
LWN.net Weekly Edition for December 13, 2007

The Grumpy Editor's video journey, part 1

By Jonathan Corbet
December 12, 2007

Part of the LWN Grumpy Editor series
Your editor has never been a big fan of video cameras. They have a very strong observer effect - they distort the social dynamics of events where they are present. It is also sad to see vacationers who, on the rare occasions when they get out, capture their every step on video; even when they leave the house, they watch their lives on television. So your editor has a strong preference for old-style, organic video memory.

The fact of the matter, however, is that your editor does not always get the final vote, especially in any area related to the raising of children. So your editor's household contains two video cameras - one ancient, one less so - and a set of tapes with no end of priceless memories. Alcohol may have dimmed the experience of some of those early musical performances and such, but video tapes are forever.

Except, of course, that they are not. In particular, the older camera, being the only device in the house which can play those old 8mm analog tapes, is starting to make some very strange noises. The kind of noises which generally come just before an extended session dedicated to the extrication of a terminally crinkled tape which has just been firmly wrapped around and embedded within a surprising amount of severely-jammed helical scan hardware. The spouse and the grandparents have all let it be known that this is not an acceptable course of events, so your editor has been tasked with saving all of this legacy data.

One could, of course, go to a local merchant who, for an amount of money obtainable via an hour or two of consulting work, would transfer this data safely to some sort of optical digital media, where it would be guaranteed to survive for at least a few months. Or one could spend an order of magnitude more time figuring out how to do the work on a Linux system without the intervention of said merchant. Needless to say, your editor never thought twice - something which explains a number of difficult situations in which he has found himself over the years.

This article is the first of (probably) three which describe your editor's odyssey through the hazards of video processing on Linux. The topic this time around is the capture of video data - how does one get imagery from a video tape onto a disk drive? The second segment will look at video editing, turning a disk full of home movies into something moderately more professional in appearance. Then the final installment will go into DVD authoring, otherwise known as the process of getting all that old footage into the hands (and players) of the grandparents.

The older camera is an analog-only device, necessitating the use of some sort of analog-to-digital conversion on the way into the computer. As it happens, your editor is in possession of a Hauppauge WinTV PVR-250 card which, one would think, is ideally suited to this task. Hauppauge is known for working with the free software community, with the effect that its hardware is well supported by the IVTV driver which, after a long development process, was merged into the 2.6.22 kernel. So, one would think, grabbing the data from this device should be easy. And it is, though it took your editor some time to figure out how.

As it turns out, there are very few video capture applications for Linux. And there is nothing which is really aimed at people trying to bring in data from analog cameras. One could use a PVR system like MythTV or Freevo for this purpose, but they are not really intended for this use case. Your editor, who has been through the process of setting up MythTV in the past, chose not to take this approach.

One possible candidate was dvgrab, a tool which is part of the Kino project. This tool, however, is intended for use with FireWire-attached video cameras - we will see how well it works in that mode shortly. There is also a -v4l2 option which claims to capture via Video4Linux2, seemingly ideal for this purpose. Alas, dvgrab is written to use the V4L2 streaming mode, and, amazingly, the IVTV driver does not support that mode. So dvgrab refuses to work with the Hauppauge devices. A look at the code suggests that convincing it to use the V4L2 read/write mode should not be too hard, but that was beyond the scope of your editor's ambitions at this time.

As an aside, this sort of glitch seems to be a common problem with the Video4Linux2 API. V4L2 is well suited to letting applications drive video hardware to the very fullest extent of its capabilities, but that flexibility comes at the cost of forcing quite a bit of complexity onto the application side. A truly flexible V4L2 application must be prepared to cope with a wide variety of hardware and to operate in very different ways depending on what it finds. Most application developers do not make that effort, with the result that incompatibilities between applications and specific video devices are distressingly common. The V4L2 API is, in some ways, similar to the approach taken by X11, with some similar results: there was a long period where many applications performed badly when the display was not running in an 8-bit pseudocolor mode. X11 has worked out in the end; hopefully the same will happen with V4L2.

Another possibility was mencoder, a tool which is packaged with mplayer. Your editor does not doubt that mencoder is capable of acquiring a video stream from this device, converting it into any format one could imagine, and, while it's at it, changing the camera angle and improving the musical talents of the children being filmed. But anybody who has read the mplayer/mencoder man page knows that it is a masterpiece of its kind - a work written to a length that less verbose authors (Neal Stephenson, say) could only dream about - though Stephenson does do a better job of keeping the plot moving.

The length of the manual reflects the complexity of the tool. A typical mencoder command seems to run to about four terminal lines - and that's for a relatively wide terminal. An example from the mencoder documentation reads like this:

    mencoder -oac lavc -ovc lavc -of mpeg -mpegopts format=xsvcd \
             -vf scale=480:480,harddup -srate 44100 -af lavcresample=44100 \
             -lavcopts vcodec=mpeg2video:mbd=2:keyint=18:vrc_buf_size=917:vrc_minrate=600:vbitrate=2500:vrc_maxrate=2500:acodec=mp2:abitrate=224 \
             -ofps 30000/1001 -o movie.mpg movie.avi

The end result is that nobody who has not developed significant expertise in video technology, codecs, formats, and more will be able to create one of these commands. Mencoder is a highly capable tool, but approaching it for a task like this is reminiscent of trying to get to the corner store starting with a build-your-own-automobile kit. There are just too many pieces (incomprehensible pieces at that) to put together.

Then, there is transcode. The man page for this utility formats up to a good 50 pages, so it is not the simplest tool either. This problem space, it would appear, forces the creation of complex interfaces. Transcode has a V4L2 input module, which should do the trick, but, like the dvgrab version, it requires streaming I/O capability. So transcode, too, fails to work for this purpose; your editor is starting to think that it might be time to hack a bit on the IVTV driver.

Another candidate was cinelerra - a video editing tool which we will see again in future installments. Your editor tried cinelerra on a few different platforms, using both binary distributions and building from source. Suffice to say that building cinelerra from source is not something to attempt when one is short on time or short on temper. Cinelerra has a record mode, but it requires the V4L2 streaming capability. Of course, it does not bother to check whether that feature is available or not, with the result that attempts to record video yield only silent blackness. Cinelerra is a vastly powerful editing tool, but it was not usable for this task.

So how did your editor finally succeed in getting the analog video data to disk? The first step was to locate the highly-useful v4l2-ctl application which, seemingly, is only available from the V4L-DVB code repository. This tool provides command-line access to the extensive set of V4L2 ioctl() calls, enabling detailed configuration of the device. In particular, your editor made use of it to switch the device to its composite video input.

The second step, then, is decidedly low-tech:

    cp /dev/video priceless-video-data.mpg

The end result is a file containing just the video and audio data desired, in a form which, as it turns out, can be burned directly to DVD. There is no preview of incoming data, no computer-based camera control, no little flashing counters. But it works.

The current state of the art for video camcorders is to provide digital data via an IEEE 1394 (FireWire) port. When one has this sort of device, life is rather easier - though it seems that there really is only one game in town. That game is kino - a video editing tool - and its associated dvgrab tool. Either tool will work for capture from a digital video device. They can control the camera, split the incoming data into scenes, and generally make the process painless. Technology does actually get better sometimes. Kino and dvgrab will only store data in the DV format, necessitating a transcoding operation before writing DVDs, but that is a minor difficulty.

Your editor has learned a few things from this process. One is that the IVTV driver needs some work. But the real lesson is that working with video data under Linux involves dealing with a level of complexity that is far beyond what most people have any desire to understand. And this complexity hits hardest at the very front end: trying to get video data onto the system and into a workable format. Your editor suspects that most people who run into this wall quickly give up and buy a proprietary system for this kind of work. In other words, there's a whole world full of creative people doing interesting things with video, and Linux, despite having many of the basic capabilities these people need, is not an option for them.

Meanwhile, your editor has a disk full of video imagery - and a healthy appreciation for just how nice the storage explosion of the last few years has been. Now it's just a matter of bashing all of that data into a useful form for grandparental distribution - a process which looks like it might just take a bit of time. Stay tuned for your editor's video editing experience, due to appear on these pages within the next few weeks.


Specifying codecs for the web

By Jake Edge
December 12, 2007

Audio and video content are increasingly important components of the World Wide Web, which some of us remember, initially, as a text-only experience. Users of free software need not be told that the multimedia aspect of the net can be hard to access without recourse to proprietary tools. So the decisions which are made regarding multimedia support in the next version of the HTML specification are of more than passing interest. A current dispute over the recommended codecs for HTML5 shows just how hard maintaining an interoperable web may be.

In particular, several big players have complained about the inclusion of Ogg Vorbis and Theora into the standard, causing a predictable uproar in the free software community. To many, it looks like a classic free-versus-proprietary standards showdown. In truth, the issue is not clear cut; there are nuances that are difficult to turn into a banner headline. The heart of the problem is patents, but, unexpectedly, it is the Ogg codecs that are claimed to be at risk.

Nokia fired a very public shot at the Ogg family with a position paper [PDF], calling it "proprietary". It is unclear what Nokia hoped to gain with this statement, other than inflaming the community, as Ogg Vorbis and Theora are clearly open codecs, with free reference implementations – just the opposite of proprietary. In addition, unlike most (or all) other codecs, a patent search was done to look for relevant patents for Vorbis and Theora, with the Xiph.Org Foundation claiming that none could be found. Some contend that an exhaustive patent search is essentially impossible, but most codecs (MP3, H.264, etc.) are known to be patent-encumbered, which would seem to make them a poor choice for HTML5.

Ogg, Vorbis, and Theora

Ogg is a container format that can contain multiple chunks of data, typically multimedia data. Ogg is designed so that it can be processed as it is received, rather than having it all available at once, to facilitate streaming. Vorbis is a codec (short for coder-decoder) that encodes audio data at various bitrates. Vorbis is a lossy, compressed format that saves space at the expense of perfect reproduction, much like MPEG-1 Audio Layer 3 aka MP3. Theora is a codec for video data, also lossy, akin to MPEG-4. An Ogg file could contain a mixture of Theora and Vorbis data to handle the video and audio of a particular work, but it is not in any way tied to those formats. An Ogg file could instead contain MP3 and MPEG-4 data or data from any other codec.

The draft of an HTML5 specification under construction by the Web Hypertext Application Working Group (WHATWG) contained, up until this week, a recommendation for the Ogg codecs. Ogg was not required, only listed as something that SHOULD (i.e. not MUST) be implemented by conforming browsers. That recommendation was dropped from the draft this week, replaced with the following:

It would be helpful for interoperability if all browsers could support the same codecs. However, there are no known codecs that satisfy all the current players: we need a codec that is known to not require per-unit or per-distributor licensing, that is compatible with the open source development model, that is of sufficient quality as to be usable, and that is not an additional submarine patent risk for large companies. This is an ongoing issue and this section will be updated once more information is available.

Some of the big browser makers, notably Microsoft and Apple, have said that they will not support Ogg Theora – Vorbis is less of an issue – out of a concern for patents, particularly submarine patents. Ian Hickson, WHATWG spokesperson, points to the Eolas and MP3 patent attacks against Microsoft (with damages in excess of a billion dollars) as examples of what the large, deep-pocketed companies are concerned about. If there is a patent covering (or appearing to cover) any of the techniques used in Theora, it is the large companies that are going to be on the hook.

Some in the community believe this move is part of a proprietary lock-in play:

Vorbis provides the perfect escape for proprietary audio prisons. Apple and Nokia are having problems with consumers and authors actually waking up and using free, non-patent-encumbered, widely available, unrestricted, non-proprietary technology. Since Vorbis directly threatens their ability to sell traps, they are extorting your compliance with threats of not supporting the HTML5 spec.

There may be some truth to that, but there are some legitimate problems with Theora as well. The technical complaints tend to compare it to H.264 (the most popular MPEG-4 codec), but that is something of a red herring. Neither the WHATWG nor the World Wide Web Consortium (W3C) is going to allow a technology known to be licensed only on a royalty basis into HTML5. W3C, which will eventually make the final decision on what goes into HTML5, has a policy of requiring technology to be licensed in a royalty-free (RF) mode before it can be approved for inclusion into a standard.

All members of a particular W3C working group are required to disclose patents they believe to be relevant and to provide them to implementors on an RF basis. There may be relevant patent holders who are not members of the working group, thus not subject to that requirement, but if they have enforced their patent on a particular technology, the W3C will try to find an alternative. There may also be patent trolls waiting for someone with deep pockets to implement something covered by a patent they hold – this is the submarine patent threat.

Apple, Nokia, Microsoft and others have already implemented (and licensed) MPEG-4, so there would be no additional risk to them if that were used as the baseline video codec for the web. Using Theora as an alternative is seen by the larger players as a huge increase in their risk, with no benefit to their customers because there is, for all intents and purposes, no Theora content out there. For free software and smaller companies, the situation is clearly quite different.

The lack of Theora-encoded content is the crux of the matter. There might be lots of whining, but big companies would be forced by their customers to support Theora, patent suit risk or no, if there were interesting content available in only that form. This has led to a call for more Theora content:

Do compelling demos. Release video in Theora format. It may be easy to use a service that provides video for you in exchange for giving them certain rights but if you want your format to succeed, then increased usage is the way.

The WHATWG folks seem to have the needs of free software firmly in mind; certainly the W3C RF policy makes it abundantly clear that a proprietary solution will not be required, or even recommended, for HTML5. The participants on the mailing list, and Hickson, in particular, have been very patient with the onslaught of flamers screaming about the change. The whole HTML5 effort is centered around interoperability for the web, so any technology that will not be implemented by Microsoft and Apple runs directly counter to that goal. WHATWG seems to be between the proverbial rock and hard place.

Several potential solutions are being considered. Possibilities include leaving a video codec recommendation out of HTML5 – not a particularly interoperable solution – or finding a codec that is old enough that any patents covering it must have expired. Another alternative would be to get some other current codec (MPEG-4 for instance) licensed on an RF basis. This issue will undoubtedly be discussed at the W3C Video on the Web Workshop currently being held in San Jose and Brussels. Stay tuned.


FOSS.in: A conference in transition

December 11, 2007

This article was contributed by Biju Chacko

In the last few years FOSS.in has established itself as one of the largest open source conferences in Asia. This year the organizers re-orientated the conference to address what they see as the Indian open source community's biggest challenge. LWN dropped by the conference to see the changes and get an impression of the results.

FOSS.in was started in 2001 under the name "Linux Bangalore" in the centre of India's software industry. At that time it was difficult to get information about free software in India -- internet access was still not widespread, the software industry was focused on proprietary tools and the publishing industry had not picked up on FOSS yet. Linux Bangalore addressed an untapped market for FOSS education and was an unqualified success from the start.

LB, as it was known, was focused on encouraging the use of free software in India. The content was a mix of tutorials, howtos and advocacy. The conference retained a user orientation for many years -- the only significant developer activity was from the Indian localization community.

By 2005 FOSS had hit the mainstream. The Linux Bangalore organizers began to feel that it needed a greater raison d'être than advocacy and popularization. Despite changing its name to FOSS.in to reflect a larger scope, the danger remained that the conference would soon be lost among a host of other sources of open source information.

It was then that the FOSS.in team, led by Atul Chitnis, turned its attention to another problem. The Indian free and open source community had long worried that its level of participation in the open source process was very low in relation to its size. There were very few visible Indian hackers -- India was beginning to develop a reputation of being a nation of FOSS consumers that did not contribute back. This was especially alarming because many sections of the local software industry had wholly moved to free software. The embedded software industry, for example, had discarded proprietary alternatives in favor of Linux. So there was a large base of qualified developers who did not seem to be getting involved.

After a favorable response to the developer-oriented tracks in FOSS.in/2005 and 2006, the FOSS.in team decided to refocus the event on encouraging FOSS contributions. The key, they decided, was exposure and communication. They felt that if Indian developers had an opportunity to meet and interact with active contributors they'd be inspired to do more themselves. To this end, they made a number of changes to the format. They added 'Project Days' -- day-long tracks on a specific FOSS project. They reduced the usually hectic pace of the conference by reducing the number of talks. This gave the audience more time to talk to speakers between talks. The more leisurely pace encouraged lots of interesting conversations in the corridors. Other facilities -- a "hack centre" containing machines, tents outside the venue and a lounge area -- provided space for corridor conversations and post-talk discussions to develop further.

The results were mixed. Attendance took a major hit. Previous editions averaged about 3000 attendees; this year attendance dropped by over half to about 1200. It was, however, a far more clued-in crowd which did not plague speakers with off-topic questions. There were some complaints that some talks were pitched at a far more basic level than was needed.

The Project Days seemed to have more participation than was originally expected. There were tracks on Debian, Mozilla, Gnome, OpenSolaris, Fedora, KDE, OpenOffice and the IndLinux project. In contrast, energy levels at the main conference seemed muted. This was partly due to the smaller crowds. However, in the opinion of this correspondent, this was partly due to scheduling and content. The tone of a conference is set early on. The conference would have been better served by an initial keynote that was flamboyant and inspiring rather than the low-key technical talk by the decidedly non-flamboyant Naba Kumar (the Anjuta lead).

The insistence on purely technical talks provided context and guidance to potential contributors but may have failed to communicate the motivation: fun and high ideals. I think it's fair to say that the most effective recruitment tool was when the always entertaining Rusty Russell made a hapless member of the audience create a kernel patch onstage and mail it to LKML.

The success of FOSS.in/2007 may not be measurable. It may be years before the Indian FOSS community is proportional in size to the Indian software industry. There are probably many other factors that will affect this outcome. But the transition of FOSS.in to a true hacker conference can only help this to happen.


Page editor: Jonathan Corbet

Security

On entropy and randomness

By Jake Edge
December 12, 2007

Linux random number generation (RNG) is often a source of confusion to developers, but it is also an integral part of the security of the system. It provides random data to generate cryptographic keys, TCP sequence numbers, and the like, so both unpredictability and very strong random numbers are required. When someone notices a flaw, or a possible flaw, in the RNG, kernel hackers take notice.

Recurring universally unique identifiers (UUIDs), as reported by the smolt hardware profiler client program, had some worried about problems in the kernel RNG. As it turns out, the problem exists in the interaction between Fedora 8 LiveCD installations and smolt – essentially the UUID came from the CD – but it sparked a discussion leading to some possible improvements. Along the way, some common misconceptions about the kernel RNG were cleared up.

The kernel gathers information from external sources to provide input to its entropy pool. This pool contains bits that have extremely strong random properties, so long as unpredictable events (inter-keypress timings, mouse movements, disk interrupts, etc.) are sampled. It provides direct access to this pool via the /dev/random device. Reading from that device will provide the strongest random numbers that Linux can offer, but doing so depletes the entropy pool. When the entropy pool runs low, reads from /dev/random block until there is sufficient entropy.

The alternative interface, the one that nearly all programs should use, is /dev/urandom. Reading from that device will not block. If sufficient entropy is available, it will provide random numbers just as strong as those from /dev/random; if not, it uses the SHA cryptographic hash algorithm to generate very strong random numbers. Developers often overestimate how strong their random numbers need to be; they also overestimate how easy "breaking" /dev/urandom would be, which leads to programs that, unnecessarily, read /dev/random. Ted Ts'o, who wrote the kernel RNG, puts it this way:

Past a certain point /dev/urandom will start returning results which are cryptographically random. At that point, you are depending on the strength of the SHA hash algorithm, and actually being able to not just to find hash collisions, but being able to trivially find all or most possible pre-images for a particular SHA hash algorithm. If that were to happen, it's highly likely that all digital signatures and openssh would be totally broken.

There is still a bit of a hole in all of this: how does a freshly installed system, which has so far had little or no user interaction, get its initial entropy? When Alan Cox and Mike McGrath started describing the smolt problem, the immediate reaction was to look closely at how the entropy pool was being initialized. While that turned out not to be the problem, it did lead Matt Mackall, maintainer of the kernel RNG, to start thinking about better pool initialization. Various ideas about mixing in data specific to the host, like MAC address and PCI device characteristics, were discussed.

As Ts'o points out, that will help prevent things like UUID collisions, but it doesn't solve the problem of predictability of the random numbers that will be generated by these systems.

In order to do that we really do need to improve the amount of hardware entropy we can mix into the system. This is a hard problem, but as more people are relying on these facilities, it's something we need to think about quite a bit more!

Linux provides random numbers suitable for nearly any purpose via /dev/urandom. For the truly paranoid, there is also /dev/random, but developers would do well to forget that device exists for everything but the most critical needs. If one is generating a large key pair, to use for the next century, using some data from /dev/random is probably right. Anything with lower requirements should seriously consider /dev/urandom.
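As an added illustration (not code from the article or the kernel), the C program below follows the advice above: it takes key material from /dev/urandom with a read loop that copes with short and interrupted reads, makes one non-blocking read of /dev/random to show whether that device would block, and reports the kernel's entropy estimate. The function names and buffer sizes are choices made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_CLOEXEC
#define O_CLOEXEC 0   /* older headers: fall back to no close-on-exec flag */
#endif

/* Fill buf with len bytes from /dev/urandom; this never waits for entropy.
 * Returns 0 on success, -1 on failure (the buffer must then be discarded). */
int urandom_fill(void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);

    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        if (n <= 0) {               /* real error or unexpected EOF */
            close(fd);
            return -1;
        }
        p += n;                     /* short read: ask for the rest */
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* One non-blocking read attempt on /dev/random.
 * Returns the bytes obtained, 0 if the read would have blocked waiting
 * for entropy, or -1 on any other error. */
ssize_t random_try_read(void *buf, size_t len)
{
    int fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    ssize_t n;
    int saved;

    if (fd < 0)
        return -1;
    n = read(fd, buf, len);
    saved = errno;
    close(fd);
    if (n < 0 && (saved == EAGAIN || saved == EWOULDBLOCK))
        return 0;
    return n;
}

/* Kernel's current entropy estimate in bits, or -1 if it cannot be read. */
long entropy_avail(void)
{
    long bits = -1;
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");

    if (!f)
        return -1;
    if (fscanf(f, "%ld", &bits) != 1)
        bits = -1;
    fclose(f);
    return bits;
}

int main(void)
{
    unsigned char key_a[32], key_b[32], probe[16];

    if (urandom_fill(key_a, sizeof key_a) != 0 ||
        urandom_fill(key_b, sizeof key_b) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    printf("entropy estimate: %ld bits\n", entropy_avail());
    printf("/dev/random non-blocking read: %zd of %zu bytes\n",
           random_try_read(probe, sizeof probe), sizeof probe);
    printf("two 32-byte /dev/urandom keys differ: %s\n",
           memcmp(key_a, key_b, sizeof key_a) != 0 ? "yes" : "no");
    return 0;
}
```

On kernels much newer than the one discussed here, the /dev/random probe normally returns the full request, because that device no longer blocks once the pool has been initialized.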


New vulnerabilities

autofs: insecure default configuration

Package(s): autofs
CVE #(s): CVE-2007-5964
Created: December 12, 2007
Updated: January 14, 2008
Description: Versions of the autofs automounter daemon as shipped by Red Hat (and possibly other distributors) are installed with an insecure configuration; in particular, the "hosts" map lacks the "nosuid" option, allowing an attacker who has control over an NFS server to run setuid programs on vulnerable systems.
Alerts:
Mandriva MDVSA-2008:009-1 autofs 2007-01-12
Mandriva MDVSA-2008:009 autofs 2007-01-11
Fedora FEDORA-2007-4707 autofs 2007-12-21
Fedora FEDORA-2007-4469 autofs 2007-12-15
Fedora FEDORA-2007-4532 autofs 2007-12-15
Red Hat RHSA-2007:1129-01 autofs5 2007-12-12
Fedora FEDORA-2007-4709 autofs 2007-12-21
Red Hat RHSA-2007:1128-01 autofs 2007-12-12


e2fsprogs: integer overflows

Package(s): e2fsprogs
CVE #(s): CVE-2007-5497
Created: December 7, 2007
Updated: February 12, 2008
Description: Rafal Wojtczuk of McAfee AVERT Research discovered that e2fsprogs, ext2 file system utilities and libraries, contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These could result in heap-based overflows potentially allowing the execution of arbitrary code.
Alerts:
Foresight FLEA-2008-0005-1 e2fsprogs 2008-02-11
Fedora FEDORA-2007-4447 e2fsprogs 2008-01-16
Fedora FEDORA-2007-4461 e2fsprogs 2008-01-16
Red Hat RHSA-2008:0003-01 e2fsprogs 2008-01-07
Gentoo 200712-13 e2fsprogs 2007-12-18
rPath rPSA-2007-0262-1 e2fsprogs 2007-12-11
Debian DSA-1422 e2fsprogs 2007-12-07
Mandriva MDKSA-2007:242 e2fsprogs 2007-12-10
Ubuntu USN-555-1 e2fsprogs 2007-12-08


emacs: buffer overflow

Package(s): emacs
CVE #(s): CVE-2007-6109
Created: December 10, 2007
Updated: May 6, 2008
Description:

From the National Vulnerability Database:

Buffer overflow in emacs allows attackers to have an unknown impact, as demonstrated via a vector involving the command line.

Alerts:
Ubuntu USN-607-1 emacs21, emacs22 2008-05-06
SuSE SUSE-SR:2008:003 java, nss_ldap, cairo, geronimo, moodle, SDL_image, python, mysql, nx, xemacs 2008-02-07
Mandriva MDVSA-2008:034 emacs 2007-02-04
Gentoo 200712-03 emacs 2007-12-09


emul-linux-x86-qtlibs: arbitrary code execution

Package(s): emul-linux-x86-qtlibs
CVE #(s):
Created: December 10, 2007
Updated: December 12, 2007
Description:

From the Gentoo advisory:

An attacker could trigger one of the vulnerabilities by causing a Qt application to parse specially crafted text or Unicode strings, which may lead to the execution of arbitrary code with the privileges of the user running the application.

Alerts:
Gentoo 200712-08 emul-linux-x86-qtlibs 2007-12-09


firebird: arbitrary code execution

Package(s): firebird
CVE #(s): CVE-2007-4992 CVE-2007-5246
Created: December 10, 2007
Updated: December 12, 2007
Description:

From the Gentoo advisory:

Adriano Lima and Ramon de Carvalho Valle reported that functions isc_attach_database() and isc_create_database() do not perform proper boundary checking when processing their input.

A remote attacker could send specially crafted requests to the Firebird server on TCP port 3050, possibly resulting in the execution of arbitrary code with the privileges of the user running Firebird (usually firebird).

Alerts:
Gentoo 200712-06 firebird 2007-12-09


heimdal: insufficient memory allocation

Package(s): heimdal
CVE #(s): CVE-2007-5939
Created: December 7, 2007
Updated: December 12, 2007
Description: The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect.
Alerts:
Mandriva MDKSA-2007:239 heimdal 2007-12-06


libnfsidmap: possible privilege escalation

Package(s): libnfsidmap
CVE #(s): CVE-2007-4135
Created: December 7, 2007
Updated: December 12, 2007
Description: The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.
Alerts:
Mandriva MDKSA-2007:240 libnfsidmap 2007-12-07
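
The bug class described in this entry, shown as an added C example (an illustration, not the libnfsidmap source): getpwnam_r() returns 0 with a NULL result when the name is simply unknown, so a caller that checks only the return code keeps whatever uid it started with. The function names, the lookup name, the initial uid of 0 and the 65534 fallback for "nobody" are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L    /* for getpwnam_r() */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define NOBODY_UID ((uid_t)65534)  /* assumption: conventional uid of "nobody" */

/* Flawed pattern: the return code is treated as the whole answer.
 * An unknown name gives err == 0 and result == NULL, so this reports
 * success while *uid still holds its initial value. */
int name_to_uid_unchecked(const char *name, uid_t *uid)
{
    struct passwd pw, *result = NULL;
    char buf[16384];
    int err = getpwnam_r(name, &pw, buf, sizeof buf, &result);

    if (err == 0 && result != NULL)
        *uid = result->pw_uid;
    return -err;                    /* BUG: "no such user" also returns 0 */
}

/* Corrected pattern: failure, "not found" and success are kept apart. */
int name_to_uid_checked(const char *name, uid_t *uid)
{
    struct passwd pw, *result = NULL;
    char buf[16384];
    int err = getpwnam_r(name, &pw, buf, sizeof buf, &result);

    if (err != 0)
        return -err;                /* the lookup itself failed */
    if (result == NULL)
        return -ENOENT;             /* no such user: say so explicitly */
    *uid = result->pw_uid;
    return 0;
}

/* Caller in the style of an ID mapper: any lookup failure maps to nobody. */
uid_t owner_for(const char *name, int (*lookup)(const char *, uid_t *))
{
    uid_t uid = 0;                  /* 0 is root: a dangerous starting value */

    if (lookup(name, &uid) != 0)
        return NOBODY_UID;
    return uid;
}

int main(void)
{
    /* Constructed name that is assumed not to exist on the client. */
    const char *name = "no-such-user-lwn-example";

    printf("unchecked lookup: uid %lu\n",
           (unsigned long)owner_for(name, name_to_uid_unchecked));
    printf("checked lookup:   uid %lu\n",
           (unsigned long)owner_for(name, name_to_uid_checked));
    return 0;
}
```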


MySQL: privilege escalation

Package(s): MySQL
CVE #(s): CVE-2007-3781 CVE-2007-5969
Created: December 11, 2007
Updated: May 21, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Red Hat RHSA-2008:0364-01 mysql 2008-05-21
Gentoo 200804-04 mysql 2008-04-06
SuSE SUSE-SR:2008:003 java, nss_ldap, cairo, geronimo, moodle, SDL_image, python, mysql, nx, xemacs 2008-02-07
rPath rPSA-2008-0018-1 mysql 2008-01-17
Debian DSA-1451-1 mysql-dfsg-5.0 2008-01-06
Ubuntu USN-559-1 mysql-dfsg-5.0 2007-12-21
Red Hat RHSA-2007:1157-01 mysql 2007-12-19
Fedora FEDORA-2007-4471 mysql 2007-12-15
Fedora FEDORA-2007-4465 mysql 2007-12-15
Red Hat RHSA-2007:1155-01 mysql 2007-12-18
Mandriva MDKSA-2007:243 MySQL 2007-12-10

Comments (none posted)

nagios: cross-site scripting

Package(s):nagios CVE #(s):CVE-2007-5624
Created:December 7, 2007 Updated:September 14, 2009
Description: Cross-site scripting (XSS) vulnerability in Nagios 2.x before 2.10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts.
Alerts:
Debian DSA-1883-2 nagios2 2009-09-14
Debian DSA-1883-1 nagios2 2009-09-10
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Mandriva MDVSA-2008:067 nagios 2008-03-18
Fedora FEDORA-2007-4145 nagios 2007-12-06
Fedora FEDORA-2007-4123 nagios 2007-12-06

Comments (none posted)

phpMyAdmin: information disclosure

Package(s):phpMyAdmin CVE #(s):CVE-2007-0095
Created:December 11, 2007 Updated:September 25, 2008
Description: phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.
Alerts:
Fedora FEDORA-2008-8286 phpMyAdmin 2008-09-24
Fedora FEDORA-2008-8269 phpMyAdmin 2008-09-24
Fedora FEDORA-2008-6502 phpMyAdmin 2008-07-17
Fedora FEDORA-2008-6450 phpMyAdmin 2008-07-17
Fedora FEDORA-2008-2229 phpMyAdmin 2008-03-03
Fedora FEDORA-2008-2189 phpMyAdmin 2008-03-03
Fedora FEDORA-2007-4298 phpMyAdmin 2007-12-10
Fedora FEDORA-2007-4334 phpMyAdmin 2007-12-10

Comments (none posted)

ruby-gnome2: format string vulnerability

Package(s):ruby-gnome2 CVE #(s):CVE-2007-6183
Created:December 7, 2007 Updated:December 22, 2008
Description: A format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
Alerts:
Fedora FEDORA-2008-11551 ruby-gnome2 2008-12-21
Fedora FEDORA-2008-3249 ruby-gnome2 2008-04-22
Fedora FEDORA-2008-3283 ruby-gnome2 2008-04-22
Fedora FEDORA-2008-2682 ruby-gnome2 2008-03-26
Fedora FEDORA-2008-2662 ruby-gnome2 2008-03-26
Fedora FEDORA-2008-1535 ruby-gnome2 2008-02-13
Mandriva MDVSA-2008:033 ruby-gnome2 2007-02-01
Debian DSA-1431-1 ruby-gnome2 2007-12-11
Gentoo 200712-09 ruby-gtk2 2007-12-09
Fedora FEDORA-2007-4216 ruby-gnome2 2007-12-06
Fedora FEDORA-2007-4229 ruby-gnome2 2007-12-06

Comments (none posted)

samba: stack-based buffer overflow

Package(s):samba CVE #(s):CVE-2007-6015
Created:December 11, 2007 Updated:December 3, 2008
Description: A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server.
Alerts:
Fedora FEDORA-2008-10638 samba 2008-12-02
Ubuntu USN-556-1 samba 2007-12-18
SuSE SUSE-SA:2007:068 samba 2007-12-12
Mandriva MDKSA-2007:244 samba 2007-12-11
Red Hat RHSA-2007:1117-01 samba 2007-12-10
Red Hat RHSA-2007:1114-01 samba 2007-12-10
Slackware SSA:2007-344-01 samba 2007-12-11
Fedora FEDORA-2007-4275 samba 2007-12-10
Fedora FEDORA-2007-4269 samba 2007-12-10
Gentoo 200712-10 samba 2007-12-10
rPath rPSA-2007-0261-1 samba 2007-12-10
Debian DSA-1427-1 samba 2007-12-10

Comments (none posted)

xorg-x11-xfs: arbitrary code execution

Package(s):xorg-x11-xfs CVE #(s):
Created:December 10, 2007 Updated:December 12, 2007
Description:

From the xorg advisory:

Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters. Maliciously crafted requests can either cause two different problems with both requests:

* An integer overflow in the computation of the size of a dynamic buffer can lead to a heap overflow in the build_range() function.

* An arbitrary number of bytes on the heap can be swapped by the swap_char2b() function.

Alerts:
Fedora FEDORA-2007-763 xorg-x11-xfs 2007-12-07

Comments (none posted)

zabbix: privilege escalation

Package(s):zabbix CVE #(s):CVE-2007-6210
Created:December 6, 2007 Updated:December 12, 2007
Description: Bas van Schaik has found a privilege escalation in the agentd process of the Zabbix network monitor application. Agentd can be used to run user commands under the root account, leading to an escalation of privilege.
Alerts:
Debian DSA-1420-1 zabbix 2007-12-05
Fedora FEDORA-2007-4176 zabbix 2007-12-06
Fedora FEDORA-2007-4160 zabbix 2007-12-06

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.24-rc5, released by Linus on December 10. He says:

Things _have_ slowed down, although I'd obviously be lying if I said we've got all the regressions handled and under control. They are being worked on, and the list is shrinking, but at a guess, we're definitely not going to have a final 2.6.24 out before xmas unless santa puts some more elves to work on those regressions.

The list of fixes is still fairly long; there is also a significant FireWire stack update. The short-form changelog is included in Linus's announcement; see the long-format changelog for all the details.

A handful of patches have found their way into the mainline git repository since the -rc5 release.

Comments (none posted)

Kernel development news

Quotes of the week

While I don't want to jump to conclusions without looking at some profiles, I think the SLUB performance regression is indicative of the following fallacy: "SLAB can be done significantly simpler while keeping the same performance".

I couldn't point to any particular aspect of SLAB that I could characterise as "needless bloat".

-- Ingo Molnar

I suppose if the NSA had 20,000 2Ghz processors in the basement cranking for 10 years, then 50% of the time *after* they did a black bag job to crack the random pool state, they could get the last 80 bits generated from /dev/random, but it just seems that if you are assuming the power to grab the pool plus add_ptr, there would be much more useful things you could --- like for example having the black bag job trojaning the software to grab the private key directly.
-- Ted Ts'o

Nothing is beyond my skills. My mad k0der skillz are unbeatable.
-- Linus Torvalds

Comments (12 posted)

Simpler syslets

By Jonathan Corbet
December 10, 2007
Syslets are a proposed mechanism which would allow any system call to be invoked in an asynchronous manner; this technique promises a more comprehensive and simpler asynchronous I/O mechanism and much more - once all of the pesky little details can be worked out. A while back, Zach Brown let it be known that he had taken over the ongoing development of the syslets patch set; things have been relatively quiet since then. But Zach has just returned with a new syslets patch which shows where this idea is going.

This version of the patch removes much of the functionality seen in previous postings. The ability to load simple programs into the kernel for asynchronous execution is now gone, as is the "threadlet" mechanism for asynchronous execution of user-space functions. Instead, syslets have gone back to their roots: a mechanism for running a single system call without blocking.

As had been foreshadowed in other discussions, syslets now use the indirect() system call mechanism. An application wanting to perform an asynchronous system call fills in a syslet_args structure describing how the asynchronous execution is to be handled; the application then calls indirect() to make it happen. If the system call can run without blocking, indirect() simply returns with the final status. If blocking is required, the kernel will (as with previous versions of this patch) return to user space in a separate process while the original process waits for things to complete. Upon completion, the final status is stored in user-space memory and the application is notified in an interesting way.

The syslet_args structure looks like this:

    struct syslet_args {
        u64 completion_ring_ptr;
        u64 caller_data;
        struct syslet_frame frame;
    };

The completion_ring_ptr field contains a pointer to a circular buffer stored in user space. The head of the buffer is defined this way:

    struct syslet_ring {
        u32 kernel_head;
        u32 user_tail;
        u32 elements;
        u32 wait_group;
        struct syslet_completion comp[0];
    };

Here, kernel_head is the index of the next completion ring entry to be filled in by the kernel, and user_tail is the next entry to be consumed by the application. If the two are equal, the ring is empty. The elements field says how many entries can be stored in the ring; it must be a power of two. The kernel uses wait_group as a way of locating a wait queue internally when the application waits on syslet completion; your editor suspects that this part of the API may not survive into the final version.

Finally, the completion status values themselves live in the array of syslet_completion structures, which look like this:

    struct syslet_completion {
        u64 status;
        u64 caller_data;
    };

When a syslet completes, the final return code is stored in status, while the caller_data field is set with the value provided in the field by the same name in the syslet_args structure when the syslet was first started.

There is one field of syslet_args which has not been discussed yet: frame. The definition of this structure is architecture-dependent; for the x86 architecture it is:

    struct syslet_frame {
        u64 ip;
        u64 sp;
    };

These values are used when the syslet completes. After the kernel stores the completion status in the ring buffer, it will call the function whose address is stored in ip, using the stack pointer found in sp. This call serves as a sort of instant, asynchronous notification to the application that the syslet is done. It's worth noting that this call is performed in the original process - the one in which the syslet was executed - rather than in the new process used to return to user space when the syslet blocked. This function also has nothing to return to, so, after doing its job, it should simply exit.

So, to review, here is how a user-space application will use syslets to call a system call asynchronously:

  • The completion ring is established and initialized in user space.

  • A stack is allocated for the notification function, and the syslet_args structure is filled in with the relevant information.

  • A call is made to indirect() to get the syslet going.

  • If the system call of interest is able to complete without blocking, the return value is passed directly back to user space from indirect() and the call is complete.

  • Otherwise, once the system call blocks, execution switches to a new process which returns to user space. An ESYSLETPENDING error is returned in this case.

  • Once the system call completes, the kernel stores the return value in the completion ring and calls the notification function in the original process.

Should the application wish to stop and wait for any outstanding syslets to complete, it can make use of a new system call:

    int syslet_ring_wait(struct syslet_ring *ring, unsigned long user_idx);

Here, ring is the pointer to the completion ring, and user_idx is the value of the user_tail index as seen by the process. Providing the tail as an argument to syslet_ring_wait() prevents problems with race conditions which might come about if a syslet completes after the application has decided to wait. This call will return once there is at least one completion in the ring.
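The completion ring and the wait semantics described above, modelled in user space as an added example (not code from the syslets patch): kernel_complete() stands in for the kernel, and wait_would_sleep() models only the check for which syslet_ring_wait() needs its user_idx argument. The helper names, wrapped indices with one slot kept free, and the single-threaded setting (no memory barriers) are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Layouts from the article, written with user-space fixed-width types. */
struct syslet_completion {
    uint64_t status;
    uint64_t caller_data;
};

struct syslet_ring {
    uint32_t kernel_head;  /* next entry the kernel will fill */
    uint32_t user_tail;    /* next entry the application will consume */
    uint32_t elements;     /* capacity; must be a power of two */
    uint32_t wait_group;
    struct syslet_completion comp[];
};

/* Allocate an empty ring; NULL unless elements is a power of two >= 2. */
struct syslet_ring *ring_alloc(uint32_t elements)
{
    if (elements < 2 || (elements & (elements - 1)) != 0)
        return NULL;
    struct syslet_ring *r = calloc(1, sizeof(*r) +
                                   (size_t)elements * sizeof(r->comp[0]));
    if (r != NULL)
        r->elements = elements;
    return r;
}

/* Stand-in for the kernel storing one completion. The ring lives in
 * user-writable memory, so indices are masked rather than trusted.
 * Returns false when the ring is full (one slot stays free so that
 * head == tail can only mean "empty"). */
bool kernel_complete(struct syslet_ring *r, uint64_t status, uint64_t data)
{
    uint32_t mask = r->elements - 1;
    uint32_t head = r->kernel_head & mask;
    uint32_t next = (head + 1) & mask;

    if (next == (r->user_tail & mask))
        return false;
    r->comp[head].status = status;
    r->comp[head].caller_data = data;
    r->kernel_head = next;
    return true;
}

/* Application side: consume one completion, or report an empty ring. */
bool ring_pop(struct syslet_ring *r, struct syslet_completion *out)
{
    uint32_t mask = r->elements - 1;
    uint32_t tail = r->user_tail & mask;

    if ((r->kernel_head & mask) == tail)
        return false;
    *out = r->comp[tail];
    r->user_tail = (tail + 1) & mask;
    return true;
}

/* The decision the wait call has to make: sleep only if the ring is still
 * empty at the tail index the caller observed. A completion that arrived
 * after the caller looked moves kernel_head, so the wait returns at once. */
bool wait_would_sleep(const struct syslet_ring *r, uint32_t user_idx)
{
    uint32_t mask = r->elements - 1;
    return (r->kernel_head & mask) == (user_idx & mask);
}

int main(void)
{
    struct syslet_ring *r = ring_alloc(4);
    struct syslet_completion c;
    if (r == NULL)
        return 1;

    uint32_t seen = r->user_tail;           /* app sees an empty ring ...    */
    kernel_complete(r, 42, 0xabc);          /* ... syslet finishes meanwhile */
    printf("sleep after late completion? %s\n",
           wait_would_sleep(r, seen) ? "yes" : "no");
    if (ring_pop(r, &c))
        printf("status=%llu caller_data=%#llx\n",
               (unsigned long long)c.status,
               (unsigned long long)c.caller_data);
    free(r);
    return 0;
}
```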

The real purpose of this set of patches is to try to nail down the user-space API for syslets; it is clear that there is still some work to be done. For example, there is no way, currently, for an application to use indirect() to simultaneously launch a syslet and (as was the original purpose for indirect()) provide additional arguments to the target system call. In fact, the means for determining which of the two is being done looks dangerously brittle. As Zach has already noted, the calling convention needs to be changed to make the syslet functionality and the addition of arguments orthogonal.

There are a number of other questions which need to be answered - Zach has supplied a few of them with the patch. Interaction with ptrace() is unclear, resource management issues abound, and so on. Zach is clearly looking for feedback on these issues:

I'm particularly interested in hearing from people who are trying to use syslets in their applications. This will involve awkward wrappers instead of glibc calls for now, and your machine may explode, but hopefully the chance to influence the design of syslets would make it worth the effort.

So, the message is clear: anybody who is interested in how this interface will look would be well advised to pay attention to it now.

Comments (10 posted)

Writeout throttling

By Jonathan Corbet
December 11, 2007
The avoidance of writeout deadlocks is a topic which occasionally pops up on the mailing lists. Most Linux systems are able to handle the writeout of dirty pages to disk without a great deal of trouble. Every now and then, however, the system can get itself into a state where it is out of memory and it must write some pages to disk before any more memory can be allocated. If the act of writing those pages, itself, requires memory allocations, the system can deadlock. Systems with complicated block I/O setups - those using the device mapper, network-based storage, user-space filesystems, etc. - are the most susceptible to this problem.

There has been a steady stream of patches aimed at solving this problem; the write throttling patch discussed here last August is one of them. The problem is inherently hard to solve, though; it looks like it may be with us for a long time. Or maybe not, if Daniel Phillips's new and rather aggressively promoted writeout throttling patch lives up to its hype.

Daniel's patch is quite simple at its core. His approach for eliminating writeout-related deadlocks comes down to this:

  • Establish a memory reserve from which (only) code performing writeout can allocate pages. In fact, this reserve already exists, in that some memory is reserved for the use of processes marked with the PF_MEMALLOC flag.

  • Place an upper limit on the amount of memory which can be used for writeout to each device at any given time.

The patch does not try to directly track the amount of memory which will be used by each writeout request; instead, it tasks block-level drivers with accounting for the number of "units" which will be used. To that end, it adds an atomic_t variable (called available) and a function pointer (metric()) to each request queue. When an outgoing request finds its way to __generic_make_request(), it is passed to metric() to get an estimate of the amount of resource which will be required to handle that request. If the estimated resource requirement exceeds the value of available, the process will simply block until a request completes and available is incremented to a sufficiently high level.
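A user-space model of the accounting described above, as an added example rather than code from Daniel Phillips's patch: the queue carries an atomic available counter and a driver-supplied metric() callback, and a submission that does not fit reports that the caller would have to block. The limit field, the per-request charged field, the SUBMIT_TOO_BIG result and the one-unit-per-eight-sectors metric are assumptions of this sketch.

```c
#include <stdatomic.h>
#include <stdio.h>

enum submit_result { SUBMIT_OK, SUBMIT_WOULD_BLOCK, SUBMIT_TOO_BIG };

struct request {
    unsigned sectors;  /* size of the write */
    int charged;       /* units taken at submit time, returned at completion */
};

struct throttled_queue {
    atomic_int available;                     /* units free for new writeout */
    int limit;                                /* upper bound for this device */
    int (*metric)(const struct request *);    /* driver's cost estimate */
};

/* Hypothetical metric: one unit per eight sectors, rounded up. */
int sector_metric(const struct request *rq)
{
    return (int)((rq->sectors + 7) / 8);
}

void throttle_init(struct throttled_queue *q, int limit,
                   int (*metric)(const struct request *))
{
    atomic_init(&q->available, limit);
    q->limit = limit;
    q->metric = metric;
}

/* Charge the request against the queue. The compare-and-swap loop keeps two
 * concurrent submitters from both spending the same units. A request whose
 * estimate exceeds the whole limit could never be satisfied by waiting, so
 * it is reported separately instead of blocking forever. */
enum submit_result throttle_try_submit(struct throttled_queue *q,
                                       struct request *rq)
{
    int cost = q->metric(rq);
    if (cost > q->limit)
        return SUBMIT_TOO_BIG;

    int avail = atomic_load(&q->available);
    do {
        if (cost > avail)
            return SUBMIT_WOULD_BLOCK;   /* the real code would sleep here */
    } while (!atomic_compare_exchange_weak(&q->available, &avail,
                                           avail - cost));

    /* Remember the charge so completion returns exactly what was taken,
     * even if metric() would answer differently later. */
    rq->charged = cost;
    return SUBMIT_OK;
}

/* Completion path: give the units back so blocked submitters can proceed. */
void throttle_complete(struct throttled_queue *q, struct request *rq)
{
    atomic_fetch_add(&q->available, rq->charged);
    rq->charged = 0;
}

int throttle_available(struct throttled_queue *q)
{
    return atomic_load(&q->available);
}

int main(void)
{
    struct throttled_queue q;
    struct request a = { .sectors = 32 }, b = { .sectors = 64 };

    throttle_init(&q, 10, sector_metric);
    printf("a: %d\n", throttle_try_submit(&q, &a));   /* fits */
    printf("b: %d\n", throttle_try_submit(&q, &b));   /* would block */
    throttle_complete(&q, &a);
    printf("b after completion: %d\n", throttle_try_submit(&q, &b));
    return 0;
}
```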

The metric() function is to be supplied by the highest-level block driver responsible for the request queue. If that block driver is, itself, responsible for getting the data to the physical media, estimating the resource requirements will be relatively easy. The deadlock problems, however, tend to come up when I/O requests have to go through multiple layers of drivers; imagine a RAID array built on top of network-based storage devices, for example. In that case the top level will have to get resource requirement estimates from the lower levels, a problem which has not been addressed in this patch set.

Andrew Morton suggested an alternative approach wherein the actual memory use by each block device would be tracked. A few hooks into the page allocation code would give a reasonable estimate of how much memory is dedicated to outstanding I/O requests at any given time; these hooks could also be used to make a guess at how much memory each new request can be expected to need. Then, the block layer could use that guess and the current usage to ensure that the device does not exceed its maximum allowable memory usage. Daniel eventually rejected this approach, saying that looking at current memory use is risky. It may well be that a given device is committed to serving I/O requests which will, before they are done, require quite a bit more memory than has been allocated so far. In that case, memory usage could eventually exceed the cap in a big way. It's better, says Daniel, to do a conservative accounting at the beginning.

The patch does not address the memory reserve issue at all; instead, it relies on the current PF_MEMALLOC mechanism. It was necessary, says Daniel, to give the PF_MEMALLOC "privilege" to some system processes which assist in the writeout process, but nothing more than that was needed. He also claims that, for best results, much of the current code aimed at preventing writeout deadlocks needs to be removed from the kernel. He concludes:

Let me close with perhaps the most relevant remarks: the attached code has been in heavy testing and in production for months now. Thus there is nothing theoretical when I say it works, and the patch speaks for itself in terms of obvious correctness. What I hope to add to this in the not too distant future is the news that we have removed hundreds of lines of existing kernel code, maintaining stability and improving performance.

Since then, a couple of reviewers have pointed out problems in the code, dimming its aura of obvious correctness slightly. But nobody has found serious fault with the core idea. Determining its true effectiveness and making it work for a larger selection of storage configurations will take some time and effort. But, if the idea pans out, it could herald the end of a perennial and unpleasant problem for the Linux kernel.

Comments (none posted)

New bugs and old bugs

By Jonathan Corbet
December 12, 2007
As the 2.6.24 release slowly gets closer, the desire to shrink the list of known regressions grows. As can be seen from the current list (as of just before 2.6.24-rc5), there is still some work yet to be done. That list is long enough that, as Linus pointed out in the -rc5 announcement, the traditional holiday release may not happen this year.

One of those regressions is a failure of a certain model of DVD drive to work with the 2.6.24-rc kernels; this drive works fine with 2.6.23. A look at the corresponding bugzilla entry shows that quite a bit of effort has been expended (by both developers and testers) toward tracking this one down, but, as of this writing, its exact cause remains unknown. So there is not (again, as of this writing) a well-defined fix for the problem.

What is known is which patch broke the device. Tejun Heo describes it this way: "It's introduced by setting ATAPI transfer chunk size to actual transfer size which is the right thing to do generally." The current development code (destined for 2.6.25) works just fine with this device, but that would be far too big a patch to put into the 2.6.24 kernel at this stage in the cycle. So Tejun (along with others) continues to look for a simpler fix. He also has a backup plan:

If we fail to find out the solution in time, we always have the alternative of backing out the ATAPI transfer chunk size update. This will break some other cases which were fixed by the change but those won't be regressions at least and we can add transfer chunk size update with other changes to 2.6.25.

This plan drew an immediate complaint from Alan Cox, who notes that backing out this fix will break quite a few devices which had finally been made to work while fixing only one which is known to have problems with the new code. This change, he says, "...is nonsensical and not in the general good". Alan would rather take the hit of breaking one device for the benefit of making a larger number of others work properly for the first time. If need be, the failing drive could be handled via a special blacklist in 2.6.24.

That idea, however, was firmly shot down by Linus:

"The one off regression" is likely the tip of an iceberg. If something regresses for one person, for that one person who tested and noticed and made a bug-report, there's probably a thousand people who haven't even tested the development kernel, or who had problems and just went back to the previous version.

In contrast, reverting something will be guaranteed to not have those kinds of issues, since the only people who could notice are people for who it never worked in the first place. There's no "silent mass of people" that can be affected.

In recent years, as the complexity of the kernel (and concerns about its quality) have grown, the development community has taken an increasingly hard line against regressions. As Linus points out above, regressions cause visible problems for people whose systems were once working; that is a clear way to lose testers and (eventually) users. On the other hand, something which has never worked, and which still does not work, does not make life worse for Linux users. For this reason, the avoidance of regressions has become one of the highest development priorities.

There is another, related reason: the aforementioned kernel quality concerns. One can easily ask whether the quality of the kernel is improving or not, but truly answering that question is not an easy thing to do. A better kernel may, by attracting additional users, actually result in more bug reports; similarly, a buggier kernel may drive testers away, with the result that the number of reported bugs goes down. One cannot simply look at the lists of known problems and come to a reasonably defensible conclusion as to whether a given kernel is better than another or not.

What one can do, however, is ensure that everything which works now continues to work in future versions. If working things do not break, then, on the assumption that other problems are occasionally being fixed, it is reasonable to conclude that the kernel is getting better. If regressions are allowed, instead, then one never really knows. Regressions thus are the closest thing we have to an objective measurement of the quality of a given kernel release, and fixing regressions is an unambiguous way of improving that quality. So it's no wonder that the higher priority placed on improving kernel quality has led to a stronger focus on regressions.

Anybody who has watched Alan Cox's work knows that he cares deeply about the quality of the kernel. But he thinks that the anti-regression policy is being taken a little too far this time around:

To blindly argue regressions are critical is sometimes (as in this case) to argue that "this freeway is no longer compatible with a horse and cart" means the freeway should be turned back into a dirt road.

It may yet be that a proper fix for this problem will be found for 2.6.24, at which point the larger change can go through. Failing that, though, it appears that the horses and carts will win the day for now. Those needing the full freeway will have to wait until the horse-compatible version becomes available in 2.6.25.

(Update: it appears that the problem has now been fixed.)

Comments (2 posted)

Patches and updates

Kernel trees

Linus Torvalds: Linux 2.6.24-rc5

Documentation

Michael Kerrisk: man-pages-2.70 is released

Virtualization and containers

Eric W. Biederman: Core pid namespace enhancements

Page editor: Jonathan Corbet

Distributions

News and Editorials

When developers go MIA

By Rebecca Sobol
December 12, 2007
MIA means "Missing in Action". When a project is built by volunteers, as is the case with most Linux distributions, sometimes packages with bugs linger and are not fixed for long periods of time. The developer is MIA. There are many reasons that a developer might have for not taking care of their packages as promised. There will be times when the demands of work, school, family, or whatever will take precedence over volunteer work. In an ideal case the person will tell someone that they won't be around for a while. They might even find someone else to take over for them while they are gone. All too often though they don't do anything at all and thereby become MIA.

Both Debian and Fedora have made proposals for dealing with MIA developers this week so we wanted to take a closer look at how these projects are dealing with this problem. Keep in mind that Fedora and Debian are different projects, with different goals. Fedora is fast paced, with a release every six months. They can't allow buggy packages to linger for long. Debian's release cycle is long, but they have a large number of packages to maintain and a large number of developers to keep track of.

Debian's Bits from the MIA team goes beyond a proposal and outlines what is now the current policy for dealing with MIA maintainers. The MIA team met recently in Spain to flesh out the details. The MIA team is a small group of people who are tasked with identifying and attempting to contact maintainers who no longer seem to be active.

Team members have access to several MIA scripts which can be used to identify unresponsive maintainers. "The most important tool is "mia-query" where you can see the history from the person, which packages he/she maintains and the last-activity." The process is lengthy, allowing 15 days after each attempted contact before proceeding to the next stage. After sixty days the maintainer's packages will be orphaned so that some other maintainer might adopt them. Only after ninety days will the person be subject to removal from the keyring, if they are Debian Developers (DD) or Debian Maintainers (DM). For packages that are team maintained the missing person will be removed from the Uploaders/Maintainers-field after sixty days.

Fedora's proposal is still in the initial stages. The idea is to automate the process as much as possible. "This proposal aims to create a framework for automating the detection and processing of MIA maintainers. The framework will touch upon bugzilla, pkgdb, koji, and various automated QA efforts. It will tie into the (new) policy of automatically cleaning up orphans created during a release at the start of the next development cycle."

A scheduled process will query bugzilla, looking for a certain class of bugs. If the maintainer reaction time meets certain criteria, the maintainer will be marked as MIA.

How these bugs are identified in Bugzilla remains to be solved. Several automated QA tasks identified so far include: broken dependencies tests, rebuild tests, package/file conflict tests, and upgrade path violation tests. "Most of these tasks will need to grow the ability to file bugs for the issues discovered, with the logic to prevent multiple filings for the same issue. As stated above, a keyword or a flag or something will be added to the bug so that it can be easily identified at a later time."

Many details remain in this proposal, such as the particular allotment of times for responses, the method that will be used in bugzilla to mark a bug for MIA detection, who will make use of that method, who will work on the detection/processing tool, who will be notified of a maintainer going MIA, whether all packages owned by the MIA maintainer get orphaned, and so on.

A truly automated system for identifying MIA maintainers will likely be of interest to other projects, especially if it can be adapted to other infrastructures.

Comments (1 posted)

New Releases

Mandriva Directory Server 2.2.0 available

Mandriva Directory Server 2.2.0 is available for download. New features and improvements include DNS/DHCP management improvements, XML-RPC server session management, and Brazilian Portuguese translation.

Full Story (comments: none)

Announcing openSUSE 11.0 Alpha0

The first alpha release of openSUSE 11.0 is available for testing. "The change between 10.3 and Alpha0 is pretty big, but it still works pretty nicely. So please join the openSUSE 11.0 development in downloading, testing and using Alpha0 or daily updated Factory distribution."

Full Story (comments: none)

dynebolic - dyne:II GNU/Linux 2.5.2 DHORUBA - final release

RastaSoft has released the dyne:II based dynebolic 2.5.2 DHORUBA. "The system is stabilized for the final release of the dyne:II series. This is a major bugfix for usb detection, encrypted nesting, international keyboard input, firewire video capture and playback. New software includes darkice/snow, oggfwd and dvgrab for minimalistic commandline streaming receipts. Updated software include Blender, Cinelerra and FreeJ. The image.dyne module is included by default. The User's Manual has been completed with more informations."

Full Story (comments: none)

Distribution News

Debian GNU/Linux

Final report from DebConf 7

A report from the 7th Debian Developers' Conference, held last June in Edinburgh, Scotland, has been posted as a 30-page PDF file. "Over 400 people took part in this year's conference: listening to the talks; discussing development issues; working closely with their fellow developers. And, of course, enjoying themselves. This report hopes to provide some insight into DebConf for those who were unable to attend. It will cover the major parts of DebConf and provide a look at the work of the organising team. It will also include the personal impressions of some of the attendees." It's clear that quite a bit of time went into the creation of this document.

Comments (5 posted)

Bits from the Extremadura QA meeting

Fifteen Debian developers gathered in Mérida (Spain) for a Quality Assurance meeting, part of the series of meetings sponsored by the Junta de Extremadura. Click below for a look at the meeting minutes.

Full Story (comments: none)

Fedora

Samba for Fedora Core 6

Fedora Core 6 reached its end of life on Friday, December 7. Even so, new samba packages that fix the recent samba vulnerability (CVE-2007-6015) have been made available.

Full Story (comments: 3)

Mandriva Linux

2008 Spring development update

Adam Williamson presents a tentative timeline for Mandriva 2008 Spring (2008.1). The current schedule shows the first alpha release on December 13. The final release is scheduled for April 2008.

Comments (none posted)

SUSE Linux and openSUSE

Minutes from last openSUSE board meeting

Some meeting minutes of the public part of the discussions from the last openSUSE board meeting are available. Click below to see them.

Full Story (comments: none)

Other distributions

Skolelinux wins the Scandinavian Free Software award

Free Software Foundation Europe has announced that the Norwegian project Skolelinux is the winner of the first Free Software Scandinavian Award, handed out during the Free Software Conference Scandinavia 2007 in Göteborg. "Skolelinux captures a big part of the free software spirit; sharing and reusing. By focusing on schools, Skolelinux makes sure students, tomorrow's computer users, and decision makers, can grow up in a spirit of sharing, reusing and learning from family, friends and neighbours."

Comments (none posted)

GNU-Darwin 7th year report

The GNU-Darwin project has issued its 7th annual report, with a look at the stories that have gone out this year. "We have had a surge in pkg_add access to our package repository since that time, indicating that GNU-Darwin is far from dead as of yet ;-}. The iPhone bricking story was of particular moment."

Full Story (comments: none)

New Distributions

Geubuntu

Geubuntu is an Ubuntu-based desktop distribution that uses parts of the GNOME desktop with the eye-catching Enlightenment DR17 window manager. Geubuntu 7.10 Luna Nuova was released December 6, 2007. From the project's home page: "That's where Geubuntu comes in. Geubuntu completes the missing parts of the E17 Desktop Shell and WM with a certain number of tools and applications from the Gnome Desktop. This is only natural, after all: it would be crazy to believe that E17 should provide a full set of applications based on ETK instead of GTK!"

Comments (none posted)

Distribution Newsletters

Concurrent's Solutions Newsletter

Concurrent's Solutions Newsletter (PDF) takes a look at RedHawk Linux, Concurrent's real-time Linux OS.

Comments (none posted)

Fedora Weekly News Issue 112

The Fedora Weekly News for December 3, 2007 looks at FUDCon Raleigh 2008, plus Planet Fedora articles "CentOS really does fill a gap", "Fedora 8 Re-Spin in the making", "FDSCo nominations underway", "Fedora update metrics", "FAmSCo nominations/elections", and several other topics.

Full Story (comments: none)

openSUSE Weekly News, Issue 3

The openSUSE Weekly News is out with a look at openSUSE 11.0 Alpha 0, updated 10.3+ Live CD available for Final Testing, KDE Four Live 0.8, KDE 4.0 RC2 Packages, Koffice Alpha6 Packages, and more. Read it in English or German.

Full Story (comments: none)

Ubuntu Weekly Newsletter #69

The Ubuntu Weekly Newsletter for December 8, 2007 covers Packaging Jams, MPAA being forced to remove the University Toolkit, Kubuntu Tutorials Day, an Ubuntu Forums interview, and much more.

Full Story (comments: none)

DistroWatch Weekly, Issue 232

The DistroWatch Weekly for December 10, 2007 is out. "One of the indications of Ubuntu's popularity is the number of derivatives based on Canonical's operating system, available for every taste and purpose. Last week, two such distributions were added to the DistroWatch database - Mythbuntu, a project delivering MythTV in an easy-to-setup package, and Geubuntu, an eye-catching distro featuring the latest Enlightenment window manager. Read our exclusive review of the latter. Also in this edition: openSUSE kickstarts the development of version 11.0 with the first alpha release, a link to article discussing the importance of "libre" distributions, information about a free online RHCE study guide, and some observations about the new ASUS Eee PC."

Comments (none posted)

Distribution meetings

Debian Miniconf 7 at linux.conf.au 2008 in Melbourne, Australia

This is a call for participation in the seventh annual Debian Miniconf which will be part of the linux.conf.au (LCA) 2008 conference run by Linux Australia in Melbourne, Australia in January.

Full Story (comments: none)

Newsletters and articles of interest

Fedora 8 - More than a Linux Distribution (Packt Publishing)

Packt Publishing takes a look at Fedora 8. "What I haven't mentioned till now is that Fedora 8 itself is a fantastic release. Desktop users will enjoy its desktop wallpaper that changes color depending on the time of the day, the easy to use Firewall configuration tool and enhanced printer and network management in addition to the Compiz 3D desktop. I love the improved package management which makes adding software from the DVD and other online repositories, not only possible but a walk in the park. Fedora 8 also finds a solution for its inability to support patented media formats in the form of CodecBuddy."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The Early Stages of the GNU PDF project

By Forrest Cook
December 12, 2007

GNU PDF is a recent but high-priority project of the Free Software Foundation. The project aims to build libraries for dealing with the Adobe Portable Document Format (PDF): "The goal of the GNU PDF project is to develop and provide a free, high-quality, complete and portable set of libraries and programs to manage the PDF file format, and associated technologies." GNU PDF is being released under version 3 of the GNU General Public License.


Linux.com recently talked to GNU PDF project founder José Marchesi about his reasons for starting the project: "On the technical level, once Marchesi started investigating, he discovered a great deal of PDF functionality that is either missing or incomplete: "interactive features (forms, annotations), the management of embedded contents (sounds and movies), execution of JavaScript to perform forms validation, 3-D artwork, accessibility, Web capturing, [and] management of document collections." Many users are unaware of these lacks, either because they never use such features or because, Marchesi says, "The PDF standard is quite careful when providing backward compatibility: When a PDF consumer application (such as a viewer) finds an unknown construct (such as 3-D artwork), it can (and should) ignore it. But in fact you may be missing information.""

GNU PDF appears to be a highly structured development effort. The Architecture document explains the organization of the libgnupdf library. The library is divided into four overlapping layers: the base layer, the object layer, the document layer and the page layer. The Tasks Management document explains the plan for carrying out the necessary work. The project roadmap gives an excellent graphical representation of the goals that are planned for and those that have already been achieved. Progress is happening along a diagonal front: some of the base tasks are complete, while the higher layer tasks are still in early stages of development. The GNU PDF Torture Chamber document describes the testing methodology. Finally, the Sources document explains the layout of the source code.

Other open-source projects could be well served by adopting this amount of organization. With such a well structured design process, the GNU PDF project should have a good chance at achieving its goals in a timely fashion. Those interested in working on the code should start with the developer information document. Private and corporate sponsors are also needed for the project.

Comments (10 posted)

System Applications

Database Software

MySQL 5.0.51 has been released

Version 5.0.51 of the MySQL DBMS has been announced. "This is a bugfix release for the current production release family. It replaces MySQL 5.0.45." A security fix is also included.

Full Story (comments: none)

Postgres Weekly News

The December 9, 2007 edition of the Postgres Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Filesystem Utilities

Ext2Fsd: V0.35 update 01 (SourceForge)

Version 0.35 update 01 of Ext2Fsd has been announced. "Ext2Fsd is an open source linux ext2/ext3 file system driver for Windows systems (NT/2K/XP/VISTA, X86/AMD64). Modifications: remove the execute bits ('x' attribute in inode mode) for all newly created files".

Comments (none posted)

Interoperability

Samba 3.0.28 is available

Version 3.0.28 of Samba has been announced. "Samba 3.0.28 is a security release to address CVE-2007-6015."

Comments (none posted)

Mail Software

netqmail 1.06 announced

Version 1.06 of netqmail has been announced. "We have continued the philosophy of making minimal changes to qmail. This release is to celebrate the release of qmail to the public domain, and to give package distributors a base to start from. We considered making this a qmail-1.04 release, but decided to leave the qmail name under Dan Bernstein's control. We encourage other people to do so as well. If you want to make a modified version of qmail, please do so under a different name, as we have."

Full Story (comments: none)

Networking Tools

Mpd 5.0b4 released (SourceForge)

Version 5.0b4 of Mpd, a netgraph based PPP implementation, has been announced. "Mpd supports thousands of Sync, Async, PPTP, L2TP, PPPoE, TCP and UDP links in client, server and access concentrator (LAC/PAC/TSA) modes. It is very fast and functional. Next beta version released. It includes some new features, performance optimizations, tunings and fixes."

Comments (none posted)

Package Management

Ria: v4.0 released (SourceForge)

Version 4.0 of Ria has been announced. "Ria is the installer for a collection of available rpms to enable different restricted media formats in Fedora. It will make installing them easier while fixing the dependency problems by itself. Currently it supports XMMS, Mplayer, Xine, iPython."

Comments (none posted)

Web Site Development

Blogmaker 0.5 announced

Version 0.5 of Blogmaker has been announced. "Blogmaker™ is a full-featured, production-quality blogging application for Django. It supports trackbacks, ping and comments with moderation and honeypot spam prevention. Blogmaker is released under a BSD license. You may "copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software" (to borrow a phrase from the more-or-less equivalent "MIT License"). Caveat: the current release (including these docs) is for people who are already familiar with Django or willing to poke around a bit."

Comments (none posted)

Midgard 1.8.5 released

Version 1.8.5 of the Midgard web content management system has been announced. "Midgard 1.8.5 "Refix" release includes minor bugfixes and enhancements."

Full Story (comments: none)

Plone 3.0.4 released

Version 3.0.4 of the Plone web development platform has been released. "I'm happy to announce a very early Christmas present: Plone 3.0.4. This is the fourth maintenance release for Plone 3.0 and fixes several stability problems."

Full Story (comments: none)

Rails 2.0 announced

Version 2.0 of the Ruby on Rails web platform has been announced. "Rails 2.0 is finally finished after about a year in the making. This is a fantastic release that’s absolutely stuffed with great new features, loads of fixes, and an incredible amount of polish. We’ve even taken a fair bit of cruft out to make the whole package more coherent and lean."

Comments (none posted)

Desktop Applications

Audio Applications

HOgg 0.3.0 released

Version 0.3.0 of HOgg has been announced. "The HOgg package provides a commandline tool for manipulating Ogg files, and a corresponding Haskell library. HOgg is in hackage, or on the web at: http://www.kfish.org/~conrad/software/hogg/ This is the second public release. The focus is on correctness of Ogg parsing, production and editing. The capabilities of the hogg commandline tool are roughly on par with those of the oggz* [0] tools."

Full Story (comments: none)

Speex 1.2beta3 is out

Version 1.2beta3 of Speex, a speech CODEC, has been announced. "The most obvious change in this release is that all the non-codec components (preprocessor, echo cancellation, jitter buffer) have been moved to a new libspeexdsp library. Other changes include a new jitter buffer algorithm and resampler improvements/fixes. This is also the first release where libspeex can be built without any floating point support. To do this, the float compatibility API must be disabled (--disable-float-api or DISABLE_FLOAT_API) and the VBR feature must be disabled (--disable-vbr or DISABLE_VBR)."

Comments (none posted)

Data Visualization

Matplotlib 0.91.1 released

Version 0.91.1 of Matplotlib, a Python-based 2D plotting package, is out. New capabilities include: enhanced mathtext, better configuration, writing to file-like objects, record array support, a new pyplot module, maskedarray support and a new plotfile command. See the What's New document for more information.

Comments (none posted)

Desktop Environments

GNOME 2.21.3 released

Version 2.21.3 of the GNOME desktop environment has been announced. "This is the third release of the GNOME 2.21.x series, heading towards the stable GNOME 2.22.x release."

Full Story (comments: none)

GARNOME 2.21.3 announced

Version 2.21.3 of GARNOME, the bleeding edge GNOME distribution, has been announced. "This release includes all of GNOME 2.21.3 plus a whole bunch of updates and fixes that were released after the GNOME freeze date. This is the third development release on our road towards GNOME 2.22.0, which will be released in March 2008."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

The second KDE 4.0 release candidate

KDE 4.0-rc2 has been released; see the announcement for details and screen shots. "With this second release candidate, the KDE developers hope to collect comments and bug reports from the wider KDE community. With their help, we hope to solve the most pressing problems with the current KDE 4 codebase to ensure the final 4.0 release is stable, usable and fun to work with."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Electronics

LayoutEditor 20071204 released

Version 20071204 of LayoutEditor, a program to design and edit layouts for MEMS/IC fabrication, has been announced. "A new release has been published. Beside some smaller bugfixes it comes with a new introducing tutorial."

Comments (none posted)

Financial Applications

LedgerSMB 1.2.10 released

Version 1.2.10 of LedgerSMB, a fork of the SQL-Ledger general ledger software, has been released. This version includes a long list of bug fixes and some new capabilities.

Full Story (comments: none)

Games

Bridge Calculator 0.7 released

Version 0.7 of Bridge Calculator has been announced. "Bridge Calculator is freeware program written by Piotr Beling which solves problems in the Bridge card game."

Comments (none posted)

Cyphesis 0.5.15 released

Version 0.5.15 of Cyphesis, a server for WorldForge games, has been announced. "Major changes in this version: Players can now create their own roads. The script API has been made much simpler. It is now trivial to run multiple servers on one machine. Memory usage has been reduced. A huge number of bugs have been fixed."

Comments (none posted)

Graphics

Free Dimensions: GUI Version 0.1 Alpha finished (SourceForge)

Version 0.1 Alpha of Free Dimensions has been announced. The software is: "A Scriptable 3D Graphics modeler and renderer. By defining points and shapes in a 3-dimensional coordinate system, one can create a scene very quickly and easily a simple scripting language. The scene can then be animated and be added special effects."

Comments (1 posted)

Music Applications

Rosegarden 1.6.0 released

Version 1.6.0 of Rosegarden has been announced. "The Rosegarden team are giddy with probably short-lived delight at the release of version 1.6.0 of Rosegarden, an audio and MIDI sequencer and musical notation editor for Linux." A number of new features have been added to this release.

Full Story (comments: none)

PDA Software

Maemo 4.x training materials released

A set of free (Creative Commons Attribution Sharealike license) training materials for the Maemo platform (which runs on Nokia tablets) has been released. They start with a "getting started" course, then get into some fairly serious development-oriented topics including GTK+, application packaging, DBus, and more. It looks like useful reading for anybody wanting to develop for this platform.

Full Story (comments: 2)

Beta version of Modest e-mail client available

A beta version of the Modest e-mail client is available for handheld devices running the OS2008 platform. "Some highlights: - the basics: POP/IMAP/SMTP (normal/secure); - IMAP folders support, and IMAP-IDLE ("push-email") - easy setup of new accounts - send and receive of rich text-emails - managing mail with your fingers - 100% open-source with a BSD-like license".

Full Story (comments: none)

Web Browsers

Mozilla Links Newsletter

The December 6, 2007 edition of the Mozilla Links Newsletter is online; take a look for the latest news about the Mozilla browser and related projects.

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The December 11, 2007 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

HTML

HTMLi: 0.6 released (SourceForge)

Version 0.6 of HTMLi has been announced. "HTMLi (HTML improved) is the AJAX framework that focuses in: * Transparent use for HTML designers * Multi-platform: 100% XSL (runs with Java, ASP, PHP, etc) * CSS Themes * Multi-Language * XML Handling - AJAX forms Live demo at http://www.htmli.com. new version includes "auto" behaviour in new elements, like datepicker, richtext, source."

Comments (none posted)

Java

Introducing Raven: An Elegant Build for Java (O'Reilly)

Matthieu Riou introduces Raven in an O'Reilly ONJava.com article. "Build processes in Java haven't evolved much since the introduction of Ant or Maven. With the ability to use scripting languages like Groovy and JRuby on the JVM, the power of a full language can be brought to bear on the build process. This article discusses Raven, a build system for Java that uses JRuby."

Comments (none posted)

Perl

Parrot Progress in November 2007 (use Perl)

A Perl Parrot Progress Report for November, 2007 has been published. "The last report was published in November as a "road map" for continued development of the Perl 6 on Parrot compiler (perl6). Since then we've basically been following the steps outlined on the road map and we are seeing significant progress on the compiler."

Comments (none posted)

Python

Python 3.0a2 is out

Version 3.0a2 of Python 3000 has been announced. "Python 3000 (a.k.a. "Py3k", and released as Python 3.0) is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. This is an ongoing project; the cleanup isn't expected to be complete until 2008. In particular there are plans to reorganize the standard library namespace."

Full Story (comments: none)

Python-URL! - weekly Python news and links

The December 11, 2007 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The December 6, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Tcl-URL! - weekly Tcl news and links

The December 11, 2007 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Profilers

Valgrind 3.3.0 is available

Version 3.3.0 of Valgrind has been announced. "Valgrind is an open-source suite of simulation based debugging and profiling tools. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, which avoids hours of frustrating bug-hunting, and makes your code more stable. You can also perform detailed time and space profiling to help speed up and slim down your programs. 3.3.0 primarily contains tool enhancements: a restored and improved version of Helgrind, majorly revamped version of Massif, branch-mispredict profiling for Cachegrind, and new experimental tools (Omega and DRD). Also included is support for recent Linux distros, scalability improvements for gigabyte-sized applications, and modestly improved documentation."

Full Story (comments: none)

Version Control

Stacked GIT 0.14 announced

Version 0.14 of Stacked GIT has been announced; it adds new functionality and some bug fixes. "StGIT is a Python application providing similar functionality to Quilt (i.e. pushing/popping patches to/from a stack) on top of GIT. These operations are performed using GIT commands and the patches are stored as GIT commit objects, allowing easy merging of the StGIT patches into other repositories using standard GIT functionality."

Full Story (comments: none)

Miscellaneous

Programming is Hard, Let's Go Scripting... (O'Reilly)

Perl creator Larry Wall discusses the history of a number of programming languages on O'Reilly's Perl.com. "I think, to most people, scripting is a lot like obscenity. I can't define it, but I'll know it when I see it. Here are some common memes floating around: Simple language; "Everything is a string"; Rapid prototyping; Glue language; Process control; Compact/concise; Worse-is-better; Domain specific; "Batteries included" ...I don't see any real center here, at least in terms of technology. If I had to pick one metaphor, it'd be easy onramps. And a slow lane. Maybe even with some optional fast lanes."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

A pair of small Linux system reviews

There appears to be a lot happening in the area of tiny systems running Linux. One of them is the Linutop, examined by Digital Reviews: "Running a customised version of xubuntu Linux, this little box could replace your desktop for most common tasks, including what you're doing right now. And if this wasn't impressive enough in a box slightly larger than a Nintendo DS, the Linutop does it all drawing a maximum of 5 watts - That's less than an energy saver light bulb!"

Then, Tectonic has a brief look at a different system: "Living in Africa we have abundant sun, a power source we rarely consider when we buy yet another gadget. Along comes the Aleutia E1, an ultra low power computer setup that can be run from a roll up solar panel or car battery and runs Puppy Linux."

Comments (24 posted)

Likewise Open-Sources Active Directory Authentication for Linux (eWeek)

eWeek reports on the release of Likewise Open. "Like it or lump it, Microsoft's Active Directory is a very popular network directory, and thus, management system. It's been possible to use AD for Linux, but it was never easy. Now, Likewise Software, formerly Centeris, a leader in mixing and matching Windows and Linux network solutions, has announced the first open-source version of release of version 4.0 of its cross-platform authentication software: Likewise Open."

Comments (13 posted)

Trade Shows and Conferences

First KDE Education Meeting a Great Success (KDE.News)

KDE.News covers the first KDE Education Meeting. "Last weekend the members of the KDE-Edu team met in Paris for a meeting about the Education project. The meeting took place at the Mandriva office, where the members got to know each other and started vivid discussions about their applications, life in general, as well as the future and vision of the Edu module."

Comments (none posted)

Companies

SourceForge adopts eBay-like sales model for open-source software (Linux-Watch)

Linux-Watch covers the launch of SourceForge.net Marketplace. "SourceForge.net, with millions of monthly visitors, is already one of the world's largest Web sites for open-source development and distribution. What it didn't have, though, was any way for its users to cash in on their open-source projects. On Dec. 6, that changed forever. Today, SourceForge launched an online marketplace for technology professionals to buy and sell service and support for open-source software."

Comments (2 posted)

Sun brings Niagara 2 chip to open source (eWeek)

eWeek reports that Sun is releasing the specifications of the new UltraSPARC T2 processor. "When Sun announced the release of the eight-core UltraSPARC T2 chip in August 2007, company executives said it would move to bring the specification to the open-source community through Sun's OpenSPARC initiative. The goal of releasing Niagara 2 into the open-source community through the General Public License is to create a larger community around the chip and increase the number of operating systems and applications that can use the processor, said Shrenik Mehta, senior director for Fronted Technologies and the OpenSPARC Program at Sun."

Comments (7 posted)

Interviews

Bringing one SimCity per child to the OLPC (LinuxWorld)

LinuxWorld talks with Don Hopkins, the developer who ported Micropolis (GPL-licensed SimCity) to the OLPC XO system. "It's brilliant code to read and learn from, which is why I'm so happy to get it released as GPL Open Source code. People don't usually write programs as simple and efficient as SimCity any more, but it's still important to write code for the OLPC as small and fast as possible because of its limited memory and CPU power. The OLPC is an amazingly powerful machine, compared to home computers at the time SimCity was originally released."

Comments (7 posted)

Resources

First Linux phone standard ships (LinuxDevices)

LinuxDevices covers the completion of the 1.0 Linux Phone Standards (LiPS) specification. LiPS is a forum created in 2005 to create standard APIs for Linux-based cell phones. "In theory, standard APIs for Linux-based mobile phones, if widely adopted, could enable operators to roll out services faster, while enabling handset manufacturers to produce compatible new phones faster. Other beneficiaries could be ISVs (independent software vendors), mobile phone software stack providers, and of course, phone consumers, who after buying a new phone could re-install purchased applications and continue with existing services."

Comments (1 posted)

Using a Bluetooth phone with Linux (ars technica)

ars technica has a tutorial on using a Bluetooth phone with Linux. "Once the pairing is complete, it becomes possible to access files on the phone directly through Nautilus, the GNOME file manager. You can open any Nautilus window and type obex:// into the path bar to get a list of paired phones. Double-click the phone you want to access, and you should see a regular directory listing. You can now transfer files between your computer and your phone simply by dragging and dropping files. With this method, I was able to access the sounds, pictures, and videos stored on my phone."

Comments (none posted)

Introducing Raven: An Elegant Build for Java (O'ReillyNet)

O'Reilly's OnJava.com looks at Raven, a build system for Java. "Raven is based on the Ruby dynamic language and its most prominent build tool, Rake. Don't worry, you don't have to know either to read this article or start using Raven, you can learn little by little, starting simple. Rake itself is a little bit like Ant, it lets you define tasks and the dependencies between them. Only its syntax is much sweeter."

Comments (26 posted)

Programming for the Eee PC with wxWidgets (wxBlog)

wxBlog covers the porting of the wxWidgets GUI toolkit to the Asus Eee PC. "There has been a lot of fuss about the Asus Eee PC in the last few months and Asus have clearly pressed the right consumer buttons with their cheap Linux subnotebook. No doubt there will be many more machines in this format in the future, representing a market of many millions, so it’s an attractive target for developers. Fortunately for wxWidgets programmers, it’s pretty straightforward to adapt wxGTK applications to the requirements of the Eee PC. This consists mainly of two tasks: fitting windows and dialogs onto the 800x480 screen, and distributing the application in a Xandros-friendly package (a .deb)."

Comments (1 posted)

Reviews

Low-cost PPC chips gain Linux dev kits (LinuxDevices)

LinuxDevices takes a look at some developer board kits for PPC chips. "AMCC today announced a pair of evaluation kits targeting prospective customers of its new Power 405EX and 405EXr processors. The Kilauea and Haleakala kits include boards, software tools, sample apps, benchmarks, and a Denx Linux BSP, with MontaVista Linux BSPs and tools optionally available separately from MontaVista."

Comments (7 posted)

Commercial Sound And Music Software For Linux, Part 1 (Linux Journal)

Dave Phillips is at it again, this time reviewing the state of commercial audio software for Linux. In part one of his Linux Journal article, he reviews a sequencer program, a program to create rhythm patterns and loops, as well as a transcription tool. "Before we begin this whirlwind tour I must declare that I am not at all opposed to the notion and practice of commercial Linux software of any kind. The user is still free to decide that he or she can live without a commercial product, nor do I believe that commercialism will somehow inevitably corrupt the world of FOSS Linux audio software. Personally I welcome more such software, especially if it addresses some glaring lack in the current free software armory. I prefer free solutions, but if a commercial tool exists that does the needed job, then I'm all for using that tool until a free alternative exists."

Comments (7 posted)

Miscellaneous

EMF changes tune, hails embedded Linux (LinuxDevices)

LinuxDevices notes a change of direction in an EMF report on embedded operating systems. "Embedded Market Forecasters has issued a report claiming that embedded Linux is just as dependable as other real-time operating systems (RTOSes). The independently funded report appears to recant EMF's controversial Microsoft-funded report in 2003 that claimed that embedded Windows OSes were far faster and cheaper than embedded Linux. The updated report now claims that projects using embedded Linux have achieved design parity with commercial RTOSes for most projects, offering the same level of design outcomes."

Comments (2 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

BusyBox developers go after Verizon

The Software Freedom Law Center has announced another GPL-infringement lawsuit filed on behalf of the BusyBox developers. The defendant this time is Verizon Communications, which is accused of distributing Actiontec routers (containing BusyBox) without the accompanying source.

Full Story (comments: 21)

Preliminary GNOME Foundation election results

The preliminary results from the GNOME Foundation board election have been posted; if these results hold the incoming board members will be (ordered by votes received): Luis Villa, Vincent Untz, Lucas Rocha, Behdad Esfahbod, John (J5) Palmieri, Brian Cameron, and Jeff Waugh.

Full Story (comments: none)

SQLite Consortium Launches with Mozilla and Symbian as charter members

The SQLite Consortium has been launched. "The SQLite Consortium, a new membership association dedicated to maintaining SQLite as a fully open and independent product, was formally announced today. Mozilla and Symbian Ltd. have joined the SQLite Consortium as charter members. SQLite is a compact, high efficiency, high reliability, embeddable SQL database engine."

Full Story (comments: none)

Commercial announcements

ACCESS to Lead Development of Mobile Platform

ACCESS CO., LTD. has announced a new mobile phone initiative. "ACCESS CO., LTD., a global provider of advanced software technologies to the mobile and beyond-PC markets, today announced the signing of a memorandum of understanding with NTT DoCoMo, Inc., NEC Corp., Panasonic Mobile Communications Co., Ltd., and ESTEEMO Co., Ltd. under which the companies will study the use of ACCESS Linux Platform(TM) as the basis for developing a shared Linux(R) platform for mobile phones and an operator pack for NTT DoCoMo."

Comments (none posted)

Office Depot uses SUSE Linux Enterprise Server

Novell, Inc. has announced the selection of SUSE Linux Enterprise Server by Office Depot for use in its global servers. "With customers in 43 countries, Office Depot has grown its global business both organically and through acquisitions. As a result, the company runs applications on a variety of platforms including Solaris*, Windows*, Linux*, z/OS and i5/OS*. To reduce complexity and control costs, the company selected SUSE Linux Enterprise Server to standardize its IT environment as much as possible."

Comments (none posted)

OpenLogic's open source census

OpenLogic has announced a scheme for performing a global census of open source software use. "Using the new OSS Discovery tool, enterprises will be able to scan any of their computers and contribute the scan results back into The Open Source Census database -- anonymously and free of charge. Once they have contributed scans, enterprises will have access to reports that summarize their own open source usage and provide comparisons to other similar companies." The tool, itself, is open source; an early version is available at CollabNet. How the anonymity and the reporting features go together is not entirely clear.

Comments (none posted)

Use OpenOffice.org online with Ulteo

The latest version of OpenOffice.org is available using a browser, with no download or installation. The Ulteo Online Desktop gives users access to OpenOffice.org 2.3 online. The service is still in beta testing.

Full Story (comments: 4)

SourceForge launches SourceForge.net Marketplace

SourceForge has launched SourceForge.net Marketplace. "SourceForge.net® (part of SourceForge, Inc., NASDAQ: LNUX), the world's largest web site for open source development and distribution, today launched an online marketplace for technology professionals to buy and sell service and support for open source software. SourceForge.net Marketplace launches with more than 600 service listings. Some major projects offering service and support include: OpenBravo, JasperSoft, Zenoss, Compiere, Firebird, Nagios and Spring Framework."

Full Story (comments: none)

New Books

New Book: Cross-Platform Development in C++

Addison Wesley Professional has published the book Cross-Platform Development in C++: Building Mac OS X, Linux, and Windows Applications by Syd Logan.

Full Story (comments: none)

Resources

TuxMobil offers 7,000 Linux Guides for the laptop

TuxMobil has announced the availability of over 7,000 help documents related to Linux laptops. "The TuxMobil project covers all aspects concerning Linux on laptops and notebooks. The number of free guides and how-to's has more than doubled in less than three years, and more than 7,000 links to Linux laptop and notebook installation and configuration guides are now listed at TuxMobil."

Full Story (comments: none)

Contests and Awards

Breach Security's ModSecurity wins AppSec 2007 award

Breach Security, Inc. has announced that its ModSecurity web application firewall won a top application security-specific tool award at AppSec 2007. "Additionally, ModSecurity was selected as the number two open source security tool from the results of an AppSec 2007 conference attendee survey. ModSecurity is the most widely deployed web application firewall in the world with over 10,000 deployments."

Comments (none posted)

Nominations open for 2008 Mellon Awards for Technology Collaboration

The Andrew W. Mellon Foundation has announced that it is collecting nominations for its 2008 Mellon Awards for Technology Collaboration. "The Mellon Awards honor not-for-profit organizations for leadership in the collaborative development of open source software tools with particular application to higher education and not-for-profit activities. The 2008 MATC awards are now accepting nominations at http://matc.mellon.org. Nominations will close at 5:00pm Eastern time on Monday, 14 April 2008."

Comments (none posted)

Calls for Presentations

AFS and Kerberos Best Practices Workshop 2008 CFP

A call for participation has gone out for the 2008 AFS & Kerberos Best Practices Workshop. The event takes place on May 19-23, 2008 in Newark, New Jersey; submissions are due by March 3.

Full Story (comments: none)

Black Hat Briefings Call for Papers

A Call for Papers has gone out for a number of Black Hat Briefings events. "Black Hat is always looking for new and unique research, demonstrations and tools. If you have something you or your team would like to present please keep the following dates in mind. D.C. 2008 Briefings CfP closes January 4; Europe 2008 Briefings CfP closes February 1; USA 2008 Briefings CfP will open February 1; Japan 2008 Briefings CfP will open May 1".

Full Story (comments: none)

Upcoming Events

Debian Miniconf 7 at linux.conf.au 2008

The linux.conf.au Debian Miniconf has been announced. "linux.conf.au 2008 will run from January 28th to February 2nd 2008 and the first two days are dedicated to Miniconfs, which are community-organised streams for specific areas of interest. The Debian Miniconf is the oldest and has been one of the biggest Miniconfs at LCA and has always attracted great speakers and an enthusiastic crowd of Debianistas."

Full Story (comments: none)

Program Unveiled for the O'Reilly ETech Conference

The O'Reilly ETech Conference program has been announced. "The final touches are being added to the O'Reilly Emerging Technology Conference, taking place March 3-6 in San Diego, California. Now in its seventh year, ETech hones in on the ideas, projects, and technologies that the alpha geeks are thinking about, hacking on, and inventing right now, creating a space for all participants to connect and be inspired. ETech is expected to draw more than 1,200 technologists, CxOs, IT managers, hackers, product developers, researchers, academics, thought leaders, business managers, strategists, artists, fringe technologists, entrepreneurs, business developers, and venture capitalists."

Full Story (comments: none)

FUDCon Raleigh 2008

FUDCon Raleigh 2008 has been announced. "The next FUDCon (Fedora User and Developer Conference) will be in Raleigh, NC from January 11-13, 2008. The event is 100% free to attend."

Full Story (comments: none)

OpenOffice.org Annual Conference 2008 - Call for Location

A Call for Location has gone out for the OpenOffice.org Annual Conference 2008. "The OpenOffice.org Community eagerly awaits its next annual international conference, OOoCon. We are looking for engaged and interested groups to host next year's conference and welcome your proposals. Since the first conference in 2003, OOoCon has been held in Germany, Slovenia, France, and Spain - could your local OpenOffice.org community rise to the challenge in 2008?"

Full Story (comments: none)

Events: December 20, 2007 to February 18, 2008

The following event listing is taken from the LWN.net Calendar.

| Date(s) | Event | Location |
|---|---|---|
| December 15 - December 22 | Unix Meeting 2007 | IRC, Worldwide |
| December 27 - December 30 | 24th Chaos Communication Congress | Berlin, Germany |
| December 31 | Israeli Perl Workshop | Ramat Efal, Israel |
| January 11 - January 13 | FUDCon Raleigh 2008 | Raleigh, NC, USA |
| January 16 - January 17 | QualiPSo Conference 2008 | Rome, Italy |
| January 17 - January 19 | KDE 4 release event | Mountain View, CA, USA |
| January 24 | Federal DBA Day | Washington DC, USA |
| January 28 - February 2 | Linux.conf.au 2008 | Melbourne, Australia |
| January 28 - February 1 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, Georgia, USA |
| January 29 - January 31 | Solution Linux 2008 | Paris, France |
| February 1 | Open Island | Belfast, United Kingdom |
| February 6 - February 10 | O'Reilly Money:Tech Conference | New York, NY, USA |
| February 7 | Frozen Perl 2009 | Minneapolis, United States |
| February 8 - February 10 | Southern California Linux Expo | Los Angeles, USA |
| February 10 - February 13 | NDSS Symposium 2008 | San Diego, CA, USA |
| February 11 | Florida Linux Show 2008 | Jacksonville, Florida, USA |
| February 11 | Open Source Software (OSS) and the U.S. Department of Defense (DoD) | Alexandria, VA, USA |
| February 13 - February 15 | German Perl-Workshop | Regionales Rechenzentrum Erlangen, Germany |
| February 16 | Frozen Perl 2008 Workshop | Minneapolis, USA |

If your event does not appear here, please tell us about it.

Audio and Video programs

HITBSecConf2007 Malaysia Videos Now Available

Videos from the Hack In The Box Security Conference are available online. "The files were created in Quicktime, however if you're having trouble playing them on your platform, please ensure you have the latest 3IVX codec installed."

Full Story (comments: none)

Conference Videos (use Perl)

brian d foy has announced the availability of some Perl conference videos. "Over the last year I've managed to video a notable amount of talks from conferences, workshops and technical meetings. After getting permission from the presenters I'm pleased to be able to finally launch most of them."

Comments (none posted)

Podcast: Ted Ts'o Interview (Linux Magazine)

Linux Magazine has released an audio interview with Ted Ts'o. "In this podcast, Ted Ts'o, the Linux Foundation's newly appointed Chief Platform Strategist, takes a few minutes to talk to Linux Magazine about his new role with the Linux Foundation, the status of Ext4, the Linux Standard Base, and more."

Comments (none posted)

Page editor: Forrest Cook


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds