LWN.net Weekly Edition for March 27, 2008
Striking gold in binutils
A new linker is not generally something that arouses much interest outside of the hardcore development community—or even inside it—unless it provides something especially eye-opening. A newly released linker, called gold, has just that kind of feature, though, because it runs up to five times as fast as its competition. For developers who do a lot of compile-link-test cycles, that kind of performance increase can significantly increase their efficiency.
Linking is an integral part of code development, but it can be invisible, as it is often invoked by the compiler. The sidebar accompanying this article is meant for non-developers or those in need of a refresher about linker operation. For those who want to know even more, the author of gold, Ian Lance Taylor, has a twenty-part series about linker internals on his weblog, starting with this entry.
For Linux systems, the GNU Compiler Collection (GCC) has been the workhorse by providing a complete toolchain to build programs in a number of different languages. It uses the ld linker from the binutils collection. With the announcement that gold has been added to binutils, there are now two choices for linking GCC-compiled programs.
A linker overview
For non-developers, a quick overview of the process that turns source code into executable programs may be helpful. Compilers are programs that turn C—or other high-level languages—into object code. Linkers then collect up object code and produce an executable. Usually the linker will not only operate on object code created from a project's source, but will also reference libraries of object code—the C runtime library libc for example. From those objects, the linker creates an executable program that a user can invoke from the command line. The linker allows program code in one file to refer to a code or data object in another file or library. It arranges that those references are usable at run time by substituting an address for the reference to an object. This "links" the two properly in the executable. Things get more complicated when considering shared libraries, where the library code is shared by multiple concurrent executables, but this gives a rough outline of the basics of linker operation.
The intent is for gold to be a complete drop-in replacement for ld—though it is not quite there yet. It is currently lacking support for some command-line options and Linux kernels that are linked with it do not boot, but those things will come. It also currently only supports x86 and x86_64 targets, but for many linker jobs, gold seems to be working well. The speed seems to be very enticing to some developers, with Bryan O'Sullivan saying:
Performance was definitely the goal that Taylor set for gold development. It supports ELF (Executable and Linking Format) objects and runs on UNIX-like operating systems only. Only supporting one object/executable format, along with a fresh start and an explicit performance goal are some of the reasons that gold outperforms ld.
Tom Tromey likes the looks of the code:
Because the implementation is geared for speed, Taylor used techniques that may confuse some. He has some concerns about the maintainability of his implementation:
Overall, it seems to be getting a nice reception by the community, with O'Sullivan commenting that he is "looking forward to the point where gold entirely supplants the existing binutils linker. I expect that won't take too long, once Mozilla and KDE developers find out about the performance boost." Once gold gets to that point, Taylor is already thinking about concurrent linking—running compiler and linker at the same time—as the next big step.
There are two other ongoing projects that are working with the greater GCC ecosystem in interesting ways: quagmire and ggx. Quagmire is an effort to replace the GNU configure and build system—consisting of autoconf, automake, and libtool—with something that depends solely on GNU make. Currently, that system uses various combinations of the shell, m4, and portable makefiles to make the building and installation of programs easy—the famous "./configure; make" command line. The tools were written that way to try and ensure that users did not need to install additional packages to configure and build GNU tools. Quagmire, which has roots in a posting by Taylor, recognizes that GNU make is ubiquitous, so basing a system around that makes a great deal of sense.
The ggx project is Anthony Green's step-by-step procedure to create an entire toolchain that can build programs for a processor architecture that he is creating as a thought experiment. The basic idea is to design the instruction set based on the needs of the compiler, in this case GCC, rather than the needs of the hardware designers. He is using GCC's ability to be retargeted for new architectures, along with its simulation capabilities to create a CPU that he can write programs for. As of this writing, he has a "hello world" program working, along with large chunks of the GCC test suite passing. Well worth a look.
Toward a free metaverse
Last month, an article about another attempt to free the proprietary Ryzom game expressed frustration with the implied idea that the free software community could not, on its own, create a game experience comparable to Ryzom. One of the resulting comments took issue with (what was seen as) a dismissive attitude toward the Second Life client and pointed out some of the work which is being done based on that client. So your editor decided to take another look. The bottom line is this: the work being done in this area is still in an early and unstable state, but it does have the potential to open a new frontier for free software in the area of virtual environments.
The Second Life client for Linux is now in a beta release. "Beta," in this case, means that all of the features have, in some way, been implemented; now it's just a matter of making it all actually work. Your editor found the client to be slow, unwieldy, crash-prone, and very fussy about its graphics environment. Your editor's well-supported (in X) Intel-based desktop was not adequate for this client, for example; the associated documentation recommends a long list of cards which (for now) are only supported with proprietary drivers. Still, on the right system, the client is able to render three-dimensional worlds with the same quality that, well, Second Life has on any platform.
An alternative is OpenViewer, a C#/Mono-based, BSD-licensed viewer project. Your editor had little luck getting this client going, but the screenshots are nice. The developers appear to have made significant progress toward the creation of a functional, three-dimensional client; this is a project to watch. Less far along is the Aether project, which is working on an OpenViewer-based client meant to run within Firefox; thus far, it has a nice design diagram but not much else.
There is also RealXtend, a project based on the Second Life client which is emphasizing performance and visual quality. Unfortunately, it also seems to be emphasizing Windows support, so your editor did not give it a try.
Free software clients are certainly an important tool to have; we will not be able to access this kind of virtual environment without them. But it would be a real shame if these clients simply facilitated a world where we use free clients to access locked-down, proprietary virtual worlds on somebody else's server. What would be much better would be the ability to create our own virtual worlds - using free software, of course - and to link those worlds into a larger virtual universe. That is the formula which made the World Wide Web (and many other Internet services) work, and it should certainly be applicable in this context as well.
The good news is that people are working in this area. One project, OpenSim, has the look of something which is about to achieve much wider awareness as its features mature. In short, OpenSim is a virtual world server which can be deployed to create environments much like what one would find in Second Life. It works with the Second Life client and with OpenViewer as well, and it presents a very similar experience - at least, in the virtual worlds which have been deployed so far. Since it's free software, it can be customized toward the creation of different kinds of environments, including role-playing games and such.
It is written with C# and Mono - seemingly a common choice for this kind of software. The Mono environment, for all its faults and potential pitfalls, may well make it easier to create a cross-platform application with the requisite features.
What makes OpenSim really interesting, though, is its ability to connect servers together in a "grid" mode. Once this is done, a virtual world is not limited to a single entity's server (or imagination). Servers across the net can be interconnected into a single, larger world. This is the feature which has the potential to take OpenSim from another interesting project into something which transforms the net.
There are a number of people organizing grids with OpenSim now; there is a list of public grids on the OpenSim site. Some of them appear to be relatively proprietary operations offering the opportunity to buy virtual land - though subprime loans are unavailable. Others allow anybody to connect their server into the grid and become part of the whole. These grids appear, in general, to be in a sort of early adopter state at the moment, but much of the fundamental functionality is there. How hard could it be to make it all work properly at this point?
The answer to that question, of course, is "quite hard." But the fact remains that people are working on this very interesting problem, and they are making significant progress toward solving it. These projects bear watching; they may well be planting the seeds of the systems we will all be using in the coming years.
Bruce Perens and the OSI board
The Open Source Initiative (OSI) was formed almost ten years ago to safeguard the "Open Source" name. Over the years it has approved licenses and attempted some other activities while, generally, having little relevance to the wider community. It has often been seen as a relatively closed and non-democratic organization. Now one of OSI's founders is trying to get back into the organization and change its direction; the outcome of the resulting discussion may (or may not) change the direction of the OSI.
Bruce Perens has launched a bid to be elected to the OSI board of directors, but this bid has not been particularly well received by the current board. His on-line petition to collect community support specifies a number of reasons that he wants to be on the board—those reasons are ruffling some feathers. Outgoing board member Matt Asay has taken Perens to task for some of his statements as has OSI president Michael Tiemann.
Perens's reasons for wanting to be on the board are threefold: reducing the over-representation of vendors, trying to ensure Microsoft does not get a seat on the board, and reducing license proliferation. The idea of a Microsoft seat on an open source organization's board is sure to rile a segment of the community, which is undoubtedly part of what Perens is hoping for. The likelihood of that happening is pretty small, though. Tiemann makes it clear that the board doesn't elect companies at all:
Microsoft and its employees do not currently contribute to open source in any substantial way, so there is little that would lead the board to nominate them. If that ever changes, it would be pretty disingenuous to deny someone a seat because of their employer's past—or even at that time, current—misbehavior. In addition, it is hard to see how one board member—Perens or someone "controlled" by Microsoft—is going to make such a crucial difference in what the board does anyway. In many ways, the Microsoft connection is a red herring—one sure to rally the troops, though.
Reducing license proliferation is a noble goal, one that the OSI tried to tackle a few years back without much in the way of tangible success. Perens states that he would like to see OSI do more to reduce the number of licenses, but his claims about the number of licenses needed have raised eyebrows:
Part of the reason that Tiemann and others are skeptical is due to some obvious bad blood between the board and Perens over the license proliferation committee. LWN covered some of that "debate" in August 2005. Perens clearly believes he should have been a member just as strongly as others on the board seem to feel he should not have been. When the board was formed without him as a member, Perens refused to participate in the process in any way. It seems to stick in the craw of some for Perens to now claim that he has the solution. Russ Nelson, former OSI president and current board member—as well as a member of the committee—sums up the frustration in a comment on Tiemann's post:
Having a solution is not the same as convincing people to adopt it.
It is rather interesting to see Perens trying to get back on the board that he famously resigned from in 1999 after having founded the organization with Eric Raymond in 1998. This is not the first time Perens has lost interest and/or resigned from some form of community leadership position; Debian and UserLinux spring to mind. Though none of the expressed concerns about his candidacy have mentioned it, some must be wondering how long it would be before ideology or a shifting focus caused Perens to move on from a board position if he were elected.
Perens has been an excellent advocate for free software and/or open source over the years, but his tendency towards self-promotion grates on some. It may not be an ego thing, as he claims, but it certainly rubs some people the wrong way. The ego issue is one of the reasons that board observer Andrew Oliver does not support Perens for the board:
Asay certainly doesn't see Perens as having the right credentials either:
The petition drive came about because Tiemann encouraged Perens to show that there was strong community support for him to be a part of the board. As of this writing, the petition has garnered more than 1700 "signatures", which Perens believes is enough:
The OSI board is "self-replacing" with current board members nominating and electing candidates for empty slots. Each director serves for a three-year term, with roughly one-third coming up for election each year—though this year there are five slots to be filled. Three directors are standing for re-election, leaving two slots open. Unfortunately, it's not clear when the actual election will be held, nor is there likely to be any advance notice of who has been nominated. Transparency, it seems, is not one of the attributes of OSI.
Self-replacement and overlapping terms of office tend to give a certain stability to a board, but it also creates a kind of inbreeding. It is unlikely that a board will nominate people who think substantially differently from themselves. This is one thing that Perens is trying to circumvent with his very public candidacy. Whatever else can be said about Perens's candidacy, it is clear that he would bring a different voice into the OSI boardroom.
But, what is OSI really? Is it an organization that is somehow supposed to represent all of the diverse voices in the community? At the moment it appears to exist for the purpose of approving licenses and "protecting the Open Source Definition". Perens thinks it could be more than that. OSI itself seems to agree as they have been moving towards more relevance in the community. Oliver describes that effort:
OSI and its board are currently in a state of flux, trying to define a role for themselves that is broader than just a license approval body. There doesn't seem to be a lot of discontent within the board that might lead to Perens or another controversial figure being added. Whether this leads to continued stagnation or a more vibrant OSI remains to be seen. A more interesting question might be: will anyone care?
If OSI starts to do visible things for the community, it will finally acquire some relevance. Given the attitude towards his candidacy, it seems unlikely that Perens will be able to lead the board in that direction. Which leaves it up to the current board and the two new members—neither of whom is likely to be Perens—to find a way to make the community care.
Security
Voting machine integrity through transparency
It is hard to believe that governments would spend money on voting equipment that they are not allowed to test, but that is exactly what multiple counties in New Jersey appear to have done. They are certainly not alone; many other places are likely to have the same restrictions on "their" voting machines. This begs the question: where are the free software voting systems?
Union County wanted to ask Ed Felten to look at the voting machines it purchased from Sequoia Voting Systems because of several anomalies—less charitably known as miscounts—observed when using them in the primary elections. Once Sequoia got wind of the plan, they emailed Felten a nastygram because he might engage in "non-compliant analysis" of the machines in violation of the Sequoia license. It seems quite likely that is exactly what Felten and the county clerk had in mind as a third-party analysis is the only sensible way to evaluate voting machines.
Other jurisdictions have done better of late, with Felten's Freedom to Tinker weblog noting that California has denied certification for two voting machines from Election Systems & Software (ES&S). California Secretary of State Debra Bowen has been at the forefront of trying to ensure that voting machines work correctly. LWN's home state of Colorado also decertified a number of voting machines, but, like the earlier California study, it was done after those machines were purchased. As in California, it seems likely that Colorado will be using those machines in November.
Things are getting a little better, perhaps, but no one has, as yet, tried to take on the four major voting machine makers with a system that is built with security in mind. There is no reason that the source code for a voting machine could not be made available for study. The voting machine vendors claim all sorts of proprietary secret sauce in their code, but that isn't the real reason they hide it. Covering up their shoddy code is much more likely.
Every independent review of voting machines has found numerous, fundamental security flaws that should make anyone with an interest in the integrity of the election process cringe. Many of those analyses were done without the source code, so there is little doubt that even uglier problems would have been found in the code itself. It just cannot be that difficult to produce something vastly more secure than what is made available today.
One could speculate about the motives of these companies, but instead looking at what could be built, with mostly off-the-shelf software, is more fruitful. The place to start is by hiring a few good security-minded developers, while lining up an independent review team. One might guess that Felten and his associates would be a good place to start.
A stripped down Linux system could very easily be the basis for a voting machine, but other free software choices would serve just as well. Some user interface code for touchscreens and alternative input methods for those with disabilities would need to be written. Some kind of printing output device would need to be made a part of the system so that voter-verifiable audit trails—better yet, ballots that can be put into a locked box—can be created.
Source code availability does not, in and of itself, ensure vote security. That code needs to be reviewed by as many experts as can be found. In addition, there needs to be some mechanism to show that the source code being reviewed is the same as that being run.
For that reason, the system itself might run on some kind of Trusted Platform Module (TPM) chip so that interested parties can verify that the published code is the same as that running on the system. If the system runs Linux, it might use the integrity management patches for that. Most importantly, the outside interfaces (network, USB, PCMCIA, etc.) to the device would either not be present or be very tightly controlled. Any kind of removable vote recording memory would need adequate cryptographic safeguards to eliminate tampering between vote taking and vote tabulating machines.
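The two checks described above can be modelled in a few lines. This is an added example, not code from the article or from any voting system: it imitates the TPM "extend" operation to show how an auditor can confirm that a machine booted exactly the published components, and it seals a removable vote memory with a chained HMAC so that edits, reordering and truncation are caught by the tabulating machine. The use of SHA-256, the single measurement register, the shared card key and all names and sample data are assumptions of the sketch.

```python
from __future__ import annotations

import hashlib
import hmac

# Part 1: measured boot, modelled on the TPM "extend" operation.
# Assumption: one register, SHA-256, zeroed at power-on.
PCR_INIT = bytes(32)


def extend(pcr: bytes, component: bytes) -> bytes:
    """new = H(old || H(component)); the result depends on content and order."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Machine side: measure every stage, in order, before running it."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def matches_published(reported_pcr: bytes, published: list[bytes]) -> bool:
    """Auditor side: replay the chain over binaries built from the published
    source and compare with the value the machine reports. A real deployment
    would also verify the TPM's signature over that value (not modelled)."""
    return hmac.compare_digest(measure_boot(published), reported_pcr)


# Part 2: removable vote memory protected by a chained HMAC.
# Assumption: the voting and tabulating machines share a per-card key.
def _tag(key: bytes, label: bytes, prev: bytes, n: int, body: bytes = b"") -> bytes:
    msg = label + prev + n.to_bytes(4, "big") + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_card(key: bytes, records: list[bytes]) -> dict:
    """Vote-taking machine: each tag covers the previous tag, the record's
    position and its content; a trailer covers the final count."""
    sealed, prev = [], bytes(32)
    for i, rec in enumerate(records):
        prev = _tag(key, b"REC", prev, i, rec)
        sealed.append((rec, prev))
    return {"records": sealed, "trailer": _tag(key, b"END", prev, len(sealed))}


def verify_card(key: bytes, card: dict) -> bool:
    """Tabulating machine: recompute the chain; any edit, swap, insertion or
    dropped record makes a tag or the trailer mismatch."""
    prev = bytes(32)
    for i, (rec, tag) in enumerate(card["records"]):
        if not hmac.compare_digest(_tag(key, b"REC", prev, i, rec), tag):
            return False
        prev = tag
    trailer = _tag(key, b"END", prev, len(card["records"]))
    return hmac.compare_digest(trailer, card["trailer"])


if __name__ == "__main__":
    # Constructed sample data, standing in for real boot images and ballots.
    stack = [b"bootloader-1.0", b"kernel-2.6.24", b"ballot-app-r17"]
    patched = stack[:2] + [b"ballot-app-r17-patched"]
    print("published stack booted:", matches_published(measure_boot(stack), stack))
    print("patched stack booted:  ", matches_published(measure_boot(patched), stack))

    key = b"constructed-demo-key-0123456789ab"
    card = seal_card(key, [b"ballot:1:A", b"ballot:2:B", b"ballot:3:A"])
    print("intact card verifies:  ", verify_card(key, card))
    truncated = {"records": card["records"][:-1], "trailer": card["trailer"]}
    print("truncated card verifies:", verify_card(key, truncated))
```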
Instead of an emphasis on PR, schmoozing, and bamboozling non-technical folks, the focus of a free software voting system would be on transparency. The number one goal would be to give everyone, from the least technical voter to the Bruce Schneiers of the world, confidence in the machines and the process. It is hard to fathom how anyone could want anything less.
The last updated vulnerabilities section
It would seem that the majority of the readers of this page are willing to part with the updated vulnerabilities section. Based on the comments we got over the last two weeks, we decided to remove it in future editions. So, this is the last week you will find one on the security page. You can always visit http://lwn.net/Vulnerabilities/ to get a look at the most recent vulnerabilities in our database.
New vulnerabilities
asterisk: multiple vulnerabilities
Package(s): asterisk | CVE #(s): CVE-2007-6430 CVE-2008-1332 CVE-2008-1333
Created: March 20, 2008 | Updated: April 25, 2008
Description: From the Debian alert:
CVE-2007-6430: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups, which are configured to run without a password and only host-based authentication.
CVE-2008-1332: Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls.
asterisk: multiple vulnerabilities
Package(s): asterisk | CVE #(s): CVE-2008-1289 CVE-2008-1390
Created: March 24, 2008 | Updated: March 26, 2008
Description: From the Red Hat bugzilla:
CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation. The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data it does allow the attacker to write a 0 to other memory locations. The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer.
CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely to have a much larger than average number of 1s, which greatly reduces the number of guesses an attacker would have to make to successfully predict the manager ID, which is used across multiple HTTP queries to hold manager state.
bzip2: denial of service
Package(s): bzip2 | CVE #(s): CVE-2008-1372
Created: March 24, 2008 | Updated: March 30, 2009
Description: From the CVE entry: bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite.
Firefox: multiple vulnerabilities
Package(s): firefox | CVE #(s): CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241
Created: March 26, 2008 | Updated: July 28, 2008
Description: The Firefox 2.0.0.13 release contains fixes for several vulnerabilities; see this list for details.
JBoss: inject and execute arbitrary commands
Package(s): JBoss | CVE #(s): CVE-2007-6306 CVE-2007-6433
Created: March 25, 2008 | Updated: March 26, 2008
Description: The JFreeChart component was vulnerable to multiple cross-site scripting (XSS) vulnerabilities. An attacker could misuse the image map feature to inject arbitrary web script or HTML via several attributes of the chart area. The setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.
krb5: memory use after free
Package(s): krb5 | CVE #(s): CVE-2007-5901
Created: March 24, 2008 | Updated: April 7, 2010
Description: From the CVE entry: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
libsilc: buffer overflow
Package(s): libsilc | CVE #(s):
Created: March 24, 2008 | Updated: March 26, 2008
Description: From the Red Hat bugzilla: SILC Toolkit contains a possible buffer overflow from PKCS#1 message decoding in versions earlier than 1.1.7. Specially crafted digital signature can be used to crash the program.
namazu: cross-site scripting
Package(s): namazu | CVE #(s): CVE-2008-1468
Created: March 26, 2008 | Updated: August 29, 2008
Description: The sanitizing of input to namazu does not work properly with certain encodings, allowing HTML directives and script code to be injected into content.
openssh: hijacking of forwarded X connections
Package(s): openssh | CVE #(s): CVE-2008-1483
Created: March 25, 2008 | Updated: May 14, 2008
Description: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
ruby: directory traversal
Package(s): ruby | CVE #(s): CVE-2008-1145
Created: March 25, 2008 | Updated: August 29, 2008
Description: Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
serendipity: insufficient input sanitizing
Package(s): serendipity | CVE #(s): CVE-2007-6205 CVE-2008-0124
Created: March 25, 2008 | Updated: March 26, 2008
Description: Serendipity, a weblog manager, did not properly sanitize input to several scripts which allowed for cross site scripting.
ssl-cert: certificate disclosure
Package(s): ssl-cert | CVE #(s): CVE-2008-1383
Created: March 20, 2008 | Updated: March 26, 2008
Description: From the Gentoo alert:
Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs). A local attacker could recover the SSL keys from publicly readable binary packages when "emerge" is called with the "--buildpkg (-b)" or "--buildpkgonly (-B)" option. Remote attackers can recover these keys if the packages are served to a network.
viewvc: multiple vulnerabilities
Package(s): viewvc | CVE #(s): CVE-2008-1290 CVE-2008-1291 CVE-2008-1292
Created: March 20, 2008 | Updated: March 26, 2008
Description: From the Gentoo alert:
Multiple unspecified errors were reportedly fixed by the ViewVC development team. A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT folders, and view restricted content via the revision view, the log history, or the diff view.
xine-lib: arbitrary code execution
Package(s): xine-lib | CVE #(s): CVE-2008-0073
Created: March 24, 2008 | Updated: October 30, 2008
Description: From the Red Hat bugzilla: Secunia Research has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "streamid" SDP parameter included in a malicious RTSP stream. Successful exploitation allows execution of arbitrary code.
xwine: several vulnerabilities
Package(s): xwine | CVE #(s): CVE-2008-0930 CVE-2008-0931
Created: March 21, 2008 | Updated: March 26, 2008
Description: The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE.
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel is 2.6.25-rc7, released on March 25. Says Linus: "The shortlog has more details, but it boils down to some reverts, some docbook fixes, some sparse annotation fixups, a number of trivial patches, and a healthy sprinkling of small fixups. Give it a good testing, because we're hopefully now well on our way towards that eventual real 2.6.25 release!" Said shortlog can be found in the announcement, or see the long-format changelog for the details.
The current stable 2.6 kernel is 2.6.24.4, released on March 24. This release contains a large number of patches for significant problems in the 2.6.24 kernel.
Kernel development news
Quotes of the week
Kernel markers and binary-only modules
Kernel markers are a mechanism which allows developers to put static tracepoints into the kernel. Once placed, these markers can be used by operations staff to trace well-known events in running systems without that staff having to know about kernel code. Solaris provides a long list of static tracepoints for use with DTrace, but Linux, thus far, has none. That situation should eventually change - static markers were only merged into the mainline in 2.6.24. But, as the developers start to look more seriously at markers, some interesting issues are coming up.
One of those emerged as a result of this patch from Mathieu Desnoyers which allows proprietary modules to contain markers. The fact that current kernels do not recognize markers in binary-only modules is mostly an accident: markers are disabled in modules with any sort of taint flag set as a way to prevent kernel crashes - a kernel oops being a rather heavier-weight marker than most people wish to encounter. Mathieu tightened that test in a way that allows markers in proprietary modules, saying "let's see how people react". Needless to say, he saw.
One might well wonder why the kernel developers, not known for their sympathy toward proprietary modules in general, would want to consider letting those modules include static tracepoints. The core argument here is that static markers allow proprietary modules to export a bit more internal information to the kernel, and to their users. It is seen as a sort of (very) small opening up on the part of the proprietary module writer. Mathieu says:
The idea is that, by placing these tracepoints, module authors can help others learn more about what's going on inside the module and help people track down problems. The result should be a more stable kernel which - whether proprietary modules have been loaded or not - is generally considered to be a good thing.
On the other hand, there's no shortage of developers who are opposed to extending any sort of helping hand to binary module authors. Giving those modules more access to Linux kernel internals, it is argued, only leads to trouble. Ingo Molnar put it this way:
Ingo also worries that allowing binary modules to use markers will serve to make the marker API that much harder to change in the future. Since that API is quite young, chances are good that changes will happen. As much as the kernel developers profess not to care about binary-only modules, the fact of the matter is that there are good reasons to avoid breaking those modules. The testing community certainly gets smaller when testers cannot load the modules they need to make their systems work in the manner to which they have become accustomed. So it is possible that allowing proprietary modules to use markers could make the marker API harder to fix in future kernel releases.
The grumbles have been loud enough that Mathieu's patch will probably not be merged for 2.6.25. The idea is likely to come back again, but not necessarily right away: the marker feature may have been merged in 2.6.24, but it would appear that 2.6.25 will be released with no actual markers defined in the source. It's not clear that binary-only module authors are pushing to add tracepoints when none of the other developers are doing so. Until somebody starts actually using static markers, debates on where they can be used will continue to be of an academic nature.
Predictive ELF bitmaps
When the kernel executes a program, it must retrieve the code from disk, which it normally does by demand paging it in as required by the execution path. If the kernel could somehow know which pages would be needed, it could page them in more efficiently. Andi Kleen has posted an experimental set of patches that do just that.
Programs do not know about their layout on disk, nor is their path through the executable file optimized to reduce seeking, but with some information about which pages will be needed, the kernel can optimize the disk accesses. If one were to gather a list of the pages that get faulted in as a program runs, that information could be saved for future runs. It could then be turned into a bitmap indicating which of the pages should be prefetched.
Once you have such a bitmap, where to store it becomes a problem. Kleen's method uses a "hack" to the ELF format on disk, putting the bitmap at the end of the executable. This has a number of drawbacks: a seek to get the info, modifying the executable each time you train, and only allowing a single usage pattern system-wide. It does have one very nice attribute, though: the bitmap and executable stay in sync; if the executable changes, due to an upgrade for instance, the bitmap would get cleared in the process. Alternative bitmap storage locations—somewhere in users' home directories for example—do not have this property.
Andrew Morton questions whether this need be done in the kernel at all:
Ulrich Drepper does not want to see the ELF format abused in the fashion it was for this patch; Kleen doesn't either, but used it as an expedient. Drepper thinks the linker should be taught to emit a new header type which would store the bitmap. It would be near the beginning of the ELF file, eliminating the seek. A problem with that approach is that old binaries would not be able to take advantage of the technique; a re-linking would be required.
Then the question arises, how does that bitmap get initialized? Drepper suggests that systemtap be used:
Kleen's patch walks the page tables for a process when it is exiting, setting a bit in the bitmap if that page has been faulted in. Drepper sees this as suboptimal:
The problem is in finding the balance between just prefetching the entire executable—which might be very wasteful—and prefetching the subset of pages that are most commonly used. It will take some heuristics to make that decision. As Drepper points out, recording the entire runtime of a program "will result in all the pages of a program to be marked (unless you have a lot of dead code in the binary and it's all located together)."
The place where Drepper sees a need for kernel support is in providing a bitmap interface to madvise() so that any holes in the pages that get prefetched do not get filled by the readahead mechanism. The current interface would require a call to madvise() for each contiguous region, which could add up to a large number of calls. Both he and Morton favor the bulk of the work being done in user space.
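The per-region cost described above can be seen in a small user-space sketch, added here as an example and not taken from Kleen's patches or any posted code. It assumes a one-bit-per-page bitmap with the least significant bit first; the names `page_run`, `bitmap_to_runs()` and `prefetch_runs()` and both sample bitmaps are constructed for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MADV_WILLNEED in strict -std= modes */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* One contiguous range of pages whose bits are set in the prefetch bitmap. */
struct page_run {
    size_t first_page;
    size_t npages;
};

/* Constructed samples for a 16-page file: bit N (LSB first) is page N. */
static const uint8_t SAMPLE_BITMAP[2] = { 0x27, 0x83 };      /* pages 0-2, 5, 8-9, 15 */
static const uint8_t ALTERNATING_BITMAP[2] = { 0x55, 0x55 }; /* every other page */

static int bit_is_set(const uint8_t *bitmap, size_t page)
{
    return (bitmap[page / 8] >> (page % 8)) & 1;
}

/*
 * Collapse the bitmap into contiguous runs. Returns the total number of runs
 * found; only the first max_runs of them are stored in runs[].
 */
static size_t bitmap_to_runs(const uint8_t *bitmap, size_t npages,
                             struct page_run *runs, size_t max_runs)
{
    size_t nruns = 0, page = 0;

    while (page < npages) {
        size_t start;

        if (!bit_is_set(bitmap, page)) {
            page++;
            continue;
        }
        start = page;
        while (page < npages && bit_is_set(bitmap, page))
            page++;
        if (nruns < max_runs) {
            runs[nruns].first_page = start;
            runs[nruns].npages = page - start;
        }
        nruns++;
    }
    return nruns;
}

/*
 * The existing interface: one madvise(MADV_WILLNEED) call per run.
 * Returns the number of calls made, or -1 if any call fails.
 */
static long prefetch_runs(void *base, size_t page_size,
                          const struct page_run *runs, size_t nruns)
{
    long calls = 0;

    for (size_t i = 0; i < nruns; i++) {
        char *addr = (char *)base + runs[i].first_page * page_size;

        if (madvise(addr, runs[i].npages * page_size, MADV_WILLNEED) != 0)
            return -1;
        calls++;
    }
    return calls;
}

int main(void)
{
    struct page_run runs[16];
    size_t npages = 16, nruns;
    size_t page_size = (size_t)sysconf(_SC_PAGESIZE);
    FILE *f = tmpfile();               /* stand-in for the executable file */
    void *map;

    if (!f || ftruncate(fileno(f), (off_t)(npages * page_size)) != 0)
        return 1;
    map = mmap(NULL, npages * page_size, PROT_READ, MAP_PRIVATE, fileno(f), 0);
    if (map == MAP_FAILED)
        return 1;

    nruns = bitmap_to_runs(SAMPLE_BITMAP, npages, runs, 16);
    printf("sparse bitmap: %zu runs, %ld madvise() calls\n",
           nruns, prefetch_runs(map, page_size, runs, nruns));
    printf("alternating bitmap: %zu runs\n",
           bitmap_to_runs(ALTERNATING_BITMAP, npages, runs, 16));

    munmap(map, npages * page_size);
    fclose(f);
    return 0;
}
```

The alternating bitmap is the worst case: half the pages are wanted and every one of them costs its own system call.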
Overall, there is lots more work to do before "predictive bitmaps" make their way into a Linux system—if they ever do. To start with, some benchmarking will have to be done to show that performance improves enough to consider making a change like this. David Miller expresses some pessimism about the approach:
Frankly, based upon my experiences then and what I know now, I think it's a lose to do this.
It is an interesting idea though, one that will likely crop up again if this particular incarnation does not go anywhere. Since the biggest efficiency gain is from reducing seeks, though, it may not be interesting long-term. As Morton says, "solid-state disks are going to put a lot of code out of a job."
Atomic context and kernel API design
An API should refrain from making promises that it cannot keep. A recent episode involving the kernel's in_atomic() macro demonstrates how things can go wrong when a function does not really do what it appears to do. It is also a good excuse to look at an under-documented (but fundamental) aspect of kernel code design.

Kernel code generally runs in one of two fundamental contexts. Process context reigns when the kernel is running directly on behalf of a (usually) user-space process; the code which implements system calls is one example. When the kernel is running in process context, it is allowed to go to sleep if necessary. But when the kernel is running in atomic context, things like sleeping are not allowed. Code which handles hardware and software interrupts is one obvious example of atomic context.
There is more to it than that, though: any kernel function moves into atomic context the moment it acquires a spinlock. Given the way spinlocks are implemented, going to sleep while holding one would be a fatal error; if some other kernel function tried to acquire the same lock, the system would almost certainly deadlock forever.
"Deadlocking forever" tends not to appear on users' wishlists for the kernel, so the kernel developers go out of their way to avoid that situation. To that end, code which is running in atomic context carefully follows a number of rules, including (1) no access to user space, and, crucially, (2) no sleeping. Problems can result, though, when a particular kernel function does not know which context it might be invoked in. The classic example is kmalloc() and friends, which take an explicit argument (GFP_KERNEL or GFP_ATOMIC) specifying whether sleeping is possible or not.
The wish to write code which can work optimally in either context is common, though. Some developers, while trying to write such code, may well stumble across the following definitions from <linux/hardirq.h>:
```c
/*
 * Are we doing bottom half or hardware interrupt processing?
 * Are we in a softirq context? Interrupt context?
 */
#define in_irq()        (hardirq_count())
#define in_softirq()    (softirq_count())
#define in_interrupt()  (irq_count())
#define in_atomic()     ((preempt_count() & ~PREEMPT_ACTIVE) != 0)
```
It would seem that in_atomic() would fit the bill for any developer trying to decide whether a given bit of code needs to act in an atomic manner at any specific time. A quick grep through the kernel sources shows that, in fact, in_atomic() has been used in quite a few different places for just that purpose. There is only one problem: those uses are almost certainly all wrong.
The in_atomic() macro works by checking whether preemption is disabled, which seems like the right thing to do. Handlers for events like hardware interrupts will disable preemption, but so will the acquisition of a spinlock. So this test appears to catch all of the cases where sleeping would be a bad idea. Certainly a number of people who have looked at this macro have come to that conclusion.
But if preemption has not been configured into the kernel in the first place, the kernel does not raise the "preemption count" when spinlocks are acquired. So, in this situation (which is common - many distributors still do not enable preemption in their kernels), in_atomic() has no way to know if the calling code holds any spinlocks or not. So it will return zero (indicating process context) even when spinlocks are held. And that could lead to kernel code thinking that it is running in process context (and acting accordingly) when, in fact, it is not.
Given this problem, one might well wonder why the function exists in the first place, why people are using it, and what developers can really do to get a handle on whether they can sleep or not. Andrew Morton answered the first question in a relatively cryptic way:
In other words, in_atomic() works in a specific low-level situation, but it was never meant to be used in a wider context. Its placement in hardirq.h next to macros which can be used elsewhere was, thus, almost certainly a mistake. As Alan Stern pointed out, the fact that Linux Device Drivers recommends the use of in_atomic() will not have helped the situation. Your editor recommends that the authors of that book be immediately sacked.
Once these mistakes are cleared up, there is still the question of just how kernel code should decide whether it is running in an atomic context or not. The real answer is that it just can't do that. Quoting Andrew Morton again:
This pattern is consistent through the kernel - once again, the GFP_ flags example stands out in this regard. But it's also clear that this practice has not been documented to the point that kernel developers understand that things should be done this way. Consider this recent posting from Rusty Russell, who understands these issues better than most:
In fact, kmalloc() cannot figure out on its own whether sleeping is allowable or not. It has to be told by the caller. This rule is unlikely to change, so expect a series of in_atomic() removal patches starting with 2.6.26. Once that work is done, the in_atomic() macro can be moved to a safer place where it will not create further confusion.
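The failure mode described in this article can be reproduced in a user-space model, added here as an example; it is not kernel code. Every `model_` name, the two helper functions and the constant values are assumptions made for the illustration; only the in_atomic() expression and the GFP_KERNEL/GFP_ATOMIC convention come from the text above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in constants chosen for this model, not the kernel's own values. */
#define MODEL_PREEMPT_ACTIVE  0x10000000u
#define MODEL_HARDIRQ_OFFSET  0x00010000u

/* Mirrors the GFP_KERNEL / GFP_ATOMIC convention: the caller states its context. */
enum model_gfp { MODEL_GFP_KERNEL, MODEL_GFP_ATOMIC };

struct model_cpu {
    bool config_preempt;           /* models whether preemption was configured */
    unsigned int preempt_count;
    unsigned int spinlocks_held;   /* ground truth, kept only to check the model */
};

static void model_spin_lock(struct model_cpu *cpu)
{
    if (cpu->config_preempt)
        cpu->preempt_count++;      /* only preemptible kernels count spinlocks */
    cpu->spinlocks_held++;
}

static void model_spin_unlock(struct model_cpu *cpu)
{
    cpu->spinlocks_held--;
    if (cpu->config_preempt)
        cpu->preempt_count--;
}

/* Model assumption: interrupt entry raises the count in every configuration. */
static void model_irq_enter(struct model_cpu *cpu)
{
    cpu->preempt_count += MODEL_HARDIRQ_OFFSET;
}

static void model_irq_exit(struct model_cpu *cpu)
{
    cpu->preempt_count -= MODEL_HARDIRQ_OFFSET;
}

/* Same expression as the in_atomic() macro quoted from <linux/hardirq.h>. */
static bool model_in_atomic(const struct model_cpu *cpu)
{
    return (cpu->preempt_count & ~MODEL_PREEMPT_ACTIVE) != 0;
}

/* Broken pattern: the helper guesses its context from in_atomic(). */
static bool guessing_helper_would_sleep(const struct model_cpu *cpu)
{
    return !model_in_atomic(cpu);
}

/* Pattern the article recommends: the caller says whether sleeping is allowed. */
static bool explicit_helper_would_sleep(enum model_gfp flags)
{
    return flags == MODEL_GFP_KERNEL;
}

/* True if the guessing helper chooses to sleep while a spinlock is held. */
static bool guessing_sleeps_under_spinlock(bool config_preempt)
{
    struct model_cpu cpu = { .config_preempt = config_preempt };
    bool bug;

    model_spin_lock(&cpu);
    bug = guessing_helper_would_sleep(&cpu) && cpu.spinlocks_held > 0;
    model_spin_unlock(&cpu);
    return bug;
}

/* True if the guessing helper chooses to sleep inside an interrupt handler. */
static bool guessing_sleeps_in_hardirq(bool config_preempt)
{
    struct model_cpu cpu = { .config_preempt = config_preempt };
    bool bug;

    model_irq_enter(&cpu);
    bug = guessing_helper_would_sleep(&cpu);
    model_irq_exit(&cpu);
    return bug;
}

/* The same locked section, but the caller passes MODEL_GFP_ATOMIC. */
static bool explicit_sleeps_under_spinlock(bool config_preempt)
{
    struct model_cpu cpu = { .config_preempt = config_preempt };
    bool bug;

    model_spin_lock(&cpu);
    bug = explicit_helper_would_sleep(MODEL_GFP_ATOMIC) && cpu.spinlocks_held > 0;
    model_spin_unlock(&cpu);
    return bug;
}

int main(void)
{
    for (int preempt = 0; preempt <= 1; preempt++)
        printf("preempt=%d: guess under lock sleeps=%d, guess in irq sleeps=%d, "
               "explicit under lock sleeps=%d\n", preempt,
               guessing_sleeps_under_spinlock(preempt),
               guessing_sleeps_in_hardirq(preempt),
               explicit_sleeps_under_spinlock(preempt));
    return 0;
}
```

The guessing helper passes every test on a preemptible build and in interrupt context, which is why this kind of bug only shows up on the non-preemptible kernels many distributors ship.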
Page editor: Jonathan Corbet
Distributions
News and Editorials
Distribution-friendly projects - Part 1
[Editor's note: This article, which looks at the interactions of software projects and distribution providers, will be presented in three parts.]
Introduction
In today's world most users of Linux don't build their system from scratch by downloading the sources of the applications and libraries they need and building them by hand. Most users will use one or more distributions (the ones that best suit their needs), and they'll stick with the packages provided by the distribution for as long as they can.

Power users may know how to get the software they want and build it so it runs, but the average user won't go around looking for software that is not readily available to them. The job of a distribution is, of course, to provide as much software as its users will need, sometimes changing the software so that it suits the needs of its users better.
The distribution's developers, the so-called downstream developers, have different responsibilities compared to the original software developers, the upstream developers. The former are responsible directly to their users, while the latter are usually more focused on implementing their software correctly for their own standards (which means for instance implementing a protocol exactly as described by the standard, or supporting a file format exactly as it should be).
Most of the time, these two objectives are compatible with one another, and users face an interface that hides the details of the implementation. Sometimes though there are user requests that upstream developers won't acknowledge, for instance: to parse a file that was written improperly by a commonly-used tool (maybe a proprietary tool that does not support free software). In these cases, some distributions tend to edit the source, creating a modified version for that particular distribution, with a different behaviour, interface, or what not.
It's because of cases like this, especially in the last few years, that there have been many arguments between original developers and distributions, which sometimes involved legal threats, forks or removal of software from distributions' repositories. It's not fun to watch these arguments going by, and sometimes it's all because of differences in opinion between the developers, or in how their experiences have affected their views.
Starting with the idea that everybody wants to have the software they wrote used, this article will try to explain what distributors want and why they ask the original developers to cooperate toward that goal. People who worked both as an upstream developer and as a downstream maintainer usually know what is being done with their code in a distribution and why. For people who have only seen one side, understanding of the needs or the reasons of the other side might be a very difficult task.
Technical and philosophical needs
The majority of the points where upstream and downstream have different views can be divided into technical and philosophical points. On the technical side, distributors need to make the software build on their system, without lots of workarounds, and it should follow the same behaviour as other software in their setup. On the philosophical side, they have needs relating to user requests and expectations. Users expect some consistency in how software looks and behaves on their system. Often, both of these kind of matters relate to the policy (written or unwritten) of that distributor.

While one might actually expect a philosophical debate between developers on formats and how to implement a protocol, it's difficult to understand how so many arguments are caused by different technical requests. Unfortunately even the technical needs are often different between upstream projects and distributions. The only way to accommodate both is to provide choices, something that more times than not is considered bad by the upstream developers, who do not want the complication of too many choices.
I sincerely doubt there will ever be a time when all the upstream developers and the downstream maintainers will be on the same page, but it is possible to at least try to understand what the other side wants, and see if it's possible to cover their needs, without regressing. Even if that means increasing the complexity a bit. It is true that most of today's tools, in every area, are more sophisticated and complex than their equivalent years ago (tens of years for computer tools, hundreds of years for other areas).
[This ends part 1 of this article. Part 2 will look at the technical needs of distributions and the upstream developers. Finally, part 3 will cover the philosophical concerns and present some conclusions. Stay tuned for part 2, which should air in two weeks.]
New Releases
Ubuntu 8.04 LTS Beta released
The Ubuntu team has announced the beta release of Ubuntu 8.04 LTS (Long-Term Support) on desktop and server. "Codenamed "Hardy Heron", 8.04 LTS continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution." Beta editions of Kubuntu, Xubuntu, UbuntuStudio, and Mythbuntu are also available.
Fedora 9 beta is available
"Ah, spring... when a young penguin's fancy lightly turns to thoughts of... Beta testing! Yes, spring has sprung, and so has the Beta release of Fedora 9!" With that note, the Fedora developers announce their beta release and request that anybody interested in Fedora 9 help to test it out. There's a lot of interesting stuff in this release; see the announcement for details.
Distribution News
Fedora
Fedora Updates System
The new Fedora Updates System (bodhi) integrates with the Fedora Build System (koji) and lets any user give feedback on a specific update, be it in updates-testing or in the stable repository. Click below to see how you can help packagers test updates, give them feedback and even prevent a faulty package from being pushed into the repositories.
kernel-libre (hopefully 100% Free) for Fedora 8 and rawhide
Alexandre Oliva writes: "I've stripped non-Free firmware bits from Fedora kernels for F8 and rawhide, starting from tools developed by the gNewSense folks and now in use by BLAG developers, and built alternate kernels that I've successfully booted up and used on my x86_64 notebook."
Gentoo Linux
Gentoo 2008.0 beta delayed
There have been some questions on the Gentoo lists about the unexplained delay in the 2008.0 beta release. What's going on is that two of the key developers involved have suffered a severe personal loss and are not currently able to work on that release. They ask for sympathy and understanding from the developer and user communities, and one hopes they get it.
Slackware Linux
Slackware 12.1 RC 1 ?
The March 19 entry in the slackware-current changelog says that Slackware 12.1 RC 1 is close. Click below for snippet of the log, or read the entire changelog.
Ubuntu family
Ubuntu 6.10 reaches end-of-life on April 26, 2008
Ubuntu 6.10 (Edgy Eft) will reach its end-of-life on April 26, 2008. "The supported upgrade path from Ubuntu 6.10 is via Ubuntu 7.04... Note that upgrades to version 7.10 and beyond are only supported in multiple steps, via an upgrade first to 7.04, then to 7.10. Both Ubuntu 7.04 and Ubuntu 7.10 continue to be actively supported with security updates and select high-impact bug fixes."
Other distributions
Fifteen years of NetBSD
The NetBSD project is celebrating its 15th anniversary. "Throughout the past fifteen years, NetBSD has increased the portability and security of the 4.4BSD operating system on which NetBSD was based, and added support for new processor and system families, while enhancing the system's performance to such an extent that NetBSD has become known as the most portable operating system in the world."
Blag linux-libre-2.6.24.4.0
BLAG Linux and GNU has made available a Linux 2.6.24.4 kernel with all non-free software removed. Click below for a link.
New Distributions
SliTaz GNULinux
SliTaz GNULinux is a very small desktop system that runs from live CD or live USB. SliTaz v1.0 is the first stable version to be released, after two years of development. This version, released March 22, 2008, weighs in at under 25Mb. This week's DistroWatch Weekly says "SliTaz GNU/Linux 1.0 - at 25 MB, it has to be the smallest desktop distro ever created!"
Distribution Newsletters
Fedora Weekly News Issue 125
The Fedora Weekly News for the week of March 17, 2008 looks at several announcements, Planet Fedora articles "Fedora University Tour", "FUDCon Boston 2008 at the Red Hat Summit" and "Notacon 5", and much more.
openSUSE Weekly News, Issue 15
This week's edition of openSUSE Weekly News covers openSUSE 11.0 Alpha 3, SoC Student Application Period Open, Brainshare Digest, One-Click-Install improvements, and more.
Ubuntu Weekly Newsletter #83
The Ubuntu Weekly Newsletter for March 22, 2008 covers Ubuntu LTS and Kubuntu 8.04 Beta releases, interview with Jerome Gotangco (former Community Council member), 8.04 release parties, Launchpad logo contest, Ubuntu Forum News, Document Freedom Day, and much more.
DistroWatch Weekly, Issue 245
The DistroWatch Weekly for March 24, 2008 is out. "Debian-related happenings form the dominant topic of this issue. The feature story is an interview with Chris Hildebrandt, one of the main developers of the increasingly popular sidux distribution. How do the developers of this project test and stabilise Debian's unstable branch? And who is behind the seductive artwork and theme that graces its fast and cutting-edge desktop? Read below for answers. In the meantime, the Debian Installer team releases the first beta for Lenny, while Ubuntu unveils its own beta of the upcoming "Hardy Heron" Long-Term Support (LTS) release. But it isn't all about Debian. In the news section, Novell hints at an upcoming release of SUSE Linux Enterprise 11, the Fedora board votes to remove pointers to the Fluendo codecs, the PCLinuxOS community releases a GNOME edition, and NetBSD celebrates its 15th birthday. Finally, don't miss the new distribution section where you'll find SliTaz GNU/Linux - at just 25 MB, it has to be the smallest desktop live CD ever created! All this and more in this week's DistroWatch Weekly."
Interviews
People of openSUSE: Masim Sugianto
This week People of openSUSE introduces Masim Sugianto. "I'm an Indonesian, 32 years old, born and live in Bekasi-West Java, a small town near Jakarta - main city of Indonesia - since 17 May 1976. I married with my beloved Renny Dear Yuniastuty and a child named Muhammad "Zeze Vavai" Rivai Alifianto. I'm a happy blogger. I have about 7 blogs :-) . I'm currently working as an IT guy in East Jakarta."
Distribution reviews
First look at Ubuntu 8.04 "Hardy Heron" beta (ZDNet)
On the ZDNet blogs, Adrian Kingsley-Hughes has a look at the Ubuntu Hardy Heron beta. "I like Ubuntu. With each incarnation I'm seeing improvements and betterments that make the OS better, more robust, more user friendly and more fully-featured. In fact, Ubuntu 8.04 is the first Linux distro that I've come across that I would consider loading onto my notebook to replace Windows. Throughout my testing Ubuntu 8.04 beta has been reliable and performed flawlessly."
Page editor: Rebecca Sobol
Development
Introducing Sphinx, the Python documentation toolchain
The first public release of the Python Sphinx documentation system, which should not be confused with the CMU Sphinx speech recognition project, has been announced.
![[Python Sphinx]](https://static.lwn.net/images/ns/PythonSphinxlogo.png)
The Sphinx introduction states: "The focus is on hand-written documentation, rather than auto-generated API docs. Though there is limited support for that kind of docs as well (which is intended to be freely mixed with hand-written content), if you need pure API docs have a look at Epydoc, which also understands reST."
An interesting feature of the Sphinx web pages is the inclusion of their own document source code. The document source code from the previously mentioned Sphinx introduction page is a good place to go to get a look at the reStructuredText language that Sphinx uses. More information on that language can be found in the A ReStructuredText Primer, the Quick reStructuredText user reference and the reStructuredText Cheat Sheet.
The Sphinx feature list includes:
- Cross-platform, works under a variety of operating systems.
- Support for the HTML, Windows HTML Help, and LaTeX output formats.
- Can use Jinja from the Django project for creating HTML templates.
- Includes semantic markup and automatic links for cross-referencing.
- The documentation tree is hierarchically structured.
- Indexes are automatically generated.
- Sphinx can optionally use the Pygments programming language syntax highlighter.
- Supports a number of extensions for code snippet testing and more.
The Python source code and related files for Sphinx are available for download here. The change log shows that a number of recent releases have been made. As of this writing, the current version is release 0.1.61950, dated March 26, 2008.
If you need to maintain a collection of web-based or print-based project documentation, Sphinx could be a very useful tool.
System Applications
Database Software
Postgres Weekly News
The March 23, 2008 edition of the Postgres Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Embedded Systems
BusyBox 1.10.0 is out
Unstable version 1.10.0 of BusyBox, a collection of command line utilities for embedded systems, has been announced. Click below for a list of new features and bug fixes.
Telecom
The Free Telephony Project announces Blackfin port
The Free Telephony Project has announced an Alpha FreePBX port for Blackfin Asterisk. "The goal of this project is to provide free hardware designs for telephone systems. Both the hardware and software are open. You are free to copy, modify and re-use the hardware designs. The hardware for a complete embedded Asterisk IP PBX (including multiple analog ports or a T1/E1) can be built for a few hundred dollars. No PC required! Our first product is the IP04. The IP04 is a low cost phone system that can switch phone calls from analog phones or phone lines over the Internet using VoIP. The IP04 is a professionally designed product that is in volume production today".
Web Site Development
Web Console: 0.2 beta released (SourceForge)
Version 0.2 beta of Web Console has been announced. "Web Console is a web-based application that allows remote users to execute UNIX/Windows shell commands on a server directly from a browser. Web Console is open source software written on Perl using AJAX technology - it is very light, beautiful and easy. Web Console 0.2 beta has been released that is a first public release of the Web Console."
Desktop Applications
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Beagle and Libbeagle 0.3.4 (new features, bug fixes and translation work)
- cairo snapshot 1.5.14 (new features and API change)
- Conduit 0.3.9 (new features, bug fixes and translation work)
- gswitchit-plugins 0.8 (new feature)
- Hotwire 0.721 (new features and bug fixes)
- Libgda 3.99.2 (bug fixes)
- libgnomekdb 2.22.0 (new features and translation work)
- Metacity 2.23.3 (bug fixes and translation work)
- nemiver 0.5.1 (new features, bug fixes and translation work)
KDE Software Announcements
The following new KDE software has been announced this week:
- AI 20080321 (migration to PerlKDE)
- ALSA MIDI Kommander 0.3.1 (bug fix)
- Date Time Functions 0.1 (initial release)
- first4 1.4-beta2 (new features and bug fixes)
- Havekk's Amaork Announcer 0.1 (initial release)
- indywiki 0.9.8 (new features and bug fixes)
- Jukebox3D 0.6.0 (new features)
- KMetronome 0.8.1 (bug fixes)
- KMetronome 0.8.2 (bug fix)
- KMidimon 0.5.1 (new feature and bug fix)
- KMyMoney 0.8.9 (new feature)
- Kommander OpenWithDlg 0.1 (initial release)
- Kommander TimeWidget 0.2 (unspecified)
- KontaktDB / ContactDataBank 1.0.0.6a (new feature)
- Konvert2Ogg 0.2 (initial release)
- Krusader 1.90.0 (new features, bug fixes and translation work)
- KSplasher 0.9.8 beta (new features and bug fixes)
- ktikz 0.6 (new features and bug fixes)
- KTorrent 3.0.1 (bug fixes)
- LilyKDE 0.4.7 (new feature)
- LilyKDE 0.4.9 (new feature and license change)
- Minirok 0.9 (unspecified)
- PeaZip 2.0 (new features and bug fixes)
- Qtractor 0.1.2 (new features and bug fixes)
- Send torrent to MLdonkey 1.0 (initial release)
- Slax Tools 080318 (new features, documentation and translation work)
- TaskSwitch 0.2 (bug fixes)
- Twitter Client(Qt) 0.1 (initial release)
- webKam 0.2 (new features and code cleanup)
- Zhu3D 4.0.2 (new features, bug fixes and translation work)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- xf86-input-calcomp 1.1.2 (bug fix)
- xf86-input-digitaledge 1.1.1 (build change)
- xf86-input-dmc 1.1.2 (remove call to xf86XInputSetSendCoreEvents)
- xf86-input-dynapro 1.1.2 (remove call to xf86XInputSetSendCoreEvents)
- xf86-input-elographics 1.2.0 (bug fixes)
- xf86-input-fpit 1.2.0 (build change, remove call to xf86IsCorePointer)
- xf86-input-hyperpen 1.2.0 (build change)
- xf86-input-jamstudio 1.2.0 (build change)
- xf86-input-keyboard 1.3.0 (bug fixes and documentation work)
- xf86-input-magellan 1.2.0 (build change)
- xf86-input-microtouch 1.2.0 (build change, remove call to xf86XInputSetSendCoreEvents)
- xf86-input-mouse 1.3.0 (bug fixes and documentation work)
- xf86-input-mutouch 1.2.0 (build change)
- xf86-input-palmax 1.2.0 (build change)
- xf86-input-penmount 1.3.0 (build change)
- xf86-input-summa 1.2.0 (build change)
- xf86-input-tek4957 1.2.0 (build change)
- xf86-input-vmmouse 12.5.0 (bug fixes and build change)
- xf86-video-amd 2.7.7.7 (new features and bug fixes)
- xf86-video-dummy 0.3.0 (build change)
- xf86-video-intel 2.2.99.901 (new features and bug fixes)
- xf86-video-voodoo 1.2.0 (bug fixes, documentation work and build change)
xsel 1.2.0 released
Version 1.2.0 of xsel, a command-line utility for modifying the X selection buffer, has been announced. "This is a maintenance release, improving argument handling, documentation and X11 library detection."
Electronics
GNU Radio Release 3.1.2 available for download
Release 3.1.2 of GNU Radio, a software-defined radio system, has been announced. "Release 3.1.2 is a feature and maintenance release, incorporating numerous bug fixes and new functionality."
Encryption Software
GnuPG 2.0.9 released
Version 2.0.9 of the GnuPG encryption system has been announced; it features some new capabilities and bug fixes. "The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography."
Semeir: 2.4.7 Released (SourceForge)
Version 2.4.7 of Semeir has been announced. "Semeir is an Encryption algorithm, Capable of Stream and block encryption. It is written in pure C. It is platform independent, and is promising for Embedded systems. Intended as an alternate, yet secure data encryption cipher. It has been a long few years since I originally submitted Semeir. Starting its humble 1.0.0 that was never released, to the 2.1.3 that some have tried out. I apologize for taking so long to release the next version, which was not ready until now; requiring a near complete re-write of some functions, and addition of new functions. As well as pre-built functions that are ready to use, when linked with Zlib."
Financial Applications
SQL-Ledger 2.8.14 released
Version 2.8.14 of SQL-Ledger, a web-based accounting system, has been announced; it adds one new feature and some bug fixes.
Games
Games for Eclipse: version 3.2 released (SourceForge)
Version 3.2 of Games for Eclipse has been announced; it includes several bug fixes. "The goal of the project is to provide implementations of different games as plugins for Eclipse IDE (www.eclipse.org project)."
Graphics
Fraqtive: 0.4.0 Released (SourceForge)
Beta version 0.4.0 of Fraqtive, a Mandelbrot family fractal generator, has been announced. "A new version of Fraqtive is available. It has a completely new generator engine with support for SSE2, multi-core processors, different variants of fractals and many optimizations for almost real-time user experience. Also the user interface has been completely redesigned and rewritten using Qt4 to make Fraqtive available for both Linux and Windows platforms."
Interoperability
Wine 0.9.58 released
Version 0.9.58 of Wine has been announced. Changes include: The default version is now Windows XP, Many Richedit improvements, Beginning of jscript dll support, Shell folders now respect XDG directory configuration, Many translation updates and Lots of bug fixes.
Multimedia
HOgg 0.4.0 released
Version 0.4.0 of HOgg, a command line tool for manipulating Ogg files, is out. "This is the third public release. The focus is on correctness of Ogg parsing, production and editing. The capabilities of the hogg commandline tool are roughly on par with those of the oggz* tools."
Office Applications
Chandler Desktop 0.7.5 released
Version 0.7.5 of Chandler Desktop has been announced. "The Chandler Project is an open source, standards-based information manager designed for personal use and small group collaboration. The 0.7.5 release of Chandler Desktop simplifies the Chandler UI by changing elements confusing to new users. In particular, multiple toolbar buttons were removed, "tasks" were replaced with "starred items", the "triage" button was renamed to "clean up", and the items created when first starting have been made more useful. The sidebar list of collections can now be reordered by dragging them in-place. A variety of build/packaging and platform-specific bugs have also been fixed."
Miscellaneous
PyKeylogger: 1.0.1 released. (SourceForge)
Version 1.0.1 of PyKeylogger has been announced. "PyKeylogger is a simple keylogger written in python. It is primarily designed for backup purposes, but can be used as a stealth keylogger, too. It does not raise any trust issues, since it is a set of [relatively] short python scripts that you can easily examine. This is a bugfix release. Properly account for relative path names in ini settings and cli arguments by detecting full path location of program. Some about dialog prettification also took place."
Languages and Tools
Caml
Caml Weekly News
The March 25, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.
Java
JOSSO: Single Sign-On 1.7 Released (SourceForge)
Version 1.7 of JOSSO has been announced. "JOSSO - Java Open Single Sign-On - is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized platform neutral user authentication and authorization. For more information contact our website at : http://www.josso.org The JOSSO Single Sign-on Project 1.7 release is out, bringing fully transparent single sign-on to BEA WebLogic 9 and Apache Geronimo 2 application servers, extending as well its interoperability span to generic JEE web container such as Jetty. As part of this release, a brand new Ajax user management application comes built-in for enabling out-of-the-box account provisioning."
Perl
Parrot 0.6.0 released
Version 0.6.0 of Parrot, a virtual machine aimed at running dynamic languages, has been announced. "This release is a milestone release featuring the revamping of Parrot Magic Cookies."
This Week on perl5-porters (use Perl)
The March 9-15, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.
Spring 2008 edition of The Perl Review
The spring 2008 edition of The Perl Review is available. Topics include: Compiling My Own perl, FMTIEWTK About Closures, Expecting Perl, Perl and Undecidability and The Year in Perl, 2007.
Python
Python-URL! - weekly Python news and links
The March 18, 2008 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The March 23, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Libraries
Pantheios: 1.0.1 (beta 112) released (SourceForge)
Version 1.0.1 beta 112 of Pantheios has been announced; it includes a change to standard UNIX convention lib prefixes in the makefiles. "Pantheios is an Open Source C/C++ Logging API library, offering an optimal combination of 100% type-safety, efficiency, genericity and extensibility. It is simple to use and extend, highly-portable (platform and compiler-independent) and, best of all, it upholds the C tradition of you only pay for what you use."
Version Control
Bazaar 1.3 released
Version 1.3 of the Bazaar version control system has been announced. "Since 1.2, we've improved the speed of several important operations, including log, annotate, and other operations on revision history. Several bugs have been fixed and new options and features have been added, including an option to hardlink files between working trees."
Mercurial 1.0 released
The 1.0 release of the Mercurial source code management system has been announced. Mercurial has been in production use for some time, but this release adds a number of new features and performance improvements anyway; see the announcement for details.
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Protecting the Internet Without Wrecking It (Boston Review)
The Boston Review is carrying a lengthy article by Jonathan Zittrain on protecting the net from security threats. In your editor's opinion, the analysis of the problems is good, while the proposed solutions are a bit more questionable. "What might this system look like? Roughly, it would take the form of toolkits to overcome the digital solipsism that each of our PCs experiences when it attaches to the Internet at large, unaware of the size and dimension of the network to which it connects. These toolkits would run unobtrusively on the PCs of participating users, reporting back—to a central source, or perhaps only to each other—information about the vital signs and running code of that PC, which could help other PCs determine the level of risk posed by new code."
A number of responses have been posted, including one from Richard Stallman. "With free/libre software, no one has the power to make a malicious feature stick. Since the source code is available to the users, millions of programmers are in a position to spot and remove the malicious feature and release an improved version; someone will surely do so. Others can independently compare the two versions to assure you which version treats you right. As a practical fact, free software is generally devoid of designed-in malware."
Patent reform bill unable to clean up patent mess (ars technica)
ars technica takes a detailed look at the patent reform bill currently being considered in the U.S. Congress and comes away unimpressed. "Although the legislation includes provisions that are likely to moderately reduce the toll that patents take on high-tech innovation, none of the proposals address the fundamental problems that have cropped up in recent years. Opponents of software patents, in particular, will find the provisions of the Patent Reform Act underwhelming. Their best hope is that the Supreme Court tackles the issue in the coming years. If that doesn't happen, then they will likely need to wait for the situation to deteriorate further before there will be sufficient political will for serious reforms."
Companies
3DConnexion donates SpaceNavigators to KOffice (KDE.News)
KDE.News covers a hardware donation to KDE by 3DConnexion. "A couple of weeks ago Hans Bakker, who had never touched KOffice code before, started hacking on a Krita plugin for the 3DConnexion SpaceNavigator. Within a week or two he had a working plugin for Krita and it quickly became clear how cool these little devices are and how many possibilities for new user interaction paradigms they afford. So Hans suggested contacting Ettore Pasquini from 3DConnexion about the possibility of them donating a SpaceNavigator to the KOffice project for testing purposes. Well, that was only last week, and this week a box with three SpaceNavigators already landed on my desk."
Legal
India Has Voted NO to OOXML (Groklaw)
Groklaw reports that India has voted No to OOXML. "There is a difference, in other words, between supporting XML, what you might call pro forma support, and supporting OOXML as a standard. For that matter, there is a difference between support for Microsoft Office 2007 and support for OOXML. They are not the same thing, so when OpenOffice.org announces native read and write support for Office 2007 documents, that is all it means. It doesn't mean OpenOffice.org supports OOXML as a standard. No matter what Microsoft folks try to tell you."
From "happy hacking" to "screw you" - the story of Meraki (virishi.net)
From virishi.net comes a tale of woe in trying to use Meraki hardware to provide internet to part of Vancouver, British Columbia. It seems that this MIT Roofnet project commercial spin-off keeps changing its pricing models and licensing on the free software-based devices. "Then in February Meraki announced a change to their EULA (End User Licence Agreement) which precluded anyone from changing any of the software that they install on their units. This meant that from that point forward we would be breaking their rules, and maybe the law, by installing our own work on their hardware. Of course this could not be applied retroactively so we were free to continue to work with the hardware that we'd already bought but we intensified our search for alternatives to the Meraki hardware." (Seen on Slashdot).
Reviews
KDE 4.1: Visual Changelog (rev 783000) (PolishLinux.org)
PolishLinux.org takes a look at KDE 4.1 with lots of screenshots. "You don't always see this in the official changelogs but the KDE 4 development is progressing in an extraordinary speed. After a deep look at rev 777000 we are presenting you a new visual review of changes made to KDE 4 during the last couple of weeks." (Found on KDE.News)
Linux gains native RTOS emulation layer (LinuxDevices)
LinuxDevices takes a look at the Xenomai/SOLO project. "Newly available open source software could significantly increase Linux's utility in industrial computing applications. The Xenomai/SOLO project aims to provide VxWorks and other RTOS emulation in user-space on most any Linux kernel, and to deliver short, bounded application latency on kernels with built-in real-time capabilities."
Linux powers Zigbee-based home monitor (LinuxDevices)
LinuxDevices looks at a Linux-powered wireless security system. "A British startup called AlertMe.com has introduced a remotely managed security system that runs off a Linux-driven Hub. The AlertMe Hub tracks various sensors via Zigbee, and then reports back to AlertMe.com's servers, which in turn relay alarm events to the customer via SMS or email. Costing $800 plus $23.50 a month, the system alerts remote customers to events such as an intruder or a fire, says the company. The battery-powered, ZigBee-enabled devices in the AlertMe network include door and window sensors and alarm detectors that listen for existing smoke or carbon monoxide alarms."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
curl celebrates ten year anniversary
The curl project has announced its ten year anniversary. "Like many other projects, this started because of an itch. I wanted to get currency rates off the internet to allow an IRC bot to be able to provide an exchange service for users with accurate up-to-date rates. I thought the existing projects I found all did too much or did the wrong thing. That bot and service is now gone since long." (Thanks to Daniel Stenberg).
Document Freedom Day
The Free Software Foundation Europe has sent out a press release stating that March 26 is Document Freedom Day. "In a world where records are increasingly kept in electronic form, Open Standards are crucial for valuable information to outlive the application in which it was initially generated. The question of Document Freedom has severe repercussions for freedom of choice, competition, markets and the sovereignty of countries and their governments."
Audacious joins 2008 Google Summer of Code
The Audacious audio player project will take part in the 2008 Google Summer of Code. "Due to the success we've had in last year's Summer of Code, we are pleased to announce that we are participating in it again, and this time we're not limited to just Audacious. Atheme.org, the development teams who work on Audacious, charybdis, Atheme IRC Services, and other projects, is the mentoring organisation this year."
Audacity joins 2008 GSoC
The Audacity sound editor project has announced its participation in the Google Summer of Code 2008. "Students! Interested in supporting Audacity and earning a stipend this summer? Apply by 5:00 PM PDT on March 31, 2008 (00:00 UTC on April 1, 2008)! Audacity is a mentoring organization for the Google Summer of Code 2008! GSoC offers student developers $4,500 stipends to write code for various open source projects."
KDE Looking for Google Summer of Code Students (KDE.News)
KDE.News has announced the KDE group's participation in the 2008 Google Summer of Code. "Google's Summer of Code will begin accepting applications soon and KDE will be participating for this fourth year. If you are a student over 18 and want to work on KDE this summer take a look at our ideas page. You are not restricted to what is listed there, other projects are welcome. Take the opportunity to talk to potential mentors over e-mail & IRC to see how feasible your project is, then write a project proposal for your application. You will have a week to apply starting from Monday, March 24."
KDE and OpenUsability offer summer stipends for students (KDE.News)
KDE.News has announced the Season of Usability coding project. "Our friends over at OpenUsability have just started a call for students of usability, user-interface design, and interaction design or related subjects for the Season of Usability. Season of Usability is a project that offers mentoring students that want to work on usability aspects of various projects, including KDE. Students are offered a stipend worth $US1000. KDE is involved in the Season of Usability with three possible stipends, two for students who want to work on the KDE 4 Human Interface Guidelines, another project aims for improving the toolbox and palette interaction KOffice."
Perl Foundation Summer of Code call for proposals (use Perl)
The Perl Foundation has announced its participation in the Google Summer of Code. "The Perl Foundation is participating in Google's 2008 Summer of Code(tm) and we have a lot of capable, willing mentors looking forward to working with some talented, driven students. So, we would like you to help find those students (and quickly -- the application period opens March 24th and closes March 31st.)"
PostgreSQL Summer of Code 2008
The PostgreSQL DBMS project has announced its participation in the 2008 Google Summer of Code. "For Summer of Code, Google will be paying for student internships to work on PostgreSQL features and applications. We've put up a list of ideas, including guidelines for submissions and more. Applications for students open March 25th, and close March 31, so urge any students you know to get your applications prepared right away!"
Samba participates in GSoC 2008
The Samba project has announced its participation in the 2008 Google Summer of Code. "Samba is again participating as a mentoring organization for the Google Summer of Code. If you are a student and interested in participating, check out our ideas list. We would appreciate if you could drop by on the samba-technical mailing list or in #samba-technical on Freenode and have a chat with us on the project you are interested in. The Samba Team would like to thank Google, Leslie Hawthorn in particular, for organizing this great project yet another year."
XMMS2 accepted to Google Summer of Code
The XMMS2 music player project has announced its participation in the 2008 Google Summer of Code. "Google has just announced the mentor organizations for Summer of Code 2008 and we are happy to announce that XMMS2 was selected to participate this year as well."
Commercial announcements
CodeWeavers announces CrossOver Games
CodeWeavers has announced their new CrossOver Games product. "CrossOver Games will allow you to install and play some of the most popular games available for Windows on your Mac or Linux system, all without needing to buy or run a copy of Windows. This includes support for Guild Wars, World of Warcraft, and many games through Steam, including Team Fortress 2, Portal, Half Life 2, Civilization IV, Peggle, and many others."
Likewise launches Open Spring '08
Likewise Software has announced the availability of their Open Spring '08 product. "Likewise Software, formerly Centeris, a leader in delivering authentication and audit solutions for mixed networks, today announced the availability of Likewise Open Spring '08, an Open Source offering that provides fast and easy integration of Linux, UNIX and Mac systems with Microsoft's Active Directory. This release brings the platforms supported by Likewise Open from a few to over 110 Linux, UNIX and Mac Platforms, or virtually all non-Windows enterprise platforms. Likewise Open Spring '08 is available today as a free download from http://www.likewisesoftware.com/download/index.php"
Linux Box Corporation announces partnership with Nagios Enterprises
The Linux Box Corporation has announced it has joined Nagios Enterprises in a partnership that will help both companies provide open source support for Nagios products to customers nationwide.
A tour of the Microsoft open source lab
Microsoft's Port 25 weblog is carrying a tour of the company's open source software lab. "To some folks outside of Microsoft, the Open-Source Software Lab has been a sort of mysterious place. A place where we study Linux and open-source software, cursing our enemies while brewing our malevolent plans to combat those nasty FOSS developers. Oh, and we also have a death ray on the roof of building 17. It's Linux-powered, of course, just to add a little irony."
SFLC Announces Formation of Moglen Ravicher LLC
The Software Freedom Law Center has announced the formation of Moglen Ravicher LLC. "The Software Freedom Law Center (SFLC), provider of pro bono legal services to protect and advance free and open source software (FOSS), today announced the formation of Moglen Ravicher LLC, a law firm which will represent select for-profit clients that support FOSS but are not eligible to receive SFLC's pro bono services. An initial client of Moglen Ravicher LLC is OpenNMS, an open source enterprise grade network management platform. OpenNMS has retained the firm for representation regarding violations of the GNU General Public License (GPL)."
Oracle releases Clusterware for Oracle Unbreakable Linux
Oracle has announced the availability of Oracle Clusterware for its Oracle Unbreakable Linux support customers. "Oracle Clusterware is portable cluster software that groups together individual servers so they can cooperate as a single system. A fundamental component of Oracle Real Application Clusters, Oracle Clusterware can operate independently and helps ensure the protection of an application, Oracle or third-party."
REvolution Computing establishes advisory board
REvolution Computing has announced the establishment of a new advisory board. "REvolution Computing, a New Haven, CT-based provider of software for computational statistics, today announced the formation of an advisory board that includes many of the leading figures in the creation and development of open source communities. David Henderson, Director of Community for REvolution Computing, will be the director of the board, charged with coordinating the exchange and discussion between the board, the 'R' community and developers."
Trusted Computer Solutions announces Security Blanket 1.2 for Oracle Enterprise Linux
Trusted Computer Solutions has announced Security Blanket 1.2. "Security Blanket enables systems administrators to automatically configure and enhance the security level of their Linux operating platform by simplifying the current arduous methods for "hardening" systems that must be undertaken on a regular basis to meet security compliancy requirements."
Vyatta: Open-source Router for SMB Market
Vyatta has introduced the Vyatta 514, a networking appliance that combines Vyatta's open-source routing and security software with a small form factor hardware platform. "With integrated routing, firewall, and VPN features, the Vyatta 514 is ideally suited to connect small businesses and branch offices to the Internet or private networks. The Vyatta 514 provides all the security, performance, and functionality of proprietary networking solutions at a fraction of the cost."
Contests and Awards
FSF awards for Harald Welte and Groklaw
The Free Software Foundation has announced that Harald Welte is the recipient of this year's Award for the Advancement of Free Software, and Groklaw has won the groups Social Benefit Award. "The awards committee honored both Welte's technical contributions to projects like the Linux kernel and the OpenMoko mobile platform project, and his community leadership in safeguarding the freedom of free software users by successfully enforcing the GNU General Public License in over one hundred cases since the gpl-violations.org project began in 2004."
Plasma Themes Contest (KDE.News)
The KDE Plasma Themes Contest has been announced. "The KDE Plasma team is inviting everyone to participate in a contest to create Plasma themes from which a select few will be chosen to be included as a part of the upcoming KDE 4.1 release. This is a great opportunity to contribute to a very visible component of the KDE project, the Plasma desktop. A great feature of Plasma is the ability to theme components of the desktop using Scalable Vector Graphics (SVGs). This means there is no need for you to know C++ or any other programming language to create a great looking theme."
Upcoming Events
ELC 2008 Program Announced
The Embedded Linux Conference 2008 has announced its program for the conference being held April 15-17 in Mountain View, California. The conference features keynotes from Henry Kingman, Andrew Morton, and Tim Bird along with more than 50 sessions on a variety of embedded Linux topics.
The Linux Foundation hosts Spring Legal Summit
The Linux Foundation has announced a spring 2008 legal summit. "The Linux Foundation (LF), the nonprofit organization dedicated to accelerating the growth of Linux, today announced the details for its second Legal Summit, which will be held at the Motorola Customer Briefing Center in Schaumburg, Ill. on April 23, 2008."
LinuxWorld accepting applications for the Linux Garage
The LinuxWorld Conference & Expo is accepting applications for the Linux Garage. "Linux is now a part of phones, cars, satellite TV, multimedia, and more gizmos and gadgets than anyone can imagine. As embedded Linux continues to grow, the Linux Garage is the new demonstration area where the newest and coolest gadgets will be showcased at LinuxWorld 2008. The goal of the Linux Garage is to provide a forum for the creators of innovative devices that employ embedded Linux and to provide attendees a peek under the hood at gadgets they can be coding for. Established companies showcasing real products can buy space in the area, while early stage companies and pre-revenue inventors can apply for free space awarded on coolness factor."
Events: April 3, 2008 to June 2, 2008
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location |
---|---|---|
April 3 - April 4 | E-Mail Systems Conference 2008 (Exim and other mail systems) | Birmingham, England |
April 4 - April 5 | openSUSE Packaging Days II | IRC, Everywhere |
April 7 - April 9 | IT360 Conference & Expo | Toronto, Canada |
April 7 - April 11 | Django Bootcamp with Juan Pablo Claude | Atlanta, Georgia, USA |
April 8 - April 10 | Linux Foundation Collaboration Summit | Austin, TX, USA |
April 10 - April 13 | Go-OO Conference 2008 | Prague, Czech Republic |
April 12 - April 13 | Open Source Developers Conference Taiwan, 2008 | Taipei, Taiwan |
April 12 - April 13 | LugRadio Live USA 2008 | San Francisco, CA, USA |
April 12 - April 18 | KDevelop Developer Meeting 2008 | Munich, Germany |
April 14 - April 18 | Embedded Systems Conference - Silicon Valley | San Jose, CA, USA |
April 14 - April 17 | MySQL Conference and Expo | Santa Clara, CA, USA |
April 14 - April 18 | Samba eXPerience 2008 | Göttingen, Germany |
April 15 - April 17 | Embedded Linux Conference 2008 | Mountain View, CA, USA |
April 15 - April 17 | SOA in Health Care | Chicago, IL, USA |
April 16 - April 18 | X Developers' Conference 2008 | Mountain View, CA, USA |
April 16 - April 18 | X Developers' Conference for 2008 | Mountain View, USA |
April 16 - April 18 | Croatian Linux User Conference | Zagreb, Croatia |
April 17 - April 19 | 9th International Free Software Forum | Porto Alegre, Brazil |
April 18 - April 19 | Third Annual Silicon Valley Ruby Conference | San Jose, CA, USA |
April 18 - April 20 | National Collegiate Cyber Defense Competition | San Antonio, TX, USA |
April 18 - April 20 | Penguicon 2008 | Troy, Michigan, USA |
April 21 - April 25 | Open Source meets Industry: Application Park and International Congress | Hannover, Germany |
April 22 | The Mobile Future | Santa Clara, CA, USA |
April 22 - April 25 | Web 2.0 Expo | San Francisco, CA, USA |
April 22 | OSADL International Congress | Hannover, Germany |
April 23 - April 24 | Troopers 2008 Security Conference | Munich, Germany |
April 23 | Linux Foundation Spring Legal Summit | Schaumburg, IL, USA |
April 25 - April 29 | Open Tech Summit Taiwan 2008 | Taipei, Taiwan |
April 25 - April 26 | Guademy 2008 | Valencia, Spain |
April 27 - May 2 | INTEROP Las Vegas 2008 | Las Vegas, NV, USA |
April 28 - May 4 | Monotone Developer Summit | Wuppertal, Germany |
May 2 - May 3 | Maker Faire Bay Area | San Mateo, CA, USA |
May 5 - May 9 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, Georgia, USA |
May 8 | Embedded Masterclass 2008 | London, UK |
May 8 - May 11 | Libre Graphics Meeting 2008 | Wroclaw, Poland |
May 8 - May 9 | IV WHYFLOSS CONFERENCE MADRID 08 | Madrid, Spain |
May 9 - May 11 | Pycon Italia Due | Firenze, Italy |
May 12 - May 14 | Where 2.0 Conference | Burlingame, CA, USA |
May 13 | Embedded Masterclass 2008 | Bristol, UK |
May 15 | NLUUG spring conference 2008 | Ede, the Netherlands |
May 15 - May 16 | YAPC::Asia 2008 | Tokyo, Japan |
May 15 - May 16 | V WHYFLOSS CONFERENCE CORRIENTES 08 | Corrientes, Argentina |
May 16 - May 17 | FOSSCamp 2008 | Prague, Czech Republic |
May 17 - May 18 | 4th Int. Workshop on Software Engineering for Secure Systems (SESS'08) | Leipzig, Germany |
May 17 - May 18 | French-speaking Python Days | Paris, France |
May 19 - May 23 | AFS and Kerberos Best Practices Workshop 2008 | Newark, NJ, USA |
May 20 - May 23 | PGCon 2008 | Ottawa, Ontario, Canada |
May 20 - May 21 | Digital Standards Organization (Digistan) Workshop | The Hague, The Netherlands |
May 21 - May 22 | EUSecWest 2008 | London, England |
May 21 - May 22 | linuxdays.ch Genève | Genève, Switzerland |
May 28 - May 31 | LinuxTag 2008 where .com meets .org | Berlin, Germany |
May 29 - June 1 | RailsConf 2008 | Portland, OR, USA |
May 29 - May 30 | SyScan08 Hong Kong | Hong Kong, China |
May 30 - May 31 | eLiberatica 2008 - The benefits of Open and Free Technologies | Bucharest, Romania |
If your event does not appear here, please tell us about it.
Event Reports
PyCon 2008: A look back (AMK's Journal)
Andrew Kuchling covers the PyCon 2008 Python conference. "With every PyCon the organizers try various innovations, some of which work and some of which don't. Now that PyCon 2008 is over and I've had a chance to recover from sleep deprivation, here's my re-cap."
Page editor: Forrest Cook