Weekly Edition for November 13, 2008

Fedora release cycles: longer or shorter?

By Jonathan Corbet
November 12, 2008
The Fedora 10 release is currently planned for November 25 - somewhat later than had been originally intended. Delays in Fedora releases are certainly not unheard-of, even when the project isn't coping with a major compromise of its fundamental infrastructure (the full story of which, it should be noted, still has not been told). Fedora 10 looks like it will be worth the wait, but the project is not waiting for the release to start thinking about its upcoming release cycles. A couple of discussions related to this topic provide some interesting insights into the pressures being felt by Fedora's leadership.

A recent video review of Fedora 10 was seen by the project as being something other than entirely favorable. But the biggest complaint expressed by the project is on a different subject: credit for work which is done by Fedora developers. Quoting Fedora leader Paul Frields:

Another point that had me scratching my head was the same host indicating that Fedora had a lot of features that were in Ubuntu 8.10. This is certainly true, but the differentiator is that many of these features were *built* by Fedora contributors, inside and outside Red Hat. It's important for us to keep emphasizing this fact.

Subsequent discussion indicates that a number of Fedora developers feel that other distributions - Ubuntu in particular - are stealing Fedora's thunder by shipping Fedora-developed improvements first. This is not the first time this kind of concern has been raised; it has been asserted that Novell's behind-closed-doors XGL work was done that way to keep Ubuntu from shipping it first. Fedora does not appear to be considering pulling its development from public view - that would run counter to the project's open nature - but some other responses are being discussed.

More than anything else, the Fedora project would like to ensure that the world knows about the work its developers are doing. Initiatives like the feature list for each release help to get information out ahead of the actual software release. There is also talk of more aggressive blogging, outreach to news sites, etc. The project has even posted a proposed marketing schedule which would help to ensure that all the right marketing activities are happening at the right points in the release cycle.

Former Fedora leader Max Spevack had a different suggestion to offer:

If "features" and "first" are hurting because of where we are in the calendar compared to the Ubuntu release, allowing them the chance to release their new distro first and to receive a lot of credit for new features when reviewers and press don't understand where the upstream work is being done (in Fedora, for example), then Fedora Marketing should ask the Fedora Board to think about altering our "May Day" and "Halloween" release targets by a little bit, so that Fedora's cycle finishes before Ubuntu's.

This proposal brings to mind a vision of distributors racing to be the first to release, leading to ever-shorter cycles and a corresponding decrease in release quality. It is hard to imagine that the first mover has such an overwhelming marketing advantage; there must be a better way.

It does not look like Fedora will attempt a "first post" counterattack anytime soon. In fact, if the recently-posted Fedora 11 release schedule proposal is adopted, the exact opposite will happen. In the past, Fedora has responded to a much-delayed release by shortening the following release cycle in an attempt to get back on schedule. For Fedora 11, it would appear that this will not happen; there will be no attempt to go for a "May Day" release.

The reasoning against shortening the Fedora 11 cycle comes down to this:

Fedora 11 will be extremely important to Red Hat Enterprise Linux (otherwise known as RHEL). RHEL 6 planning has looked to use Fedora 10 and Fedora 11 as releases to work out new technologies and features that are desired in RHEL 6. This includes a lot of upstream work that is being done, and targeted to land in these two releases.

So a shortened Fedora 11 cycle would make it harder to get all of the changes planned for RHEL6 in. That's problematic for Red Hat, and, since Red Hat pays for much of Fedora's existence, Red Hat's problems become Fedora's problems. Beyond that, though, it seems that a number of core Red Hat engineers will be working on Fedora during the next cycle to help get RHEL6-targeted features into shape. If the next cycle is shorter, Fedora will get less attention from those developers. Fedora would like to avoid that situation and take advantage of the RHEL team's attention while it can.

So the proposal is to retain the six-month cycle for Fedora 11 and release around the beginning of June. The Fedora 12 cycle, though, would be shortened to get the project back to the original schedule. The hope is that the advance notice will make it easier to plan for a short release cycle; Jesse Keating also suggests that the project "could even focus more on polish issues in F12 than large sweeping features." The more cynically-minded among us might conclude that Fedora 11 will be stuffed full of bleeding-edge new stuff that the RHEL team wants to evaluate, and Fedora 12 will be the release where all of that work is actually stabilized. But your editor would never want to be cynical.

The initial response to the proposed schedule is almost entirely positive, so it seems likely that things will go that way. Some Fedora developers may feel that releasing behind Ubuntu gives the project a public relations disadvantage, but other concerns are seen as being more important. Since those "other concerns" can be seen as "take the time to focus a lot of work on pulling together new features for an upcoming stable release," this set of priorities seems hard to argue with.

NLUUG/ELCE: Embedded devices and free software

By Jake Edge
November 12, 2008

On successive days, Harald Welte and David Woodhouse gave different views of the relationship between embedded companies and the free software communities whose code the companies are increasingly using. Their outlooks were not contradictory, but instead complementary; each came at the topic from a different direction. Welte looked mostly at what companies, particularly chip vendors, could do better, while Woodhouse looked at what the community could do to improve.

Welte and Woodhouse spoke at the co-located NLUUG autumn Mobility conference and Embedded Linux Conference Europe in Ede, the Netherlands, November 6 and 7. The Congrescentrum De Reehorst facility was excellent and well-suited to an event of this type, which is not surprising as NLUUG has been holding two events there each year for the last ten years or so. In addition, the conference was well-organized and well-run, clearly displaying the experience that comes from the 26 years that NLUUG has been in existence.

[ The following covers Welte's presentation; Woodhouse's talk will be covered in a subsequent article. ]

Welte kicked things off on Thursday with a talk entitled "How chipmakers should (not) support free software". As the conference got a bit of a late start and was already 15 minutes behind at that point, Welte said that he would make the time up because "everyone can understand gzip compressed speech". More seriously, he outlined his experience as a member of the Linux community, an embedded developer, a chip manufacturer (from his recent work with Via), and a customer of consumer-grade embedded devices, all of which give him multiple relevant points of view.

Linux is being found in more and more devices today—some less than obvious. Welte listed fairly well-known things like mobile phones and in-flight entertainment systems, but then noted that there are DSL Access Multiplexers (DSLAMs), payphones, ATMs, as well as vending and exercise machines that also run Linux.

Vendors of those devices are using free and open source software (FOSS) because of its strengths, which he outlined. There is a great deal of innovative and creative development done in FOSS because the barriers to entry are fairly low: the codebase is easy to read—at least in comparison to closed source—and there are standard development tools that are freely available. Because development is done in the open, developers will be embarrassed if their software architecture or code is bad. This also results in better security because of the code review that takes place.


The outcome of using FOSS this way is that "we should have a perfect world" with tons of embedded products, all secure and maintainable, that allow for additional or alternate functionality via third parties. The first of those, many embedded products, has been achieved, but we are still waiting for the other two, Welte said.

He contrasted a user's experience with Linux on PCs today with the experience provided by most embedded devices. For PCs, you can download the kernel, build it and it will run, with most hardware supported. You can choose from multiple distributions, any of which will have a kernel close to that of a mainline kernel and provide regular security updates. These are "things we are used to for many years", but things are not that way in the embedded space.

In the embedded world, every CPU or system-on-a-chip (SoC) has its own kernel tree, typically based on some ancient version of the kernel, that never gets cleaned up or submitted for mainline inclusion. So, they get no benefit from new features or security fixes in the kernel. There are no distributions to choose from, either for users or board makers and, even if updates are generated, there is generally no packaging system to use to update the code; re-flashing the entire device is required.

In Welte's words, "this sucks!" The embedded vendors get unstable and unmaintainable software with "security nightmares" and no innovation from elsewhere. The vendors have kernels that have diverged so far from the mainline that new features or fixes can't be backported, nor can their kernels get merged upstream. This is because the vendors tend to be very short-sighted, only focusing on getting one particular device out the door.

From Welte's perspective, embedded vendors do not understand the real potential of FOSS. They do not think in terms of creating platforms that others can build atop. In general, "they would rather sell a new [device] rather than improve the existing one". So, the vendors compete on the basis of the features their proprietary competitors implement rather than figuring out how to take advantage of the true strengths of FOSS. If, instead, they used FOSS to its fullest, they could outcompete the proprietary vendors in ways that could not be matched—except by using FOSS.

Turning to the chip vendors, Welte points out that there are two types of customers: Linux-aware and Linux-unaware. The Linux-aware customers—whose numbers are growing—will seek out vendors whose Linux support is better. It is already relatively late in the game: "if you don't have proper FOSS support, you will lose the 'openness competition'".

Chip manufacturers should be engaging in "sustainable development" by releasing kernels developed against the mainline in cooperation with the community. One large mistake these vendors make is to think their customers are only the tier-one companies that buy chips directly. There are many more downstream users of a chip once it has been integrated into other hardware; the buyers of those devices are also important as they will determine the success or failure of the product.

Unsurprisingly, Welte recommends that the development be done in the open, with a public development tree. Releases should not just be stable snapshots or big code drops; "post early, post often" should be the governing principle. FOSS is not just a technology, as chip vendors tend to think, it is a research and development philosophy that needs to be integrated into both the internal and external processes of the chip vendor.

On the external side, making documentation available, without a non-disclosure agreement (NDA)—or at worst a FOSS-friendly NDA—is essential. Internally, there is normally quite a bit of learning required to understand the FOSS philosophy. This will require training for engineers as well as product management folks. Having a clear FOSS support strategy, with clear goals, is important for making it work.

Product management needs to understand that supporting Linux is mostly a process of understanding the development model. The Linux APIs are not a particularly big hurdle, but understanding the community and how to work within it can be. Supporting Linux should mean supporting the mainline, not just N distributions, as N will grow over time, which leads to more problems. It is important to recognize that Linux-aware customers care as much about the quality of the code as they do about price and performance.

Engineering management needs to encourage engineers to communicate with the community, which requires real internet access. When faced with adding functionality to some FOSS code, they should be looking at ways to cooperate with others who have similar needs, rather than reinventing the wheel. Engineers need to figure out how and where to ask the right kinds of questions. They also need to learn that code is written to be read, not just executed; "this is something new to many people".

The community also has responsibilities to help the chip makers by providing "non-partisan" documentation because these manufacturers often have "no clue where to start or who to talk to" when they start considering supporting Linux. Commercial embedded distributors have a different perspective from the community so documentation from the community viewpoint is required. Welte says that various Linux Foundation sponsored efforts are helping in this area, but more needs to be done. A mentoring program of some sort might help by having FOSS developers willing to work with engineers to walk them through the process of getting their code upstream. The community must also work to keep from scaring chip vendor engineers away by being overly rude or terse; it is important that valid criticism be fully explained.

Welte sees a number of current or looming problems for chip vendors in supporting Linux, mostly involving patents or technology licensing issues. Various licensing regimes (like those for MPEG or Sony's memory stick) impose requirements that essentially preclude the development of free software drivers to talk to devices that implement those technologies. Everyone in the industry has these problems, though, so Welte suggests that they band together to present a case to the license holders; with enough smaller players working together, their voice can be heard.

On the whole, Welte is somewhat pessimistic about where embedded devices are headed. He certainly sees more FOSS being used in devices in the future, but expects to see them still be restricted so that they cannot leverage the full potential of FOSS. He does see "some very dim light at the end of a very far tunnel" with projects like Openmoko, but also efforts by some chip vendors, notably Intel, to fully support Linux.

It was not that many years ago when the desktop Linux situation looked as bleak as the embedded space does today, so there is hope. Presentations like Welte's can only help to bring that about. The audience contained many embedded developers; hopefully they can help their companies' management see the benefits that Welte outlines so that his perfect world comes about sooner, but if the desktop is any guide, it will come about eventually.

NLUUG/ELCE: Embedded Linux and the community

By Jake Edge
November 12, 2008

As one of two embedded maintainers for the Linux kernel, David Woodhouse is in an excellent position to see where the community is failing to keep up its end of the bargain. At the recent co-located NLUUG and Embedded Linux conferences, his keynote on the second day made it very clear which areas he sees as needing improvement. We fairly regularly hear about things that companies should be doing—see the report on Harald Welte's first day keynote—but the community should certainly keep an eye on its behavior as well. In his presentation, Woodhouse noted multiple projects that are not upstreaming their changes; he also noted things that individuals could do to make Linux better.

He started by pointing out that "it's not entirely clear what 'embedded' means", as there are many kinds of devices that have embedded attributes. Things like headless, handheld, low power, small size, limited RAM, or limited persistent storage tend to be a part of the description of embedded devices, but there is "no real definition that I'm aware of that makes any sense".

Woodhouse then went on to see if he could define what an "embedded maintainer" is and does. He doesn't see the role as chasing patches to get them included upstream; it is more of an advocate role. Keeping an eye out for stupidity in the kernel using Bloatwatch and other tools, as well as encouraging people—in various companies as well as in different parts of the community—to work together on solutions to problems they have in common, are all part of the job.

From Woodhouse's perspective, companies are "getting a lot better" in terms of their Linux support. Less promising is the community: "We suck, really". He looked at a number of community embedded projects—like OpenWrt, Maemo, Moblin, and OLPC—to see how well they work with upstream; what he found was rather discouraging.

By looking at several concrete criteria, such as how many unsubmitted local kernel patches there were, how accessible their source is, and how old the kernel is that the project is using, Woodhouse is judging those projects the same way that companies are measured. Of the four projects that he looked at, only one, OLPC, was "mostly OK", the rest varied from "less good" to "FAIL".

Moblin, for example, had only 23 outstanding patches, but those were against kernel 2.6.24. OpenWrt had a better kernel version, 2.6.27, but had 160 outstanding patches, plus an extra 425 files weighing in at 125,000 lines of code, which prompted a "sorry!" from an OpenWrt developer in the audience. OLPC has just a few outstanding patches against, while Woodhouse couldn't even find the kernel source for Maemo.

Getting work upstream is extremely important. Running older kernels and backporting fixes and features may seem like it saves time, but "it never works in the long run, it's a false economy". Woodhouse listed the usual suspects as reasons to get things upstream: code review, compile testing, updates for kernel API changes, and automated bug checking. He also mentioned the Kernel Janitors, whose efforts are generally useful, even though they are "often a little misguided, sometimes they don't engage their brain before sending patches". All of these benefits only come from getting code into the mainline.

The theme of the talk is summed up in one statement: "Divergence is pain". Any time that your code is not current with the most recent kernels or your patches are not making their way upstream, it should be felt as pain because diverging from upstream will end up causing exactly that. The pain may not be felt until later, but Woodhouse wants developers to recognize the problems caused by divergence so that they are averse to it right from the start.

Looking at the reasons why code is hoarded is instructive, he says. One of the reasons that is often heard, as well as Woodhouse's opinion, are summed up in a bullet point on one of his slides: "too hard to write decent code get code accepted". Another reason is that there is not enough time in the schedule for getting code merged. Many "see it as an extra part of the process after the driver is complete", which is the wrong way to look at it. Drivers and other features should be shared early on the appropriate mailing list so that any problems are dealt with near the beginning of development.

An issue related to code quality is that many times drivers are developed for ancient versions of the kernel, but that really shouldn't be a barrier as any "decent code will port relatively easily". Sometimes there is resistance to changes by the upstream developers. An example he noted was a feature that allowed multicast to be optionally removed from the IPv4 networking stack. It saved a fair amount of space for embedded devices that did not need that functionality, but David Miller and other networking developers were not very interested. This is where the embedded maintainer role can come into play as Woodhouse can step in to try to help convince the upstream developers.

Woodhouse had specific suggestions for making the situation better. "For a start, put everything in git trees" as it allows others to look at and test the code. Each feature should have its own topic tree that gets pulled into the main tree, and developers should regularly assess the outstanding code to determine if it is ready to be moved upstream. Working with the upstream developers, getting them involved, and getting them to care about the feature or driver is crucial. In cases where a logjam develops, call on Woodhouse or Andrew Morton; they "can't promise any miracles, but often it can help".

Something that Woodhouse would like to see more developers do is to adopt a driver. There are countless drivers in SourceForge and elsewhere that are not upstream, so he suggests that folks "pick one driver, just tidy it up and make it acceptable upstream". Incidentally, Woodhouse is no fan of SourceForge: "I don't think I wrote 'don't use SourceForge' on any of the slides, but pretend that it's there". He mentioned the -staging tree as a possible destination for adopted drivers, though he is skeptical of the tree, "but it exists, we should see if we can get something from it".

Woodhouse summed up his talk with a simple statement: "We need to work better as a community before we can point fingers at companies who don't play nicely". It is certainly true that the community needs to set a good example for companies to follow. By highlighting some of our failures, Woodhouse has done the community a great favor; we can and, with luck, will do better.

Page editor: Jonathan Corbet


Storm botnet used to study spam

By Jake Edge
November 12, 2008

Spam is a problem that all email users suffer from, but getting a handle on the economics of spamming has never been easy. A group of researchers has changed that to some extent by publishing a study [PDF] that looks at the conversion rate of spam emails. While the methods they used were somewhat ethically questionable, the data the study provides is quite useful and interesting.

In the study, the Storm botnet's "command and control" (C&C) infrastructure was infiltrated in such a way that spam messages sent by Storm worker nodes would point the URLs in the spam at sites controlled by the researchers. By doing this, they could determine how much spam was sent and, more importantly, how much of it was clicked on. While sending spam is not very costly, it clearly does not have a zero cost. This means that—unbelievable though it sometimes seems—people actually do click through spam emails; not only that, they actually make purchases from the sites where they land.

The researchers set up fake pharmacy sites—selling male enhancement products amongst other things—that would be reached via the spam links. To protect the spam "victims", a visitor to the site would be allowed to get to the checkout stage before showing a site error. It seems plausible that nearly everyone willing to fill their shopping cart with such products and enter the checkout process is a very likely buyer. In this way, the study could count not only those who followed the links, but also those who were likely to buy.

What they found was that of 350 million emails sent—they estimate 82 million actually delivered—ten thousand recipients visited the site for a click-through rate of 0.003%. Of those, 28 users actually tried to check out with products totaling over $2700. The study was run for 26 days, so this could have resulted in roughly $100 per day of revenue.

Also of interest were the campaigns that were run to test the propagation of the Storm malware. This is normally done by sending spam that directs users to a website (via a "you have received a postcard" message) and entices them into clicking a link that will download and install the malware. The percentages of click-throughs were slightly higher (0.004-0.006%), but a rather large percentage of those (almost 10%) actually clicked the malware link once they reached the website. The researchers' version would download a benign executable, but the clear implication is that a small, but useful, number of users would actually add themselves to the botnet more-or-less voluntarily.

While the study is quick to point out that it represents only one data point, there is some value in extrapolating what the botnet might be able to generate in terms of revenue:

Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context. At the same time, it is tempting to speculate on what the numbers we have measured might mean. We succumb to this temptation below, with the understanding that few of our speculations can be empirically validated at this time.

The conclusion is that something on the order of $7000-9500 per day could be generated, which equates to $2.5-3.5 million per year—a tidy sum by any measure. There is some additional speculation that because of the retail cost of sending spam (rumored to be something like $80 per million sent), it only makes sense that the Storm operators and the "pharmacies" are one and the same. The sites used for propagation of the Storm malware have similarities to those used by the shopping sites, which also indicates a close association between the two. The study makes the following, perhaps overly optimistic, argument:

If true, this hypothesis is heartening since it suggests that the third-party retail market for spam distribution has not grown large or efficient enough to produce competitive pricing and thus, that profitable spam campaigns require organizations that can assemble complete "soup-to-nuts" teams. Put another way, the profit margin for spam (at least for this one pharmacy campaign) may be meager enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defenses.

The full paper is well worth a read for those interested in botnets or spam, but there are some ethical questions to consider as well. Is it reasonable to use other people's computers for your research without their consent? There is no easy answer to that question. The researchers outline their argument, which boils down to "we strictly reduce harm". Because they are just intercepting and modifying orders that are already being sent to workers, their research did not increase the amount of spam sent, nor did it increase the work that others' computers would do.

Since the spam that they arrange to be sent is harmless—at least in terms of selling bogus medicine or propagating malware—they have actually reduced the number of harmful spams sent. While their arguments seem at least well-thought-out, it is not something that would be fun to try to explain to a judge bent on enforcing some of the poorly-thought-out computer crime statutes. The researchers seem confident that their methods will pass muster, though: "We have been careful to design experiments that we believe are both consistent with current U.S. legal doctrine and are fundamentally ethical as well."

It is difficult to see how this kind of data could be gathered without co-opting Storm or another spam-sending botnet. From that standpoint, the researchers took the only path they could, but they certainly appear to have considered the legal and ethical landscape. While there may be a tendency to overestimate how widely applicable the data is—which the authors warn against—it does provide a nice look under the covers of the botnets delivering spam to one's inbox daily.

Brief items

More fun with Android

If you read this bug entry, you'll see that getting root access on an Android-based phone is rather easier than originally thought. It seems that the phone simply boots with a root shell listening to the keyboard, regardless of any other applications running. Be careful what you type... (a bit more information can be found on this page).

New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread
CVE #(s): CVE-2008-2549 CVE-2008-2992 CVE-2008-4812 CVE-2008-4813 CVE-2008-4814 CVE-2008-4815 CVE-2008-4817
Created: November 12, 2008
Updated: January 13, 2009

From the Red Hat advisory:

Several input validation flaws were discovered in Adobe Reader. A malicious PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader. (CVE-2008-2549, CVE-2008-2992, CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4817)

The Adobe Reader binary had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local attacker able to convince another user to run Adobe Reader in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-4815)

Gentoo 200901-09 acroread 2009-01-13
SuSE SUSE-SR:2008:026 libxml2, phpMyAdmin, lighttpd, OpenOffice_org, imp, clamav, acroread, htop, cups 2008-11-24
Red Hat RHSA-2008:0974-01 acroread 2008-11-12
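
A defensive check for the RPATH issue described in this entry (CVE-2008-4815), added here as an illustration; it is not code from the advisory or from Adobe. It parses `readelf -d` output and flags RPATH/RUNPATH elements that the loader would resolve against the current directory. The sample output and every path in it are constructed, and the function names are hypothetical.

```python
import os
import re
import subprocess

# Matches the RPATH / RUNPATH rows printed by `readelf -d <binary>`.
_DYN_PATH = re.compile(
    r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]"
)


def classify_entry(entry):
    """Return a reason string if one search-path element is unsafe, else None."""
    if entry == "":
        # Assumption: the loader treats an empty element as the current
        # directory (historical glibc behaviour), so it is flagged too.
        return "empty element, treated as the current directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        # Expanded relative to the binary's own location, not the cwd.
        return None
    if not entry.startswith("/"):
        return "relative path, resolved against the current directory"
    return None


def audit_readelf_dynamic(text):
    """Scan `readelf -d` output; return (tag, element, reason) per finding."""
    findings = []
    for line in text.splitlines():
        match = _DYN_PATH.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for entry in value.split(":"):
            reason = classify_entry(entry)
            if reason:
                findings.append((tag, entry, reason))
    return findings


def audit_binary(path):
    """Run readelf on a real file (needs binutils) and audit its output."""
    env = dict(os.environ, LC_ALL="C")  # keep readelf's labels untranslated
    out = subprocess.run(
        ["readelf", "-d", path],
        capture_output=True, text=True, check=True, env=env,
    ).stdout
    return audit_readelf_dynamic(out)


# Constructed sample: a binary whose RPATH starts with a relative element.
SAMPLE_VULNERABLE = """\
Dynamic section at offset 0x2d58 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [../lib:/opt/example/lib]
"""

# Constructed sample: the same binary rebuilt with absolute / $ORIGIN paths.
SAMPLE_FIXED = """\
Dynamic section at offset 0x2d58 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/opt/example/lib]
"""

if __name__ == "__main__":
    for tag, entry, reason in audit_readelf_dynamic(SAMPLE_VULNERABLE):
        print(f"{tag}: {entry!r}: {reason}")
```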

blender: arbitrary code execution

Package(s): blender
CVE #(s): CVE-2008-4863
Created: November 12, 2008
Updated: January 14, 2010

From the Red Hat bugzilla entry:

Untrusted search path vulnerability in BPY_interface in Blender 2.46 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.

Gentoo 201001-07 blender 2010-01-13
Mandriva MDVSA-2009:038-1 blender 2009-12-08
Mandriva MDVSA-2009:038 blender 2008-02-16
Ubuntu USN-699-1 blender 2008-12-22
Fedora FEDORA-2008-10448 blender 2008-12-03
Fedora FEDORA-2008-9447 blender 2008-11-12
Fedora FEDORA-2008-9411 blender 2008-11-12
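
The sys.path behaviour behind this entry, shown with a hardening filter, as an added example that is not code from Blender or from the bugzilla entry. PySys_SetArgv prepends an empty string to sys.path when argv[0] is not an existing script, and Python resolves that entry to the current working directory. The module name, the application path and the helper names below are hypothetical.

```python
import importlib
import os
import tempfile
from importlib.machinery import PathFinder


def unsafe_entries(path_list):
    """Return sys.path-style entries that follow the current directory."""
    # '' and any relative entry are resolved against the cwd at import time.
    return [p for p in path_list if p == "" or not os.path.isabs(p)]


def hardened(path_list):
    """Return a copy of the search path without cwd-dependent entries."""
    bad = set(unsafe_entries(path_list))
    return [p for p in path_list if p not in bad]


def resolve(name, path_list):
    """Where would `import name` load from with this path? None if nowhere."""
    importlib.invalidate_caches()
    spec = PathFinder.find_spec(name, path_list)
    return spec.origin if spec else None


def demo():
    """Resolve one module name before and after hardening the search path."""
    module = "constructed_plugin_helper"  # hypothetical module name
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as untrusted:
        # A harmless file standing in for whatever sits in the directory
        # the user happened to start the application from.
        with open(os.path.join(untrusted, module + ".py"), "w") as fh:
            fh.write("VALUE = 'loaded from working directory'\n")
        os.chdir(untrusted)
        try:
            # Search path as an embedding application would see it when
            # '' was prepended; the second entry is a constructed path.
            search = ["", "/usr/lib/constructed-app/scripts"]
            before = resolve(module, search)
            after = resolve(module, hardened(search))
        finally:
            os.chdir(old_cwd)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with '' in the path :", before)
    print("after hardening     :", after)
```

Applications that embed Python from C can avoid the entry being added in the first place by calling PySys_SetArgvEx with updatepath set to 0.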

dovecot: denial of service

Package(s): dovecot
CVE #(s): CVE-2008-4907
Created: November 12, 2008
Updated: December 15, 2008

From the Ubuntu advisory:

It was discovered that certain email headers were not correctly handled by Dovecot. If a remote attacker sent a specially crafted email to a user with a mailbox managed by Dovecot, that user's mailbox would become inaccessible through Dovecot, leading to a denial of service.

Gentoo 200812-16 dovecot 2008-12-14
Ubuntu USN-666-1 dovecot 2008-11-07

drupal-cck: cross site scripting

Package(s): drupal-cck
CVE #(s):
Created: November 7, 2008
Updated: November 24, 2008

From the Drupal advisory:

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.

Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.

This is only an issue if you need any role separation between administrators and users with the "administer content" permission.

Fedora FEDORA-2008-10000 drupal-cck 2008-11-22
Fedora FEDORA-2008-9479 drupal-cck 2008-11-07

Comments (none posted)

faad2: arbitrary code execution

Package(s):faad2 CVE #(s):CVE-2008-4201
Created:November 12, 2008 Updated:November 12, 2008

From the Gentoo advisory:

The ICST-ERCIS (Peking University) reported a heap-based buffer overflow in the decodeMP4file() function in frontend/main.c.

A remote attacker could entice a user to open a specially crafted MPEG-4 (MP4) file in an application using FAAD2, possibly leading to the execution of arbitrary code.

Gentoo 200811-03 faad2 2008-11-09

Comments (none posted)

flash-plugin: multiple vulnerabilities

Package(s):flash-plugin CVE #(s):CVE-2008-4818 CVE-2008-4819 CVE-2008-4823 CVE-2008-4822 CVE-2008-4821
Created:November 12, 2008 Updated:November 12, 2008

From the Red Hat advisory:

Flash Player contains a flaw in the way it interprets HTTP response headers. An attacker could use this flaw to conduct a cross-site scripting attack against the user running Flash Player. (CVE-2008-4818)

A flaw was found in the way Flash Player handles the ActionScript attribute. A malicious site could use this flaw to inject arbitrary HTML content, confusing the user running the browser. (CVE-2008-4823)

A flaw was found in the way Flash Player interprets policy files. It was possible to bypass a non-root domain policy, possibly allowing a malicious site to access data in a different domain. (CVE-2008-4822)

A flaw was found in how Flash Player's jar: protocol handler interacts with Mozilla. A malicious flash application could use this flaw to disclose sensitive information. (CVE-2008-4821)

Updated Flash Player also extends mechanisms to help prevent an attacker from executing a DNS rebinding attack. (CVE-2008-4819)

Red Hat RHSA-2008:0980-02 flash-plugin 2008-11-12

Comments (none posted)

gallery: multiple vulnerabilities

Package(s):gallery CVE #(s):CVE-2008-3600 CVE-2008-3662 CVE-2008-4129 CVE-2008-4130
Created:November 12, 2008 Updated:December 15, 2008

From the Gentoo advisory:

* Digital Security Research Group reported a directory traversal vulnerability in contrib/phpBB2/modules.php in Gallery 1, when register_globals is enabled (CVE-2008-3600).

* Hanno Boeck reported that Gallery 1 and 2 did not set the secure flag for the session cookie in an HTTPS session (CVE-2008-3662).

* Alex Ustinov reported that Gallery 1 and 2 do not properly handle ZIP archives containing symbolic links (CVE-2008-4129).

* The vendor reported a Cross-Site Scripting vulnerability in Gallery 2 (CVE-2008-4130).

Fedora FEDORA-2008-11218 gallery2 2008-12-13
Fedora FEDORA-2008-11258 gallery2 2008-12-13
Fedora FEDORA-2008-11230 gallery2 2008-12-13
Gentoo 200811-02 gallery 2008-11-09

Comments (none posted)

gnutls: man in the middle attacks

Package(s):gnutls CVE #(s):CVE-2008-4989
Created:November 11, 2008 Updated:September 28, 2009

From the Red Hat advisory:

Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates.

Fedora FEDORA-2009-8622 gnutls 2009-08-15
Ubuntu USN-809-1 gnutls12, gnutls13, gnutls26 2009-08-19
SuSE SUSE-SR:2009:009 openswan/strongswan, clamav, gstreamer-0_10-plugins-base, gnome-panel, postgresql, acroread_ja, ghostscript-devel, xine-devel/libxine-devel, moodle, gnutls, udev 2009-04-21
Debian DSA-1719-2 gnutls13 2009-02-28
Debian DSA-1719-1 gnutls13 2009-02-10
Gentoo 200901-10 gnutls 2009-01-14
Ubuntu USN-678-2 gnutls 2008-12-10
SuSE SUSE-SR:2008:027 squirrelmail, gnutls, rubygem-activerecord, rubygem-actionpack, samba, dbus-1, pdns, php5, pam_krb5 2008-12-09
Ubuntu USN-678-1 gnutls12, gnutls13, gnutls26 2008-11-26
Fedora FEDORA-2008-10000 gnutls 2008-11-22
Mandriva MDVSA-2008:227-1 gnutls 2008-11-17
rPath rPSA-2008-0322-1 gnutls 2008-11-17
Slackware SSA:2008-320-01 gnutls 2008-11-17
Mandriva MDVSA-2008:227 gnutls 2008-11-12
Fedora FEDORA-2008-9530 gnutls 2008-11-12
Fedora FEDORA-2008-9600 gnutls 2008-11-12
CentOS CESA-2008:0982 gnutls 2008-11-11
Slackware SSA:2008-315-01 gnutls 2008-11-11
Red Hat RHSA-2008:0982-01 gnutls 2008-11-11

Comments (none posted)

kvm: heap overflow

Package(s):kvm CVE #(s):CVE-2008-4539
Created:November 12, 2008 Updated:May 13, 2009

This is evidently a reoccurrence of CVE-2007-1320, which has the following description:

Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.

Ubuntu USN-776-2 USN-776-1 fixed 2009-05-13
Ubuntu USN-776-1 kvm 2009-05-12
Debian DSA-1799-1 qemu 2009-05-11
Fedora FEDORA-2008-11727 kvm 2008-12-24
Fedora FEDORA-2008-11705 kvm 2008-12-24
Fedora FEDORA-2008-10000 kvm 2008-11-22
Fedora FEDORA-2008-9556 kvm 2008-11-12

Comments (none posted)

mysql-dfsg: symlink traversal

Package(s):mysql-dfsg-5.0 CVE #(s):CVE-2008-4098 CVE-2008-4097
Created:November 6, 2008 Updated:June 4, 2010

From the Debian advisory:

A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access.

Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
Pardus 2010-73 mysql-server 2010-06-04
Red Hat RHSA-2010:0109-01 mysql 2010-02-16
Mandriva MDVSA-2010:012 mysql 2010-01-17
Mandriva MDVSA-2010:011 mysql 2010-01-17
CentOS CESA-2010:0110 mysql 2010-02-17
Ubuntu USN-897-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-02-10
Mandriva MDVSA-2009:326 mysql 2009-12-07
CentOS CESA-2010:0109 mysql 2010-03-01
Red Hat RHSA-2010:0110-01 mysql 2010-02-16
Red Hat RHSA-2009:1067-01 Red Hat Application Stack 2009-05-26
Mandriva MDVSA-2009:094 mysql 2009-04-22
Ubuntu USN-671-1 mysql-dfsg-5.0 2008-11-17
SuSE SUSE-SR:2008:025 apache2, ipsec-tools, kernel-bigsmp, flash-player, mysql, ktorrent 2008-11-14
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
Debian DSA-1662-1 mysql-dfsg-5.0 2008-11-06

Comments (none posted)

php-Smarty: remote code execution

Package(s):php-Smarty CVE #(s):CVE-2008-4811
Created:November 7, 2008 Updated:June 3, 2010

From the CVE entry:

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character.

Gentoo 201006-13 smarty 2010-06-02
Ubuntu USN-791-1 moodle 2009-06-24
Mandriva MDVSA-2009:052 php-smarty 2009-02-24
Debian DSA-1691-1 moodle 2008-12-22
Fedora FEDORA-2008-10409 php-Smarty 2008-11-26
Fedora FEDORA-2008-9420 php-Smarty 2008-11-07
Fedora FEDORA-2008-9401 php-Smarty 2008-11-07

Comments (none posted)

uw-imap: unspecified vulnerability

Package(s):uw-imap CVE #(s):
Created:November 6, 2008 Updated:November 12, 2008

From this imap-uw advisory:

There is a security bug in versions of the programs tmail and dmail distributed with the IMAP Toolkit versions 2007c or earlier (all versions prior to 2008-10-29). This includes the version distributed with Alpine 2.00.

Fedora FEDORA-2008-9396 uw-imap 2008-11-06
Fedora FEDORA-2008-9383 uw-imap 2008-11-06

Comments (none posted)

wordpress: arbitrary command execution

Package(s):wordpress CVE #(s):CVE-2008-4796
Created:November 7, 2008 Updated:December 11, 2009

From the CVE entry:

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

Debian DSA-1871-2 wordpress 2009-08-27
Debian DSA-1871-1 wordpress 2009-08-23
Ubuntu USN-791-1 moodle 2009-06-24
Fedora FEDORA-2009-3280 moodle 2009-04-02
Fedora FEDORA-2009-3283 moodle 2009-04-02
Fedora FEDORA-2008-11550 moodle 2008-12-21
Fedora FEDORA-2008-11577 moodle 2008-12-21
Fedora FEDORA-2009-0819 moodle 2009-01-21
Debian DSA-1691-1 moodle 2008-12-22
Fedora FEDORA-2009-0814 moodle 2009-01-21
Fedora FEDORA-2008-9903 moodle 2008-11-22
Fedora FEDORA-2008-9508 moodle 2008-11-08
Fedora FEDORA-2008-9502 moodle 2008-11-08
Fedora FEDORA-2008-9257 wordpress 2008-11-07
Fedora FEDORA-2008-9304 wordpress 2008-11-07
Gentoo 201702-26 nagios-core 2017-02-21

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.28-rc4, released on November 9. "Nothing hugely exciting here. Various small fixes all over. There's a delayed FAT update which includes some movement of files around, and there's two fixes for some really long-standing problems (not really regressions, but nasty bugs) in Unix domain file descriptor passing." This release also contains a new Fujitsu MB862xx framebuffer driver and the introduction of a new internal API for dealing with CPU masks. See the long-format changelog for all the details.

As of this writing, just over 200 fixes have been merged into the mainline git repository since the 2.6.28-rc4 release.

The current stable 2.6 kernel is, released on November 7. It contains a long list of fixes accompanied by a stronger-than-usual encouragement to upgrade. The update is in the review process as of this writing; it will likely be released on November 14.

The and stable kernel updates came out on November 10. They both contain a long list of fixes, and both are intended to be the last in the series. Users who are dependent on these updates will want to consider moving to 2.6.27 in the near future.

Comments (none posted)

Kernel development news

Quotes of the week

Google was going to be an interesting case of a large company hiring people both from the embedded world and also the existing Linux development community and then producing an embedded device that was intended to compete with the very best existing platforms. I had high hopes that this combination of factors would result in the Linux community as a whole having a better idea what the constraints and requirements for high-quality power management in the embedded world were, rather than us ending up with another pile of vendor code sitting on an FTP site somewhere in Taiwan that implements its power management by passing tokenised dead mice through a wormhole.

To a certain extent, my hopes were fulfilled. We got a git server in California.

-- Matthew Garrett

We should stop using CPP, which is the outdated tech of the sixties. We should go with the new wave of the seventies and use this shiny new "C" language that's all the rage with features like type checking and stuff.
-- Ingo Molnar

If four heads have exploded (thus far) over one piece of code, perhaps the blame doesn't lie with those heads.
-- Andrew Morton

Comments (none posted)

Tracking of testers and bug reporters - a status report

By Jonathan Corbet
November 11, 2008
A recurring topic at kernel summits is proper recognition for users who report bugs and test fixes. These people help the development process considerably, but they are far less visible than the developers who are creating those bugs in the first place. Since we would like to have more testers and reporters, it makes sense to reward them in whatever way we can. One of the strongest currencies we hold is credit for work done. So it stands to reason that crediting those who help the development process is in the interest of everybody involved.

One mechanism developed for this purpose is a set of tags applied to patches before they are merged into the mainline. When a patch fixes a bug, the user(s) who reported that bug should be credited through the addition of a Reported-by: tag. Similarly, testers are credited with the Tested-by: tag. As it happens, some developers have adopted the habit of using Reported-and-tested-by: as a way of saving valuable newlines in the common case where a user fills both roles.

There is a certain warm feeling that comes with having one's name stored in a changelog entry in the kernel source repository. But the amount of visibility which comes from this event is relatively small. So your editor decided to hack up his git data mining utility to track these tags. Without further ado, here are the top problem reporters and patch testers for the 2.6.27 development cycle:

Most credited 2.6.27 testers

Reported-by credits
Name                         Credits  Percent
Adrian Bunk                  43       21.0%
Robert P. J. Day             12       5.9%
Eric Sesterhenn              5        2.4%
Andrew Morton                4        2.0%
Alexey Dobriyan              4        2.0%
Denys Fedoryshchenko         4        2.0%
Yinghai Lu                   3        1.5%
David S. Miller              3        1.5%
Vegard Nossum                3        1.5%
Stephen Rothwell             3        1.5%
Juha Leppanen                3        1.5%
Russell King                 2        1.0%
Andi Kleen                   2        1.0%
Ingo Molnar                  2        1.0%
Benjamin Herrenschmidt       2        1.0%
Daniel J Blueman             2        1.0%
Daniel Exner                 2        1.0%
Manuel Lauss                 2        1.0%
Atsushi Nemoto               2        1.0%
Mikael Pettersson            2        1.0%

Tested-by: credits
Name                         Credits  Percent
Ingo Molnar                  7        4.6%
Andrew Savchenko             6        3.9%
Rene Herman                  4        2.6%
Mariusz Kozlowski            3        2.0%
Alexey Dobriyan              3        2.0%
Tino Keitel                  3        2.0%
Robert Jarzmik               3        2.0%
KOSAKI Motohiro              2        1.3%
Benjamin Herrenschmidt       2        1.3%
Larry Finger                 2        1.3%
Kenji Kaneshige              2        1.3%
Jack Howarth                 2        1.3%
Gerald Schaefer              2        1.3%
Dennis Jansen                2        1.3%
Daniel J Blueman             2        1.3%
Daniel Exner                 2        1.3%
Steven Noonan                2        1.3%
Lawrence Greenfield          2        1.3%
Mark Langsdorf               2        1.3%

All told, there were a total of 205 Reported-by: and 153 Tested-by: credits entered during the 2.6.27 kernel cycle. This is arguably a reasonable start for a new tag, but it seems clear that a lot of problem reporters are not, yet, being credited in this manner. Your editor became curious to see just who is taking the time to credit these people; they, too, deserve some credit. A bit more script hacking yielded these tables:

Developers giving credits in 2.6.27

Reported-by credits
Name                         Credits  Percent
Adrian Bunk                  44       21.5%
Linus Torvalds               12       5.9%
Ingo Molnar                  8        3.9%
Andrew Morton                7        3.4%
Peter Zijlstra               7        3.4%
Bartlomiej Zolnierkiewicz    6        2.9%
Yinghai Lu                   5        2.4%
Jarek Poplawski              5        2.4%
Jiri Kosina                  5        2.4%
Hugh Dickins                 4        2.0%
FUJITA Tomonori              4        2.0%
Paul Mundt                   4        2.0%
Vegard Nossum                3        1.5%
Russell King                 3        1.5%
Jeremy Fitzhardinge          3        1.5%
Roland McGrath               3        1.5%
Haavard Skinnemoen           3        1.5%
Dmitry Torokhov              3        1.5%
David Woodhouse              3        1.5%
Oleg Nesterov                3        1.5%

Tested-by: credits
Name                         Credits  Percent
Pekka Enberg                 7        4.6%
Linus Torvalds               7        4.6%
Takashi Iwai                 5        3.3%
Bartlomiej Zolnierkiewicz    5        3.3%
Peter Zijlstra               4        2.6%
Rafael J. Wysocki            4        2.6%
Yinghai Lu                   4        2.6%
Hugh Dickins                 4        2.6%
Alan Stern                   4        2.6%
Eric Miao                    4        2.6%
Thomas Gleixner              3        2.0%
Lennert Buytenhek            3        2.0%
Alex Chiang                  3        2.0%
Krzysztof Helt               3        2.0%
Stefan Richter               3        2.0%
Andy Whitcroft               3        2.0%
KOSAKI Motohiro              2        1.3%
Dennis Jansen                2        1.3%
Andrew Morton                2        1.3%
David S. Miller              2        1.3%

The end result: Adrian Bunk gave over 20% of the total bug reporting credits - to himself. Beyond that, a number of the core developers are taking at least some time to credit those who report bugs and test patches. But, in the end, the 10,628 changesets merged for 2.6.27 probably contained quite a few more patches which could have carried such tags. If the reporting and testing tags are to become truly useful and significant, they will have to be more universally used.

While your editor was at it, he also collected statistics for Reviewed-by: tags. These tags differ in that they are offered by the reviewer, who thereby states that a reasonably thorough review has been done and the code has not been found seriously wanting. Code review is perennially in short supply in just about any free software project, so, again, proper credit for reviewers seems like more than just a good idea. Here's the top 2.6.27 credited reviewers:

Developers with the most reviews (total 123)
Name                         Reviews  Percent
Ingo Molnar                  23       18.7%
Paul Jackson                 12       9.8%
Peter Zijlstra               11       8.9%
Christoph Lameter            10       8.1%
Aneesh Kumar K.V             7        5.7%
KOSAKI Motohiro              6        4.9%
Paul E. McKenney             6        4.9%
Jeff Moyer                   5        4.1%
Robert P. J. Day             4        3.3%
Nadia Derbey                 3        2.4%
Paul E. McKenney             3        2.4%
Mingming Cao                 2        1.6%
Michael Buesch               2        1.6%
Li Zefan                     2        1.6%
Matthew Wilcox               2        1.6%
Ingo Oeser                   2        1.6%
Badari Pulavarty             2        1.6%

If these numbers are to be believed, only 123 reviews were performed over the 2.6.27 development cycle. Even the most cynical observer is likely to agree that a bit more reviewing than that is going on. Most reviewers do not offer the associated tag, so their contribution goes unrecorded. In particular, Andrew Morton, who seems to review almost every patch which appears, should be at the top of the above list.

Clearly, the task of ensuring proper credit for testers, bug reporters, and reviewers is still in its initial stages. But one has to start somewhere; this is more information than we had before. Hopefully, over time, the habit of crediting those who help with the development process will become more widespread. And that, with luck, will encourage more testing and bug reporting and, as a result, a better kernel.

Comments (7 posted)

/dev/ksm: dynamic memory sharing

By Jonathan Corbet
November 12, 2008
The kernel generally goes out of its way to share identical memory pages between processes. Program text is always shared, for example. But writable pages will also be shared between processes when the kernel knows that the contents of the memory are the same for all processes involved. When a process calls fork(), all writable pages are turned into copy-on-write (COW) pages and shared between the parent and child. As long as neither process modifies the contents of any given page, that sharing can continue, with a corresponding reduction in memory use.

Copy-on-write with fork() works because the kernel knows that each process expects to find the same contents in those pages. When the kernel lacks that knowledge, though, it will generally be unable to arrange sharing of identical pages. One might not think that this would ordinarily be a problem, but the KVM developers have come up with a couple of situations where this kind of sharing opportunity might come about. Your editor cannot resist this case proposed by Avi Kivity:

Consider the typical multiuser gnome minicomputer with all 150 users reading at the same time instead of working. You could share the firefox rendered page cache, reducing memory utilization drastically.

Beyond such typical systems, though, consider the case of a host running a number of virtualized guests. Those guests will not share a process-tree relationship which makes the sharing of pages between them easy, but they may well be using a substantial portion of their memory to hold identical contents. If that host could find a way to force the sharing of pages with identical contents, it should be able to make much better use of its memory and, as a result, run more guests. This is the kind of thing which gets the attention of virtualization developers. So the hackers at Qumranet Red Hat (Izik Eidus, Andrea Arcangeli, and Chris Wright in particular) have put together a mechanism to make that kind of sharing happen. The resulting code, called KSM, was recently posted for wider review.

KSM takes the form of a device driver for a single, virtual device: /dev/ksm. A process which wants to take part in the page sharing regime can open that device and register (with an ioctl() call) a portion of its address space with the KSM driver. Once the page sharing mechanism is turned on (via another ioctl()), the kernel will start looking for pages to share.

The algorithm is relatively simple. The KSM driver, inside a kernel thread, picks one of the memory regions registered with it and starts scanning over it. For each page which is resident in memory, KSM will generate an SHA1 hash of the page's contents. That hash will then be used to look up other pages with the same hash value. If a subsequent memcmp() call shows that the contents of the pages are truly identical, all processes with a reference to the scanned page will be pointed (in COW mode) to the other one, and the redundant page will be returned to the system. As long as nobody modifies the page, the sharing can continue; once a write operation happens, the page will be copied and the sharing will end.

The kernel thread will scan up to a maximum number of pages before going to sleep for a while. Both the number of pages to scan and the sleep period are passed in as parameters to the ioctl() call which starts scanning. A user-space control process can also pause scanning via another ioctl() call.
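The scan, compare and copy-on-write steps described above can be modelled in user space. The following C program is an added illustration, not code from the KSM patch: the struct and function names are invented here, FNV-1a stands in for SHA1, a linear list replaces the driver's hash lookup, and the sample pages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
#define MAX_PAGES 64

/* One physical frame and the number of mappings that point at it. */
struct frame { unsigned char data[PAGE_SIZE]; int refcount; };
/* A registered region: map[i] is the frame behind virtual page i. */
struct region { struct frame *map[MAX_PAGES]; int npages; };

typedef uint64_t (*page_hash_fn)(const unsigned char *page);

/* FNV-1a, used here in place of the SHA1 the article mentions. */
uint64_t fnv1a_page(const unsigned char *page)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < PAGE_SIZE; i++)
        h = (h ^ page[i]) * 1099511628211ULL;
    return h;
}

/* Worst-case hash: every page collides, so only memcmp() stops a bad merge. */
uint64_t colliding_hash(const unsigned char *page) { (void)page; return 42; }

struct frame *frame_new(void)
{
    struct frame *f = malloc(sizeof(*f));
    if (!f) abort();
    f->refcount = 1;
    return f;
}

/* Drop one reference; the frame goes back to the system at zero. */
void frame_put(struct frame *f) { if (--f->refcount == 0) free(f); }

/* Append a private page filled with the byte `fill`. */
void region_add(struct region *r, int fill)
{
    if (r->npages == MAX_PAGES) abort();
    r->map[r->npages] = frame_new();
    memset(r->map[r->npages++]->data, fill, PAGE_SIZE);
}

/* One scan pass; returns how many mappings were repointed to an
 * identical frame seen earlier in the pass. */
int ksm_scan(struct region *r, page_hash_fn hash)
{
    struct frame *seen[MAX_PAGES];
    uint64_t seen_hash[MAX_PAGES];
    int nseen = 0, merged = 0;

    for (int i = 0; i < r->npages; i++) {
        struct frame *cur = r->map[i];
        uint64_t h = hash(cur->data);
        int j;
        for (j = 0; j < nseen; j++) {
            if (seen[j] == cur)
                break;                      /* this mapping is already shared */
            if (seen_hash[j] == h &&
                memcmp(seen[j]->data, cur->data, PAGE_SIZE) == 0) {
                seen[j]->refcount++;        /* share the earlier frame */
                r->map[i] = seen[j];
                frame_put(cur);             /* release the duplicate */
                merged++;
                break;
            }
        }
        if (j == nseen) {                   /* first frame with this content */
            seen[nseen] = cur;
            seen_hash[nseen++] = h;
        }
    }
    return merged;
}

/* Write one byte; a shared frame is copied first (copy-on-write). */
void region_write(struct region *r, int idx, size_t off, unsigned char val)
{
    struct frame *f = r->map[idx];
    if (f->refcount > 1) {
        struct frame *copy = frame_new();
        memcpy(copy->data, f->data, PAGE_SIZE);
        frame_put(f);
        r->map[idx] = f = copy;
    }
    f->data[off] = val;
}

int main(void)
{
    struct region r = {0};
    int fills[] = {0, 0xAA, 0, 0xAA, 0, 0x55};   /* constructed sample pages */
    for (int i = 0; i < 6; i++)
        region_add(&r, fills[i]);
    int merged = ksm_scan(&r, fnv1a_page);
    printf("merged %d mappings; zero page refcount %d\n", merged, r.map[0]->refcount);
    return 0;
}
```

Passing colliding_hash to ksm_scan() on pages with different contents merges nothing, which is why the byte-for-byte comparison follows the hash lookup.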

The initial response to the patch from Andrew Morton was not entirely enthusiastic:

The whole approach seems wrong to me. The kernel lost track of these pages and then we run around post-facto trying to fix that up again. Please explain (for the changelog) why the kernel cannot get this right via the usual sharing, refcounting and COWing approaches.

The answer from Avi Kivity was reasonably clear:

For kvm, the kernel never knew those pages were shared. They are loaded from independent (possibly compressed and encrypted) disk images. These images are different; but some pages happen to be the same because they came from the same installation media.

Izik Eidus adds that, with this patch, a host running a bunch of Windows guests is able to overcommit its memory 300% without terribly ill effects. This technique, it seems, is especially effective with Windows guests: Windows apparently zeroes all freed memory, so each guest's list of free pages can be coalesced down to a single, shared page full of zeroes.

What has not been done (or, at least, not posted) is any sort of benchmarking of the impact KSM has on a running system. The scanning, hashing, and comparing of pages will require some CPU time, and it is likely to have noticeable cache effects as well. If you are trying to run dozens of Windows guests, cache effects may well be relatively low on your list of problems. But that cost may be sufficient to prevent the more general use of KSM, even though systems which are not using virtualization at all may still have a lot of pages with identical contents.

Comments (25 posted)

The sad story of the em28xx driver

By Jonathan Corbet
November 11, 2008
Over the last year or two, the kernel development process has been changed in a deliberate attempt to make the addition of new drivers easier. It has become clear that out-of-tree drivers often do not get any better until they are merged; meanwhile, users want those drivers and distributors are shipping them. So it would seem that everybody's interests are served by getting those drivers into the mainline tree. Experience with drivers merged under this policy has generally been positive; once those drivers head for the mainline, they get more attention and tend to improve quickly.

Given that, one might well wonder why Markus Rechberger's recently submitted "empia" driver series is encountering so much resistance. This driver works with a number of video acquisition devices based on Empia chips; many of those are not supported by the kernel now. As an Empia Technology employee, Markus has access to the relevant data sheets and is, thus, well placed to write a fully-functional driver. There are users who will attest that the drivers work, and that Markus provides good support for them. But, as things stand now, it would appear that this driver is not headed for the mainline.

What we have here is a classic story of an impedance mismatch between a developer and the development community. In the process, this long story has helped to give the Video4Linux development community a bit of a reputation as a dysfunctional family - a perception which those developers are only now beginning to overcome. The sad truth would seem to be that, while working with the community is something that a couple thousand developers do with little trouble every year, there will always be a few who have difficulties.

A quick review of some of the history is in order here. Markus was one of the authors of the original em28xx driver, first merged for the 2.6.15 kernel. His efforts to enhance that driver quickly ran into trouble, though, when he tried to make substantial changes to the low-level tuner interface - changes which affected a number of other drivers. These changes were not popular in the Video4Linux community, and there were fears that they could break unrelated drivers. So this code was not merged.

In response to this rejection, Markus claimed ownership of the em28xx driver and asked that it be removed from the mainline kernel. He then continued development of the code, hosting it on his own server. There was even a period where the code was relicensed to the MPL, apparently as part of an attempt to prevent it from being taken into the mainline. Eventually, Markus came back with a new approach which moved much of the tuner code into user space. That solution, too, failed to pass review; nobody else could really see much advantage in moving that much driver code out of the kernel. The fact that Markus clearly intended to have some of that code appear in the form of binary-only blobs did not help his case. So the user-space approach, like its predecessor, was not merged.

While Markus was working on his own version of the code, others were putting patches into the mainline em28xx driver. At times, Markus tried to block those changes. The tone of the discussion is, perhaps, best seen from this note sent to Video4Linux maintainer Mauro Carvalho Chehab:

Best would be to replace you as a maintainer since you don't have any respect of others' work either. Companies should be aware that if they try to submit any code to you they will lose the authority over _their_ work.

Of course, losing "authority" over code is inherent in releasing that code under a license like the GPL. This attempt to exercise control over freely-licensed code was slapped down by Andrew Morton and others, but it left unpleasant memories behind.

Now Markus is back with a driver that, to all appearances, duplicates the functionality of a driver which is already in the mainline kernel. It is not hard to see this submission as an attempt to retake control of that driver and, perhaps, restart the discussions from past years. So it is not entirely surprising that this driver has not been received with a great deal of enthusiasm. In short, Markus has been told to go away until he is prepared to submit his work in the form of a series of small patches to the in-tree em28xx driver.

The advantages of improving the current driver, rather than duplicating some of its functionality in a new code base, are clear. It would avoid the confusion which can come from having two drivers for the same hardware in the tree, and it would minimize the risk of losing important fixes which have been applied to the in-tree code. This is, also, the way that kernel developers are normally expected to do their work. On the other hand, video developer Hans Verkuil reviewed the new driver and concluded:

In my opinion it's pretty much hopeless trying to convert the current em28xx driver into what you have. It's a huge amount of work that no one wants to do and (in this case) with very little benefit.

This review notwithstanding, Mauro has indicated that he is not interested in accepting this patch. But rejecting Markus's new driver out of hand might just be a mistake. There seems to be little doubt that it has developed well beyond the in-tree driver; it supports a wider range of devices. Failure to merge it risks losing the work that has been done, and, perhaps, losing the future work of a developer who, for all his faults, is clearly trying to provide a better experience for Video4Linux users.

Having multiple drivers for the same hardware in the kernel is not an ideal situation, but it is also not without precedent. The IDE and parallel ATA subsystems provide redundant support for a wide range of hardware. The e1000 and e1000e drivers had overlapping coverage for some time. In such cases, the long-term goal is usually to work toward the removal of one of the drivers.

So one could make the case for merging the new driver and, eventually, removing the older one. In the process, the new driver could receive some much-needed attention from other developers. It has coding style and copyright attribution problems; a quick review has also left your editor wondering about locking issues. But such problems are common to drivers which have spent a lot of time out of tree; they are simply something to fix. Meanwhile, this driver contains the result of years of work and access to the relevant data sheets; freezing it out may not be in the best interests of kernel developers or users.

Comments (22 posted)

Page editor: Jonathan Corbet


News and Editorials

Reinventing the Fedora desktop

By Rebecca Sobol
November 12, 2008
Now that Fedora 10 is nearing completion, it is time to start looking forward to the shape of Fedora 11. Matthias Clasen started a discussion with a post to the Fedora-desktop list, including a pointer to the whiteboard where people can fill in their ideas. The page contains some ideas guaranteed to warm an editor's heart and a few which inspire rather less enthusiasm.

So what are the Fedora desktop people pondering? Some of the ideas include:

  • Removing icons from the desktop menus. The reasoning behind this change would appear to be "Windows and OS X do it that way."

  • Fixing up power management. Among other things, those posting to the wiki note "When the user changes the brightness, he doesn't appreciate if the computer turns it right back down again"; better late than never. Better power management also involves turning off blinking cursors, which would also be a welcome change.

  • "Better fonts" is on the list; that seems to translate to better and easier ways for users to install new fonts. There is some wondering about whether the current packaging system is really the best way to deal with fonts.

  • The volume control has been singled out for special attention. One of its claimed problems is the vast number of sliders which can appear for a complex audio device; it is true that it can become overwhelming. But playing "find the hidden slider" when some audio source is inaudible is not a better state of affairs. There is also a worrisome note to the effect that Windows has a better volume control because it is not removable. So, in the future, we may have a volume control whether we want it or not.

  • Replacing the panel altogether, along the lines of the ideas bashed out at the recent GNOME hackfest, is under consideration. This would, of course, be a major change to the desktop which would not be welcomed by all users.

  • Somebody has noticed that the flurry of "notification" windows can get a little irritating. So different approaches to notifications are being considered.

  • A new approach to system settings is also under consideration. The idea would be to get away from the "preferences" and "administration" menus in favor of a single window with a search feature.

  • There is talk of better location awareness, but it appears to be limited to mundane tasks like setting the time zone automatically. It seems like it should be possible to set more ambitious goals in this area.

  • The Fedora developers note that Ubuntu beat them to shipping a working "guest user" implementation. Surely they will now contribute to improving that implementation, rather than making their own...right?

  • Evidently users should not be asked to distinguish between hibernating the system (which saves memory to disk and powers off) and suspending (which keeps main memory powered up). To avoid this problem, Fedora might implement a "hybrid suspend" which saves to disk but still keeps RAM energized for a fast restart. There are a number of practical problems to solve in this area, not the least of which being that waiting for a full hibernate when you want to suspend the system quickly can be obnoxious.

  • Fast boot is, naturally, on the list.

There is a lot more on the list - far more than the Fedora developers can hope to implement (or even integrate) in the near future. But the process is a good one, and some of these ideas will certainly show up in future Fedora releases. With any luck at all, the Linux desktop will continue to improve for a long time.

Comments (14 posted)

New Releases

OpenSolaris 2008.11 RC1

The OpenSolaris project has announced an initial release candidate build for the OpenSolaris 2008.11 release. "IMPORTANT NOTE: The development builds have undergone limited testing and users should expect to uncover issues as the next release is developed. Bug reports and requests for enhancement are welcome..."

Comments (3 posted)

Distribution News

Debian GNU/Linux

Debian Pure Blends

The Debian Project has announced "Debian Pure Blends" - essentially a rebranding of the concept formerly known as "custom Debian distributions." "We realised that the old name Custom Debian Distributions just sent the wrong message to outsiders: The conclusion that CDDs are something else than Debian was too 'obvious' if people did not read the relevant documentation." It looks a lot like Fedora's "Spins," but without the worry about what deserves to be called a "Pure Blend" and what does not. More information can be found on the wiki and in this detailed paper.

Full Story (comments: 15)

Debconf 8 internationalization sessions report

The Debian internationalization team met in Merida, Extremadura, Spain. This report (click below) is a bit late in coming, but it does contain much information about what the team has been doing, with links to videos of the meetings, and notice that another meeting will take place later this month.

Full Story (comments: none)

Summary from the Debian-EDU irc meeting

Skolelinux/Debian-EDU developers met via IRC on November 5, 2008. Click below for a meeting summary covering the next (Lenny based) release.

Full Story (comments: none)


Nominations open for December Fedora Elections

The announcement says it all: "With one round of elections in the US out of the way, it's now time to turn our attention to more pressing matters - Fedora Election Season has begun." There are open seats on the project board and on a few steering committees. Some have complained in the past that these seats are dominated by Red Hat employees; now is the time to rectify that - if it is really a problem in need of fixing.

Full Story (comments: none)

Fedora Board IRC meeting 1800 UTC 2008-11-18

The Fedora Board will be meeting on IRC on Tuesday, November 18, 2008. This is a public meeting so feel free to join in, even if you are not a Fedora developer. Click below for more information.

Full Story (comments: none)

Fedora 10 upgrade FAQ

Fedora has issued a call for users and contributors to help with the Fedora 10 FAQ. If you have unanswered questions, feel free to ask. If you have answers not yet on the FAQ feel free to add them. Here is the Fedora 10 Earlybird FAQ.

Full Story (comments: none)

Fedora Classroom

A number of IRC sessions on various topics related to Free Software and Fedora were held via IRC at #fedora-classroom in The IRC logs have been published for those interested. There will be more Fedora-classroom sessions coming up next month.

Full Story (comments: none)

Fedora Release Engineering Meeting Recap

Click below for a brief recap of the Fedora Release Engineering Meeting, held November 3, 2008. Topics include Preview Release and the Fedora 11 Schedule.

Full Story (comments: none)

Fedora Board Recap

Click below for a brief recap of the November 4, 2008 meeting of the Fedora Advisory Board. Topics include Fedora Wide Elections, FUDCon F11 Update and Communicating Spins.

Full Story (comments: none)

SUSE Linux and openSUSE

openSUSE Board Meeting Minutes

The first meeting of the newly elected openSUSE board occurred on November 5, 2008. The outgoing board also attended to get the new board up to speed on the current issues. Click below for the minutes of that meeting.

Full Story (comments: none)

Ubuntu family

Edubuntu meeting minutes

The Edubuntu community had a development meeting recently. Click below for the minutes. Topics include Introduction of the Sugar environment, Should Edubuntu have a strategy document?, Naming/Branding ("Edubuntu", "Ubuntu in Education", "Ubuntu Education Edition"), Drop Alternate CD LTSP installation and instead use GUI from Ubuntu Desktop, and Should Edubuntu produce a demo LiveCD?.

Full Story (comments: none)

Distribution Newsletters

Arch Linux Newsletter

The November 2008 issue of the Arch Linux Newsletter is out. "Welcome to another issue of the Arch Linux Newsletter. What is going on in the Arch Linux Development world? We are working diligently to solve the problem with orphaned, unmaintained and bug-pending packages in the repositories, for better quality control. Inspired by Allan, Pierre has provided a new package in the extra repository called pkgstats, which allows all Archers to easily provide the development team with a list of packages you have installed. With the input you provide, we will now be able to prioritize our work, and focus on the packages Archers use most. Also, we can more easily see which AUR packages deserve to be in community and vice versa."

Comments (none posted)

Fedora Weekly News #151

This week's issue of the Fedora Weekly News is out. "This week's action-packed Virtualization section investigates how the "OpenNebula Libvirt Implementation" could allow access to EC2 using libvirt APIs; Announcements announces "Elections Are Coming"; Developments peeks at the addition of LiveConnect to IcedTea; Artwork relays well-earned "Praise for the Solar Theme". Translation covers l10n work being done and SecurityAdvisories lists essential updates. As always there is much more worth reading in this issue."

Full Story (comments: none)

OpenSUSE Weekly News/45

This issue of the OpenSUSE Weekly News looks at Lukas Ocilka: YaST-Mascot Contest-How to submit your ideas, openSUSE News: Fix for openSUSE 11.1 Beta 4, The openSUSE Board, Jan Weber: Announcing Easy-KIWI-GUI, Stephan Binner: openSUSE 11.1-Plasma-Desktop-Toolbox and several other topics.

Comments (none posted)

Ubuntu Weekly Newsletter #116

The Ubuntu Weekly Newsletter for October 8, 2008 covers: Mark Shuttleworth interview, Ubuntu Open Week, Jaunty: Open for development, New MOTU, What about my bug, Relaunch of German UWN translation, Ultamaix, LoCo Release Parties, Launchpad Developer Interview, Ubuntu Podcast #11, IBM Lotus Adds Ubuntu support to Symphony Apps, TimeVault simplifies data backup for Ubuntu users, and much more.

Full Story (comments: none)

Distribution meetings


There will be a FUDCon (Fedora User and Developer Conference) at this year's FOSS.IN. FOSS.IN will be held November 25 - 29, 2008 in Bangalore, India. FUDCon India 2008 will be a one day event on November 28th.

Comments (none posted)

Newsletters and articles of interest

Fedora 10 preview release shines like a star (Ars Technica)

Ars Technica takes a quick look at Fedora 10 Preview. "Fedora 10 offers some nice new features, including the new Plymouth graphical boot system, a new version of Network Manager with improved support for 3G connectivity, better printing support, and lots of virtualization improvements. It ships with version 2.6.27 of the Linux kernel, which brings significantly improved webcam device compatibility, and GNOME 2.24, the latest version of the popular desktop environment. The reliability of the audio stack gets a big boost in this release with the inclusion of glitch-free PulseAudio. Package management is also much better thanks to the inclusion of RPM 4.6 and better PackageKit integration."

Comments (none posted)

Releasing YaST separately?

Joe "Zonker" Brockmeier ponders on releasing YaST without openSUSE. "YaST is, for me, one of openSUSE's major strengths, and I think it'd be beneficial for other distros and projects to use and extend. Linux, after all these years, still lacks a good, comprehensive, and cross-distro system management tool that's suitable for use at the console or from the desktop. (YaST qualifies as good and comprehensive, in my book, but falls down on the "cross-distro" part.)"

Comments (5 posted)


People of openSUSE: Claes Backstrom

The People of openSUSE interviewed Claes Backstrom. "This week on "People of openSUSE" we have interviewed openSUSE Election Committee member, Senior Linux Trainer and VMware Trainer Claes Backstrom. Besides all these titles he has he still has time to package games on openSUSE Build Service, beta testing, and promoting openSUSE in his North European cold country, Sweden!"

Comments (none posted)

Page editor: Rebecca Sobol


The Gumstix Overo - a miniature X Window System platform

By Forrest Cook
November 12, 2008

Attendees at this year's Kernel Summit were treated to an early prototype version of the Gumstix Overo miniature Linux-powered CPU board on top of the Overo Buddy motherboard. The system packs all of the functions of a desktop computer onto a platform that is slightly larger than a credit card.

The specifications for the Overo processor board include:

  • A 600 MHz Texas Instruments OMAP 3503 processor.
  • 256 MB of DDR RAM.
  • 256 MB of NAND Flash RAM.
  • A microSD adapter slot with a 2.0 GB memory stick.
  • WiFi and Bluetooth ports.
  • A USB 2.0 port.
  • Stereo Audio input and output ports.
  • A port for driving a graphical LCD panel.
  • An assortment of Analog and Digital I/O ports.

The Overo Buddy motherboard adds even more functionality, including a digital video (DVI) controller and two more USB ports.

Upon receiving the Overo Buddy board, the only way to establish a connection was via an emulated serial connection over one of the USB ports using the provided USB cable, as explained here. This worked as advertised; it was possible to watch the system boot up and then log into a root shell. At this point, your author decided to try the installation of the latest software on the removable microSD memory. As directed by the instructions, the software image was downloaded and installed on the memory using another machine and the provided microSD adapter card. Again, this proceeded without any problems and the machine booted with the new image.

[Gumstix Overo] Running the full X environment required purchasing a USB hub, a USB keyboard and mouse, an assortment of USB cables and a Mini DVI to DVI adapter for the monitor connection. The Mini DVI adapter was a bit wide, and the strain relief around the Overo Buddy's power supply connector had to be clipped off to allow the two connectors to be plugged in at the same time.

Getting the USB cabling right was a bit of a challenge. On the first attempt, the DVI monitor showed an X login window, but the keyboard and mouse were not active. Digging through the documentation revealed the source of the problem. The OTG USB port needed a type A cable and your author was using a type B cable. The Wikipedia USB documentation was consulted, and your author used a special surface mount soldering iron to create a tiny solder jumper between pins 4 and 5 of the Overo Buddy's micro-USB jack, simulating the correct cable. Upon booting, the keyboard and mouse came to life.

When logging into the Overo's X Window System, one is presented with the simple but effective Enlightenment window manager. Applications include the typical collection of an X terminal, a file manager, a text editor (gpe_edit), the Midori web browser, a mail client, an instant messenger client, and a selection of four games. Also included are the AbiWord word processor, the Gnumeric spreadsheet and basic audio record and play utilities. A large collection of GUI-based admin tools and window system configuration tools are available. Both ssh and scp are also installed on the system, so secure network connections are possible. Unfortunately, both the audio recorder and player froze up during basic tests, and their windows did not go away until the system was rebooted; this appears to be some kind of audio hardware issue.

The next step to having a functioning system would be to have some kind of networking. The Overo processor has built-in 802.11 wireless networking and Bluetooth, but neither of those systems functioned. That is a known issue with some of the early-run prototype boards. One still has the option of adding USB WiFi and Ethernet boards to the Overo; several devices are supported natively. Once networking can be established, it should be possible to use the network-based applications, transfer user data, and add more application packages.

Having so much functionality in something as tiny as the Overo Buddy board seems like an amazing technological feat. Gumstix has truly achieved a new milestone in the miniaturization of Linux systems. Production versions of this system are scheduled for release in the fourth quarter of 2008.

Comments (21 posted)

System Applications

Clusters and Grids

oVirt 0.95 released

Version 0.95 of oVirt, an open virtual machine management system, has been announced; it adds new capabilities and bug fixes.

Full Story (comments: none)

Database Software

Firebird adds Sphinx support

The Firebird DBMS project has announced the addition of Sphinx support. "Sphinx is a very powerful and popular free open source full-text search engine. At the end of October 2008, Sphinx was released. During the summer, Vlad Khorsun and Pierre Yager made a patch for Sphinx, to have it support Firebird. Now, with the blessing of its author, Andrew Aksyonoff, they want to make their patch and Windows binaries publicly available for you to try out. Whilst it is still far from real "full text search" support in Firebird, Vlad and Pierre believe it is a first little step in that direction." A Linux patch is also available.

Comments (none posted)

FlameRobin: .9 released (SourceForge)

Version .9 of FlameRobin has been announced. "FlameRobin is a lightweight and cross-platform administration and management GUI for the Firebird DBMS. A new release is out. It brings new features like Firebird 2.1 support, tabbed browsing, etc."

Comments (none posted)

Hibernate Pojo Generator: v0.9.5 released (SourceForge)

Version 0.9.5 of Hibernate Pojo Generator has been announced. "Hibernate Pojo Generator generates all the Java code necessary to access a database via Hibernate Annotations (+ Spring) including JUnit tests (1 per table) that are able to run immediately without further customizations. New release: adds maven support, db version checking and more."

Comments (none posted)

PostgreSQL Weekly News

The November 9, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Embedded Systems

BusyBox 1.13.0 (unstable) and BusyBox 1.12.2 (stable) released

Unstable version 1.13.0 and stable version 1.12.2 of BusyBox, a collection of command line utilities for embedded systems, have been announced. The releases feature the new blkid and devmem applets, other improvements and bug fixes.

Comments (none posted)

Desktop Applications

Audio Applications

Amarok Insider Issue 13

Issue 13 of the Amarok Insider has been published. Topics include: "Release plans, Final look for 2.0, Context View, The Playlist, Brand new PopUp Dropper, Web services unmasked, A bit about Biased playlists, Scripting, Mac OS X and Windows installers, Features missing in 2.0, How to help and Cool tips: Two roks."

Comments (none posted)

Jokosher October Update

An October Update document for the Jokosher audio editor has been published. Topics include: "Jokosher 0.10 Released, PulseAudio and JACK support, Jokosher 0.10.1 Bug Fix Release and Multichannel Recording Works!"

Comments (none posted)

NASPRO 0.1.1 is out

Version 0.1.1 of NASPRO has been announced. "NASPRO, recursive acronym for "NASPRO Architecture for Sound PROcessing", is a free/open source, modular and cross-platform sound processing framework with a strong emphasis on interoperability. Its main aim is to provide users and developers a full-featured tool to do sound manipulation using heterogeneous technologies which are already available (such as LADSPA or LV2 plugins) and at the same time make it easy to develop new ones without breaking interoperability."

Full Story (comments: none)

SoX 14.2.0 released

Version 14.2.0 of SoX, an audio processing toolkit, has been announced. See the Change Log for release highlights.

Full Story (comments: none)

Desktop Environments

GNOME 2.25.1 released

Version 2.25.1 of GNOME has been announced. "And here's the beginning of a new cycle! 2.25.1 marks the first release towards our 2.26 release that will happen in March 2009. Until then, I'm sure we'll see some good changes going on -- like all the efforts about getting rid of libgnome or cleaning up various things."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at

Comments (none posted)

KDE Commit-Digest for 5th October 2008 (KDE.News)

The October 15, 2008 edition of the KDE Commit-Digest has been announced. The content summary says: "Support for image file previews in the "FolderView" Plasmoid, which are enabled by default. Kross support for making comic providers using scripting languages in the "Comic" Plasma applet. First fully-working version of the QEdje script engine for Plasma is moved into kdereview, then into kdebase. More progress in the "Weather" Plasmoid, more integration of D-Bus in PowerDevil..."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Desktop Publishing

LyX 1.6.0 is released

Version 1.6.0 of LyX, a GUI front-end for the TeX typesetter, has been announced. "LyX 1.6.0 is the culmination of 15 months of hard work and you can find an overview of the new features here:".

Full Story (comments: none)


Wine 1.1.8 announced

Version 1.1.8 of Wine has been announced. Changes include: "Substantial parts of inetcomm implemented (for Outlook), Still better crypt32 support, Memory management improvements, Theming support for buttons and Various bug fixes."

Comments (none posted)


MediaInfo: released (SourceForge)

Version of MediaInfo, a utility that supplies technical and tag information about video or audio files, has been announced. "In this release: Albanian, Chinese (Simplified), Chinese (Traditional), Turkish, Italian, German, Polish languages are updated, DTS High Resolution Audio, DTS Master Audio and DTS Express support, AES3 (PCM) support, interlacement in VC-1 in WMV files detection, E-AC-3 in MPEG-4 container support, and a lot of bugs correction".

Comments (none posted)

Music Applications

guitarix second release announced

The second release of guitarix has been announced. "guitarix is a simple Linux amplifier for jack(Jack Audio Connektion Kit) with one input and two outputs. Designed to get nice thrash/metal/rock guitar sounds. There are controls for bass, treble, gain, preamp, balance, distortion, freeverb, impulse response (), crybaby(wah) and echo . A fixed resonator will be used when distortion is disabled. For 'pressure' in the sound you can use the feedback and feedforward sliders."

Full Story (comments: none)

Tardigrade Inc. announces Tapeutape-0.1.0 and Tranches-0.1.0

Tardigrade Inc. has announced the release of Tapeutape-0.1.0 and Tranches-0.1.0. "I've just opened a new website to release the new versions of Tapeutape (virtual sampler) and Tranches (beat repeat/redirect/rearrange). These new versions include better gui, better lash support, and bug corrections (thanks Ken Restivo). New features will follow."

Full Story (comments: none)

Office Applications

PeaZip: 2.4 released today (SourceForge)

Version 2.4 of PeaZip, a file and archive manager, has been announced. "Release 2.4 continues the path of previous release in enhancing the usability of PeaZip, especially as general purpose file manager. New localizations and new icons are featured, drag and drop on Windows benefits of an information panel which follows the mouse, and clipboard was made more powerful and flexible, optionally allowing multiple cut/copy operations to be stored in the clipboard."

Comments (none posted)

Release 0.71.3 of Task Coach is available

Version 0.71.3 of Task Coach has been announced; some bugs have been fixed. "Task Coach is a simple task manager that allows for hierarchical tasks, i.e. tasks in tasks. Task Coach is open source (GPL) and is developed using Python and wxPython."

Full Story (comments: none)

Office Suites

KOffice Sprint 2008 (KDE.News)

KDE.News covers the KOffice Sprint, held in Berlin. "Talking to developers revealed the status of several of the applications. The many changes in the core of KOfficelibs but also further down the stack, like KDELibs and Qt 4 forced Kexi to rewrite large parts of the application. This means despite the fact the KDE 3 version was very mature and stable, Kexi won't be joining the 2.0 release. Nonetheless, the developers stress that version 1.6.x is still ahead of the competition, at least in the Free Software world."

Comments (none posted)


EMC: 2_2.2.7 Released (SourceForge)

Version 2_2.2.7 of EMC has been announced; this is a bug fix release. "EMC is software that implements real-time control of equipment such as machine tools, robots, and coordinate measuring machines. It runs in realtime under Linux with the RTlinux or RTAI patch. It provides a software PLC, and uses the HAL for flexibility."

Comments (none posted)

TakeNote 0.4.4 announced

Version 0.4.4 of TakeNote has been announced; it adds several new features. "TakeNote is ideal for storing your class notes, TODO lists, research notes, journal entries, paper outlines, etc in a simple notebook hierarchy with rich-text formatting, images, and more. Using full-text search, you can retrieve any note for later reference."

Full Story (comments: none)

Languages and Tools


LLVM 2.4 released

Version 2.4 of the LLVM compiler is out. "LLVM 2.4 includes many bug fixes, much faster compile times at -O0, substantially better code generation in various cases, a new PIC16 target, new IR features, and numerous other improvements and features." Lots of details can be found in the release notes.

Full Story (comments: none)


Caml Weekly News

The November 11, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)


Perl 5.8.9 RC1 released (use Perl)

Version 5.8.9 RC1 of Perl has been announced. "This is a maintenance release for perl 5.8.x, providing bug fixes and integrating module updates from CPAN."

Comments (none posted)

This Week on perl5-porters (use Perl)

The October 20-26, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.

Comments (none posted)


TCPDF: 4.2.006 was released. (SourceForge)

Version 4.2.006 of TCPDF has been announced. "This version fixes a bug on HTML justification. TCPDF is a Free Libre Open Source PHP class for generating PDF documents without requiring external extensions. TCPDF Supports UTF-8, Unicode, RTL languages and (x)HTML. TCPDF project was started in 2002 and now it is freely used all over the world by millions of people."

Comments (none posted)


Python 3.0rc2 announced

Version 3.0rc2 of Python has been announced. "On behalf of the Python development team and the Python community, I am happy to announce the second release candidate for Python 3.0. This is a release candidate, so while it is not suitable for production environments, we strongly encourage you to download and test this release on your software. We expect only critical bugs to be fixed between now and the final release, currently planned for 03-Dec-2008."

Full Story (comments: none)

RPyC 3.00-final released

Version 3.00-final of RPyC has been announced. "RPyC (Remote Python Call) is a transparent and symmetrical python library for remote procedure calls, clustering and distributed-computing. RPyC makes use of object-proxying, a technique that employs python's dynamic nature, to overcome the physical boundaries between processes and computers, so that remote objects can be manipulated as if they were local."

Full Story (comments: none)


Tcl-URL! - weekly Tcl news and links

The November 11, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)


XPL Editor: Multimodal features (SourceForge)

Version 0.1 of The XPL editor has been announced. "The XPL editor is an RCP Eclipse application based on the eXtensible Presentation Language, an xml-based presentation language built on top of Visual Design Patterns. For more information about XPL, visit The XPL Editor 0.1 has been released, improving the multimodal features and the XSL Transformation of XPL Pages for the eXtensible Dynamic Presentation Manager (XDPM), a framework for the multimodal and multichannel presentation, published on Sourceforge."

Comments (none posted)


dlib C++ Library: 17.12 Released (SourceForge)

Version 17.12 of dlib has been announced; it adds bug fixes and usability improvements. "The dlib C++ library is a modern general purpose C++ toolkit with a focus on portability and program correctness. It comes with extensive documentation and thorough debugging modes. The library provides a platform abstraction layer for common tasks such as interfacing with network services, handling threads, and creating graphical user interfaces. Additionally, the library implements many useful algorithms such as data compression routines, linked lists, binary search trees, linear algebra and matrix utilities, machine learning algorithms, XML and general text parsing, and many other general utilities."

Comments (none posted)

Version Control

Announcing bzr 1.9

Version 1.9 of bzr, a distributed version control system, has been announced. "This release of Bazaar adds a new repository format, ``1.9``, with smaller and more efficient index files. This format can be specified when creating a new repository, or used to losslessly upgrade an existing repository. bzr 1.9 also speeds most operations over the smart server protocol, makes annotate faster, and uses less memory when making checkouts or pulling large amounts of data."

Full Story (comments: none)

GIT released

Version of GIT, a distributed version control system, has been announced; it includes a long list of bug fixes and documentation updates.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

The Durable Internet: Preserving Network Neutrality without Regulation

Timothy Lee has posted a lengthy paper on the network neutrality debate. One can guess its conclusions simply by noting that it is hosted at the Cato Institute, but those conclusions are backed up by substantial research and reasoning. "Yet many deregulationists underestimate the importance of the Internet's end-to-end architecture and are too cavalier about abandoning the neutral network for a tiered, filtered, more centrally managed one. The decentralization made possible by the Internet's open architecture is the key to its astonishing growth, and there is little reason to think that it would be improvement for the Internet's decentralized 'dumb' architecture to be replaced by a more centralized 'smart' one." Worth a read for those who are interested in this subject.

Comments (16 posted)


Creative releases Linux GPL X-Fi drivers (Fudzilla)

Lars-Göran Nilsson reports that Creative has released Linux drivers with source code under the GPLv2 for its X-Fi and X-Fi Titanium series of sound cards for both 32 and 64-bit operating systems. "We'd expect a wide range of people jumping at the opportunity to be able to develop their own Linux drivers for the X-Fi cards and implement the missing features and add some of their own. We can't wait to see what happens, but it might be some time before we see full feature support, but it's great to see that Creative has finally come to its senses."

Comments (19 posted)

Linux Adoption

European Commission publishes guidelines on the procurement of FOSS (fossbazaar)

Martin Michlmayr covers recently published guidelines on the procurement of open source software from the European Commission. "The Open Source Repository and Observatory (OSOR), a new site sponsored by the European Commission to foster the exchange of FOSS related information and software among European public administrations, recently published guidelines on the procurement of open source software. Public administrations in Europe have to follow public tender procedures and the new guidelines give practical and legal advice on how open source software and related services can be incorporated into the procurement process."

Comments (none posted)


Bilski: What It Means, Part 2 -- Listening to the Dissenting Opinions (Groklaw)

Groklaw continues looking into the Bilski decision. "So let's look now at the dissenting opinions, as text, so you can give consideration to the point of view of those who sincerely believe that patents should cover more than they now can. You'll note that the State Street decision was in 1998. Some of these justices were sitting on the court at that time. The decision in State Street was decided by three judges, Giles Sutherland Rich, who passed away in 1999, and justices Plage and Bryson, still serving. Judge Rich wrote the decision in State Street, when he was 94 years old. Most of the 16 judges that decided Bilski were serving in 1998, only four of them having been appointed later than that. You'll see Justice Newman referenced in one of the footnotes of that State Street decision, footnote 10. So she is no newbie to patent law."

Comments (none posted)

Bilski - What It Means, Part 3 - The Mayer Dissent and Some Intangibility Questions (Groklaw)

Groklaw continues an analysis of the Bilski case, which is about the patentability of business methods. "I know. It takes us into OMG territory. It's what Bilski was trying to address. The AT&T decision built on and depended on State Street, and Judge Mayer is saying that State Street came out of the blue, contradicting prior common law and the patent statutes, and it really needs to be clearly killed off and buried, along with any of its children, because it was a mistake, one that launched what he calls "a legal tsunami" of regrettable patents on what ought to be the unpatentable."

Comments (none posted)


Booting Debian in 14 seconds (Debian-administration) has made an attempt to reproduce the five-second Linux boot experiment using Debian. "Inspired by this work, and because I have the same laptop, I decided to try to reproduce their results. So far I have not come very close to their 5 seconds, but I have made some significant improvements compared to the default boot time for Debian on that machine; this article describes what I've done."

Comments (23 posted)


Test Center review: Specialty Linuxes to the rescue (InfoWorld)

InfoWorld reviews several small Linux distributions. "SliTaz Linux is a unique Linux breed created from scratch by Christophe Lincoln. Heavy application of gzip and lzma compression, plus removal of everything but 'the minimum necessary to make it work' (in the estimation of SliTaz's creator) have reduced its boot image to a remarkable 30MB."

Is Smolt the Key to Counting Linux Users? (InternetNews)

InternetNews takes a look at Smolt, a hardware profiling tool developed by Fedora. "Linux users are not an easy bunch to profile or to count. Many Linux users download the operating system for free and never perform any kind of systems registration to enumerate their hardware. That's where Smolt may be able to help fill the gap. Smolt is an open source hardware profiling technology that is already being used by Red Hat's Fedora and is set for inclusion in the upcoming Novell OpenSUSE 11.1 release."

Page editor: Forrest Cook


Commercial announcements

Appro deploys supercomputing clusters to US national labs

Appro has announced the deployment of three supercomputing clusters. "Appro, a leading provider of supercomputing solutions, today announces the final deployment of Appro Supercomputing Clusters to Advanced Simulation and Computing (ASC) that integrates the work of the three National Nuclear Security Administration (NNSA) Defense Programs laboratories: Lawrence Livermore National Laboratory, Los Alamos National Laboratory and Sandia National Laboratories. This procurement was awarded to Appro last year for the TLCC07 program."

Discretix to provide media content protection for ACCESS

Discretix has announced the availability of Discretix CPRM (Content Protection for Recordable Media) for the ACCESS mobile Linux platform. "Discretix CPRM (Content Protection for Recordable Media) secures the distribution and use of music, video and other premium content on SD cards and mobile handsets. As a software-based security solution, CPRM Client eliminates the need for a dedicated hardware CPRM chip, reducing Bill of Materials cost and greatly improving flexibility for mobile device OEMs. Fully compliant with 4C-Entity standards, CPRM Client protects music, movies, photos and other multimedia content subject to commercial digital rights while in use or in storage."

Fixstars Acquires Terra Soft Solutions

Terra Soft Solutions, home of Yellow Dog Linux, has been acquired by Fixstars Corporation. "The new subsidiary "Fixstars Solutions, Inc.", of San Jose, California, maintains the entire Terra Soft staff, product line, and regional offices in Loveland, Colorado." Former Terra Soft CEO Kai Staats is now COO of Fixstars Solutions.

Movial releases open source code to mobile Linux community

Movial has announced the release of Movial Browser D-Bus Bridge. "Movial, the company that inspires rich, intuitive Internet experiences, today announced it has released its innovative Browser D-Bus Bridge open source code into the Mobile Linux community. Movial Browser D-Bus Bridge removes the complexity of Linux User Interface (UI) development and empowers Web developers and designers, operators and device manufacturers for the first time ever, to easily create extremely capable UIs for open handsets. This technology helps transform Web widgets into seamless user driven mobile applications providing new, value-added and differentiated services and superior user experiences."

Novell's transition program

Novell has announced a transition program to help companies move to SUSE Linux. "The new program is in response to growing customer demand for help as they make the strategic decision to transition their data center Linux infrastructure from existing third-party distributions, such as Red Hat Enterprise Linux and CentOS, to SUSE Linux Enterprise Server." Once upon a time, distributors competed mostly against Unix and Windows; now they are starting to compete more strongly against each other.

Wing IDE 3.1.5 released

Version 3.1.5 of Wing IDE, a cross-platform commercial Python IDE, has been announced. "Wingware has released version 3.1.5 of Wing IDE, a bugfix release for all three product levels of Wing IDE."

Yoggie Opens up its Miniature Hardware Firewall

Yoggie Security Systems has launched its Open Firewall Pico and Open Firewall SOHO, the first open hardware firewalls based on its Gatekeeper technology. "The Open Firewall products are extremely powerful Linux-based miniature computers with 520 MHz ARM CPU, 128 RAM and 128 Flash memory. These unique products will enable developers, security professionals and hobbyists to experiment with Yoggie's own open source hardware firewall for the first time."

New Books

Desktop GIS--New from Pragmatic Bookshelf

Pragmatic Bookshelf has published the book Desktop GIS by Gary E. Sherman.

Contests and Awards

Cisco announces AXP Developer Contest

Cisco has announced a development contest for their Application Extension Platform. "Cisco is inviting application developers who "think outside the box", to innovate and promote the concept of the network as a platform. This is your opportunity to build exciting Linux based applications on the Cisco Application Extension Platform (AXP), and win a share of the total prize pool valued at US $100,000."

TPF awards Hague Grants

The Perl Foundation has awarded Hague Grants to Jerry Gay, a core Parrot and 'Rakudo' Perl 6 implementation hacker, and Patrick Michaud, head of the 'Rakudo' Perl 6 implementation on the Parrot VM.

Education and Certification

New Java Programming Certificate Series announced by O'Reilly

The O'Reilly School of Technology is holding a Java Programming Certificate Series. "The O'Reilly School of Technology (OST) has announced the addition of a new Java Programming Certificate Series to its current list of offerings. Designed to introduce beginning and entry-level programming students to Java and object-oriented concepts, the program helps students progressively attain the advanced skills they need to compete in today's career market. With satisfactory completion of the series, students earn a Certificate for Professional Development from the University of Illinois Office of Continuing Education."

Meeting Minutes

Perl 6 Design Minutes (use Perl)

The minutes from the October 29, 2008 Perl 6 Design Meeting have been published. "The Perl 6 design team met by phone on 29 October 2008. Larry, Allison, Patrick, Jerry, Will, Jesse, Nicholas, and chromatic attended."

Calls for Presentations

DOCHS Extends Call For Papers (LinuxMedNews)

LinuxMedNews has announced that DOHCS has extended its call for papers. "DOHCS, the 2009 Demonstrating Open Source Health Care Solutions conference, has extended their call for presentations until November 15th. The 3rd Annual DOHCS conference will be held on February 20, 2009 at the LAX Westin Hotel in Los Angeles, CA."

FOSDEM 2009: Call for participation

A call for participation has gone out for FOSDEM 2009. "FOSDEM is probably the most developer-oriented Free and Opensource conference, taking place in Brussels, Belgium on Saturday 7 and Sunday 8 February 2009. Apart from having many invited speakers, the conference offers developer rooms, stands and lightning talks to projects from the Free and Opensource community." The submission deadline is December 26.

SCALE Calls For Speakers

A call for speakers has gone out for SCALE, the 7th Annual So Cal Linux Expo. The event takes place on February 20-22, 2009 in Los Angeles, CA; the submission deadline is November 30.

UKUUG Spring 2009 - Call For Papers

A call for papers has gone out for the UKUUG Spring Conference. "UKUUG's annual Large Installation Systems Administration (LISA) conference will take place in London from 24-26 March 2009. The conference will be preceded by a Kerberos tutorial. We are currently accepting talks; so if you are a systems administrator, we want to hear from you." Submissions are due by November 26.

Upcoming Events

ERP5 World Forum, Paris

The first ERP5 World Forum will be held on December 1, 2008 in Paris, France as part of a larger international Open World Forum. "Nexedi wants to invite all ERP5 users, developers and academic researchers to participate in ERP5 World Forum organized as part of Open World Forum in Paris on December 1, 2008. This will be a collaborative innovation event that will focus on ERP5 and ERP5 Express communities meeting to discuss and define the road map of ERP5 based on recent advances and latest trends in disciplines of management."

O'Reilly Reveals ETech 2009 program

O'Reilly has announced the program for ETech 2009. "Registration has opened for ETech, the O'Reilly Emerging Technology Conference, scheduled for March 9-12 at the Fairmont Hotel in San Jose, California. Conference chair Brady Forrest has unveiled the program, which explores the technology of abundance and constraints to discover ideas that matter."

The Linux Audio Conference 2009

The 2009 Linux Audio Conference will take place at La Casa della Musica in Parma, Italy on April 16-19, 2009. "The LAC will go outside Germany for the first time, but we will keep close to the familiar four-day format with paper presentations, workshops, electro-acoustic music concerts, and the Linux Sound Night."

Pure Data and sound design workshop - Poitiers, France

The Pure Data and sound design workshop will take place in Poitiers, France on November 25-27, 2008. "Part of the 2008 edition of the make art festival, this 3-days workshop taught by Andy Farnell (GB) and assisted by Stéphane Léveillé (FR) is focused on sound design and Pure Data software. It aims to familiarize with the basics of sound, audio synthesis and effects using Pd. While learning how to build their own sounds and musical tools, the participants will end up playing all together over the local network."

Events: November 20, 2008 to January 19, 2009

The following event listing is taken from the Calendar.

November 16 to November 20: Middle East IT Security Conference, Dubai, UAE
November 19 to November 20: Linux Foundation Japan Symposium, Tokyo, Japan
November 20 to November 21: FreedomHEC Taipei 2008, Taipei, Taiwan
November 22: The phpnw08 conference, Manchester, UK
November 22: PGDay Rio de la Plata, Buenos Aires, Argentina
November 22: Mandriva 2009 Installfest, Everywhere, World
November 25 to November 29: FOSS.IN 2008, Bangalore, India
November 25 to November 30: make art 2008, Poitiers, France
November 28: Informazione geografica aperta e libera, Pontedera (PI), Italy
November 28 to November 29: WhyFLOSS La Plata - Argentina, La Plata, Argentina
November 29: LinuxDay in Vorarlberg (Deutschland, Schweiz, Liechtenstein und Österreich), Dornbirn, Austria
December 1: First Nuxeo Developer Day, Paris, France
December 1 to December 2: Open World Forum, Paris, France
December 2 to December 5: Open Source Developers' Conference 2008, Sydney, NSW, Australia
December 4 to December 7: PIKSEL08 - code dreams, Bergen, Norway
December 5 to December 6: FOSSCamp, Mountain View, CA, USA
December 5 to December 13: International Joint Conferences on Computer, Information, and Systems Sciences, and Engineering, Online
December 7 to December 12: Computer Measurement Group Conference 2008, Las Vegas, NV, USA
December 8 to December 12: Ubuntu Developer Summit, Mountain View, CA, USA
December 8: Forum PHP Paris 2008, Paris, France
December 10 to December 11: First Workshop on I/O Virtualization, San Diego, CA, USA
December 13: NLLGG meeting/BSD Community Day, Utrecht, The Netherlands
December 27 to December 30: Chaos Communication Congress, Berlin, Germany
January 8 to January 11: Consumer Electronics Show, Las Vegas, NV, USA
January 9 to January 11: Fedora User and Developer Conference, Boston, USA
January 15 to January 16: Foundations of Open Media Software 2009, Hobart, Tasmania, Australia
January 17 to January 23: Camp KDE 2009, Negril, Jamaica

If your event does not appear here, please tell us about it.

Web sites

OpenLogic debuts OLEX Wazi web site

OpenLogic has announced the launch of their OLEX Wazi site. "'OLEX Wazi is a clearinghouse for the timeliest commentary on open source,' said Kim Weins, senior vice president of marketing at OpenLogic. 'It features innovative content from the best thinkers in open source today. We're looking for ongoing contributions from a range of experts and will collaborate with the best technical, legal and business minds in the field.'"

Page editor: Forrest Cook

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds