A recent video review of Fedora 10 was seen by the project as being something other than entirely favorable. But the biggest complaint expressed by the project is on a different subject: credit for work which is done by Fedora developers. Quoting Fedora leader Paul Frields:
Subsequent discussion indicates that a number of Fedora developers feel that other distributions - Ubuntu in particular - are stealing Fedora's thunder by shipping Fedora-developed improvements first. This is not the first time this kind of concern has been raised; it has been asserted that Novell's behind-closed-doors XGL work was done that way to keep Ubuntu from shipping it first. Fedora does not appear to be considering pulling its development from public view - that would run counter to the project's open nature - but some other responses are being discussed.
More than anything else, the Fedora project would like to ensure that the world knows about the work its developers are doing. Initiatives like the feature list for each release help to get information out ahead of the actual software release. There is also talk of more aggressive blogging, outreach to news sites, etc. The project has even posted a proposed marketing schedule which would help to ensure that all the right marketing activities are happening at the right points in the release cycle.
Former Fedora leader Max Spevack had a different suggestion to offer:
This proposal brings to mind a vision of distributors racing to be the first to release, leading to ever-shorter cycles and a corresponding decrease in release quality. It is hard to imagine that the first mover has such an overwhelming marketing advantage; there must be a better way.
It does not look like Fedora will attempt a "first post" counterattack anytime soon. In fact, if the recently-posted Fedora 11 release schedule proposal is adopted, the exact opposite will happen. In the past, Fedora has responded to a much-delayed release by shortening the following release cycle in an attempt to get back on schedule. For Fedora 11, it would appear that this will not happen; there will be no attempt to go for a "May Day" release.
The reasoning against shortening the Fedora 11 cycle comes down to this:
So a shortened Fedora 11 cycle would make it harder to get all of the changes planned for RHEL6 in. That's problematic for Red Hat, and, since Red Hat pays for much of Fedora's existence, Red Hat's problems become Fedora's problems. Beyond that, though, it seems that a number of core Red Hat engineers will be working on Fedora during the next cycle to help get RHEL6-targeted features into shape. If the next cycle is shorter, Fedora will get less attention from those developers. Fedora would like to avoid that situation and take advantage of the RHEL team's attention while it can.
So the proposal is to retain the six-month cycle for Fedora 11 and release around the beginning of June. The Fedora 12 cycle, though, would be shortened to get the project back to the original schedule. The hope is that the advance notice will make it easier to plan for a short release cycle; Jesse Keating also suggests that the project "could even focus more on polish issues in F12 than large sweeping features." The more cynically-minded among us might conclude that Fedora 11 will be stuffed full of bleeding-edge new stuff that the RHEL team wants to evaluate, and Fedora 12 will be the release where all of that work is actually stabilized. But your editor would never want to be cynical.
The initial response to the proposed schedule is almost entirely positive, so it seems likely that things will go that way. Some Fedora developers may feel that releasing behind Ubuntu gives the project a public relations disadvantage, but other concerns are seen as being more important. Since those "other concerns" can be seen as "take the time to focus a lot of work on pulling together new features for an upcoming stable release," this set of priorities seems hard to argue with.
On successive days, Harald Welte and David Woodhouse gave different views of the relationship between embedded companies and the free software communities whose code the companies are increasingly using. Their outlooks were not contradictory, but instead complementary; each came at the topic from a different direction. Welte looked mostly at what companies, particularly chip vendors, could do better, while Woodhouse looked at what the community could do to improve.
Welte and Woodhouse spoke at the co-located NLUUG autumn Mobility conference and Embedded Linux Conference Europe in Ede, the Netherlands, November 6 and 7. The Congrescentrum De Reehorst facility was excellent, well-suited to an event of this type, which is not surprising as NLUUG has been holding two events there each year for the last ten years or so. In addition, the conference was well-organized and run, clearly displaying the experience that comes from the 26 years that NLUUG has been in existence.
[ The following covers Welte's presentation; Woodhouse's talk will be covered in a subsequent article. ]
Welte kicked things off on Thursday with a talk entitled "How chipmakers should (not) support free software". As the conference got a bit of a late start and was already 15 minutes behind at that point, Welte said that he would make the time up because "everyone can understand gzip compressed speech". More seriously, he outlined his experience as a member of the Linux community, embedded developer, chip manufacturer from his recent work with Via, as well as a customer of consumer-grade embedded devices for gpl-violations.org; all of which result in multiple relevant points of view.
Linux is being found in more and more devices today—some less than obvious. Welte listed fairly well-known things like mobile phones and in-flight entertainment systems, but then noted that there are DSL Access Multiplexers (DSLAMs), payphones, ATMs, as well as vending and exercise machines that also run Linux.
Vendors of those devices are using free and open source software (FOSS) because of its strengths, which he outlined. There is a great deal of innovative and creative development done in FOSS because the barriers to entry are fairly low: the codebase is easy to read—at least in comparison to closed source—and there are standard development tools that are freely available. Because development is done in the open, developers will be embarrassed if their software architecture or code is bad. This also results in better security because of the code review that takes place.
The outcome of using FOSS this way is that "we should have a perfect world" with tons of embedded products, all secure and maintainable, that allow for additional or alternate functionality via third parties. The first of those, many embedded products, has been achieved, but we are still waiting for the other two, Welte said.
He contrasted a user's experience with Linux on PCs today with the experience provided by most embedded devices. For PCs, you can download the kernel, build it and it will run, with most hardware supported. You can choose from multiple distributions, any of which will have a kernel close to that of a mainline kernel and provide regular security updates. These are "things we are used to for many years", but things are not that way in the embedded space.
In the embedded world, every CPU or system-on-a-chip (SoC) has its own kernel tree, typically based on some ancient version of the kernel, that never gets cleaned up or submitted for mainline inclusion. So, they get no benefit from new features or security fixes in the kernel. There are no distributions to choose from, either for users or board makers and, even if updates are generated, there is generally no packaging system to use to update the code; re-flashing the entire device is required.
In Welte's words, "this sucks!" The embedded vendors get unstable and unmaintainable software with "security nightmares" and no innovation from elsewhere. The vendors have kernels that have diverged so far from the mainline that new features or fixes can't be backported, nor can their kernels get merged upstream. This is because the vendors tend to be very short-sighted, only focusing on getting one particular device out the door.
From Welte's perspective, embedded vendors do not understand the real potential of FOSS. They do not think in terms of creating platforms that others can build atop. In general, "they would rather sell a new [device] rather than improve the existing one". So, the vendors compete on the basis of the features their proprietary competitors implement rather than figuring out how to take advantage of the true strengths of FOSS. If, instead, they used FOSS to its fullest, they could outcompete the proprietary vendors in ways that could not be matched—except by using FOSS.
Turning to the chip vendors, Welte points out that there are two types of customers: Linux-aware and Linux-unaware. The Linux-aware customers—whose numbers are growing—will seek out vendors whose Linux support is better. It is already relatively late in the game: "if you don't have proper FOSS support, you will lose the 'openness competition'".
Chip manufacturers should be engaging in "sustainable development" by releasing kernels developed against the mainline in cooperation with the community. One large mistake these vendors make is to think their customers are only the tier-one companies that buy chips directly. There are many more downstream users of a chip once it has been integrated into other hardware; the buyers of those devices are also important as they will determine the success or failure of the product.
Unsurprisingly, Welte recommends that the development be done in the open, with a public development tree. Releases should not just be stable snapshots or big code drops; "post early, post often" should be the governing principle. FOSS is not just a technology, as chip vendors tend to think, it is a research and development philosophy that needs to be integrated into both the internal and external processes of the chip vendor.
On the external side, making documentation available, without a non-disclosure agreement (NDA)—or at worst a FOSS-friendly NDA—is essential. Internally, there is normally quite a bit of learning required to understand the FOSS philosophy. This will require training for engineers as well as product management folks. Having a clear FOSS support strategy, with clear goals, is important for making it work.
Product management needs to understand that supporting Linux is mostly a process of understanding the development model. The Linux APIs are not a particularly big hurdle, but understanding the community and how to work within it can be. Supporting Linux should mean supporting the mainline, not just N distributions, as N will grow over time, which leads to more problems. It is important to recognize that Linux-aware customers care as much about the quality of the code as they do about price and performance.
Engineering management needs to encourage engineers to communicate with the community, which requires real internet access. When faced with adding functionality to some FOSS code, they should be looking at ways to cooperate with others who have similar needs, rather than reinventing the wheel. Engineers need to figure out how and where to ask the right kinds of questions. They also need to learn that code is written to be read, not just executed; "this is something new to many people".
The community also has responsibilities to help the chip makers by providing "non-partisan" documentation because these manufacturers often have "no clue where to start or who to talk to" when they start considering supporting Linux. Commercial embedded distributors have a different perspective from the community so documentation from the community viewpoint is required. Welte says that various Linux Foundation sponsored efforts are helping in this area, but more needs to be done. A mentoring program of some sort might help by having FOSS developers willing to work with engineers to walk them through the process of getting their code upstream. The community must also work to keep from scaring chip vendor engineers away by being overly rude or terse; it is important that valid criticism be fully explained.
Welte sees a number of current or looming problems for chip vendors in supporting Linux, mostly involving patents or technology licensing issues. Various licensing regimes (like those for MPEG or Sony's memory stick) impose requirements that essentially preclude the development of free software drivers to talk to devices that implement those technologies. Everyone in the industry has these problems, though, so Welte suggests that they band together to present a case to the license holders; with enough smaller players working together, their voice can be heard.
On the whole, Welte is somewhat pessimistic about where embedded devices are headed. He certainly sees more FOSS being used in devices in the future, but expects to see them still be restricted so that they cannot leverage the full potential of FOSS. He does see "some very dim light at the end of a very far tunnel" with projects like Openmoko, as well as efforts by some chip vendors, notably Intel, to fully support Linux.
It was not that many years ago when the desktop Linux situation looked as bleak as the embedded space does today, so there is hope. Presentations like Welte's can only help to bring that about. The audience contained many embedded developers; hopefully they can help their companies' management see the benefits that Welte outlines so that his perfect world comes about sooner, but if the desktop is any guide, it will come about eventually.
As one of two embedded maintainers for the Linux kernel, David Woodhouse is in an excellent position to see where the community is failing to keep up its end of the bargain. At the recent co-located NLUUG and Embedded Linux conferences, his keynote on the second day made it very clear what areas he sees that need improvement. We fairly regularly hear about things that companies should be doing—see the report on Harald Welte's first day keynote—but the community should certainly keep an eye on its behavior as well. In his presentation, Woodhouse notes multiple projects that are not upstreaming their changes; he also notes things that individuals could do to make Linux better.
He started by pointing out that "it's not entirely clear what 'embedded' means", as there are many kinds of devices that have embedded attributes. Things like headless, handheld, low power, small size, limited RAM, or limited persistent storage tend to be a part of the description of embedded devices, but there is "no real definition that I'm aware of that makes any sense".
Woodhouse then went on to see if he could define what an "embedded maintainer" is and does. He doesn't see the role as chasing patches to get them included upstream; it is more of an advocate role. Keeping an eye out for stupidity in the kernel using Bloatwatch and other tools, as well as encouraging people—in various companies as well as in different parts of the community—to work together on solutions to problems they have in common, are all part of the job.
From Woodhouse's perspective, companies are "getting a lot better" in terms of their Linux support. Less promising is the community: "We suck, really". He looked at a number of community embedded projects—like OpenWrt, Maemo, Moblin, and OLPC—to see how well they work with upstream; what he found was rather discouraging.
By looking at several concrete criteria, such as how many unsubmitted local kernel patches there were, how accessible their source is, and how old the kernel is that the project is using, Woodhouse is judging those projects the same way that companies are measured. Of the four projects that he looked at, only one, OLPC, was "mostly OK", the rest varied from "less good" to "FAIL".
Moblin, for example, only had 23 outstanding patches, but those were against kernel 2.6.24. OpenWrt had a better kernel version, 2.6.27, but had 160 outstanding patches, plus an extra 425 files weighing in at 125,000 lines of code, which prompted a "sorry!" from an OpenWrt developer in the audience. OLPC has just a few outstanding patches against 220.127.116.11, while Woodhouse couldn't even find the kernel source for Maemo.
Getting work upstream is extremely important. Running older kernels and backporting fixes and features may seem like it saves time, but "it never works in the long run, it's a false economy". Woodhouse listed the usual suspects as reasons to get things upstream: code review, compile testing, updates for kernel API changes, and automated bug checking. He also mentioned the Kernel Janitors, whose efforts are generally useful, even though they are "often a little misguided, sometimes they don't engage their brain before sending patches". All of these benefits only come from getting code into the mainline.
The theme of the talk is summed up in one statement: "Divergence is pain". Any time that your code is not current with the most recent kernels or your patches are not making their way upstream, it should be felt as pain because diverging from upstream will end up causing exactly that. The pain may not be felt until later, but Woodhouse wants developers to recognize the problems caused by divergence so that they are averse to it right from the start.
Looking at the reasons why code is hoarded is instructive, he says. One of the reasons that is often heard, as well as Woodhouse's opinion, is summed up in a bullet point on one of his slides: "too hard to get code accepted". Another reason is that there is not enough time in the schedule for getting code merged. Many "see it as an extra part of the process after the driver is complete", which is the wrong way to look at it. Drivers and other features should be shared early on the appropriate mailing list so that any problems are dealt with near the beginning of development.
An issue related to code quality is that many times drivers are developed for ancient versions of the kernel, but that really shouldn't be a barrier as any "decent code will port relatively easily". Sometimes there is resistance to changes by the upstream developers. An example he noted was a feature that allowed multicast to be optionally removed from the IPv4 networking stack. It saved a fair amount of space for embedded devices that did not need that functionality, but David Miller and other networking developers were not very interested. This is where the embedded maintainer role can come into play as Woodhouse can step in to try to help convince the upstream developers.
Woodhouse had specific suggestions for making the situation better. "For a start, put everything in git trees" as it allows others to look at and test the code. Each feature should have its own topic tree that gets pulled into the main tree and developers should regularly assess the outstanding code to determine if it is ready to be moved upstream. Working with the upstream developers, getting them involved, and getting them to care about the feature or driver is crucial. In cases where a logjam develops, call on Woodhouse or Andrew Morton, they "can't promise any miracles, but often it can help".
Something that Woodhouse would like to see more developers do is to adopt a driver. There are countless drivers in SourceForge and elsewhere that are not upstream, so he suggests that folks "pick one driver, just tidy it up and make it acceptable upstream". Incidentally, Woodhouse is no fan of SourceForge: "I don't think I wrote 'don't use SourceForge' on any of the slides, but pretend that it's there". He mentioned the -staging tree as a possible destination for adopted drivers, though he is skeptical of the tree, "but it exists, we should see if we can get something from it".
Woodhouse summed up his talk with a simple statement: "We need to work better as a community before we can point fingers at companies who don't play nicely". It is certainly true that the community needs to set a good example for companies to follow. By highlighting some of our failures, Woodhouse has done the community a great favor; we can and, with luck, will do better.
Spam is a problem that all email users suffer from but getting a handle on the economics of spamming has never been easy. A group of researchers has changed that to some extent by publishing a study [PDF] that looks at the conversion rate of spam emails. While the methods they used were somewhat ethically questionable, the data it provides is quite useful and interesting.
In the study, the Storm botnet's "command and control" (C&C) infrastructure was infiltrated in such a way that spam messages sent by Storm worker nodes would point the URLs in the spam at sites controlled by the researchers. By doing this, they could determine how much spam was sent and, more importantly, how much of it was clicked on. While sending spam is not very costly, it clearly does not have a zero cost. This means that—unbelievable though it sometimes seems—people actually do click through spam emails; not only that, they actually make purchases from the sites where they land.
The researchers set up fake pharmacy sites—selling male enhancement products amongst other things—that would be reached via the spam links. To protect the spam "victims", a visitor to the site would be allowed to get to the checkout stage before showing a site error. It seems plausible that nearly everyone willing to fill their shopping cart with such products and enter the checkout process is a very likely buyer. In this way, the study could count not only those who followed the links, but also those who were likely to buy.
What they found was that of 350 million emails sent—they estimate 82 million actually delivered—ten thousand recipients visited the site for a click-through rate of 0.003%. Of those, 28 users actually tried to check out with products totaling over $2700. The study was run for 26 days, so this could have resulted in roughly $100 per day of revenue.
Also of interest were the campaigns that were run to test the propagation of the Storm malware. This is normally done by sending spam that directs users to a website (via a "you have received a postcard" message) and entices them into clicking a link that will download and install the malware. The percentages of click-throughs were slightly higher (0.004-0.006%), but a rather large percentage of those (almost 10%) actually clicked the malware link once they reached the website. The researchers' version would download a benign executable, but the clear implication is that a small, but useful, number of users would actually add themselves to the botnet more-or-less voluntarily.
While the study is quick to point out that it represents only one data point, there is some value in extrapolating what the botnet might be able to generate in terms of revenue:
The conclusion is that something on the order of $7000-9500 per day could be generated, which equates to $2.5-3.5 million per year—a tidy sum by any measure. There is some additional speculation that because of the retail cost of sending spam (rumored to be something like $80 per million sent), it only makes sense that the Storm operators and the "pharmacies" are one and the same. The sites used for propagation of the Storm malware have similarities to those used by the shopping sites, which also indicates a close association between the two. The study makes the following, perhaps overly optimistic, argument:
The full paper is well worth a read for those interested in botnets or spam, but there are some ethical questions to consider as well. Is it reasonable to use other people's computers for your research without their consent? There is no easy answer to that question. The researchers outline their argument, which boils down to "we strictly reduce harm". Because they are just intercepting and modifying orders that are already being sent to workers, their research did not increase the amount of spam sent, nor did it increase the work that others' computers would do.
Since the spam that they arrange to be sent is harmless—at least in terms of selling bogus medicine or propagating malware—they have actually reduced the number of harmful spams sent. While their arguments seem at least well-thought-out, it is not something that would be fun to try to explain to a judge bent on enforcing some of the poorly-thought-out computer crime statutes. The researchers seem confident that their methods will pass muster, though: "We have been careful to design experiments that we believe are both consistent with current U.S. legal doctrine and are fundamentally ethical as well."
It is difficult to see how this kind of data could be gathered without co-opting Storm or another spam-sending botnet. From that standpoint, the researchers took the only path they could, but they certainly appear to have considered the legal and ethical landscape. While there may be a tendency to overestimate how widely applicable the data is—which the authors warn against—it does provide a nice look under the covers of the botnets delivering spam to one's inbox daily.
Brief items

Looking at this bug entry, you'll see that getting root access on an Android-based phone is rather easier than originally thought. It seems that the phone simply boots with a root shell listening to the keyboard, regardless of any other applications running. Be careful what you type... (a bit more information can be found on this page).
Package(s): acroread
CVE #(s): CVE-2008-2549 CVE-2008-2992 CVE-2008-4812 CVE-2008-4813 CVE-2008-4814 CVE-2008-4815 CVE-2008-4817
Created: November 12, 2008
Updated: January 13, 2009
From the Red Hat advisory:
Several input validation flaws were discovered in Adobe Reader. A malicious PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader. (CVE-2008-2549, CVE-2008-2992, CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4817)
The Adobe Reader binary had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local attacker able to convince another user to run Adobe Reader in an attacker-controlled directory could run arbitrary code with the privileges of the victim. (CVE-2008-4815)
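The RPATH defect in the advisory is a search-path element that the dynamic loader resolves against whatever directory the program happens to be started in. As an added example, not taken from the advisory or from any vendor's code, here is a small Python checker that reads the DT_RPATH and DT_RUNPATH entries out of an ELF file's .dynamic section and flags every element that would be resolved against the current directory; the ELF image it builds for itself is a constructed fixture for the demonstration, not a loadable binary.

```python
import struct
import sys

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
TAG_NAMES = {DT_RPATH: "RPATH", DT_RUNPATH: "RUNPATH"}


def classify_search_path(entry):
    """Split one RPATH/RUNPATH string on ':' and judge each element.
    An empty element and any element not starting with '/' are resolved against
    the process's current working directory; that is the defect in CVE-2008-4815."""
    verdicts = []
    for elem in entry.split(":"):
        if elem == "":
            verdicts.append((elem, "insecure: empty element means the current directory"))
        elif elem.startswith("$ORIGIN") or elem.startswith("${ORIGIN}"):
            verdicts.append((elem, "origin-relative: resolved against the binary's own directory"))
        elif elem.startswith("/"):
            verdicts.append((elem, "absolute"))
        else:
            verdicts.append((elem, "insecure: relative to the current directory"))
    return verdicts


def read_search_paths(data):
    """Return [(tag_name, path_string), ...] for every DT_RPATH/DT_RUNPATH entry
    in the .dynamic section of an ELF image (ELF32 or ELF64, either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS
    end = "<" if data[5] == 1 else ">"       # EI_DATA
    ehdr_fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    shdr_fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    dyn_fmt = end + ("qQ" if is64 else "iI")
    ehdr = struct.unpack_from(ehdr_fmt, data, 16)   # header fields after e_ident
    shoff, shentsize, shnum = ehdr[5], ehdr[10], ehdr[11]
    # Section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    found = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size, strtab = sh[4], sh[5], sections[sh[6]]   # sh_link names the string table
        entsize = struct.calcsize(dyn_fmt)
        for pos in range(dyn_off, dyn_off + dyn_size, entsize):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag in TAG_NAMES:
                start = strtab[4] + val      # d_val is an offset into the string table
                found.append((TAG_NAMES[tag], data[start:data.index(b"\0", start)].decode()))
    return found


def audit(data):
    """Return [(tag_name, element, verdict), ...] for every search-path element
    that the loader would resolve against the current directory."""
    return [(tag, elem, verdict)
            for tag, path in read_search_paths(data)
            for elem, verdict in classify_search_path(path)
            if verdict.startswith("insecure")]


def build_sample_elf(search_path, tag=DT_RPATH):
    """Construct a minimal little-endian ELF64 image holding only a .dynstr and a
    .dynamic section. It is a constructed test fixture, not a loadable binary."""
    dynstr = b"\0" + search_path.encode() + b"\0"
    dynamic = struct.pack("<qQ", tag, 1) + struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64                                   # right after the 64-byte ELF header
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                   # SHN_UNDEF
    shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise audit the files named.
    targets = sys.argv[1:] or ["<constructed sample>"]
    for name in targets:
        data = build_sample_elf(".:/usr/lib") if name == "<constructed sample>" else open(name, "rb").read()
        for tag, elem, verdict in audit(data):
            print(f"{name}: {tag} element {elem!r} is {verdict}")
```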
Created: November 12, 2008
Updated: January 14, 2010
From the Red Hat bugzilla entry:
Untrusted search path vulnerability in BPY_interface in Blender 2.46 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
Created: November 12, 2008
Updated: December 15, 2008
From the Ubuntu advisory:
It was discovered that certain email headers were not correctly handled by Dovecot. If a remote attacker sent a specially crafted email to a user with a mailbox managed by Dovecot, that user's mailbox would become inaccessible through Dovecot, leading to a denial of service.
Created: November 7, 2008
Updated: November 24, 2008

Description: From the Drupal advisory: The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser.
Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permission are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross site scripting attack (XSS) may lead to the malicious user gaining full administrative access.
This is only an issue if you need any role separation between administrators and users with the "administer content" permission.
Created: November 12, 2008
Updated: November 12, 2008
From the Gentoo advisory:
The ICST-ERCIS (Peking University) reported a heap-based buffer overflow in the decodeMP4file() function in frontend/main.c.
A remote attacker could entice a user to open a specially crafted MPEG-4 (MP4) file in an application using FAAD2, possibly leading to the execution of arbitrary code.
Package(s): flash-plugin
CVE #(s): CVE-2008-4818 CVE-2008-4819 CVE-2008-4823 CVE-2008-4822 CVE-2008-4821
Created: November 12, 2008
Updated: November 12, 2008
From the Red Hat advisory:
Flash Player contains a flaw in the way it interprets HTTP response headers. An attacker could use this flaw to conduct a cross-site scripting attack against the user running Flash Player. (CVE-2008-4818)
A flaw was found in the way Flash Player handles the ActionScript attribute. A malicious site could use this flaw to inject arbitrary HTML content, confusing the user running the browser. (CVE-2008-4823)
A flaw was found in the way Flash Player interprets policy files. It was possible to bypass a non-root domain policy, possibly allowing a malicious site to access data in a different domain. (CVE-2008-4822)
A flaw was found in how Flash Player's jar: protocol handler interacts with Mozilla. A malicious flash application could use this flaw to disclose sensitive information. (CVE-2008-4821)
Updated Flash Player also extends mechanisms to help prevent an attacker from executing a DNS rebinding attack. (CVE-2008-4819)
Package(s): gallery
CVE #(s): CVE-2008-3600 CVE-2008-3662 CVE-2008-4129 CVE-2008-4130
Created: November 12, 2008
Updated: December 15, 2008
From the Gentoo advisory:
* Digital Security Research Group reported a directory traversal vulnerability in contrib/phpBB2/modules.php in Gallery 1, when register_globals is enabled (CVE-2008-3600).
* Hanno Boeck reported that Gallery 1 and 2 did not set the secure flag for the session cookie in an HTTPS session (CVE-2008-3662).
* Alex Ustinov reported that Gallery 1 and 2 do not properly handle ZIP archives containing symbolic links (CVE-2008-4129).
* The vendor reported a Cross-Site Scripting vulnerability in Gallery 2 (CVE-2008-4130).
Created: November 11, 2008
Updated: September 28, 2009

Description: From the Red Hat advisory: Martin von Gagern discovered a flaw in the way GnuTLS verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust invalid certificates.
Created: November 12, 2008
Updated: May 13, 2009

This is evidently a recurrence of CVE-2007-1320, which has the following description:
Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
Package(s): mysql-dfsg-5.0
CVE #(s): CVE-2008-4098 CVE-2008-4097
Created: November 6, 2008
Updated: June 4, 2010

Description: From the Debian advisory: A symlink traversal vulnerability was discovered in MySQL, a relational database server. The weakness could permit an attacker having both CREATE TABLE access to a database and the ability to execute shell commands on the database server to bypass MySQL access controls, enabling them to write to tables in databases to which they would not ordinarily have access.
Created: November 7, 2008
Updated: June 3, 2010

Description: From the CVE entry: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character.
Created: November 6, 2008
Updated: November 12, 2008

Description: From this imap-uw advisory: There is a security bug in versions of the programs tmail and dmail distributed with the IMAP Toolkit versions 2007c or earlier (all versions prior to 2008-10-29). This includes the version distributed with Alpine 2.00.
|Created:||November 7, 2008||Updated:||December 11, 2009|
|Description:||From the CVE entry: The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.|
Page editor: Jake Edge
Brief items

The current development kernel is 2.6.28-rc4, released on November 9. "Nothing hugely exciting here. Various small fixes all over. There's a delayed FAT update which includes some movement of files around, and there's two fixes for some really long-standing problems (not really regressions, but nasty bugs) in Unix domain file descriptor passing." This release also contains a new Fujitsu MB862xx framebuffer driver and the introduction of a new internal API for dealing with CPU masks. See the long-format changelog for all the details.

As of this writing, just over 200 fixes have been merged into the mainline git repository since the 2.6.28-rc4 release.

The current stable 2.6 kernel is 2.6.27.5, released on November 7. It contains a long list of fixes accompanied by a stronger-than-usual encouragement to upgrade. The 2.6.27.6 update is in the review process as of this writing; it will likely be released on November 14.

The 2.6.25.20 and 2.6.26.8 stable kernel updates came out on November 10. They both contain a long list of fixes, and both are intended to be the last in their respective series. Users who depend on these updates will want to consider moving to 2.6.27 in the near future.
Kernel development news
To a certain extent, my hopes were fulfilled. We got a git server in California.
One mechanism developed for this purpose is a set of tags applied to patches before they are merged into the mainline. When a patch fixes a bug, the user(s) who reported that bug should be credited through the addition of a Reported-by: tag. Similarly, testers are credited with the Tested-by: tag. As it happens, some developers have adopted the habit of using Reported-and-tested-by: as a way of saving valuable newlines in the common case where a user fills both roles.
There is a certain warm feeling that comes with having one's name stored in a changelog entry in the kernel source repository. But the amount of visibility which comes from this event is relatively small. So your editor decided to hack up his git data mining utility to track these tags. Without further ado, here are the top problem reporters and patch testers for the 2.6.27 development cycle:
Most credited 2.6.27 bug reporters and testers

Reported-by: credits
Adrian Bunk              43   21.0%
Robert P. J. Day         12    5.9%
Eric Sesterhenn           5    2.4%
Andrew Morton             4    2.0%
Alexey Dobriyan           4    2.0%
Denys Fedoryshchenko      4    2.0%
Yinghai Lu                3    1.5%
David S. Miller           3    1.5%
Vegard Nossum             3    1.5%
Stephen Rothwell          3    1.5%
Juha Leppanen             3    1.5%
Russell King              2    1.0%
Andi Kleen                2    1.0%
Ingo Molnar               2    1.0%
Benjamin Herrenschmidt    2    1.0%
Daniel J Blueman          2    1.0%
Daniel Exner              2    1.0%
Manuel Lauss              2    1.0%
Atsushi Nemoto            2    1.0%
Mikael Pettersson         2    1.0%

Tested-by: credits
Ingo Molnar               7    4.6%
Andrew Savchenko          6    3.9%
Rene Herman               4    2.6%
Mariusz Kozlowski         3    2.0%
Alexey Dobriyan           3    2.0%
Tino Keitel               3    2.0%
Robert Jarzmik            3    2.0%
KOSAKI Motohiro           2    1.3%
Benjamin Herrenschmidt    2    1.3%
Larry Finger              2    1.3%
Kenji Kaneshige           2    1.3%
Jack Howarth              2    1.3%
Gerald Schaefer           2    1.3%
Dennis Jansen             2    1.3%
Daniel J Blueman          2    1.3%
Daniel Exner              2    1.3%
Steven Noonan             2    1.3%
Rus                       2    1.3%
Lawrence Greenfield       2    1.3%
Mark Langsdorf            2    1.3%
All told, there were a total of 205 Reported-by: and 153 Tested-by: credits entered during the 2.6.27 kernel cycle. This is arguably a reasonable start for a new tag, but it seems clear that a lot of problem reporters are not, yet, being credited in this manner. Your editor became curious to see just who is taking the time to credit these people; they, too, deserve some credit. A bit more script hacking yielded these tables:
Developers giving credits in 2.6.27

Reported-by: credits given
Adrian Bunk                 44   21.5%
Linus Torvalds              12    5.9%
Ingo Molnar                  8    3.9%
Andrew Morton                7    3.4%
Peter Zijlstra               7    3.4%
Bartlomiej Zolnierkiewicz    6    2.9%
Yinghai Lu                   5    2.4%
Jarek Poplawski              5    2.4%
Jiri Kosina                  5    2.4%
Hugh Dickins                 4    2.0%
FUJITA Tomonori              4    2.0%
Paul Mundt                   4    2.0%
Vegard Nossum                3    1.5%
Russell King                 3    1.5%
Jeremy Fitzhardinge          3    1.5%
Roland McGrath               3    1.5%
Haavard Skinnemoen           3    1.5%
Dmitry Torokhov              3    1.5%
David Woodhouse              3    1.5%
Oleg Nesterov                3    1.5%

Tested-by: credits given
Pekka Enberg                 7    4.6%
Linus Torvalds               7    4.6%
Takashi Iwai                 5    3.3%
Bartlomiej Zolnierkiewicz    5    3.3%
Peter Zijlstra               4    2.6%
Rafael J. Wysocki            4    2.6%
Yinghai Lu                   4    2.6%
Hugh Dickins                 4    2.6%
Alan Stern                   4    2.6%
Eric Miao                    4    2.6%
Thomas Gleixner              3    2.0%
Lennert Buytenhek            3    2.0%
Alex Chiang                  3    2.0%
Krzysztof Helt               3    2.0%
Stefan Richter               3    2.0%
Andy Whitcroft               3    2.0%
KOSAKI Motohiro              2    1.3%
Dennis Jansen                2    1.3%
Andrew Morton                2    1.3%
David S. Miller              2    1.3%
The end result: Adrian Bunk gave over 20% of the total bug reporting credits - to himself. Beyond that, a number of the core developers are taking at least some time to credit those who report bugs and test patches. But, in the end, the 10,628 changesets merged for 2.6.27 probably contained quite a few more patches which could have carried such tags. If the reporting and testing tags are to become truly useful and significant, they will have to be more universally used.
While your editor was at it, he also collected statistics for Reviewed-by: tags. These tags differ in that they are offered by the reviewer, who thereby states that a reasonably thorough review has been done and the code has not been found seriously wanting. Code review is perennially in short supply in just about any free software project, so, again, proper credit for reviewers seems like more than just a good idea. Here's the top 2.6.27 credited reviewers:
Developers with the most reviews (total 123)
Ingo Molnar            23   18.7%
Paul Jackson           12    9.8%
Peter Zijlstra         11    8.9%
Christoph Lameter      10    8.1%
Aneesh Kumar K.V        7    5.7%
KOSAKI Motohiro         6    4.9%
Paul E. McKenney        6    4.9%
Jeff Moyer              5    4.1%
Robert P. J. Day        4    3.3%
Nadia Derbey            3    2.4%
Paul E. McKenney        3    2.4%
Mingming Cao            2    1.6%
Michael Buesch          2    1.6%
Li Zefan                2    1.6%
Matthew Wilcox          2    1.6%
Ingo Oeser              2    1.6%
Badari Pulavarty        2    1.6%
If these numbers are to be believed, only 123 reviews were performed over the 2.6.27 development cycle. Even the most cynical observer is likely to agree that a bit more reviewing than that is going on. Most reviewers do not offer the associated tag, so their contribution goes unrecorded. In particular, Andrew Morton, who seems to review almost every patch which appears, should be at the top of the above list.
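The tag counting behind the tables above, as an added example written for this page (it is not the editor's own git data mining utility or any kernel script). The script reads default `git log` output, tallies Reported-by:, Tested-by: and Reviewed-by: credits both as received by the named person and as given by the patch author, expands Reported-and-tested-by: into both tags, and notes when an author credits themselves. The commit log it runs on is constructed sample input with made-up hashes and example.org addresses; only `credits_for_range()` needs a real repository, and it is the only function that calls git.

```python
import re
import subprocess
from collections import Counter

CREDIT_TAGS = ("Reported-by", "Tested-by", "Reviewed-by")
# The combined form saves a newline in a changelog but counts as both credits.
TAG_EXPANSION = {
    "reported-by": ("Reported-by",),
    "tested-by": ("Tested-by",),
    "reviewed-by": ("Reviewed-by",),
    "reported-and-tested-by": ("Reported-by", "Tested-by"),
}
TAG_RE = re.compile(
    r"^\s*(reported-and-tested-by|reported-by|tested-by|reviewed-by):\s*(.+?)\s*$",
    re.IGNORECASE,
)
EMAIL_RE = re.compile(r"\s*<[^>]*>")   # strip "<user@host>" so names aggregate


def parse_log(text):
    """Split default `git log` output into (author_name, body_lines) pairs.
    Body lines are the 4-space-indented ones; Date:/Merge: headers are ignored."""
    commits = []
    author, body = None, []
    for line in text.splitlines():
        if line.startswith("commit "):
            if author is not None:
                commits.append((author, body))
            author, body = None, []
        elif line.startswith("Author: "):
            author = EMAIL_RE.sub("", line[len("Author: "):]).strip()
        elif line.startswith("    "):
            body.append(line[4:])
    if author is not None:
        commits.append((author, body))
    return commits


def count_credits(text):
    """Return (received, given, self_credits): per-tag Counters of who was
    credited, which patch author gave the credit, and author==credited cases."""
    received = {t: Counter() for t in CREDIT_TAGS}
    given = {t: Counter() for t in CREDIT_TAGS}
    self_credits = Counter()
    for author, body in parse_log(text):
        for line in body:
            m = TAG_RE.match(line)
            if not m:
                continue
            who = EMAIL_RE.sub("", m.group(2)).strip()
            for tag in TAG_EXPANSION[m.group(1).lower()]:
                received[tag][who] += 1
                given[tag][author] += 1
                if who == author:
                    self_credits[tag] += 1
    return received, given, self_credits


def top(counter, n=20):
    """Leaderboard rows as (name, count, percent of all credits for that tag)."""
    total = sum(counter.values())
    if not total:
        return []
    return [(name, cnt, round(100.0 * cnt / total, 1)) for name, cnt in counter.most_common(n)]


def credits_for_range(rev_range):
    """Run `git log` over a revision range such as 'v2.6.26..v2.6.27' (needs a repo)."""
    out = subprocess.run(["git", "log", rev_range], check=True,
                         capture_output=True, text=True).stdout
    return count_credits(out)


# Constructed sample log: fake hashes, example.org addresses, made-up subjects.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000001
Author: Ingo Molnar <mingo@example.org>
Date:   Sun Nov 9 10:00:00 2008 +0100

    x86: fix boot crash on example hardware

    Reported-by: Adrian Bunk <bunk@example.org>
    Tested-by: Mariusz Kozlowski <mk@example.org>
    Signed-off-by: Ingo Molnar <mingo@example.org>

commit 0000000000000000000000000000000000000002
Author: Adrian Bunk <bunk@example.org>
Date:   Mon Nov 10 11:00:00 2008 +0200

    remove an unused function

    Reported-by: Adrian Bunk <bunk@example.org>
    Signed-off-by: Adrian Bunk <bunk@example.org>

commit 0000000000000000000000000000000000000003
Author: Linus Torvalds <torvalds@example.org>
Date:   Mon Nov 10 12:00:00 2008 -0800

    Revert a misbehaving change

    Reported-and-tested-by: Rene Herman <rene@example.org>
    Signed-off-by: Linus Torvalds <torvalds@example.org>

commit 0000000000000000000000000000000000000004
Author: Peter Zijlstra <peterz@example.org>
Date:   Tue Nov 11 09:00:00 2008 +0100

    sched: tweak a heuristic

    Reviewed-by: Ingo Molnar <mingo@example.org>
    Signed-off-by: Peter Zijlstra <peterz@example.org>
"""

if __name__ == "__main__":
    received, given, self_credits = count_credits(SAMPLE_LOG)
    for tag in CREDIT_TAGS:
        print(tag, "received:", top(received[tag]), "given:", top(given[tag]))
    print("self-credits:", dict(self_credits))
```

Names are aggregated after stripping the e-mail address, which is why a person who signs with two addresses still shows up once here; the duplicate Paul E. McKenney rows in the reviewers table above are what happens when the aggregation key is the full "Name <address>" string instead.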
Clearly, the task of ensuring proper credit for testers, bug reporters, and reviewers is still in its initial stages. But one has to start somewhere; this is more information than we had before. Hopefully, over time, the habit of crediting those who help with the development process will become more widespread. And that, with luck, will encourage more testing and bug reporting and, as a result, a better kernel.
Copy-on-write with fork() works because the kernel knows that each process expects to find the same contents in those pages. When the kernel lacks that knowledge, though, it will generally be unable to arrange sharing of identical pages. One might not think that this would ordinarily be a problem, but the KVM developers have come up with a couple of situations where this kind of sharing opportunity might come about. Your editor cannot resist this case proposed by Avi Kivity:
Beyond such typical systems, though, consider the case of a host running a number of virtualized guests. Those guests will not share a process-tree relationship which makes the sharing of pages between them easy, but they may well be using a substantial portion of their memory to hold identical contents. If that host could find a way to force the sharing of pages with identical contents, it should be able to make much better use of its memory and, as a result, run more guests.

This is the kind of thing which gets the attention of virtualization developers. So the hackers at Qumranet (now part of Red Hat; Izik Eidus, Andrea Arcangeli, and Chris Wright in particular) have put together a mechanism to make that kind of sharing happen. The resulting code, called KSM, was recently posted for wider review.
KSM takes the form of a device driver for a single, virtual device: /dev/ksm. A process which wants to take part in the page sharing regime can open that device and register (with an ioctl() call) a portion of its address space with the KSM driver. Once the page sharing mechanism is turned on (via another ioctl()), the kernel will start looking for pages to share.
The algorithm is relatively simple. The KSM driver, inside a kernel thread, picks one of the memory regions registered with it and starts scanning over it. For each page which is resident in memory, KSM generates an SHA1 hash of the page's contents. That hash is then used to look up other pages with the same hash value. Only if a subsequent memcmp() call shows that the contents of the pages are truly identical (the hash alone merely nominates candidates) are all processes with a reference to the scanned page pointed (in COW mode) to the other one, and the redundant page returned to the system. As long as nobody modifies the page, the sharing can continue; once a write operation happens, the page is copied for the writer and the sharing ends for that mapping.
The kernel thread will scan up to a maximum number of pages before going to sleep for a while. Both the number of pages to scan and the sleep period are passed in as parameters to the ioctl() call which starts scanning. A user-space control process can also pause scanning via another ioctl() call.
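The scan-hash-compare-merge cycle described above, as an added example: a user-space Python model of the posted design, written for this page and not the KSM driver's own code. Physical pages are `Page` objects carrying a reference count, a "process" is a registered list of them standing in for the ioctl()-registered region, `scan()` is one bounded pass of the kernel thread, and `write()` performs the copy-on-write that ends sharing. The page size, process names and page contents are assumptions made for the example; `collision_demo()` swaps in a deliberately weak hash to show why the memcmp() step is not optional.

```python
import hashlib

PAGE_SIZE = 4096  # assumed for the model; the real value is architecture-defined


class Page:
    """A physical page: its contents plus how many mappings point at it."""
    __slots__ = ("data", "refs")

    def __init__(self, data):
        assert len(data) == PAGE_SIZE
        self.data = bytes(data)
        self.refs = 1


class KsmSim:
    def __init__(self, hash_fn=lambda d: hashlib.sha1(d).digest()):
        self.hash_fn = hash_fn
        self.regions = {}   # pid -> list of Page, one per virtual page of the region
        self.index = {}     # content hash -> the Page kept as the shared copy

    def register(self, pid, pages):
        """Stand-in for the registration ioctl(): hand a range of pages to KSM."""
        self.regions[pid] = [Page(p) for p in pages]

    def scan(self, max_pages):
        """One pass of the scanning thread over at most max_pages resident pages.
        Returns the number of physical pages freed by merging."""
        freed = examined = 0
        for region in self.regions.values():
            for i, page in enumerate(region):
                if examined >= max_pages:
                    return freed            # time to sleep; resume next pass
                examined += 1
                kept = self.index.get(self.hash_fn(page.data))
                if kept is None:
                    self.index[self.hash_fn(page.data)] = page  # first of its kind
                    continue
                if kept is page or kept.data != page.data:
                    continue                # already shared, or a hash collision
                region[i] = kept            # point this mapping at the kept page (COW)
                kept.refs += 1
                page.refs -= 1
                if page.refs == 0:
                    freed += 1              # redundant page returned to the system
        return freed

    def write(self, pid, vpn, offset, value):
        """A process stores one byte. A shared page is copied first (COW), which
        ends the sharing for this mapping only; other mappings keep the kept page."""
        region = self.regions[pid]
        page = region[vpn]
        if page.refs > 1:
            page.refs -= 1
            page = Page(page.data)
            region[vpn] = page
        else:
            stale = self.hash_fn(page.data)
            if self.index.get(stale) is page:
                del self.index[stale]       # contents change: drop the stale index entry
        data = bytearray(page.data)
        data[offset] = value
        page.data = bytes(data)

    def physical_pages(self):
        """Distinct physical pages backing all registered regions."""
        return len({id(p) for region in self.regions.values() for p in region})


def fill(prefix):
    return prefix.ljust(PAGE_SIZE, b"\0")


def demo():
    """Two guests whose free lists are all-zero pages plus one page of identical
    text each: (pages before, pages freed, pages after, pages after one COW write)."""
    sim = KsmSim()
    zero = bytes(PAGE_SIZE)
    text = fill(b"identical guest kernel text")
    sim.register("guest1", [zero, zero, text, fill(b"guest1 private data")])
    sim.register("guest2", [zero, zero, text, fill(b"guest2 private data")])
    before = sim.physical_pages()
    freed = sim.scan(max_pages=1000)
    after = sim.physical_pages()
    sim.write("guest1", 0, 0, 0x41)   # guest1 dirties its zero page: COW, sharing ends
    return before, freed, after, sim.physical_pages()


def collision_demo():
    """Weak hash (first byte only): both pages collide in the lookup, but memcmp()
    keeps them apart, so nothing is merged: (pages freed, physical pages)."""
    sim = KsmSim(hash_fn=lambda d: d[:1])
    sim.register("p", [fill(b"\0aaaa"), fill(b"\0bbbb")])
    return sim.scan(max_pages=10), sim.physical_pages()


if __name__ == "__main__":
    print("demo:", demo())
    print("collision:", collision_demo())
```

The model ignores the cost that the article goes on to raise: every scanned page is hashed and, on a hit, compared byte for byte, so the `max_pages` budget per pass is what keeps that CPU and cache load bounded.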
The initial response to the patch from Andrew Morton was not entirely enthusiastic:
The answer from Avi Kivity was reasonably clear:
Izik Eidus adds that, with this patch, a host running a bunch of Windows guests is able to overcommit its memory 300% without terribly ill effects. This technique, it seems, is especially effective with Windows guests: Windows apparently zeroes all freed memory, so each guest's list of free pages can be coalesced down to a single, shared page full of zeroes.
What has not been done (or, at least, not posted) is any sort of benchmarking of the impact KSM has on a running system. The scanning, hashing, and comparing of pages will require some CPU time, and it is likely to have noticeable cache effects as well. If you are trying to run dozens of Windows guests, cache effects may well be relatively low on your list of problems. But that cost may be sufficient to prevent the more general use of KSM, even though systems which are not using virtualization at all may still have a lot of pages with identical contents.
Given that, one might well wonder why Markus Rechberger's recently submitted "empia" driver series is encountering so much resistance. This driver works with a number of video acquisition devices based on Empia chips; many of those are not supported by the kernel now. As an Empia Technology employee, Markus has access to the relevant data sheets and is, thus, well placed to write a fully-functional driver. There are users who will attest that the drivers work, and that Markus provides good support for them. But, as things stand now, it would appear that this driver is not headed for the mainline.
What we have here is a classic story of an impedance mismatch between a developer and the development community. In the process, this long story has helped to give the Video4Linux development community a bit of a reputation as a dysfunctional family - a perception which those developers are only now beginning to overcome. The sad truth would seem to be that, while working with the community is something that a couple thousand developers do with little trouble every year, there will always be a few who have difficulties.
A quick review of some of the history is in order here. Markus was one of the authors of the original em28xx driver, first merged for the 2.6.15 kernel. His efforts to enhance that driver quickly ran into trouble, though, when he tried to make substantial changes to the low-level tuner interface - changes which affected a number of other drivers. These changes were not popular in the Video4Linux community, and there were fears that they could break unrelated drivers. So this code was not merged.
In response to this rejection, Markus claimed ownership of the em28xx driver and asked that it be removed from the mainline kernel. He then continued development of the code, hosting it on his own server. There was even a period where the code was relicensed to the MPL, apparently as part of an attempt to prevent it from being taken into the mainline. Eventually, Markus came back with a new approach which moved much of the tuner code into user space. That solution, too, failed to pass review; nobody else could really see much advantage in moving that much driver code out of the kernel. The fact that Markus clearly intended to have some of that code appear in the form of binary-only blobs did not help his case. So the user-space approach, like its predecessor, was not merged.
While Markus was working on his own version of the code, others were putting patches into the mainline em28xx driver. At times, Markus tried to block those changes. The tone of the discussion is, perhaps, best seen from this note sent to Video4Linux maintainer Mauro Carvalho Chehab:
Of course, losing "authority" over code is inherent in releasing that code under a license like the GPL. This attempt to exercise control over freely-licensed code was slapped down by Andrew Morton and others, but it left unpleasant memories behind.
Now Markus is back with a driver that, to all appearances, duplicates the functionality of a driver which is already in the mainline kernel. It is not hard to see this submission as an attempt to retake control of that driver and, perhaps, restart the discussions from past years. So it is not entirely surprising that this driver has not been received with a great deal of enthusiasm. In short, Markus has been told to go away until he is prepared to submit his work in the form of a series of small patches to the in-tree em28xx driver.
The advantages of improving the current driver, rather than duplicating some of its functionality in a new code base, are clear. It would avoid the confusion which can come from having two drivers for the same hardware in the tree, and it would minimize the risk of losing important fixes which have been applied to the in-tree code. This is, also, the way that kernel developers are normally expected to do their work. On the other hand, video developer Hans Verkuil reviewed the new driver and concluded:
This review notwithstanding, Mauro has indicated that he is not interested in accepting this patch. But rejecting Markus's new driver out of hand might just be a mistake. There seems to be little doubt that it has developed well beyond the in-tree driver; it supports a wider range of devices. Failure to merge it risks losing the work that has been done, and, perhaps, losing the future work of a developer who, for all his faults, is clearly trying to provide a better experience for Video4Linux users.
Having multiple drivers for the same hardware in the kernel is not an ideal situation, but it is also not without precedent. The IDE and parallel ATA subsystems provide redundant support for a wide range of hardware. The e1000 and e1000e drivers had overlapping coverage for some time. In such cases, the long-term goal is usually to work toward the removal of one of the drivers.
So one could make the case for merging the new driver and, eventually, removing the older one. In the process, the new driver could receive some much-needed attention from other developers. It has coding style and copyright attribution problems; a quick review has also left your editor wondering about locking issues. But such problems are common to drivers which have spent a lot of time out of tree; they are simply something to fix. Meanwhile, this driver contains the result of years of work and access to the relevant data sheets; freezing it out may not be in the best interests of kernel developers or users.
Patches and updates
Core kernel code
Filesystems and block I/O
Virtualization and containers
Benchmarks and bugs
Page editor: Jonathan Corbet
News and Editorials

A post to the Fedora-desktop list started a discussion, including a pointer to the whiteboard where people can fill in their ideas. The page contains some ideas guaranteed to warm an editor's heart and a few which inspire rather less enthusiasm.
So what are the Fedora desktop people pondering? Some of the ideas include:
There is a lot more on the list - far more than the Fedora developers can hope to implement (or even integrate) in the near future. But the process is a good one, and some of these ideas will certainly show up in future Fedora releases. With any luck at all, the Linux desktop will continue to improve for a long time.
New Releases

An initial release candidate build for the OpenSolaris 2008.11 release has been announced. "IMPORTANT NOTE: The development builds have undergone limited testing and users should expect to uncover issues as the next release is developed. Bug reports and requests for enhancement are welcome..."
Debian GNU/Linux

"We realised that the old name Custom Debian Distributions just sent the wrong message to outsiders: the conclusion that CDDs are something other than Debian was too 'obvious' if people did not read the relevant documentation." It looks a lot like Fedora's "Spins," but without the worry about what deserves to be called a "Pure Blend" and what does not. More information can be found on the wiki and in this detailed paper.
Fedora

"With one round of elections in the US out of the way, it's now time to turn our attention to more pressing matters - Fedora Election Season has begun." There are open seats on the project board and on a few steering committees. Some have complained in the past that these seats are dominated by Red Hat employees; now is the time to rectify that - if it is really a problem in need of fixing.

Also: the Fedora 10 Earlybird FAQ, and Fedora-classroom sessions coming up next month.
SUSE Linux and openSUSE
Distribution Newsletters

The November 2008 issue of the Arch Linux Newsletter is out. "Welcome to another issue of the Arch Linux Newsletter. What is going on in the Arch Linux Development world? We are working diligently to solve the problem with orphaned, unmaintained and bug-pending packages in the repositories, for better quality control. Inspired by Allan, Pierre has provided a new package in the extra repository called pkgstats, which allows all Archers to easily provide the development team with a list of packages you have installed. With the input you provide, we will now be able to prioritize our work, and focus on the packages Archers use most. Also, we can more easily see which AUR packages deserve to be in community and vice versa."

"This week's action-packed Virtualization section investigates how the "OpenNebula Libvirt Implementation" could allow access to EC2 using libvirt APIs; Announcements announces "Elections Are Coming"; Developments peeks at the addition of LiveConnect to IcedTea; Artwork relays well-earned "Praise for the Solar Theme". Translation covers l10n work being done and SecurityAdvisories lists essential updates. As always there is much more worth reading in this issue."

OpenSUSE Weekly News looks at Lukas Ocilka: YaST-Mascot Contest-How to submit your ideas, openSUSE News: OpenOffice.org Fix for openSUSE 11.1 Beta 4, The openSUSE Board, Jan Weber: Announcing Easy-KIWI-GUI, Stephan Binner: openSUSE 11.1-Plasma-Desktop-Toolbox and several other topics.
Distribution meetings

FOSS.IN will be held November 25 - 29, 2008 in Bangalore, India. FUDCon India 2008 will be a one day event on November 28th.
Newsletters and articles of interest

A quick look at Fedora 10 Preview: "Fedora 10 offers some nice new features, including the new Plymouth graphical boot system, a new version of Network Manager with improved support for 3G connectivity, better printing support, and lots of virtualization improvements. It ships with version 2.6.27 of the Linux kernel, which brings significantly improved webcam device compatibility, and GNOME 2.24, the latest version of the popular desktop environment. The reliability of the audio stack gets a big boost in this release with the inclusion of glitch-free PulseAudio. Package management is also much better thanks to the inclusion of RPM 4.6 and better PackageKit integration."

On releasing YaST without openSUSE: "YaST is, for me, one of openSUSE's major strengths, and I think it'd be beneficial for other distros and projects to use and extend. Linux, after all these years, still lacks a good, comprehensive, and cross-distro system management tool that's suitable for use at the console or from the desktop. (YaST qualifies as good and comprehensive, in my book, but falls down on the "cross-distro" part.)"
Interviews

Claes Backstrom has been interviewed. "This week on "People of openSUSE" we have interviewed openSUSE Election Committee member, Senior Linux Trainer and VMware Trainer Claes Backstrom. Besides all these titles he has he still has time to package games on openSUSE Build Service, beta testing, and promoting openSUSE in his North European cold country, Sweden!"
Page editor: Rebecca Sobol
Attendees at this year's Kernel Summit were treated to an early prototype version of the Gumstix Overo miniature Linux-powered cpu board on top of the Overo Buddy motherboard. The system packs all of the functions of a desktop computer onto a platform that is slightly larger than a credit card.
The Specifications for the Overo processor board include:
Upon receiving the Overo Buddy board, the only way to establish a connection was via an emulated serial connection over one of the USB ports using the provided USB cable, as explained here. This worked as advertised; it was possible to watch the system boot up and then log into a root shell. At this point, your author decided to try the installation of the latest software on the removable microSD memory. As directed by the instructions, the software image was downloaded and installed on the memory using another machine and the provided microSD adapter card. Again, this proceeded without any problems, and the machine booted with the new image.
Running the full X environment required purchasing a USB hub, a USB keyboard and mouse, an assortment of USB cables and a Mini DVI to DVI adapter for the monitor connection. The Mini DVI adapter was a bit wide, and the strain relief around the Overo Buddy's power supply connector had to be clipped off to allow the two connectors to be plugged in at the same time.
Getting the USB cabling right was a bit of a challenge. On the first attempt, the DVI monitor showed an X login window, but the keyboard and mouse were not active. Digging through the documentation revealed the source of the problem: the OTG USB port needed a type A cable, and your author was using a type B cable. The Wikipedia USB documentation was consulted, and your author used a special surface mount soldering iron to create a tiny solder jumper between pins 4 and 5 (the ID pin and ground) of the Overo Buddy's micro-USB jack, simulating the correct cable; grounding the ID pin is what tells an OTG port to act as the host. Upon booting, the keyboard and mouse came to life.
When logging into the Overo's X Window System, one is presented with the simple but effective Enlightenment window manager. Applications include the typical collection of an X terminal, a file manager, a text editor (gpe_edit), the Midori web browser, a mail client, an instant messenger client, and a selection of four games. Also included are the AbiWord word processor, the Gnumeric spreadsheet, and basic audio record and play utilities. A large collection of GUI-based admin tools and window system configuration tools are available. Both ssh and scp are also installed on the system, so secure network connections are possible. Unfortunately, both the audio recorder and player froze up during basic tests, and their windows did not go away until the system was rebooted; this appears to be some kind of audio hardware issue.

The next step to having a functioning system would be to have some kind of networking. The Overo processor has built-in 802.11 wireless networking and Bluetooth, but neither of those systems functioned; that is a known issue with some of the early-run prototype boards. One still has the option of adding USB WiFi and Ethernet adapters to the Overo; several devices are supported natively. Once networking is established, it should be possible to use the network-based applications, transfer user data, and add more application packages.
Having so much functionality in something as tiny as the Overo Buddy board seems like an amazing technological feat. Gumstix has truly achieved a new milestone in the miniaturization of Linux systems. Production versions of this system are scheduled for release in the fourth quarter of 2008.
Clusters and Grids
Database Software

The addition of Sphinx support to Firebird has been announced. "Sphinx is a very powerful and popular free open source full-text search engine. At the end of October 2008, Sphinx 0.9.8.1 was released. During the summer, Vlad Khorsun and Pierre Yager made a patch for Sphinx, to have it support Firebird. Now, with the blessing of its author, Andrew Aksyonoff, they want to make their patch and Windows binaries publicly available for you to try out. Whilst it is still far from real "full text search" support in Firebird, Vlad and Pierre believe it is a first little step in that direction." A Linux patch is also available.

A new FlameRobin release has been announced. "FlameRobin is a lightweight and cross-platform administration and management GUI for the Firebird DBMS. A new release is out. It brings new features like Firebird 2.1 support, tabbed browsing, etc."

A new Hibernate Pojo Generator release has been announced. "Hibernate Pojo Generator generates all the Java code necessary to access a database via Hibernate Annotations (+ Spring) including JUnit tests (1 per table) that are able to run immediately without further customizations. New release: adds maven support, db version checking and more."
Embedded Systems

New releases of BusyBox, a collection of command line utilities for embedded systems, have been announced. The releases feature the new blkid and devmem applets, other improvements and bug fixes.
Audio Applications

A new issue of Amarok Insider has been published. Topics include: "Release plans, Final look for 2.0, Context View, The Playlist, Brand new PopUp Dropper, Web services unmasked, A bit about Biased playlists, Scripting, Mac OS X and Windows installers, Features missing in 2.0, How to help and Cool tips: Two roks."

The October Update document for the Jokosher audio editor has been published. Topics include: "Jokosher 0.10 Released, PulseAudio and JACK support, Jokosher 0.10.1 Bug Fix Release and Multichannel Recording Works!"

"NASPRO, recursive acronym for "NASPRO Architecture for Sound PROcessing", is a free/open source, modular and cross-platform sound processing framework with a strong emphasis on interoperability. Its main aim is to provide users and developers a full-featured tool to do sound manipulation using heterogeneous technologies which are already available (such as LADSPA or LV2 plugins) and at the same time make it easy to develop new ones without breaking interoperability." See the Change Log for release highlights.
Desktop Environments

GNOME 2.25.1 has been released. "And here's the beginning of a new cycle! 2.25.1 marks the first release towards our 2.26 release that will happen in March 2009. Until then, I'm sure we'll see some good changes going on -- like all the efforts about getting rid of libgnome or cleaning up various things."
Desktop Publishing

LyX 1.6.0 has been released. "LyX 1.6.0 is the culmination of 15 months of hard work and you can find an overview of the new features here: http://wiki.lyx.org/LyX/NewInLyX16".
Interoperability

A new release has been announced. Changes include: "Substantial parts of inetcomm implemented (for Outlook), Still better crypt32 support, Memory management improvements, Theming support for buttons and Various bug fixes."
Multimedia

A new release has been announced. "In this release: Albanian, Chinese (Simplified), Chinese (Traditional), Turkish, Italian, German, Polish languages are updated, DTS High Resolution Audio, DTS Master Audio and DTS Express support, AES3 (PCM) support, interlacement in VC-1 in WMV files detection, E-AC-3 in MPEG-4 container support, and a lot of bugs correction".
Music Applications

guitarix: "guitarix is a simple Linux amplifier for jack (Jack Audio Connection Kit) with one input and two outputs. Designed to get nice thrash/metal/rock guitar sounds. There are controls for bass, treble, gain, preamp, balance, distortion, freeverb, impulse response (), crybaby (wah) and echo. A fixed resonator will be used when distortion is disabled. For 'pressure' in the sound you can use the feedback and feedforward sliders."

Tapeutape and Tranches: "I've just opened a new website http://tardigrade-inc.com to release the new versions of Tapeutape (virtual sampler) and Tranches (beat repeat/redirect/rearrange). These new versions include better gui, better lash support, and bug corrections (thanks Ken Restivo). New features will follow."
Office Applications

PeaZip 2.4 has been announced. "Release 2.4 continues the path of previous releases in enhancing the usability of PeaZip, especially as a general purpose file manager. New localizations and new icons are featured, drag and drop on Windows benefits from an information panel which follows the mouse, and the clipboard was made more powerful and flexible, optionally allowing multiple cut/copy operations to be stored in the clipboard."

Task Coach: "Task Coach is a simple task manager that allows for hierarchical tasks, i.e. tasks in tasks. Task Coach is open source (GPL) and is developed using Python and wxPython."
Office Suites

A report covers the KOffice Sprint, held in Berlin. "Talking to developers revealed the status of several of the applications. The many changes in the core of KOfficelibs but also further down the stack, like KDELibs and Qt 4 forced Kexi to rewrite large parts of the application. This means despite the fact the KDE 3 version was very mature and stable, Kexi won't be joining the 2.0 release. Nonetheless, the developers stress that version 1.6.x is still ahead of the competition, at least in the Free Software world."
Miscellaneous

A bug fix release of EMC has been announced. "EMC is software that implements real-time control of equipment such as machine tools, robots, and coordinate measuring machines. It runs in realtime under Linux with the RTlinux or RTAI patch. It provides a software PLC, and uses the HAL for flexibility."

TakeNote: "TakeNote is ideal for storing your class notes, TODO lists, research notes, journal entries, paper outlines, etc in a simple notebook hierarchy with rich-text formatting, images, and more. Using full-text search, you can retrieve any note for later reference."
Languages and Tools
C

LLVM 2.4 has been released. "LLVM 2.4 includes many bug fixes, much faster compile times at -O0, substantially better code generation in various cases, a new PIC16 target, new IR features, and numerous other improvements and features." Lots of details can be found in the release notes.
Perl

A new perl 5.8.x release has been announced. "This is a maintenance release for perl 5.8.x, providing bug fixes and integrating module updates from CPAN."

This Week on perl5-porters is out with the latest Perl 5 news.
PHP

A new TCPDF release has been announced. "This version fixes a bug on HTML justification. TCPDF is a Free Libre Open Source PHP class for generating PDF documents without requiring external extensions. TCPDF supports UTF-8, Unicode, RTL languages and (x)HTML. The TCPDF project was started in 2002 and now it is freely used all over the world by millions of people."
Python

The second release candidate for Python 3.0 has been announced. "On behalf of the Python development team and the Python community, I am happy to announce the second release candidate for Python 3.0. This is a release candidate, so while it is not suitable for production environments, we strongly encourage you to download and test this release on your software. We expect only critical bugs to be fixed between now and the final release, currently planned for 03-Dec-2008."

RPyC: "RPyC (Remote Python Call) is a transparent and symmetrical python library for remote procedure calls, clustering and distributed computing. RPyC makes use of object-proxying, a technique that employs python's dynamic nature, to overcome the physical boundaries between processes and computers, so that remote objects can be manipulated as if they were local."
IDEs

announced. "The XPL editor is an RCP Eclipse application based on the eXtensible Presentation Language, an xml-based presentation language built on top of Visual Design Patterns. For more information about XPL, visit http://semantics.eng.it/xpl/index.html. The XPL Editor 0.1 has been released, improving the multimodal features and the XSL Transformation of XPL Pages for the eXtensible Dynamic Presentation Manager (XDPM), a framework for the multimodal and multichannel presentation, published on Sourceforge."
Libraries

announced; it adds bug fixes and usability improvements. "The dlib C++ library is a modern general purpose C++ toolkit with a focus on portability and program correctness. It comes with extensive documentation and thorough debugging modes. The library provides a platform abstraction layer for common tasks such as interfacing with network services, handling threads, and creating graphical user interfaces. Additionally, the library implements many useful algorithms such as data compression routines, linked lists, binary search trees, linear algebra and matrix utilities, machine learning algorithms, XML and general text parsing, and many other general utilities."
Version Control

"This release of Bazaar adds a new repository format, ``1.9``, with smaller and more efficient index files. This format can be specified when creating a new repository, or used to losslessly upgrade an existing repository. bzr 1.9 also speeds most operations over the smart server protocol, makes annotate faster, and uses less memory when making checkouts or pulling large amounts of data."
Page editor: Forrest Cook
Linux in the news
Recommended Reading

a lengthy paper on the network neutrality debate. One can guess its conclusions simply by noting that it is hosted at the Cato Institute, but those conclusions are backed up by substantial research and reasoning. "Yet many deregulationists underestimate the importance of the Internet's end-to-end architecture and are too cavalier about abandoning the neutral network for a tiered, filtered, more centrally managed one. The decentralization made possible by the Internet's open architecture is the key to its astonishing growth, and there is little reason to think that it would be an improvement for the Internet's decentralized 'dumb' architecture to be replaced by a more centralized 'smart' one." Worth a read for those who are interested in this subject.
Companies

reports that Creative has released Linux drivers with source code under the GPLv2 for its X-Fi and X-Fi Titanium series of sound cards for both 32 and 64-bit operating systems. "We'd expect a wide range of people jumping at the opportunity to be able to develop their own Linux drivers for the X-Fi cards and implement the missing features and add some of their own. We can't wait to see what happens, but it might be some time before we see full feature support, but it's great to see that Creative has finally come to its senses."
Linux Adoption

covers recently published guidelines on the procurement of open source software from the European Commission. "The Open Source Repository and Observatory (OSOR), a new site sponsored by the European Commission to foster the exchange of FOSS related information and software among European public administrations, recently published guidelines on the procurement of open source software. Public administrations in Europe have to follow public tender procedures and the new guidelines give practical and legal advice on how open source software and related services can be incorporated into the procurement process."
Legal

continues looking into the Bilski decision. "So let's look now at the dissenting opinions, as text, so you can give consideration to the point of view of those who sincerely believe that patents should cover more than they now can. You'll note that the State Street decision was in 1998. Some of these justices were sitting on the court at that time. The decision in State Street was decided by three judges, Giles Sutherland Rich, who passed away in 1999, and justices Plager and Bryson, still serving. Judge Rich wrote the decision in State Street, when he was 94 years old. Most of the 16 judges that decided Bilski were serving in 1998, only four of them having been appointed later than that. You'll see Justice Newman referenced in one of the footnotes of that State Street decision, footnote 10. So she is no newbie to patent law."

continues an analysis of the Bilski case, which is about the patentability of business methods. "I know. It takes us into OMG territory. It's what Bilski was trying to address. The AT&T decision built on and depended on State Street, and Judge Mayer is saying that State Street came out of the blue, contradicting prior common law and the patent statutes, and it really needs to be clearly killed off and buried, along with any of its children, because it was a mistake, one that launched what he calls 'a legal tsunami' of regrettable patents on what ought to be the unpatentable."
Resources

an attempt to reproduce the five-second Linux boot experiment using Debian. "Inspired by this work, and because I have the same laptop, I decided to try to reproduce their results. So far I have not come very close to their 5 seconds, but I have made some significant improvements compared to the default boot time for Debian on that machine; this article describes what I've done."
Reviews

reviews several small Linux distributions. "SliTaz Linux is a unique Linux breed created from scratch by Christophe Lincoln. Heavy application of gzip and lzma compression, plus removal of everything but 'the minimum necessary to make it work' (in the estimation of SliTaz's creator) have reduced its boot image to a remarkable 30MB."

takes a look at Smolt, a hardware profiling tool developed by Fedora. "Linux users are not an easy bunch to profile or to count. Many Linux users download the operating system for free and never perform any kind of systems registration to enumerate their hardware. That's where Smolt may be able to help fill the gap. Smolt is an open source hardware profiling technology that is already being used by Red Hat's Fedora and is set for inclusion in the upcoming Novell OpenSUSE 11.1 release."
Page editor: Forrest Cook
Commercial announcements

"Appro, a leading provider of supercomputing solutions, today announces the final deployment of Appro Supercomputing Clusters to Advanced Simulation and Computing (ASC) that integrates the work of the three National Nuclear Security Administration (NNSA) Defense Programs laboratories: Lawrence Livermore National Laboratory, Los Alamos National Laboratory and Sandia National Laboratories. This procurement was awarded to Appro last year for the TLCC07 program."

"Discretix CPRM (Content Protection for Recordable Media) secures the distribution and use of music, video and other premium content on SD cards and mobile handsets. As a software-based security solution, CPRM Client eliminates the need for a dedicated hardware CPRM chip, reducing Bill of Materials cost and greatly improving flexibility for mobile device OEMs. Fully compliant with 4C-Entity standards, CPRM Client protects music, movies, photos and other multimedia content subject to commercial digital rights while in use or in storage."

"The new subsidiary 'Fixstars Solutions, Inc.', of San Jose, California, maintains the entire Terra Soft staff, product line, and regional offices in Loveland, Colorado." Former Terra Soft CEO Kai Staats is now COO of Fixstars Solutions.

announced the release of Movial Browser D-Bus Bridge. "Movial, the company that inspires rich, intuitive Internet experiences, today announced it has released its innovative Browser D-Bus Bridge open source code into the Mobile Linux community. Movial Browser D-Bus Bridge removes the complexity of Linux User Interface (UI) development and empowers Web developers and designers, operators and device manufacturers for the first time ever, to easily create extremely capable UIs for open handsets. This technology helps transform Web widgets into seamless user driven mobile applications providing new, value-added and differentiated services and superior user experiences."

announced a transition program to help companies move to SUSE Linux. "The new program is in response to growing customer demand for help as they make the strategic decision to transition their data center Linux infrastructure from existing third-party distributions, such as Red Hat Enterprise Linux and CentOS, to SUSE Linux Enterprise Server." Once upon a time, distributors competed mostly against Unix and Windows; now they are starting to compete more strongly against each other.

"Wingware has released version 3.1.5 of Wing IDE, a bugfix release for all three product levels of Wing IDE."

launched its Open Firewall Pico and Open Firewall SOHO, the first open hardware firewalls based on its Gatekeeper technology. "The Open Firewall products are extremely powerful Linux-based miniature computers with 520 MHz ARM CPU, 128 RAM and 128 Flash memory. These unique products will enable developers, security professionals and hobbyists to experiment with Yoggie's own open source hardware firewall for the first time."
Contests and Awards

announced a development contest for their Application Extension Platform. "Cisco is inviting application developers who 'think outside the box', to innovate and promote the concept of the network as a platform. This is your opportunity to build exciting Linux based applications on the Cisco Application Extension Platform (AXP), and win a share of the total prize pool valued at US $100,000."

Jerry Gay, a core Parrot and 'Rakudo' Perl 6 implementation hacker, and Patrick Michaud, head of the 'Rakudo' Perl 6 implementation on the Parrot VM.
Education and Certification

"The O'Reilly School of Technology (OST) has announced the addition of a new Java Programming Certificate Series to its current list of offerings. Designed to introduce beginning and entry-level programming students to Java and object-oriented concepts, the program helps students progressively attain the advanced skills they need to compete in today's career market. With satisfactory completion of the series, students earn a Certificate for Professional Development from the University of Illinois Office of Continuing Education."
Meeting Minutes

The minutes from the October 29, 2008 Perl 6 Design Meeting have been published. "The Perl 6 design team met by phone on 29 October 2008. Larry, Allison, Patrick, Jerry, Will, Jesse, Nicholas, and chromatic attended."
Calls for Presentations

announced the DOHCS Extended Call For Papers. "DOHCS, the 2009 Demonstrating Open Source Health Care Solutions conference, has extended their call for presentations until November 15th. The 3rd Annual DOHCS conference will be held on February 20, 2009 at the LAX Westin Hotel in Los Angeles, CA."

"FOSDEM is probably the most developer-oriented Free and Opensource conference, taking place in Brussels, Belgium on Saturday 7 and Sunday 8 February 2009. Apart from having many invited speakers, the conference offers developer rooms, stands and lightning talks to projects from the Free and Opensource community." The submission deadline is December 26.

"UKUUG's annual Large Installation Systems Administration (LISA) conference will take place in London from 24-26 March 2009. The conference will be preceded by a Kerberos tutorial. We are currently accepting talks; so if you are a systems administrator, we want to hear from you." Submissions are due by November 26.
Upcoming Events

"Nexedi wants to invite all ERP5 users, developers and academic researchers to participate in ERP5 World Forum organized as part of Open World Forum in Paris on December 1, 2008. This will be a collaborative innovation event that will focus on ERP5 and ERP5 Express communities meeting to discuss and define the road map of ERP5 based on recent advances and latest trends in disciplines of management."

"Registration has opened for ETech, the O'Reilly Emerging Technology Conference, scheduled for March 9-12 at the Fairmont Hotel in San Jose, California. Conference chair Brady Forrest has unveiled the program, which explores the technology of abundance and constraints to discover ideas that matter."

Linux Audio Conference will take place at La Casa della Musica in Parma, Italy on April 16-19, 2009. "The LAC will go outside Germany for the first time, but we will keep close to the familiar four-day format with paper presentations, workshops, electro-acoustic music concerts, and the Linux Sound Night."

"Part of the 2008 edition of the make art festival, this 3-day workshop taught by Andy Farnell (GB) and assisted by Stéphane Léveillé (FR) is focused on sound design and Pure Data software. It aims to familiarize participants with the basics of sound, audio synthesis and effects using Pd. While learning how to build their own sounds and musical tools, the participants will end up playing all together over the local network."
| Date | Event | Location |
|---|---|---|
| | Middle East IT Security Conference | Dubai, UAE |
| | Linux Foundation Japan Symposium | Tokyo, Japan |
| | FreedomHEC Taipei 2008 | Taipei, Taiwan |
| November 22 | The phpnw08 conference | Manchester, UK |
| November 22 | PGDay Rio de la Plata | Buenos Aires, Argentina |
| November 22 | Mandriva 2009 Installfest | Everywhere, World |
| | FOSS.IN 2008 | Bangalore, India |
| | make art 2008 | Poitiers, France |
| November 28 | Informazione geografica aperta e libera | Pontedera (PI), Italy |
| | WhyFLOSS La Plata - Argentina | La Plata, Argentina |
| November 29 | LinuxDay in Vorarlberg (Deutschland, Schweiz, Liechtenstein und Österreich) | Dornbirn, Austria |
| December 1 | First Nuxeo Developer Day | Paris, France |
| | Open World Forum | Paris, France |
| | Open Source Developers' Conference 2008 | Sydney, NSW, Australia |
| | PIKSEL08 - code dreams | Bergen, Norway |
| | FOSSCamp | Mountain View, CA, USA |
| | International Joint Conferences on Computer, Information, and Systems Sciences, and Engineering | Online |
| | Computer Measurement Group Conference 2008 | Las Vegas, NV, USA |
| | Ubuntu Developer Summit | Mountain View, CA, USA |
| December 8 | Forum PHP Paris 2008 | Paris, France |
| | First Workshop on I/O Virtualization | San Diego, CA, USA |
| December 13 | NLLGG meeting/BSD Community Day | Utrecht, The Netherlands |
| | Chaos Communication Congress | Berlin, Germany |
| | Consumer Electronics Show | Las Vegas, NV, USA |
| | Fedora User and Developer Conference | Boston, USA |
| | Foundations of Open Media Software 2009 | Hobart, Tasmania, Australia |
| | Camp KDE 2009 | Negril, Jamaica |
If your event does not appear here, please tell us about it.
Web sites

OLEX Wazi site. "OLEX Wazi is a clearinghouse for the timeliest commentary on open source, said Kim Weins, senior vice president of marketing at OpenLogic. It features innovative content from the best thinkers in open source today. We're looking for ongoing contributions from a range of experts and will collaborate with the best technical, legal and business minds in the field."
Page editor: Forrest Cook
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds