LWN.net Weekly Edition for June 14, 2007
An interview with Fedora leader Max Spevack
Now that Fedora 7 has been released, Fedora project leader Max Spevack has a little bit of breathing room. Like nature, LWN abhors a vacuum, so we sent Max a list of questions and a request for answers. We are now happy to present the answers. Without further ado...
LWN: Fedora 7 is out. Congratulations! What do you think is the best single thing about this release, and what do you most wish had been done better?
The first is the combination of Fedora Core and Fedora Extras into a single package repository, and the other work that went into place around that.
Before I go on, let's define two things:
@redhat.com == employed by Red Hat
@fedoraproject.org == anyone who is a Fedora contributor, may or may not be employed by Red Hat
Pre-Fedora 7, a package maintainer had to be @redhat.com in order to have commit access to packages that were in Core, but anyone @fedoraproject.org could have commit access to packages that were in Extras. Core and Extras were built on separate build systems. The Core build system was internal to Red Hat, and the Extras build system was completely external. The compose tool that built the install tree and ISO was only able to pull from packages that were in Core.
Fedora 7 has blown all of that up.
The CVS has been combined. There is no more Core or Extras, just a single Fedora repository, which allows us to give commit access (via ACLs) to anyone @fedoraproject.org for ANY package, as appropriate. It allows people who have expertise in specific packages to have more direct access to those packages in Fedora, regardless of whether or not they are @redhat.com.
Similarly, we have rolled out a new build system, called Koji, which operates completely externally from Red Hat. Add to that a new compose tool, called Pungi, which assembles the output of Koji into an actual distribution, and the entire Fedora "toolchain" is now 100% in the community.
The end result of all of that is the second "best thing" about Fedora 7: custom spins.
Pungi, as I have already mentioned, is a command-line compose tool. You feed it a package manifest, it spits out an install tree, or an installable CD/DVD. Similarly, LiveCD Creator is the command-line tool that we use to build our LiveCD, LiveUSB, etc. It's quite similar to pungi -- you feed it a package manifest, it does the rest.
Additionally, two of our most enterprising community members, Jeroen van Meeuwen and Jonathan Steffan, have built a graphical application on top of the Pungi and LiveCD Creator APIs. This tool is called Revisor, and it provides a graphical wizard-like application that allows the user to select various repositories (Fedora or third-party), and to select a package manifest and various build targets (Live, Installable, USB, etc). The backend of the tool does all the work, and the end user can spin a custom version of Fedora without having to understand all of the technical details going on underneath.
Koji, Pungi, LiveCD Creator, and Revisor are all available in the Fedora repositories. Every tool that Fedora uses, from source control to ISO production, is 100% free software.
On the negative side, things got a little bit crazy in the last week or so prior to the release. A few regressions made it in, and while those can be fixed with things like 0-day updates, it's still not a good thing to have. So we'll work to improve that.
Also, the "feature" process around Fedora needs some fixing and managerial oversight. We're working to correct that in Fedora 8 by setting up a small team that is entirely focused on feature tracking, status, etc. Basically we're giving Fedora a bit more project management than it's had in the past.
So what can we expect for Fedora 8?
So we're looking to shorten the cycle up, with a Fedora 8 GA tentatively scheduled for October 31st.
http://fedoraproject.org/wiki/Releases/8/Schedule
That doesn't leave us a lot of time. Fortunately, we're looking at a far less ambitious Fedora 8. With so much new stuff in Fedora 7, we'd like to give all of our infrastructure changes a chance to settle in and get some polish, and also give some of the contributors who have been going nonstop on Fedora for the last few months a development cycle that is a bit less stressful.
But that doesn't mean we don't have some things planned. The best thing for people who are interested in Fedora 8 to do is look at our wiki, where we will be tracking potential features over the course of the release cycle. Before you click that link and hold us to it, I will say again that this is early-stage planning right now, and just because something appears on this list today doesn't mean it will be in the final release, or that it will even make it through the culling process in which we decide what is *really* important and what is of secondary importance.
http://fedoraproject.org/wiki/Releases/8/FeatureList
One thing not on that list that I am hoping we can get on there soon is additional improvements to the LiveCD tools -- especially the LiveUSB key, hopefully with encryption well-integrated into it. But that's just me talking as a manager -- the core developers still need to have a chance to weigh in with what they are thinking, and what their time commitments are going to be.
The second feature that I am particularly fond of is one that actually exists independent of any sort of distribution release cycle, and that is the expansion of Revisor from a GUI application to a web application. A web app that allows people to create a custom Fedora spin or a Fedora appliance will be a tremendous achievement for the Fedora Project, and will be the capstone to all of the work that has already been done with Koji, Pungi, LiveCD tools, and Revisor. Do I think this will be ready near Fedora 8? Not necessarily something that is fully production ready, but since we intend to develop it in public, hopefully at least some sort of alpha/beta that is usable.
What can you tell us about the longer-term plan for Fedora? Where do you think the project will be in 2-3 years?
Red Hat will continue to be Fedora's biggest sponsor, providing development resources, infrastructure money, bandwidth, community-budget, FUDCons, legal support, etc.
However, I believe that it is ultimately the job of the Fedora Project Leader, whoever that person is, to say "what do I have to do to ensure that the Fedora Project can grow and thrive, *EVEN IF* all Red Hat support were to one day disappear"?
It's a hypothetical question. But the answer is real. And the answer is the critical path of Fedora in a 2-3 year horizon.
16 months ago when I started my time as Fedora Project Leader, the critical path was the fact that Fedora's development infrastructure was split. We've taken the steps necessary to fix that problem. Hopefully now we can start to reap some of the rewards.
Over the next 2-3 years, I hope that we see more and more packages that were "Core" become co-maintained by both Red Hat developers and non-Red Hat developers. The infrastructure for this is now in place -- but the process itself needs to mature in its own time.
I hope that we see the Fedora Project further solidify itself as an upstream base for other distributions, not just things like Red Hat Enterprise Linux and other RHEL-derived distros. We're already seeing some success in this arena, as the One Laptop Per Child project is built on the Fedora base.
Again, we believe that we've created the infrastructure for this in Fedora 7, but it will take a year or two for the results of that to trickle down. Hopefully we'll one day see Fedora hosting the "best of breed" (though I hate buzzwords like that) appliances and spins for all sorts of different use cases.
As always, a major goal of Fedora is to continue to lower the barrier to entry for new contributors. With our technical world in decent order, I think we'll have more time in the coming year for work like this, which should pay dividends 2-3 years down the road. Hopefully Fedora can grow into a project that has a much larger community of "developers" as opposed to "packagers". We're really really good at the latter (and that's a great thing), but I'd like us to continue to improve in the former.
There has been some grumbling from the ranks of (former) Fedora Extras maintainers that the new update process just adds bureaucracy to their job. Has anything been done to make those maintainers happier?
We are working on both streamlining the updates process through command line submission tools that can be scripted, and also revamping the ACL process to use the new package database that has been built.
In the past, there was a difference between updates for a Core package and an Extras package.
For Extras, you build the package and it was pushed the next time that Extras was pushed out, without any real need for notification to users about what the update was, etc.
For Core packages, you built the package, filled out a template in a web-based updates system, and then went through updates-testing and finally to the updates repo with an announcement and visible change information coming from the yum applet.
The Fedora 7 workflow, right now, feels a lot like that old Fedora Core workflow. However, our new updates infrastructure, Bodhi, is being rolled out, and we believe that will help the situation.
What the updates workflow is GOING to look like is:
- Build a package, and send information to Bodhi about the update either through a web form, or a command line tool that is integrated with the makefile.
- Optionally (I'm not quite sure what the criteria around this option are, it's probably up for discussion) send the update to updates-testing with an announcement.
- Once the developer is happy, send the update to the official updates repo either via the web UI or the command line tool.
- Bodhi will generate an announcement email and the yum applet will have visible change information, so that when the user gets the pop-up that says "5 new updates are available" the user will be able to know what is being updated and why.
So the biggest change here is that the freedom to update packages that were once in Extras without having to really specify what those changes were has been curtailed. And at the same time the tools are being worked on to make the updates process as easy as possible.
Whatever happened to the proposed developer ranking system? Is that still something the project is considering?
Red Hat still maintains a fairly firm control over parts of the project; the decision to not consider outside artwork for Fedora 7 is one example. Do you expect that to continue, or will the Fedora project become more independent over time?
The situation with the Fedora art community and Fedora 7's art was very unfortunate. There are some people (including me) who think that we should allow Fedora's artwork to be created, judged, and used the same way that we do with Fedora's code. There are others who think that artwork is a different beast, and that for it to be done well, it has to happen in a more "closed" environment than other parts of Fedora development.
I am not an artist. But I think Fedora 7's art looks great. I am also not the sort of person who is going to base my decision of what distribution to use on the default theme that is provided by that distribution. That isn't to say that I don't think great artwork is a major selling point -- I just don't think it's enough of a deal breaker to warrant the breaking of the rules that the rest of Fedora plays by.
I believe that Fedora has a tremendously committed and tremendously talented art community. I believe that the Fedora Project has a responsibility to give those artists a place where they can do their work, and see their work put to good use.
Put bluntly -- I would like to see all (not just some, but all) of the artwork in Fedora developed openly, in the same community-oriented way that we try to build the rest of the distribution. If such a decision results in some short-term growing pains, I'm fine with that because I think the long term community that will result from such a commitment will be stronger.
The very technical goals of Fedora 7 required all of my "political capital" so to speak, in order to make happen. I couldn't win an additional fight about the manner in which parts of Fedora's artwork was produced. Was the end result good? Yes. Was the process good? No. Did I sort of have to take it on the chin? Yes.
Will I allow the same thing to happen again for Fedora 8? No. The Fedora 8 artwork will be developed in the community, and whoever the "lead designer" of that artwork is, it will be a requirement that that person conduct their work with the input of Fedora's larger art community, or the final work, no matter how beautiful it might be, will be unacceptable.
The development process at rpm.org has been quiet for a while (though a look at the lists shows that some things are happening). Meanwhile, the other RPM has launched rpm5.org and appears to be headed toward a major release. How do you feel about the state of rpm.org development, and is there any chance of joining this fork sometime in the future?
First, from the "RPM.org as a self-contained engineering project that various distros use" angle:
Right now, a maintenance release (4.4.2.1) is being prepared, with a release planned within the next two or so weeks. Its primary goals are bug fixes, and the review/merge of patches from vendors (mainly SUSE and Red Hat).
Once that maintenance release is out, the development cycle of the next major version of RPM will begin.
Speaking with the RPM developers, my understanding is that its focus will be on making the codebase more maintainable, cleaning up and improving the APIs, and getting a proper and predictable development/release process in place. This, we think, will also help to build a more healthy community around RPM, both of developers and testers.
The rpm.org developers have been keeping an eye on what the rpm5.org team is doing. Both trees have some common interest areas and code. The long-term is where the two projects differ.
On rpm5.org (http://rpm5.org/roadmap.php), it says:
"The main RPM development is already focused on the development of the forthcoming RPM 5.0. The primary goals of RPM 5.0 are the additional support for the XML based archiving format XAR (http://code.google.com/p/xar/), an integrated package dependency resolver, further improved portability and extended cross-platform support. The final RPM 5.0 versions are expected to be released in the second half of 2007."
In short, the rpm5.org development plans give RPM a *larger* scope. The rpm.org development team thinks that RPM should have a *smaller* scope. RPM should be a solid, stable foundation of a system. Everything else should be built on top of it. Keep RPM small and extensible by providing good and stable APIs.
Now, from the "Fedora as a distribution built around RPM" perspective:
RPM needs to grow and improve, but we need to make sure it grows in the right direction. And like most things in the world there are different opinions on where RPM should go.
Fedora provides tools like pungi and revisor that allow someone to use a release from rpm5.org and spin up a distribution centered around that. If a group of Fedora users wanted to spin a version of Fedora 7 using an rpm5.org release as a basis of comparison and testing, that would probably be a pretty interesting activity, and I would think that the results of it would be useful to developers working both at rpm.org and rpm5.org. That is the simple reality of the open source software world.
The Fedora Project is committed to using rpm.org's work as its upstream.
Many thanks to Max for taking the time to answer our questions in such detail.
SourceForge: the "Hotel California" of open source projects?
You can check out any time you like, but you can never leave
SourceForge (SF) provides a valuable service to the free and open source software communities, but it is not without its flaws. It is quite common that, as projects mature and gain popularity, they move away from SF for a variety of reasons. Unfortunately, because of a well-intentioned data retention policy at SF, this can lead to projects held hostage by the high regard search engines have for SF.
SF is one of the earliest providers of free hosting for projects, claiming over 100,000 projects with over one million registered users. It provides source code repositories, mailing lists, bug tracking, download space for releases, and has recently added wikis for the projects hosted there. For many small projects it has been an essential part of the infrastructure. It provides a way to draw developers' attention and it is a place for users to get information and releases.
At least partially because of its popularity, SourceForge has its share of problems. Complaints about the tools chosen, user interface, number and type of advertisements, etc. are commonly heard. Perhaps the biggest issue for most projects is the availability of the site. Development grinds to a halt if the SF server goes down; communication disappears without the mailing lists and, because it uses centralized source code management, no code can be checked in or out. SF becomes the single point of failure for the entire project.
If a project gets unhappy enough with SourceForge, they can, of course, just pick up and move elsewhere. There are other project hosting sites available, some geared towards particular kinds of projects. It is likely that other sites suffer many of the same shortcomings as SF, so projects often find their own host, where they can control the tools and advertising policies. They can also impact the reliability issues by choosing tools that are less centralized. To their credit, SF does nothing to discourage projects from moving, but they do have a policy regarding what happens to the project's data and, ultimately, to the project's SF entry itself.
A weblog entry by kernel hacker Dave Jones gives his opinion, rather forcefully, about the retention policy. It seems he had tried to have his x86info project removed from SF, but was foiled by the policy. This rubbed him the wrong way:
Search engine ranking plays a big role in his annoyance as well. A page at SF with a particular project name attached to it will be very high or at the top of any search engine results. Anyone looking for the project is likely to end up at the SF site, which will require another hop to get to the active site, if they see the link, as Jones puts it:
The policy is for the protection of the code and the project, so that a loose cannon project administrator cannot, in a fit of pique, get the project and all of its files deleted. It also protects against data loss when projects move, but then disappear from their new site. There is certainly nothing wrong with the policy per se, but it has some, probably unintended, side effects.
SF has built up a well-deserved reputation as a solid, if a bit annoying, home for projects, and it certainly cannot be faulted for the trust that search engines have in it. There is also nothing wrong with providing a repository for old releases of open source software. It would just be nice if they could provide what Jones calls the "yes, I really know what I'm doing, and I understand your reasons, but please kill this project" option. In some ways like the trademark issue described on this page last week, this adds another decision that a project leader may need to consider in the early stages of a project.
The first LiPS specifications
The Linux Phone Standards Forum is an industry group aimed at standardizing the use of Linux in telephony applications. Its members include some service providers, embedded software companies, chip manufacturers, and so on. There is, interestingly, a distinct lack of representation from handset manufacturers in the group currently. LiPS has recently announced the release of the first set of Linux telephony specifications. This work is far from complete, but it is enough to give an idea for where this group intends to go. For those who would like to look at the whole thing, it can be downloaded as a zip file filled with files in PDF and HTML formats.
One of the first things that one notes is that LiPS is not about free software. The (minimal) software associated with the specification can be distributed under a somewhat BSD-like license, but any necessary patent licenses can only be had under "reasonable and non-discriminatory" (i.e. discriminatory against free software) terms. LiPS is very much about making it easier to create proprietary applications for the phone space.
One set of specifications covers basic user interface tasks - how the arrow keys should work, APIs for text entry, etc. LiPS appears to have settled on GTK+ as its toolkit of choice for this purpose despite the presence of Trolltech in the list of members. There is some evident concern about the size of the GTK+ library, leading to a specification of which widgets are necessary and which can be removed. Specifications covering the customization of the look and feel of the device are planned but not yet present.
Then, there's a set of "enabler" services. Those which are present currently include a discussion of address book services and basic voice call management. There is much more planned in this area, including calendars, messaging, web browsing, data synchronization, video calling, and, inevitably, "DRM".
Other areas which have not been filled in are "application management" and "OS services." Application management covers the launching and control of applications and some API-level things like inter-process communication. The OS services category is a large one; at the lowest levels it will have a set of "requirements on the Linux kernel and drivers" and some sort of database service. On top of that one finds things like network protocols, power management, dealing with SIM cards, etc. One imagines that the specification writers will be busy for a while. Some of the missing documents are planned for later in this year, with the rest completed in 2008.
Most of this is relatively boring stuff for people who are not actually working in this area. It may turn out to be important work for those who would like to see Linux World Domination in the mobile telephone arena, though. If it is to achieve that goal, LiPS will want to broaden its membership; the lack of presence by the companies which are actually shipping Linux-based phones is worrying. The creation of a software stack which is truly free software would be a good addition to the Forum's goals; if a phone is completely proprietary and locked-down, the fact that it is running Linux will not be especially helpful or interesting. If the Forum can become truly inclusive in these ways, perhaps its specifications will be more than just LiPS service.
Security
BadBunny? Only if you invite it in
There has been a lot of press, over the last several weeks, about the "BadBunny" worm, which infects OpenOffice.org (OO.o) files. Most of the buzz seems to be about the multi-platform nature of the worm, which is interesting, but the mainstream technical press seems to miss the fact that, without a number of bad user decisions, the worm would not do anything at all. There was a lot of noise about OO.o macros and security last summer, but the situation is the same as when we last reported about OO.o security: if one is going to use an office suite with a macro language, one must be careful about which macros are run.
The infected file itself is a graphics document file called badbunny.odg which contains macro definitions that can be executed when the file is loaded into OO.o. If the macro is run, it does different things depending on the platform, but attempting to infect either the mIRC or XChat Internet Relay Chat (IRC) clients is the first step. If those clients are run after the infection, BadBunny will try to propagate by offering the document file to other connected users.
As a secondary payload, BadBunny stores and runs a script file that tries to infect other files in the directory where the document file is stored. For reasons unknown, each operating system gets a script written in a different language: for Linux it is Perl, for Mac OS X it is Ruby, and for Windows it is JavaScript. BadBunny also attempts to do a "ping of death" denial of service attack against multiple anti-virus sites.
The worm was first reported by the anti-virus company Sophos back in May and was described as a "proof of concept" that was emailed to their researchers. The name, BadBunny, comes from the names of various files that get installed as well as a pornographic image of a man in a bunny suit that may be displayed. More recently, anti-virus vendor Symantec has reported BadBunny "in the wild", but it is not very widespread.
There are some pretty good reasons this worm has not spread widely. Users are becoming more aware of these kinds of problems and many already know to be "cautious when handling OpenOffice files from unknown sources" as Symantec suggests in their announcement. This is not, of course, an OO.o-specific problem. All files from unknown sources should be treated with care. In order to be affected by BadBunny, users will also have to enable the macros to run. As reported by Malte Timmermann, Sun's OO.o Technical Architect, the worm does not bypass the OO.o security checks and the user will be prompted before the macros are run. One can certainly imagine that there are users who will receive a file of unknown provenance, perhaps by email or over IRC, open it and run its macros, but they are, hopefully, few and far between; this is certainly not the infection vector of an attacker's dreams.
Like it or not, macro languages in office suites are here to stay. They have their uses (and abuses). For the most part, users will not even consider using an office suite that does not offer a scripting language. As Timmermann puts it:
Of course this macro language can be used for performing any kind of tasks, that's the intention of it!
Users shouldn't run macros from unknown sources, same like they shouldn't run any programs or other scripts from unknown sources.
It could be argued that the OO.o macro language should be simplified in ways that might help cut down the potential for abuse. It is difficult to see how that can be done when the major competitor, at least in the Windows world, has a "full featured" macro language. The balance between security and new features is always tricky, but when trying to compete against an established market leader, sometimes the features have to win.
If you believe that an office suite requires a sophisticated macro language, these kinds of problems cannot be considered security holes in the program; it is doing exactly as the user instructed it to. Individuals or organizations that want to use tools with these capabilities have to be security conscious. In the end, if users are going to blindly click through any kind of warning, any reasonable level of security is impossible. This is true no matter what operating system, web browser or office suite is used.
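The article's point is that BadBunny only runs if the document carries macro code and the user agrees to run it. As an added example (not code from the LWN article or from OpenOffice.org), here is a small defender-side inspector that reports whether an ODF package carries macro code and whether any of it is bound to a document event such as "open". It assumes the ODF package layout (macros under Basic/ or Scripts/, event bindings as script:event-listener elements inside office:scripts in content.xml); the two sample documents are constructed in memory and are not real files.

```python
"""Inspect an OpenDocument (ODF) package for embedded macros and auto-run hooks.

Assumptions (not taken from the article): ODF files are zip archives; Basic
macros live under Basic/, scripts in other languages under Scripts/, and
document event bindings are script:event-listener elements in content.xml.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MACRO_PREFIXES = ("Basic/", "Scripts/")
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"


def inspect_odf(data: bytes) -> dict:
    """Return the macro containers and event listeners found in an ODF package."""
    report = {"mimetype": None, "macro_entries": [], "event_listeners": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "mimetype" in names:
            report["mimetype"] = zf.read("mimetype").decode("ascii", "replace")
        # Any file under Basic/ or Scripts/ is macro or script code.
        report["macro_entries"] = [
            n for n in names if n.startswith(MACRO_PREFIXES) and not n.endswith("/")
        ]
        if "content.xml" in names:
            root = ET.fromstring(zf.read("content.xml"))
            # Event listeners bind a macro to a document event (e.g. load).
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                report["event_listeners"].append({
                    "event": el.get(f"{{{SCRIPT_NS}}}event-name"),
                    "language": el.get(f"{{{SCRIPT_NS}}}language"),
                    "href": el.get(f"{{{XLINK_NS}}}href"),
                })
    return report


def risk_level(report: dict) -> str:
    """'clean': no code; 'macros': code present; 'autorun': code bound to an event."""
    if report["event_listeners"]:
        return "autorun"
    if report["macro_entries"]:
        return "macros"
    return "clean"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal .odg package in memory (a made-up sample, not a real file)."""
    listeners = ""
    if with_macros:
        listeners = (
            "<office:scripts><office:event-listeners>"
            '<script:event-listener script:event-name="dom:load" '
            'script:language="ooo:script" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
            '?language=Basic&amp;location=document"/>'
            "</office:event-listeners></office:scripts>"
        )
    content = (
        f'<office:document-content xmlns:office="{OFFICE_NS}" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        f"{listeners}<office:body><office:drawing/></office:body>"
        "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The mimetype entry comes first and is stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.graphics",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        if with_macros:
            # Abbreviated Basic library container and one module.
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/Module1.xml",
                        "<script:module>Sub Main\nEnd Sub</script:module>")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "macro"):
        rep = inspect_odf(build_sample(label == "macro"))
        print(label, risk_level(rep), rep["macro_entries"], rep["event_listeners"])
```

The check is deliberately coarse: it does not interpret the macro, it only tells a gateway or a cautious user that the file contains code and whether that code is wired to run on a document event, which is exactly the property the user is being asked to accept when the macro prompt appears.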
New vulnerabilities
kdebase: information leak
Package(s): kdebase
CVE #(s): CVE-2007-2022
Created: June 13, 2007
Updated: September 19, 2007
Description: A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser. NOTE: CVE number may be incorrect, see CVE entry
Alerts:
kernel: several vulnerabilities
Package(s): kernel
CVE #(s): CVE-2007-1353 CVE-2007-2451 CVE-2007-2453
Created: June 11, 2007
Updated: March 6, 2008
Description: Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353)
The GEODE-AES driver did not correctly initialize its encryption key. Any data encrypted using this type of device would be easily compromised. (CVE-2007-2451) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453)
Alerts:
kernel: several vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-5823 CVE-2006-6054 CVE-2007-1592
Created: June 12, 2007
Updated: March 21, 2011
Description: A flaw in the cramfs file system allows invalid compressed data to cause memory corruption (CVE-2006-5823)
A flaw in the ext2 file system allows an invalid inode size to cause a denial of service (system hang) (CVE-2006-6054) A flaw in IPV6 flow label handling allows a local user to cause a denial of service (crash) (CVE-2007-1592)
Alerts:
madwifi-ng: multiple vulnerabilities
Package(s): madwifi-ng
CVE #(s): CVE-2007-2830 CVE-2007-2829 CVE-2007-2831
Created: June 12, 2007
Updated: June 29, 2007
Description: Md Sohail Ahmad from AirTight Networks has discovered a division by zero in the ath_beacon_config() function (CVE-2007-2830). The vendor has corrected an input validation error in the ieee80211_ioctl_getwmmparams() and ieee80211_ioctl_setwmmparams() functions (CVE-2007-2831), and an input sanitization error when parsing nested 802.3 Ethernet frame lengths (CVE-2007-2829).
Alerts:
mecab: buffer overflow
Package(s): mecab
CVE #(s):
Created: June 12, 2007
Updated: June 13, 2007
Description: MeCab 0.96 fixes several bugs and security issues.
Alerts:
OpenOffice.org: arbitrary code execution
Package(s): openoffice.org
CVE #(s): CVE-2007-0245
Created: June 13, 2007
Updated: June 12, 2008
Description: A specially crafted RTF file could cause the filter to overwrite data on the heap, which may lead to the execution of arbitrary code.
Alerts:
pam: privilege escalation
Package(s): pam
CVE #(s): CVE-2007-1716
Created: June 12, 2007
Updated: November 15, 2007
Description: A flaw was found in the way pam_console set console device permissions. It was possible for various console devices to retain ownership of the console user after logging out, possibly leaking information to an unauthorized user.
Alerts:
spamassassin: local denial of service
Package(s): spamassassin
CVE #(s): CVE-2007-2873
Created: June 13, 2007
Updated: June 15, 2007
Description: The effect of the exploit is to allow overwriting of arbitrary files that are accessible by the spamd process (running as root), with data that is not under the control of the attacker.
Alerts:
wordpress: SQL injection
Package(s): wordpress
CVE #(s):
Created: June 8, 2007
Updated: June 13, 2007
Description: A lack of proper input filtering in wp_suggestCategories() of the WordPress XML-RPC API will allow SQL injection.
Alerts:
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 prepatch remains 2.6.22-rc4. Patches continue to flow into the mainline repository; they are mostly fixes, but the ZERO_SIZE_PTR patch for the SLUB allocator has also gone in.

The current -mm tree is 2.6.22-rc4-mm2. Recent changes to -mm are almost all fixes aimed at stabilizing this tree somewhat.

The current stable 2.6 kernel is 2.6.21.5, released on June 11 with a rather long list of fixes. 2.6.21.4 was released on June 8 with a set of security fixes: "The /dev/[u]random fix is especially important for machines with no entropy source (e.g. keyboard, mice, or disk drives) and no realtime clock since successive boots could generate same output from RNG. The cpuset bug is a possible information leak when reading from /dev/cpuset/tasks (assuming cpusets support is compiled in and the cpuset fs mounted on /dev/cpuset). The SCTP bug is remotely triggerable when using SCTP conntrack."
For older kernels: 2.6.20.13 was released on June 8 with the same security fixes; it was followed by 2.6.20.14 (June 11), which contained a large assortment of patches.
2.4.34.5 was released on June 6 with a small set of fixes. The 2.4.35 process continues with 2.4.35-pre5, also released on the 6th.
Kernel development news
Quotes of the week
/* I'm told there are only two stories in the world worth telling: love
 * and hate. So there used to be a love scene here like this:
 *
 *    Launcher: We could make beautiful I/O together, you and I.
 *    Guest: My, that's a big disk!
 *
 * Unfortunately, it was just too raunchy for our otherwise-gentle tale. */
Linus on GPLv3 and ZFS
For the curious, here's a recent posting from Linus Torvalds on Sun's motivations and GPLv3. "So to Sun, a GPLv3-only release would actually let them look good, and still keep Linux from taking their interesting parts, and would allow them to take at least parts of Linux without giving anything back (ahh, the joys of license fragmentation). Of course, they know that. And yes, maybe ZFS is worthwhile enough that I'm willing to go to the effort of trying to relicense the kernel. But quite frankly, I can almost guarantee that Sun won't release ZFS under the GPLv3 even if they release other parts. Because if they did, they'd lose the patent protection."
R500 initial driver release
Support for ATI R500 graphics chipsets has been one of the biggest missing pieces from the Linux free driver collection. That has just changed with the release of an early driver for R500 chipsets written from reverse-engineered specs. The driver only does 2D for now, but 3D support is in the works. Unsurprisingly, the development team would like help in getting this driver ready for production use. This release is an important step forward; congratulations are due to the developers who have brought this work this far.
Who wrote - and approved - 2.6.22
The 2.6.22 kernel is getting closer to its final state with its official release likely to happen near the end of this month. Patches are still being added to the mainline repository, but things have stabilized enough that it makes sense to take a look at where the code came from this time around. Accordingly, your editor has fixed up his scripts and cranked through the changesets added in this kernel development cycle.

As of this writing, just over 6,000 changesets have been accepted for 2.6.22. Those patches were contributed by 885 different developers, added 494,000 lines, and deleted 241,000 other lines (without counting renames, which would otherwise increase both numbers by about 60,000 lines). That makes 2.6.22 a large change relative to its immediate predecessors:

  Release       Developers  Changesets  Lines added  Lines removed
  2.6.20               741        4983      286,000        160,000
  2.6.21               842        5349      343,000        199,000
  2.6.22-rc4+          885        6093      494,000        241,000
Here's the top contributors of those changes:
Most active 2.6.22 developers

  By changesets
  David S. Miller              175   3.0%
  Kristian Høgsberg            109   1.9%
  Stephen Hemminger             86   1.5%
  Arnaldo Carvalho de Melo      82   1.4%
  Andrew Morton                 79   1.3%
  Stefan Richter                79   1.3%
  Christoph Lameter             77   1.3%
  Patrick McHardy               76   1.3%
  Jean Delvare                  75   1.3%
  Dmitry Torokhov               70   1.2%
  Stephen Rothwell              68   1.2%
  Paul Mundt                    66   1.1%
  David Brownell                65   1.1%
  Jeff Dike                     63   1.1%
  Alan Cox                      60   1.0%
  Andi Kleen                    59   1.0%
  Antonino Daplas               58   1.0%
  Adrian Bunk                   58   1.0%
  Tejun Heo                     57   1.0%
  Russell King                  57   1.0%

  By changed lines
  Bryan Wu                   77594  12.9%
  David Howells              23310   3.9%
  Marcelo Tosatti            22351   3.7%
  Patrick McHardy            21746   3.6%
  Jiri Benc                  18328   3.0%
  Hans Verkuil               13683   2.3%
  David S. Miller            13595   2.3%
  Roland Dreier              12247   2.0%
  Artem B. Bityutskiy        12065   2.0%
  Kristian Høgsberg          11153   1.9%
  Robert P. J. Day            7554   1.3%
  Christoph Lameter           7378   1.2%
  Andrew Victor               6638   1.1%
  Mike Frysinger              6313   1.0%
  David Brownell              6033   1.0%
  Michael Chan                5851   1.0%
  Andi Kleen                  5431   0.9%
  David Gibson                5321   0.9%
  Nobuhiro Iwamatsu           5296   0.9%
  Mark Fasheh                 4921   0.8%
Bryan Wu makes it to the top of the list of contributors (by lines changed) by virtue of being the person to contribute support for the Blackfin architecture. David Howells contributed the AF_RXRPC and AFS filesystem work; Marcelo Tosatti wrote the OLPC "Libertas" wireless driver, and Jiri Benc's name appears on the mac80211 stack.
When broken down by employer, the (approximate, as always) numbers come out like this:
Most active 2.6.22 employers

  By changesets
  (Unknown)                   1766  30.2%
  Red Hat                      720  12.3%
  IBM                          601  10.3%
  Novell                       411   7.0%
  (None)                       245   4.2%
  Intel                        203   3.5%
  Oracle                       127   2.2%
  (Consultant)                 119   2.0%
  Linux Foundation             116   2.0%
                               111   1.9%
  SGI                           93   1.6%
  Nokia                         83   1.4%
  Freescale                     80   1.4%
  Astaro                        76   1.3%
  XenSource                     56   1.0%
  MontaVista                    56   1.0%
  Qumranet                      55   0.9%
  HP                            53   0.9%
  QLogic                        52   0.9%
  Analog Devices                49   0.8%

  By lines changed
  (Unknown)                 130164  21.6%
  Red Hat                   104627  17.4%
  Analog Devices             84561  14.0%
  Novell                     41366   6.9%
  IBM                        33629   5.6%
  Astaro                     22065   3.7%
  (None)                     20097   3.3%
  (Consultant)               15403   2.6%
  Linutronix                 13585   2.3%
  Intel                      12288   2.0%
  Cisco                      12280   2.0%
  Oracle                     10482   1.7%
  Freescale                  10116   1.7%
  SGI                         8639   1.4%
  Nokia                       7328   1.2%
  SANPeople                   7045   1.2%
  Broadcom                    5952   1.0%
  MontaVista                  5810   1.0%
  Linux Foundation            5746   1.0%
  Atmel                       5220   0.9%
One thing which jumps out here is that the amount of code contributed by developers known to be working on their own time has dropped; 2.6.22 will be one of the most corporate kernels yet.
Looking at the developers who put Signed-off-by lines onto patches yields some interesting results. If one tabulates all 12,678 signoffs in 2.6.22, the results look like this:
Developers with the most signoffs (total 12678)
  Andrew Morton               1415  11.2%
  Linus Torvalds              1299  10.2%
  David S. Miller              814   6.4%
  Paul Mackerras               381   3.0%
  Jeff Garzik                  344   2.7%
  Andi Kleen                   252   2.0%
  Greg Kroah-Hartman           236   1.9%
  Mauro Carvalho Chehab        236   1.9%
  Stefan Richter               210   1.7%
  Russell King                 189   1.5%
  James Bottomley              176   1.4%
  Jaroslav Kysela              145   1.1%
  Takashi Iwai                 131   1.0%
  Len Brown                    126   1.0%
  Kristian Høgsberg            126   1.0%
  Patrick McHardy              117   0.9%
  Jean Delvare                 110   0.9%
  Roland Dreier                109   0.9%
  Antonino Daplas              106   0.8%
  Dmitry Torokhov              105   0.8%
All authors must sign off on their code. Additionally, any maintainer who passes a patch up toward the mainline adds a signoff indicating that he or she believes the code is legitimate and suitable for inclusion. If one excludes signoffs by the author of each patch, the remaining 7,000 signoffs are (almost) all by people through whom the code has passed (a few of them are by additional authors of the patch). Those adding non-author signoffs can thus be thought of as the gatekeepers through whom each patch must pass. Non-author signoffs break down like this:
Non-author signoffs (total 7028)
  Andrew Morton               1336  19.0%
  Linus Torvalds              1279  18.2%
  David S. Miller              640   9.1%
  Paul Mackerras               371   5.3%
  Jeff Garzik                  322   4.6%
  Greg Kroah-Hartman           222   3.2%
  Mauro Carvalho Chehab        216   3.1%
  Andi Kleen                   193   2.7%
  James Bottomley              163   2.3%
  Jaroslav Kysela              142   2.0%
  Russell King                 132   1.9%
  Stefan Richter               131   1.9%
  Len Brown                    115   1.6%
  John W. Linville              85   1.2%
  Roland Dreier                 85   1.2%
  Takashi Iwai                  79   1.1%
  Martin Schwidefsky            54   0.8%
  David Woodhouse               53   0.8%
  Ralf Baechle                  48   0.7%
  Antonino Daplas               48   0.7%
In summary, 80% of the patches merged into the mainline kernel passed through the twenty developers listed above. One can take another step, and look at the number of non-author signoffs by employer:
Non-author signoffs by employer
                              1338  19.0%
  Linux Foundation            1281  18.2%
  Red Hat                     1246  17.7%
  Novell                       700  10.0%
  (Unknown)                    660   9.4%
  IBM                          553   7.9%
  (None)                       293   4.2%
  Intel                        193   2.7%
  SteelEye                     163   2.3%
  Cisco                         85   1.2%
  MIPS Technologies             48   0.7%
  Nokia                         42   0.6%
  Astaro                        41   0.6%
  Analog Devices                35   0.5%
  QLogic                        35   0.5%
  Cendio                        32   0.5%
  SGI                           28   0.4%
  NetApp                        28   0.4%
  (Consultant)                  23   0.3%
  Oracle                        22   0.3%
The bottom line: while Linux kernel development is a highly distributed activity, the work of several hundred developers is channeled through a surprisingly small number of individuals, and an even smaller number of companies on its way into the mainline.
More fun with file descriptors
In last week's episode, the kernel developers were considering the addition of a couple of flags to the open() system call; these flags would allow applications to select previously unavailable features like the non-sequential file descriptor range or immediate close-on-exec behavior. The problem that comes up quickly is that open() is just one of many system calls which creates file descriptors; most of the others do not have a parameter which allows an application to pass a set of accompanying flags. So it is not possible to request, for example, the non-sequential behavior when obtaining a file descriptor with socket(), pipe(), epoll_create(), timerfd(), signalfd(), accept(), and so on.

In the second version of the non-sequential file descriptor patch, Davide Libenzi attempted to address part of the problem by adding a socket2() system call with an added "flags" parameter. That was enough to frighten a number of developers; nobody really wants to see a big expansion of the system call list resulting from the addition of variations on all the file-descriptor-creating calls. Another approach, it seems, is required, but finding that approach is not entirely easy.
One possibility is to simply ignore the problem; not everybody is sold on the need for non-sequential file descriptors or immediate close-on-exec behavior. There are enough people who see a problem here to motivate some sort of solution, though. Ulrich Drepper, the glibc maintainer, has seen enough applications to conclude that the issue is real.
An alternative, suggested by Alan Cox, is to create a process state flag which controls the use of these features. So a call like:
prctl(PR_SPARSEFD, 1);
would turn on non-sequential file descriptor allocation for all system calls made by the calling process. The problem here is that the lowest-available-descriptor behavior is a documented part of the POSIX binary interface. A process could waive that guarantee for itself, but it will always be hard to know that all libraries used by that process are safe in the absence of that behavior. One library might want to use non-sequential file descriptors, but that library cannot safely turn them on for the whole process without risking the creation of difficult bugs in obscure situations. It has been suggested that linker tricks could be used to avoid bringing older libraries, but Ulrich feels that people would respond by simply recompiling the older libraries and the potential bugs would remain.
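As an added example (not code from the article or from the patches it discusses), the two behaviors at issue shown with ordinary POSIX calls: the lowest-available-descriptor rule that libraries rely on, and the two-step open()-then-fcntl() way of getting close-on-exec, whose window between the two calls is exactly what an atomic flag would remove. It assumes a Linux/POSIX system with /dev/null available.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* POSIX guarantees that open() returns the lowest unused descriptor.
 * Returns 1 if closing a descriptor and opening again hands back the
 * same number, 0 if it does not, -1 on error. */
int lowest_fd_is_reused(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = open("/dev/null", O_RDONLY);
    int c, reused;

    if (a < 0 || b < 0)
        return -1;
    close(a);                        /* free the lower number again */
    c = open("/dev/null", O_RDONLY); /* POSIX says this must be 'a' */
    reused = (c == a);
    close(b);
    if (c >= 0)
        close(c);
    return reused;
}

/* Return 1 if FD_CLOEXEC is set on fd, 0 if clear, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);

    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The traditional way to get close-on-exec: open first, then set the
 * flag. Between the two calls the descriptor is inheritable, so a
 * fork()+exec() issued by another thread in that window leaks it into
 * the child. Returns the descriptor with the flag set, or -1. */
int open_cloexec_two_step(const char *path)
{
    int fd = open(path, O_RDONLY);
    int flags;

    if (fd < 0)
        return -1;
    /* race window: fd exists here but is still inherited across exec */
    flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* A plain open() never sets close-on-exec: returns 0 on success. */
int plain_open_has_cloexec(void)
{
    int fd = open("/dev/null", O_RDONLY);
    int r;

    if (fd < 0)
        return -1;
    r = has_cloexec(fd);
    close(fd);
    return r;
}

/* After the two-step dance the flag is set: returns 1 on success. */
int two_step_open_has_cloexec(void)
{
    int fd = open_cloexec_two_step("/dev/null");
    int r;

    if (fd < 0)
        return -1;
    r = has_cloexec(fd);
    close(fd);
    return r;
}

int main(void)
{
    printf("lowest descriptor reused after close: %d\n", lowest_fd_is_reused());
    printf("plain open() has close-on-exec:       %d\n", plain_open_has_cloexec());
    printf("two-step open has close-on-exec:      %d\n", two_step_open_has_cloexec());
    return 0;
}
```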
Linus came into the discussion with a statement that neither adding a bunch of new system calls nor the global flag were acceptable. Instead, he came up with a completely different idea: create a mechanism which allows a single system call to be invoked with a specific set of flags. His proposed interface is:
int syscall_indirect(unsigned long flags, sigset_t sigmask, int syscall, unsigned long args[6]);
The result would be a call to the given system call with the requested arguments. For the duration of the call, the given flags would be in effect, and signals in sigmask would be blocked. Even before adding any flags, this mechanism could be used to implement the series of system calls (pselect(), for example) which exists only to apply a signal mask to an earlier version of the call. Then the non-sequential file descriptor and close-on-exec behavior could be requested via the flags argument. Beyond that, flags could be added to control the handling of symbolic links, and various other things. Matt Mackall suggested that the "syslet" mechanism could be implemented as a "run this call asynchronously" flag.
This approach is not without its potential problems. There are worries that the flags bits could be quickly exhausted, once again making it hard to add options to existing system calls. Linus suggests overloading the flag bits as a way of making them last longer. That approach risks problems if application developers attempt to apply the wrong flags for a given system call - there would be no automatic way of catching such errors - but it is unlikely that applications would be calling syscall_indirect() themselves, so this risk is relatively small. It is appropriate to worry about whether any conceivable, sensible behavior modification is covered by this interface, or whether it needs a different set of parameters. And one might well wonder whether, some years from now, a large percentage of system calls will be made via syscall_indirect().
This new system call suffers from one other shortcoming as well: there is currently no working implementation. That will likely change at some point, leading to a wider discussion of the proposed interface. If it still seems like a good idea, we might just have a way of adding new behavior to old functions without an explosion in the number of system calls. Sometimes, perhaps, it really is true that problems in computer science are best solved through the addition of another level of indirection.
KHB: Real-world disk failure rates: surprises, surprises, and more surprises
At this year's USENIX File Systems and Storage Technology Conference, we were treated to two papers studying failure rates in disk populations numbering over 100,000. These kinds of data sets are hard to get - first you have to have 100,000 disks, then you have to record failure-related data faithfully for years on end, and then you have to release the data in a form that doesn't get anyone sued. The storage community has salivated after this kind of real-world data for years, and now we have not one, but two (!) long-term studies of disk failure rates. The conference hall was packed during these two presentations. When the talks were done, we stumbled out into the hallway, dazed and excited by the many surprising results. Heat is negatively correlated with failure! Failures show short AND long-term correlation! SMART errors do mean the drive is more likely to fail, but a third of drives die with no warning at all! The size of the data sets, the quality of analysis, and the non-intuitive results win these two papers a place on the Kernel Hacker's Bookshelf.
The first paper (and winner of Best Paper), was Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?, by Bianca Schroeder and Garth Gibson. They reviewed failure data from a collection of 100,000 disks, over a period of up to 5 years. The disks were part of a variety of HPC clusters and an Internet service provider. Disk failure was defined as the disk being replaced. The date of replacement was also used as the date of the failure, since determining exactly when a disk failed was not possible.
Their first major result was that the real-world annualized failure rate (average percentage of disks failing per year) was much higher than the manufacturer's estimate - an average of 3% vs. the estimated 0.5 - 0.9%. Disk manufacturers obviously can't test disks for a year before shipping them, so they stress test disks in high-temperature, high-vibration, high-workload environments, and use data from previous models to estimate MTTF. Only one set of disks had a real-world failure rate less than the estimated failure rate, and one set of disks had a 13.5% annualized failure rate!
More surprisingly, they found no correlation between failure rate and disk type - SCSI, SATA, or Fibre Channel. The most reliable disk set was composed of only SATA drives, which are commonly regarded to be less reliable than SCSI or Fibre Channel.
In another surprise, they debunked the "bathtub model" of disk failure rates. In this theory, disks experience a higher "infant mortality" initial rate of failure, then settle down for a few years of low failure rate, and then begin to wear out and fail. The graph of the probability vs. time looks like a bathtub, flat in the middle and sloping up at the ends. Instead, the real-world failure rate began low and steadily increased over the years. Disks don't have a sweet spot of low failure rate.
Failures within a batch of disks were strongly correlated over both short and long time periods. If a disk had failed in a batch, then there was a significant probability of a second failure up to at least 2 years later. If one disk in your batch has just gone, you are more likely to have another disk failure in the same batch. Scary news for RAID arrays with disks from the same batch. A recent paper in the 2006 Storage Security and Survivability Workshop, Using Device Diversity to Protect Data against Batch-Correlated Disk Failures, by Jehan-François Pâris and Darrell D. E. Long, calculated the increase in RAID reliability from mixing batches of disks. Using more than one kind of disk increases costs, but with the combination of data from these two papers, RAID users can calculate the value of the extra reliability and make the most economical decision.
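The MTTF-versus-AFR comparison two paragraphs up and the batch/RAID point just above, as an added calculator that is not from either paper or from the article. It uses the constant-hazard conversion AFR = 8760 / MTTF (so the 1,000,000-hour figure in the paper title is about 0.88% per year); the 1.2M and 1.5M-hour vendor figures are assumed values chosen to bracket the 0.5-0.9% range quoted above, and the RAID-set probability treats failures as independent, which the batch-correlation result says is optimistic.

```c
#include <stdio.h>

#define HOURS_PER_YEAR 8760.0

/* Vendor MTTF in hours to annualized failure rate under a constant
 * hazard rate: AFR = 8760 / MTTF. 1,000,000 h gives about 0.88%/year. */
double afr_from_mttf(double mttf_hours)
{
    return HOURS_PER_YEAR / mttf_hours;
}

/* Inverse: the MTTF that a measured AFR would correspond to, e.g. the
 * observed 3% average implies roughly 292,000 h, not 1,000,000 h. */
double mttf_from_afr(double afr)
{
    return HOURS_PER_YEAR / afr;
}

/* Expected replacements in one year for a population of ndisks. */
double expected_replacements(double afr, int ndisks)
{
    return afr * ndisks;
}

/* Probability that at least one of ndisks fails within a year, treating
 * failures as independent. Because failures within a batch are
 * correlated, this is a floor for a RAID set bought as one batch. The
 * loop replaces pow() so no math library is needed. */
double prob_at_least_one(double afr, int ndisks)
{
    double survive = 1.0;
    int i;

    for (i = 0; i < ndisks; i++)
        survive *= (1.0 - afr);
    return 1.0 - survive;
}

int main(void)
{
    /* 1.2M and 1.5M hours are assumed vendor figures, not from the papers */
    double vendor_mttf[] = { 1000000.0, 1200000.0, 1500000.0 };
    /* rates quoted in the text: Google's 1.7% and 8.6% bounds, the 3%
     * average and the worst 13.5% disk set from Schroeder and Gibson */
    double observed_afr[] = { 0.017, 0.03, 0.086, 0.135 };
    int i;

    printf("vendor MTTF  ->  AFR\n");
    for (i = 0; i < 3; i++)
        printf("  %9.0f h   %.2f%%\n", vendor_mttf[i],
               100.0 * afr_from_mttf(vendor_mttf[i]));

    printf("observed AFR -> implied MTTF, replacements/year per 100,000 disks,"
           " P(at least 1 of 8 fails)\n");
    for (i = 0; i < 4; i++)
        printf("  %5.1f%%   %8.0f h   %6.0f   %.3f\n",
               100.0 * observed_afr[i], mttf_from_afr(observed_afr[i]),
               expected_replacements(observed_afr[i], 100000),
               prob_at_least_one(observed_afr[i], 8));
    return 0;
}
```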
The second paper, Failure Trends in a Large Disk Drive Population, by Eduardo Pinheiro, Wolf-Dietrich Weber and Luiz André Barroso, reports on disk failure rates at Google. They used a Google tool for recording system health parameters and many other staples of Google software (Mapreduce, Bigtable, etc.) to collect and analyze the data. They focused on SMART statistics - the built-in disk drive monitoring in many modern disk drives, which records statistics about scan errors and blocks relocated.
The first result agrees with the first paper: The annualized failure rate was much higher than estimated, between 1.7% and 8.6%. They next looked for correlation between failure rate and drive utilization (as estimated by the amount of data read or written to the drive). They find a much weaker correlation between higher utilization and failure rate than expected, with low utilization disks often having higher failure rates than medium utilization disks, and, in the case of the 3-year-old vintage of disks, higher than the high utilization group.
Now for the most surprising result. In Google's population of cheap ATA disks, high temperature was negatively correlated with failure! In the authors' words:
This correlation held true over a temperature range of 17-55 C. Only in the 3-year-old disk population was there correlation between high temperatures and failure rates. My completely unsupported and untested hypothesis is that drive manufacturers stress test their drives in high temperature environments to simulate longer wear. Perhaps they have unwittingly designed drives that work better in their high-temperature test environment at the expense of a more typical low-temperature field environment.
Finally, they looked at the SMART data gathered from the drives. Overall, any kind of SMART error correlated strongly with disk failure. A scan error occurs when the disk checks data in the background, reading the entire disk. Within 8 months of the first scan error, about 30% of drives would fail completely. A reallocation error occurs when a block can't be written, and the block is reassigned to another location on disk. A reallocation error resulted in about 15% of affected drives failing within 8 months. On the other hand, 36% of the drives that failed had no warning whatsoever, either from SMART errors or from exceptionally high temperatures.
For Google's purposes, the predictive power of SMART is of limited utility. Replacing every disk that had a SMART error would end up replacing good disks that will run for years to come about 70% of the time. For Google, this isn't cost-effective, since all their data is replicated several times. But for an individual user for whom losing their disk is a disaster, replacing the disk at the first sign of a SMART error makes eminent sense. I have personally had two laptop drives start spitting SMART errors in time to get my data off the disk before it died completely.
Overall, these are two exciting papers with long-awaited real-world failure data on large disk populations. We should expect to see more publications analyzing these data sets in the years to come.
Valerie Henson is a Linux file systems consultant specializing in file system check and repair.
Patches and updates
Kernel trees
Architecture-specific
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
A new APT for Debian Sid
APT is also known as the Advanced Packaging Tool. Wikipedia describes APT as a package management front-end, but then notes:
APT is both a front-end for dpkg and it is also the underpinning for more advanced front-end tools like Synaptic and aptitude. APT is often described as one of the best things about Debian.
A new version of APT was uploaded to Sid (Debian's unstable branch) last weekend. Version 0.7.2 is a big merge of the version in debian/experimental and the version in Ubuntu. It's an ABI breaker, meaning that until all the packages depending on libapt are rebuilt, Sid will be very unstable. By now though Sid should be settling back down.
The new APT contains translated package descriptions, support for the new dpkg "Breaks" field, apt-https support (based on libcurl), automatic removal of unused dependencies moved into libapt, automatic installation of recommends like aptitude and support for unattended installing security upgrades.
Michael Vogt notes that the automatic removal of unused dependencies is a long-standing feature request for synaptic, so having it integrated into libapt will be of great benefit there and for other apt front-ends.
The automatic installation of recommended packages is currently off by default although that will change at some point in the future. Joey Hess notes several places where the Debian installer will have to change to support this feature and there are likely other places within Debian where changes will need to be made. It would be nice to see this properly implemented and integrated throughout Lenny.
APT development has been moved to the bazaar-ng (bzr) revision control system; the APT Development Wiki Page is the best place to track that development.
New Releases
Ubuntu Tribe 1 released
Ubuntu Gutsy Gibbon Tribe 1 has been released. "Tribe 1 is the first in a series of milestone CD images that will be released throughout the Gutsy development cycle. The Tribe images are known to be reasonably free of showstopper CD build or installer bugs, while representing a very recent snapshot of Gutsy."
Distribution News
Fedora Board Elections
Max Spevack reports: "We are due for our first round of Fedora Board elections. There have been some threads recently on fedora-advisory-board that have been working to clarify what the Board's role should be as it goes into its next term." Three of the nine seats are open for election in this current iteration, the process is similar to other Fedora elections, and anyone who is a Fedora contributor (regardless of where they are employed) may run and vote.
New mailing list and forum for 64 Studio users
The 64 Studio distribution has a new forum and a new mailing list for user questions and general discussion.
End of Fedora Legacy mirror at Iowa State
The Fedora Legacy mirror at Iowa State will be shutting down on July 1, 2007. "Max Spevack announced last month that Fedora Core 5's end of life would be June 29th. That gives us a good milestone for removing our Fedora Legacy mirror. Traffic was high for two months after the announcement of Fedora Legacy's demise but has dwindled since April. So, beginning July 1, 2007, Iowa State will no longer offer a mirror of Fedora Legacy. Grab what you would like between now and then." The ATrpms.net mirror will also be shutting down soon.
New High-Performance Linux Distro for Security and Monitoring
nPulse Networks has announced it will release a new Linux distribution in August. Catapulta borrows from Debian and Ubuntu and is designed for network monitoring and security applications. From this summary page: "A key to the project was the substantial tuning required to common Linux distributions to achieve high packet throughput. nPulse eventually built its own custom distribution, named "Catapulta" which it is now placing in the public domain for general usage, and in the expectation of drawing on-going contributions from a user community to continue to enhance the distro."
New Distributions
Granular Linux
Granular Linux aims to be an easy to use, user-friendly desktop distribution for both new and experienced Linux users. It's based on PCLinuxOS and features easy switching between the KDE and XFCE desktop environments. Granular 0.90 is available as a test release. See the announcement for details.
Karoshi
Karoshi is a server operating system designed for schools. Karoshi is based on PCLinuxOS and it provides a simple graphical interface that allows easy installation, setup and maintenance of your network. The latest version is 5.1.3 (announcement).
linuX-gamers.net live DVD
linuX-gamers.net has announced the first public release (v0.9) of a live DVD for gamers. The DVD contains Nexuiz, Warsow, Glest, Torcs and much more.
Distribution Newsletters
Fedora Weekly News Issue 91
The Fedora Weekly News for June 9, 2007 looks at Cooperative Bug Isolation for Fedora 7, OLPC: Mesh Networking Overview in Red Hat Magazine, Fedora for ARM and cross compilation, Innovation in virtualization management tools, Fedora 7 reviews, Community Control And Documentation Of New Workflows, Fedora On ARM Architecture Opens Up Cross-Compilation Discussion, A World Of Hurt: Making F7 Install CD Set From DVD Using FC6 Pungi, Splitting Terminfo Out Of The ncurses RPM, Eliminating Unwanted RPM Dependencies And Statically-linked Binaries, F7 Images For Mass Production, Exploding Trees and SCM, Why Emacs Is Not Installed By Default, Metalink: A New Way Of Distributing Fedora ISOs?, Quick Notes On Update Image Installer And F8 Desiderata, and several other topics.
Ubuntu Weekly News: Issue #44
The Ubuntu Weekly News for June 9, 2007 covers the release of Gutsy Tribe 1, newly approved MOTU Lionel Porcheron, upcoming Ubuntu Hug Day, the new Launchpad release, an interview with Mark Shuttleworth, an Ubucon held by the Colorado LoCo at Google offices, and much much more.
DistroWatch Weekly, Issue 206
The DistroWatch Weekly for June 11, 2007 is out. "This week marks the start of a slower season on the distribution release calendar; all major new versions are now out and many users have been enjoying their newly updated Linux desktops. But is there still anything exciting going on the distro scene? You bet! This week's DistroWatch Weekly asks the readers to comment on their "distro hopping" habits, reports about Linux Format's annual distribution mega-test, links to an open source software article in The Economist, and reports about the new linuX-gamers live DVD. Finally, don't miss your chance to suggest new packages to be tracked after the upcoming DistroWatch's package database update later this month."
Newsletters and articles of interest
HP's LinuxCOE turns 4.0, enables DIY Linux distros (Linux-Watch)
Linux-Watch looks at LinuxCOE 4.0, which was announced last May. "If you want to give LinuxCOE a try, you can use it to install a Linux system by visiting the Instalinux website. For the source code and documentation visit the LinuxCOE site."
Pepper, Ubuntu Linux developers make plans to shrink (NetworkWorld.com)
NetworkWorld.com looks at another contender for Intel's Mobile Internet Device platform, Pepper Linux. "Pepper Linux, which runs on the slick Pepper Pad Internet browsing appliance, will be ported to Intel's MID platform, with the software being available this fall to equipment makers."
Taking OpenSolaris for a spin (Linux-Watch)
Linux-Watch takes a look at Open Solaris. "If you're like most Linux users, you've heard of OpenSolaris, but I'm willing to bet you've never tried it. One reason, as former Debian co-founder and now Sun Chief Operating Platforms Officer Ian Murdock explained, is that OpenSolaris doesn't come as a packaged operating system like Linux does."
Installing Xen On CentOS 5.0 (i386)
HowtoForge has a tutorial on installing Xen on CentOS 5.0 (i386). "Xen lets you create guest operating systems (*nix operating systems like Linux and FreeBSD), so called "virtual machines" or domUs, under a host operating system (dom0). Using Xen you can separate your applications into different virtual machines that are totally independent from each other (e.g. a virtual machine for a mail server, a virtual machine for a high-traffic web site, another virtual machine that serves your customers' web sites, a virtual machine for DNS, etc.), but still use the same hardware. This saves money, and what is even more important, it's more secure. If the virtual machine of your DNS server gets hacked, it has no effect on your other virtual machines. Plus, you can move virtual machines from one Xen server to the next one."
Distribution reviews
Alternative GUIs: SymphonyOS (TuxMachines)
TuxMachines takes a look at Symphony OS. "The SymphonyOS desktop (named "mezzo") seems to be a marriage of the fvwm window manager with Mozilla's scriptable layout engine, Gecko. On the desktop, there are areas with links in them (known as "desklets" and "launchers"). When clicked, the links can bring up Web pages or programs. In the four corners of the desktop, there are hotspots that bring up what are referred to as "menus," which are actually full-page views of four specific functional areas: Computer (settings); Files; Programs; and Trash. In the top center of the main page, there's a hotspot containing the clock, that also works as the way to refresh the desktop after the desktop background image has been changed through SymphonyOS' Desktop Manager."
Granular Linux - What Am I Missing? (TuxMachines)
TuxMachines reviews Granular Linux. "Granular Linux is a Linux distribution based on PCLinuxOS and features the XFCE4 and KDE desktops. It appears to have been in development since about the beginning of 2007 and has had one previous release. The developers of Granular have recently released a test of their upcoming .90 and I thought I'd see what it offered."
Page editor: Rebecca Sobol
Development
Collections in the XMMS2 music player
The number of music players on Linux has been steadily increasing lately, but while these projects have been getting more and more polished, we have yet to see revolutionary improvements in terms of user experience. Indeed, the trend has been to borrow as many features as possible from other projects, rather than questioning the reasons behind their design.
This article describes XMMS2's attempt to address long-standing limitations of music players, through its new support for Collections.
Design Rationale
I have been concerned with the state of music players for a long time. Two years ago, I wrote a Manifesto for a Better Music Player. Although my ideas have evolved since then, the general conclusions of that article still hold.
One important argument I made is that the design of a music player should focus on the users' needs, rather than on a list of well-known features. All the traditional features (playlist, media library, cover browsing, etc) and hacks (play queue, random mode, etc) stem from the needs users have for:
- playing music non-linearly
- searching for specific media
- browsing their media library
- organizing their music
Non-linear playback was first introduced in a crude form as the "random mode", directly inspired from legacy CD players. iTunes later popularized its "Party Shuffle" mode, which solved the unpredictability of playback by maintaining a queue of randomly selected songs. What we are still waiting for, though, is a smarter mode that would also take into account beat, artist similarity, or other semantic information.
Music players that are based on a media library typically provide a search feature. Unfortunately, the power of the search function is often hindered by annoyingly complex forms used to choose the fields to query. Few developers seem to have noticed the success of Google's search interface: minimalistic, but enriched by rating heuristics and a rich syntax for advanced users.
The other axis required by our ever-growing music libraries is browsing. Media library browsing is always present in some form, although mostly simplistic and uninspired. When they are not cloning iTunes genre/artist/album filters or the browsing of cover art, most music players simply present the users with the list of all their media in a plain multi-column layout. Easy to implement, but hard on the eyes for the users. Interestingly, Foobar2000 (freeware) is the only popular player to allow a rich customization of the layout, which greatly improves readability.
The lack of features that help users organize their media library contributes to the difficulty of addressing the two previous issues. In the physical world, users can arrange their CDs spatially in their own personal way (by artist, date of release, mood, etc), set a couple of albums aside for playing at a party, or highlight their latest acquisitions on a shelf. This lets them build a cognitive map of the location of items. On computer-based music players, however, they are barely provided with the possibility to create playlists, possibly dynamic, but seldom integrated well enough to be used powerfully. Even bare files have richer organizational possibilities, using directories!
The reason behind these limitations is not that they are inherently unsolvable. The truth is that a lot of effort is required to implement new approaches in any of these fields. Experimentation, either conceptual or in terms of interface, is expensive.
The Collections Concept
The goal of Collections is to address this problem by creating a common abstraction layer. Search, browsing and organization all share one property: they act on subsets of the media library. Computers are especially good at handling sets, but music players haven't really exploited that fact yet.
A collection is defined as a subset of the media library. This set of media (songs) can be dynamic, for instance "All media by Kraftwerk released prior to 1980" or "All media added to the media library last week, except those by Justin Timberlake". A static set, for instance hand-picked media selected for parties, is just a special case of dynamic sets.
Note that a collection is not merely what some players call a "Smart Playlist" (or "Dynamic Playlist"). A "Smart Playlist" is only used to play an arbitrary list of media, while a collection is a generic representation of a set of media. For instance, this includes the results of a search, a filtered view of the media library, the list of tracks from a given album, etc.
Because a collection is an abstract representation, it can be used ubiquitously throughout all the features of the music player: browsing, searching in the media library or the playlist, enqueuing, jumping, etc. A collection can also be saved on the server, thus allowing the users to organize their music and reuse their selection in homogeneous and flexible ways.
Collections for the XMMS2 player
The XMMS2 project turned out to be the perfect ground to implement collections. Unlike its popular predecessor XMMS, XMMS2 hasn't gathered much attention yet. However, it features all that you would expect from a recent music player: a media library, support for many audio formats and multiple platforms (Linux, *BSD, OS X, Windows, etc), bindings for many languages (C, C++, Ruby, Python, Perl, Java), and a friendly community open to innovation.
In addition, the player was designed according to a client-server architecture, so that the server is responsible for all the boring work (audio decoding, media library management, tag extraction, etc), while any flavor of user interface can be implemented as a client connected to the server, possibly across the network.
Collections have been implemented in XMMS2 as a student project during the Google Summer of Code 2006, and finally merged into the stable tree on May 20, 2007 as part of the DrJekyll release.
Support for collections was implemented on the server as a layer above the media library, and playlists are exposed to the clients through a collections API. This API allows clients to save collections on the server, query the media library, enqueue the content of a collection, etc. Thus, although the user interface depends on the client, the server and the clients all share the same abstract representation.
Clients are also freed from the need to generate complex SQL queries themselves; instead, they can easily build a (DBMS-agnostic) collection and the tedious query is performed by the server. In addition, a parser is provided to generate a collection from a string with an enriched search syntax.
Collections make it essentially trivial to browse and search the media library. Moreover, advanced features are either natively available or very easy to implement: iTunes-like Party Shuffle, recursive filtering (e.g. search inside the playlist), display Top 10 or never played songs, changing the equalizer settings if the playing song is in a particular collection (e.g. "Jazz Vinyl rips"), etc.
Implementation
Strictly speaking, collections are implemented as a directed acyclic graph (DAG), each node of which is a collection operator. In fact, because the structure is recursive, each node of the graph corresponds to a collection. This model was chosen to emphasize the aggregated nature of users' music collections.
Collection operators come in four different flavors:
- set operators
- filter operators
- list operators
- reference operator
The set operators take an arbitrary number of operands and return the collection obtained by applying the corresponding set operation to them. For instance, "any music by The Beatles or any music by The Rolling Stones". Available set operators: union, intersection, complement.
The filter operators enforce conditions on properties of the media; the resulting collection only contains the media that match the filtering attributes. For instance, "all the songs with 'stairway' in their title". Available filter operators: equals, match (partial matching of strings using wildcards), larger/smaller (for numbers), has (checks whether a property is present).
The list operators are a bit special. The basic list operator (called "idlist") does not accept any operands; instead, it simply generates the collection corresponding to the custom list of media it contains. Because list operators store static, ordered lists of media, they are used as playlists in XMMS2. Available list operators: list, queue (pop songs once they have been played), Party Shuffle (takes an operand, used to randomly feed the list with new entries).
The reference operator is simply used to refer to the content of a saved collection or playlist. For instance, "all the songs released in 2007 in the Foo playlist". A reference operator is also used to refer to the whole media library (all media).
Now, let's illustrate all this with a sample collection structure:
The nodes represent collection operators, while edges simply connect operands to operators.
Here, "All Media" is a reference to the whole media library, and we use a Match operator to only keep media for which the artist has a name starting with "A" (1). We then take the union (3) of this and the content of the "Rock 90's" saved collection (2). The result is passed as an operand to a Party Shuffle operator (4), which we save under the name "Interesting" (5).
When the user plays the "Interesting" playlist, songs are popped from the list as soon as they are finished, and new songs matching the operand collection (3) are automatically enqueued, so that the list always contains at least 20 items. This is specified by the "size" attribute of the Party Shuffle. Of course, the user can also edit the playlist and add tracks to it manually.
This is only one example of collections among many. As you can see, the modular structure of collections allows virtually unlimited possibilities. As such, they have been tightly integrated both on the server and in the client API.
On the server, a dedicated module is responsible for handling collection features. When a collection is queried, it serializes the structure into an SQL query, runs it in the media library and returns the matching media, either as a list of media ids or hashes containing the requested media properties. When a collection is saved on the server, it is added to the collection DAG and kept in memory while the server is running. On shutdown, the whole DAG is serialized into the database. Note that playlists are nothing but collections, albeit restricted to list operators and saved into a dedicated namespace.
In the client API, collections introduced many important changes. First, executing raw SQL queries has been deprecated; all queries are now to be performed using collections. Collection data structures can be built either using a set of dedicated functions, or by calling the collection parser on a string given by the user. Finally, many XMMS2 methods have been extended to support collections (e.g. to enqueue media) and new methods allow clients to query, save and retrieve collections from the server.
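To make the structure concrete, here is an added example written for this write-up (it is not XMMS2's server code): a miniature collection DAG with the four operator flavors described above, a serializer that turns the DAG into a parameterized SQL predicate in the spirit of the server-side module, and a refill step standing in for the Party Shuffle's "size" behaviour. It models the sample structure from the figure: media by artists whose name starts with "A", taken as the union with a saved "Rock 90's" collection. Everything else is an assumption: the flat `media` table (SQLite, in memory), the six constructed rows, the property names, and the attribute names `field`, `value`, `ids` and `name`. The detail worth noticing, given that raw SQL queries from clients are now deprecated: every user-supplied value travels as a bound parameter, property names are checked against a whitelist before they are spliced into the SQL text, and the match operator's `*`/`?` wildcards are translated with LIKE's own `%` and `_` escaped, so a client building a collection cannot smuggle SQL into the query the server runs.

```python
import random
import sqlite3
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample library (not XMMS2's real schema): one flat table of media properties.
SAMPLE_MEDIA = [
    (1, "Abba", "Dancing Queen", 1976, "Pop"),
    (2, "Aerosmith", "Crazy", 1993, "Rock"),
    (3, "Kraftwerk", "Autobahn", 1974, "Electronic"),
    (4, "Nirvana", "Lithium", 1991, "Rock"),
    (5, "Radiohead", "Creep", 1993, "Rock"),
    (6, "Kraftwerk", "The Model", 1978, None),  # no genre: exercises the "has" operator
]
# Property names a client may filter on; only these ever become part of the SQL text.
ALLOWED_PROPERTIES = {"id", "artist", "title", "year", "genre"}

@dataclass
class Coll:
    """One node of the collection DAG: an operator, its operand collections and its attributes."""
    op: str
    operands: List["Coll"] = field(default_factory=list)
    attrs: Dict[str, object] = field(default_factory=dict)

SAVED: Dict[str, Coll] = {}  # stand-in for the server's namespace of saved collections

def like_pattern(value: str) -> str:
    """Translate the match operator's wildcards (* and ?) to LIKE, escaping LIKE's own metacharacters."""
    table = {"%": "\\%", "_": "\\_", "\\": "\\\\", "*": "%", "?": "_"}
    return "".join(table.get(ch, ch) for ch in value)

def to_sql(c: Coll) -> Tuple[str, list]:
    """Serialize a DAG into a WHERE predicate plus bound parameters; user values never enter the SQL text."""
    if c.op == "universe":  # reference to "All Media"
        return "1=1", []
    if c.op == "reference":  # reference to a saved collection, resolved recursively
        return to_sql(SAVED[c.attrs["name"]])
    if c.op == "idlist":  # static list operator (a playlist)
        ids = [int(i) for i in c.attrs.get("ids", [])]
        return ("id IN (%s)" % ",".join("?" * len(ids)), ids) if ids else ("0=1", [])
    if c.op in ("union", "intersection"):
        parts = [to_sql(o) for o in c.operands]
        if not parts:
            return ("0=1" if c.op == "union" else "1=1"), []
        glue = " OR " if c.op == "union" else " AND "
        return "(" + glue.join(p[0] for p in parts) + ")", [v for p in parts for v in p[1]]
    if c.op == "complement":
        sql, params = to_sql(c.operands[0])
        return "NOT (" + sql + ")", params
    # Filter operators: one condition on one property, applied to the operand (default: all media).
    col = str(c.attrs.get("field"))
    if col not in ALLOWED_PROPERTIES:
        raise ValueError(f"unknown media property: {col!r}")
    value = c.attrs.get("value")
    conds = {
        "has": (f"{col} IS NOT NULL", []),
        "equals": (f"{col} = ?", [value]),
        "match": (f"{col} LIKE ? ESCAPE '\\'", [like_pattern(str(value))]),
        "larger": (f"{col} > ?", [value]),
        "smaller": (f"{col} < ?", [value]),
    }
    if c.op not in conds:
        raise ValueError(f"unknown operator: {c.op!r}")
    cond, params = conds[c.op]
    if c.operands:
        inner, inner_params = to_sql(c.operands[0])
        return f"({inner} AND {cond})", inner_params + params
    return cond, params

def open_sample_library() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (id INTEGER PRIMARY KEY, artist TEXT, title TEXT, year INTEGER, genre TEXT)")
    conn.executemany("INSERT INTO media VALUES (?,?,?,?,?)", SAMPLE_MEDIA)
    return conn

def query(conn: sqlite3.Connection, c: Coll) -> List[int]:
    """Run a collection against the library and return the ids of the matching media."""
    where, params = to_sql(c)
    return [row[0] for row in conn.execute(f"SELECT id FROM media WHERE {where} ORDER BY id", params)]

def party_shuffle_refill(playlist: List[int], source: List[int], size: int, seed: int = 0) -> List[int]:
    """Top a Party Shuffle list up to `size` entries with random media from its operand set."""
    pool = [i for i in source if i not in playlist]
    random.Random(seed).shuffle(pool)
    return playlist + pool[:max(0, size - len(playlist))]

def interesting_example(conn: sqlite3.Connection) -> List[int]:
    """The article's sample DAG: (artist A*) union (saved "Rock 90's"), the operand fed to the Party Shuffle."""
    SAVED["Rock 90's"] = Coll("intersection", [
        Coll("equals", attrs={"field": "genre", "value": "Rock"}),
        Coll("larger", attrs={"field": "year", "value": 1989}),
        Coll("smaller", attrs={"field": "year", "value": 2000}),
    ])
    starts_with_a = Coll("match", [Coll("universe")], attrs={"field": "artist", "value": "A*"})
    return query(conn, Coll("union", [starts_with_a, Coll("reference", attrs={"name": "Rock 90's"})]))

if __name__ == "__main__":
    print(interesting_example(open_sample_library()))  # → [1, 2, 4, 5]
```

Run as a script it prints the id set of the "Interesting" operand; `party_shuffle_refill` then tops a list up from that set, which is the job the server does when played songs are popped from a Party Shuffle. A value such as `A' OR '1'='1` given to the match operator is bound as a literal pattern and matches nothing, and a property name outside the whitelist is rejected before any SQL is built.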
If you want to learn more about the concept of collections, please have a look at the collections concept page on the XMMS2 wiki. For more details about the implementation, check the collections design page and the API documentation.
Adoption and future directions
Several XMMS2 clients have started offering features based on collections, including Abraca (GTK2 client) and gntxmms2 (console client). Other clients have ported search and browsing to the collections API: Esperanza (Qt4 client), gxmms2 (GTK2 client) and the official command-line interface.
Hopefully, client developers will start exploring new directions now that collections are in the main release. The XMMS2 CLI client has already been scheduled for a full rewrite.
Several improvements are also expected to address current limitations of the collections implementation. One limitation is that all collections are treated equally as media sets; if a filter is applied on a playlist, the order and duplicate items will be lost. A smarter internal distinction between lists and sets inside the DAG is in the works. An ordering collection operator could then be introduced to transform a set into an ordered list, as well as an operator to select subsequences of such lists, similarly to the SQL LIMIT operation. They could be used to create a collection containing the "list of the 20 most recently added media". The SQL query generator could also be further optimized, unless we decide to replace the database backend completely.
Collections have just made it into the official XMMS2 distribution, but people already use them through features like search, Party Shuffle or groups of songs saved in the media library. They are a powerful toy for developing new features in the clients and hopefully helping users organize and use their music library.
It's an exciting time to come up with fresh ideas in the XMMS2 world, and I hope the rest of the developers in the music player community will take the time to reflect on and discuss all these questions earnestly!
System Applications
Database Software
PostgreSQL Weekly News
The June 10, 2007 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Agile Database Refactoring with Hibernate (O'Reilly)
Gilad Buzi, Kelley Glenn and Jonathan Novich discuss the process of changing data models on O'Reilly. "In this article, we will show readers how to upgrade their faulty schemas and data models without affecting existing applications or processes. By using the latest technology from Hibernate (version 3.0 and up)--along with a combination of database views, stored procedures, and standard design patterns--application developers and data architects can repair a faulty data model, one piece at a time."
Device Drivers
LIRC 0.8.2 announced
Version 0.8.2 of LIRC, the Linux Infrared Remote Control interface, is out with support for more IR remotes and other changes.
Mail Software
Apache SpamAssassin 3.1.9 released
Version 3.1.9 of Apache SpamAssassin has been announced. "This is a maintenance and security release of the 3.1.x branch. It is highly recommended that people upgrade to this version from 3.0.x or 3.1.x."
Apache SpamAssassin 3.2.1 released
Version 3.2.1 of Apache SpamAssassin has been announced. "This is a maintenance and security release of the 3.2.x branch. It is highly recommended that people upgrade to this version from 3.2.0."
Mailfromd 4.1 announced
Stable version 4.1 of Mailfromd is out. "Mailfromd is a general-purpose mail filtering daemon for Sendmail and Postfix. It is able to filter both incoming and outgoing messages using criteria of arbitrary complexity, supplied by the administrator in the form of a script file. The program interfaces with Sendmail using Milter protocol. Mailfromd provides the following basic features: flexible programming language for writing filter scripts, sender address verification, SPF, DNSBL, greylisting and whitelisting, controlling mail sending rate."
Networking Tools
PacketViz 0.5.0 released
Version 0.5.0 of PacketViz, a Java-based network graphing tool, has been released. "PacketViz is a general packet or interaction graphing tool that can be used in a variety of applications including: Cache coherency "protocol flow diagrams", Networking packet diagrams and Dynamic software interaction diagrams".
Miscellaneous
announcing Allmydata-Tahoe v0.3
Version 0.3 of Allmydata-Tahoe is out. "We are pleased to announce the release of version 0.3.0 of Allmydata-Tahoe, a secure, decentralized storage grid under a free-software licence. This is the follow-up to v0.2 which was released May 2, 2007"
Desktop Applications
Audio Applications
AlsaPlayer 0.99.80-rc1 and FftScope 1.0.5 announced
Version 0.99.80-rc1 of AlsaPlayer and Version 1.0.5 of FftScope have been announced. "The main added feature in those 2 packages is a new GTK2 interface."
AudioMove 1.15 released
Version 1.15 of AudioMove is available. "AudioMove is a simple, easy to use GUI-based batch audio file copy-and-conversion program. You just tell it what files to convert, what format to convert them to, and where to put the output files, and it does it."
Jokosher 0.9 arrives
Version 0.9 of Jokosher has been released. "Jokosher is a simple yet powerful multi-track studio. With it you can create and record music, podcasts and more, all from an integrated simple environment."
Traverso 0.40.0 Released
Version 0.40.0 of Traverso is out with a number of new capabilities. "Traverso is a cross platform multitrack audio recording and editing suite with a clean and innovative interface targeted for home and professional use."
Desktop Environments
GARNOME 2.19.3 announced
Version 2.19.3 of GARNOME, the bleeding-edge GNOME distribution, is out. "We are particularly proud of all the hacking and smoke-testing that has been going on during the past couple days. New tarballs have been built and tested by various GARNOMEies as fast as we could update SVN. Once again, this early testing revealed a number of serious issues with some of the GNOME applications, a bunch of bug reports were filed, resulting in new, fixed tarballs being rolled as quickly as possible -- before the official release deadline. Our contribution to make even unstable development releases a somewhat sane place to live. Thank you, #garnome!"
GNOME 2.19.3 released
Version 2.19.3 of the GNOME desktop environment has been announced. "This is our third development release on our road towards GNOME 2.20.0, which will be released in September 2007. New features are still arriving, so your mission is simple: Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Appomattox 0.2 (new features and bug fixes)
- Banter 0.1.6 (new features and bug fixes)
- Banter 0.1.7 (new features and bug fixes)
- Conduit 0.3.1 (new features and bug fixes)
- Empathy 0.7 (new features, bug fixes and translation work)
- Gimmie 0.2.7 (new features, bug fixes and translation work)
- GLib 2.14 and GTK+ 2.12 (for GNOME 2.20)
- GNOME Commander 1.2.4 (new features, bug fixes and translation work)
- gnome-games 2.18.2.1 (bug fixes)
- Gnome-Voice-Control 0.1 (initial release)
- gpaint 0.3.1 (new features, bug fixes and translation work)
- GStreamer Inspector 0.1 (initial release)
- GTK+ 2.10.13 (bug fixes and translation work)
- Hotwire 0.556 (new features and bug fixes)
- metacity 2.19.13 (new features)
- Swfdec 0.4.5 (bug fixes)
KDE Commit-Digest (KDE.News)
The June 10, 2007 edition of the KDE Commit-Digest has been announced. The content summary says: "Umbrello gets a code generator for the D programming language. Further work in Plasma. Initial work to allow the Dolphin file view component to be embedded into Konqueror. More work in the KOrganizer Calendar and KRDC Summer of Code projects, with the start of the Icon Cache, TextTool Plugins in KOffice and Kopete Messenger update projects. Start of a Solid interface in Amarok, with breakthroughs in support for the Jamendo music service. KDevelop begins to be ported to the KDevPlatform structure..."
HIG Hunting Season: Icons (KDE.News)
KDE.News looks at getting icons ready for KDE 4. "The great work of the Oxygen icon artists is a much discussed and anticipated part of KDE 4. The new icons now follow the freedesktop.org naming specification which makes it easier to share icons between applications of several desktop environments. In the HIG hunt this week, we will check that this work lives up to its full potential by looking for missing icons and wrong uses. Read on for more details."
KDE Software Announcements
The following new KDE software has been announced this week:
- ALDM 0.1 Beta 1 (unstable testing release)
- Amarok remote control 1.0 (unspecified)
- eciKontrol 0.3 (new features and bug fixes)
- improved offline web browsing 3.5.7-r3 (new features and bug fixes)
- K Menu Gnome 0.6.5 (distribution updates)
- KBlogger 0.7-beta1 (new feature and bug fixes)
- kdebluetooth 1.0 Beta 3 (support for BlueZ D-BUS API)
- KDesktop transparency support 0.1 (initial release)
- kdesvn 0.12.1 (bug fixes)
- Keith neuse 0.1 (initial release)
- Kexi 1.1.3 (new features)
- Kipi 0.1.4-beta1 (new features and bug fixes)
- Kompile 0.3 beta 3 (new features, bug fixes and translation work)
- KSniffer 0.3 alpha2 (new features and bug fixes)
- KTorrent 2.2rc1 (new features and bug fixes)
- Manslide 1.5.9 (new feature and bug fixes)
- TaskJuggler 2.4.0_beta2 (new features, bug fixes and performance improvements)
- YAPG 0.1 Beta 1 (unstable testing release)
GUI Packages
What's coming in GTK+ 2.12
Matthias Clasen has sent out a series of emails describing changes coming to GTK+ 2.12. "I thought it might be a good idea to anticipate the release announcement for GTK+ 2.12 by writing a series of mails about some of the new features that will appear in the next stable release. I hope that this inspires some people to play with the new stuff, so that we can - find api holes and problems before they get frozen in the stable release - get some feedback on the quality (or lack thereof) of the api docs - inspire people to write examples or gtk-demo additions that show new stuff".
Multimedia
Sofa 0.2.2 released
Version 0.2.2 of the Sofa Media Center, an audio and video media player for GNOME, has been announced: "Another bug fix release, this one should correct all compilation errors users have been having. It contains some clean ups in the code but with no new features. Still, it should be more stable."
Music Applications
Csound 5.06 released
Version 5.06 of Csound, a computer music system, is out. "As part of our continuing plans Csound 5.06 was released on Wednesday 6 June 2007. Apart from the usual bug fixes and bug introductions there are a number of new opcodes, and a significant progress in merging CsoundAV functionality into the Sourceforge tree."
Office Suites
KOffice 1.6.3 released (KDE.News)
KDE.News has announced the release of the KOffice 1.6.3 office suite. "The KOffice team today released the third minor release of the 1.6 series. As the development focus has shifted to the next major release, this new version was aimed at polishing and fixing bugs. With this new version, three new languages are added to the list of translations: Bulgarian, Low Saxon and Nepali."
OpenOffice.org release 2.2.1
Release 2.2.1 of the OpenOffice.org office suite is out. "This is a minor bug fix release - full details of the changes may be found in the Release Notes".
Science
Kalkulon 3.0.0 released
Stable version 3.0.0 of Kalkulon has been announced. "Kalkulon is a platform-independent scientific expression calculator. It has a C-like expression syntax and its own small programming language. The GUI version is written for Qt 4.2 (or later) and supports nice syntax coloring even for single digits in larger numbers. The console version supports the readline library."
Video Applications
Gnash 0.8.0 released
Gnash 0.8.0 is out; this one has been designated the third alpha Gnash release. Improvements include support for YouTube videos, a number of virtual machine upgrades, a simple Flash debugger, and more. "Gnash supports the majority of Flash opcodes up to SWF version 7, and a wide sampling of ActionScript classes for SWF version 8.5. All the core ones are implemented, and many of the newer ones work, but may be missing some of their methods."
Miscellaneous
Soothsayer revision 56 released
Revision 56 of Soothsayer has been announced. "Soothsayer is an intelligent predictive text entry platform. Soothsayer exploits redundant information embedded in natural languages to generate predictions. Soothsayer's modular and pluggable architecture allows its language model to be extended and customized to utilize statistical, syntactic, and semantic information sources."
Languages and Tools
Caml
Caml Weekly News
The June 12, 2007 edition of the Caml Weekly News is out with new Caml language articles.
Perl
Better Code Through Destruction (O'Reilly)
Igor Gariev discusses Perl garbage collection on O'Reilly. "Larry Wall said that Perl makes easy things easy and hard things possible. Perl is good both for writing a two-line script that saves the world at the last minute (well, at least it saves you and your project) and for robust projects. However, good Perl programming techniques can be quite different between small and complex applications. Consider, for example, Perl's garbage collector. It frees a programmer from memory management issues most of the time...until the programmer creates circular references."
Python
Python-URL! - weekly Python news and links
The June 11, 2007 edition of the Python-URL! is online with a new collection of Python article links.
Shells
Hotwire 0.556 released
Stable version 0.556 of Hotwire is available. "Hotwire is intended to replace the interactive command execution portion of a typical Unix shell. It includes much of the functionality found in the combination of a terminal emulator, a shell, and core utilities like ls and grep. Most of the commands are named the same, and do basically the same thing. Where it makes sense, Hotwire improves the commands to have better defaults and makes things nicer by using the mouse, and so on."
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The June 12, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
XML
XQuery, the Server Language (O'Reilly)
Kurt Cagle looks at XQuery on O'Reilly. "In February 2007, the XQuery specification became a formal W3C Recommendation, after nearly six years of development. As a language, XQuery can best be thought of as a way to turn the integrated language used to retrieve sets of nodes from an XML document, XPath, into a standalone language. To do so, XQuery adds a number of features--command and control structures (such as for expressions), the ability to create intermediate data variables (the let keyword), conditional handling (if/then/else), and the like to the XPath 2.0 language. Perhaps more significantly, however, XQuery also adds the ability to create modules consisting of collections of XQuery functions, and provides a way to subscribe to external functions within their own respective namespaces."
Libraries
Cairo release 1.4.8 now available
Version 1.4.8 of the Cairo 2D graphics library is out. "This release includes a thread-safe surface-cache for solid patterns which significantly improves text rendering with the xlib backend. Also, dozens of error paths in cairo have been fixed thanks to extensive fault-injection testing by Chris Wilson."
CLAM 1.1 released
Version 1.1 of CLAM, a C++ library for audio and music, is out. "After very intense development months since the last 1.0 release, the CLAM crew is glad to announce that CLAM 1.1 is ready to download. It comes with many new features and code clean up. Most important improvements are found in the Visual Prototyping front: new 3D-looking widgets, new data viewers and control surface; and a simplified way to bind controls between the user interface and the processing network."
Miscellaneous
GNU tar 1.17 released
Version 1.17 of GNU tar is out with several bug fixes and a new feature. See the release announcement for details.
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Jonathan Schwartz replies to Linus regarding ZFS and GPLv3
Sun's Jonathan Schwartz has replied to the Linus posting we highlighted yesterday. "Did the Linux community hurt Sun? No, not a bit. It was the companies that leveraged their work. I draw a very sharp distinction - even if our competition is conveniently reckless. They like to paint the battle as Sun vs. the community, and it's not. Companies compete, communities simply fracture."
Bringing free software down to earth (Economist)
The Economist has run an article about Mark Shuttleworth and Ubuntu. "But Mr Shuttleworth is most excited about free software's potential to open up the third dimension in the display and navigation of information. 'In the space station there was no sensation of up or down,' he recalls. 'Yet if it was even slightly obvious which direction Earth was, everyone would point their feet in that direction. Our brain cannot reconfigure itself in a rational way. So we should exploit the irrationality to be productive.'"
Linux phone standards group to publish specifications (Ars Technica)
Ars Technica covers an announcement from the Linux Phone Standards Forum (LiPS). "LiPS aims to create a cohesive assortment of application programming interfaces (APIs) for mobile Linux development in order to increase interoperability between various Linux-based mobile platforms and simplify third-party mobile Linux application development. The first set of specifications, which will soon be available from the LiPS web site, describe systems for contact management, user interface services, and voice call handling. The rest of the LiPS 1.0 specification elements, which relate to functionality like messaging, presence, and calendaring, will be released before the end of the year."
Trade Shows and Conferences
File system, power and instrumentation: Can Linux close its technical gaps? (LinuxWorld)
Don Marti provides a nice overview of the state of the Linux Kernel in advance of the Linux Foundation's Collaboration Summit June 13-15. He quotes extensively from Andrew Morton and Linus Torvalds about parts of the kernel which need improvement. "In an e-mail message, project founder Linus Torvalds says he agrees that the file system and power management need to work. The latter, he says, is part of a bigger problem with device drivers that basically work but don't implement advanced features. But, Torvalds says, the simple instrumentation Linux already has is enough to deal with real-world performance issues."
Companies
New Firm Eager to Slap Patents on Security Patches (eWeek)
eWeek has posted an article about Intellectual Weapons, a company with an innovative new business model. "Take heart, underappreciated, unremunerated vassals, for a new firm is offering to work with you on a vulnerability patch that they will then patent and go to court to defend. You'll split the profits with the firm, Intellectual Weapons, if they manage to sell the patch to the vendor. The firm may also try to patent any adaptations to an intrusion detection system or any other third-party software aimed at dealing with the vulnerability, so rest assured, there are many parties from which to potentially squeeze payoff."
Xandros CEO doesn't agree that Linux is patent violator (LinuxWorld)
Xandros CEO Andreas Typaldos discusses their Microsoft deal in this article at LinuxWorld. "'We did not discuss patents [with Microsoft] and we don't think Linux violates any patents and we were not asked about it,' Typaldos said. 'It is a non-issue for us.'"
What the Microsoft/Xandros deal means for Linux (Linux-Watch)
Linux-Watch has quotes from various people regarding the MS/Xandros deal. "Now that the deal is in place, the question is, "What to make of it?" We do know that the partnership has not drawn even a tenth of the criticism that the Novell/Microsoft patent partnership drew. Nonetheless, some other Linux vendors have little good to say about the new Xandros partnership."
Linux Adoption
FNB switches 12000 desktops to Linux (Tectonic)
Tectonic covers a large scale Linux deployment in South Africa. "Following recent reports of a South African bank eyeing out Linux, Novell South Africa today issued a statement in which it said it had reached an agreement with First National Bank of South Africa to standardise the bank's 12 000 desktops in its 680 retail branches on Novell's Linux product. With 12 000 desktops switching to Linux this is very likely the most significant Linux and open source implementation in South Africa to date."
Legal
Peer to Patent Project Begins June 15 (Groklaw)
Groklaw has a reminder about the Peer to Patent project starting next week. "It's historic, in that it's never been tried before, letting the public provide the USPTO examiners with a helping hand. The goal is to find ways to block stupid patents at the applications input level, so they don't get approved, issue, and subsequently hurt people and companies. I think of it as bug spray to kill off stupid patents before they can multiply."
Interviews
Interview with Brian Aker (LinuxWorld)
LinuxWorld interviews MySQL architect Brian Aker on a wide range of issues, from storage engines to open source economics. "In our view today, BitKeeper is still the strongest player and much stronger than actually three contenders right now which are Bazaar-NG, Mercurial and Git. And Git's only recent. And they're not quite there just yet. And it's interesting to see who can outinnovate who first. Can Larry and BitKeeper keep outinnovating the open source guys, or will the open source guys pass him up. And it's interesting to watch. But I think it's making all the different products in that market better in the end, because they all have to compete with one another."
A temporary network on a budget (LinuxWorld)
LinuxWorld talks with Stu Sheldon, the Tech Committee chair for Southern California Linux Expo (SCALE). "With SCALE, the design criteria are simple: provide stable and balanced Internet access for both exhibitors and guests. That sounds easy doesn't it? Oh, one other thing -- I needed to make it so I could pick the entire network up and rearrange it every year. This has been my task since the very first SCALE. I officially took over the Tech Committee chair position shortly after SCALE 1, and now host and maintain the three SCALE public servers year-round in my colocation facility in Thousand Oaks, Calif."
Resources
full circle magazine - #1 released!
Ubuntu has a new community-produced magazine that used Scribus, OpenOffice.org and GIMP to create a 42 page first issue. Click below for their announcement which includes the table of contents.
Anatomy of the Linux kernel (IBM developerWorks)
IBM developerWorks covers kernel history and architecture. "Over time, the Linux kernel has become efficient in terms of both memory and CPU usage, as well as extremely stable. But the most interesting aspect of Linux, given its size and complexity, is its portability. Linux can be compiled to run on a huge number of processors and platforms with different architectural constraints and needs. One example is the ability for Linux to run on a processor with a memory management unit (MMU), as well as those that provide no MMU. The uClinux port of the Linux kernel provides for non-MMU support."
OpenWRT 101 (O'ReillyNet)
O'ReillyNet looks at choosing, building, installing and using Linux-based firmware for wireless routers. "There are currently three major active branches of the OpenWRT platform: OpenWRT, FreeWRT, and DD-WRT. OpenWRT is the original code base, which focuses on a minimal embedded Linux platform with a number of modules to add various functionalities. FreeWRT is a direct outgrowth of OpenWRT and focuses on providing an advanced platform for experienced developers. DD-WRT started with Sveasoft Alchemy but switched over to a WRT kernel to make use of commodity access points from companies like Linksys and Netgear as opposed to high-end APs."
A guide to using PDFs on GNU/Linux (Linux Journal)
Linux Journal surveys PDF support. "Although GNU/Linux has long supported postscript format, full support for the related PDF file format has been longer in arriving. Today, however, PDF support is finally starting to equal what is available on other operating systems. Whether you are printing, editing, or viewing PDF files, you now have the choice of a variety of applications on both the command line and the desktops."
Turn Vim into a bash IDE (Linux.com)
Linux.com covers the Bash Support plugin for Vim. "The Bash Support plugin works in the Vim GUI (gVim) and text mode Vim. It's a little easier to use in the GUI, and Bash Support doesn't implement most of its menu functions in Vim's text mode, so you might want to stick with gVim when scripting."
Reviews
Kazehakase brings innovation to the browser (Linux.com)
Linux.com examines the Kazehakase browser. "This gradual introduction of complexity seems ideal for learning Kazehakase without being overwhelmed the way some users are by the full set of choices in most mainstream browsers. For new or basic users, it also eliminates a clutter of choices in which they have no interest. Even Kazehakase's Expert level UI is less busy than Firefox's, but it nicely highlights the browser's innovations."
Nixstaller and the inconvenience of do-it-yourself (Linux.com)
Linux.com looks at Nixstaller. "Nixstaller 0.2.2 is a command-line tool for creating graphical installers for archived files on Unix-like systems. If that sounds paradoxical, it is. Although Nixstaller is easy enough to learn that you can produce your first installer within half an hour of installing it, much of the process is sufficiently painstaking that it cries out for the automation usually associated with a graphical interface."
Desktop publishing with OpenOffice.org (Linux.com)
Linux.com takes a look at using Draw and Writer from OpenOffice.org for desktop publishing tasks. "So why are the desktop publishing capabilities of OpenOffice.org not better known? I believe that it is mostly a matter of people seeing what they expect to see. When hearing of a program called Writer, most people naturally assume that it is just another word processor. In the same way, Draw is automatically assumed to be another graphics program. It takes time and experience to know just how far Writer and Draw can stretch, and apparently the six years or so in which OpenOffice.org has been available isn't enough for more than a handful of users to know their full potential."
Revisor utility creates custom install images for Fedora (Linux.com)
Linux.com reviews Revisor. "With Revisor running as the front end in Fedora 7, and the image building tools running in the background, it is now easy to build an install image exactly the way you want it. Using Revisor, you can choose exactly what software to include -- for example, you could build an image that installed only Xfce, and omitted GNOME and KDE. You could build a minimal install for an old machine, or for one with multiple distros and versions on which you wanted to save space. For security purposes, you could build an install in which you handpick each package. Or you could specify a custom repository or build custom images that fit on different-sized USB drives. An image built with Revisor may also be a less cumbersome way to do duplicate installs than using Kickstart. The possibilities are wide open."
Ubuntu's mobile and embedded project advances (Linux-Watch)
Linux-Watch takes a look at the updated Ubuntu Mobile and Embedded (UME) project's architecture roadmap. "Following two months of planning, Canonical Ltd. has updated the Ubuntu Mobile and Embedded (UME) project's architecture roadmap. UME aims to create a version of the popular Ubuntu desktop Linux OS tailored to the requirements of Intel-based "mobile Internet devices" (MIDs), expected in 2008."
WengoPhone 2.1 gives Linux users a solid softphone (Linux.com)
Linux.com looks at the WengoPhone. "The OpenWengo project recently released version 2.1 of its WengoPhone VoIP softphone. It's a big step forward for Linux users. Wengo -- the commercial PSTN-routing SIP provider that is the open source project's parent company -- focused on its Windows builds and essentially skipped over Linux during the 2.0 release cycle. OpenWengo's Linux developers were never satisfied with the stability of the 2.0-series release candidates, so they never incremented the Linux version number to 2.0."
Miscellaneous
LinuxChix coordinator resigns amidst controversy (Linux.com)
Linux.com reports that Mary Gardiner has resigned as LinuxChix coordinator. "Gardiner told Linux.com that she did not feel pressured into a resignation, but that it was the best thing for her and for the group. She said she will be stepping back from an active volunteer role but will remain a member. 'My involvement for the foreseeable future will be limited to handover help as needed and continued activity in AussieChix. I haven't ruled out more active involvement again sometime in the future.'"
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Mandriva signs the AFUL petition
Mandriva has announced that it has signed the AFUL petition against the sale of bundled software. "Nowadays, when you buy a new computer, several pieces of software are already pre-installed, be it the operating system, antivirus software or burning software. It is almost impossible for consumers to know the selling price, contracts and conditions of use of these applications and, if they wish to, to refuse to purchase them. On average, the price of this software constitutes between 10% and 25% of the purchase price of the computer - that is to say from 100 to 300 Euro. Although the French Consumer Code forbids tied sale of goods (the computer hardware) and services (software licenses), the situation continues and deprives consumers of real freedom of choice."
Commercial announcements
Fluffy Spider Technologies partners with Technical Solutions
Fluffy Spider Technologies (FST) and Technical Solutions (Techsol) have announced an international joint research, development, and marketing alliance. "The FST and Techsol alliance enables developers of products such as smart phones, TV set-top boxes, point-of-service terminals, in-car systems and building automation devices to outsource innovative hardware design and manufacture, with further cost reductions, and benefit from the embedded software platform that allows them to dramatically enhance the user experience."
Gaia Flash Framework released
Steven Sacks has announced the release of the Gaia Flash Framework. "Technology author Steven Sacks today announced the free public release of his Gaia Flash Framework(R). Gaia is an open-source framework that provides powerful solutions for building Flash websites to designers and developers of all skill levels. Gaia dramatically reduces development time and is the first tool to feature a scaffolding engine for Flash."
Intuit's QuickBooks Enterprise Solutions Embraces Linux
The press release is thin on technical details and there is no mention of client-side Linux support, but Intuit is, perhaps for the first time, actually admitting that Linux shops exist. It appears they are offering a way to store the database for their mid-range QuickBooks on Linux servers. "The offering will enable the tens of thousands of growing companies that are passionate about using open source environments to take advantage of Intuit's award-winning mid-market system while maintaining the increased security, manageability and lower total cost of ownership of Linux. The decision to extend the offering beyond Windows, made at the QuickBooks Enterprise Solutions User Conference, is part of Intuit's effort to continue to meet the needs of more complex businesses."
Another day another Microsoft patent deal
Microsoft has announced that it has signed a patent agreement with LG Electronics. "The specific financial terms of the agreement are confidential, but the parties are disclosing that Microsoft will be making a net balancing payment to LGE and MicroConnect for patents related to operating systems and computer systems. LGE will be making ongoing payments to Microsoft for the value of Microsoft patents as they relate to Linux-based embedded devices that LGE produces."
Microsoft hires a Director of Linux Interoperability
As announced on Microsoft's 'PORT 25' weblog, Tom Hanrahan, formerly the Director of Engineering for the Linux Foundation, has joined the company. His title is most likely new to Microsoft org charts. "Tom will join as the Director of Linux Interoperability, and will head our Linux/Windows interoperability work, including leadership of the Microsoft/Novell Interoperability Lab. This development lab will undertake much of the engineering work involved in the multi-year technical partnership. Among other things, Tom has much to teach us on 'developing in the open' -- how to work in a transparent way with a broad engineering community."
OpenLogic Partners with Aegif
OpenLogic, Inc. has announced a partnership with Aegif. "Aegif employs experienced consultants who offer strategic advice and solutions on content and document management -- and has a wide variety of clients including the largest companies in Japan. As a part of today's agreement, Aegif will use OpenLogic to provide and support the open source software needed to run major open source ECM products, as well as other open source packages. The underlying software stacks needed to run ECM open source products in Japan are often different than in the U.S. and require localized support."
PrismTech uses Gumstix for Software Defined Radio
PrismTech has announced a Software Defined Radio Solution that uses the Gumstix miniature computer. "PrismTech, an acknowledged leader in the provision of high performance middleware and tools, today announced the availability of its Spectra™ Operating Environment (OE) on the Gumstix™ family of small form factor computers. This technology breakthrough delivers the first complete COTS Software Communications Architecture (SCA) software defined radio (SDR) solution on the world's smallest full-function computer, offering significant cost, size, weight and power (SWaP) benefits for SDR developers."
Qt Jambi 4.3 released
Version 4.3 of Qt Jambi, a rich client Java development framework with a dual license, has been announced by Trolltech. "With an intuitive, easy to learn API and integrated development tools for User Interface (UI) design and internationalization, Qt Jambi enables rapid development of advanced rich-client applications."
Zenoss Releases New Version of Open Source IT Management Product
Zenoss Inc. has released the next major version of Zenoss Core, version 2.0. "The new version of Zenoss Core, an integrated IT management software solution, allows IT administrators to track the configuration and health of their entire IT environment. Zenoss Core is the first commercial open source IT management solution to include a configuration management database (CMDB), and adds several other features that deliver on the company's mission of simplifying enterprise IT management."
New Books
Ubuntu for Non-Geeks, 2nd Ed, New from No Starch
No Starch Press has published the book Ubuntu for Non-Geeks, 2nd Edition by Rickford Grant.
Resources
Comparing ODF and OOXML
Sam Hiser has put up a detailed comparison of the OpenDocument and Microsoft OOXML document formats. "ODF is the only format unencumbered by intellectual property rights (IPR) restrictions on its use in other software, as certified by the Software Freedom Law Center. Conversely, many elements designed into the OOXML formats but left undefined in the OOXML specification require behaviors upon document files that only Microsoft Office applications can provide. This makes data inaccessible and breaks work group productivity whenever alternative software is used."
Calls for Presentations
StorageSS deadline extended to June 15
The 3rd International Workshop on Storage Security and Survivability (StorageSS) paper submission deadline has been extended to June 15.
Upcoming Events
aKademy keynote speakers announced (KDE.News)
KDE.News has announced the keynote speakers for aKademy 2007. "The opening talk will be from Lars Knoll of Trolltech who will tell us about their plans for Qt 4.4 and their relationship with KDE. Mark Shuttleworth of Canonical will be talking on the 10 Challenges to Open Source. On Sunday, Dan Kohn of The Linux Foundation will talk on the state of Linux Standardisation on the Desktop. Continuing the week the Edu and Schools Day will be opened by Sulamita Garcia with a talk on Intel's Classmate PC."
CIFS Engineering Workshop in Mountain View, California
A CIFS Engineering Workshop will be held in Mountain View, California on September 26-28, 2007. "This event is intended for engineers working on any CIFS products and services, not just products based on the Samba codebase. We welcome engineers from any implementers of the CIFS and SMB2 protocols, or from people shipping products based on these protocols, or people with a deep interest in advancing the standardization of these protocols."
Invitation to EBU Seminar
A European Broadcasting Union international training seminar will take place in Geneva, Switzerland on October 1-2, 2007. "Want to learn if Free and Open Source Software provides relevant alternatives for your TV & Radio production and delivery platforms? This seminar is designed for you. The seminar will be your guide through the specifics of FOSS and address key issues such as licensing, costs & support."
Registration is Open - Flash Memory Summit 2007
Online registration is open for the second annual Flash Memory Summit taking place in Santa Clara, California, August 7 - 9, 2007.
Events: June 21, 2007 to August 20, 2007
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location |
---|---|---|
June 17 - June 23 | Debian Developer Conference | Edinburgh, Scotland |
June 17 - June 22 | 2007 USENIX Annual Technical Conference | Santa Clara, USA |
June 20 - June 22 | IT Underground | Dublin, Ireland |
June 23 | Mozilla Developer Day | Paris, France |
June 25 - June 27 | SOA World Conference and Expo 2007 | New York, NY, USA |
June 27 - June 30 | 2007 Linux Symposium | Ottawa, Canada |
June 27 - June 29 | Summer School of Sound | Lancaster, UK |
June 29 | NLUUG event theme innovation Enschede | Enschede, the Netherlands |
June 30 - July 7 | Akademy 2007 | Glasgow, Scotland |
July 2 - July 6 | Learning Programming with PHP | Redditch, Worcestershire, UK |
July 6 | II WHYFLOSS CONFERENCE MADRID | Madrid, Spain |
July 7 | Italian PostgreSQL Day | Prato, Tuscany, Italy |
July 7 - July 8 | LugRadio Live 2007 | Wolverhampton, United Kingdom |
July 9 - July 11 | EuroPython 2007 | Vilnius, Lithuania |
July 9 - July 13 | PostgreSQL 8.2 Bootcamp at the Big Nerd Ranch | Atlanta, USA |
July 10 - July 11 | The Linux Foundation Japan Symposium | Tokyo, Japan |
July 12 - July 13 | IV GUADEC-ES | Granada, Spain |
July 12 - July 13 | DIMVA 2007 | Lucerne, Switzerland |
July 14 | UK Gentoo Meeting 2007 | London, UK |
July 15 - July 21 | GNOME Users' And Developers' European Conference | Birmingham, England |
July 18 - July 20 | GCC and GNU Toolchain Developers' Summit | Ottawa, Canada |
July 22 - July 24 | Ubuntu Live | Portland, OR, USA |
July 23 - July 27 | O'Reilly Open Source Convention | Portland, OR, USA |
July 23 - July 27 | Asterisk Bootcamp with Jared Smith at Big Nerd Ranch | Atlanta, USA |
July 23 - July 25 | Open Group Enterprise Architecture Practitioners Conference | Austin, TX, USA |
July 24 - July 27 | Ninth course on the Exim mail transfer agent | Cambridge, UK |
July 28 - August 2 | Black Hat USA 2007 | Las Vegas, NV, USA |
July 30 - August 3 | Ruby on Rails Bootcamp at the Big Nerd Ranch | Atlanta, USA |
August 3 - August 5 | Wikimania 2007 (Annual Wikimedia conference) | Taipei, Taiwan |
August 3 - August 5 | DefCon 15 | Las Vegas, NV, USA |
August 4 - August 7 | LinuxWorld Conference & Expo | San Francisco, CA, USA |
August 6 - August 10 | 16th USENIX Security Symposium | Boston, MA, USA |
August 6 - August 9 | LinuxWorld Conference and Expo | San Francisco, CA, USA |
August 7 - August 9 | Flash Memory Summit 2007 | Santa Clara, CA, USA |
August 7 - August 11 | 7as Jornadas Regionales de Software Libre | Córdoba, Argentina |
August 8 - August 12 | Chaos Communication Camp | Finow airport, Germany |
August 10 | August Penguin 2007 | Tel Aviv, Israel |
August 11 | Picn*x XVI - The Linux 16th Anniversary Picnic | Sunnyvale, CA, USA |
August 11 - August 15 | Virtual FudCon8 | Online, IRC |
August 14 - August 18 | Scientific Tools for Python | Pasadena, CA, USA |
August 19 | Open Source Health Informatics Working Group | Brisbane, Australia |
If your event does not appear here, please tell us about it.
Web sites
GNOME Blogs upgraded to WordPress MU
The GNOME Blogs site has been moved to WordPress MU, and numerous site improvements have been added.
Page editor: Forrest Cook