0 technology and it will be supporting several other popular Linux distributions. The new CNR will be available for Linspire and Freespire users by early June. A CNR plug-in will be available for Ubuntu Feisty users by mid-June. Eventually plug-ins will be available for Debian, OpenSUSE and Fedora users as well.

The new Freespire 2.0 operating system will use Ubuntu 7.04 (Feisty Fawn) for its baseline, and will then integrate the latest KDE, the new CNR, and the latest 3rd-party proprietary software, drivers and codecs for better hardware and multimedia support. Freespire 2.0 is currently in alpha testing. A beta should be out sometime soon, with a final version expected in early June, timed to coincide with the CNR.com launch.

Linspire 6.0 will be based on Freespire 2.0, and will be modified for OEM and Retail Channel partners. Linspire 6.0 Final is expected in late June.

Comments (2 posted)

New Releases

Announcing Fedora 7 Test 4 (6.93)

The Fedora Project has announced the release of the fourth and final test release of Fedora 7. "Test 4 is for beta users. This is the time when we MUST have full community participation. Without this participation both hardware and software functionality suffers. We need your help. Join us!"

Full Story (comments: none)

OpenBSD 4.1 Released

OpenBSD 4.1 has been released, with plenty of improvements and new features. Here's the list of changes made between OpenBSD 4.0 and OpenBSD 4.1.

Full Story (comments: 2)

New Yellow Dog Linux v5.0.1 for PS3

TerraSoft Solutions has announced the availability of Yellow Dog Linux v5.0.1 for PS3. There are more than 500 package updates included as well as support for built-in wireless.

Full Story (comments: 1)

Distribution News

Bits from the DPL

Sam Hocevar looks at his first ten days as Debian Project Leader. "It's already been 10 days since I started my DPL term and I haven't made any formal announcement yet, so here it is. It's a bit late to comment on the elections, but let me thank all other candidates anyway, with extra sympathy for Steve McIntyre who for the second time came second by less than 10 votes and Gustavo Franco who had a platform very similar to mine yet wasn't rewarded with as many favourable votes. Also many thanks to Anthony Towns, my predecessor, and Steve McIntyre again for making the switch as comfortable as possible."

Full Story (comments: none)

Mandriva Linux Discovery 2007 Spring

Mandriva Linux Discovery 2007 Spring is the distribution designed for beginners. "Mandriva Linux Discovery is a Live DVD: first, you can try Mandriva Linux without installing it on your hard drive. Then, once you love it, a simple icon on the desktop allows you to install the system with a few clicks - thanks to a smooth setup wizard - without even rebooting to run the installer! It has never been easier to discover Linux."

Full Story (comments: none)

The Ubuntu trademark policy

Canonical has posted a trademark policy describing how others can use the Ubuntu names. "The Ubuntu trademarks are designed to cover use of a mark to imply origin or endorsement by the project. When a user downloads something called Ubuntu, they should know it comes from the Ubuntu project. This helps Ubuntu build a reputation that will not be damaged by confusion around what is, and isn't, Ubuntu."

Comments (5 posted)

Gutsy Gibbon open for general development

Ubuntu has started the development of the Gutsy Gibbon. "For Gutsy, the general theme is Quality and Improvement. This means, we are not so much looking for new and experimental features, but rather in stabilising and polishing off our current set of features."

Full Story (comments: none)

First kernel upload for gutsy...priceless

Ben Collins looks at the Gutsy Gibbon's kernel. "Well, it's all up. linux-source-2.6.22, which is 2.6.21 at the moment, as we continue to follow linux-2.6.git through the 2.6.22 development cycle. Followed by linux-restricted-modules, which is an exact dupe of the package in feisty for 2.6.20, obviously compiled against the new kernel."

Full Story (comments: none)

New Distributions

Alinex

Alinex is the product of a partnership between Junta de Extremadura in Spain and the University of Évora in Portugal. It's a general purpose distribution targeted to the educational system and public administration. The website and documentation are in Portuguese. (Thanks to Luís Rodrigues)

Comments (none posted)

Distribution Newsletters

Debian Weekly News - April 24th, 2007

The Debian Weekly News covers Mercurial version control now available for Alioth users, version 0.4.0 of the Debian loader for Windows released, security updates available via IPv6, Debian etch release parties, the IT department of Germany's Federal Foreign Office saving money using Debian, a new GNU/kFreeBSD CD image released, Debian GNU/Linux 4.0 released and much more.

Full Story (comments: none)

Fedora Weekly News Issue 85

The Fedora Weekly News for April 28, 2007 looks at Fedora 7 Test 4, Making the Merge Happen, Red Hat Magazine OLPC Articles, Red Hat Summit Compilation, 0-Day Fedora Kernels, Red Hat's JBoss to Adopt Fedora Model, and much more.

Full Story (comments: none)

PCLinuxOS Magazine Issue 9

PCLinuxOS Magazine for May 2007 is out. This issue covers KDE User Guide Part 2, Scroogle and Konqueror Integration, Top Ten Reasons for Using Linux, Linux in Education, Updating PCLinuxOS to 2007, Using Settings from a Previous Linux Install, and much more.

Comments (none posted)

Ubuntu Weekly News: Issue #38

The Ubuntu Weekly Newsletter for April 28, 2007 covers Gutsy Gibbon's kick-off of development and new additions, the availability of VMware server on Canonical's commercial servers, the Latinamerican Installfest and several other topics.

Full Story (comments: none)

DistroWatch Weekly, Issue 200

The DistroWatch Weekly for April 30, 2007 is out. "This week belongs to Mandriva Linux and its recently released version 2007.1 - we'll bring you a full review, comment on the release process, share our upgrade experiences, and link to a technical specification proposal for Mandriva Linux 2008. In other news: PCLinuxOS opens for business after a disastrous bandwidth outage, Linspire announces release dates of Freespire 2.0 and Linspire 6.0, Terra Soft release Yellow Dog Linux 5.0.1 for free download, and the developers of VMKnoppix announce a 64-bit edition of KNOPPIX 5.1.1. Finally, a comment on translating the new Top Ten Distributions page and an update on tracking distribution usage through browser strings."

Comments (none posted)

Distribution meetings

Discover Ubuntu at the Ubuntu Live Conference this Summer

Registration is open for Ubuntu Live, the first official conference dedicated to Ubuntu. "The conference will showcase a wide-ranging program of expert-led sessions and tutorials to inform and inspire the growing Ubuntu community, from power users to the Ubuntu-curious. The three-day conference launches July 22-24, 2007 at the Oregon Convention Center in Portland, Oregon, in conjunction with the O'Reilly 2007 Open Source Convention (OSCON)."

Full Story (comments: none)

Newsletters and articles of interest

Get Slack (Tux Deluxe)

Richard Hillesley traces the history of the Slackware distribution in a Tux Deluxe article. "At the time that Slackware first emerged as the logical replacement for the Software Landing Systems (SLS) Linux distribution, the satirical Church of the Subgenius, with its slogan “get slack”, was still a popular source of humour on the college campuses of the US. Slackware can be taken as a tongue-in-cheek reference to the Church of the Subgenius, and its charismatic leader, JR ‘Bob’ Dobbs, ‘The Master of Slack’, and as an assertion that Slackware was part of the zeitgeist of the youth of America."

Comments (3 posted)

Distribution reviews

Review: SimplyMEPIS Linux 6.5 (Linux.com)

Linux.com reviews SimplyMEPIS Linux 6.5. "A few weeks ago, MEPIS released SimplyMEPIS 6.5. The latest version of the Ubuntu-based desktop distribution offers a number of interesting new features, including a 64-bit release and Beryl for 3-D desktop effects. After spending a fair amount of time with the release, I found it to be a worthy update to earlier versions of MEPIS."

Comments (none posted)

Review: Ubuntu Feisty Fawn (Linux.com)

Linux.com reviews Ubuntu 7.04. "Another six months, another release from the Ubuntu folks. The Ubuntu 7.04 release, better known as Ubuntu Feisty Fawn, is another cutting-edge, but not bleeding-edge, release that shows what Linux is capable of on the desktop. I've been running it since the early betas, and have found that it's the best Ubuntu release yet."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Improved Linux debugging with Chronicle

Last December, as examined in a previous LWN article, Robert O'Callahan discussed the need for better debugging tools under Linux:

One of the painful truths about Linux development is that debugging sucks. Specifically, gdb on Linux sucks. Basic functionality simply does not work reliably. The details of the brokenness vary depending on the version, but the general suckiness seems to hold up across versions. Since it fails on the basics, we need not even discuss the lack of modern features or its appalling usability. This is a big problem for Linux because it is driving developers away from the platform. Here's a deeper and less widely understood truth: all debuggers suck.

The article suggested that a big problem with most debuggers was the inability to move backward through buggy code (reverse execution). O'Callahan produced a paper on the topic entitled Efficient Collection And Storage Of Indexed Program Traces [PDF] and introduced the Amber project.

Amber started out with a patent liability problem due to O'Callahan's employment by Novell. Fortunately, that issue was resolved early on: "Novell has generously granted permission to release Amber as open source."

Amber underwent a name change, and is now known as the chronicle-recorder project. "Chronicle records every memory and register write in the execution of a Linux process, using Valgrind to instrument execution at the machine code and system call level. These events are indexed and compressed; from the resulting database the Chronicle query tool can efficiently reconstruct the state of memory and/or registers at any point during the execution. Additional queries such as "when was the last write to location X before time T" and "when was location X executed between times T1 and T2" are also supported."

On the topic of licensing, the Chronicle README file says: "Valgrind is under the GPL. The Valgrind 'chronicle' tool's main.c file is also under the GPL. The tool's headers --- arch.h, log_stream.h, and effects.h --- use an X11 license, so they can be included by anyone. The Chronicle 'indexer' and 'query' components are GPLed. They rely on a 'base' component whose files have an X11 license (including a simple C JSON library). The intent is that the individual Chronicle components are GPLed but since they run in separate processes communicating via clearly defined interfaces, non-GPLed code can communicate with them. In particular, debugger front ends can use any license."

O'Callahan introduced the new project in his Chronicle Released article, and described some new debugging capabilities that Chronicle brings in a followup article on History Based Stack Reconstruction. The code is currently in an early state; the user interface is still in the planning stages and tests are limited.

For more information on Chronicle's author, Robert O'Callahan was featured in a February, 2007 Computerworld NZ interview. (Thanks to Danny O'Brien for pointing out the latest Chronicle developments).

Comments (5 posted)

System Applications

Database Software

PostgreSQL Weekly News

The April 29, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

SQLite 3.3.17 released

Version 3.3.17 of SQLite, a lightweight DBMS, is out. "This version fixes a bug in the forwards-compatibility logic of SQLite that was causing a database to become unreadable when it should have been read-only. Upgrade from 3.3.16 only if you plan to deploy into a product that might need to be upgraded in the future. For day to day use, it probably does not matter."

Comments (none posted)

Device Drivers

LCDproc 0.5.2 released

Version 0.5.2 of LCDproc, the Linux LCD display driver, is out with lots of new capabilities and some bug fixes.

Comments (none posted)

Mail Software

Apache SpamAssassin 3.2.0 available

SpamAssassin 3.2.0 is out. The changelog is not particularly informative to outsiders ("compilation of SpamAssassin rules into a fast parallel-matching DFA, implemented in native code"), but one assumes it is better at filtering out spam and that can only be a good thing.

Full Story (comments: 6)

Printing

Merger of ESP Ghostscript and GPL Ghostscript

The CUPS printing project mentions the merger of ESP Ghostscript 8.15.4 and GPL Ghostscript 8.57, and how it affects CUPS. "As the head branch of Ghostscript is now under GPL (and not only the previous major version as formerly) the ESP Ghostscript project is discontinued and the extra functionality of ESP Ghostscript is merged into the head development of Ghostscript, GPL Ghostscript."

Comments (none posted)

VPN Software

SSL-Explorer 0.2.13 released (SourceForge)

Version 0.2.13 of SSL-Explorer has been released. "SSL-Explorer is the world's first open-source, browser based SSL VPN solution. This unique remote access security solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser. The 0.2.13 release provides a number of important bug fixes to many areas of the system (see change log below). This release also includes a number of performance improvements that provide improved web server responses."

Comments (none posted)

Web Site Development

SilverStripe 2.0.1 released

Stable version 2.0.1 of SilverStripe has been announced. "SilverStripe is a free software / open source content management system (CMS) for creating and managing websites through a simple web interface. It has many advanced features. These features include an MVC framework, XHTML compliance, multiple ways of organising navigation through folksonomy, a flexible data object model, multiple templates per page, a separate "draft site" and "published site" through staging content, asset management, image resizing, versioning and rollback, SEF URLs with meta-data. SilverStripe is designed for UTF-8 support including internationalisation of character sets."

Comments (none posted)

Miscellaneous

Free-SA 1.3.0 released

Version 1.3.0 of Free-SA has been released. "Free-SA is statistic analyzer for daemons log files similar to SARG. Its main advantages over SARG are much better speed (7x-20x times), more reports support, crossplatform work and W3C compliance of generated HTML/CSS reports code."

Comments (none posted)

Desktop Applications

Audio Applications

Ardour 2.0 released

Version 2.0 of Ardour, a multi-track digital audio workstation, has been announced. "Nearly 2 years of work have gone into this new version. Along the way a huge number of bugs were fixed, performance and workflow were improved, and many new features were added."

Full Story (comments: none)

alsaplayer 0.99.78 released

Version 0.99.78 of alsaplayer, a PCM player for the ALSA sound system, is out. "AlsaPlayer is a new type of PCM player. It is heavily multi-threaded and tries to exercise the ALSA library and driver quite a bit. It has some very interesting features unique to Linux/Unix players. This is a feature enhancement and minor bugfix release. Support for FLAC-1.3 and 1.4 is added. A desktop file is included."

Full Story (comments: none)

eSpeak 1.23 released

Version 1.23 of eSpeak, a text to speech synthesis converter, is out with new Croatian language support.

Comments (none posted)

jack_capture V0.9.4 released

Version 0.9.4 of jack_capture is out with a bug fix involving recording more than 2 channels of audio. "jack_capture is a program for recording soundfiles with jack. Its default operation is to capture whatever sound is going out to your speakers into a file."

Full Story (comments: none)

JackMiniMix undergoes rewrite

JackMiniMix has been rewritten. "It's now called JackMixDesk, has a configurable number of mono/stereo channels, pre and post sends, LASH support, a XML config file and an additional GTK interface which can be started on demand. I'm working on a SVG knob widget to make the interface use less ram and I'm planning to implement MIDI support."

Full Story (comments: none)

Desktop Environments

GNOME 2.19.1 released

Version 2.19.1 of the GNOME desktop environment has been released with much exclamation. "Welcome to the new GNOME development cycle! Please fasten your seat belt: you're going to see a lot of exciting new changes!, new features!, new bugfixes!, new translations!, new documentation!. Lots of modules have great plans for 2.19 and if you're willing to help, there's a lot of areas where you'll be heartily welcomed! Don't hesitate to ask how or where you can help. If you don't even know where to start, just send a mail to our fantastic gnome-love mailing list. This is our first development release on our road towards GNOME 2.20.0, which will be released in September 2007."

Full Story (comments: 8)

GARNOME 2.19.1 released

Version 2.19.1 of GARNOME, the bleeding edge GNOME distribution, is out. "This release includes all of GNOME 2.19.1 plus a whole bunch of updates that were released after the GNOME freeze date. This is the first development release on our road towards GNOME 2.20.0, which will be released in September 2007."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Commit-Digest for 29th April 2007 (KDE.News)

The April 29, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Continued work across kdegames, with the kbattleship-rewrite merged back into trunk/. Start of scalable interface support in Kanagram. Further functionality enhancements implemented in the Konsole refactoring effort. Small refinements in KSysGuard. More work on the KDevelop Subversion plugin. Preparations for RSYNC support in the icecream distributed compilation utility. Progress made in the Amarok-on-Windows porting and generic music store integration for Amarok 2. Initial milestones reached in the Music Notation Flake shape Summer of Code project in KOffice. Support for boolean operations on paths in Karbon. Primary iconset imported for KDE 4, as part of a general cleanup effort in kdeartwork - more iconsets to be added soon."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Electronics

Icarus Verilog 20070427 released

Snapshot 20070427 of Icarus Verilog, a Verilog electronic simulation language compiler, is available. See the release notes for change information.

Comments (none posted)

KJWaves 1.1.2 released

Version 1.1.2 of KJWaves has been announced. The description states: "100% Java program allows viewing of RAW SPICE files, for example, those created by ngSPICE. Also allows adding analysis to SPICE CIR files and run ngSPICE and examine output. Supports printing graphs as well as copy and pasting (via right-clicking). Has German, Greek, and Spanish language translation and should be able to handle much larger RAW files."

Comments (none posted)

Encryption Software

Cryptkeeper 0.3.666 released

Stable version 0.3.666 of Cryptkeeper has been announced. "Cryptkeeper is a FreeDesktop.org Standard (KDE, Gnome, XFce, etc.) system tray applet that manages EncFS encrypted folders."

Comments (none posted)

Financial Applications

SQL-Ledger 2.8.2 released

Version 2.8.2 of SQL-Ledger, a web-based accounting system, is out with new features, bug fixes and translation work. See the What's New document for details.

Comments (none posted)

Games

FreeCol 0.6.1 released (SourceForge)

Version 0.6.1 of FreeCol, a cross-platform open-source version of the strategy game Colonization, is available. This release adds some new features and fixes some bugs.

Comments (none posted)

GUI Packages

PyQt 4.2 released

Version 4.2 of PyQt, the Python language bindings for Qt, has been announced. "The highlights of this release include: - The ability to write widget plugins for Qt Designer in Python. - Integration of the Python command shell and the Qt event loop. This allows developers to call Qt functions dynamically on a running application. - Integration of the Qt event loop with the standard Python DBus bindings available from www.freedesktop.org."

Comments (none posted)

Interoperability

Wine 0.9.36 released

Version 0.9.36 of Wine has been announced. Changes include: "Midi support in the CoreAudio driver, Mixer support in the Alsa driver, A lot of MSI fixes, Implementation for most D3DRM functions, The usual assortment of Direct3D fixes and Lots of bug fixes."

Comments (none posted)

Wine Weekly Newsletter

The April 30, 2007 edition of the Wine Weekly Newsletter is online with coverage of the Wine project. Topics include: "Wine 0.9.36, ALSA Changes, Winscard Support, Wine Killing X?, SambaXP Report, Mandriva RPM's, Debugging Reports, Wine At LinuxTag 2007 and WineConf 2007."

Comments (none posted)

Medical Applications

Apelon Vocabulary Server is now open-source

Apelon has announced the release of its Distributed Terminology System under the Apache 2.0 open-source license. "DTS assists in the management, integration, and deployment of structured biomedical terminology. It has the broadest installed user base of any such software, and is part of applications that include clinical data repositories, EMR systems, public health programs, decision support, guideline authoring, and interface engines."

Comments (none posted)

Music Applications

pyliblo 0.5 announced

Version 0.5 of pyliblo has been announced. "pyliblo is a Python wrapper for the liblo OSC library. It does not yet wrap all of liblo's functionality, but includes everything you need to send and receive almost any kind of OSC message, using a nice and simple Python API. OSC can hardly get any easier :)"

Full Story (comments: none)

Office Suites

OpenOffice.org Newsletter

The April, 2007 edition of the OpenOffice.org Newsletter is out with the latest OO.o office suite articles and events.

Full Story (comments: none)

Video Applications

Freevo release 1.7.1 is out (SourceForge)

Version 1.7.1 of Freevo, a Linux application that turns a PC with a TV capture card and/or TV-out into a standalone multimedia jukebox/VCR/PVR/HTPC, is out. "This release contains some new features and some significant bug fixes. A native ALSA mixer has been added, a wide screen skin "Panorama" has been added, a TV recordings manager has been added and user defined commands can now be sent to the Xine player."

Comments (none posted)

Web Browsers

Gran Paradiso Alpha 4 available for testing (MozillaZine)

MozillaZine notes the availability of the Gran Paradiso Alpha 4 browser. "New features in this development milestone of Mozilla Firefox 3 include the FUEL JavaScript library for extension developers, a redesigned Page Info window, improvements to offline application support and Gecko 1.9 bug fixes."

Comments (none posted)

Miscellaneous

Wixi 0.81 released

Version 0.81 of Wixi has been released. "Wixi is a multi-platform wiki application for the desktop. It is written in python/wxpython and uses txt2tags to convert plain text to many other formats. Wixi strives to be a simple and powerful wiki tool for organizing all kind of information." See the changelog file for details on this version.

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The May 1, 2007 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

Haskell

Haskell Weekly News

The April 27, 2007 edition of the Haskell Weekly News has been published. "The last week was a very exciting week for the Haskell community, with a new GHC release, the first release of Xmonad, a window manager written in Haskell, and DisTract, a new distributed bug tracker, written in Haskell. A number of new Haskell jobs were announced, and several new user groups were formed!"

Comments (none posted)

PHP

Code As Data: Reflection in PHP (O'ReillyNet)

Zachary Kessin discusses PHP reflection on O'Reilly. "At the end of the day, all code gets turned into data before it is executed. Sometimes, you can use that fact to help ease some of your programming chores. Zachary Kessin examines the PHP reflection capabilities and shows how you can use them to automate the creation of unit tests."

Comments (none posted)

Python

The Python 3000 PEP Parade

Guido van Rossum has gone through the list of enhancement proposals for Python 3000 (the upcoming major rewrite of the language) and given his opinion on each. Since Guido maintains his Benevolent Dictator role, his opinion matters. The result is interesting reading for those who are curious about the future of the language. The actual proposals are not linked in the message, but they can be found on the Python PEP index page.

Full Story (comments: none)

Python-URL! - weekly Python news and links

The April 30, 2007 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The April 25, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Tcl-URL! - weekly Tcl news and links

The May 1, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Miscellaneous

Adobe to open-source Flex

Adobe has announced plans to release its Flex software development kit under the Mozilla Public License. "This includes not only the source to the ActionScript components from the Flex SDK, which have been available in source code form with the SDK since Flex 2 was released, but also includes the Java source code for the ActionScript and MXML compilers, the ActionScript debugger and the core ActionScript libraries from the SDK."

Comments (12 posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Two patent decisions from the U.S. Supreme Court

The U.S. Supreme Court has issued two decisions, both of which weaken the current patent regime somewhat. The San Jose Mercury News covers the ruling in ATT v. Microsoft, which decided that Microsoft is not responsible for violations of U.S. patents which happen elsewhere in the world. "'The presumption that United States law governs domestically but does not rule the world applies with particular force in patent law,' Justice Ruth Bader Ginsburg wrote in the majority opinion."

This Bloomberg article covers the second ruling, which states that simply combining two inventions in a trivial way does not create a new, patentable invention. "'Granting patent protection to advances that would occur in the ordinary course without real innovation retards progress,' Justice Anthony Kennedy wrote for the court."

Comments (9 posted)

Linux-powered robots go global (Computing)

Computing takes a look at internet-controlled wireless robots which are simple enough for "almost anyone" to build with off-the-shelf parts. "The stated goal is to make highly capable robots accessible and affordable for college and pre-college students, as well as anyone interested in robots. At the heart of each TeRK robot is a unique controller called Qwerk that combines a Linux computer with the software and electronics necessary to control the robot's motors, cameras and other devices."

Comments (none posted)

Trade Shows and Conferences

Akonadi Hacking Meeting (KDE.News)

KDE.News covers the second Akonadi Hacking Meeting. "Last weekend was not only the time for the KMail Hacking Days but also for the second Akonadi Hacking Meeting in Berlin, Germany. 7 KDE-PIM developers came together for 2 days at the KDAB offices in Berlin's Kreuzberg district and continued to improve Akonadi, the personal information data storage for KDE 4. Meeting the other developers in real life and discussing issues face to face always helps to find new solutions and implement crucial features in a short period of time."

Comments (none posted)

Falcon to be the major piece of MySQL 6.0 (LinuxWorld)

LinuxWorld reports on the upcoming MySQL major release from the MySQL user conference. "MySQL developed Falcon in response to Oracle Corp.'s surprise acquisition of Finnish startup Innobase in October 2005. Oracle's purchase was seen by many observers as a predatory strike against MySQL, which bundles Innobase's InnoDB storage engine with its database. The acquisition also prompted MySQL to open up its database storage API (application programming interface) to third parties so companies could create their own storage engines."

Comments (3 posted)

China's Open Source Software Contest announces winners (Linux.com)

Linux.com covers the 2007 China Open Source Software Summit. "At the 2007 China Open Source Software Summit in Beijing on March 27, China's Co-Create Software League (Cosoft) awarded prizes to 25 winners in the second China Open Source Software Contest."

Comments (none posted)

Companies

Dude, you're getting Ubuntu (Linux.com)

Linux.com reports that Dell has teamed up with Canonical to sell Dell desktops and laptops with Ubuntu preinstalled. "Jane Silber, director of operations for Canonical, says Canonical will be working to certify certain models of Dell computers to ensure that they work with Ubuntu. The two companies are not announcing what models will ship with Ubuntu at this time, but Nick Selby, senior analyst with The 451 Group, says that there will be one notebook and three desktop systems."

Comments (51 posted)

MySQL hits $50 million revenue, plans IPO (ZDNet)

ZDNet looks at plans for an IPO by MySQL AB. "MySQL, purveyor of the open-source database of the same name, is on the road to becoming a publicly traded company, bolstered by $50 million in revenue in 2006. "It's still in the pipeline," Chief Executive Marten Mickos said of the plan to hold an initial public offering of his company's stock. He declined to discuss when the company planned to go public, but said, "We're making good progress, doing all the things we need to get done.""

Comments (none posted)

Linux at Work

U.S. schools may join inexpensive-laptop project (ZDNet)

ZDNet reports that some One Laptop per Child PCs may end up in the US school system. "Once known as the $100 laptop, the lime-green-and-white devices are inching up in price. In February, the project estimated said they would sell for $150 each. Negroponte now puts their price tag at $176 apiece. He also noted this week that the machines, which run Linux, also will be configured to run Windows as well (a fact likely to severely disappoint the open-source community). The machines would go at a higher price to U.S. schools, he said, because more resources are invested in American education than in developing nations, even in the poorest U.S. regions."

Comments (20 posted)

Legal

FSF's Brett Smith Answers Your GPLv3 Questions (Groklaw)

FSF Licensing Engineer Brett Smith answers questions from Groklaw readers about GPLv3. "I won't deny that GPLv3 is more complex than GPLv2. That's because we live in a more complex world now, where people interact with software in lots of ways besides sitting down in front of a box that runs their code, and some developers want to have all the advantages of freedom with none of the obligations. You can use simple language if all the participants have shared understanding. Unfortunately, not everybody groks freedom yet."

Comments (none posted)

Interviews

Tom Albers (People Behind KDE)

Here's a People Behind KDE interview with Tom Albers. "In what ways do you make a contribution to KDE? Currently I'm developing Mailody, an alternate mail client for KDE. It only supports online IMAP and I want to bring a new way of reading and handling email. I can't tell what things I have in mind, because there is competition with other mail clients, some of which can implement things much faster than we can ;-)." (Found on KDE.News)

Comments (none posted)

Josh Berkus: KDE Aids The PostgreSQL Team (KDE.News)

Aaron J. Seigo talks with PostgreSQL contributor Josh Berkus. "During FISL 8.0 I caught up with PostgreSQL contributor Josh Berkus who was there to present on PostgreSQL and meet up with the local PostgreSQL community. Josh is a member of the PostgreSQL core team and works at Sun Microsystems as part of their open source database team. Over lunch, Josh shared how KDE plays an important role in the release coordination process which Josh oversees."

Comments (none posted)

First interview: Sam Hocevar, new Debian Project Leader (Linux.com)

Linux.com has an interview with Sam Hocevar. "Sam Hocevar recently became the next Debian Project Leader (DPL), defeating seven other candidates while running on a platform that emphasized ways to improve how project members interact. Hocevar's election comes at a time when Debian may be losing mindshare among both users and developers to Ubuntu, and looking for ways to improve its efficiencies and to mend internal divisions. Recently, Linux.com discussed these challenges with Hocevar via email in his first interview since his election."

Comments (none posted)

Sebastian Trüg on K3b 1.0 and More (KDE.News)

KDE.News has an interview with Sebastian Trüg. "Today we talk with the author of the K3b Project, the well known application that lets you burn CDs/DVDs and that lets you rip music from CD audio and films from DVD Video. We are going to talk with Sebastian about his story: when he started using KDE, when he started to create K3b and to talk about his plans in KDE 4 with a new KDE 4 project."

Comments (none posted)

Resources

Something's Happening Here (Linux Journal)

Dave Phillips covers several topics in this blog entry. "I love my 64-bit machine. It's fast and stable, and I can run all my favorite sound and music software on it (largely thanks to the work of the 64Studio team, a.k.a. Daniel James and Free Ekayanaka). Alas, some software awaits being ported to 64-bit versions, including Adobe's ubiquitous Flash technology. I had thought my machine was doomed to life without YouTube and Homestar Runner, but recently I discovered Gwenole Beauchesne's nspluginwrapper. This little program performs a neat trick: It convinces 64-bit Mozilla/Firefox that the browser can handle a 32-bit helper application (such as Flash) with the same transparency as the true 32-bit Firefox."

Comments (none posted)

The Rise of Functional Languages (Linux Journal)

Pat Eyler looks at functional programming languages. "Functional Languages seem to be pushing for the title of the next cool thing. Talks and tutorials about them are starting to show up in conferences and conventions, books about them are hitting the shelves, people are even asking about talking about them in blogs and mailing lists devoted to some of the current hot languages."

Comments (73 posted)

Linux Gazette #138

The May issue of the Linux Gazette is out. Topics this month include an introduction to R, Debian on a Slug, a couple of book reviews, and more.

Comments (none posted)

Reviews

The rise of Alfresco: ECM that people will really use (LinuxWorld)

LinuxWorld looks at Alfresco. "Alfresco is an enterprise content management system that, according to some users, is beating legacy content management systems in speed, quality and ease of use. It has been around since 2005, but the open source, open standards, enterprise scale content management system offered by Alfresco is winning the trust of the marketplace."

Comments (7 posted)

Miscellaneous

Wikipedia co-founder wants open-source search engine (ZDNet)

ZDNet looks at the Wikia project. "Jabber founder Jeremie Miller has signed on to help develop Wikia's open-source search engine project, the organization announced. The Wikia project aims to develop a search engine, crawlers and other indexing tools through a collaborative, open-source process."

Comments (2 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

The Linux Foundation travel fund

The Linux Foundation has announced a new travel fund which will pay for free software developers to attend distant events. "Conferences covered by this fund include the LF Collaboration Summits held three times a year, the LF's Japan Symposia, the Kernel Summit, Ottawa Linux Symposium, Linux.conf.au, desktop conferences such as Guadec and aKademy, and other technical conferences where true collaboration takes place."

Full Story (comments: 3)

A Manifesto for Free Appliances

The Free Appliances project has issued a manifesto for free Appliances. "Just as there is a need for Free Software, there is a need for free (as in speech) appliances. Free Appliances can be modified or enhanced using GNU/Linux tools or other Open Source Software, preferably licensed as GPLv3. They have no binaries without source code. They adhere to generally accepted standards as much as possible. Their documentation is open. They favor open file formats since information in open file formats should not require DRM. They do not use proprietary components when there are generic ones widely available. (For example: batteries should be replaceable.)"

Comments (9 posted)

WorldVistA EHR VOE/ 1.0 achieves CCHIT certification (LinuxMedNews)

LinuxMedNews reports on the CCHIT certification of the WorldVistA electronic medical record system. "Formerly VistA Office EHR (VOE) there has been a name change due to entanglements. It is now known as WorldVistA EHR."

Comments (none posted)

Commercial announcements

Coverity to Regularly Scan Security and Quality of 250 Open Source Projects

Coverity, Inc. has announced a major infrastructure upgrade to scan.coverity.com, an open source software quality and security analysis site. "The upgrade will enable the rapid expansion of the site, including regular additions of hundreds of new open source software projects. Coverity will use the new infrastructure to add 100 new open source graphics projects to the site on May 4th, 2007, coinciding with the start of the open source Libre Graphics Meeting in Montreal, Canada."

Full Story (comments: 4)

OpenLogic announces Open Source Software inventory tool

OpenLogic, Inc. has announced the release of OpenLogic Discovery. "OpenLogic, Inc., a provider of enterprise open source solutions encompassing hundreds of open source packages, today announced the release of OpenLogic Discovery, a free software tool that helps enterprises inventory the open source software installed on their computer systems. OpenLogic Discovery finds installed open source software on Windows, Linux and Solaris platforms in order to help enterprise customers manage their use of open source and remain compliant with internal policies."

Comments (none posted)

Parallels Technology Network launched

The Parallels Technology Network has been launched. "Parallels, Inc., maker of award-winning desktop virtualization solutions for Windows, Linux and Mac OS X, announced today the Parallels Technology Network (PTN) - an online community for users, as well as developers using Parallels virtualization technology to deliver their software in self-contained virtual appliances."

Full Story (comments: none)

SugarCRM expands support for Oracle Unbreakable Linux

SugarCRM Inc. has announced plans to support SugarCRM on Oracle Unbreakable Linux. "Based on the growing community and customer demand, SugarCRM and Oracle can now provide their joint customers a robust, fully supported solution. "We are proud to have SugarCRM join the Oracle Unbreakable Linux Support Program," said Monica Kumar, senior director of product marketing, Oracle. "Together we can provide performance, reliability and world-class support that enterprise customers demand for their business-critical CRM applications.""

Comments (none posted)

Sybase releases IQ Analytics Server 12.7

Sybase, Inc. has announced the release of Sybase IQ analytics server 12.7. "Sybase IQ analytics server handles the most challenging data warehousing requirements with ease, meeting the demand for business intelligence, advanced analytics, predictive modeling, stringent regulation compliance and high-speed reporting. The addition of ETL functionality to Sybase IQ provides highly improved data integration capabilities."

Comments (none posted)

New Books

Practical Packet Analysis - No Starch Press's Latest Release

No Starch Press has published the book Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems by Chris Sanders.

Full Story (comments: none)

Upcoming Events

KOffice / KDE ODF Infrastructure Meeting (KDE.News)

KDE.News has announced an upcoming KOffice / KDE ODF infrastructure meeting. "KOffice, the KDE office suite, has always stood behind the OpenDocument Format (ODF) as an industry standard. Now with KOffice 2.0 around the corner, with OpenOffice.org quickly becoming a new leader, and with Microsoft to release its own so-called "open" format, ODF and the interoperability that it promises is more important than ever. The KOffice developers will meet in Berlin during the weekend of May 12th-13th to do as much ODF-centered development as possible."

Comments (none posted)

The Libre Graphics Meeting

A press release has been sent out by the organizers of the 2007 Libre Graphics Meeting. "Libre Graphics Meeting 2007 (LGM), a conference for developers and artists of leading open source graphics software, will bring together the top open source graphics application development teams, along with artists and print production users. LGM will take place at the Ecole Polytechnique from the 4th to the 6th of May 2007 and will be of interest to end-users, students of graphic design, editors, pre-press staff, printers and institutional archivists."

Comments (none posted)

Mitch Kapor, Philip Rosedale to Keynote at Dr. Dobb's Life 2.0 Summit

CMP Technology has announced the keynote speakers for the Life 2.0 Summit "... a virtual event that will take place in Second Life April 28 to May 4."

Comments (none posted)

The Make Magazine Maker Faire

The Make Magazine Maker Faire will be held on May 19 and 20 at the San Mateo Fairgrounds in northern California. "The award-winning, family-friendly Maker Faire celebrates the Do-It-Yourself (DIY) mindset. The festival draws the grassroots community of backyard inventors, hackers, creative recyclers, artists, engineers, and scientists from across the country--called Makers. These Makers gather to share and display their amazingly entertaining projects, wonderfully ingenious crafts, and eye-popping, up-to-the-nanosecond projects."

Full Story (comments: none)

Cross Desktop Text Layout Summit 2007 (GnomeDesktop)

GnomeDesktop.org reports on the upcoming GNOME/KDE cooperative Text Layout Summit. "The Akademy team is pleased to announce that we will be hosting the Text Layout Summit 2007 during our week in Glasgow at the start of July. This is the second Text Layout Summit following the success of the event at Gnome's Boston Summit last year." See the KDE.News article on the summit for more information.


Events: May 10, 2007 to July 9, 2007

The following event listing is taken from the LWN.net Calendar.

Date(s) | Event | Location
May 6 to May 11 | Ubuntu Developer Summit | Sevilla, Spain
May 8 to May 11 | Annual Java Technology Conference | San Francisco, CA, USA
May 8 to May 11 | OSHCA 2007 | Kuala Lumpur, Malaysia
May 9 to May 11 | Red Hat Summit | San Diego, CA, USA
May 10 to May 11 | IEEE International Workshop on Open Source Test Technology Tools | Berkeley, CA, USA
May 10 | NLUUG Spring Conference 2007 | Ede, The Netherlands
May 11 to May 13 | Conferenze Italiana sul Software Libero | Cosenza, Italy
May 12 to May 13 | KOffice ODF Weekend | Berlin, Germany
May 14 to May 25 | The Pure Data Spring School 2007 | Glasgow, Scotland
May 16 to May 18 | php|tek | Chicago, IL, USA
May 17 to May 20 | RailsConf 2007 | Portland, Oregon
May 18 to May 19 | eLiberatica Open Source and Free Software Conference | Brasov, Romania
May 18 to May 19 | FreedomHEC | Los Angeles, CA
May 18 to May 19 | BSDCan 2007 | Ottawa, Canada
May 19 to May 20 | The 3rd International Workshop on Software Engineering for Secure Systems | Minneapolis, Minnesota, USA
May 19 to May 20 | Rockbox International Developers Conference 2007 | Stockholm, Sweden
May 19 | Grazer LinuxDays 2007 | Graz, Austria
May 19 to May 20 | Make Magazine Maker Faire 2007 | San Mateo, CA, USA
May 19 | Linuxwochen Austria - Graz | Graz, Austria
May 21 to May 23 | International PHP 2007 Conference | Stuttgart, Germany
May 21 to May 25 | Python Bootcamp with David Beazley | Atlanta, USA
May 22 to May 23 | Open Source Business Conference | San Francisco, USA
May 22 to May 24 | Linux Days 2007, Geneva | Geneva, Switzerland
May 23 to May 24 | PGCon 2007 | Ottawa, ON, Canada
May 25 | Linuxwochen Austria - Krems | Krems, Austria
May 26 | PAKCON III | Karachi, Pakistan
May 29 to May 30 | Where 2.0 Conference | San Jose, CA, USA
May 29 to May 31 | European ADempiere Developers Conference | Berlin, Germany
May 29 to May 30 | I FLOSS CONFERENCE RESISTENCIA | Resistencia, Argentina
May 30 to June 2 | Linuxtag | Berlin, Germany
May 30 to June 1 | 3rd UNIX Days Conference - Gdansk 2007 | Gdansk, Poland
May 30 to June 1 | Linuxwochen Austria - Wien | Wien, Austria
June 2 to June 3 | Journées Python Francophones | Paris, France
June 9 to June 10 | PyCon Uno - First Python Italian conference | Florence, Italy
June 10 to June 15 | DebCamp | Edinburgh, Scotland
June 10 | Pluto Meeting 2007 | Padova, Italy
June 11 to June 14 | Third International Conference on Open Source Systems | Limerick, Ireland
June 13 to June 15 | Linux Foundation Collaboration Summit | Mountain View, CA, USA
June 16 | DebianDay | Edinburgh, Scotland
June 16 | Firefox Developer Conference | Tokyo, Japan
June 17 to June 23 | Debian Developer Conference | Edinburgh, Scotland
June 17 to June 22 | 2007 USENIX Annual Technical Conference | Santa Clara, USA
June 18 to June 20 | O'Reilly Tools of Change for Publishing Conference | San Jose, CA, USA
June 18 to June 20 | Advanced Workshop on GCC Internals | Bombay, India
June 20 to June 22 | IT Underground | Dublin, Ireland
June 20 | Open Source Showcase @ OpenAdvantage | Birmingham, UK
June 23 | Mozilla Developer Day | Paris, France
June 25 to June 27 | SOA World Conference and Expo 2007 | New York, NY, USA
June 27 to June 30 | 2007 Linux Symposium | Ottawa, Canada
June 27 to June 29 | Summer School of Sound | Lancaster, UK
June 29 | NLUUG event theme innovation Enschede | Enschede, the Netherlands
June 30 to July 7 | Akademy 2007 | Glasgow, Scotland
July 2 to July 6 | Learning Programming with PHP | Redditch, Worcestershire, UK
July 6 | II WHYFLOSS CONFERENCE MADRID | Madrid, Spain
July 7 | Italian PostgreSQL Day | Prato, Tuscany, Italy
July 7 to July 8 | LugRadio Live 2007 | Wolverhampton, United Kingdom

If your event does not appear here, please tell us about it.

Web sites

Cryptome site shut down

Cryptome.org has long been a place to find information which has been suppressed elsewhere. Now, it seems, Cryptome has been shut down by its ISP, Verio, which has provided no solid reasons for the disconnection. The shutdown notice can still be found in Google's cache, for now.


Page editor: Forrest Cook


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds