
LWN.net Weekly Edition for April 3, 2008

OOXML gets ISO approval

By Jake Edge
April 2, 2008

The votes are in, with Microsoft's Office Open XML (OOXML) format gaining international standard status. Both Microsoft and Ecma International jumped the gun a bit by proclaiming victory a day before the official announcement, but the writing was on the wall since the balloting closed on March 29. There are now two competing standards for office document formats that have been approved by the International Organization for Standardization (ISO): OOXML and Open Document Format (ODF).

The most recent vote was an opportunity for the national bodies to change their vote from September based on the outcome of the Ballot Resolution Meeting (BRM). The September vote was relatively close but OOXML did not pass, which led Ecma and Microsoft to try and address the 3,500 comments (1,000+ after eliminating duplicates) made by participating countries. The comments and the Microsoft/Ecma solutions to them were discussed during the five-day BRM meeting in Geneva in late February.

When the BRM was announced, many wondered how that number of comments could be handled in a week-long meeting; unfortunately, the answer is: not very well. There was simply too much to cover, so the majority of comments—mostly substantive issues with OOXML—didn't get discussed and were voted on en masse. The majority of participants abstained (18) or failed to vote (4), with six voting to accept the changes proposed by Microsoft/Ecma and four voting against. This allowed the BRM process to complete, leaving it up to the national bodies to decide whether to change their September votes.

The outcome was again fairly close, but a net change of seven votes from "disapprove" to "approve" moved OOXML into approval. 24 of 32 votes from Participating countries were for approval, which is beyond the two-thirds majority required. Also, 86% of the Observing countries voted to approve, which is above the 75% required. In both cases, abstentions are not counted.

At some level, the outcome should not be surprising. Microsoft put a huge effort into ensuring OOXML standardization. Some would claim that they "gamed" the system—it's pretty clear they did—what's less clear is why, and what they plan to do next. Their tactics have been questionable, which leads many to believe they have an ulterior motive.

To start with, Ecma International essentially rubber-stamped a "specification" that Microsoft presented as ECMA-376. Then it was introduced to ISO on the "fast-track" process, which is meant for mature standards that have few gray areas or controversial parts. Whatever else can be said of OOXML, nearly anyone that is not firmly in the Microsoft camp can see that it is in no way mature, clear, or non-controversial—it is flawed at multiple levels.

One of the most puzzling things about the process is how we have ended up with two standards. In general, standards are supposed to be, well, standard, allowing multiple implementations that use the standard, but innovate in other areas. HTML and HTTP are standards, whereas Firefox, Safari, Konqueror, Opera, and Internet Explorer all implement those standards—some more faithfully than others—but provide different sets of features on top. Microsoft's argument for multiple standards is a disingenuous one: choice.

It would seem that Microsoft wants to paint this as a VHS vs. Betamax battle, where the consumer is able to choose the one best suited for their needs. But, both of the video recording standards were proprietary, with many arguing that the technically inferior choice "won". Microsoft is, of course, no stranger to having its choices—again arguably technically inferior and generally pushed through its near-monopoly on the desktop—come out on top.

One might be able to argue that competition between the standards is consumer-friendly if there is a level playing field. In order for that to happen, Microsoft would have to implement and deploy the competitive standard—something it has clearly said it will not do. It is hard to see how customers are going to be able to determine which of the two formats is "better" when most of them will only be given one choice.

Many also fear that free software (and other non-Microsoft proprietary) implementations of the standard will not be fully interoperable with the de facto standard because of specification inadequacies or patents. Many, including ODF editor Patrick Durusau, have called for OOXML to be passed so that it can be clarified. Setting aside the obvious cart-before-the-horse problem, standards bodies are notoriously slow—it has been more than a year for the fast-track approval of OOXML, for example—so expecting that clarifications can be made through that process is somewhat alarming. More likely, changes will be made in the format emitted by various Microsoft products and then shoehorned into the standard some months or years later.

The claim that billions of documents exist in OOXML, which leads many to believe it should be adopted, is particularly galling to many. There is no OOXML standard yet—the final document has not yet been produced—but that is a minor issue. The fact is that even though a form of OOXML is available in recent Microsoft products, it is not the default and most documents have not been stored using it. The billions of documents are mostly stored in various versions of the proprietary DOC format that non-Microsoft users have been struggling to read for years.

The opponents of OOXML had their own share of misbehavior during this process. It is pretty unlikely that everyone who favored OOXML passage is in the pay of Microsoft, for example. The doom and gloom predictions of what will happen have sometimes been over the top as well. Free software is not about restricting choices—if folks want to store documents in OOXML, that is their decision.

So, what will happen to ODF? To many it looks like a truly vendor-neutral standard—warts and all—will be shoved aside by a truly vendor-specific one. Andy Updegrove, who has followed this process closely and fairly objectively in his weblog, sees things a bit differently. There is still a long way to go before OOXML supplants ODF, if it ever does, according to Updegrove:

That answer is this: if anyone had asked me to predict in August of 2005 (the date of the initial Massachusetts decision that set the ODF ball rolling) how far ODF might go and what impact it might have, I would never have guessed that it would have gone so far, and had such impact, in so short a period of time. I think it's safe to say that whatever happens with the OOXML vote is likely to have little true impact at all on the future success of ODF compliant products.

It is possible that Microsoft is changing its ways, but longtime Microsoft watchers, especially those who have been harmed by their tactics in the past, remain skeptical. One would guess Microsoft will be on its best behavior for the next two months while objections to the approval can still be raised. After that, we will see—over time—whether this is yet another lock-in play or whether they wish to play fair in the document storage arena. Every move they make will be closely scrutinized; there are risks to reverting to their previous behaviors. But, if we end up with a truly open standard, free of patent nonsense, and implementable by all, it doesn't really matter whether it is OOXML or ODF.


WebKit rising

By Jonathan Corbet
April 2, 2008
Once upon a time, there were no usable free web browsers for the Linux environment; the binary-only Netscape releases were all that was available to us. For many, the solution to the problem was to be found in the release of the Netscape source code; some years later, we got the Mozilla and Firefox browsers (based on the Gecko rendering engine) from this work. The KDE project, though, took a different route in the late 1990's, developing the KHTML renderer to use with the Konqueror application.

A few years later, Apple surprised the world by selecting KHTML as the base for its Safari browser, despite the fact that Gecko was more widely deployed. What followed was essentially a fork of KHTML and some bad blood between Apple and the KDE project. Over time, the two sides have come to a better understanding, but KHTML and Apple's version (WebKit) have remained separate. The existence of two KHTML forks may not last that much longer, though, and some interesting things appear to be happening.

One of those things is that Konqueror is slowly being moved over to WebKit as its rendering engine. The decision to go in this direction was made at the 2007 Akademy gathering, and work has been proceeding ever since. Current Ubuntu development releases include a preview version of Konqueror on WebKit. Work can be expected to continue in this direction, with the result that KHTML will slowly lose its prominence in the KDE project. The fork, in other words, is beginning to join, with the resulting software being called "WebKit." [Update: as can be seen in the comments, this paragraph overstated the case somewhat. Things might end up as described here, but that is not the case now.]

Meanwhile, it seems that people are actually starting to use Safari, to the point that web designers are thinking that they should actually test their sites with it. For what it's worth, Safari currently accounts for just over 3% of visits to LWN.net - relatively small compared to Firefox (over 60%), but, when added to Konqueror's 4.5%, it makes half of Internet Explorer's 15% share. One can argue that the mix of browsers used by LWN readers is not typical of the net as a whole, but, even so, it looks like WebKit-based browsers just might become a significant part of the Internet's software base.

The story does not stop there, though. When a GNOME project announces, on April 1, that it is moving over to a major component which came from the KDE camp, one can be forgiven for not taking it seriously. But it would appear that this announcement from the Epiphany developers, saying that they are moving to WebKit as their sole rendering engine, is the real thing. Epiphany, remember, is the closest thing that GNOME has to an official web browser; it has users who swear by its better integration with the GNOME desktop. But Epiphany has always been based on the Gecko engine, and it seems that not a whole lot of users have seen reasons to stick with it over Firefox, which provides rather more functionality on the same engine. Epiphany is not a big force in the browser arena currently.

Last year, the Epiphany developers added an abstraction layer which allowed the browser to operate over multiple rendering engines, including WebKit. Now they have decided to take that layer back out and to support just one rendering engine: WebKit. The development team cites a number of reasons for moving away from Gecko, including release-cycle mismatches, a feature set which is driven by a competing project, and a lack of attention being paid to the Gecko/GTK embedding API. Gecko, they have decided, is not the best fit for Epiphany.

WebKit, instead, was designed for embedding - the WebKit project's goals explicitly rule out building a browser themselves - and the GNOME API is said to work very nicely. WebKit in GNOME uses technologies like Cairo and Pango, like many other GNOME applications. Overall, the Epiphany team feels like WebKit is a better match for what they are trying to do - and they suggest that a number of other GNOME projects move in that direction as well. The initial response from other GNOME participants appears to be positive, with the exception of some concerns about accessibility support in WebKit - concerns which, presumably, can be addressed.

The GNOME/KDE flame wars, happily, are some years behind us. Developers from both projects are more interested in cooperation these days, but, so far, much of that cooperation has been around relatively small, low-level components. An HTML rendering engine is not a small, low-level component, though. If both projects seriously work toward the improvement of WebKit, they will have started an era of rather higher cooperation than has been seen in the past. If this cooperation holds together, it can only be to the benefit of both projects, and to all other users of WebKit as well.

The Gecko engine is good code and a highly successful project. But it is also controlled by a company (Mozilla Corporation) whose agenda, beneficial though it may be, does not include the creation of successful competing browsers. So it's not entirely surprising that Gecko has not proved to be entirely suitable for groups trying to create those competing browsers. WebKit, at the outset, looks like it is better suited to this task. The WebKit project has expressed interest in working with GNOME; there might just be a productive partnership in the making here.

But it's worth remembering that WebKit, too, is a project developed by a company with its own objectives, few of which make any mention of turning 2009 into the real year of the Linux desktop. For now, though, WebKit has the look of a project with all the right attributes: real independence, merit-based access to the source repository, no requirement for copyright assignments, reasonable licensing, and the right goals. It may well be positioned to become a core component in the Linux desktop.


A creative example of the value of free drivers

By Jonathan Corbet
March 30, 2008
Free operating systems differ from the proprietary variety in a number of ways. One of the differences which is most evident to all users is in the provision of device drivers. With free systems, device drivers are free software, provided with the system itself. Proprietary systems tend to provide relatively few drivers; instead, proprietary drivers are shipped with the hardware itself and installed separately. Anybody who wonders about which model works better would be well advised to look at the events of March 28, when Creative Labs shut down an outside developer who had been working to improve Creative's drivers.

Creative is, of course, a long-time manufacturer of audio hardware. Opinions vary on the quality of that hardware, but there can be no doubt that Creative has been successful in this market. Creative's customers have found, though, that moving to Vista has been an unusually painful experience, even by the standards of that particular system. It seems that Creative's drivers have failed to provide the same level of functionality found in previous versions, leaving customers with crippled hardware. Strangely enough, said customers have not been entirely pleased with this state of affairs.

Enter a developer called "Daniel_K". Daniel took the time to figure out how the hardware worked and to patch Creative's drivers to, once again, provide access to the full capability of the hardware. He then made those drivers available to others. Creative hardware owners were happy about this: somebody had finally managed to solve the problems they had been complaining about. One would have expected Creative to be happy too; happy customers tend to be good for business.

That's not the way of it, though. Instead, Creative removed links to the fixed drivers from its forums and posted a public cease-and-desist letter. According to Creative's Phil O'Shaughnessy:

By enabling our technology and IP to run on sound cards for which it was not originally offered or intended, you are in effect, stealing our goods. When you solicit donations for providing packages like this, you are profiting from something that you do not own. If we choose to develop and provide host-based processing features with certain sound cards and not others, that is a business decision that only we have the right to make.

There can be little doubt that Creative is operating within its legal rights here. It has retained proprietary rights to its driver software, and it has imposed the usual sort of "thou shalt not reverse engineer" EULA on its users. So, while Daniel_K may (or may not) have been able to legally reverse engineer the driver (depending on his location), he almost certainly did not have the right to redistribute modified versions of Creative's drivers. Asking for donations to help him continue this activity will not have made him any friends at Creative either. When dealing with other peoples' proprietary software in this manner, one should not be surprised to get shutdown notices.

Creative may be on solid ground legally, but it still makes sense to look at what is going on here. One might have attributed the driver problems to a lack of competence at Creative, or, perhaps, to the general sort of misery that (your editor has heard) goes along with Vista. Instead, Creative's crippled drivers were the result of a "business decision." Rather than allow its customers to get the most out of the hardware they thought they owned, Creative decided to restrict that functionality, presumably as a way of motivating those customers to buy newer, shinier, better-supported hardware. Daniel_K, by making Creative's customers happier, was threatening Creative's chosen business strategy.

Now consider a company whose hardware is supported by free drivers. That company lacks the ability to use crippled drivers as a tool to "encourage" customers to replace their hardware. Instead, that company has every incentive to provide the best hardware possible and to ensure that said hardware works to its fullest capability. Such a company would welcome an outsider who made their products work better; those outsiders would be more likely to receive job offers than cease-and-desist letters. Rather than calling out the lawyers, this company could focus on the business of being a hardware company.

Your editor knows which sort of company he would (and does) choose to buy hardware from. Free drivers are not just a path toward higher-quality support, though that is typically the result. They are not just a way to help ensure that the kernel as a whole remains stable and debuggable. And free drivers are not just a way to help ensure that all can learn and benefit from the work which was done to get the hardware working. They are also a way to avoid the threat of manipulation by hardware vendors who have decided that providing the best value for customers is no longer a winning business strategy. That is a sort of freedom which is worth having.


Page editor: Jonathan Corbet

Security

Biometrics for identification

By Jake Edge
April 2, 2008

Using a fingerprint or other physical characteristic, called biometric data, for identity verification seems, at first glance, like a perfect solution to the problem. Unfortunately, there are some basic problems with using biometric information that way. If the biometric data can be gathered by others, it no longer makes such a good identifier.

As part of a political protest against including fingerprints in passports, the Chaos Computer Club (CCC) published a fingerprint of German Home Secretary Wolfgang Schäuble. Schäuble is a supporter of collecting fingerprint data to combat terrorism. The club not only published the picture, but also a film that can be placed over a finger to deceive fingerprint scanners. A club spokesman has usage recommendations as reported in heise online:

We recommend that you use the film whenever your fingerprint is taken, such as when you enter the US, stop over at Heathrow, or even when you touch bottles at your local super market -- just to be on the safe side

It seems unlikely that CCC's distributed finger film will actually leave the Secretary's print on a glass surface, but more sophisticated versions of the same basic idea should be able to. Various folks have shown that using an image of someone's fingerprint can fool most scanners. Even sophisticated scanners can be spoofed when that image is placed over a live finger—with body temperature and pulse. The problem is that while a fingerprint is unique, it isn't secret. CCC got theirs from a sympathizer who picked it up from a glass used by the Secretary during a speech.

Bruce Schneier is, as usual, ahead of the curve on this. In an article from nearly ten years ago, he drives home the point:

The moral is that biometrics work great only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work. Biometrics are unique identifiers, but they are not secrets. (Repeat that sentence until it sinks in.)

Other forms of biometric identification exist, but are susceptible to the same kinds of problems. A voiceprint or facial identification scanner could be fairly easily subverted by secretly recording or photographing the subject. Retinal scans are trickier, perhaps, but technology to remotely (and surreptitiously) read them will probably come along. In many cases, an attacker may not even need to go to that amount of trouble because they can just extract—or pay to have someone else extract—that information from some database.

More and more of this kind of information is being gathered and centralized. The US has started fingerprinting all ten fingers of non-citizens who enter the country—other countries have started doing it in retaliation. One could hope the data retention policy for that information is similar to that of White House emails, but it is probably longer. Worse yet, it is probably stored with photographs, passport information, and signature of the subject.

The key to using biometrics correctly is to repeat the Schneier mantra:

Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy. Biometrics are unique identifiers, but they are not secrets.

Revocation of a biometric identifier is difficult or impossible—if it is even known to be compromised. One could potentially switch fingers for fingerprint identification, or even switch eyes—once. Switching voiceprint, face, or DNA if and when that gets used, will be essentially impossible. Biometrics suffer from the same failure mode as using the same password everywhere, unless you can somehow use a different characteristic for each biometrically "protected" dataset—hard to do with limited body parts.

Biometric data does have its uses, but it has limitations as well. It seems seductively simple that your fingerprint is the same as you, but it isn't necessarily true. Now we just need to teach the politicians, which might be something that Schäuble is starting to learn.


New vulnerabilities

capp-lspp-config: privilege escalation

Package(s): lspp-eal4-config-ibm, capp-lspp-eal4-config-hp
CVE #(s): CVE-2008-0884
Created: April 1, 2008
Updated: April 2, 2008
Description: The lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages contain utilities and documentation for configuring a machine for the Controlled Access Protection Profile, or the Labeled Security Protection Profile.

It was discovered that use of the "capp-lspp-config" script results in the "/etc/pam.d/system-auth" file being set to world-writable. Authorized local users who have limited privileges could then exploit this to gain additional access, or to escalate their privileges.

Alerts:
Red Hat RHSA-2008:0193-02 lspp-eal4-config-ibm, capp-lspp-eal4-config-hp 2008-04-01
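
A defender's check for the condition this advisory describes, written as an added example (not code from the advisory or the affected packages): it lists files in a PAM configuration directory that someone other than the owner could modify. The function names, the sample directory and its file modes are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_config_dir(directory, expected_uid=0):
    """Return (path, octal_mode, reasons) for every regular file in
    `directory` that a user other than `expected_uid` could modify."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat first, so symlinks are noticed
        if stat.S_ISLNK(st.st_mode):
            # A symlink's own mode bits are meaningless: audit its target.
            try:
                st = os.stat(path)
            except OSError:
                findings.append((path, None, ["dangling symlink"]))
                continue
        if not stat.S_ISREG(st.st_mode):
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_uid != expected_uid:
            reasons.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
        if reasons:
            findings.append((path, oct(stat.S_IMODE(st.st_mode)), reasons))
    return findings


def build_sample_dir():
    """Create a constructed stand-in for /etc/pam.d with one file in the
    state the advisory describes (system-auth left world-writable)."""
    directory = tempfile.mkdtemp(prefix="pamd-sample-")
    samples = (("system-auth", 0o666), ("sshd", 0o644), ("login", 0o664))
    for name, mode in samples:
        path = os.path.join(directory, name)
        with open(path, "w") as handle:
            handle.write("# constructed sample, not a real PAM stack\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter
    return directory


if __name__ == "__main__":
    # The sample files belong to whoever runs this, so compare against that
    # uid; on a real system, audit /etc/pam.d with the default expected_uid=0.
    sample = build_sample_dir()
    for path, mode, reasons in audit_config_dir(sample, expected_uid=os.getuid()):
        print("%s mode=%s: %s" % (path, mode, ", ".join(reasons)))
```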


centerim: command injection

Package(s): centerim
CVE #(s): CVE-2008-1467
Created: April 2, 2008
Updated: April 2, 2008
Description: The centerim instant messaging interface passes unescaped URLs to the shell, allowing the injection of arbitrary commands.
Alerts:
Fedora FEDORA-2008-2869 centerim 2008-04-01
Fedora FEDORA-2008-2867 centerim 2008-04-01
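
The bug class described here, shown as an added example rather than centerim's own code: a URL interpolated into a shell command line is parsed by the shell, while the same URL passed as a single argv element is not. The stand-in viewer command, the function names and the sample URL are assumptions made for the illustration.

```python
import shlex
import subprocess
import sys

# Stand-in for an external URL handler (assumption): it prints each argument
# it receives on its own line, so the caller can see what the handler got.
VIEWER = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]
VIEWER_SHELL = " ".join(shlex.quote(part) for part in VIEWER)

# Constructed sample: a "URL" that carries a shell command separator.
HOSTILE_URL = "http://example.invalid/page;echo INJECTED"


def _run(cmd, use_shell):
    done = subprocess.run(cmd, shell=use_shell, capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


def launch_unescaped(url):
    """Vulnerable pattern: the URL is pasted into a shell command line, so
    the shell treats ';' (and other metacharacters) as syntax."""
    return _run(VIEWER_SHELL + " " + url, use_shell=True)


def launch_quoted(url):
    """Mitigation when a shell cannot be avoided: quote the URL so the
    shell passes it through as one literal word."""
    return _run(VIEWER_SHELL + " " + shlex.quote(url), use_shell=True)


def launch_argv(url):
    """Preferred fix: no shell at all; the URL is exactly one argv entry."""
    return _run(VIEWER + [url], use_shell=False)


if __name__ == "__main__":
    print("unescaped:", launch_unescaped(HOSTILE_URL))
    print("quoted:   ", launch_quoted(HOSTILE_URL))
    print("argv:     ", launch_argv(HOSTILE_URL))
```

In the unescaped case the handler receives only the text before the `;` and the shell runs the remainder as a second command; in the other two the handler receives the whole string unchanged.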


cups: buffer overflows

Package(s): cups
CVE #(s): CVE-2008-0053 CVE-2008-1373
Created: April 1, 2008
Updated: October 16, 2008
Description: Two overflows were discovered in the HP-GL/2-to-PostScript filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code as the "lp" user if the file is printed. A buffer overflow flaw was discovered in the GIF decoding routines used by CUPS image converting filters "imagetops" and "imagetoraster". An attacker could create a malicious GIF file that could possibly execute arbitrary code as the "lp" user if the file was printed.
Alerts:
Fedora FEDORA-2008-8844 cups 2008-10-16
Fedora FEDORA-2008-8801 cups 2008-10-16
Debian DSA-1625-1 cupsys 2008-08-01
Fedora FEDORA-2008-2131 cups 2008-04-08
Fedora FEDORA-2008-2897 cups 2008-04-08
rPath rPSA-2008-0136-1 cups 2008-04-04
SuSE SUSE-SA:2008:020 cups 2008-04-04
Ubuntu USN-598-1 cupsys 2008-04-02
Slackware SSA:2008-094-01 cups 2008-04-03
Mandriva MDVSA-2008:081 cups 2007-04-02
Gentoo 200804-01 cups 2008-04-01
Red Hat RHSA-2008:0206-01 cups 2008-04-01
Red Hat RHSA-2008:0192-01 cups 2008-04-01


cups: multiple vulnerabilities

Package(s): cups
CVE #(s): CVE-2008-1374 CVE-2004-0888 CVE-2005-0206
Created: April 1, 2008
Updated: August 6, 2008
Description: Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. An attacker could create a malicious PDF file that could possibly execute arbitrary code as the "lp" user if the file was printed. The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities.
Alerts:
rPath rPSA-2008-0245-1 cups 2008-08-05
Red Hat RHSA-2008:0206-01 cups 2008-04-01


gnome-screensaver: information disclosure

Package(s): gnome-screensaver
CVE #(s): CVE-2007-6389
Created: April 2, 2008
Updated: November 12, 2008
Description: The gnome-screensaver "leave message" feature can be used to read the contents of the user's clipboard, potentially disclosing useful information.
Alerts:
Ubuntu USN-669-1 gnome-screensaver 2008-11-11
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
SuSE SUSE-SA:2008:041 openwsman 2008-08-14
Mandriva MDVSA-2008:135 gnome-screensaver 2008-07-04
Fedora FEDORA-2008-3017 gnome-screensaver 2008-04-08
Fedora FEDORA-2008-2967 gnome-screensaver 2008-04-08
Fedora FEDORA-2008-2872 gnome-screensaver 2008-04-01
Fedora FEDORA-2008-2818 gnome-screensaver 2008-04-01


gnome-screensaver: lock bypass

Package(s): gnome-screensaver
CVE #(s): CVE-2008-0887
Created: April 2, 2008
Updated: November 12, 2008
Description: From the Red Hat advisory: A flaw was found in the way gnome-screensaver verified user passwords. When a system used a remote directory service for login credentials, a local attacker able to cause a network outage could cause gnome-screensaver to crash, unlocking the screen.
Alerts:
Ubuntu USN-669-1 gnome-screensaver 2008-11-11
Mandriva MDVSA-2008:132 gnome-screensaver 2008-07-04
SuSE SUSE-SR:2008:014 sudo, courier-authlib, gnome-screensaver, clamav, php5, ImageMagick, GraphicsMagick, mtr, bind, pcre, tomcat, squid, freetype2 2008-07-04
Gentoo 200804-12 gnome-screensaver 2008-04-11
Fedora FEDORA-2008-3017 gnome-screensaver 2008-04-08
Fedora FEDORA-2008-2967 gnome-screensaver 2008-04-08
Red Hat RHSA-2008:0218-01 gnome-screensaver 2008-04-03
Red Hat RHSA-2008:0197-01 gnome-screensaver 2008-04-02


lighttpd: denial of service

Package(s): lighttpd
CVE #(s): CVE-2008-1531
Created: April 1, 2008
Updated: May 19, 2008
Description: lighttpd 1.4.19 and earlier allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.
Alerts:
Fedora FEDORA-2008-4119 lighttpd 2008-05-17
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Fedora FEDORA-2008-3343 lighttpd 2008-04-29
Fedora FEDORA-2008-3376 lighttpd 2008-04-29
Debian DSA-1540-2 lighttpd 2008-04-15
Gentoo 200804-08 lighttpd 2008-04-10
Debian DSA-1540-1 lighttpd 2008-04-07
rPath rPSA-2008-0132-1 lighttpd 2008-03-31


mod_suphp: symlink vulnerabilities

Package(s): mod_suphp
CVE #(s):
Created: April 2, 2008
Updated: April 2, 2008
Description: mod_suphp 0.6.2 contains two symbolic link vulnerabilities which can be exploited to create a privilege escalation attack.
Alerts:
Fedora FEDORA-2008-2868 mod_suphp 2008-04-01
Fedora FEDORA-2008-2815 mod_suphp 2008-04-01


phpMyAdmin: information disclosure

Package(s): phpMyAdmin
CVE #(s): CVE-2008-1567
Created: April 2, 2008
Updated: February 2, 2009
Description: phpMyAdmin saves MySQL username and password information in (potentially unprotected) session data.
Alerts:
SuSE SUSE-SR:2008:026 libxml2, phpMyAdmin, lighttpd, OpenOffice_org, imp, clamav, acroread, htop, cups 2008-11-24
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
Mandriva MDVSA-2008:131 phpMyAdmin 2008-07-04
Debian DSA-1557-1 phpmyadmin 2008-04-24
Fedora FEDORA-2008-2874 phpMyAdmin 2008-04-01
Fedora FEDORA-2008-2825 phpMyAdmin 2008-04-01


policyd-weight: insecure temp file

Package(s): policyd-weight
CVE #(s): CVE-2008-1569
Created: March 27, 2008
Updated: April 11, 2008
Description: From the Debian alert: Chris Howells discovered that policyd-weight, a policy daemon for the Postfix mail transport agent, created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system.
Alerts:
Gentoo 200804-11 policyd-weight 2008-04-11
Debian DSA-1531-2 policyd-weight 2008-03-29
Debian DSA-1531-1 policyd-weight 2008-03-27


tomcat: insecure ciphers

Package(s): tomcat
CVE #(s): CVE-2007-1858
Created: March 28, 2008
Updated: April 2, 2008
Description: The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.
Alerts:
SuSE SUSE-SR:2008:007 unzip, tomcat, moodle, xine 2008-03-28


xine-lib: multiple integer overflows

Package(s): xine
CVE #(s): CVE-2008-1482
Created: April 1, 2008
Updated: September 10, 2008
Description: Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote attackers to trigger heap-based buffer overflows and possibly execute arbitrary code via (1) a crafted .FLV file, which triggers an overflow in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which triggers an overflow in demuxers/demux_film.c.
Alerts:
Fedora FEDORA-2008-7572 xine-lib 2008-09-05
Ubuntu USN-635-1 xine-lib 2008-08-06
Gentoo 200808-01 xine-lib 2008-08-06
Mandriva MDVSA-2008:178 xine-lib 2008-08-20
Debian DSA-1586-1 xine-lib 2008-05-22
Fedora FEDORA-2008-2849 xine-lib 2008-04-08
Fedora FEDORA-2008-2945 xine-lib 2008-04-08
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Slackware SSA:2008-092-01 xine 2008-03-31
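
The bug class named in the xine-lib description, shown as an added example that is not xine-lib's code: a count field read from a media file is multiplied by an entry size in 32-bit arithmetic, so the allocation comes out far smaller than the data the parser then expects to store. The header layout, `ENTRY_SIZE`, the function names and the sample bytes are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 16u   /* hypothetical size of one on-disk index entry */

/* Constructed sample inputs (not real media files): a big-endian 32-bit
 * entry count followed by room for two index entries. */
static const uint8_t sample_ok[4 + 2 * ENTRY_SIZE]  = { 0x00, 0x00, 0x00, 0x02 };
static const uint8_t sample_bad[4 + 2 * ENTRY_SIZE] = { 0x10, 0x00, 0x00, 0x01 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defect: the product is computed in 32 bits and silently wraps, so a
 * huge count yields a tiny allocation size. */
uint32_t index_bytes_unchecked(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* The fix: reject a count whose product cannot be represented, and reject a
 * count that claims more entries than the file actually contains. */
int index_bytes_checked(uint32_t count, size_t payload_len, size_t *out)
{
    size_t need;

    if (count == 0)
        return -1;
    if (count > SIZE_MAX / ENTRY_SIZE)      /* product would overflow size_t */
        return -1;
    need = (size_t)count * ENTRY_SIZE;
    if (need > payload_len)                 /* header lies about the payload */
        return -1;
    *out = need;
    return 0;
}

/* Load the index table from a buffer; returns NULL on any malformed input.
 * The caller frees the result. */
uint8_t *load_index(const uint8_t *buf, size_t len, uint32_t *count_out)
{
    uint32_t count;
    size_t need;
    uint8_t *tbl;

    if (len < 4)
        return NULL;
    count = be32(buf);
    if (index_bytes_checked(count, len - 4, &need) != 0)
        return NULL;
    tbl = malloc(need);
    if (tbl == NULL)
        return NULL;
    memcpy(tbl, buf + 4, need);
    *count_out = count;
    return tbl;
}
```

Bounding the count by the bytes remaining in the input catches the wrapped case and the merely oversized case with the same check.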

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.25-rc8, released on April 1. This one has a number of fixes and takes care of some of the most obnoxious remaining regressions; it could, conceivably, be the last -rc before the final 2.6.25 release. See the announcement for details, or the long-format changelog for lots of details.

The current -mm tree is 2.6.25-rc8-mm1. Recent changes to -mm include a big set of IDE patches, a new "special" page flag (see below), the device whitelist control group, writable mmap() support for the FUSE filesystem, the object debugging infrastructure patches, and lots of fixes.

Kernel development news

Quotes of the week

This is "high" priority because the wife will kill me if she doesn't have her videos. And the adobe player won't install on current rawhide due to some library issues.
-- Linus Torvalds files a bug report.

Argh. My apologies for sloppiness of flame. Conclusion still stands.
-- Politeness, Al Viro style.

Toward better direct I/O scalability

By Jonathan Corbet
March 31, 2008
Linux enthusiasts like to point out just how scalable the system is; Linux runs on everything from pocket-size devices to supercomputers with several thousand processors. What they talk about a little bit less is that, at the high end, the true scalability of the system is limited by the sort of workload which is run. CPU-intensive scientific computing tasks can make good use of very large systems, but database-heavy workloads do not scale nearly as well. There is a lot of interest in making big database systems work better, but it has been a challenging task. Nick Piggin appears to have come up with a logical next step in that direction, though, with a relatively straightforward set of core memory management changes.

For some time, Linux has supported direct I/O from user space. This, too, is a scalability technology: the idea is to save processor time and memory by avoiding the need to copy data through the kernel as it moves between the application and the disks. With sufficient programming effort, the application should be able to make use of its superior knowledge of its own data access patterns to cache data more effectively than the kernel can; direct I/O allows that caching to happen without additional overhead. Large database management systems have had just that kind of programming effort applied to them, with the result that they use direct I/O heavily. To a significant extent, these systems use direct I/O to replace the kernel's paging algorithms with their own, specialized code.

When the kernel is asked to carry out a direct I/O operation, one of the first things it must do is to pin all of the relevant user-space pages into memory and locate their physical addresses. The function which performs this task is get_user_pages():

    int get_user_pages(struct task_struct *tsk,
                       struct mm_struct *mm,
                       unsigned long start,
                       int len,
                       int write,
                       int force,
                       struct page **pages,
                       struct vm_area_struct **vmas);

A successful call to get_user_pages() will pin len pages into memory, those pages starting at the user-space address start as seen in the given mm. The addresses of the relevant struct page pointers will be stored in pages, and the associated VMA pointers in vmas if it is not NULL.

This function works, but it has a problem (beyond the fact that it is a long, twisted, complex mess to read): it requires that the caller hold mm->mmap_sem. If two processes are performing direct I/O within the same address space - a common scenario for large database management systems - they will contend for that semaphore. This kind of lock contention quickly kills scalability; as soon as processors have to wait for each other, there is little to be gained by adding more of them.

There are two common approaches to take when faced with this sort of scalability problem. One is to go with more fine-grained locking, where each lock covers a smaller part of the kernel. Splitting up locks has been happening since the initial creation of the Big Kernel Lock, which is the definitive example of coarse-grained locking. There are limits to how much fine-grained locking can help, though, and the addition of more locks comes at the cost of more complexity and more opportunities to create deadlocks.

The other approach is to do away with locking altogether; this has been the preferred way of improving scalability in recent years. That is, for example, what all of the work around read-copy-update has been doing. And this is the direction Nick has chosen to improve get_user_pages().

Nick's core observation is that, when get_user_pages() is called on a normal user-space page which is already present in memory, that page's reference count can be increased without needing to hold any locks first. As it happens, this is the most common use case. Behind that observation, though, are a few conditions. One is that it is not possible to traverse the page tables if those tables are being modified at the same time. To be guaranteed that this will not happen, the kernel must, before heading into the page table tree, disable interrupts in the current processor. Even then, the kernel can only traverse the currently-running process's page tables without holding mmap_sem.

Lockless operation also will not work whenever pages which are not "normal" are involved. Some cases - non-present pages, for example - are easily detected from the information found in the page tables themselves. But others, such as situations where the relevant part of the address space has been mapped onto device memory with mmap(), are not readily apparent by looking at the associated page table entries. In this case, the kernel must look back at the controlling vm_area_struct (VMA) structure to see what is going on - and that cannot be done without holding mmap_sem. So it looks like there is no way to find out whether lockless operation is possible without first taking the lock.

The solution here is to grab a free bit in the page table entry. The PTE for a page which is present in memory holds the physical page frame address. In such addresses, the bottom 12 bits (for architectures using 4096-byte pages) will always be zero, so they can be dedicated to other purposes. One of them is used to indicate whether the page is present in memory at all; others indicate writability, whether it's a user-space page, whether it is dirty, etc. Nick's patch grabs one of the few remaining bits and calls it "PAGE_BIT_SPECIAL," indicating "special" pages. These are pages which, for whatever reason, do not have a readily-accessible struct page associated with them. Marking "special" pages in the page tables can help in a number of places; one of those is making it possible to determine whether lockless get_user_pages() is possible on a given page.

Once these pages are properly marked in the page tables, it is possible to write a function which makes a good attempt at a lockless get_user_pages(). Nick's proposal is called fast_gup():

    int fast_gup(unsigned long start, int nr_pages, 
                 int write, struct page **pages);

This function has a much simpler interface than get_user_pages() because it does not handle many of the cases that get_user_pages() can deal with. It only works with the current process's address space, and it cannot return pointers to VMA structures. But it can iterate through a set of page tables, testing each page for presence, writability, and "non-specialness," and incrementing each page's reference count (thus pinning it into physical memory) in the process. If it works, it's very fast. If not, it undoes things then falls back to get_user_pages() to do things the slow, old-fashioned way.
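
The fast-path logic described above, as an added userspace model that is not Nick's patch or kernel code: a flat table of PTE values is walked, each entry is tested for presence, writability and the "special" bit, reference counts are taken, and any failure undoes the pins and falls back to a locked slow path. The `_model` names, the flat single-level table and the position chosen for the special bit are assumptions made for this illustration.

```c
/* Userspace model only. The kernel version also disables interrupts around
 * the page table walk; this model has no concurrency at all. */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT  12
#define PTE_PRESENT (1ull << 0)
#define PTE_WRITE   (1ull << 1)
#define PTE_USER    (1ull << 2)
#define PTE_SPECIAL (1ull << 9)                 /* bit position assumed for this model */
#define PTE_FLAGS   ((1ull << PAGE_SHIFT) - 1)  /* low 12 bits carry flags, not address */
#define NPAGES      8

struct page { int refcount; };

static struct page mem_map[NPAGES];   /* one struct page per physical frame */
static uint64_t page_table[NPAGES];   /* flat table indexed by virtual page number */
static int mmap_sem_taken;            /* counts slow-path lock acquisitions */

static uint64_t mk_pte(uint64_t pfn, uint64_t flags)
{
    return (pfn << PAGE_SHIFT) | flags;
}

/* Return the struct page if this PTE may be pinned without the lock, else NULL. */
static struct page *pte_to_pinnable(uint64_t pte, int write)
{
    uint64_t need = PTE_PRESENT | PTE_USER | (write ? PTE_WRITE : 0);
    uint64_t pfn = (pte & ~PTE_FLAGS) >> PAGE_SHIFT;

    if ((pte & need) != need)   /* not present, not user, or not writable */
        return NULL;
    if (pte & PTE_SPECIAL)      /* no usable struct page behind this mapping */
        return NULL;
    return pfn < NPAGES ? &mem_map[pfn] : NULL;
}

/* Drop the references taken on the first n entries of pages[]. */
static void unpin(struct page **pages, int n)
{
    while (n-- > 0)
        pages[n]->refcount--;
}

/* Lockless attempt: pin every page in the range, or undo and report failure. */
int fast_gup_model(unsigned long vpn, int nr_pages, int write, struct page **pages)
{
    for (int i = 0; i < nr_pages; i++) {
        struct page *pg = (vpn + i < NPAGES)
            ? pte_to_pinnable(page_table[vpn + i], write) : NULL;
        if (!pg) {
            unpin(pages, i);
            return -1;
        }
        pg->refcount++;
        pages[i] = pg;
    }
    return nr_pages;
}

/* Stand-in for get_user_pages(): takes the lock and can fault pages in. */
int slow_gup_model(unsigned long vpn, int nr_pages, int write, struct page **pages)
{
    mmap_sem_taken++;                             /* models taking mm->mmap_sem */
    for (int i = 0; i < nr_pages; i++) {
        struct page *pg = NULL;
        if (vpn + i < NPAGES) {
            page_table[vpn + i] |= PTE_PRESENT;   /* models a page fault */
            pg = pte_to_pinnable(page_table[vpn + i], write);
        }
        if (!pg) {
            unpin(pages, i);
            return -1;
        }
        pg->refcount++;
        pages[i] = pg;
    }
    return nr_pages;
}

/* Try the lockless path first; fall back to the locked path on any failure. */
int pin_pages_model(unsigned long vpn, int nr_pages, int write, struct page **pages)
{
    int n = fast_gup_model(vpn, nr_pages, write, pages);
    return n >= 0 ? n : slow_gup_model(vpn, nr_pages, write, pages);
}

/* Constructed sample address space: eight pages, three of them awkward. */
void setup_demo(void)
{
    mmap_sem_taken = 0;
    for (uint64_t v = 0; v < NPAGES; v++) {
        mem_map[v].refcount = 0;
        page_table[v] = mk_pte(v, PTE_PRESENT | PTE_USER | PTE_WRITE);
    }
    page_table[4] = mk_pte(4, PTE_USER | PTE_WRITE);                  /* not present */
    page_table[5] = mk_pte(5, PTE_PRESENT | PTE_USER | PTE_SPECIAL);  /* special */
    page_table[6] = mk_pte(6, PTE_PRESENT | PTE_USER);                /* read-only */
}
```

In the model the lock counter stays at zero for as long as every page in a request is present, writable as requested and not special, which is the common case the article describes.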

How much is this worth? Nick claims a 10% performance improvement running "an OLTP workload" (one of those unnameable benchmark suites, perhaps) using IBM's DB2 DBMS system on a two-processor (eight-core) system. The performance improvement, he says, may be greater on larger systems. But even if it remains at "only" 10%, this work is a clear step in the right direction for this kind of workload.

[Update: this interface was merged for the 2.6.27 kernel; the name was changed to get_user_pages_fast() but it is otherwise the same.]

UBIFS

By Jonathan Corbet
April 2, 2008
The steady growth in flash-based memory devices looks set to transform parts of the storage industry. Flash has a number of advantages over rotating magnetic storage: it is smaller, has no moving parts, requires less power, makes less noise, is truly random access, and it has the potential to be faster. But flash is not without its own idiosyncrasies. Flash-based devices operate on much larger blocks of data: 32KB or more. Rewriting a portion of a block requires running an erase cycle on the entire block (which can be quite slow) and writing the entire block's contents. There is a limit to the number of times a block can be erased before it begins to corrupt the data stored there; that limit is low enough that it can bring a premature end to a flash-based device's life, especially if the same block is repeatedly rewritten. And so on.

A number of approaches exist for making flash-based devices work well. Many devices, such as USB drives, include a software "flash translation layer" (FTL); this layer performs the necessary impedance matching to make a flash device look like an ordinary block device with small sectors. Internally, the FTL maintains a mapping between logical blocks and physical erase blocks which allows it to perform wear leveling - distributing rewrite operations across the device so that no specific erase block wears out before its time - though some observers question whether low-end flash devices bother to do that. The use of FTL layers makes life easy for the rest of the system, but it is not necessarily the way to get the best performance out of the hardware.

If you can get to the device directly, without an FTL getting in the way, it is possible to create filesystems which embody an awareness of how flash works. Most of our contemporary filesystems are designed around rotating storage, with the result that they work hard to minimize time-consuming operations like head seeks. A flash-based filesystem need not worry about such issues, but it must be concerned about things like erase blocks instead. So making the best use of flash requires a filesystem written with flash in mind.

The main filesystem for flash-based devices on Linux is the venerable JFFS2. This filesystem works, but it was designed for devices which are rather smaller than those available today. Since JFFS2 must do things like rebuild the entire directory tree at mount time, it can be quite slow on large devices - for relatively small values of "large" by 2008 standards. JFFS2 is widely seen as reaching the end of its time.

A more contemporary alternative is LogFS, which has been discussed on these pages in the past. This work remains unfinished, though, and development has been relatively slow in recent times; LogFS has not yet been seriously considered for merging into the mainline. A more recent contender is UBIFS; this code is in a state of relative completion and its developers are asking for serious review.

UBIFS depends on the UBI layer, which was merged for 2.6.22. UBI ("unsorted block images") is not, technically, an FTL, but it performs a number of the same functions. At the heart of UBI is a translation table which maps logical erase blocks (LEBs) onto physical erase blocks (PEBs). So software using UBI to access flash sees a device providing a simple set of sequential blocks which apparently do not move. In fact, when an LEB is rewritten, the new data will be placed into a different location on the physical device, but the upper layers know nothing about it. So UBI makes problems like wear leveling and bad block avoidance go away for the upper layers. UBI also takes care of running time-consuming erase operations in the background when possible so that upper layers need not wait when writing a block.

One little problem with UBI is that the logical-to-physical mapping information is stored in the header of each erase block. So when the UBI layer initializes a flash device, it must read the header from every block to build the mapping table in memory; this operation clearly takes time. For 1GB flash devices, this initialization overhead is tolerable; in the future, when we'll be booting our laptops with terabyte-sized flash drives in them, the linear scan will be a problem. The UBIFS developers are aware of this issue, but believe that it can be solved at the UBI level without affecting the higher-level filesystem code.
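
The two UBI behaviours described above (the LEB-to-PEB table rebuilt by reading every block header, and rewrites landing on a different physical block), as an added, simplified model that is not UBI's code or its on-flash format. The header fields, the block counts and the "least-erased free block" selection rule are assumptions made for this illustration.

```c
#include <stdint.h>

#define NPEB     8      /* physical erase blocks on the modelled device */
#define NLEB     4      /* logical erase blocks exposed to the upper layer */
#define UNMAPPED (-1)

/* Model of the per-block header: which LEB lives here, and how worn it is. */
struct peb_hdr {
    int      leb;
    uint32_t erase_count;
};

static struct peb_hdr flash[NPEB];   /* the "device" */
static int leb_to_peb[NLEB];         /* in-memory translation table */
static unsigned header_reads;        /* cost of the last attach */

/* Constructed initial state: LEBs 3..0 stored in PEBs 0..3, the rest free. */
void flash_init(void)
{
    for (int p = 0; p < NPEB; p++) {
        flash[p].leb = (p < NLEB) ? NLEB - 1 - p : UNMAPPED;
        flash[p].erase_count = 0;
    }
}

/* Attach: the table exists only in the headers, so every PEB must be read. */
void ubi_attach(void)
{
    for (int l = 0; l < NLEB; l++)
        leb_to_peb[l] = UNMAPPED;
    header_reads = 0;
    for (int p = 0; p < NPEB; p++) {
        header_reads++;
        if (flash[p].leb != UNMAPPED)
            leb_to_peb[flash[p].leb] = p;
    }
}

/* Rewrite an LEB: data goes to the least-erased free PEB, the old PEB is
 * erased and returned to the free pool. Returns the new PEB, or -1. */
int ubi_leb_write(int leb)
{
    int best = -1, old;

    if (leb < 0 || leb >= NLEB)
        return -1;
    for (int p = 0; p < NPEB; p++) {
        if (flash[p].leb != UNMAPPED)
            continue;
        if (best < 0 || flash[p].erase_count < flash[best].erase_count)
            best = p;
    }
    if (best < 0)
        return -1;                       /* no free block available */

    old = leb_to_peb[leb];
    flash[best].leb = leb;               /* new header records the mapping */
    leb_to_peb[leb] = best;
    if (old != UNMAPPED) {
        flash[old].leb = UNMAPPED;       /* the erase wipes the old header */
        flash[old].erase_count++;
    }
    return best;
}
```

Repeatedly rewriting one LEB in this model rotates it through the free blocks, and a fresh attach recovers the current mapping at a cost of one header read per PEB regardless of how few blocks are in use.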

By using UBI, the UBIFS developers are able to stop worrying about some aspects of flash-based filesystem design. Other problems remain, though. For example, the large erase blocks provided by flash devices require filesystems to track data at the sub-block level and to perform occasional garbage collection: coalescing useful information into new blocks so that the remaining "dead" space can be reclaimed. Garbage collection, along with the potential for blocks to turn bad, makes space management on flash devices tricky: freeing space may require using more space first, and there is no way to know how much space will actually become available until the work has been done.

In the case of UBIFS, space management is an even trickier problem for a couple of reasons. One is that, like a number of other flash filesystems, UBIFS performs transparent compression of the data. The other is that, unlike JFFS2, UBIFS provides full writeback support, allowing data to be cached in memory for some time before being written to the physical media. Writeback gives large performance improvements and reduces wear on the device, but it can lead to big trouble if the filesystem commits to writing back more data than it actually has the space to store. To deal with this problem, UBIFS includes a complex "budgeting" layer which manages outstanding writes with pessimistic assumptions on what will be possible.

Like LogFS, UBIFS uses a "wandering tree" structure to percolate changes up through the filesystem in an atomic manner. UBIFS also uses a journal, though, to minimize the number of rewrites to the upper-level nodes in the tree.

The latest UBIFS posting raised questions about how it compares with LogFS. The resulting discussion was ... not entirely technical, but a few clear points came out. UBIFS is in a more complete state and appears to perform quite a bit better at this time. LogFS is a lot less code, avoids the boot-time linear scan of the device, and is able to work (with some flash awareness) through an FTL. Which is better is not a question your editor is prepared to answer at this time; what does seem clear is that the growing competition between the two projects has the potential to inspire big improvements on both sides in the near future.

Where 2.6.25 came from

By Jonathan Corbet
April 2, 2008
The Linux Foundation has just published a white paper, written by Greg Kroah-Hartman, Amanda McPherson, and your editor, reviewing the origins of the code merged into the kernel from 2.6.11 through 2.6.24. As LWN readers know, the 2.6.25 kernel is getting close to release. So this seems like as good a time as any to look at what happened with the process in this release cycle.

As of this writing, 12,269 individual changesets have been merged for 2.6.25 - a new record. That beats the previous record (2.6.24, with a mere 10,353 changesets) by almost 2,000. There were 1,174 individual developers involved with 2.6.25, 419 of whom contributed one single patch. All told, those developers worked for 159 employers (that your editor could identify). The changes added 766,979 lines of code and removed 399,791, for a total growth of 367,188 lines.

Here is an updated version of a plot that your editor has been fond of showing during talks in recent years:

[Kernel lines-changed plot]

This plot shows a cumulative count of lines changed over time, with kernel release dates added in. The effects of the merge window policy can be seen in the stair-step appearance of the plot. The steps appear to be getting bigger, but the time between releases has also increased slightly, so the overall rate of change remains roughly constant. It is a high rate, with over five million lines changed - well over half the total - in the last two years.

So who did this work? Here is the traditional table of the most active developers in the 2.6.25 series:

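Most active 2.6.25 developers

By changesets

| Developer | Changesets | Share |
|---|---|---|
| Bartlomiej Zolnierkiewicz | 304 | 2.5% |
| Patrick McHardy | 219 | 1.8% |
| Adrian Bunk | 212 | 1.7% |
| Ingo Molnar | 207 | 1.7% |
| Paul Mundt | 204 | 1.7% |
| Greg Kroah-Hartman | 171 | 1.4% |
| Jesper Nilsson | 166 | 1.4% |
| Thomas Gleixner | 164 | 1.3% |
| Pavel Emelyanov | 155 | 1.3% |
| Harvey Harrison | 148 | 1.2% |
| Herbert Xu | 136 | 1.1% |
| Mauro Carvalho Chehab | 136 | 1.1% |
| Roland McGrath | 134 | 1.1% |
| David Woodhouse | 134 | 1.1% |
| Al Viro | 132 | 1.1% |
| Michael Krufky | 128 | 1.0% |
| Glauber Costa | 127 | 1.0% |
| David S. Miller | 112 | 0.9% |
| Andrew Morton | 109 | 0.9% |
| Takashi Iwai | 104 | 0.8% |

By changed lines

| Developer | Lines | Share |
|---|---|---|
| Jesper Nilsson | 34407 | 3.7% |
| David Howells | 29733 | 3.2% |
| Eliezer Tamir | 26153 | 2.9% |
| Adrian Bunk | 21998 | 2.4% |
| Kumar Gala | 19753 | 2.2% |
| Paul Mundt | 18918 | 2.1% |
| Jiri Slaby | 18002 | 2.0% |
| Glenn Streiff | 16597 | 1.8% |
| Auke Kok | 13939 | 1.5% |
| David Gibson | 11255 | 1.2% |
| Michael Chan | 11254 | 1.2% |
| Ingo Molnar | 10679 | 1.2% |
| James Bottomley | 9907 | 1.1% |
| Christoph Hellwig | 9784 | 1.1% |
| Mauro Carvalho Chehab | 9332 | 1.0% |
| Bartlomiej Zolnierkiewicz | 9108 | 1.0% |
| Thomas Gleixner | 9104 | 1.0% |
| Patrick McHardy | 8563 | 0.9% |
| Michael Krufky | 8195 | 0.9% |
| Takashi Iwai | 7825 | 0.9% |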

There are some familiar names on this list, but also some new ones. Bartlomiej Zolnierkiewicz contributed more changesets than any other developer; his work is contained entirely within the IDE subsystem. Patrick McHardy works in the networking area, mostly (but not exclusively) with the netfilter subsystem. Adrian Bunk continues to make small fixes all over the tree and to relentlessly hunt down unused code for removal. Ingo Molnar remains busy in his new role as one of the x86 maintainers; scheduler work also accounts for a number of his changes. Paul Mundt maintains the SuperH architecture.

The picture is a little different when one considers how many lines of code were changed. Jesper Nilsson's work was done within the CRIS architecture. David Howells works all over the tree; his largest contribution was the addition of the MN10300 architecture code. Eliezer Tamir contributed the bnx2x (Broadcom Everest) network driver, and Kumar Gala works with the PowerPC architecture.

There is relatively little change in the lists of employers associated with all of this work (please remember that the numbers associated with employers are necessarily approximate):

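Most active 2.6.25 employers

By changesets

| Employer | Changesets | Share |
|---|---|---|
| (None) | 1918 | 15.6% |
| Red Hat | 1562 | 12.7% |
| (Unknown) | 1232 | 10.0% |
| Novell | 826 | 6.7% |
| IBM | 758 | 6.2% |
| Intel | 566 | 4.6% |
| SWsoft | 266 | 2.2% |
| Oracle | 250 | 2.0% |
| Astaro | 219 | 1.8% |
| (Academia) | 218 | 1.8% |
| Renesas Technology | 217 | 1.8% |
| Movial | 213 | 1.7% |
| Axis Communications | 166 | 1.3% |
| linutronix | 166 | 1.3% |
| Freescale | 132 | 1.1% |
| Qumranet | 127 | 1.0% |
| Google | 124 | 1.0% |
| Analog Devices | 121 | 1.0% |
| SGI | 118 | 1.0% |
| (Consultant) | 111 | 0.9% |

By lines changed

| Employer | Lines | Share |
|---|---|---|
| (None) | 132117 | 14.4% |
| (Unknown) | 117993 | 12.8% |
| Red Hat | 103188 | 11.2% |
| IBM | 59249 | 6.4% |
| Freescale | 52336 | 5.7% |
| Intel | 46466 | 5.1% |
| Novell | 41790 | 4.5% |
| Axis Communications | 39382 | 4.3% |
| Broadcom | 37789 | 4.1% |
| Renesas Technology | 23704 | 2.6% |
| Movial | 22327 | 2.4% |
| Hansen Partnership | 12076 | 1.3% |
| Marvell | 11661 | 1.3% |
| Oracle | 11214 | 1.2% |
| linutronix | 10649 | 1.2% |
| Astaro | 10167 | 1.1% |
| (Consultant) | 9342 | 1.0% |
| SWsoft | 7849 | 0.9% |
| MontaVista | 7517 | 0.8% |
| (Academia) | 7353 | 0.8% |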

As usual, one can also look at who applies a Signed-off-by header to code for which they are not the author. These headers illustrate the chain of trust which gets code into the kernel. For 2.6.25, the top approvers of patches are:

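Sign-offs in the 2.6.25 kernel

By developer

| Developer | Sign-offs | Share |
|---|---|---|
| Andrew Morton | 1513 | 12.2% |
| David S. Miller | 1444 | 11.7% |
| Ingo Molnar | 1153 | 9.3% |
| Thomas Gleixner | 991 | 8.0% |
| John W. Linville | 614 | 5.0% |
| Jeff Garzik | 468 | 3.8% |
| Mauro Carvalho Chehab | 447 | 3.6% |
| Greg Kroah-Hartman | 345 | 2.8% |
| Paul Mackerras | 307 | 2.5% |
| James Bottomley | 306 | 2.5% |
| Jaroslav Kysela | 292 | 2.4% |
| Linus Torvalds | 249 | 2.0% |
| Len Brown | 220 | 1.8% |
| Russell King | 197 | 1.6% |
| Takashi Iwai | 170 | 1.4% |
| Avi Kivity | 167 | 1.4% |
| Bryan Wu | 132 | 1.1% |
| Herbert Xu | 123 | 1.0% |
| Roland Dreier | 121 | 1.0% |
| Kumar Gala | 107 | 0.9% |

By employer

| Employer | Sign-offs | Share |
|---|---|---|
| Red Hat | 4185 | 33.8% |
| Google | 1516 | 12.2% |
| linutronix | 994 | 8.0% |
| (None) | 883 | 7.1% |
| IBM | 689 | 5.6% |
| Novell | 611 | 4.9% |
| (Unknown) | 534 | 4.3% |
| Intel | 468 | 3.8% |
| Hansen Partnership | 306 | 2.5% |
| Linux Foundation | 254 | 2.1% |
| (Consultant) | 242 | 2.0% |
| Qumranet | 170 | 1.4% |
| Oracle | 126 | 1.0% |
| SGI | 126 | 1.0% |
| Freescale | 121 | 1.0% |
| Cisco | 121 | 1.0% |
| Analog Devices | 115 | 0.9% |
| Astaro | 107 | 0.9% |
| Renesas Technology | 82 | 0.7% |
| Movial | 78 | 0.6% |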

Some of these developers are quite busy; Andrew Morton is signing off more than twenty patches every day - weekends included. The gatekeepers to the kernel continue to work for a relatively small number of companies, with the top ten employers accounting for over 75% of all non-author signoffs.

All told, all these numbers paint a picture of a development process which is healthy and continues to set a fast pace. It incorporates work from an increasingly large community of developers who are able to work in a highly cooperative manner despite the fact that their employers are fierce competitors. There are very few projects like it.

(Thanks to Greg Kroah-Hartman for his help in the creation of these statistics).

Patches and updates

Kernel trees

Linus Torvalds: Linux 2.6.25-rc8
Andrew Morton: 2.6.25-rc8-mm1
Oliver Pinter: v2.6.22.21-op1-rc2

Page editor: Jonathan Corbet

Distributions

News and Editorials

Debian Project Leader Election 2008

By Rebecca Sobol
April 2, 2008
The Debian Project Leader election is well underway. The debate is over and the first call for votes has gone out. If it seems like the process is going faster this year, that's because it is. Last year a constitutional amendment to reduce the length of the DPL election process was adopted by the developers.

There were three candidates nominated for this year's election: Marc Brockschmidt, Raphaël Hertzog and Steve McIntyre. Information about this election can be found on this year's vote page.

Steve McIntyre has been a Debian Developer for more than 11 years. During that time he acquired a wide range of packaging experience, worked on creating the official CDs (and DVDs) and hosting machines used by Debian.

Steve also served as Assistant Project Leader under Anthony Towns, so he has some idea of what the job entails. This is not the first time he's run for DPL either. In addition to this year's platform, his 2006 and 2007 platforms are also available.

While Steve has no plans to appoint a DPL team, he is willing to delegate tasks when appropriate. His goals include improving communications within the project and improving the workflow, getting people to ask for help when they need it or to step down when they can't devote enough time to the job.

"In my opinion, a key part of working effectively is honesty. We can all suffer from a lack of time to do the jobs that we've promised to do. After all, real life has a nasty habit of intruding on our so-called "spare" time. So long as we don't let things delay too far, we can cope and still contribute. But at some point, we need to be more honest with ourselves and actually admit that we can't continue with the jobs that we've promised to do. It's a hard thing to do, but in a friendly community where we're all working together towards a common goal there should be no shame in asking for help."

Raphaël Hertzog is also no stranger to DPL elections. He ran in 2002 and 2007, in addition to this year.

Raphaël has proposed a small team of two other individuals (Moritz Muehlenhoff and Lucas Nussbaum) to help him with the DPL duties. His goals include making Debian more visible and recruiting more contributors.

"While the number of packages in Debian increased a lot since 2001, the number of active developers stayed the same. We could definitely use more developers to continue to increase the quality of our distribution (teams with hundreds of bugs are quite common). We made a first step with the Debian Maintainer proposal, but we can do more. I'm not saying that we should give upload rights to less skilled people: we don't want to compromise on quality."

He would also like to improve the core teams such as keyring managers, NM/DAM, ftpmasters, and the press team. Unofficial services that have proved useful (mentors.debian.net and backports.org) should be integrated officially into Debian.

Marc Brockschmidt has been a Debian Developer since 2004 and has been involved in many parts of Debian since then, including helping with the New Maintainer process, as an AM to dozens of people, at the NM Frontdesk and working with the release team. He also helps to manage a network of hosts used for autobuilding, porting and other Debian-related services. Improving communications is a popular goal for DPL candidates, but Marc has some thoughts on that:

"Before writing this platform, I had a look at the platforms of the past years and was amazed that nearly everyone talked about "improving communication", usually meaning that flaming shouldn't be allowed. I don't think this is possible - we can hardly replace all involved developers by cuddly stuffed animals. Good software developers have a strong opinion about topics dear to their heart, two good developers usually have two different opinions. Discussion, even bordering on flames, is OK - as long as it leads to a result."

He would like to see more "Bits from ..." mails on debian-devel-announce for better internal communication. He would also like to see better presentation of Debian to outsiders. Like Raphaël, he would like backports.org to become an official Debian service. Summer of Code has been useful in bringing together some cool ideas with people who can work on them. Marc would like to see that wiki page remain active throughout the year. Marc admits that he doesn't have as much free time as the DPL will take, and plans to delegate heavily, especially finding others to present Debian to the rest of the world at conferences.

Voting for these candidates will be open until April 13 and the term for the new DPL will start soon after, on April 17, 2008.

New Releases

Gentoo 2008.0_beta1 unleashed

The Gentoo project has announced the release of the first beta for Gentoo Linux 2008.0. "You can help make 2008.0 amazing! Test out this beta and report any functionality issues you encounter. Since this is the first beta, we're looking only for bugs in functionality, not bugs in appearance such as desktop backgrounds or other artwork. We expect to release a second beta once your testing has helped us fix problems with this first beta." Get 2008.0_beta1 from the usual places.

Fedora Unity releases updated Fedora 8 Re-Spin

The Fedora Unity Project has announced the release of new ISO Re-Spins (DVD and CD Sets) of Fedora 8. These Re-Spin ISOs are based on the officially released Fedora 8 installation media and include all updates released as of March 31st, 2008. The ISO images are available for i386, x86_64 and PPC architectures via Jigdo.

Fedora Rawhide 20080328 Snapshot Released

Fedora has released a Rawhide (development branch) snapshot in ISO and Live forms. "The Live images were actually made from yesterday's rawhide as the attempt from today's rawhide overflowed the CD size. The CDs and DVDs were made with today's rawhide plus an updates.img inserted into them to resolve some known issues we found in testing this morning." Available only by bittorrent.

Distribution News

Fedora

Fedora Mirrors Wanted

The Fedora project is looking for some new mirrors as they prepare for the Fedora 9 release. Additional public mirrors would be particularly useful in areas where there are large numbers of users, but few mirrors: China, India, Africa, and Brazil among them.

Announcement list for Fedora Translation Community

Fedora has a new announce list for the Localization Project. The email address is fedora-trans-announce@redhat.com - or use the mailman interface to join.

NOTICE: fedora-triage-list is being re-purposed

The recently relaunched Fedora BugZappers will be conducting their business on fedora-test-list@redhat.com. In its previous incarnation BugZappers email used fedora-triage-list. Going forward the fedora-triage-list will be used for notifications of mass changes. Click below for additional information.

And now for something completely different...

Fedora's latest Special Interest Group (SIG) is the Python SIG. "Regardless of whether you are a newbie or a grizzled veteran, a Sunday dabbler or a hardcore hacker, or merely curious what this is all about, all are welcome." Sign up for the mailing list and join the discussion.

Fedora Board Recap 2008-MAR-25

Click below for a recap of the March 25 meeting of the Fedora board. Topics include a followup to previous business, post-release updates of custom spins, trademark licensing, Fedora accounts, and more.

SUSE Linux and openSUSE

openSUSE Board election proposal

The current openSUSE board has announced a proposal for future board elections. There is an open comment period of two weeks, beginning March 31, before the board will vote on the proposal. Click below to view the proposal.

Ubuntu family

UbuntuHCL.org launched

UbuntuHCL.org is a comprehensive hardware database for Ubuntu users. You will find user submitted articles and reviews with comments, RSS feeds of the reviews and articles, enhanced user account security, a new user friendly layout and better search capabilities. Check out new hardware before you buy, and let other users know what works for you.

Standing down from the technical board

Matthew Garrett has resigned from his position as the community representative on the Ubuntu technical board. "However, as some of you possibly know, I've recently agreed to take a position with Red Hat. While I don't see this as being incompatible with being part of the Ubuntu community (and I certainly don't want to set a precedent!), this is likely to reduce the amount of time I have to be involved in Ubuntu. Without being an active member of the Ubuntu community, it's difficult for me to claim to represent it - and so, as a result, I will be standing down from the technical board in order to allow the election of a new community member."

New Distributions

Myrinix

Myrinix - Digital Home Edition is a Debian- and sidux-based live CD/DVD. Using Myrinix you can connect a High Definition Plasma TV or a big LCD screen to a central server that can record and play DVD or internet. Myrinix 2007-08/4 live CD/DVD is currently available for download.

Distribution Newsletters

Fedora Weekly News Issue 126

The Fedora Weekly News for March 24, 2008 looks at the announcements of "F9 Beta release announcement", "Rawhide 20080328 Snapshot", "FUDCon Lodging", "Fedora Python SIG" and "Fedora Updates System", Planet Fedora articles "OS Wrangler and Server Developers still needed", "Reviewing toolchains -- publican and /cvs/docs", "NetworkManager and mobile broadband", "Persistence of vision" and "Seek ye students", and several other topics.

Full Story (comments: none)

OpenSUSE Weekly News/16

This edition of the openSUSE Weekly News looks at SoC application deadline extended, People of openSUSE: Marco Michna, openSUSE Board election proposal, openSUSE IRC - call for participation, Calling booth volunteers! LugRadio Live, LinuxFest Northwest, Packaging Day II, and more.

Comments (none posted)

Ubuntu Weekly Newsletter #84

The Ubuntu Weekly Newsletter for March 29, 2008 covers new MOTUs, Ubuntu 6.10 End-of-Life, Xubuntu refocuses, Ubuntu countdown graphics, Launchpad 1.2.3, Launchpad logo contest closing, Ubuntu UK Podcast #2, Reside@HOME: Linux Health Care, PWN To OWN (Ubuntu wins), and much more.

Full Story (comments: none)

Full Circle #11 - out now!

Full Circle Magazine, the Independent Magazine for the Ubuntu Linux Community, has announced the release of issue #11. Go to this page to download the issue in PDF.

Full Story (comments: none)

DistroWatch Weekly, Issue 246

The DistroWatch Weekly for March 31, 2008 is out. "Good things come in a small package and nowhere is this more evident than in the case of SliTaz GNU/Linux 1.0 - a new mini Linux distribution that packs a full desktop with many popular applications, utilities and web development tools into a 25 MB live CD. Complete with its own package management system, a text-mode installer and a remastering utility, SliTaz has to be one of the most impressive Linux distributions in recent memory. How can they pack so much into so little space? Read on for a first-look review of the project's 1.0 release. In other news, a Norwegian hardware site interviews Arch Linux project leader Aaron Griffin, Automatix announces the end of development of the popular software installation tool, Klaus Knopper releases the new KNOPPIX 5.3.1, and a nostalgic reader retraces the steps of installing Debian GNU/Linux 1.3 on today's hardware."

Comments (none posted)

Newsletters and articles of interest

Automatix development comes to an end (DesktopLinux)

DesktopLinux reports that development of Automatix is over. "Love it or hate it, anyone who runs Ubuntu has at least heard of Automatix. This program made it possible for any Ubuntu user to easily add a host of new programs and media codices to a desktop. Now, however, Automatix's developers are being pulled away to other projects, so they have announced that they will no longer be working on their popular software installation program."

Comments (1 posted)

Interviews

Arch Linux: Popular KISS distro (Hardware.no)

Hardware.no has an interview with Arch Linux developer Aaron Griffin. "I originally began using Arch back in 2003. You could say I grew up on Arch, as most of my heavy technical knowledge was learned on an Arch box. Later on, I was asked to come on board the core development team, and became the lead developer for pacman, as well as developing tools such as mkinitcpio."

Comments (none posted)

People of openSUSE: Marco Michna

People of openSUSE introduces Marco Michna. "When did you join the openSUSE community and what made you do that? Unfair question but let's answer it :-) I have been involved in the discussions from the idea to the execution. It was a nice process and good to see that top managers cared. I'm a member of the "community" since the first day I touched a S.u.S.E. system and always will be! My blood is green!"

Comments (none posted)

Page editor: Rebecca Sobol

Development

SDCC, the Small Device C Compiler

By Forrest Cook
April 1, 2008

SDCC is a multi-platform, multi-target C cross compiler that was originally written by Sandeep Dutta and has been further improved by a number of other people:

SDCC is a retargetable, optimizing ANSI-C compiler that targets the Intel 8051, Maxim 80DS390, Zilog Z80 and the Motorola 68HC08 based MCUs. Work is in progress on supporting the Microchip PIC16 and PIC18 series. SDCC is Free Open Source Software, distributed under GNU General Public License (GPL). Some of the features include:
  • ASXXXX and ASLINK, a Freeware, retargetable assembler and linker.
  • extensive MCU specific language extensions, allowing effective use of the underlying hardware.
  • a host of standard optimizations such as global sub expression elimination, loop optimizations (loop invariant, strength reduction of induction variables and loop reversing), constant folding and propagation, copy propagation, dead code elimination and jump tables for 'switch' statements.
  • MCU specific optimizations, including a global register allocator.
  • adaptable MCU specific backend that should be well suited for other 8 bit MCUs
  • independent rule based peep hole optimizer.
  • a full range of data types: char (8 bits, 1 byte), short (16 bits, 2 bytes), int (16 bits, 2 bytes), long (32 bit, 4 bytes) and float (4 byte IEEE).
  • the ability to add inline assembler code anywhere in a function.
  • the ability to report on the complexity of a function to help decide what should be re-written in assembler.
  • a good selection of automated regression tests.

The SDCC package components include the sdcc compiler, the sdcpp C preprocessor, assemblers and linkers for the supported target processors, a simulator for the 8051 processor, the sdcdb source debugger and the packihx Intel hex file packing tool.

Version 2.8.0 of SDCC was announced on March 30, 2008; it includes the following changes:

  • added predefined preprocessor macro SDCC_REVISION holding SDCC's subversion revision number
  • added preprocessor macros SDCC_PARMS_IN_BANK1, SDCC_FLOAT_REENT and SDCC_INT_LONG_REENT
  • sdcpp synchronized with GNU cpp 4.2.3
  • multiple infiles for sdcclib
  • added option --acall-ajmp: replaces lcall/ljmp with acall/ajmp
  • added support for many PIC devices
  • sdcc executables on Mac OS X are built as universal binaries, so that they can run on both ppc and i386 Mac OS X
  • added --Werror command line option
  • Windows installer enhancements
  • generation of cdb debug info for as-z80 and link-z80
  • generation of cdb debug info for variables in pdata for mcs51
  • Tail call optimization for functions that take no parameters on Z80
  • Improved multiplication of unsigned chars on Z80
  • ISO/IEC 9899 standard compliant integer promotion of integer function arguments if --std-cXX is defined in command line

Numerous feature requests and bug fixes are included as well.

Your author downloaded SDCC 2.8.0 as a .tar.bz2 file onto a machine running Ubuntu 7.04 "Feisty Fawn". The file was uncompressed and untarred. The configure script was run and one package dependency issue was resolved by installing flex. The second run of configure worked, as did the make and make install steps. Running sdcc -v produced the expected result: SDCC : mcs51/gbz80/z80/avr/ds390/pic16/pic14/TININative/xa51/ds400/hc08 2.8.0 #5117 (Apr 1 2008) (UNIX).

A few test cases were compiled and assembled using the default MCS51 target, then using the -mz80 switch to produce output for a Z80 processor. All of the tests seemed to work, and produced readable Intel Hex files that appear to be suitable for movement to a development platform. Your author recognized the hex C30001 at the beginning of the code as a Z80 jump instruction (activate the wayback machine). While this is a long way from developing a working embedded application on real hardware using SDCC, it does show that the system builds and is stable enough to consider using as a development platform.
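What the author did by eye can be scripted. The following added example (not from the article or the SDCC project) parses Intel HEX records, verifies each checksum, and reports the target of a Z80 JP nn instruction (opcode C3, little-endian operand) at address 0. The sample records are constructed, not real SDCC output, and only record types 00 (data) and 01 (end of file) are handled.

```python
"""Parse Intel HEX text, verify checksums, decode a leading Z80 JP nn."""

# Constructed sample, not real SDCC output: a jump at 0x0000 to 0x0100,
# three bytes of code at 0x0100, then the end-of-file record.
SAMPLE_HEX = """\
:03000000C3000139
:030100003E2A761E
:00000001FF
"""

REC_DATA, REC_EOF = 0x00, 0x01
Z80_JP_NN = 0xC3  # JP nn: opcode byte followed by a 16-bit little-endian address


def parse_record(line):
    """Return (record_type, address, data) for one ':LLAAAATT<data>CC' line."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record does not start with ':'")
    try:
        raw = bytes.fromhex(line[1:])
    except ValueError:
        raise ValueError("record contains non-hex characters") from None
    if len(raw) < 5:
        raise ValueError("record too short")
    count = raw[0]
    if len(raw) != count + 5:
        raise ValueError("length field does not match record size")
    # The checksum byte makes the sum of all record bytes zero modulo 256.
    if sum(raw) & 0xFF != 0:
        raise ValueError("checksum mismatch")
    address = int.from_bytes(raw[1:3], "big")
    return raw[3], address, raw[4:4 + count]


def load_image(text):
    """Build an {address: byte} map, rejecting malformed or ambiguous files."""
    image = {}
    saw_eof = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if saw_eof:
            raise ValueError(f"line {lineno}: data after end-of-file record")
        try:
            rectype, address, data = parse_record(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if rectype == REC_EOF:
            saw_eof = True
        elif rectype == REC_DATA:
            for offset, value in enumerate(data):
                where = address + offset
                if where in image:
                    raise ValueError(
                        f"line {lineno}: overlapping data at {where:#06x}")
                image[where] = value
        else:
            # Extended address records (types 02-05) are out of scope here.
            raise ValueError(
                f"line {lineno}: unsupported record type {rectype:#04x}")
    if not saw_eof:
        raise ValueError("missing end-of-file record")
    return image


def reset_jump_target(image):
    """Return the JP nn target at address 0, or None if no such jump is there."""
    if image.get(0) != Z80_JP_NN or 1 not in image or 2 not in image:
        return None
    return image[1] | (image[2] << 8)


if __name__ == "__main__":
    img = load_image(SAMPLE_HEX)
    target = reset_jump_target(img)
    print(f"{len(img)} bytes loaded; reset vector jumps to {target:#06x}")
```

Rejecting bad checksums, overlapping data and trailing records matters when the hex file is the artifact that gets flashed: a file that loads differently in two tools is not one you can review.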

The Z80 and mcs51 microprocessors have been around since the late 1970s; newer versions are still being produced. The Microchip PIC microcontroller family and the Atmel AVR family are currently very popular microcontroller platforms. The AVR is the processor used in the recently featured Arduino open hardware microprocessor design, although that uses a different development system.

SDCC allows microprocessor applications to be written in C, and that greatly expands the range of problems that can be solved by small embedded machines. The field of C cross-compilers has traditionally been dominated by proprietary Windows-based software. SDCC allows one to develop embedded microprocessor designs using open-source software under Linux.

Comments (9 posted)

System Applications

Backup Software

GPB: version 0.03 (SourceForge)

Version 0.03 of GPB has been announced. "GPB can be a ready to use out of the box backup solution or it can be the foundation for you to build and improve upon. The core and the power of GPB lies in the use of Bash scripting. I just released version 0.03 of the GPB backup software. This version is a cleanup of the 0.02 code."

Comments (none posted)

Database Software

Postgres Weekly News

The March 30, 2008 edition of the Postgres Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Interoperability

Samba 4.0.0alpha3 announced

Version 4.0.0alpha3 of Samba has been announced. "Samba 4 is the ambitious next version of the Samba suite that is being developed in parallel to the stable 3.0 series. The main emphasis in this branch is support for the Active Directory logon protocols used by Windows 2000 and above. Samba 4 is currently not yet in a state where it is usable in production environments."

Full Story (comments: none)

Mail Software

libdomainkeys: 0.69 released (SourceForge)

Version 0.69 of libdomainkeys has been announced. The software is: "A general purpose set of tools, C library and CPAN modules to help DomainKeys developers. The goal is that these tools and library can be easily adopted by all MTAs, LDAs and possibly MUAs. This project is about conforming to the DomainKeys standard. Here is a maintenance release. Nothing major, just some old patches that were sent in and a fix for a policy bug."

Comments (none posted)

Networking Tools

PowerDNS Recursor 3.1.5 released

Version 3.1.5 of PowerDNS Recursor has been announced. "We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to 'spoof' previous versions of the PowerDNS Recursor into accepting possibly malicious data. Details can be found on http://www.trusteer.com/docs/powerdnsrecursor.html. It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune."

Full Story (comments: none)

Twisted 8.0 announced

Version 8.0 of the Twisted networking framework has been released by Twisted Matrix Laboratories. "Twisted 8.0 is a major feature release, with several new features and a great number of bug fixes. Some of the highlights follow. - The IOCP reactor is now much improved and many bugs have been resolved. - Twisted is now easy_installable. - Many improvements were made to Trial, Twisted's unit testing system. - A new memcache client protocol implementation was added. - So much more!"

Full Story (comments: none)

Security

OpenSSH 4.9 released

Version 4.9 of OpenSSH has been announced; it includes a number of new features, bug fixes and the following security fix: "Disable execution of ~/.ssh/rc for sessions where a command has been forced by the sshd_config ForceCommand directive. Users who had write access to this file could use it to execute arbitrary commands. This behaviour was documented, but was an unsafe default and an extra hassle for administrators."

Full Story (comments: none)

Desktop Applications

Audio Applications

Ardour 2.4 released

Version 2.4 of Ardour, a multi-track audio workstation, has been announced. "Well, it's over a month later than expected, but Ardour 2.4 is finally released. Right now, there is a source tarball and an Intel native version (details on IRC). A respectable list of new features, many small improvements and an important set of bug fixes make up the news for this one."

Comments (none posted)

Desktop Environments

xmonad 0.7 released

Version 0.7 of xmonad has been announced; this release includes improved GNOME support and more. "xmonad is a tiling window manager for X. Windows are arranged automatically to tile the screen without gaps or overlap, maximising screen use. Window manager features are accessible from the keyboard: a mouse is optional. xmonad is extensible in Haskell, allowing for powerful customisation. Custom layout algorithms, key bindings and other extensions may be written by the user in config files. Layouts are applied dynamically, and different layouts may be used on each workspace. Xinerama is fully supported, allowing windows to be tiled on several physical screens."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE 4.0.3 Released

KDE 4.0.3 is out. This is primarily a maintenance release, but a number of improvements and optimizations have been folded in as well. See the changelog for details.

Full Story (comments: 8)

Digikam Plans for KDE 4 (KDE.News)

KDE.News looks at what's happening with Digikam. "There are many improvements including a cleaner user interface, improved performance, a new thumbnail bar, XMP support, ability to run on Mac OS X, GPS tagging using Google Maps, multiple album collections supporting collections on network shares and removable media, and auto gamma and white balance with RAW. Digikam is also the first open source photography tool with 16-bit colour depth support." Lots of screenshots included.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Desktop Publishing

Inkscape 0.46 released

Inkscape 0.46 is available; this release has a long list of new features, many of which were apparently developed by 2007 Google Summer of Code participants. "Inkscape can now directly import vector PDF files, and PDF export is greatly improved. Thus, Inkscape 0.46 provides an easy, open source tool for editing and creating PDF documents."

Full Story (comments: 1)

Electronics

gEDA Binary Suite v0.0.2 released

Version 0.0.2 of the gEDA Binary Suite, a collection of electronic design tools, has been announced. "I am pleased to announce the second official release (v0.0.2) of the gEDA Binary Suite for x86 GNU/Linux. I fixed some reported installation issues (thanks for all the reports) and I have linked this release on the gEDA download page."

Comments (none posted)

Encryption Software

GnuPG 1.4.9 released

Version 1.4.9 of the GnuPG encryption package has been announced; it features a fix for a possible security vulnerability that was introduced in version 1.4.8. "Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build and also better portable. In contrast to GnuPG-2 (e.g. version 2.0.8) it comes with no support for S/MIME or other tools useful for desktop environments. Fortunately you may install both versions alongside on the same system without any conflict."

Full Story (comments: none)

Instant Messaging

Akonadi Sprint Readies for KDE 4.1 (KDE.News)

KDE.News covers a recent sprint that was aimed at improving the Akonadi PIM framework. "Last weekend a group of developers gathered in Berlin at the KDAB office for an Akonadi sprint. The goal was simple, getting Akonadi in shape for the first public release of Akonadi when KDE 4.1 is released. In the couple of days they met, they made an amazing amount of 270 modifications to the KDE repository, and worked on average from 10am to 3am to make a big step into reaching that goal."

Comments (none posted)

Mapping Software

eWorld: 0.5 beta released (SourceForge)

Version 0.5 beta of eWorld has been announced. "eWorld is a framework to import mapping data from providers, such as OpenStreetMap.org (OSM), visualize it, edit and enrich it with events or annotational attributes and pass it to traffic simulators, such as SUMO or VanetMobiSim. The old eWorld team is proud to announce its last release: 0.5 beta. Many bugs were fixed and eWorld has a new, shiny visualizer interface to be used from other applications."

Comments (none posted)

Music Applications

Csound 5.08 released

Version 5.08 of Csound, a music synthesis system, has been announced. "The Csound team are pleased to announce that v5.08 finally made it to the download site. Largely a bug-fixing release, it does include an(other) internationalisation scheme, together with new opcodes, better line number tracking and the usual gratuitous changes."

Full Story (comments: none)

Office Suites

AbiWord v2.6.0 released

AbiWord 2.6.0 is out. See the release notes for a long list of new features, including wider language support, Gnumeric integration, collaborative real-time editing and, inevitably, an OOXML import filter.

Comments (4 posted)

OpenOffice.org 2.4 released

OpenOffice.org 2.4 is out. "Users will appreciate changes such as usability improvements in printing, and further enhancements to PDF handling (OpenOffice.org creates PDF files 'out of the box' to ISO standard). The default font is now DejaVu, which supports more languages/localisations than the previous BitStream Vera - part of a raft of localisation improvements covering languages from Hiligaynon to Quechua." See the announcement for more details on new features and improvements.

Full Story (comments: 34)

OpenOffice.org Newsletter

The March, 2008 edition of the OpenOffice.org Newsletter is out with the latest OO.o office suite articles and events.

Full Story (comments: none)

Web Browsers

Mozilla Firefox 3 Beta 5 released (MozillaZine)

MozillaZine has announced the release of Mozilla Firefox 3 Beta 5. "Mozilla Firefox 3 Beta 5 has been released for testing. The fifth beta of the next major Firefox version offers over 750 bug fixes over Beta 4, including improvements in user interface, location bar autocomplete, bookmark backup and restore, full page zoom and other new features based upon user feedback."

Comments (none posted)

Languages and Tools

BASIC

FreeBASIC: v0.18.4b released (SourceForge)

Version 0.18.4b of FreeBASIC, an open-source 32-bit compiler with MS-QuickBASIC syntax, has been announced. Changes include: "new fblite dialect, restructured installation on Linux (/usr/local), improved QB compatibility, bug fixes, bug fixes, bug fixes."

Comments (1 posted)

C

GCC 4.2.4 Status Report

The March 31, 2008 GCC 4.2.4 Status Report has been published. "The GCC 4.2 branch is open for commits under normal release branch rules. All fixes going on that branch should first have gone on trunk and 4.3 branch. GCC 4.2.4 was due around 2008-04-02, which we will miss by at least a week. No release manager did yet volunteer to handle this release."

Full Story (comments: none)

GCC 4.3.1 Status Report

The GCC 4.3.1 Status Report for March 31, 2008 has been published. "GCC 4.3.1 is due around 2008-05-05. If a workaround for the x86 direction flag issue is agreed and committed then 4.3.1-rc1 may come around a week after such a workaround is committed to the branch, with the release following about a week later subject to no problems requiring 4.3.1-rc2 to be built."

Full Story (comments: none)

Caml

Caml Weekly News

The April 1, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The March 16-22, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.

Comments (none posted)

Python

CodeInvestigator 0.8.0

Version 0.8.0 of CodeInvestigator is out with a change to the directory setting screen. "CodeInvestigator is a tracing tool for Python programs. Running a program through CodeInvestigator creates a recording. Program flow, function calls, variable values and conditions are all stored for every line the program executes. The recording is then viewed with an interface consisting of the code. The code can be clicked: A clicked variable displays its value, a clicked loop displays its iterations."

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The March 29, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Build Tools

CMake 2.6.0 Beta is ready for testing

Version 2.6.0 Beta of CMake has been announced. "Please try this version of CMake on your projects and report any issues to the list or the bug tracker ( I have added a CMake-2-6 version ). The biggest change by far is the new cmake policies." (Thanks to Alexander Neundorf).

Comments (none posted)

Editors

GNU Emacs 22.2 released

Version 22.2 of GNU Emacs has been announced. "Emacs version 22 has a wide variety of new features, including GTK+ toolkit support, enhanced mouse support, a new keyboard macro system, improved Unicode support, and drag-and-drop operation on X, plus many new modes and packages including a graphical user interface to GDB, Python mode, the mathematical tool Calc, and the remote file editing system Tramp."

Full Story (comments: 1)

Version Control

GIT 1.5.4.5 announced

Version 1.5.4.5 of the GIT distributed version control system has been announced. "Among many fixes, a notable one is a regression we introduced in 1.5.4 that changed the behaviour of "git fetch there" when you have the URL information for "there" in .git/branches/there. Such a fetch should have updated your local branch "there", but 1.5.4 and later didn't. This should fix the breakage."

Full Story (comments: none)

Miscellaneous

How Do I Make This Hard to Misuse?

Kernel hacker Rusty Russell has some thoughts on how to make APIs hard to misuse. The idea is that, in addition to being easy to use, APIs should also be made hard to misuse. "So I've created a 'best' to 'worst' list: my hope is that by putting 'hard to misuse' on one axis in our mental graphs, we can at least make informed decisions about tradeoffs like 'hard to misuse' vs 'optimal'."

Comments (29 posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Interview: Aaron Seigo, KDE Project Lead (Sirius)

Tom Callway interviews KDE's Aaron Seigo. "Aaron: In a nutshell: KDE has grown up in just about every way imaginable in the years I've had the pleasure and privilege of being a contributor. The successful maturation of the project is certainly one indicator of its success, and the fact that it has done this while the active leadership has gone through a couple of generations shows that this is likely to continue on. If anything defines KDE, it is the deep internalization of the values and goals of the group within every corner and sub-project." (Found on KDE.News)

Comments (22 posted)

Linux Unhackable At TippingPoint Contest (eFluxMedia)

While it is certainly not proof that Linux is hacker-proof, as some have reported it, the news that Linux was the only survivor of a hacking contest is a nice indication of lots of hard work that has been done to secure the OS. "The contest was in Vancouver, Canada and it had three phases: during the first day, only network attacks were allowed, but none of the laptops could be broken into remotely. In the second day, rules stated that the hacker could give instructions to a staff member. During the third day, the rules of the contest allow the installation of popular 3rd party client applications on the notebooks."

Comments (34 posted)

Trade Shows and Conferences

Asian Linux user groups aim wide (ZDNet Asia)

ZDNet Asia covers Linux user group activities in Beijing and Singapore. "The six year-old group [BLUG] which started with some 80 members, now has a membership of over 500. Its president, Frederic Muller, said he is expecting this number to double or even triple by the end of 2008, boosted in large by the group members' infectious enthusiasm."

Comments (none posted)

UK embedded conference features hands-on Linux workshop (LinuxDevices)

LinuxDevices looks forward to the sixth-annual Embedded Masterclass 2008 conference (May 8, 2008 in London and May 13, 2008 in Bristol, UK). "Aimed at professional engineers interested in real-time and embedded Linux, the workshop covers theory and hands-on practice on topics such as cross-development tools, root file systems, and kernel configuration and compilation. Other lessons include booting with u-boot, working with Busybox and Tinylogin, the separation between user and kernel space, and writing a driver to access the target board's LEDs."

Comments (none posted)

OSBC Panel Looks at the Future of the OS (eWeek)

eWeek covers an Open Source Business Conference panel discussion on the future of the operating system. "James Hughes, a vice president and fellow at Sun Microsystems, said operating systems do nothing without applications. The choice of operating systems is done by developers on the basis of how long it takes them to get their job done using that system. "So, the future of the operating system is to enable application developers to get their work done. They also want true and real support for their operating system, where someone actually answers the phone rather than just sending out e-mails to the community.""

Comments (3 posted)

Companies

Adobe joins Linux Foundation, develops Air for Linux (LinuxWorld)

LinuxWorld is reporting that Adobe has joined the Linux Foundation and released an alpha version of the Air framework for Linux. "Although the Linux Foundation hailed Adobe's arrival as 'a natural extension of its commitment to open standards and open source,' that commitment stops short of publishing source code for the Linux version of Air. Adobe's end-user license for the code explicitly forbids any attempt to 'reverse engineer, decompile, disassemble or otherwise attempt to discover the source code of the software.'"

Comments (17 posted)

With free clustering for Unbreakable Linux, Oracle goes after Red Hat (SearchEnterpriseLinux)

SearchEnterpriseLinux reports on Oracle's move to give away clustering software for its Unbreakable Linux distribution. "In an apparent competitive swipe at Red Hat Inc., Oracle Corp. announced on Wednesday, March 26, at InfoWorld's Open Source Business Conference that it would add Clusterware to its year-old Oracle Unbreakable Linux support program for all basic and premium-package customers -- and for free. By harnessing the collective processing power and storage capacity of multiple servers into a single system, Clusterware enables this system to be centrally monitored and managed."

Comments (16 posted)

Red Hat posts great 2008 fiscal year earnings (Linux-Watch)

Linux-Watch takes a look at Red Hat's 2008 fiscal year. "Anyone under the delusion that you can't make money from open source and Linux should have been on Red Hat's 2008 fiscal year earnings call on March 27. If they had been, they would have heard Red Hat executives report that the Linux giant posted net income of $76.7 million, or $0.36 per diluted share, for the year, compared with $59.9 million, or $.29 per diluted share, in the prior year."

Comments (none posted)

Reviews

One step forward: a review of GNOME 2.22 (ars technica)

ars technica reviews GNOME 2.22. "The notion of a GNOME Developer Suite was initially conceived during the GNOME 2.20 development cycle, but Anjuta 2 was not quite robust enough for inclusion at the time. Anjuta now joins Devhelp and Glade 3, adding a much-needed IDE to the suite. Although most experienced GNOME developers prefer to use text-based programmable editors like Vim and Emacs, Anjuta is very important because it reduces barriers to entry for new contributors and automates away much of the complexity associated with configuring Autotools for GNOME development."

Comments (none posted)

Miscellaneous

Ten Years Ago Today: Netscape Releases Communicator Source Code (MozillaZine)

MozillaZine takes a look at ten years of browsing. "Today marks ten years since Netscape Communications Corporation released the Netscape Communicator 5.0 source code. The source code was managed by Netscape-backed mozilla.org until 2003, and is now managed by Mozilla Foundation."

Comments (12 posted)

Another Reason Microsoft's OSP Isn't Good Enough (Groklaw)

Groklaw examines some issues with Microsoft's Open Specification Promise. "Here's an issue that affects everyone, not just FOSS developers, as explained by the Free Software Foundation South America in a long discussion of OOXML and why NBs should not approve it: It carries a number of dependencies on earlier Microsoft decisions, not all of which are part of the already-huge specification, and Microsoft's promise covers only fully-compliant implementations. But Microsoft Office isn't fully compliant with the OOXML (Office Open XML) specification, therefore those who seek interoperability with Microsoft's software won't be covered by its promise. Eek. I understand that to be saying that there are gaps in OSP coverage. You'll get documents you can't legally open unless you are using Microsoft's software, because the extensions found in Office but not in OOXML proper, so to speak, are not covered."

Comments (4 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Cairo participates in Google Summer of Code 2008

The Cairo graphics project has announced its participation in the Google Summer of Code 2008. "This is a fantastic opportunity for students to gain experience with the free-software community, work closely with experts, and also make a valuable contribution to a significant project. More than that, working with the cairo graphics library and community is a lot of fun! (And Google even pays the student a little bit.)"

Comments (none posted)

OpenMRS a participant in the 2008 Google Summer of Code (LinuxMedNews)

LinuxMedNews has announced the participation of the OpenMRS medical record system in the 2008 Google Summer of Code. "OpenMRS is excited to accept applications for the 2008 Google Summer of Code. It's the community's second year of participation in the project, which brought a dozen open source developers into the community to build facilities such as statistical patient matching algorithms, and quick installers into OpenMRS. If you're an actively enrolled student, and would like to spend your summer learning how to participate in an open source community, come visit our project page, and apply."

Comments (none posted)

OSA announces European plans

The Open Solutions Alliance has launched a new European chapter. "The OSA announced in January 2008 its plans to launch a global, chapter-based structure with the European chapter as its first chapter outside the United States. OSA Europe will address business users' requirements for open solutions by federating a European open source business ecosystem, promoting interoperability and developing synergies between European software vendors."

Full Story (comments: none)

Happy Run Some Old Web Browsers Day!

For those who hearken back to the days when browsers and web pages were far simpler, Jamie Zawinski has resurrected old domains and browsers for your viewing pleasure. "I had originally planned on re-hosting these web sites on an SGI Indy running Mosaic Netsite Commerce Server, just for maximal comedic value... and to see how long it took before someone Øwned it, since there must be someone out there who still remembers how to launch an assault on Irix 5.3. Unfortunately, that wasn't possible for political reasons explained below." (Seen on Boing Boing)

Comments (14 posted)

Commercial announcements

MainConcept announces cross-platform video and audio CODECs

MainConcept AG has announced the release of its Codec SDK 7.5. "MainConcept is the first industry-wide vendor providing its broad range of codecs in one concise package for Windows, Mac/Intel and Linux simultaneously, delivering on its mission to make every codec available for every platform. Based on a comprehensive set of industry codecs such as H.264, MPEG-2, DVCPRO HD, JPEG 2000, and Dolby(R) Digital, professional software developers are now able to seamlessly integrate low level codec components and DirectShow filters for video and audio encoding and decoding into their own solutions for any major PC platform."


Open-Xchange Joins Eclipse Foundation

Open-Xchange has joined the Eclipse Foundation. "'Open-Xchange is the only independent, open source collaboration software project and product and as such, we are committed to embracing a fully open development framework that is cross platform and that embraces industry standards,' said Rafael Laguna, CEO, Open-Xchange. 'Today, we are inviting the Eclipse community to fully participate in the evolution of our open communication platform and by doing so, offering contributors and industry partners long-term security to continue independent development.'"


Plat'Home launches Linux-based Eco-Friendly servers

Plat'Home is selling its OpenBlockS(TM) server in the USA. "Plat'Home, Japan's Linux technology pioneer, is bringing its OpenBlockS(TM) server, a small, easy-to-use, easy-to-configure solution for growing companies, to North America. Part of the first ecology-friendly line of Linux servers ever shipped in the United States, Plat'Home's OpenBlockS server has been built and tested to provide enterprise-grade reliability in its RISC-based hardware, and has eliminated moving parts including a hard disk drive and cooling fan. It is also RoHS certified, a European Union directive meaning free of lead, mercury, cadmium, hexavalent chromium and other damaging materials."


Transgaming becomes Khronos Group Member

Transgaming has announced that it has joined the Khronos Group. "TransGaming Inc., a leading developer of portability and graphics technologies has become a Khronos Group Contributing Member, joining over one hundred industry leading technology companies. TransGaming will participate and vote with all Members in the ongoing development and promotion of open standards for the authoring and acceleration of dynamic media on platforms ranging from embedded systems to high-performance desktop and workstation systems."


Volantis releases Mobility Server to the Open Source Community

Volantis Systems has released its Mobility Server to the open source community under the GNU General Public License (GPL), version three. The company also launched the Mobility Server Project to help developers build out the mobile platform.


Resources

The Linux Foundation's kernel development paper

The Linux Foundation has posted a white paper on the kernel development process written by Greg Kroah-Hartman, Amanda McPherson, and LWN editor Jonathan Corbet. There will be little new there for those who have read similar reports on LWN or seen Greg's talk, but it is, in your editor's humble opinion, a good summary of the information. Articles based on this information are starting to show up in the press; this paper is the source they are all working from.


SFLC releases paper on shareware redistribution of free software

The Software Freedom Law Center has announced a new paper on shareware redistribution of free software. "The Software Freedom Law Center (SFLC), provider of pro-bono legal services to protect and advance Free and Open Source Software (FOSS), today published a paper that addresses free software distributed as shareware in violation of its original license. The paper describes actions free software developers can take to prevent, discover and deal with shareware-related license infringement. It was written after several free software authors contacted SFLC with concerns about their software being incorporated into shareware products without attribution and without source code distribution."


Education and Certification

LPI to Develop Enterprise-level "Security" Exam

The Linux Professional Institute has announced plans to develop a new "Security" exam elective for its LPIC-3 certification program. "Exam development for the LPI-303 "Security" elective is underway with the identification of job tasks associated with qualified candidates who have expertise in enterprise-level security skills. This will be followed by an extensive global Job Task Analysis survey in July-August 2008. The exam development program will also include objective and item development and a series of "beta" exams at special events around the world (October-November 2008). The initial LPIC-3 exams made successful and extensive use of volunteer participation in special "beta" exam events. Final exams are expected to be published and launched at the end of February 2009."


Meeting Minutes

Perl 6 Design Minutes for 26 March 2008

The Minutes from the March 26, 2008 Perl 6 Design meeting have been posted. "The Perl 6 design team met by phone on 26 March 2008. Larry, Allison, Patrick, Will, Jerry, Jesse, Nicholas, and chromatic attended." Additional meeting notes are also available.


Calls for Presentations

Nordic Perl Workshop 2008 - Call for Papers

A call for papers has gone out for the Nordic Perl Workshop 2008. "Stockholm Perl Mongers and its fellow Nordic Perl Mongers arranges the annual Nordic Perl Workshop in Stockholm, Sweden on the 24th and 25th of May (over a weekend). This is the second time the workshop is arranged in Stockholm and the 6th time in total. The venue for this year's workshop is located right next to Vasaparken near Odenplan, in the heart of Stockholm. During summertime this is a green oasis where one can chill in the grass, watch people or take a break in some of the park's coffee-shops. Odenplan also offers a wide range of restaurants and pubs in its vicinity." The submission deadline is May 2.


Upcoming Events

Early Registration Extension for Linux Symposium

Early registration for Linux Symposium has been extended until April 15, 2008. The Linux Symposium will be held July 23 - 26, 2008 in Ottawa, Canada.


Explore Mobile Future with Carnegie Mellon, UC Berkeley

"The Mobile Future: Technology Revolutionizing Our Lives" is a one-day conference gathering leading academics, researchers, pundits and industry experts to discuss their visions of this mobile future, along with technology and business models for achieving them. The conference will be held April 22, 2008, at the Santa Clara Convention Center in Santa Clara, Calif. USA.


PHP TestFest 2008

PHP TestFest 2008 has been announced. "The PHP-QA team would like to announce the TestFest for the month of May 2008. The TestFest is an event that aims at improving the code coverage of the test suite for the PHP language itself. As part of this event, local User Groups (UG) are invited to join the TestFest. These UGs can meet physically or come together virtually. The point however is that people network to learn together. Aside from being an opportunity for all of you to make friends with like minded people in your (virtual) community, it also will hopefully reduce the work load for the PHP.net mentors."


SDForum presents third annual Silicon Valley Ruby conference

SDForum has announced the Third Annual Silicon Valley Ruby Conference. "Keynote addresses will be delivered by Tim Bray, director of Web Technologies at Sun Microsystems, and John Lam, creator of the original RubyCLR, leading visionary for IronRuby and open source ambassador at Microsoft." The event will take place on April 18-19, 2008 at The Tech Museum in San Jose, CA.


SELinux Developer Summit 2008, Ottawa

The SELinux Developer Summit will take place in Ottawa, Canada on July 22, 2008. "The SELinux Developer Summit will be a one day summit intended to provide a forum for focused technical discussion regarding current and future development plans for SELinux and related Flask/TE projects. The intended audience will consist of current SELinux developers, system/security administrators, distribution organizers/packagers, and power users. The format will be a mix of presentations and moderated discussion, including a panel where attendees will be invited to submit questions and feedback."


TechInsights announces intellectual property symposium

TechInsights has announced the Intellectual Property Symposium, which will be co-located with the Embedded Systems Conference. "TechInsights today announced the industry panel topics for its inaugural Intellectual Property Symposium, a joint effort of EE Times, Semiconductor Insights and Portelligent, which is scheduled to take place April 15-16, 2008 at the San Jose Fairmont. The Intellectual Property Symposium is the first and only event to bring together the foremost legal, business and government minds to discuss the importance and logistics of properly protecting, managing and leveraging intellectual property."


Event Reports

Tracing Summit coverage

The TracingSummit2008 recently took place in Montreal, Canada. "New electronic services rely on an increasingly sophisticated infrastructure composed of powerful servers, numerous fixed or mobile clients, and the system and networking software. The central processing units have evolved from simple processors, to symmetric multi-processors (SMP), non-uniform memory access (NUMA) SMPs and more recently multi-core (SMP on a single chip) systems. Embedded soft and hard real-time multi-core multi-computer systems are exceedingly difficult to debug and tune. Many problems, often timing related, only show under real loads, when the hardware (cache, page tables, synchronization) and software (operating system, virtual machines, libraries and applications) are interacting in real-time."


Page editor: Forrest Cook


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds