
LWN.net Weekly Edition for March 20, 2008

Python gears up for 2.6 and 3.0

By Jake Edge
March 19, 2008

Things are heating up in the Python world in advance of two major synchronized releases of the language. As it heads towards Python 3000 (aka Py3k or Python 3.0), alongside the transitional version 2.6, the development team is narrowing its focus to just those items that are required for the releases. Along the way, the conversations taking place on python-devel provide a look inside the development and release process decisions that a project needs to make as releases loom.

Py3k is the next-generation version of Python, as we described last September. It will not be backward compatible with programs written for Python 2.x in a wide variety of ways. Python 2.6 is an effort to bridge the gap, enabling much of the 3.0 functionality so that new programs can start using it. It can also provide warnings for code that will not work with Py3k.

Python 2.6 was originally scheduled for an April 2008 release, in advance of the August 2008 release planned for Py3k. Now the two are slated for synchronized releases, roughly monthly, until the final release now scheduled for early September 2008. The synchronization is seen as important for two reasons as Python's Benevolent Dictator For Life (BDFL) Guido van Rossum outlines:

Not only could this potentially save the release manager and his assistants some time, doing the final releases together sends a clear signal to the community that both versions will receive equal support.

Because Py3k is such a radical change, the 2.x series will continue for a long time. van Rossum's recent PyCon keynote (PDF slides) mentions five years as the time frame for 2.6 to be supported, with 2.7 and 2.8 releases possible. A stable development platform for the next few years is very important for current Python users as is giving them a long time to migrate their code.

The third alpha of Py3k was released at the end of February along with the first alpha of 2.6. Additional alpha releases of each are slated for April and May as laid out in Python Enhancement Proposal (PEP) 361. Those are to be followed by betas in June and July with the final release planned for September 3. All of that adds up to a fairly aggressive schedule, but the team seems confident—at least so far.

One of the issues that the Python hackers are trying to figure out is how to track the items still left to be done. van Rossum describes the scope of the problem:

In order to make such a tight release schedule we should try to come up with a list of tasks that need to be done, and prioritize them. This should include documentation, and supporting tools like 2to3. It should include features, backports of features, cleanup, bugs, and whatever else needs to be done (e.g. bugbot maintenance).

No one had any major objections to van Rossum's suggestion of using the bug tracker to track the tasks, with Christian Heimes pointing out:

Despite the url bugs.python.org it's an issue tracker and not a bug tracker. We track patches, feature requests, ideas and bugs in the same tracker.

The bug tracker allows for different priorities to be set on bugs (or tasks) that are entered into it, which led van Rossum and others to wonder about the proper usage of that field. One of the problems is distinguishing between issues that must be addressed before the next release versus those that must be addressed sometime before the final release. In some sense, both are "critical" and "show-stopping" (depending on which show you are focused on). Brett Cannon reported the scheme they came up with:

So "release blocker" blocks a release. "Critical" could very easily block a release, but not the current one. "High" issues should be addressed, but won't block anything. "Normal" is normal. And "low" is for spelling errors and such.

This can elevate bugs that are relatively minor, but need to be handled before a final release, into a category that inflates their importance. But, not elevating the bugs can lead to them incorrectly being set aside for a later release. van Rossum wondered about this bug priority "inflation", but it is the way that 2.6/3.0 release manager Barry Warsaw wants to handle things:

Critical is the right one to use. Neal and I will basically be moving issues between 'release blocker' and 'critical' with the former meaning this issue blocks the upcoming release.

Other projects or project managers might make different decisions on how to handle bug priorities, but the important thing is to make a reasonable decision quickly. Once that was done, the tasks were added to the tracker and could be prioritized correctly within the framework and without a lot of hand-wringing about which way is "best". It is an important skill for project managers of all kinds to learn.

Things are progressing rapidly on python-devel these days—not surprising with two major releases due in less than six months. There is a lot of work to be done, but the Python hackers aren't shrinking from those tasks. In addition, the team has also been able to change their processes as needed to support their tight schedule. With hard work and a bit of luck that should put Py3k and its 2.6 sibling on our development machines by autumn.

Comments (6 posted)

Who maintains dpkg?

By Jonathan Corbet
March 18, 2008

The Debian project is known for its public brawls, but the truth of the matter is that the Debian developers have not lived up to that reputation in recent years. The recent outburst over the attempted "semi-hijacking" of the dpkg maintainership shows that Debian still knows how to run a flame war, though. It also raises some interesting issues on how packages should be maintained, how derivative distributions work with their upstream versions, and what moral rights, if any, a program's initial author retains years later.

Dpkg, of course, is the low-level package management tool used by Debian-based distributions; it is the direct counterpart to the RPM tool used by many other systems. Like RPM, it is a crucial component in that it determines how systems will be managed - and how much hair administrators will lose in the process. And, like RPM, it apparently causes a certain sort of instability in those who work with it for too long.

Ian Jackson wrote dpkg back in 1993, but, by the time a few years had passed, Ian had moved on to other projects. In recent times, though, he has come back to working on dpkg - but for Ubuntu, not for the Debian project directly. One of his largest projects has been the triggers feature, which enables one package to respond to events involving other packages in the system. This feature, which is similar to the RPM capability by the same name, can help the system as a whole maintain consistency as the package mix changes; it can also speed up package installations. Triggers have been merged into Ubuntu's dpkg and are currently being used by that distribution.

The upstream version of dpkg shipped by Debian does not have trigger support, though, and one might wonder why. If one listens to Ian's side of the story, the merging of triggers has been pointlessly (perhaps even maliciously) blocked for several months by Guillem Jover, the current Debian dpkg maintainer. So Ian concluded that the only way to get triggers into Debian in time for the next release ("lenny") was to carry out a "semi-hijack" of the dpkg package. By semi-hijack, Ian meant that he intended to displace Guillem while leaving in place the other developers working on dpkg, who were encouraged to "please carry on with your existing working practices."

Ian also proceeded to upload a version of dpkg with trigger support, and without a number of other recently-added changes. It is worth noting that all of this work went into a separate repository branch, pending a final resolution of the matter. So when the upload was rejected (as it was) and Ian was deprived of his commit privileges (as he was), there was no real mess to clean up.

Those wanting a detailed history of this conflict can find it in this posting from Anthony Towns. It is a long story, and your editor will only be able to look at parts of it.

One of the relevant issues here is that Guillem Jover appears to be a busy developer who has not had as much time to maintain dpkg as is really needed. Since the beginning of the year, he has orphaned a number of other packages (directfb and bmv, for example) in order to spend more time on dpkg. But, as a result of time constraints, a number of dpkg patches have languished for too long.

While this was happening, Guillem put a fair amount of the time he did have into reformatting the dpkg code and making a number of other low-level changes, such as replacing zero constants with NULL. Ian disagrees strongly with the reformatting and such - unsurprisingly, the original code was in his preferred style. And this is where a lot of the conflict comes in, at two different levels. Ian disagrees with the coding style changes in general, saying:

Everyone who works on free software knows that reformatting it is a no-no. You work with the coding style that's already there.

Many developers will disagree on the value of code reformatting; some projects (the kernel, for example) see quite a bit of it. Judicious cleaning-up of code can help with its long-term maintainability. All will agree, though, that reformatting can make it harder to merge large changes which were made against the code before the reformatting was done. This appears to be a big part of Ian's complaint: unnecessary (to him) churn in the dpkg code base makes it hard for him to maintain his trigger patches in a condition where they can be merged.

Code churn is a part of the problem, but Ian's merge difficulties are also a result of doing the trigger work in the Ubuntu tree rather than in Debian directly. Ian did try to unify things back in August, but that was after committing Ubuntu to the modified code. Ubuntu's dpkg is currently significantly different from Debian's version, and, while one assumes that, sooner or later, Debian will acquire the trigger functionality, there is no real assurance that things will go that way. Dpkg has been forked, for now, and the prospects for a subsequent join are uncertain.

Ian also asserts that, as the creator of dpkg, he is entitled to special consideration when it comes to the future of that package. His semi-hijack announcement makes that point twice. But one of the key features of free software is this: when you release code under a free license, you give up some control. It seems pretty clear that Ian has long since lost control over dpkg in Debian.

So who does control this package, and how will this issue be resolved? Certainly Ian's hijack attempt found little sympathy, even among those who think that dpkg has not been well maintained recently. There are some who say that the disagreement should be taken to the Debian technical committee, which is empowered to resolve technical disputes between developers. But faith in this committee appears to be at a low point, as can be seen in this recent proposal to change how it is selected:

It's been pretty dysfunctional since forever, there's not much that can be done internally to improve things, and since it's almost entirely self-appointed and has no oversight whatsoever the only way to change things externally is constitutional change.

Meanwhile, the discussion has gone quiet, suggesting that, perhaps, it has been moved to a private venue. The dpkg commit log, as of this writing, shows that changes are being merged, but triggers are not among them. It is hard to imagine that the project will fail to find a way to get the triggers feature merged and the maintenance issues resolved, but that does not appear to have happened yet.

Comments (102 posted)

Installfest generates 350 Linux computers for schools

March 19, 2008

This article was contributed by Andrew Fife

On Saturday March 1st, Untangle and the Alameda County Computer Resource Center (ACCRC) organized the first of what is hoped to be many "Installfest for Schools" events. It took place at four San Francisco Bay area locations (San Francisco, Berkeley, San Mateo and Novato) and refurbished 350 older computers with Ubuntu for northern California schools.

The primary goal of the installfest was to give children in disadvantaged neighborhoods the same access to technology that students in wealthy school districts grow up with. However, the event was also about curbing waste. 132 million PCs were bought in the year 2000 alone and none of them can run Vista. But older hardware works great with GNU/Linux, and extending the life of these PCs will keep thousands of tons of toxic electronic waste out of the landfill. And let's not forget about budgetary waste. With many states facing budget crises that will inevitably force deeper classroom spending cutbacks, why should our schools have to spend their scarce resources on proprietary software licenses? In fact, cutbacks may create an incredible window of opportunity for the GNU/Linux desktop movement to establish itself within schools.

The installfest drew approximately 130 free and open source software community volunteers across the four locations. We started with over 1,000 older, discarded computers that had been collected by ACCRC through donations from the general public, local businesses and municipal governments. Some of the computers were smooth sailing: they met the hardware specification, had all of the necessary components and installed without any problems. Other computers had software install problems, but those were easy to solve because so many of the Bay Area's most hardcore free and open source software gurus participated; with their combined expertise, no error message went unattended. The rest of the computers required a little more care, as many of them were missing a hard drive, NIC or enough RAM to run Ubuntu. Yet, by disassembling problematic boxes it was easy to form a pool of spare parts that could then be stitched back together to create working computers. The week after the installfest, ACCRC put the finished systems through a 72-hour burn-in test, and we now have 350 computers that have already started being donated to schools.

The Ascend School in Oakland received the first batch of nine computers. Other schools that have received open source computers from the ACCRC include:

  • Lockwood School (Oakland)
  • Whittier Elementary School (Oakland)
  • Casa Grande High School (Petaluma)
  • Woodside Elementary School (Concord)
  • KIPP San Francisco Bay Academy (San Francisco)
  • Mission High School (San Francisco)

This event was about donating open source computers to schools in Northern California. However, ACCRC regularly donates to schools nationwide (and sometimes internationally). Schools in need of computers should fill out ACCRC's school application form [PDF].

Computer hardware and software specifications


The minimum specifications for each computer were an 800 MHz processor (PIII or AMD), 256MB RAM and a 20 GB hard drive, but we were pleasantly surprised to find a handful of P4 processors in the mix as well. One location even received a batch of 6 dual core systems with elegant slim cases—who throws those out and what else are they looking to get rid of?—but ironically we couldn't install them during the event because they were only equipped with DMS-59 DVI ports that required special monitor cables.

Each system received a fresh copy of Ubuntu 7.10 desktop with the latest apt-get upgrade applied as of February 27, 2008. Because the computers were going into schools with little or no GNU/Linux expertise, it was important to try to create a positive first experience, so we worked with Creative Commons to package samples of pictures from Flickr and music from Jamendo to show off the fun side of the donated computers. No Starch Press also donated PDF copies of Ubuntu for Non-Geeks that were loaded onto each computer so that help for common support questions was never more than a click away.

Install specifications

Each location was set up with 10 to 40 workstations that had permanent keyboards, mice, monitors and cables so that the volunteers only had to move the desktops themselves back and forth. The process was started by booting from custom install CDs, and the packages were applied over the network via Apache HTTP web servers. The custom CDs were optimized to make the Ubuntu OS installation as fast and easy as possible. Physically placing the CD into the drive and booting from disc was really all that was required, because the additional content from Creative Commons and No Starch Press was bundled as Debian packages that were automatically installed via the network just like the other Ubuntu updates and patches.

The installfest networks were based on dual Pentium III servers with a RAID array and Gigabit network cards plugged into a 24-port Gigabit switch. It was important to have a fast setup because updating as many as 40 systems at once placed a heavy load on drives and network connections. Electricity was also a concern as most of the outlets available had 15 or 20 Amp circuits. Given the intensity of the installation/reboot workload and the relatively power inefficient CRT monitors, we drew the line at 5 workstations per 15 Amp circuit because an extra machine might have fit, but blowing the circuit breaker would have caused a big disruption—especially if the breaker happened to be in a locked closet.

Community goes the extra mile

With 130 volunteers showing up, Untangle and ACCRC really had a lot of help in pulling the Installfest for Schools off. However, the community did far more than just show up; our volunteers really went the extra mile to save the day as we stumbled across a handful of unexpected hiccups. One particularly inspirational moment came when the San Mateo location ran out of computers: our volunteers drove their own cars across the Bay to pick up extra hardware rather than close the location early! We also owe a debt of gratitude to three members of the San Francisco Linux Users' Group (Christian Einfeldt, Jim Stockford and Daniel Mizyrycki), who worked long hours to set up and clean up that location.

We also received lots of help from free and open source software related organizations. Mozilla in particular really stepped up to the plate by blogging about the event and then bringing schwag and pizza for all 130 volunteers! But Mozilla wanted to get their hands dirty as well, and Mozilla team members showed up to lend a hand at each location. Creative Commons and No Starch Press helped put together content. Also, O'Reilly, OSI, the Linux Foundation, Sun and Canonical really helped get the word out with supportive blog mentions that encouraged participation as well.

Future plans

Moving forward, Untangle and ACCRC hope to continue organizing bigger and better Installfests for Schools. Our goal is to turn the one-time regional event into a distributed national event occurring on a regular basis. If we're able to find some friendly organizations to help out, we may even be able to go international. Stay tuned because you'll be hearing from us sooner rather than later about the next Installfest for Schools.

Anyone wishing to help should stay informed by signing up for the installfest mailing list. As we move more into a distributed national event, we need all of the help that we can get identifying local schools, old computer donors and feet on the street volunteers to make sure everything goes smoothly. That work will be coordinated on the mailing list.

[ Andrew Fife, of Untangle, is one of the organizers of the project. ]

Comments (6 posted)

Page editor: Jonathan Corbet

Security

Breaking CAPTCHA

By Jake Edge
March 19, 2008

Perhaps someday it will be considered discrimination against a sentient, but these days a way to distinguish between programs and humans is required for many web-based applications. Keeping spambots from posting comments in weblogs or other bots from signing up for a web service are two of the most common applications for separating humans and bots. As has often been the case in the past, though, when the stakes are high enough, attackers will find ways to circumvent barriers like this.

The most common means of testing for humans in web site sign-ups and the like is a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Typically these are images that contain some text that has been mangled so that it is still recognizable by humans, but not by programs—at least that is the theory. Variations on the theme include asking math or "common sense" questions that programs will supposedly not be able to figure out—more likely no attacker has had enough interest breaking them. Serious CAPTCHAs tend to use images that can be created on the fly, giving nearly infinite variety.

Some of the most sophisticated CAPTCHAs are those used by various free web mail services: Hotmail, Yahoo, and Gmail. These services provide quite a bit of storage that might be of use to an attacker, but they also lend their reputation to mail that gets sent from those accounts. Domains like yahoo.com and gmail.com are very unlikely to be blacklisted. Mail coming from those domains may also score lower in various spam testing rules, which may be exactly what an attacker is looking for.

Various techniques have been tried in the past to circumvent CAPTCHAs, with the most successful ones using humans. It seems that many folks will happily solve CAPTCHAs in order to view pornography or for cash. Over the last year, though, CAPTCHA-breaking programs have started to appear.

In a very detailed report, Websense presents evidence that Gmail's CAPTCHA has been cracked. Earlier reports indicate that attackers have cracked Yahoo, Windows Live, and Hotmail CAPTCHAs as well. Cracked does not mean 100% success rate—humans cannot even achieve that—it just needs to work often enough to provide the attackers with the accounts they want.

These programs use some image processing and optical character recognition (OCR) techniques to decipher the puzzle, removing humans from the equation entirely. Typical success rates are in the 20-35% range. For attackers with botnets available to spread out the work, this could yield an amazing number of accounts in relatively short order.

CAPTCHAs have a number of bad characteristics: they are annoying to most and unusable by those who are visually impaired. Yet they are pervasive. Alternate techniques using audio have so far been found wanting; a more interesting method is Asirra from Microsoft Research.

Asirra uses 3 million images of dogs and cats from animal shelters that have been categorized. The test then shows a dozen random images from the database and asks the "human" to select all the cat photos. This would seem much more difficult for a program to handle. The picture database would need regular updates to thwart attackers just collecting all the images and doing their own categorization—perhaps with help from porn viewers or poor folk. Also, computer recognition systems will someday be able to recognize dogs and cats.

It is a difficult problem to solve, but one that needs to be addressed. Systems like OpenID are not enough—it is not what they were designed for—as there is nothing stopping bots from having OpenIDs. Some mechanism that would allow reputation or trust to accumulate on a given ID might help prove that its holder is a human—or at least a well-behaved bot. Designing a reputation service that is decentralized will also be difficult, but it is the right direction for solving these kinds of problems.

Comments (17 posted)

Brief items

CERT C Secure Coding Standard: last call for reviewers

CERT is working to put together a set of secure coding standards - essentially a long set of rules on how to avoid common mistakes which can create security vulnerabilities. The standard for C is headed for a 1.0 release around mid-April. Before that happens, CERT is asking for one last round of comments; see the associated web site for more information.

Full Story (comments: 27)

New vulnerabilities

backup-manager: password disclosure

Package(s): backup-manager    CVE #(s): CVE-2007-4656
Created: March 17, 2008    Updated: March 19, 2008
Description:

From the Debian advisory:

Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling a FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.

Alerts:
Debian DSA-1518-1 backup-manager 2008-03-15

Comments (none posted)

cups: heap overflow

Package(s): cups    CVE #(s): CVE-2008-0047
Created: March 19, 2008    Updated: October 16, 2008
Description: The cups package suffers from a heap overflow vulnerability in the cgiCompileSearch() function. This vulnerability could be exploited remotely if the print server shares printers over the network.
Alerts:
Fedora FEDORA-2008-8801 cups 2008-10-16
Fedora FEDORA-2008-2131 cups 2008-04-08
Fedora FEDORA-2008-2897 cups 2008-04-08
Ubuntu USN-598-1 cupsys 2008-04-02
Slackware SSA:2008-094-01 cups 2008-04-03
Mandriva MDVSA-2008:081 cups 2007-04-02
Gentoo 200804-01 cups 2008-04-01
Red Hat RHSA-2008:0192-01 cups 2008-04-01
Debian DSA-1530-1 cupsys 2008-03-25
SuSE SUSE-SA:2008:015 cups 2008-03-19

Comments (none posted)

dovecot: multiple vulnerabilities

Package(s): dovecot    CVE #(s): CVE-2008-1199 CVE-2008-1218
Created: March 13, 2008    Updated: October 7, 2008
Description: From the Fedora alert:

CVE-2008-1199 If Dovecot was configured with mail_extra_groups = mail, users having shell access to IMAP server could use this flaw to read, modify or delete mails of other users stored in inbox files in /var/mail. /var/mail directory is mail-group writable and user inbox files are by default created by useradd with permission 660, <user>:mail. No mail_extra_groups is set by default, hence default Fedora configuration was not affected by this problem. If your configuration sets mail_extra_groups, see new options mail_privileged_group and mail_access_groups introduced in Dovecot 1.0.11. (mail_extra_groups is still accepted, but is deprecated now)

CVE-2008-1218 On Dovecot versions 1.0.11 and newer, it was possible to gain password-less login via passwords with tab characters, which were not filtered properly. Dovecot versions in Fedora were not affected by this unauthorized login flaw, but only by a related minor memory leak in dovecot-auth worker process.

Alerts:
SuSE SUSE-SR:2008:020 dovecot, GraphicsMagick, openssh, mercurial 2008-10-07
Red Hat RHSA-2008:0297-02 dovecot 2008-05-21
Ubuntu USN-593-1 dovecot 2008-03-26
Gentoo 200803-25 dovecot 2008-03-18
Debian DSA-1516-1 dovecot 2008-03-14
Fedora FEDORA-2008-2464 dovecot 2008-03-13
rPath rPSA-2008-0108-1 dovecot 2008-03-12
Fedora FEDORA-2008-2475 dovecot 2008-03-13

Comments (none posted)

horde3: file execution and disclosure via directory traversal

Package(s): horde3    CVE #(s): CVE-2008-1284
Created: March 17, 2008    Updated: May 6, 2008
Description:

From the CVE entry:

Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.
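The CVE text above names the two ingredients of the bug: ".." sequences and a NUL byte in a user-supplied theme name. The following is an added defensive check, not Horde's code, showing how a theme name can be validated before it touches the filesystem; the themes root path and the theme names are constructed for the demonstration.

```python
import os


class UnsafeThemeName(ValueError):
    """Raised when a user-supplied theme name must not reach the filesystem."""


def resolve_theme_file(themes_root, theme_name, filename="screen.css"):
    """Map a user-supplied theme name to a file below themes_root, or refuse.

    The two ingredients of the Horde bug are handled explicitly: a NUL byte,
    which truncates the path once it reaches a C-level open() and so defeats
    any suffix or prefix check done on the longer string, and ".." sequences,
    which walk out of the themes tree.
    """
    if "\0" in theme_name:
        raise UnsafeThemeName("NUL byte in theme name")
    if theme_name in ("", ".", ".."):
        raise UnsafeThemeName("empty or dot theme name")
    # A theme name is a single directory component; separators never belong in it.
    if os.sep in theme_name or (os.altsep and os.altsep in theme_name):
        raise UnsafeThemeName("path separator in theme name")
    root = os.path.realpath(themes_root)
    candidate = os.path.realpath(os.path.join(root, theme_name, filename))
    # Backstop: even if a name slips past the checks above, or a symlink inside
    # the tree points elsewhere, the resolved path must still live under root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeThemeName("resolved path escapes the themes root")
    return candidate


def is_safe_theme_name(themes_root, theme_name):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        resolve_theme_file(themes_root, theme_name)
    except UnsafeThemeName:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a plausible theme name and the traversal-plus-NUL
    # shape described in the CVE text. The themes root is a hypothetical path.
    for name in ("bluewhite", "../../../../etc/passwd\0", "../.."):
        print(repr(name), "->", is_safe_theme_name("/srv/horde/themes", name))
```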

Alerts:
Gentoo 200805-01 horde 2008-05-05
Fedora FEDORA-2008-2362 horde 2008-03-13
Fedora FEDORA-2008-2406 horde 2008-03-13
Debian DSA-1519-1 horde3 2008-03-15

Comments (none posted)

ikiwiki: cross-site scripting

Package(s): ikiwiki    CVE #(s): CVE-2008-0808 CVE-2008-0809
Created: March 18, 2008    Updated: March 19, 2008
Description: From the Debian advisory: Josh Triplett discovered that ikiwiki did not block Javascript in URLs, leading to cross-site scripting vulnerabilities.
Alerts:
Debian DSA-1523-1 ikiwiki 2008-03-17

Comments (none posted)

krb5: multiple remote vulnerabilities

Package(s): krb5    CVE #(s): CVE-2008-0062 CVE-2008-0063 CVE-2008-0947
Created: March 19, 2008    Updated: March 25, 2008
Description: The "kdc" authentication component, part of the krb5 package, has a number of vulnerabilities, including denial of service, information (secret key) leaks, and, potentially, remote code execution.
Alerts:
Gentoo 200803-31 mit-krb5 2008-03-24
Fedora FEDORA-2008-2647 krb5 2008-03-21
Fedora FEDORA-2008-2637 krb5 2008-03-21
rPath rPSA-2008-0112-1 krb5 2008-03-19
Mandriva MDVSA-2008:071 krb5 2008-03-19
Mandriva MDVSA-2008:070 krb5 2007-03-19
Mandriva MDVSA-2008:069 krb5 2007-03-19
Red Hat RHSA-2008:0164-01 krb5 2008-03-18
SuSE SUSE-SA:2008:016 krb5 2008-03-19
Ubuntu USN-587-1 krb5 2008-03-19
Red Hat RHSA-2008:0181-01 krb5 2008-03-18
Red Hat RHSA-2008:0182-01 krb5 2008-03-18
Red Hat RHSA-2008:0180-01 krb5 2008-03-18
Debian DSA-1524-1 krb5 2008-03-18

Comments (none posted)

krb5: double-free flaw

Package(s): krb5    CVE #(s): CVE-2007-5971
Created: March 19, 2008    Updated: May 20, 2010
Description: The krb5 GSSAPI library suffers from a double-free flaw which could be exploited to crash applications using that library.
Alerts:
Ubuntu USN-940-1 krb5 2010-05-19
Ubuntu USN-924-1 krb5 2010-04-07
Gentoo 200803-31 mit-krb5 2008-03-24
Fedora FEDORA-2008-2647 krb5 2008-03-21
Fedora FEDORA-2008-2637 krb5 2008-03-21
rPath rPSA-2008-0112-1 krb5 2008-03-19
Mandriva MDVSA-2008:070 krb5 2007-03-19
Mandriva MDVSA-2008:069 krb5 2007-03-19
Red Hat RHSA-2008:0164-01 krb5 2008-03-18
Red Hat RHSA-2008:0180-01 krb5 2008-03-18

Comments (none posted)

krb5: denial of service

Package(s): krb5    CVE #(s): CVE-2008-0948
Created: March 19, 2008    Updated: March 19, 2008
Description: From the Red Hat advisory: A flaw was found in the RPC library used by the MIT Kerberos kadmind server. An unauthenticated remote attacker could use this flaw to crash kadmind. This issue only affected systems with certain resource limits configured.
Alerts:
SuSE SUSE-SA:2008:016 krb5 2008-03-19
Red Hat RHSA-2008:0181-01 krb5 2008-03-18

Comments (none posted)

ldapscripts: password disclosure

Package(s): ldapscripts    CVE #(s): CVE-2007-5373
Created: March 17, 2008    Updated: March 19, 2008
Description:

From the Debian advisory:

Don Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing.
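The ldapscripts advisory above and the backup-manager one earlier in this section describe the same defect: a secret handed to a child program as a command-line argument is readable by any local user through the process listing. This added example (not code from either package) reproduces the exposure with a Python stub standing in for the FTP or LDAP client, then shows the same call with the secret delivered over a pipe instead; the password value is constructed for the demonstration.

```python
import subprocess
import sys


def read_cmdline(pid):
    """Return the argument vector of a live process as one string.

    Uses /proc/<pid>/cmdline on Linux and falls back to ps(1) elsewhere.
    Both are readable by any unprivileged local user, which is exactly the
    exposure the advisories describe.
    """
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
        return out.stdout


# Stand-in for the FTP or LDAP client the advisories mention: it blocks until
# it receives one line on stdin, so the parent can inspect it while it runs.
_CLIENT_STUB = "import sys; sys.stdin.readline()"


def password_in_argv(password):
    """Vulnerable pattern: the secret is part of the child's argv.

    Returns True when the password can be read from the process listing.
    """
    child = subprocess.Popen(
        [sys.executable, "-c", _CLIENT_STUB, "--password", password],
        stdin=subprocess.PIPE, text=True)
    try:
        return password in read_cmdline(child.pid)
    finally:
        child.communicate("\n")  # release the stub and reap it


def password_via_stdin(password):
    """Hardened pattern: the secret is written to a pipe only the child reads.

    Returns True when the password can be read from the process listing,
    which it should never be here.
    """
    child = subprocess.Popen(
        [sys.executable, "-c", _CLIENT_STUB],
        stdin=subprocess.PIPE, text=True)
    try:
        return password in read_cmdline(child.pid)
    finally:
        child.communicate(password + "\n")


if __name__ == "__main__":
    secret = "constructed-secret-7f3a"  # made-up value for the demonstration
    print("argv  exposes password:", password_in_argv(secret))
    print("stdin exposes password:", password_via_stdin(secret))
```

Real clients generally offer an equivalent of the pipe, such as reading the credential from a mode-0600 file or prompting on a terminal; the point of the fix is that the secret never appears in argv, whatever the transport.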

Alerts:
Debian DSA-1517-1 ldapscripts 2008-03-15

Comments (none posted)

lighttpd: information disclosure

Package(s): lighttpd    CVE #(s): CVE-2008-1270
Created: March 13, 2008    Updated: April 10, 2008
Description: From the Mitre advisory: mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
Alerts:
Gentoo 200804-08 lighttpd 2008-04-10
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Debian DSA-1521-1 lighttpd 2008-03-16
rPath rPSA-2008-0106-1 lighttpd 2008-03-12

Comments (none posted)

LIVE555 Media Server: denial of service

Package(s): live    CVE #(s): CVE-2007-6036
Created: March 14, 2008    Updated: March 19, 2008
Description: From the Gentoo advisory: Luigi Auriemma reported a signedness error in the parseRTSPRequestString() function when processing short RTSP queries. A remote attacker could send a specially crafted RTSP query to the vulnerable server, resulting in a crash.
Alerts:
Gentoo 200803-22 live 2008-03-13

Comments (none posted)

phpMyAdmin: cross-site scripting

Package(s): phpMyAdmin    CVE #(s): CVE-2007-6100
Created: March 14, 2008    Updated: March 19, 2008
Description: Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth_type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992.
Alerts:
SuSE SUSE-SR:2008:006 sarg, phpMyAdmin, xine, bind, dbus-1, silc-toolkit, boost 2008-03-14

Comments (none posted)

roundup: unspecified vulnerability

Package(s): roundup    CVE #(s): CVE-2008-1474
Created: March 13, 2008    Updated: May 28, 2008
Description: Roundup suffers from a failure to properly escape HTML input, creating a cross-site scripting vulnerability.
Alerts:
Gentoo 200805-21 roundup 2008-05-27
Debian DSA-1554-2 roundup 2008-05-06
Debian DSA-1554-1 roundup 2008-04-22
Fedora FEDORA-2008-2370 roundup 2008-03-13
Fedora FEDORA-2008-2471 roundup 2008-03-13

Comments (none posted)

sarg: arbitrary code execution

Package(s): sarg    CVE #(s): CVE-2008-1167 CVE-2008-1168
Created: March 13, 2008    Updated: March 28, 2008
Description: From the Gentoo alert: Sarg is vulnerable to the execution of arbitrary code when processing untrusted input files. Sarg (Squid Analysis Report Generator) is a tool that provides much information about the Squid web proxy server users' activities: time, sites, traffic, etc.
Alerts:
Mandriva MDVSA-2008:079 sarg 2007-03-27
SuSE SUSE-SR:2008:006 sarg, phpMyAdmin, xine, bind, dbus-1, silc-toolkit, boost 2008-03-14
Gentoo 200803-21 sarg 2008-03-12

Comments (none posted)

silc-toolkit: stack-based buffer overflow

Package(s): silc-toolkit    CVE #(s): CVE-2008-1227
Created: March 14, 2008    Updated: July 31, 2008
Description: Stack-based buffer overflow in the silc_fingerprint function in lib/silcutil/silcutil.c in Secure Internet Live Conferencing (SILC) Toolkit 1.1.5, and unspecified earlier versions, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via long input data. NOTE: some of these details are obtained from third party information.
Alerts:
Mandriva MDVSA-2008:158 silc-toolkit 2008-07-30
Gentoo 200804-27 silc-toolkit 2008-04-24
SuSE SUSE-SR:2008:006 sarg, phpMyAdmin, xine, bind, dbus-1, silc-toolkit, boost 2008-03-14

Comments (none posted)

smarty: arbitrary code execution via crafted search string

Package(s): smarty    CVE #(s): CVE-2008-1066
Created: March 17, 2008    Updated: November 14, 2011
Description:

From the Debian advisory:

It was discovered that the regex module in Smarty, a PHP templating engine, allows attackers to call arbitrary PHP functions via templates using the regex_replace plugin by a specially crafted search string.

Alerts:
Gentoo 201111-04 PEAR-PhpDocumentor 2011-11-11
Gentoo 201006-13 smarty 2010-06-02
Fedora FEDORA-2008-2650 gallery2 2008-04-17
Fedora FEDORA-2008-2587 gallery2 2008-04-17
SuSE SUSE-SR:2008:007 unzip, tomcat, moodle, xine 2008-03-28
Fedora FEDORA-2008-2656 php-pear-PhpDocumentor 2008-03-26
Debian DSA-1520-1 smarty 2008-03-16

Comments (none posted)

unzip: arbitrary code execution

Package(s): unzip    CVE #(s): CVE-2008-0888
Created: March 18, 2008    Updated: April 7, 2008
Description: From the Debian advisory: Tavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution.
Alerts:
Gentoo 200804-06 unzip 2008-04-06
SuSE SUSE-SR:2008:007 unzip, tomcat, moodle, xine 2008-03-28
rPath rPSA-2008-0116-1 unzip 2008-03-21
Ubuntu USN-589-1 unzip 2008-03-20
Mandriva MDVSA-2008:068 unzip 2007-03-18
Red Hat RHSA-2008:0196-01 unzip 2008-03-18
Debian DSA-1522-1 unzip 2008-03-17

Comments (none posted)

xine-lib: buffer overflow

Package(s): xine    CVE #(s): CVE-2008-1161
Created: March 14, 2008    Updated: August 21, 2008
Description: Buffer overflow in the Matroska demuxer (demuxers/demux_matroska.c) in xine-lib before 1.1.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes.
Alerts:
Ubuntu USN-635-1 xine-lib 2008-08-06
Mandriva MDVSA-2008:178 xine-lib 2008-08-20
Debian DSA-1536-1 xine-lib 2008-03-31
SuSE SUSE-SR:2008:006 sarg, phpMyAdmin, xine, bind, dbus-1, silc-toolkit, boost 2008-03-14

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.25-rc6, released on March 16. The changes are mostly fixes, but there are still quite a few of them for this point in the release cycle. See the announcement for details, or the long-format changelog for lots of details.

A handful of changes have gone into the mainline git repository since the 2.6.25-rc6 release.

As of this writing, vger.kernel.org is down, slowing the development process somewhat. Or, perhaps, slowing talk and speeding development. Regardless, the failure (a disk in vger's RAID array) is being addressed with the intent of getting vger back online as soon as possible.

Comments (1 posted)

Kernel development news

Quotes of the week

One man, 12 nights (13 days), one bottle of cuban rum and little bits of scotch whisky, 82 'House M.D' series... feels good.
-- How Evgeniy Polyakov gets work done

So, we're going to have to now convert all drivers, right? Nice, I can always use a bump up in the "number of patches submitted" numbers :)
-- Greg Kroah-Hartman

Comments (none posted)

Recovering deleted files from ext3

Carlo Wood seems to have mistakenly deleted his home directory and instead of reaching for his backups, he dug into the ext3 filesystem structure. The result is an in-depth look at ext3 including how to undelete files. The end result is an ext3grep tool that looks like it might be rather useful. "However, this is utter nonsense. All information is still there, also the block pointers. It is just slightly less likely that those are still there (than on ext2), since they have to be recovered from the journal. On top of that, the meta data is less coherently related to the real data so that heuristic algorithms are needed to find things back." (seen at Val Henson's weblog)

Comments (9 posted)

Generic semaphores

By Jonathan Corbet
March 17, 2008
Most kernel patches delete some code, replacing it with newer and (presumably) better code. Much of the time, it seems, the new code is more voluminous than what came before. Occasionally, though, a patch comes along which deletes over 7600 lines of code - replacing it with a mere 314 lines - while claiming to maintain the same functionality. Matthew Wilcox's generic semaphore patch is one of those changes.

In essence, a semaphore is a counter with a wait queue attached to it. When kernel code wants to access the resource protected by the semaphore, it makes a call to:

    void down(struct semaphore *sem);

This call will check the counter associated with sem; if it is greater than zero, the counter will be decremented and control returns to the caller. Otherwise the caller will be put to sleep until sometime in the future when the counter has been increased again. Increasing the counter - when the protected resource is no longer needed - is done with a call to up(). Semaphores can be used in any situation where there is a need to put an upper limit on the number of processes which can be within a given critical section at any time. In practice, that upper limit is almost always set to one, resulting in semaphores which are used as a straightforward mutual exclusion primitive.

In current kernels, semaphores are implemented with highly-optimized, architecture-specific code. There are, in fact, more than twenty independent semaphore implementations in the kernel code base. Matthew's patch rips all of that out and replaces it with a single, generic implementation which works on all architectures. After the patch is applied, a semaphore looks like this:

    struct semaphore {
        spinlock_t          lock;
        int                 count;
        struct list_head    wait_list;
    };

The implementation follows from this definition in a straightforward way: the spinlock is used to protect manipulations of count, while wait_list is used to put processes to sleep when they must wait for count to increase. The actual code, of course, is somewhat complicated by performance and interrupt-safety considerations, but it remains relatively short and simple.
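To make that definition concrete, here is an added user-space C model of the generic semaphore; it is not Matthew's patch and not code from LWN. The kernel's list_head, spinlock and scheduler are replaced with a minimal list, a flag and an explicit task object, so that the wait-list handoff can be stepped through deterministically: down() takes an extra task argument standing in for "current", and returns false instead of sleeping. Having up() hand the semaphore directly to the first waiter rather than incrementing count (so a late arrival cannot steal it) is this example's own design choice, made to show what the wait list is for; the flag standing in for spinlock_t is likewise an assumption.

```c
/* Added example (not kernel code): a user-space model of the generic
 * semaphore: a counter, a lock and a FIFO wait list. */
#include <stddef.h>
#include <stdbool.h>

/* Minimal circular doubly linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n;
}

/* The structure from the patch: a lock, a counter and a wait list. */
struct semaphore {
    bool             lock;      /* stand-in for spinlock_t (assumption: single-threaded model) */
    int              count;
    struct list_head wait_list;
};

/* A would-be sleeper. In the kernel the waiter is a stack-allocated record
 * pointing at the current task; here it doubles as the task itself. */
struct task {
    struct list_head list;
    bool             sleeping;  /* true while parked on the wait list */
    bool             up;        /* set by up() when ownership is handed over */
};

static void spin_lock(struct semaphore *s)   { s->lock = true; }
static void spin_unlock(struct semaphore *s) { s->lock = false; }

void sema_init(struct semaphore *s, int count)
{
    s->lock = false;
    s->count = count;
    INIT_LIST_HEAD(&s->wait_list);
}

void task_init(struct task *t)
{
    INIT_LIST_HEAD(&t->list);
    t->sleeping = false;
    t->up = false;
}

/* down(): take the semaphore if count > 0, otherwise park the caller on the
 * wait list. Returns true if acquired immediately, false if the task now
 * sleeps (in the kernel the thread would call schedule() here and return
 * only once a later up() has set its "up" flag). */
bool down(struct semaphore *s, struct task *t)
{
    bool acquired;
    spin_lock(s);
    if (s->count > 0) {
        s->count--;
        acquired = true;
    } else {
        t->sleeping = true;
        t->up = false;
        list_add_tail(&t->list, &s->wait_list);
        acquired = false;
    }
    spin_unlock(s);
    return acquired;
}

/* up(): with nobody waiting, just bump the counter. With waiters present,
 * hand the semaphore to the first one (FIFO) without touching count, so a
 * late arrival cannot jump the queue. Returns the woken task or NULL. */
struct task *up(struct semaphore *s)
{
    struct task *woken = NULL;
    spin_lock(s);
    if (list_empty(&s->wait_list)) {
        s->count++;
    } else {
        struct list_head *first = s->wait_list.next;
        woken = (struct task *)((char *)first - offsetof(struct task, list));
        list_del(first);
        woken->sleeping = false;
        woken->up = true;       /* the sleeper now owns the semaphore */
    }
    spin_unlock(s);
    return woken;
}
```

With a count of one this behaves as a mutex: the second and third callers queue in order, each up() wakes exactly one of them, and count only climbs back to one once the queue is empty. The real implementation adds interrupt-safe locking and handles signals and timeouts around the sleep, which this model leaves out.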

One might ask: why weren't semaphores done this way in the first place? The answer is that, once upon a time (prior to 2.6.16), semaphores were one of the primary mutual exclusion mechanisms in the kernel. The 2.6.16 cycle brought in mutexes from the realtime tree, and most semaphore users were converted over. So semaphores, which were once a performance-critical primitive, are now much less so. As a result, any need there may have been for carefully hand-tuned, architecture-specific code is gone. So the code might as well go too.

The other question which comes up is: why are semaphores still being used at all? The number of semaphore users has dropped considerably since 2.6.16, but there are still a number of them in the kernel. Some of those could certainly be converted to mutexes, but doing so requires a careful audit of the code to be sure that the semaphore's counting feature is not being used. Once that work is done, it may turn out that, in some places, a semaphore is truly the right data structure. So semaphores are likely to remain - but they'll require rather less code than before.

Comments (11 posted)

The return of authoritative hooks

By Jonathan Corbet
March 18, 2008
The containers developers have what would seem to be a relatively straightforward problem: they would like to control access to devices on a per-container basis. Then containers could safely be granted access to specific devices without compromising the overall security of the system - even if a container has a root-capable process which can create new device files. Implementing this feature has been a longer journey than these developers had imagined, though, with the "device whitelist" feature being sent around to different kernel subsystems almost like one of those famous garbage barges from years past. A final resting place may have been found, though, and it may signal a change in how some security decisions are made in the kernel in the future.

The original version of the patch, posted by Pavel Emelyanov, set up a control group for the management of device accessibility within containers. The actual rules - and their enforcement - were stored deep within the device model subsystem. This drew an objection from Greg Kroah-Hartman, who suggested that, instead, this kind of access control should be done either with udev or with the Linux security module (LSM) subsystem. Udev does not give the desired degree of control and, apparently, can be problematic for those wanting to run older distributions within containers, so it was not seriously considered. The LSM suggestion was, after some resistance, taken to heart, though.

The result was the device whitelist LSM patch, posted by Serge Hallyn. It was a stacking security module which made changes to a number of hooks. This is where James Morris came in and suggested that, instead, the whitelist should just be added to the existing capabilities security module. Then there would be no need for a separate module and things could be generally simplified.

So Serge duly rolled out version 3 of the patch which moved the whitelist into the capabilities module. But this one ran into resistance as well. Quoting James Morris again:

Moving this logic into LSM means that instead of the cgroups security logic being called from one place in the main kernel (where cgroups lives), it must be called identically from each LSM (none of which are even aware of cgroups), which I think is pretty obviously the wrong solution.

Casey Schaufler also didn't like this idea:

When the next feature comes along are we going to stuff it into capabilities, too? Maybe we'll cram it into audit or CIPSO instead, but how long can this go on? Eventually we need a mechanism that allows more or less general mix-and-match, maybe with a few rules like "don't mix plaids and stripes" to keep things sane or these lesser facilities have no chance. Seems like we're still making LSM too hard to use.

At this point, the complaint was clearly not with just the device whitelist, but with the capabilities module as well. It seems that capabilities are a bit of a poor fit with the LSM idea as a whole. The fact that they exist at all is a bit of a historical artifact; some developers wanted to see them implemented that way to show the flexibility of the LSM interface and to let capabilities be omitted from embedded setups. As it happens, it's still not possible to remove capabilities, and they impose a bit of a cost on all other security modules.

The core problem is this: LSM, fundamentally, is a restrictive mechanism. An LSM hook can deny an action, but it can never empower a process to do something it would not have been allowed to do in the absence of the security module. The decision to disallow "authoritative hooks" was made explicitly back in 2001 as a way of restricting the scope of LSM modules and, hopefully, ensuring that those modules would not themselves become security problems.

But capabilities are an inherently authoritative mechanism - a capability check verifies the existence of a special permission which would otherwise not be there. The device whitelist is the same sort of thing: it grants access which would otherwise be denied. So it fits poorly with the LSM model.
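The difference between the two hook styles is easiest to see in code. What follows is an added toy model, not kernel code: a baseline discretionary check, a constructed per-container device whitelist, and that same whitelist wired up once as an LSM-style restrictive hook and once as an authoritative hook. The struct names, the whitelist contents and the composition rules are this example's own assumptions; only the "deny but never grant" property of LSM hooks comes from the article.

```c
/* Added example (not kernel code): restrictive versus authoritative hooks,
 * using a per-container device whitelist as the policy. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define MAY_READ  4
#define MAY_WRITE 2

struct cred { unsigned uid; unsigned container_id; };
struct dev  { unsigned owner_uid; unsigned mode; unsigned major, minor; };

/* Baseline discretionary check: owner bits for the owner, "other" bits for
 * everyone else (group handling omitted to keep the model small). */
static int dac_permission(const struct cred *c, const struct dev *d, int want)
{
    unsigned bits = (c->uid == d->owner_uid) ? (d->mode >> 6) & 7 : d->mode & 7;
    return ((bits & (unsigned)want) == (unsigned)want) ? 0 : -EACCES;
}

/* Constructed whitelist: container 7 may read and write character device 1:3
 * and nothing else. */
struct whitelist_entry { unsigned container_id, major, minor; int access; };
static const struct whitelist_entry whitelist[] = {
    { 7, 1, 3, MAY_READ | MAY_WRITE },
};

static bool whitelist_allows(const struct cred *c, const struct dev *d, int want)
{
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (whitelist[i].container_id == c->container_id &&
            whitelist[i].major == d->major && whitelist[i].minor == d->minor &&
            (whitelist[i].access & want) == want)
            return true;
    return false;
}

/* LSM-style hook: 0 lets the existing decision stand, -EACCES adds a denial.
 * There is no return value that means "grant". */
typedef int (*restrictive_hook_t)(const struct cred *, const struct dev *, int);
static int whitelist_restrictive(const struct cred *c, const struct dev *d, int want)
{
    return whitelist_allows(c, d, want) ? 0 : -EACCES;
}

/* Authoritative hook: 1 grants, -1 denies, 0 has no opinion. */
typedef int (*authoritative_hook_t)(const struct cred *, const struct dev *, int);
static int whitelist_authoritative(const struct cred *c, const struct dev *d, int want)
{
    return whitelist_allows(c, d, want) ? 1 : -1;
}

/* Composition under the LSM rule: DAC runs first and the hooks are consulted
 * only if it passed, so a denial can never be overturned. */
int permission_restrictive(const struct cred *c, const struct dev *d, int want,
                           const restrictive_hook_t *hooks, size_t nhooks)
{
    int rc = dac_permission(c, d, want);
    for (size_t i = 0; i < nhooks && rc == 0; i++)
        rc = hooks[i](c, d, want);
    return rc;
}

/* Composition with authoritative hooks: a grant replaces the DAC result, a
 * denial from any hook still wins. A capability check behaves this way. */
int permission_authoritative(const struct cred *c, const struct dev *d, int want,
                             const authoritative_hook_t *hooks, size_t nhooks)
{
    int rc = dac_permission(c, d, want);
    for (size_t i = 0; i < nhooks; i++) {
        int v = hooks[i](c, d, want);
        if (v < 0)
            return -EACCES;
        if (v > 0)
            rc = 0;
    }
    return rc;
}

/* The same policy under both compositions, for side-by-side comparison. */
const restrictive_hook_t   restrictive_hooks[]   = { whitelist_restrictive };
const authoritative_hook_t authoritative_hooks[] = { whitelist_authoritative };
```

Run an unprivileged process in container 7 against a root-owned, mode 0600 device that is on the whitelist: the restrictive composition denies, because DAC already said no and the hook has no way to say yes; the authoritative composition grants. Both compositions still deny a device that is not on the list, even when DAC would allow it, which is the restrictive half of the feature and is why it fitted the LSM model at all.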

Serge came back with yet another patch which takes the whitelist code out of the LSM framework and, instead, inserts a separate set of hooks into the relevant places in the code. Those hooks sit right next to the LSM hooks, but operate in a permissive manner. So far, this approach seems to be passing muster, with no developers (yet) talking about booting it out into yet another subsystem.

Things may yet change, though. Casey Schaufler is now talking about the creation of a "Linux privilege module" framework for the management of all permissions checks. The normal discretionary access control checks could be moved there, as could all capability and "are they root?" logic. And, of course, the device whitelist code. Nobody has really spoken out against this idea - but, then, nobody has seen any code yet either. But, if things continue in this direction, authoritative hooks may have finally found a home, many years after having been rejected from the LSM mechanism.

Comments (8 posted)

A new suspend/hibernate infrastructure

By Jonathan Corbet
March 19, 2008
While attending conferences, your editor has, for some years, made a point of seeing just how many other attendees have some sort of suspend and resume functionality working on their laptops. There is, after all, obvious value in being able to sit down in a lecture hall, open the lid, and immediately start heckling the speaker via IRC without having to wait for the entire bootstrap sequence to unfold. But, regardless of whether one is talking about suspend-to-RAM ("suspend") or suspend-to-disk ("hibernation"), there are surprisingly few people using this capability. Despite the efforts which have been made by developers and distributors, suspend and hibernate still just do not work reliably for a lot of people.

For your editor, suspend always works, but the success rate of the resume operation is about 95% - just enough to keep using it while inspiring a fair amount of profanity in inopportune places.

Various approaches to fixing suspend and hibernation have been proposed; these include TuxOnIce and kexec jump. Another possibility, though, is to simply fix the code which is in the kernel now. There is a lot that has to be done to make that goal a reality, including making the whole process more robust and separating the suspend and hibernation cases which, as Linus has stated rather strongly several times, are really two different problems. To that end, Rafael Wysocki has posted a new suspend and hibernation infrastructure for devices which has the potential to improve the situation - but at a cost of creating no less than 20 separate device callbacks.

For the (relatively) simple suspend case, there are four basic callbacks which should be provided in the new pm_ops structure by each bus and, eventually, by every device:

    int (*prepare)(struct device *dev);
    int (*suspend)(struct device *dev);

    int (*resume)(struct device *dev);
    void (*complete)(struct device *dev);

When the system is suspending, each device will first see a call to its prepare() callback. This call can be seen as a sort of warning that the suspend is coming, and that any necessary preparation work should be done. This work includes preventing the addition of any new child devices and anything which might require the involvement of user space. Any significant memory allocations should also be done at this time; the system is still functional at this point and, if necessary, I/O can be performed to make memory available. What should not happen in prepare() is actually putting the device into a low-power state; it needs to remain functional and available.

As usual, a return value of zero indicates that the preparation was successful, while a negative error code indicates failure. In cases where the failure is temporary (a race with the addition of a new child device is one possibility), the callback should return -EAGAIN, which will cause a repeat attempt later in the process.

At a later point, suspend() will be called to actually power down the device. With the current patch, each device will see a prepare() call quickly followed by suspend(). Future versions are likely to change things so that all devices get a prepare() call before any of them are suspended; that way, even the last prepare() callback can count on the availability of a fully-functioning system.

The resume process calls resume() to wake the device up, restore it to its previous state, and generally make it ready to operate. Once the resume process is done, complete() is called to clean up anything left over from prepare(). A call to complete() could also be made directly after prepare() (without an intervening suspend) if the suspend process fails somewhere else in the system.

The hibernation process is more complicated, in that there are more intermediate states. In this case, too, the process begins with a call to prepare(). Then calls are made to:

    int (*freeze)(struct device *dev);
    int (*poweroff)(struct device *dev);

The freeze() callback happens before the hibernation image (the system image which is written to persistent store) is created; it should put the device into a quiescent state but leave it operational. Then, after the hibernation image has been saved and another call to prepare() made, poweroff() is called to shut things down.

When the system is powered back up, the process is reversed through calls to:

    int (*quiesce)(struct device *dev);
    int (*restore)(struct device *dev);

The call to quiesce() will happen early in the resume process, after the hibernation image has been loaded from disk, but before it has been used to recreate the pre-hibernation system's memory. This callback should quiet the device so that memory can be reassembled without being corrupted by device operations. A call to complete() will follow, then a call to restore(), which should put the device back into a fully-functional state. A final complete() call finishes the process.

There are still two more hibernation-related callbacks:

    int (*thaw)(struct device *dev);
    int (*recover)(struct device *dev);

These functions will be called when things go wrong; once again, each of these calls will be followed by a call to complete(). The purpose of thaw() is to undo the work done by freeze() or quiesce(); it should put the device back into a working state. The recover() call will be made if the creation of the hibernation image fails, or if restoring from that image fails; its job is to clean up and get the hardware back into an operating state.

For added fun, there are actually two sets of pm_ops callbacks. One is for normal system operation, but there is another set intended to be called when interrupts are disabled and only one CPU is operational - just before the system goes down or just after it comes back up. Clearly, interactions with devices will be different in such an environment, so different callbacks make sense. But the result is that fully 20 callbacks must be provided for full suspend and hibernate functionality. These callbacks have been added to the bus_type structure as:

    struct pm_ops *pm;
    struct pm_ops *pm_noirq;

Fields by the same name have also been added to the pci_driver structure, allowing each device driver to add its own version of these callbacks. For now, the old PCI driver suspend() and resume() callbacks will be used if the pm_ops structures have not been provided, and no drivers have been converted (at least in the patch as posted).
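The callback ordering described above is easy to get wrong in a driver, so here is an added user-space model of it: a pm_ops structure carrying the ten normal-context callbacks named in the article (the pm_noirq set is left out), a constructed device that records every callback it sees, and three sequencers that drive the suspend, hibernate and restore paths. This is not Rafael's patch and not LWN's code; the device, the trace format, the bounded retry on -EAGAIN and the error-path ordering (complete() straight after prepare() when another device fails; recover() then complete() when the image cannot be written) are this example's reading of the article rather than the patch's exact behaviour.

```c
/* Added example (not kernel code): a model of the pm_ops callback sequence. */
#include <errno.h>
#include <string.h>

struct device;

/* The ten normal-context callbacks named in the article. */
struct pm_ops {
    int  (*prepare)(struct device *dev);
    int  (*suspend)(struct device *dev);
    int  (*resume)(struct device *dev);
    void (*complete)(struct device *dev);
    int  (*freeze)(struct device *dev);
    int  (*poweroff)(struct device *dev);
    int  (*quiesce)(struct device *dev);
    int  (*restore)(struct device *dev);
    int  (*thaw)(struct device *dev);
    int  (*recover)(struct device *dev);
};

/* Constructed device: records which callbacks ran, and in which order. */
struct device {
    const struct pm_ops *pm;
    char trace[256];
    int  eagain_left;   /* how many prepare() calls should still report -EAGAIN */
    int  powered;       /* 1 while the device is operational */
};

static void record(struct device *dev, const char *name)
{
    if (dev->trace[0])
        strncat(dev->trace, ",", sizeof dev->trace - strlen(dev->trace) - 1);
    strncat(dev->trace, name, sizeof dev->trace - strlen(dev->trace) - 1);
}

/* prepare() may report a transient failure (e.g. a child device was just
 * added); the caller is expected to retry later. */
static int dev_prepare(struct device *dev)
{
    record(dev, "prepare");
    if (dev->eagain_left > 0) { dev->eagain_left--; return -EAGAIN; }
    return 0;
}
static int  dev_suspend(struct device *dev)  { record(dev, "suspend");  dev->powered = 0; return 0; }
static int  dev_resume(struct device *dev)   { record(dev, "resume");   dev->powered = 1; return 0; }
static void dev_complete(struct device *dev) { record(dev, "complete"); }
static int  dev_freeze(struct device *dev)   { record(dev, "freeze");   return 0; } /* quiescent, still powered */
static int  dev_poweroff(struct device *dev) { record(dev, "poweroff"); dev->powered = 0; return 0; }
static int  dev_quiesce(struct device *dev)  { record(dev, "quiesce");  return 0; }
static int  dev_restore(struct device *dev)  { record(dev, "restore");  dev->powered = 1; return 0; }
static int  dev_thaw(struct device *dev)     { record(dev, "thaw");     return 0; } /* undoes freeze()/quiesce() */
static int  dev_recover(struct device *dev)  { record(dev, "recover");  dev->powered = 1; return 0; }

const struct pm_ops example_pm_ops = {
    dev_prepare, dev_suspend, dev_resume, dev_complete, dev_freeze,
    dev_poweroff, dev_quiesce, dev_restore, dev_thaw, dev_recover,
};

/* Call prepare(), retrying a bounded number of times on -EAGAIN. */
static int call_prepare(struct device *dev)
{
    int rc = -EAGAIN;
    for (int tries = 0; tries < 3 && rc == -EAGAIN; tries++)
        rc = dev->pm->prepare(dev);
    return rc;
}

/* Suspend-to-RAM: prepare -> suspend -> (sleep) -> resume -> complete.
 * If something else in the system refuses, only complete() follows prepare(). */
int pm_suspend_cycle(struct device *dev, int failure_elsewhere)
{
    int rc = call_prepare(dev);
    if (rc)
        return rc;
    if (failure_elsewhere) {
        dev->pm->complete(dev);
        return -EBUSY;
    }
    rc = dev->pm->suspend(dev);
    if (rc == 0)
        rc = dev->pm->resume(dev);
    dev->pm->complete(dev);
    return rc;
}

/* Hibernation, going down: prepare -> freeze -> (image written) -> prepare -> poweroff. */
int pm_hibernate_cycle(struct device *dev, int image_written)
{
    int rc = call_prepare(dev);
    if (rc)
        return rc;
    rc = dev->pm->freeze(dev);
    if (rc) { dev->pm->complete(dev); return rc; }
    if (!image_written) {               /* image creation failed: recover, then complete */
        dev->pm->recover(dev);
        dev->pm->complete(dev);
        return -EIO;
    }
    rc = call_prepare(dev);             /* second prepare() before the final power-off */
    if (rc)
        return rc;
    return dev->pm->poweroff(dev);
}

/* Powering back up: quiesce -> complete -> restore -> complete. */
int pm_restore_cycle(struct device *dev)
{
    int rc = dev->pm->quiesce(dev);     /* image loaded, memory not yet recreated */
    dev->pm->complete(dev);
    if (rc)
        return rc;
    rc = dev->pm->restore(dev);         /* memory recreated: bring the device back */
    dev->pm->complete(dev);
    return rc;
}
```

The trace a device accumulates is the useful part: a driver author can compare it against the sequence the article lays out, and a device whose first prepare() reports -EAGAIN shows up as two prepare entries followed by the normal path. The model calls prepare() and suspend() back to back per device, as the patch as posted does; the planned change to prepare all devices before suspending any would move the loop out of pm_suspend_cycle() without changing the per-device trace.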

As of this writing, discussion of the patch is hampered by an outage at vger.kernel.org. There are some concerns, though, and things are likely to change in future revisions. Among other things, the number of "no IRQ" callbacks may be reduced. But, with luck, the final resolution will leave us all in a position where suspend and hibernate work reliably.

Comments (7 posted)

Patches and updates

Kernel trees

Linus Torvalds Linux 2.6.25-rc6

Architecture-specific

Jeremy Fitzhardinge x86: unification and xen updates
venkatesh.pallipadi@intel.com x86: PAT support updated - v3

Core kernel code

Development tools

Device drivers

Filesystems and block I/O

Memory management

Security-related

Virtualization and containers

Miscellaneous

Page editor: Jonathan Corbet

Distributions

News and Editorials

Electing the openSUSE board

By Rebecca Sobol
March 19, 2008
The openSUSE project takes another step in becoming a true community project. The current openSUSE board, appointed by Novell, will soon be replaced by an elected board. The question that is being debated on the opensuse-project mailing list is "Who can vote for the openSUSE board?"

Among the openSUSE community there are Members and a larger number of Users. "'openSUSE Members' are specifically distinguished contributors who have brought a continued and substantial contribution to the openSUSE project. They are approved by the openSUSE board." Becoming a user is as easy as registering on the wiki.

Some possible answers to the "who can vote" question include:

  • members only
  • anyone (members + registered users)
  • members + non-members vouched for by members
  • members + users who have signed the Guiding Principles

At this time the number of members is low. There are concerns that having members (who are appointed by the board) as the only voters for the board could exclude the greater community. On the other hand, opening up elections to the greater user community is difficult to police: it should be verifiable that each eligible voter has only one vote counted. Other projects may serve as a guide for this issue.

Debian has the Debian Voting Information page which defines how voting is done and how votes are counted. Debian restricts voting to Debian Developers (DDs), who must sign their vote with their key, which is also on the official keyring. DDs may vote more than once, but only the last vote is counted, so voting is restricted and it's easy to ensure one vote per person.

The Fedora project has defined Fedora Board Elections more recently than Debian. This document states that 5 of 9 seats on the board are appointed by the board. Voting is open for the remaining seats to those who have a valid account in the Fedora Account System. Getting an account on the Fedora Account System requires an application and approval process that is somewhat similar to becoming an openSUSE Member.

The GNOME Foundation Elections process was also raised as a model. GNOME membership is open to any contributor willing to go through the application process.

Given those three examples it does seem that voting privileges are typically restricted to a subset of the community that has made both a commitment and continuing contributions to the project. The main difference is that openSUSE membership is relatively new and is therefore a small segment of the greater community. Over time the membership will grow and members-only elections may become more appealing. In any case, the procedures that are defined for this election may be changed for subsequent elections.

Comments (1 posted)

New Releases

64 Studio 2.1rc1 is out

The first release candidate for 64 Studio 2.1 is available for testing. Click below for a look at known bugs, download and other information.

Full Story (comments: none)

Debian Installer Lenny Beta1

The first beta of the Debian Lenny installer is available for testing. There are many new features that were not in the etch installer. "The debian-installer team is still looking for active contributors for new features, bug triaging and squashing, improvements on the manual and the developer documentation. If you want Lenny to release on time, please join and help."

Full Story (comments: none)

Announcing Foresight 2.0

Foresight Linux 2.0 has been released for the x86 and x86_64 platforms; it features the recently released GNOME 2.22 desktop environment. "Foresight Linux is a Linux distribution for your desktop that features a rolling release schedule that always keeps your desktop up to date. Foresight includes innovative applications that make using your computer easy, including Banshee for music management, F-Spot for photo management, as well as vibrant user and developer community. New in Foresight 2.0: The Foresight 2.0 features a new tar-based installer, that should install in less than 10 minutes, including formatting a 200 GB hard drive."

Full Story (comments: 9)

Mandriva Linux 2008 Spring RC 2 "Aceras" released

The second release candidate of Mandriva Linux 2008.1 is available. "This pre-release includes support for easy synchronization of Windows Mobile 5+, Blackberry and Nokia devices, the Codeina multimedia codec installation system, support for Radeon HD 3xxx series graphics cards, more improvements to the Mandriva software installation tools, the finalized 2008 Spring theme, a new metapackage for easily installing a complete LAMP setup, and available KDE 4.0.2."

Full Story (comments: none)

Ulteo Application System Beta1 ready for download

Ulteo has released the Ulteo Application System (AS) Beta1. The AS is an installable version of Ulteo, for the local PC, that comes with applications and features. The previously released Online Desktop (OD) uses the network to provide applications and online document storage. "Automatic synchronization of documents with the Ulteo Online Desktop, automatic upgrading, new "My Digital life" panel, full installation in about 5 minutes, hundreds of applications available--that's what a user can find in this just-released installable version of Ulteo Application System Beta1."

Full Story (comments: none)

Distribution News

Debian GNU/Linux

Bits from the Lintian maintainers

Russ Allbery presents a look at Debian lintian development. "Lintian has been under fairly active development for the past couple of years. We've been averaging a "large" release closing a double-digit number of bugs every couple of months or so, usually followed by a few quick bug fix releases in new checks. There have been 18 Lintian releases since the etch release. Lintian currently has 674 different tags, up from the 500 milestone about four years ago despite consolidation of closely-related tags."

Full Story (comments: none)

Bits about Bug Squashing Parties (BSPs)

Debian bug squashing parties are happening in real life. Even if you are not close to any of the actual locations where people are squashing bugs, you can join in on IRC. Click below for more information on where and when people will be squashing those release critical bugs in Lenny.

Full Story (comments: none)

Status of dependency based boot sequencing release goal 2008-03

Petter Reinholdtsen looks at the status of the release goal of converting the Debian boot sequencing to use dynamic and dependency based ordering instead of hardcoded sequence numbers. "To weed out these bugs, testing is needed. As there are still a lot of problems with packages not propagating into testing, I would recommend to limit testing to unstable installations at the moment."

Full Story (comments: none)

Fedora

Fedora 9 to remove pointers to proprietary codecs

The Fedora project board met on March 11 and decided to remove the pointers to the "non-free" Fluendo codecs from Codeina (aka CodecBuddy) for Fedora 9. This is a big change from the Fedora 8 behavior. The only Fluendo codec that will still be referenced from Codeina is the free MP3 codec, which may have patent problems in some jurisdictions. As might be guessed, there are folks on both sides of this contentious issue. Some think it runs counter to the ideals of Fedora, while others lament the treatment of Fluendo. LWN covered Codeina/CodecBuddy last November.

Comments (18 posted)

Fedora's advice on GPL compliance

The Fedora Project has been worried about remaining in compliance with the GPL while handing out binary distribution CDs. The result is this set of guidelines. "Now, if someone at the show asks, you can encourage them to download the code themselves (and become a contributor to Fedora). If they insist on getting source code on physical media, then provide them with CDs with the source code. This is an additional bit of work on the part of our Ambassadors, but it protects both the Ambassadors, and the Fedora Project, from any undue criticism and future obligation under these licenses."

Full Story (comments: 19)

K12Linux Development Resources

The K12Linux sub-project is working to integrate LTSP5 into Fedora 9. LTSP enables any machine to become a terminal server and to boot thin clients.

Full Story (comments: none)

Fedora Board Recap 2008-MAR-04

Here's a look at the March 4, 2008 meeting of the Fedora Board, where topics included Secondary Arch Hosting, Post-release updates of custom spins, and several other topics.

Full Story (comments: none)

Fedora Board Recap 2008-MAR-11

Click below for a look at the March 11 meeting of the Fedora board. Topics discussed include Post-release updates of custom spins, Google Start Page, Codeina, and several other topics.

Full Story (comments: none)

Tiemann speech online

Michael Tiemann's "Fedora in the Enterprise" speech from FUDCon Raleigh 2008 is now available in Ogg Theora format on the Fedora torrent site. "Unfortunately, some scheduling and technical conflicts meant we couldn't capture the entire speech, but only the first 15 minutes. We're sorry for the inconvenience, and hope you enjoy the segment we were able to provide."

Full Story (comments: none)

Gentoo Linux

Gentoo Council summary for 13 March 2008

Click below for some notes from the March 13 meeting of the Gentoo council. Continuing topics include slacker arches, GLEP 46 and EAPI=0. New topics include Summer of Code, package maintainers, amd64 arch team and big bug list, and more.

Full Story (comments: none)

Mandriva Linux

Synchronizing with Windows Mobile 5 and 6 made easy in Mandriva Linux 2008 Spring

Adam Williamson has been working on "the easiest ever support for synchronizing with Windows Mobile 5 and 6 devices in any distribution", for the upcoming Mandriva Linux 2008 Spring. "Support is included for synchronizing with both KDE (KDE PIM) and GNOME (Evolution). Similarly easy synchronization is also possible with many Nokia phones and with Blackberry devices."

Full Story (comments: none)

SUSE Linux and openSUSE

openSUSE Packaging Days II

openSUSE Packaging Days is an event for application developers, project contributors and anyone else who wants to learn how to provide binary packages for all the popular distributions. The openSUSE Build Service will do most of the work for you. Join in on IRC Freenode at #opensuse-buildservice during April 4 - 5, 2008, where community members will be standing by to provide support and answer questions about using the build service and creating packages.

Full Story (comments: none)

openSUSE participates in Google Summer of Code: Looking for Mentors, Projects, Students

openSUSE has been accepted into the Google Summer of Code 2008. "We're now in the "interim period" for students to discuss application ideas with mentoring organizations. (That'd be us.) Students will then have from March 24th through March 31st to apply to Google." Students should look at the ideas page for more information and timeline.

Full Story (comments: none)

Recordings of FOSDEM talks are online

openSUSE has made available videos from FOSDEM. They are linked from this page.

Full Story (comments: none)

Ubuntu family

Ubuntu gets SELinux

It's official: SELinux is now available in the Ubuntu development ("Hardy Heron") distribution. "This is the result of the amazing work of the ubuntu-security and ubuntu-hardened teams, as well as the huge contributions from the folks at Tresys. (note: SELinux will not be the default, but is available as a security option.)" Installing it is a simple apt operation.

Comments (none posted)

Ubuntu Technical Board decisions

Matt Zimmerman reports on two decisions made by the Ubuntu Technical Board regarding the Ubuntu 8.04 release. 1) Automatic indexing in tracker will be disabled by default. 2) The SPARC port will not be officially supported in Ubuntu 8.04. Click below for details.

Full Story (comments: none)

Celebrating Hug Day - 20 March 2008

Ubuntu hug days have been going on regularly, each one targeting some part of Hardy that needs work. This one on the 20th is dedicated to NetworkManager. Find out more about Hug Days.

Full Story (comments: none)

New Distributions

Clonezilla Live

Clonezilla Live combines Debian Live with Clonezilla to create a tool for easily cloning individual machines using a CD, DVD or USB flash drive. Clonezilla live 1.0.9-19 (stable) was recently announced.

Comments (none posted)

Distribution Newsletters

Ubuntu Weekly Newsletter #82

The Ubuntu Weekly Newsletter for March 15, 2008 covers the Ubuntu 8.04 beta freeze, Ubuntu Classroom team, the return of Ubuntustats.com, LoCo projects from the Jordanian, New Mexico, and UK teams, Ubuntu Studio at Sheffield University, and much more.

Full Story (comments: none)

OpenSUSE Weekly News/14

In this week's openSUSE Weekly News you'll find Videos and Slides from FOSDEM 2008, openSUSE to Participate in Google Summer of Code 2008, Novell Free Hugs at CeBit 2008, KIWI-LTSP 0.3.14 Now Out, LimeJeOS, the openSUSE-based JeOS is Born, Banshee 1.0Alpha1 is Available with 1-Click-Install, New KDE Four Live and updated KDE 4.1 Snapshot Packages, HP to preload SUSE Linux Enterprise Desktop on Notebooks, Desktops, In Tips and Tricks: Best Practices for Editing Configuration Files, Upcoming: openSUSE 11.0 Alpha 3 (later today), and more.

Comments (none posted)

Gentoo Monthly Newsletter

The March edition of the Gentoo Monthly Newsletter covers Gentoo Trustee Election Result, New operations lead for SPARC, New Gentoo Book, Council Meeting Summary, and several other topics.

Comments (none posted)

Fedora Weekly News Issue 124

The Fedora Weekly News for March 10, 2008 is out. "In Announcements, we have "Announcing the relaunch of the Fedora BugZappers!" In Planet Fedora, we have "OLS (Ottawa Linux Symposium)", "Fluendo, Bastien, et al", "Desktop User Guide (Needs help to finish it off)", and "OpenExpo 2008 - Day 2"" Several other topics are covered as well.

Full Story (comments: none)

Debian's misc development news (#5)

This edition of misc development news covers the Debian Documentation Project switch to SVN, Machine-interpretable debian/copyright, WNPP status changes sent to PTS subscribers, a new method for device probing in grub-install / update-grub and policy checker linda removed from testing/unstable. Click below for details.

Full Story (comments: none)

DistroWatch Weekly, Issue 244

The DistroWatch Weekly for March 17, 2008 is out. "PC-BSD, a user-friendly variant of FreeBSD with a web-based software installation system, continues to deliver updated releases on a regular basis. We'll take a look at the just-released version 1.5. Does it support modern hardware well? And can it challenge the popular desktop Linux distributions? Read below for some answers. In the news section, Ubuntu enters a beta freeze stage, KNOPPIX gets busy with bug fixes, the Hungarian PCLinuxOS community releases PCe17OS, OpenBSD publishes the 4.3 information page, and Dru Lavigne announces the availability of an up-to-date BSDA certification DVD. Also in this issue, learn about pkg-get, a package management utility for OpenSolaris and follow an interesting analysis of the DistroWatch Page Hit Ranking logs as published by a group of data mining researchers in France."

Comments (none posted)

Distribution meetings

DebConf8 Registration closes soon

Registration for DebConf8 will close at the end of this month. DebConf8 will take place in Mar del Plata, Argentina from Sunday 10 to Saturday 16 August 2008.

Full Story (comments: none)

Interviews

People of openSUSE: Timo Hönig

People of openSUSE introduces Timo Hönig. "What do you think was your most important contribution to the openSUSE project/community or what is the contribution that you're most proud of? Definitely the times when I broke D-Bus in late RC phase. Those times made people realize how buggy their own applications are, as the applications nicely threw signal 11. Other than that, all of my open source projects."

Comments (none posted)

Distribution reviews

Red Hat Enterprise Linux 5.2 Beta released (Linux-Watch)

Linux-Watch takes a look at the Red Hat Enterprise Linux 5.2 beta release. "This beta is being made available across the entire RHEL family. So you can try both the vanilla RHEL 5.2 and the Advanced Platform version on the AMD and Intel 64, Itanium, S/390, System p, and System z platforms. The beta for the RHEL 5 Desktop for x86 and AMD64/Intel is also being made available. The major upgrades are going to be in virtualization. RHEL is upgrading its core virtualization hypervisor, Xen, to Xen 3.1.2. It also features improvements in its NUMA (Non-Uniform Memory Access) interface as well as support for up to 64 processors per system with up to 512GB of memory per server."

Comments (6 posted)

Page editor: Rebecca Sobol

Development

The Banshee Music Management and Playback Utility

By Forrest Cook
March 19, 2008
The Banshee project is creating a music management and playback utility for the GNOME desktop. The Banshee home page states:

Import, organize, play, and share your music using Banshee's simple, powerful interface. Rip CDs, play and sync your iPod, create playlists, and burn audio and MP3 CDs. Most portable music devices are supported. Banshee also has support for podcasting, smart playlists, music recommendations, and much more.


Version 1.0 Alpha 1 (0.98.1) of Banshee has been announced. New features in this release include:

  • A code rewrite with an emphasis on performance improvements and better resource usage.
  • A new Album Browser feature with the ability to display album artwork.
  • A Play Queue feature for building on-the-fly music playlists.
  • New search capabilities for locating artists, albums and song titles.
  • Integration with the Last.fm music sharing service.
  • A built-in 10 band audio equalizer.
  • The new ability to play from a playlist while browsing new sources.

The version 1-0.98.1 change log file has more detailed information on the new release.

This 1.0 alpha release of Banshee is missing a number of features that were present in the earlier 0.13.2 version. There is no support for hardware devices yet, so it is not possible to import or burn CDs, talk to iPod devices or deal with USB or MTP devices. Numerous plugins have also been left out, so it is not possible to access podcasts, internet radio, music sharing services, etc. The release announcement states:

Do not despair, these features will be added back before the final 1.0 release. Many hardware related features are projected to land in the Alpha 2 and 3 releases of Banshee 1.0. We expect releases in quick succession leading up to the final 1.0 release.

Banshee 1-0.98.1 was installed on a system running an Athlon XP 1700 processor and 512MB of RAM. The operating system was the alpha 6 release of Ubuntu Hardy Heron for i386. The following steps were required to get the software running:

# apt-get install gnome-common automake1.9 monodoc
# apt-get build-dep banshee
The banshee-1-0.98.1.tar.bz2 source file was downloaded,
uncompressed and untarred.
$ ./configure --prefix=/usr
$ make
# make install
$ banshee-1

Banshee fired up as expected. Your author converted a few CDs to flac files and copied them to the system for testing. It did not take much effort to figure out how to play individual tracks and build playlists. The standard play/pause buttons and skip to previous or next track buttons worked as one would expect. The built-in equalizer worked, although it tended to produce audible clipping if a frequency band was turned up too high.

Unlike earlier versions of Banshee, the only internet music channel shown in version 1.0 was Last.fm. It was possible to use the standalone last.fm binary to access the site, but Banshee was only able to list the selections, not play them. The error message: don't know how to handle audio/mpeg... led to the source of the problem. The installation page was consulted, a large collection of gstreamer0.10-plugins were installed with the Synaptic package manager, and Banshee was restarted. Last.fm content came through loud and clear. One final issue was noticed with Banshee. When the application was run from the command line and exited using the GUI, it left the GNOME terminal in a locked-up state.

Future releases of Banshee will likely include fixes for some of the aforementioned issues. Banshee is an interesting application that can be used for combining a wide variety of audio listening functions into one place.

Comments (8 posted)

System Applications

Database Software

DbUnit: 2.2.1 released (SourceForge)

Stable version 2.2.1 of DbUnit has been announced. "DbUnit is a JUnit extension targeted for database-driven projects that, among other things, puts your database into a known state between test runs. The DbUnit Framework team is pleased to announce the dbunit-2.2.1 release! Changes in this version include: New features: Created H2 data factory Issue: 1897612. New point Datatype on MySqlDataTypeFactory Issue: 1798605. Thanks to Vera Wahler. Fixed Bugs".

Comments (none posted)

PostgreSQL 8.3.1, 8.2.7 update release

Versions 8.3.1 and 8.2.7 of the PostgreSQL DBMS have been announced. "Updates for versions 8.3 and 8.2 of the PostgreSQL database management system are available today. This minor release fixes more than 20 minor issues uncovered by our community in PostgreSQL 8.3.0 and 8.2.6 over the last few weeks. All users of 8.3 and 8.2 are urged to schedule an upgrade at the earliest reasonable opportunity."

Full Story (comments: none)

Postgres Weekly News

The March 16, 2008 edition of the Postgres Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

SQLite version 3.5.7 announced

Version 3.5.7 of the SQLite DBMS has been announced. "Version 3.5.7 fixes several minor and obscure bugs, especially in the autoconf-generated makefile. Upgrading is optional. This release of SQLite is considered stable and ready for production use."

Comments (none posted)

Device Drivers

umtsmon: 0.8 released (SourceForge)

Version 0.8 of umtsmon has been announced. "This program is to control your UMTS PCCard: enter SIM PIN code, send and receive SMS and control/monitor the network connection. umtsmon 0.8 has a lot of new features".

Comments (none posted)

Filesystem Utilities

announcing allmydata.org version 0.9

Version 0.9 of allmydata.org, a secure decentralized filesystem, is out. "This release of allmydata.org "Tahoe" will form the basis of the next consumer backup product from Allmydata, Inc. This release adds extensive "visibility into the grid" -- the web user interface now shows detailed information about the nodes comprising the grid and fine-grained statistics about the time and space used for the storage and retrieval operations."

Full Story (comments: none)

FreeNAS: 0.686.3 released (SourceForge)

Version 0.686.3 of FreeNAS has been announced. FreeNAS is available as a bootable ISO image. "NAS (Network Attached Storage) server supporting: CIFS, FTP, NFS, RSYNC, SSH, AFP, Unison, UPnP, iSCSI protocols, local and MS Domain authentication, Software RAID (JBOD,0,1,5), disk encryption with a Full WEB configuration interface. 32MB only. Major changes: - Remove consolehm sensor support because it doesn't work/recognize up-to-date hardware. Will be replaced with FreeBSD 7.0 sensor framework in FreeNAS 0.7. - WebGUI uses NiftyCubes for rounded corners with CSS and Javascript. - Validate minutes/hours/days/months/week days configuration on misc WebGUI pages (e.g. scheduled shutdown/reboot, RSYNC local, ...)."

Comments (none posted)

Networking Tools

ezRADIUS: initial release (SourceForge)

The initial release of ezRADIUS has been announced. The software is: "FreeRADIUS and chillispot web-based management. It's easy, simple and expandable. The main aim is to provide wireless administrators a simple web-based management application to manage wireless clients. FreeRADIUS must be configured to use MySQL as backend. Beta version of ezRADIUS finally released. This is the initial release for testbed and feedback gaining."

Comments (none posted)

Web Site Development

Flourish Player: v0.01 released (SourceForge)

Version 0.01 of the cross-platform Flourish Player has been announced. "Flourish Player aims to be a simple, fully customizable Flash (SWF) audio player able to be embedded into HTML pages. It can be built and fully customized using only free software. I am proud to announce that Flourish Player - the flash audio player for the web that can be fully customized with a toolchain containing only free and open source software - has now been released in version v0.01."

Comments (none posted)

Midgard 1.8.7 released

Version 1.8.7 of Midgard has been released. "The Midgard Project has released stable, 1.8.7 release version of the Midgard Open Source Content Management System. Midgard 1.8.7 "Flying Pancake" release includes major bugfixes and enhancements."

Full Story (comments: none)

Desktop Applications

Audio Applications

Audacious 1.5.0 released

Version 1.5.0 of Audacious, an audio player, has been announced. "We've been able to keep the hg tree in a releasable state during this entire development cycle, so we've gone ahead and released Audacious 1.5.0. You will probably want to be aware of some changes in direction, in a nutshell, we're moving support for winamp2 skins to a plugin, and providing a new default UI which we feel is more suited to audacious."

Comments (none posted)

eSpeak 1.36.02 announced

Version 1.36.02 of eSpeak, a text to speech synthesizer, has been announced. Changes include a faster top speed, improvements to the Polish version and bug fixes.

Comments (none posted)

pytagsfs version 0.5.0 released

Version 0.5.0 of pytagsfs, a FUSE filesystem that presents multiple views of tagged media files, is out. "This release includes significant enhancements as well as critical bug fixes: * Support for Python 2.4. * Support for source tree monitoring with Gamin; pytagsfs should now be cross-platform compatible. * Improved performance handling updates to the source tree. * Support for more graceful handling of path collisions. * Fixes for two serious bugs affecting data integrity (#195476, #195477)."

Full Story (comments: none)

Business Applications

Millennium BSA: 4.0 Now Available (SourceForge)

Version 4.0 of Millennium BSA has been announced. "Millennium Business Suite Anywhere (BSA) is a web-based ERP/CRM solution with integrated BPM. Millennium BSA automates resource planning (MRPII), distribution, inventory, payroll, HR, purchase, sales. Millennium BSA is distributed under GPL V2."

Comments (none posted)

Desktop Environments

GNOME 2.22 released (GnomeDesktop)

GnomeDesktop covers the release of GNOME 2.22. "Among the most significant additions in this release are the addition of a photo and video taking application that integrates with your webcam called Cheese, a new VNC viewer called Vinagre and the addition of an advanced and integrated IDE, Anjuta. Notable improvements are the improved support for DVD playback, subtitles and VLC support in the Totem video player, an improved international clock applet, Google calendar integration in Evolution, improved accessibility for web apps and a whole new library to support networked file-systems."

Comments (none posted)

GARNOME 2.22.0 released

Version 2.22.0 of GARNOME, the bleeding edge GNOME distribution, is out. "We are pleased to announce the release of GARNOME 2.22.0. This release incorporates the GNOME 2.22.0 Desktop and Developer Platform, fine-tuned with love by the GARNOME Team. It includes updates and fixes after the GNOME freeze, together with a host of third-party GNOME packages, Bindings and the Mono(tm) Platform."

Full Story (comments: none)

GNOME 2.23 Schedule

The GNOME 2.23 schedule has been announced. "The official schedule of GNOME 2.23/2.24 development cycle is available at: http://live.gnome.org/TwoPointTwentythree".

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

New XCB socket handoff mechanism for Xlib/XCB and other libraries

An RFC has gone out for a new XCB socket handoff mechanism for Xlib/XCB and other libraries. "Libraries like Xlib/XCB, some XCB language bindings, and potentially others have a common problem: they want to share the X connection with XCB. This requires coordination of request sequence numbers. XCB currently has an Xlib-specific lock, and allows Xlib to block XCB from making requests. The attached patches to XCB replace that lock with a handoff mechanism, xcb_take_socket, allowing external code to ask XCB for permission to take over the write side of the socket and send raw data with xcb_writev. The caller of xcb_take_socket must supply a callback which XCB can call when it wants the write side of the socket back to make a request. This callback synchronizes with the external socket owner, flushes any output queues if appropriate, and then returns the sequence number of the last request sent over the socket."

Full Story (comments: 1)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Music Applications

jack-keyboard 2.3 released

Version 2.3 of jack-keyboard has been announced; it includes one new feature and some bug fixes. "jack-keyboard is a virtual MIDI keyboard - a program that allows you to send JACK MIDI events (play ;-) using your PC keyboard. It's somewhat similar to vkeybd, except it uses JACK MIDI instead of ALSA, and the keyboard mapping is much better - it uses the same layout as trackers (like Impulse Tracker) did, so you have two and a half octaves under your fingers."

Full Story (comments: none)

Video Applications

pAny2DVD: initial release (SourceForge)

The initial release of pAny2DVD has been announced. "Let your videos convert to DVD-compliant MPEG-2 video format! pany2dvd.pl is a simple cmdline tool that helps you convert your video files into DVD-compliant MPEG2 video. The process of determining the right parameters is fairly sophisticated and almost fully automated."

Comments (none posted)

Languages and Tools

C

GCC 4.2.4 Status Report

The March 15, 2008 edition of the GCC 4.2.4 Status Report has been published. "The GCC 4.2 branch is open for commits under normal release branch rules. All fixes going on that branch should first have gone on trunk and 4.3 branch. GCC 4.2.4 is due around 2008-04-02, so 4.2.4-rc1 should be built by one of the release managers around 2008-03-26. Any further 4.2 releases after 4.2.4 may depend on whether there is expressed user and developer interest in further releases from this branch, or whether 4.3 has been widely adopted in place of 4.2."

Full Story (comments: none)

GCC 4.3.1 Status Report

The March 15, 2008 edition of the GCC 4.3.1 Status Report has been published. "The GCC 4.3 branch is open for commits under normal release branch rules. GCC 4.3.1 is due no later than 2008-05-05, but if a workaround for the x86 direction flag issue is agreed and committed soon then 4.3.1-rc1 may come around a week after such a workaround is committed to the branch, with the release following about a week later subject to no problems requiring 4.3.1-rc2 to be built."

Full Story (comments: none)

Caml

Caml Weekly News

The March 18, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

Java

OpenSwing: 1.5.1 released (SourceForge)

Version 1.5.1 of OpenSwing has been announced. "OpenSwing is a component library that provides a rich set of advanced graphics components and a framework for developing java applications based on Swing front-end. It can be applied both to rich client applications and Rich Internet Applications. In this release: Included support for JPA/EJB 3.0/TopLink Essentials: JPAUtils class has been provided to easily support grid pagination, filtering, sorting from OpenSwing GridControl to JPA API. Added "demo35" sample application to show how to combine JPA with OpenSwing. Updated web site documentation by adding description about how to use together JPA and OpenSwing."

Comments (none posted)

Perl

This Week on perl5-porters (use Perl)

The March 1-8, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.

Comments (none posted)

Perl 6 Design Meeting Minutes (use Perl)

The minutes from the March 12, 2008 Perl 6 Design Meeting have been published. "The Perl 6 design team met by phone on 12 March 2008. Allison, Jerry, Will, Mitchell, Nicholas, Jesse, and chromatic attended."

Comments (none posted)

Python

Python 2.6/3.0 release schedule

The release schedule for Python 2.6/3.0 is out. "Neal Norwitz and I have worked out the schedule for Python 2.6 and 3.0, which will be released in lockstep. We will be following a monthly release schedule, with releases to occur on the first Wednesday of the month. We'll move to a 2 week schedule for the release candidates. Executive summary: Python 2.6 and 3.0 finals are planned for September 3, 2008."

Comments (none posted)

Python-URL! - weekly Python news and links

The March 18, 2008 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The March 17, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Version Control

Guilt version 0.29 announced

Version 0.29 of Guilt, a series of bash scripts which add a Mercurial queues-like functionality and interface to git, is out. "This release is quite uneventful. It is made up of a few fixes here and there, and complete regression suite rewrite. Unfortunately, most of the exciting Guilt development went on in a topic branch, but the changes are far too invasive for me to include them in v0.29, so I'm going to merge that in for v0.30."

Full Story (comments: none)

Miscellaneous

The Linux binutils 2.18.50.0.5 is released

Version 2.18.50.0.5 of the Linux binutils has been announced. "This is the beta release of binutils 2.18.50.0.5 for Linux, which is based on binutils 2008 0314 in CVS on sourceware.org plus various changes. It is purely for Linux. All relevant patches in patches have been applied to the source tree. You can take a look at patches/README to see what has been applied and in what order they have been applied."

Full Story (comments: none)

Libtool 2.2 announced

Version 2.2 of Libtool, a generic library support script, has been announced. "It seems that after years of development, Libtool-2.0 was skipped and, instead, Libtool-2.2 has been released!"

Full Story (comments: 3)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Flash vs. hard drive battle heats up (Fortune)

Another one from the "benefits of the patent system" department: Fortune talks with Seagate CEO Bill Watkins about why that company is not worried about the increasing popularity of flash-based solid-state drives. "But in case flash prices continue to plummet and the flash drives really do catch on, Watkins has something else up his sleeve.... Seagate and Western Digital (WDC), two of the major hard drive makers, have patents that deal with many of the ways a storage device communicates with a computer, Watkins says. It stands to reason that sooner or later, Seagate will sue - particularly if it looks like SSDs could become a real threat."

Comments (20 posted)

Plan for voting machine probe dropped after lawsuit threat (nj.com)

Following up on yesterday's item about the threats made by Sequoia Voting against Ed Felten: NJ.com reports that plans for an independent audit of Sequoia's voting machines have been dropped. "Sequoia maintains the errors, which were documented in at least five counties, occurred due to mistakes by poll workers. The firm, which is based in Colorado, examined machines in Middlesex County, and concluded that poll workers had pushed the wrong buttons on the control panels, resulting in errors in the numbers of ballots cast. But officials found it odd that such an error never occurred before and the clerk's association wanted further testing. On the advice of the county's attorneys, however, [county clerk Joanne] Rajoppi said today she must forego all plans for independent analysis."

Comments (15 posted)

Trade Shows and Conferences

Novell starts talking SLES 11 (eWeek)

eWeek reports on Novell's plans for SUSE Linux Enterprise Server 11, as discussed at the company's BrainShare 2008 conference. "The technical areas of primary focus will be the mission-critical data center, the tools to allow Unix-to-Linux migration, green IT, and continued work on the Linux desktop, [CTO Jeff] Jaffe said. On the mission-critical data center front, SLES 11 will include automated and assisted self-healing capabilities, including single-node clusters and automated hardware failure detection, he said."

Comments (6 posted)

Interviews

Matthias Ettrich: The KDE-Man! (EFYtimes)

EFYtimes has an interview with KDE founder Matthias Ettrich covering KDE history, his role at Trolltech, KDE 4, and more. "I mean, try to compare Windows XP with KDE 3: nobody in their right mind would choose Windows over GNU/Linux based on the desktop experience alone. The Web problem has also been solved. Microsoft clearly lost the Web war -- they failed to enhance the Web in a proprietary way. What remains are some legal issues on the multimedia side that can be mostly worked around, the office documents formats issue and the flood of applications that only run on Windows, mostly games."

Comments (12 posted)

Linux Foundation: We'd love to work with Microsoft (InfoWorld)

InfoWorld presents an interview with the Linux Foundation's executive director Jim Zemlin. "InfoWorld: So are Microsoft's days as the dominant provider of desktop and server and maybe even handheld operating systems numbered? Zemlin: Monopolies don't last forever, so I mean, I think they've got a long way to go. It's just natural over time that people aren't going to allow a single company to dominate the market. But the more important thing that Microsoft I think is grappling with now, and you saw that recently they've opened up their protocols and they're trying to be a more open company, is they realize that there's been a fundamental shift in how companies create innovative products and compete in the marketplace. And companies are doing that through open and mass collaboration."

Comments (1 posted)

Interview: Tobias König about the development of Akonadi

kubuntu-de.org has an interview with Tobias König regarding Akonadi, the new personal information storage facility for KDE 4. "At first the most important: Akonadi is not a groupware server! In contrast, Akonadi is an intermediate storage and abstraction layer for PIM data. This is similar to Phonon, for multimedia or Solid for hardware. Akonadi abstracts the access and maintenance of data for the rest of the system (i.e. the address book or the calendar). This is achieved by offering a common interface for all the data."

Comments (none posted)

Reviews

Hands on: open-source scripting environment Komodo Edit 4.3 (ars technica)

ars technica reviews the newly-freed Komodo Edit release. "Komodo Edit has a decent range of features that put it squarely between a conventional editor and a full-fledged IDE. The feature set includes basic project management, a snippet system, effective find-and-replace with support for regular expressions, extremely robust support for plug-ins and user modification, a tab-based multiple document interface, syntax highlighting and folding, code completion and tips, and basic code validation."

Comments (4 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

BusyBox Developers Agree To End GPL Lawsuit Against Verizon

Busybox developers have agreed to dismiss another GPL enforcement lawsuit, this time against Verizon Communications. Verizon was distributing Actiontec equipment that had Busybox installed and was not providing the code to downstream users. "'Actiontec takes great pride in providing innovative, quality products to its customers, while respecting the intellectual property rights of third parties,' said Dean Chang, Actiontec's President and CEO. 'We appreciate the value of the technological contributions of the open source community, and look forward with renewed commitment to working cooperatively with them.'" Click below for the full press release from the Software Freedom Law Center.

Full Story (comments: 3)

Patent Office Grants EFF's request for reexamination of Online Gaming Patent

The Electronic Frontier Foundation has announced that the U.S. Patent and Trademark Office has granted a request for a reexamination of an online gaming patent. "Sheldon F. Goldberg was awarded the illegitimate patent for online gaming systems that use tournament-style play, advertising, and real-time updates of ladder-rankings in multi-player games. Goldberg has used this bogus patent to coerce licensing fees from numerous small businesses. In the reexamination request, EFF along with Paul Grewal and Brad Waugh of Day Casebeer Madrid & Batchelder show that the technology covered by the Goldberg patent had been widely disseminated in the public domain for years before Goldberg made his claim."

Full Story (comments: none)

Audacity and Google Summer of Code 2008

The Audacity sound editor project will be involved in the 2008 Google Summer of Code. "We are now seeking student participants. As we wrote in our application: At student selection stage, we look for evidence that the student has a real interest in our project, 'Do they actually use it?' rather than just choosing some project that is part of GSoC."

Comments (none posted)

gEDA GSoC 2008 project ideas

The gEDA electronic design tool project has announced a list of projects that could be used in the 2008 Google Summer of Code. "This page contains various ideas for projects, organized by the tool. You can use these as fodder for creating your application to Google. Also, if you have your own idea, feel free to share it with the gEDA developers – they might like it more than any project on this list!"

Comments (none posted)

WorldForge and the Google Summer of Code

The WorldForge virtual world project has announced its participation in the Google Summer of Code. "WorldForge has been accepted as a mentoring organization for the Google Summer of Code 2008. If you are a student interested in participating, see our project ideas list, visit us in the #lounge channel on irc.worldforge.org or say hello on the general mailing list. We are looking forward to hearing from you."

Comments (none posted)

10-year anniversary of the Linux-HA project

Alan Robertson has announced the ten year anniversary of the Linux-HA project. "The 10-year anniversary of the first working code was this week. I announced it 10 years ago yesterday."

Full Story (comments: 2)

Changes at OLPC

Ivan Krstić, the developer behind the One Laptop Per Child security model (among other things), has posted a message about his departure from that project. "I cannot subscribe to the organization's new aims or structure in good faith, nor can I reconcile them with my personal ethic. Having exhausted other options, three weeks ago I resigned my post at OLPC. It's been an outstanding experience, and I truly wish OLPC the best in its future endeavors. My belief in the mission is in no way compromised, and I will miss my coworkers dearly."

Comments (7 posted)

Sequoia v. Ed Felten

Ed Felten, who is starting to make a habit of drawing cease-and-desist notices from manufacturers, has posted a notice from Sequoia Voting Systems telling him not to analyze any voting machines. "Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property." Certainly a democracy would have no reason to want to know about the "behavior" of its voting machines.

Comments (44 posted)

United States PostgreSQL Association is launched!

The United States PostgreSQL Association has been launched. The association will support PostgreSQL in the US through user group development, conferences, education initiatives and fun.

Full Story (comments: 1)

USENIX opens access to conference proceedings

USENIX has announced that it has decided to offer open access to the proceedings from all of its conferences. "This significant decision will allow universal access to some of the most important technical research in advanced computing. In making this move USENIX is setting the standard for open access to information, an essential part of its mission." One might argue that it's a bit late to be "setting standards" in this regard, but it's still a good thing.

Comments (3 posted)

Commercial announcements

Alcatel-Lucent to integrate Red Hat Enterprise Linux and realtime

Alcatel-Lucent and Red Hat have announced a partnership. "Alcatel-Lucent and Red Hat, the leading provider of open source solutions, will integrate Red Hat Enterprise Linux and Realtime technologies in Alcatel-Lucent communication products for small and medium enterprises (SME). The collaboration supports Alcatel-Lucent's Dynamic Enterprise commitment to interconnecting people, networks, process and knowledge in a flexible, open environment while helping Red Hat expand its business."

Comments (none posted)

Funambol helps AGPLv3 license gain OSI approval

Funambol is helping the AGPLv3 license to achieve OSI approval. "Funambol, the leading provider of Mobile 2.0 messaging software powered by open source, today announced that the AGPLv3 has received formal approval by the Open Source Initiative (OSI). Funambol led the process of the license's approval by the OSI after adopting AGPLv3 in November. It was the first company to adopt the license, which closes the 'ASP loophole'."

Full Story (comments: none)

Ingres CAFE Brews up Interest With the Eclipse Open Source Development Community

Ingres Corporation has announced the launch of Ingres CAFE. "Ingres Corporation, a leading provider of open source database management software, announced today the creation of Ingres CAFE(TM) (Consolidated Application Foundation for Eclipse), which brings together in one bundle all the components developers need to create and deploy rich Java applications built using the Eclipse Foundation's open source development framework."

Comments (none posted)

Linspire and Fluendo announce partnership

Linspire, Inc. has announced a partnership with Fluendo S.A. involving the distribution of multimedia software via the CNR.com site. "Immediately available and one-click accessible through CNR.com's easy-to-use software delivery service, Fluendo's multimedia software products are now available to Freespire 2.0, Linspire 6.0, Ubuntu 7.04 and 7.10 users and will soon expand to additional popular Linux distributions".

Comments (none posted)

Nokia on its relationship with the open source community

Quim Gil has posted a brief note with pointers to a talk by Ari Jaaksi (in text, audio (MP3) and PDF slides forms) on how Nokia wants to work with the open source community. "We at Nokia are working hard to get it. We have to. We need to get better in communicating our strategies and plans. We need to be more open and get even more involved in various projects and communities. We must be better at articulating our views, providing information and code back, and supporting the community. We must be sure we support freedom and openness and do not try to limit anybody’s work. But at the same time, we must be better at telling what is OK for us and what is not."

Comments (16 posted)

Sesame Workshop welcomes Novell to the neighborhood

Novell has announced that it will work with Sesame Workshop. "Novell today announced that Sesame Workshop, the non-profit educational organization behind the ground-breaking children's television program 'Sesame Street,' has selected Novell to streamline its hardware and software infrastructure."

Comments (none posted)

Packt Publishing donates over $100,000 to open-source projects

Packt Publishing Ltd has announced that it has donated more than $100K to open-source projects. "Following its first donation to the phpMyAdmin project in April 2004, the company has gone on to provide sustained support for over thirty different open source projects. Packt has introduced initiatives such as the Open Source Project Royalty Scheme and Open Source CMS Award to provide sustained donations to projects over the last four years. The Open Source Project Royalty Scheme allows projects to benefit from the publication of a book, as they are allocated a percentage of every copy sold."

Comments (none posted)

SourceLabs debuts new class of tools for Linux and Java

SourceLabs has announced a new Self-Support offering for Linux and Java. "Until now customers have had to choose between using open source software without support or buying traditional support contracts from vendors at a cost and service level that hasn't always made sense. Now they have a third choice," said Byron Sebastian, CEO and Founder of SourceLabs. "Our Self-Support Suites together with our Swik.net social network use unique patent-pending technology that enables open source professionals to quickly access better information and analytical tools than support vendors have traditionally had at their fingertips. Much in the same way OSS commoditized the software industry, marking a huge shift in the way technology is developed and operates, we are extending that value to software support."

Comments (none posted)

Sun Microsystems becomes platinum member of The Open Group

The Open Group has announced that Sun Microsystems, Inc. has become a platinum member of the organization. "In this capacity, Sun will play a leading role in advancing best practices, standards and professional certification programs related to enterprise architects and IT Specialists, including The Open Group's Architecture Framework (TOGAF(TM)), IT Architect Certification (ITAC) and the IT Specialist Certification (ITSC)."

Comments (none posted)

New Books

New O'Reilly Radar Report--The Facebook Application Ecosystem

O'Reilly has published the book The Facebook Application Platform by Shelley D. Farnham.

Full Story (comments: none)

The Photograph: Composition and Color Design--New from Rocky Nook

Rocky Nook has published the book The Photograph: Composition & Color Design by Harald Mante.

Full Story (comments: none)

Resources

FSFE Newsletter

The March 17, 2008 edition of the FSFE Newsletter is online with the latest Free Software Foundation Europe news. Topics include: Microsoft's so-called 'interoperability' pledge excludes primary competitors, FSFE calls on Microsoft to release interoperability information without restrictions, FSFE at FOSDEM in Brussels, Belgium, SELF conference in Sofia, Bulgaria, FSFE participates in a global day for document liberation, FSFE announces the first European Licensing and Legal Workshop, Jonas Öberg in Sofia, Bulgaria, FSFE Context Briefing on DIS-29500: Deprecated before use?, "Fairware" for the Protestant Church in Germany, Late breakfast for Rhineland Fellows and RMS in Berlin.

Full Story (comments: none)

Upcoming Events

Linux Installfest workshop in Davis, CA

The Linux Users' Group of Davis will hold its next "Linux Installfest" workshop in Davis, California on April 13, 2008.

Full Story (comments: none)

Web 2.0 Expo San Francisco announces keynote lineup

TechWeb has announced the keynote lineup for Web 2.0 Expo San Francisco 2008. Registration has been opened for the conference. "TechWeb (formerly CMP) and O'Reilly Media, Inc., co-producers of Web 2.0 Expo, today announced the lineup of keynotes scheduled to appear at the upcoming Web 2.0 Expo San Francisco 2008 -- a list that includes Marc Andreessen, Max Levchin and Johnathan Schwartz, and many others. Web 2.0 Expo is the global annual gathering of developers, designers, marketers, and business professionals building the next generation Web, taking place April 22-25, 2008 at Moscone West."

Comments (none posted)

Events: March 27, 2008 to May 26, 2008

The following event listing is taken from the LWN.net Calendar.

Date(s): Event (Location)

March 26 - March 28: CanSecWest 2008 (Vancouver, BC, Canada)
March 29 - March 30: PostgreSQL Conference East 2008 (College Park, MD, USA)
March 31 - April 2: UKUUG Spring 2008 Conference - Dynamic Languages (Birmingham, England)
March 31: 2008 European Workshop on System Security (Glasgow, Scotland)
March 31 - April 2: UKUUG Spring 2008 Conference (Birmingham, England)
March 31 - April 2: Sharkfest Wireshark Network Analysis Summit (Los Altos Hills, CA, USA)
April 2: First meeting UKUUG PostgreSQL SIG (Birmingham, England)
April 3 - April 4: E-Mail Systems Conference 2008 (Exim and other mail systems) (Birmingham, England)
April 4 - April 5: openSUSE Packaging Days II (IRC, Everywhere)
April 7 - April 9: IT360 Conference & Expo (Toronto, Canada)
April 7 - April 11: Django Bootcamp with Juan Pablo Claude (Atlanta, Georgia, USA)
April 8 - April 10: Linux Foundation Collaboration Summit (Austin, TX, USA)
April 10 - April 13: Go-OO Conference 2008 (Prague, Czech Republic)
April 12 - April 13: Open Source Developers Conference Taiwan, 2008 (Taipei, Taiwan)
April 12 - April 13: LugRadio Live USA 2008 (San Francisco, CA, USA)
April 12 - April 18: KDevelop Developer Meeting 2008 (Munich, Germany)
April 14 - April 18: Embedded Systems Conference - Silicon Valley (San Jose, CA, USA)
April 14 - April 17: MySQL Conference and Expo (Santa Clara, CA, USA)
April 14 - April 18: Samba eXPerience 2008 (Göttingen, Germany)
April 15 - April 17: Embedded Linux Conference 2008 (Mountain View, CA, USA)
April 15 - April 17: SOA in Health Care (Chicago, IL, USA)
April 16 - April 18: X Developers' Conference 2008 (Mountain View, CA, USA)
April 16 - April 18: X Developers' Conference for 2008 (Mountain View, USA)
April 16 - April 18: Croatian Linux User Conference (Zagreb, Croatia)
April 17 - April 19: 9th International Free Software Forum (Porto Alegre, Brazil)
April 18 - April 19: Third Annual Silicon Valley Ruby Conference (San Jose, CA, USA)
April 18 - April 20: National Collegiate Cyber Defense Competition (San Antonio, TX, USA)
April 18 - April 20: Penguicon 2008 (Troy, Michigan, USA)
April 21 - April 25: Open Source meets Industry: Application Park and International Congress (Hannover, Germany)
April 22: The Mobile Future (Santa Clara, CA, USA)
April 22 - April 25: Web 2.0 Expo (San Francisco, CA, USA)
April 22: OSADL International Congress (Hannover, Germany)
April 23 - April 24: Troopers 2008 Security Conference (Munich, Germany)
April 23: Linux Foundation Spring Legal Summit (Schaumburg, IL, USA)
April 25 - April 29: Open Tech Summit Taiwan 2008 (Taipei, Taiwan)
April 25 - April 26: Guademy 2008 (Valencia, Spain)
April 27 - May 2: INTEROP Las Vegas 2008 (Las Vegas, NV, USA)
April 28 - May 4: Monotone Developer Summit (Wuppertal, Germany)
May 2 - May 3: Maker Faire Bay Area (San Mateo, CA, USA)
May 5 - May 9: Ruby on Rails Bootcamp with Charles B. Quinn (Atlanta, Georgia, USA)
May 8: Embedded Masterclass 2008 (London, UK)
May 8 - May 11: Libre Graphics Meeting 2008 (Wroclaw, Poland)
May 8 - May 9: IV WHYFLOSS CONFERENCE MADRID 08 (Madrid, Spain)
May 9 - May 11: Pycon Italia Due (Firenze, Italy)
May 12 - May 14: Where 2.0 Conference (Burlingame, CA, USA)
May 13: Embedded Masterclass 2008 (Bristol, UK)
May 15: NLUUG spring conference 2008 (Ede, the Netherlands)
May 15 - May 16: YAPC::Asia 2008 (Tokyo, Japan)
May 15 - May 16: V WHYFLOSS CONFERENCE CORRIENTES 08 (Corrientes, Argentina)
May 16 - May 17: FOSSCamp 2008 (Prague, Czech Republic)
May 17 - May 18: 4th Int. Workshop on Software Engineering for Secure Systems (SESS'08) (Leipzig, Germany)
May 17 - May 18: French-speaking Python Days (Paris, France)
May 19 - May 23: AFS and Kerberos Best Practices Workshop 2008 (Newark, NJ, USA)
May 20 - May 23: PGCon 2008 (Ottawa, Ontario, Canada)
May 20 - May 21: Digital Standards Organization (Digistan) Workshop (The Hague, The Netherlands)
May 21 - May 22: EUSecWest 2008 (London, England)
May 21 - May 22: linuxdays.ch Genève (Genève, Switzerland)

If your event does not appear here, please tell us about it.

Page editor: Forrest Cook


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds