LWN.net Weekly Edition for November 20, 2008
BBC opens a little more content for Linux
The British Broadcasting Corporation (BBC) has long dabbled with free software, starting a number of new projects and opening content via their backstage developer network. Now they've announced a bold new step forward, releasing an experimental service—initially just for Linux users—with open access to some multimedia content, which has already spun out in unexpected ways.
The BBC's Research and Innovation team took a fairly conventional commissioning process for this experiment. Having identified the feature—help existing content to "surface" in multimedia applications, so users don't need to browse around the web site—they went on to find the right approach. George Wright and his team settled on integrating BBC content into the Totem media player with Canonical, aiming to get a first version out with the recent Intrepid release. Things then moved quickly. Discussions with the company contracted to do the Totem work (Collabora) started in spring 2008, although according to Christian Schaller from Collabora "it was probably around July things got concrete". Over a few autumn months the work was completed, opening up a large number of radio shows to Ubuntu users worldwide (although much of the content is restricted to the UK because that's who pays the TV license that funds the BBC).
This great new feature, exclusive to Ubuntu, was promoted in the Intrepid press release but received little attention in the media. Given that it still only delivers a fraction of the content you can get through iPlayer (proprietary Windows software full of DRM technology) this is hardly surprising. That you can stream Dirac-encoded videos released under Creative Commons licenses is obviously still a bit geeky for most.
But that doesn't stop free software developers. Barely days after the Totem announcement, Nikolaj Hald Nielsen wrote a script to neatly integrate the content in Amarok 2.0. As a core Amarok developer his main motivation was familiar: "I wanted to inspire other people to write similar scripts for Amarok 2, and I think it is important to have some good example scripts ready when Amarok 2.0.0 final is released". I've been watching the Amarok 2 betas come along, and having given the "get more features" dialogs in KDE a miss over the past few years, I was pleasantly surprised how well this worked. You just go to the script manager, click to get some more scripts, install the BBC script and—like magic—you get all the BBC content in the "internet" tab on the left.
Wright's team did all the hard low-level work to make this kind of adaptation straightforward. The Amarok script has delighted Wright, who is a long-time Amarok user; they've even been in touch with Nielsen to see how they can help improve the integration.
The question everyone wants an answer to is: will this ever match iPlayer for content range? Wright's team have a fairly wide remit, but they're not in charge of releasing content, so this is unlikely to change the Corporation's attitude towards DRM overnight. According to Wright, the content teams have given great feedback, but over the past five years we've seen promises of an open Creative Archive wither away, with a consumer-facing focus on proprietary products like iPlayer. Truly open content from the BBC, or even the volume of copyrighted-but-available archives released by the National Public Radio (NPR) in the US (also integrated into Amarok), is probably still a long way off.
This new service is strictly experimental, Wright says, "it's a way to experiment with distribution platforms and free software". They've also learned a lot more about developing in a free software community; although many of them have been Linux users for years, this was a first for them. Working to the feature freezes for Gnome and Ubuntu Intrepid meant the UI isn't as nice as they might have hoped, but it's a great start.
The open service is here to stay. They're not sure if they'll keep developing the Totem feature and patching against mainline in Ubuntu or Totem; time will tell. More work between Collabora, the BBC, and Canonical is also uncertain. But, since the code is all open, we can definitely expect the Totem and Amarok features to be maintained. We can also look forward to more open content integrated into free desktops in the future in a way that is extremely difficult to do with proprietary platforms.
NLnet Foundation seeks projects to fund
A little-known organization—at least outside of its native home in the Netherlands—has quietly been funding various free software projects to the tune of roughly €2.5 million a year. Most of those projects have been in the Netherlands or Europe, but it is looking to expand its reach to the rest of the world. It is "actively encouraging" submissions of funding proposals for projects that involve network technology and will be released as open source, according to NLnet Foundation Director Valer Mischenko.
The Foundation grew out of the Netherlands' first internet provider, NLnet, which laid the original backbone along the rails in that country. In 1998, it was sold to UUNet and the proceeds were invested into the Foundation. The intent of the money was to fund technology, particularly internet technology. Because the internet depends on interoperability, it just makes sense to require projects that are funded to release their code, Mischenko says.
The Foundation prides itself on being quick to answer requests for funding as there are "not too many bureaucratic layers" to the organization. Projects that try to get government funding often fall behind because it takes so much time and effort to get a grant of some kind—the technology may well have moved on. Depending on the size of the project, and the amount of funding required, answers can come as quickly as just a few weeks.
Each year, two themes are chosen to focus on so that projects in those areas get priority for funding. For 2008, those themes are "Identity, Privacy, and Presence" and "Open Document Format" (ODF). While ODF is not directly connected to network technology, the internet will be a poorer place without open formats that can be freely shared.
Part of the ODF effort was helping governments understand the importance of open formats in general and ODF in particular. One of the outcomes of that work was that all agencies in the Netherlands must start using open formats or justify why they cannot.
The ODF theme is just one area where the Foundation has broadly interpreted its mission. It has helped fund the FSF Europe (FSFE) Freedom Task Force project for several years. In addition, it provided €200,000 to help pay for Eben Moglen's time to work on GPLv3 at the FSF. Mischenko notes that it is important for the foundation to fund things that will help "protect the network"; he and the board see these efforts as important in that regard.
The bulk of funding this year has gone into the Identity, Privacy, and Presence theme. A list of the currently funded projects has a number of interesting entries from support for Tor hidden services and an improved routing algorithm for GNUnet to hardware projects such as RFID Guardian and e-Passport.
The current structure of funding is made up of four "layers", each corresponding to how much the Foundation will provide as well as how long it will provide funding for. The first layer is for things like funding trips for developers and other community members to attend conferences and the like. The second layer is for commitments of up to €30,000. Currently around 15% of proposals for second layer funding are granted.
For larger projects, the third layer can provide 2-4 years of funding of up to €500-600,000 per year. The fourth layer projects are currently fixed for the next five years as the Foundation is funding DNSSEC work at NLnet Labs as well as work on intelligent agents at Vrije Universiteit Amsterdam.
Mischenko said that the board is "willing to hear about ideas that don't fit into the layers". He said that the Foundation will continue its current funding model "unless we hear a great world-changing idea that we put all our money in and then we are gone". It is not just projects that can be funded by the Foundation; any person, company, or organization can apply. "As long as it is a network technology and it will be put in open source", the Foundation will consider funding it.
[ Along those lines, the author would like to thank the NLnet Foundation for helping to fund his recent trip to the co-located NLUUG autumn Mobility conference and Embedded Linux Conference Europe in Ede, the Netherlands. ]
MinGW and why Linux users should care
The Minimalist GNU for Windows (MinGW) project is a way to get GCC and tools like binutils working to build software for the Windows environment—something that might not sound very interesting to Linux users or developers. But there are a number of advantages to porting and regularly testing free software on Windows, as Red Hat's Richard Jones and Dan Berrange explain in the following interview. Richard and Dan also describe Red Hat's involvement, how developers can participate, as well as how it all helps the free software cause.
LWN: Could you describe the MinGW project? How did it get started?
Richard: For some time I have been making Windows builds of libvirt available and, frankly, it was a real chore. I needed a Windows virtual machine to do it. But Windows is so frustrating to use and maintain: it doesn't come with any of the tools such as shells or version control that we are used to, and because I was only doing builds once a month or so I'd go back to it and find something had gone wrong that would require maintenance or even reinstallation.
During this time, we didn't routinely build libvirt for Windows. New code would inevitably break something. I had to fix things on Windows, then copy the code back to Linux and check that my fixes didn't break the Linux build, then come up with a patch, and all of this was complicated by the fundamental incompatibility of Windows with the rest of the world -- even simply copying code back and forth is irritatingly difficult when one machine is a Windows machine. (There's no ssh or scp or tar, files get executable bits set or have CRLF line endings, etc.)
At the same time we were getting a strong demand for the rest of our virt tools on Windows. Enough was enough. We decided that the only way to deal with this was to remove Windows from the equation. We wanted to build and test libvirt and the virt tools for Windows routinely (daily or more often), from the Fedora host, using the normal development environment. The way to do this is through cross-compilation (the Fedora MinGW project) and testing under emulation (Wine).
Debian & Ubuntu have been shipping the MinGW cross-compiler for quite a while, but it's important to say that the cross-compiler itself is the easy bit. The hard part about this project are the 50+ libraries and development tools that we ship and maintain alongside. Without those, just having the cross-compiler is fairly useless.
Dan: The libvirt project started a few years ago to provide an API for managing Xen virtualization hosts. Initially it was just a locally accessed C library, but over time the project expanded in scope to allow remote RPC access to the management APIs, and over other virtualization technology like QEMU, KVM, OpenVZ, LXC (native Linux containers) & User-Mode Linux. Shortly after we added support for RPC, a number of community members expressed an interest in using the client side from the Windows platform to manage their Unix hosts. Periodically people would contribute patches to make libvirt build on Windows, but soon after they were applied, new unrelated work would break the Windows build again.
It became clear that if the libvirt community was to officially support building a Windows client, then all developers needed to be able to easily test builds for Windows. The obvious stumbling block here is that most of our community developers do not use or even own Windows machines for testing. The MinGW project provides a cross compiler toolchain and stubs for the Win32 APIs to allow building of Windows executables and DLLs from a Linux host. Add in WINE and you can also run your cross-compiled build. MinGW and WINE are completely open source, so we can provide a very good level of support without ever having to purchase a Windows license or leave our primary Linux development environment.
We are not the first people to see the value in MinGW for supporting Windows platforms in open source software. Prior to the start of the Fedora MinGW effort, Fedora developers would have to build all the cross compilers & libraries themselves. This is not particularly hard, but it is a lot of wasted effort to have everyone duplicating the work. Providing the MinGW compiler toolchain, and important libraries such as libxml, gnutls, libpng, libjpeg, GLib, GTK, etc directly in the Fedora repositories enables developers to focus on their own code, rather than the cross-compilers.
LWN: What is Red Hat's involvement in MinGW?
Richard: Dan and I work for a Red Hat group responsible for fostering the development of new tools and technologies. We have an eye to productisation and I spend quite a lot of time going to customer conferences and asking them what they want to see, but as for whether MinGW will make it into some future supported Red Hat product I cannot say.
Dan: Red Hat initiated development on the libvirt project and supports its ongoing evolution with significant developer resources. Red Hat wants the libvirt project to be the de facto standard for managing virtualization hosts, and the project community members want Windows to be a supported client platform. The work we are doing on the MinGW project in Fedora is thus a response to demand from the libvirt community for better Windows support in our releases. It is just a small part of our day job, alongside major libvirt feature development for Linux systems and in particular KVM & Xen.
LWN: Why does Red Hat care? Are you going into the Windows software business now?
Richard: Red Hat certainly cares about libvirt, and making libvirt available on the widest range of platforms. The alternatives to libvirt are interfaces like XenAPI and VMWare's APIs, which lock customers into proprietary technologies. Any way we can make it easier to provide open APIs and open source software even on closed platforms like Windows is a win for Red Hat, the Linux community, and even for Windows users.
Dan: As Richard says, this effort isn't about any particular Red Hat product. It is a community focused effort to address demand from libvirt users for better Windows client support. People are interested in open source virtualization technology like Xen and KVM, as an alternative to closed source solutions. Open source exists in a heterogeneous world though, and even if someone decides to migrate their servers to virtual machines on a Linux KVM host, they may still need to manage these servers from a Windows desktop. The MinGW project helps us maintain a reliable client build for the Windows platform, and thus lets a broader spectrum of users take advantage of open source virtualization technology. Growing the size of the libvirt community, and encouraging use of virtualization is what is important to Red Hat, and the MinGW project is one small part of that effort.
LWN: Why should free software developers care about MinGW? Does it do anything for them?
Richard: There's been some opposition, along the lines of "why are we helping Windows?". IMHO people who say that are ignoring both history and reality. First the history bit: the GNU project started off as a set of better compilers and command-line tools for the proprietary Unix systems of the day. I remember before Linux was around that you'd get some horrible system like HP-UX or (in my case) OS-9, and the first thing you would do would be to install all the GNU tools. Without real GNU grep, make, awk, bash, those systems were less than useful. Eventually when GNU got a kernel (Linux) we moved over to that system because it came with all the good tools.
Second the reality bit: Windows users are locked into proprietary applications and file formats, everything from Photoshop to QuickBooks to MSN to Illustrator. No Windows user can switch without first switching all their applications, which is going to be a very long transition process. Therefore we need a way to enable the developers of Gimp, GnuCash, Pidgin, Inkscape (to pick four out of hundreds) to easily build and test their software for Windows, so they can ship their software for Windows, respond easily to bug reports, and break that proprietary lock-in. Fedora MinGW does this - in fact we already used our compiler and huge chain of libraries to port Inkscape.
Dan: The libvirt project started off with a strong Linux focus due to our immediate needs for a management API for Xen in Fedora and later RHEL-5. Over time the community has contributed patches to improve our portability to non-Linux platforms, in particular Solaris and more recently Windows. While Red Hat's focus is on Linux, enabling portability to other platforms is important because it grows the size of your developer community. Every significant open source project has a huge wishlist of features and nowhere near enough developers and testers to address them all. Cross-platform portability enlarges the pool of potential contributors. They may initially only send minor patches to fix portability bugs for Windows, but over time they can end up working on major new features that benefit every platform.
Another thing we've found in porting to other platforms, is that it can generally improve the quality of the codebase. Different compilers and runtime environments expose different bugs in an application. The more combinations you can regularly build & test on, the better the overall quality of your code.
LWN: Is there anything in particular that developers should keep in mind to make life easier for people building their code for MinGW?
Richard: My pet list would be:
- Don't write your own build system. Use autoconf/automake/libtool or cmake. That's not to say I'm a great fan of autoconf, but these really do make cross-compilation almost trivial. Autoconf-based programs can generally be cross-compiled by doing:
    yum install mingw32-*
    ./configure --host=i686-pc-mingw32
    make
- Don't try to run executables during the build phase. It doesn't work when you're cross-compiling.
- Do use pkg-config. And if you can't use pkg-config, then make sure your *-config program is a shell script, not a binary.
- Do use common, portable libraries such as glib, gtk, libvirt or any of our other libraries.
- Please use Fedora MinGW to routinely cross-compile your own code for Windows.
Dan: I have been pleasantly surprised at just how easy it has been to build many open source libraries with MinGW. Despite almost universal dislike for autotools, the applications which use autotools have been some of the easiest to port, particularly when it comes to building DLLs. The apps with home-brewed build systems have been much more involved. I definitely echo Richard's suggestion to stick to a broadly supported build system like autotools or cmake.
Any project which is serious about enabling support for Windows in their releases should make sure they are running regular automated builds & tests of their codebase. This is actually just good sense for any software engineering project regardless of whether Windows support is desired - it just happens to be particularly useful for configurations that developers rarely test on a day-to-day basis to avoid otherwise unnoticed regressions.
If you are not using a support library like GLib, QT or NSPR (which provides a degree of cross-platform portability) then seriously consider making use of Gnulib. This is a library of code which you can drop into an application, fixing POSIX API portability problems on various platforms. As an example, it replaces Winsock's socket() call so it returns real file descriptors that you can use in both read() and recvfrom(). It can't fix all problems - such as the lack of fork()/exec() on Windows - but if your application / library is written against POSIX, using Gnulib will significantly improve your portability across all Linux, UNIX and Windows platforms.
LWN: What are the biggest challenges that your project faces now? How can the community help?
Richard: Scaling the project is a big challenge. Red Hat dedicates quite limited resources to this project. The only way we can scale it is if the application developers themselves start to use our tools to build and maintain their own programs. I would like to see everyone who has an important Linux app or library start building and shipping for Windows routinely. Bringing open APIs, apps and file formats to Windows users is important: It's important to Windows users because it breaks their lock-in and makes switching to a fully free platform easier down the road. It's important for you, because your potential audience of users will increase by a factor of 10x or 20x.
Dan: Spreading the package maintenance job across a larger number of Fedora members is an important task. There is a limit to how many packages a single person can do a good job at maintaining. To make it manageable we track & pull patches from the native builds to the MinGW cross-compiled builds of common packages. Ultimately we still need more package maintainers to look after the cross-compiled builds.
There are some core pieces of the open source ecosystem which do not work / are not fully portable to a Win32 environment. The most obvious one being DBus, which is used by an ever increasing number of apps for local RPC. There have been a number of efforts to port DBus, but none ever completely finished & merged into the official releases.
LWN: Anything else you'd like to say to LWN readers?
Richard: Get involved.
Dan: Cross platform portability is often beneficial to your project even if you personally only care about its use in Linux. In the libvirt case it is opening up use of libvirt & virtualization to a set of users who have only ever had access to closed source virtualization technology. Portability broadens the pool of potential contributors to your project. Open source developers on the various BSDs, OpenSolaris, and Windows all have the potential to make valuable contributions to your project.
[ We would like to thank Richard and Dan for taking time to answer our questions. ]
Security
SSH plaintext recovery vulnerability
A somewhat mysterious SSH vulnerability has been reported in a way that unfortunately looks a bit like partial disclosure. In this case, though, there is a workaround that is supposed to alleviate the problem, so there are good reasons—as opposed to publicity-oriented reasons—to announce the flaw. While it is difficult to exploit, it does expose up to 32 bits of plaintext from within an SSH session, which is a failure mode that is rather worrisome.
The flaw has only been confirmed in OpenSSH 4.7p1, but the announcement indicates that it is likely to be much more widespread: "We expect any RFC-compliant SSH implementation to be vulnerable to some form of the attack." The flaw is in the design of SSH and can allow an attacker who has "control over the network"—presumably the ability to monitor and inject traffic—to recover 32 plaintext bits with a very low probability (2^-18). The bits recovered come from an attacker-selected block of ciphertext. The attack leads to the termination of the SSH connection, so iterative attacks will be difficult or impossible.
It is hard to get too worked up about that kind of attack, even with many of the details lacking, but typically these kinds of flaws can be expanded in various ways. The announcement mentions variants that recover 14 bits with a probability of 2^-14. It also carries the following warning: "The success probabilities for other implementations are unknown (but are potentially much higher)." It is a security tautology that vulnerabilities only get bigger over time, which we have seen in various contexts, notably in DNS cache poisoning flaws over the years.
Another bit of information provided by the Centre for the Protection of National Infrastructure (CPNI), the UK government agency that issued the advisory, is that the attack analyzes "the behaviour of the SSH connection when handling certain types of errors". This particular attack is also only applicable to the default cipher-block chaining (CBC) mode, so switching to counter (CTR) mode works around the flaw.
OpenSSH supports the use of AES in CTR mode, which is what the advisory recommends using:
There is quite a bit of information in the advisory that might lead a determined attacker in the "right" direction. It might also provide enough for someone to come up with attacks that are more probable and/or reveal more plaintext. So far, the Internet Storm Center is reporting that they have not seen any evidence that the flaw is being exploited in the wild.
OpenSSH has not, as yet, addressed the issue, at least on their security page. At least in its current form, there is probably very little to worry about from this flaw, but very security-conscious SSH users will want to apply the workaround.
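One way to check whether a host has the CBC-to-CTR workaround in place is to inspect the Ciphers directive in its OpenSSH configuration. The script below is an added example, not code from the advisory or from OpenSSH. It assumes an sshd_config-style file with a plain comma-separated Ciphers list, ignores Host/Match scoping, and its sample configuration is constructed.

```shell
#!/bin/sh
# Added example: report CBC-mode ciphers enabled in an OpenSSH config file.
# Exit status of audit_ssh_ciphers: 0 = no CBC ciphers listed,
# 1 = CBC ciphers listed, 2 = no Ciphers directive (built-in defaults apply).

# Print the value of the first Ciphers directive in file $1.
# OpenSSH uses the first value it obtains for a keyword, so later
# Ciphers lines in the same file are ignored here as well.
effective_ciphers() {
    awk '
        { sub(/^[ \t]+/, "") }                    # strip leading whitespace
        /^#/ || /^$/ { next }                     # skip comments and blank lines
        tolower($0) ~ /^ciphers[ \t=]/ {
            sub(/[ \t]*#.*$/, "")                 # drop a trailing comment
            sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "")   # drop keyword and separator
            gsub(/[ \t\r"]/, "")                  # drop stray blanks, CR, quotes
            print
            exit
        }
    ' "$1"
}

# Print the comma-separated subset of the effective list that is CBC mode.
cbc_ciphers() {
    list=$(effective_ciphers "$1")
    old_ifs=$IFS
    IFS=,
    out=
    for c in $list; do
        case $c in
            *-cbc|*-cbc@*) out="${out:+$out,}$c" ;;   # e.g. aes128-cbc, 3des-cbc
        esac
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Summarise the file: one line of output plus the exit status described above.
audit_ssh_ciphers() {
    list=$(effective_ciphers "$1")
    if [ -z "$list" ]; then
        echo "DEFAULT: no Ciphers directive; built-in defaults apply"
        return 2
    fi
    bad=$(cbc_ciphers "$1")
    if [ -n "$bad" ]; then
        echo "CBC: $bad"
        return 1
    fi
    echo "OK: $list"
    return 0
}

# Demo on a constructed sshd_config fragment (not taken from a real host).
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'Port 22' \
        'Ciphers aes128-cbc,3des-cbc,aes256-ctr' > "$f"
    audit_ssh_ciphers "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# With a file argument, audit that file; otherwise run the demo.
if [ $# -gt 0 ]; then
    audit_ssh_ciphers "$1"
else
    demo || true
fi
```

A result of 2 means the file does not pin a cipher list, so the outcome depends on the installed version's defaults, which the article says are CBC mode.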
New vulnerabilities
clamav: arbitrary code execution
Package(s): clamav
CVE #(s): CVE-2008-5050
Created: November 17, 2008
Updated: December 24, 2008
Description: From the Mandriva advisory: An off-by-one error was found in ClamAV versions prior to 0.94.1 that could allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted VBA project file (CVE-2008-5050).
cobbler: arbitrary code execution
Package(s): cobbler
CVE #(s):
Created: November 19, 2008
Updated: November 24, 2008
Description: From the Fedora advisory: Fixes a security vulnerability where a CobblerWeb user (if so configured) can import a Python module via a web-edited Cheetah template and run commands as root.
firefox: policy bypass
Package(s): Mozilla, firefox, seamonkey
CVE #(s): CVE-2008-4582
Created: November 14, 2008
Updated: January 8, 2009
Description: From the CVE entry: Mozilla Firefox 3.0.1 through 3.0.3 on Windows does not properly identify the context of Windows .url shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information via an HTML document that is directly accessible through a filesystem, as demonstrated by documents in (1) local folders, (2) Windows share folders, and (3) RAR archives, and as demonstrated by IFRAMEs referencing shortcuts that point to (a) about:cache?device=memory and (b) about:cache?device=disk, a variant of CVE-2008-2810.
firefox: arbitrary code execution
Package(s): firefox
CVE #(s): CVE-2008-5015
Created: November 13, 2008
Updated: November 26, 2008
Description: Firefox has an arbitrary code execution vulnerability. From the Red Hat alert: A flaw was found in the way Firefox opened "file:" URIs. If a file: URI was loaded in the same tab as a chrome or privileged "about:" page, the file: URI could execute arbitrary code with the permissions of the user running Firefox.
geda-gnetlist: insecure tmp file usage
Package(s): geda-gnetlist
CVE #(s): CVE-2008-5148
Created: November 19, 2008
Updated: March 9, 2009
Description: From the Red Hat bugzilla: sch2eaglepos.sh in geda-gnetlist 1.4.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/##### temporary file.
htop: process name sanitizing
Package(s): htop
CVE #(s): CVE-2008-5076
Created: November 19, 2008
Updated: November 25, 2008
Description: From the Red Hat bugzilla: htop 0.7 writes process names to a terminal without sanitizing non-printable characters, which might allow local users to hide processes, modify arbitrary files, or have unspecified other impact via a process name with "crazy control strings."
initscripts: denial of service
Package(s): initscripts
CVE #(s): CVE-2008-4832
Created: November 13, 2008
Updated: November 19, 2008
Description: initscripts has a denial of service vulnerability. From the rPath alert: Previous versions of the initscripts package are vulnerable to a Denial of Service attack in which a local user may cause arbitrary files to be deleted at next boot time by creating symlinks under various /var subdirectories.
libcdaudio: heap overflow
Package(s): libcdaudio
CVE #(s): CVE-2008-5030
Created: November 13, 2008
Updated: December 7, 2009
Description: libcdaudio has an arbitrary code execution vulnerability. From the Debian alert: It was discovered that a heap overflow in the CDDB retrieval code of libcdaudio, a library for controlling a CD-ROM when playing audio CDs, may result in the execution of arbitrary code.
libxml2: multiple vulnerabilities
Package(s): libxml2
CVE #(s): CVE-2008-4225 CVE-2008-4226
Created: November 17, 2008
Updated: August 12, 2009
Description: From the Red Hat advisory: An integer overflow flaw causing a heap-based buffer overflow was found in the libxml2 XML parser. If an application linked against libxml2 processed untrusted, malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code. (CVE-2008-4226) A denial of service flaw was discovered in the libxml2 XML parser. If an application linked against libxml2 processed untrusted, malformed XML content, it could cause the application to enter an infinite loop. (CVE-2008-4225)
mysql: denial of service
Package(s): mysql-dfsg-5.0
CVE #(s): CVE-2008-3963
Created: November 18, 2008
Updated: March 8, 2010
Description: From the Ubuntu advisory: It was discovered that MySQL did not handle empty bit-string literals properly. An attacker could exploit this problem and cause the MySQL server to crash, leading to a denial of service.
optipng: buffer overflow
Package(s): | optipng | CVE #(s): |
Created: | November 13, 2008 | Updated: | December 2, 2008 |
Description: | OptiPNG has a buffer overflow vulnerability. From the Fedora alert: A buffer overflow flaw has been found in the OptiPNG -- PNG image optimizer. This flaw is caused due to an boundary error in the BMP image reader, responsible for handling BMP images. Local unprivileged user could use this flaw to execu[t]e arbit[r]ary code via providing a specially crafted BMP image file to the optimizer. |
php: safe_mode bypass
Package(s): | php | CVE #(s): | CVE-2008-2665 CVE-2008-2666 |
Created: | November 17, 2008 | Updated: | March 3, 2009 |
Description: | From the Gentoo advisory: Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows to circumvent safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666). |
quassel: issue with CTCP handling
Package(s): | quassel | CVE #(s): |
Created: | November 14, 2008 | Updated: | November 19, 2008 |
Description: | From this Quassel blog entry: Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie found an issue with CTCP handling in Quassel Core that allows attackers to send arbitrary IRC messages on your behalf. This issue is present in all versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381). This has been fixed in the quassel-0.3.0.3 release and also in Git and the nightly builds. |
seamonkey: multiple vulnerabilities
Package(s): | seamonkey, firefox, thunderbird | CVE #(s): | CVE-2008-0017 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5019 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024 |
Created: | November 13, 2008 | Updated: | January 8, 2009 |
Description: | Seamonkey has multiple vulnerabilities.
From the Red Hat alert:
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-0017, CVE-2008-5013, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021) Several flaws were found in the way malformed content was processed. A web site containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5012, CVE-2008-5022, CVE-2008-5023, CVE-2008-5024) |
vm-builder: privilege escalation
Package(s): | vm-builder | CVE #(s): |
Created: | November 14, 2008 | Updated: | November 19, 2008 |
Description: | From the Ubuntu advisory: Mathias Gug discovered that vm-builder improperly set the root password when creating virtual machines. An attacker could exploit this to gain root privileges to the virtual machine by using a predictable password.
This vulnerability only affects virtual machines created with vm-builder under Ubuntu 8.10, and does not affect native Ubuntu installations. |
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel is 2.6.28-rc5, released on November 15. It contains the usual pile of fixes; see the long-format changelog for the details.
The current stable 2.6 kernel is 2.6.27.6, released on November 13. It includes a fair number of fixes, one of which has a CVE number attached. As of this writing, 46 patches are under review for inclusion in 2.6.27.7 which will likely be released soon.
Kernel development news
Quotes of the week
Photos from the 2008 Kernel Summit
The Linux Foundation has posted a set of photos from the 2008 Kernel Summit. If these pictures are to be believed, the Summit involved a lot of time spent consuming alcoholic beverages. But it was a more serious event than that, honest.
kerneloops.org records its 100,000th oops
Arjan van de Ven reports that kerneloops.org has recorded oops #100,000, just shy of its first birthday. The site gathers the output of kernel oops messages, which are the crash signatures from the kernel. The intent is to find out which are the most common in order to find and fix the underlying bugs. "Other than the top 2 items, which have patches, we've done a pretty good job of fixing the high occurrence bugs (excluding the binary drivers which we obviously cannot fix)" Click below for his full report.
UKUUG: Arnd Bergmann on interconnecting with PCIe
PCI Express (PCIe) is not normally considered a way to connect computers; rather, it is a bus for attaching peripherals, but there are advantages to using it as an interconnect. Kernel hacker Arnd Bergmann gave a presentation at the recent UKUUG Linux 2008 conference on work he has been doing on using PCIe for IBM. He outlined the current state of Linux support as well as some plans for the future.
The availability of PCIe endpoints for much of the hardware in use today is one major advantage. By using PCIe, instead of other interconnects such as InfiniBand, the same throughput can be achieved with lower latency and power consumption. Bergmann noted that avoiding using a separate InfiniBand chip saves 10-30 watts which adds up rather quickly on a 30,000 node supercomputer.
There are some downsides to PCIe as well. There is no security model, for example, so a root process on one machine can crash other connected machines. There is also a single point of failure because if the PCIe root port goes down, it takes the network with it or, as Bergmann puts it: "if anything goes wrong, the whole system goes down". PCIe lacks a standard high-level interface for Linux and there is no generic code shared between the various drivers—at least so far.
As an example of a system that uses PCIe, Bergmann described the "Roadrunner" supercomputer that is currently the fastest in existence. It is a cluster of hybrid nodes, called "Triblades", each of which has one Opteron blade along with two Cell blades. The nodes are connected with InfiniBand, but PCIe is used to communicate between the processors within each node by using the Opteron root port and PCIe endpoints on the Cells.
There is other hardware that uses PCIe in this way, including the Fixstars GigaAccel 180 accelerator board and an embedded PowerPC 440/460 system-on-a-chip (SoC) board, both of which use the same Axon PCIe device. Bergmann also talked about PCIe switches and non-transparent bridges that perform the same kinds of functions as networking switches and bridges. Bridges are called "non-transparent" because they have I/O remapping tables—sometimes IOMMUs—that can be addressed by the two root ports that are connected via the bridge. These bridges may also have DMA engines to facilitate data transfer without host processor control.
Bergmann then moved on to the software side of things, looking at the drivers available—and planned—to support connection via PCIe. The first driver was written by Mercury Computers in 2006 for a Cell accelerator board and is now "abandonware". It has many deficiencies and would take a lot of work to get it into shape for the mainline.
Another choice is the driver used in the Roadrunner Triblade and the GigaAccel device which is vaguely modeled on InfiniBand. It has an interface that uses custom ioctl() commands that implement just eight operations, as opposed to hundreds for InfiniBand. It is "enormous for a Linux device driver", weighing in at 13,000 lines of code.
The Triblade driver is not as portable as it could be, as it is very specific to the Opteron and Cell architectures. On the Cell side, it is implemented as an Open Firmware driver, but the Opteron side is a PCIe driver. There is a lot of virtual ethernet code mixed in as well. Overall, it is not seen as the best way forward to support these kinds of devices in Linux.
Another approach was taken by a group of students sponsored by IBM who developed a virtual ethernet prototype to talk to an IBM BladeCenter from a workstation by way of a non-transparent bridge. Each side could access memory on the other by using ioremap() on one side and dma_map_single() on the other. By implementing a virtio driver, they did not have to write an ethernet driver, as the virtio abstraction provided that functionality. The driver was a bit slow, as it didn't use DMA, but it is a start down the road that Bergmann thinks should be taken.
He went on to describe a "conceptual driver" for PCIe endpoints that is based on the students' work but adds on things like DMA as well as additional virtio drivers. Adding a virtio block device would allow embedded devices to use hard disks over PCIe or, by implementing a Plan 9 filesystem (9pfs) virtio driver, individual files could be used directly over PCIe. All of this depends on using the virtio abstraction.
Virtio is seen as a useful layer in the driver because it is a standard abstraction for "doing something when you aren't limited by hardware". Networking, block device, and filesystem "hosts" are all implemented atop virtio drivers, which makes them available fairly easily. One problem area, though, is the runtime configuration piece. The problem there is "not in coming up with something that works, but something that will also work in the future".
Replacing the ioctl() interface with the InfiniBand verbs (ibverb) interface is planned. The ibverb interface may not be the best choice in an abstract sense, but it exists and supports OpenMPI, so the new driver should implement it as well.
Two types of virtqueue implementations are envisioned, one for memory-mapped I/O (MMIO) and the other for a DMA-based virtqueue. The MMIO would be the most basic virtqueue implementation, with a local read of a remote write. Read access on PCIe is much slower than write because a read must flush all writes then wait for data reception. Data and signaling information would have separate areas so that data ordering guarantees could be relaxed on the data area for better performance, while strict data ordering would be set for the signaling area.
The DMA engine virtqueue implementation would be highly hardware-specific to incorporate performance and other limitations of the underlying engine. In some cases, for example, it is not worth setting up a DMA for transfers of less than 2K, so copying via MMIO should be used instead. DMA would be used for transferring payload data, but signaling would still be handled via MMIO. Bergmann noted that the kernel DMA abstraction may not provide all that is needed so enhancements to that interface may be required as well.
Bergmann did not provide any kind of time frame in which this work might make its way into the kernel as it is a work in progress. There is much still to be done, but his presentation laid out a roadmap of where he thinks it is headed.
In a post-talk email exchange, Bergmann points to his triblade-2.6.27 branch for those interested in looking at the current state of affairs, while noting that it "is only mildly related to what I think we should be doing". He also mentioned a patch by Ira Snyder that implements virtual ethernet over PCI, which "is more likely to go into the kernel in the near future". Bergmann and Snyder have agreed to join forces down the road to add more functionality along the lines that were outlined in the talk.
Tbench troubles II
LWN has previously covered concerns over slowly deteriorating performance by current Linux systems on the network- and scheduler-heavy tbench benchmark. Tbench runs have been getting worse since roughly 2.6.22. At the end of the last episode, attention had been directed toward the CFS scheduler as the presumptive culprit. That article concluded with the suggestion that, now that attention had been focused on the scheduler's role in the tbench performance regression, fixes would be relatively quick in coming. One month later, it would appear that those fixes have indeed come, and that developers looking for better tbench results will need to cast their gaze beyond the scheduler.
The discussion resumed after a routine weekly posting of the post-2.6.26 regression list; one entry in that list is the tbench performance issue. Ingo Molnar responded to that posting with a pointer to an extensive set of benchmark runs done by Mike Galbraith. The conclusion Ingo draws from all those runs is that the CFS scheduler is now faster than the old O(1) scheduler, and that "all scheduler components of this regression have been eliminated." Beyond that:
This improvement is not something that just happened; it is the result of a focused effort on the part of the scheduler developers. Quite a few changes have been merged; they all seem like small tweaks, but, together, they add up to substantial improvements in scheduler performance. One change fixes a spot where the scheduler code disabled interrupts needlessly. Some others (here and here) adjust the scheduler's "wakeup buddy" mechanism, a feature which ties processes together in the scheduler's view. As an example, consider a process which wakes up a second process, then runs out of its allocated time on the CPU. The wakeup buddy system will cause the scheduler to bias its selection mechanism to favor the just-waked process, on the theory that said process will be consuming cache-warm data created by the waking process. By allowing cooperating processes like this to run slightly ahead of what a strictly fair scheduling algorithm would provide, the scheduler gets better performance out of the system as a whole.
The recent changes add a "backward buddy" concept. If there is no recently-waked process to switch to, the scheduler will, instead, bias the selection toward the process which was preempted to enable the outgoing process to run. Chances are relatively good that the preempted process might (1) be cooperating with the outgoing process or (2) have some data still in cache - or both. So running that process next is likely to yield better performance overall.
A number of other small changes have been merged, to the point that the scheduler developers think that the tbench regressions are no longer their problem. Networking maintainer David Miller has disagreed with this assessment, though, claiming that performance problems still exist in the scheduler. Ingo responded in a couple of ways, starting with the posting of some profiling results which show very little scheduler overhead. Interestingly, it turns out that the networking developers get different results from their profiling runs than the scheduler developers do. And that, in turn, is a result of the different hardware that they are using for their work. Ingo has a bleeding-edge Intel processor to play with; the networking folks have processors which are not quite so new. David Miller tends to run on SPARC processors, which may be adding unique problems of their own.
The other thing Ingo did was, for all practical purposes, to profile the entire kernel code path involved in a tbench run, then to disassemble the executable and examine the profile results on a per-instruction basis. The postings that resulted (example) point out a number of potential problem spots, most of which are in the networking code. Some of those have already been fixed, while others are being disputed. It is, in the end, a large amount of raw data which is likely to inspire discussion for a while.
To an outsider, this whole affair can have the look of an ongoing finger-pointing exercise. And, perhaps, that's what it is. But it's highly-technical finger-pointing which has increased the understanding of how the kernel responds to a specific type of stress while also demonstrating the limits of some of our measurement tools and the performance differences exhibited by various types of hardware. The end result will be a faster, more tightly-tuned kernel - and better tbench numbers too.
UKUUG: The right way to port Linux
Arnd Bergmann pulled double duty at the recent UKUUG Linux 2008 conference by giving a talk on each day of the event. His talk on Saturday, entitled "Porting Linux to a new architecture, the right way", looked at various problems with recent architecture ports along with a project he has been working on to simplify that process. By creating a generic template for architectures, some of the mistakes of the past can be avoided.
This is one of Bergmann's pet projects, that "I like to do for fun, when I am hacking on the kernel, but not for IBM". The project and talk were inspired by a few new architectures that were merged—or were submitted for merging—in the last few years. In particular, the Blackfin and MicroBlaze architectures were inspiring, with the latter architecture still not merged, perhaps due to Bergmann's comments. He is hoping to help that situation get better.
The biggest problem with architecture ports tends to be code duplication because people start by copying all of the files from an existing architecture. In addition, "most people who don't know what they are doing copy from x86, which in my opinion is a big mistake". According to Bergmann, architecture porters seem to "first copy the header files and then change the whitespace", which makes it difficult to immediately spot duplicated code.
He points to termbits.h as an example of an include file that is duplicated in multiple architectures unnecessarily as the code is the same in most cases. He also notes there is "incorrect code duplication", pointing to new architectures that implement the sys_ipc() system call, resulting in "brand new architectures supporting a broken interface for x86 UNIX from the 80s". That call is a de-multiplexer for System V IPC calls that has the comment—dutifully duplicated into other architectures—"This is really horribly ugly".
Then there are problems with "code duplication by clueless people" which includes a sembuf.h implementation that puts the padding in the wrong place because of 64 vs. 32-bit confusion. In addition, because code is duplicated in multiple locations, bug fixes that are made for one architecture don't propagate to all the places that need the fix. As an example he noted a bug fix made by Sparc maintainer David Miller in the x86 tree that didn't make it into the Sparc tree. Finally, there are ABIs that are being needlessly propagated in new architecture ports: system calls that are implemented in terms of newer calls are still present in new ports even though it could all be handled in libc.
The "obvious" solution is to create a generic architecture implementation that can be used as a starting point for new ports. Bergmann has been working on that, resulting in a 3000 line patch that "should make it very easy for people to port to new architectures". To start with, it defines a canonical ABI that is a list of all of the system calls that need to be implemented for a new architecture. It puts all of the required include files into the asm-generic directory that new ports can just include—or copy if they need to modify them.
Unfortunately, things are not quite that simple, of course; there are a number of problem areas. There are "lots of things you simply cannot do in a generic way". Most of these things are fairly hardware-specific areas like MMU support, atomics, interrupts, task switching, byte order, signal contexts, hardware probing and the like.
Bergmann decided to go ahead by defining away some of these problems in his example architecture. So, there is no SMP or MMU support with the asm-generic/atomic.h and asm-generic/mmu_context.h include files being appropriately modified. Many of the architecture-specific functions have been stubbed out in arch/example/kernel/dummy.c so that he can compile the template architecture.
The example architecture uses an Open Firmware device tree to describe the hardware that is available at boot time. Open Firmware "is a bit like what you have with the new Intel EFI firmware, but it's a lot nicer". A flattened device tree data structure is passed to the kernel at boot time by the bootloader, so Bergmann will be able to make it to the next step: making it boot.
As one might guess, there is still more work to be done. There are eight header files that are needed from the asm-example directory, but Bergmann hopes to reduce that some. He notes that there are other architecture-specific areas that need work. For example, every single architecture has its own implementation of TCP checksums in assembly language, which may not be optimal.
Bergmann pointed attendees at the ukuug2008 branch of his kernel.org playground git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arnd/playground.git to see the current state of his example architecture. It looks to be a nice addition to the kernel that will likely result in better architecture ports down the road.
Page editor: Jake Edge
Distributions
News and Editorials
Blending Debian
Last week we introduced Debian Pure Blends, and now this week we'd like to look a bit deeper into the concept, the white paper and how this idea compares to similar ideas.
To begin with, the Pure Debian Blend is not a new idea. It's a new name for an existing concept that goes back to early 2004. Discussions probably started earlier, but April 2004 is when a mailing list was opened for this topic.
At DebConf5, held in Helsinki, Finland in July of 2005, there were talks about Debian Derivatives and Custom Debian Distributions. Custom Debian Distributions (CDD) was the previous name for Debian Pure Blends and the derivatives are now forks.
A white paper, available in PDF or HTML, was originally written in 2004 to describe the CDD concept. It has been recently modified for the new name of Debian Pure Blends.
There are a few places in the white paper where its age shows. These are mostly references to distributions other than Debian. You'll find some mention of Mandrake, for example. The combined Mandrakesoft and Conectiva forming the new entity Mandriva was finalized later in 2004. Debian 3.0 (Woody) appears to have been the stable version when the document was new. Since then Debian has released 3.1 (Sarge) and 4.0 (etch), and is nearing the 5.0 release (Lenny).
While the dates are old, the whole stands as a definition of what is a Pure Blend and what is a fork. The Pure Blend is based on Debian stable (currently etch). It contains only packages found in the stable repository. A Pure Blend must retain 100% compatibility with the stable repository. A system administrator using a pure blend could easily install additional packages from Debian's sizeable repository. It is not uncommon for one or more developers of a Pure Blend to also be Debian Developers who are able to maintain the packages needed by the Blend within the Debian archive. The document is also a valuable resource for anyone who wishes to create their own Pure Blend.
The list of forks in section 5.1.1 could use some attention, although this is not really important to the overall topic. Currently listed are Linspire, Xandros and Libranet. Libranet died in 2006 following the death of its founder Jon Danzig. Linspire was acquired by Xandros earlier this year and what was Linspire is now part of Xandros. The free version of Linspire, called Freespire, is still around. Roughly speaking, Freespire is to Xandros as Fedora is to Red Hat: a community project to test drive new technologies which may find their way into the enterprise distribution.
Whether Freespire is a fork or something more pure remains to be seen. Freespire 5.0 is not finalized yet. It appears that Freespire will wait for the official Debian 5.0 (Lenny) release before its final 5.0 stable release.
Another fork that might be mentioned here is Ubuntu. This popular distribution didn't exist when this document was originally created. The first Ubuntu release was 4.10 preview (Warty Warthog), dated September 2004. Ubuntu is clearly a fork though, based on Debian's unstable branch, known as sid. Packages from Debian's stable repository might work on Ubuntu, but that is by no means a sure thing.
So how does this compare to other distributions? At this time Debian remains the most popular base, whether the spinoff is Pure or a fork. This is largely due to the size of Debian's repository. There are simply more packages to choose from. Fedora's repository has about half the number of packages, but it continues to grow. Fedora would like to become more widely used as a base. The project is still working on a draft of trademark guidelines, where a "Spin" is much like a Pure Blend and a "Remix" is more of a fork. Spin maintainers are welcome to become Fedora contributors and package the free software needed by the Spin.
Red Hat addressed this issue some years ago, when Red Hat Enterprise spinoffs flourished following the demise of the old Red Hat Linux distribution. Red Hat made separate packages with its logos and trademark so that spinoffs could more easily take the free software, without the commercial baggage. At first separating the logos from the free software was a difficult process. Debian has an official logo and an unofficial logo, for other projects to use. Fedora is coming up with its own rules, with the draft trademark guidelines. The terminology for spinoffs varies as well. A Fedora Spin is mostly equivalent to a Debian Pure Blend. A Fedora Remix is more of a fork.
Regardless of what they are called, these spinoff distributions make the free software landscape a richer and more diverse place.
New Releases
Debian Installer lenny RC 1
The first release candidate for the Debian lenny (v5.0) installer is available for testing. So take the installer for a test drive by installing Lenny. Then take Lenny for a test drive. Please report your bugs.
debxo 0.4 release
DebXO is a Debian based system for the XO laptop. The 0.4 release is out. "This release looks much much nicer, thanks to a new Xorg driver. There's also a jffs2 fix which should make bootup from NAND quite a bit faster." Click below for more information.
Development Release: openSUSE 11.1 Beta 5 Now Available
The fifth beta of openSUSE 11.1 is available for testing. "We all want openSUSE 11.1 to be the best release yet, and we need your help to get there. This release is ready for widespread testing, and we're encouraging everyone to download and test the beta releases." Beta 5.1 is available for PowerPC.
Fixstars launches Yellow Dog Linux 6.1
Fixstars has announced the release of Yellow Dog Linux 6.1 for the Apple G4/G5, Sony PLAYSTATION3, PowerStation, and IBM Power Systems platforms. "Built upon the CentOS foundation, a derivative of Red Hat Enterprise Linux, YDL v6.1 offers several end-user and development tool improvements over the previous v6.0. 'This marks the final release of Yellow Dog Linux by Terra Soft and the first by Fixstars,' states Owen Stampflee, Fixstars Solutions' Director of Engineering, 'In the past five years we have made incremental improvements with each release, always pressing for a higher quality end user experience.'"
Distribution News
Debian GNU/Linux
Tracking GCC 4.4 related build errors
Martin Michlmayr has been building the Debian archive with GCC 4.4 to look for bugs and report build errors. "I've completed the archive build now and reported about 220 bugs (the majority with patches). There are roughly 30 build failures left that I haven't analyzed yet. There are also about 35 packages that fail because the boost headers don't work with GCC 4.4. I'll try to build them when the boost headers get fixed."
screenshots.debian.net
screenshots.debian.net is a new web site with screenshots of some of the many packages available for Debian users. "a picture is worth a thousand words. And thanks to screenshots.debian.net[0] this finally comes true for Debian packages. Several people have proposed a service to provide screenshots for them. So after getting other developers' opinions and suggestions I sat down and crafted a web application that allows to upload and provide screenshots."
Fedora
Fedora Board Recap
The Fedora Advisory Board met on November 11, 2008. Click below for a recap of the meeting. Topics include Personal Trademark Usage and Extending Updates for EOL Releases.
FESCo Meeting Summary
Click below for a summary of the Fedora Engineering Steering Committee meeting of November 12, 2008. Topics include FESCo approved policy changes and the upcoming FESCo election.
Ubuntu family
Canonical announces Ubuntu for the ARM platform
Canonical has announced a plan to put Ubuntu onto the ARM architecture. "ARM and Canonical Ltd, the commercial sponsor of Ubuntu, today announced that they will bring the full Ubuntu® Desktop operating system to the ARMv7 processor architecture to address demand from device manufacturers. The addition of the new operating system will enable new netbooks and hybrid computers, targeting energy-efficient ARM® technology-based SoCs, to deliver a rich, always-connected, mobile computing experience, without compromising battery life."
Other distributions
New Tracker for isos.rocklinux.org
Rock Linux, one of the early source based distributions, has a new tracker.
Ulteo unveils first corporate Open Source virtual desktop infrastructure system
Ulteo has unveiled its virtual desktop. "The Ulteo Open Virtual Desktop is a great solution for corporations who want to reduce the Total Costs of Ownership of the end user desktop, a cost that cripples IT budgets. Moreover, the Ulteo open source business model remove the typical upfront licence fee and replace it with a much more affordable subscription support plan instead. 'With Ulteo businesses save money even in the first year of virtual desktops deployment and that counts in the current economic environment' says Thierry Koehrlen, CEO and co-founder of the company."
Distribution Newsletters
DistroWatch Weekly, Issue 278
The DistroWatch Weekly for November 17, 2008 will be the last of the regular weeklies. "DistroWatch Weekly was first published in June 2003 as a publication summarising the happenings in the distribution world on a weekly basis. Now, 5 1/2 years and 278 issues later, an era is about to end. The publication that has been growing in stature and influence, needs a new editor, a person (or two) with fresh ideas, eager for new challenges, ready to report about the latest technologies in an unbiased manner. If you think you can fulfil the criteria, please read below for the official "position vacant" notice. In the meantime, please accept our apologies for missing an issue last week. We hope to bring you more quality articles, authoritative news summaries, and all the usual goodies you've come to expect from your DistroWatch Weekly in the future. Happy reading and thank you all for your continued support!"
Fedora Weekly News 152
This week's issue features extensive coverage of a Server SIG formation in the Developments beat, along with clarifications from the Fedora Engineering leadership on feature freeze policies. In announcements, reminders of this Tuesday's public Fedora Board meeting on #fedora-board-meeting at irc.freenode.net. The Translation beat features various Fedora 10 milestones and an introduction of three new members to the translation team. In Artwork, some history on the genesis of the Fedora infinity bubble is saved, and more feedback on Fedora 10 themes. Virtualization includes updates of dom0 support in the upstream kernel, and a RFC on including greater detail in domain events. Finally, Fedora 9 and 8 updates for the week in Security Advisories. These are but a few highlights in this week's Fedora Weekly News.
openSUSE Weekly News, Issue 46
This issue of the openSUSE Weekly News covers: openSUSE 11.1 Beta 5 Released, Updated Build Service Roadmap, KDE's Compositing in openSUSE 11.1, SLES Now Easy for Users of RHEL and CentOS, YaST Preview and more. Click below for links to several translations.
Ubuntu Weekly Newsletter #117
The Ubuntu Weekly Newsletter for November 15, 2008 covers: New Theme for help.ubuntu.com, Dell Mini 9 testing, Ubuntu Community Interview: Nathan Grubb, Jaunty Alpha 1 freeze ahead, Tamil Team Release Party, Ubuntu Peru gives Ubuntu presentation, Launchpad plugin for Eclipse, Launchpod: Episode #12, Launchpad offline Movember 19th, 2 new Launchpad interviews, Ubuntu Tweak 0.4.2 released, Ubuntero gets inked: Ubuntu Style, LoCo Council Meeting, Edubuntu Meeting, Server Team Meeting, and much more.
Page editor: Rebecca Sobol
Development
The libferris virtual filesystem
The Unix mantra "everything is a file" gives you great flexibility over where you store your data and how information is manipulated and replicated. Unfortunately, many things in Unix and Linux are not files, or at least not files that you would want to interact with directly. For example, a PostgreSQL database is ultimately stored in a collection of binary files, though you probably wouldn't want to interact with those files directly. Instead of storing settings in a collection of tiny files, many applications use XML to store settings in a single file but then have to deal with parsing XML instead of just reading little files. libferris lets you mount both PostgreSQL and XML and provides you with a useful way to interact with the data contained in both as a virtual filesystem.
Other operating systems like Plan 9 pushed the envelope further than Unix, making more things "just a file". Unfortunately, to use Plan 9 you had to abandon your trusty old Unix roots and jump to an entirely new operating system.
I started the libferris virtual filesystem project back in 2001 to push the "everything is a file" concept further; it was all implemented on a Linux base. Libferris is a virtual filesystem implemented as a shared library with FUSE bindings. Because FUSE is already in the Linux kernel you don't have to do any kernel patching to use libferris. Because libferris is a shared library and not in the kernel, it can use other libraries to help it mount data sources like XML, relational databases and Emacs to name a few. And as an upshot of being out of kernel, I can work on letting libferris mount anything I like no matter how strange it might be without any third party approval.
There are actually two ways to use libferris -- through a native C++ interface and using the normal Unix APIs with FUSE. The FUSE interface is very useful if you want to rsync(1) some structured information from an XML file into a PostgreSQL database. Just mount them both with FUSE and rsync away. Other interesting things you can do with the FUSE interface include exposing data as a virtual office document, using XSLT stylesheets that libferris processes for you, and geotagging with Google Earth.
The design of libferris revolves around two primitives: exposing file contents as C++ std::iostreams, and rich metadata support through an interface similar to Extended Attributes (EA) attr_get(3). Since then libferris has gained sophisticated support for indexing both the full text contents of files as well as their metadata. Libferris is written in C++ and aims to take full advantage of the language. Interfaces are designed to be as easy to pick up for C++ programmers as possible; for example, displaying a directory can be done using iterators, find(), begin() to end() etc.
Both the types of things that libferris can provide as virtual filesystems and the metadata handling are done through a plugin interface. The handling of metadata is done through the Extended Attributes (EA) interface. This EA interface is also virtualized -- if you write an attribute to file:///foo/bar and the kernel filesystem supports extended attributes, then the value will be saved in a kernel level EA using attr_set(3). On the other hand if file:///foo/bar happens to exist on a network filesystem that does not support EA, then your value is saved in RDF by libferris. In both cases the value can be read again using an identical interface.
Looking at filesystems in an abstract way -- a hierarchy of files, file contents, and metadata associated with files and directories as key-value pairs -- there is somewhat of a resemblance to the data model of XML. There are obvious differences, though: XML elements can have multiple text nodes as contents, an XML element does not need to have specific unique names for each child XML element and so on. In many cases it can be advantageous to smooth over the differences and view a filesystem as XML and vice versa. Over the years libferris has gained the ability to interact with its virtual filesystems as virtual Document Object Models (DOMs). The reverse is also true: you can take an xerces-c DOM and interact with it as a virtual filesystem. Using virtual DOMs makes it easy to create a view of a filesystem using a browser and XSLT. See xml.com for information on using XQuery against a libferris virtual filesystem.
The ability to mount XML and Berkeley db4 data as filesystems has long been a part of libferris. If you want to store a filesystem inside a platform independent format, then using XML is great, whereas the speed of individual file look up in a Berkeley db4 database of many many file records can come in handy. Each format has its advantages, but they are all just virtual filesystems as far as libferris is concerned.
When a filesystem can offer what it likes through key-value pairs (EA) associated with files, relational databases can also be viewed as a virtual filesystem. Databases, views, tables and result sets become directories, tuples become files named by the value of their primary key, and the individual values of tuples are exposed as Extended Attributes on their tuple file. Again, PostgreSQL appears just like another virtual filesystem. For relational data there are a few caveats, for example, to create a new "file" in a table you must supply at least the primary key EA as well as any EA which are explicitly marked "not null" in the database.
Libferris will automatically mount many filesystems for the user. For example, if you try to read an XML file as though it is a directory then libferris will implicitly mount it as one for you. This does blur the lines between what is a directory and what is a file in the system. There is some additional metadata that libferris makes available if you would like to avoid the automatic mounting. For example, if you wish not to descend into XML files then read the is-file metadata and if it is true do not attempt to descend into the file.
One of the motivations for creating libferris as a project of its own was to be able to expose as a filesystem anything that I felt could be interacted with in an interesting manner. So libferris can mount some things that folks might not think of as filesystems -- including Firefox, Emacs, DBus, LDAP, Evolution, Amarok, klipper, xmms, X Window System and gphoto2.
The metadata plugins for libferris currently support extracting information from file formats automatically, for example, EXIF, XMP and ID3 tags. Metadata overlays are also supported, so you can see what tags you have associated with an image in f-spot through extended attributes in libferris. I use the term overlays because a central repository of tag data (in this case from f-spot) is scattered over an entire filesystem in libferris. The lower level metadata plugins handle more standard extended attributes usage, for example using attr_set(3) to store values or saving them in RDF.
Many of the standard utilities have been rewritten to use the native libferris API and take advantage of extra features it offers. Things like ls, cp, mv, rm, cat, io-redirection, touch, head and tail all have native libferris versions which are shipped with the main tarball. These all also serve as code samples for how to use the libferris API. Extensions to the normal clients include the ability of ferrisls to output directory listings in XML and the ability of ferriscp to use memory mapped IO as well as the more standard open(), read() and write() calls to perform the copy. When memory mapped IO is used, ferriscp also calls madvise(2) with MADV_SEQUENTIAL to let the kernel select the correct caching policy.
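The memory-mapped copy strategy described above for ferriscp, written out with plain POSIX calls as an added example; it is not ferriscp's source. The names mmap_copy, write_all and read_all, and the choice to refuse an existing destination, are assumptions of the example.

```cpp
// Added illustration: not libferris or ferriscp source code.
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <sstream>
#include <string>

// Closes the descriptor on every return path.
struct Fd {
    int fd;
    explicit Fd(int f) : fd(f) {}
    ~Fd() { if (fd >= 0) close(fd); }
    Fd(const Fd&) = delete;
    Fd& operator=(const Fd&) = delete;
};

// Copy src to a new file dst through a read-only mapping of src.
// Returns 0 on success, otherwise the errno of the step that failed.
int mmap_copy(const std::string& src, const std::string& dst) {
    Fd in(open(src.c_str(), O_RDONLY | O_CLOEXEC));
    if (in.fd < 0) return errno;

    struct stat st;
    if (fstat(in.fd, &st) != 0) return errno;
    if (!S_ISREG(st.st_mode)) return EINVAL;  // pipes, devices: nothing to map

    // Choice made by this example: with O_CREAT|O_EXCL the open fails with
    // EEXIST if dst already exists, including when dst is a symlink.
    Fd out(open(dst.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC,
                st.st_mode & 0777));
    if (out.fd < 0) return errno;

    // mmap(2) rejects a zero-length mapping with EINVAL; the empty file
    // created above is already the complete copy.
    if (st.st_size == 0) return 0;

    const size_t len = static_cast<size_t>(st.st_size);
    void* map = mmap(nullptr, len, PROT_READ, MAP_PRIVATE, in.fd, 0);
    if (map == MAP_FAILED) return errno;

    // Advisory hint that pages are read once, front to back, so the kernel
    // can read ahead aggressively. A failure here does not affect the copy.
    (void)madvise(map, len, MADV_SEQUENTIAL);

    // Caveat: if another process truncates src while it is mapped, touching
    // pages past the new end of file raises SIGBUS in this process.
    int rc = 0;
    const char* p = static_cast<const char*>(map);
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(out.fd, p, left);  // may be a short write
        if (n < 0) {
            if (errno == EINTR) continue;
            rc = errno;
            break;
        }
        p += n;
        left -= static_cast<size_t>(n);
    }
    munmap(map, len);
    if (rc != 0) unlink(dst.c_str());  // do not leave a partial copy behind
    return rc;
}

// Small helpers used by the demo below.
bool write_all(const std::string& path, const std::string& data) {
    std::ofstream f(path, std::ios::binary | std::ios::trunc);
    f << data;
    f.close();
    return !f.fail();
}

std::string read_all(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    std::ostringstream ss;
    ss << f.rdbuf();
    return ss.str();
}

int main() {
    char tmpl[] = "/tmp/mmap_copy_demo_XXXXXX";
    if (!mkdtemp(tmpl)) { std::perror("mkdtemp"); return 1; }
    const std::string dir(tmpl);
    const std::string sample(1 << 20, 'A');  // constructed sample input
    write_all(dir + "/src", sample);
    int rc = mmap_copy(dir + "/src", dir + "/dst");
    std::printf("first copy: %s\n", rc ? std::strerror(rc) : "ok");
    rc = mmap_copy(dir + "/src", dir + "/dst");
    std::printf("copy onto existing dst: %s\n", std::strerror(rc));
    return 0;
}
```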
The indexing support in libferris is also handled using plugins. Two different indexing plugin types exist; full text and metadata. There are two types of plugin, because the strategy for how to create an index can be quite different depending on if you are performing a search for some words in a document text or if you wish to find files with certain metadata values. Using inverted files can be great for resolving a ranked full text query for "alice wonderland" but finding all files in either my home directory or /pictures that have been modified in December 2008 can be solved in a number of ways.
There are currently indexing plugins for CLucene, Lucene, LDAP, Federations of other libferris indexes, ODBC, PostgreSQL, Redland (RDF), Xapian, Beagle, Strigi and some custom designs. There are likely to be more index plugins explicitly designed to work on NAND Flash in the future. Those interested in indexing and libferris should see this article.
A major advantage of closely combining the index and search operations into the virtual filesystem is that anything the virtual filesystem can see can be indexed. When searches are performed you should also be able to interact with any of the results as a virtual filesystem. This avoids the issue where a discrete search library might return a URL that the client can not do anything with.
So, what does it look like to code using libferris? Most objects in ferris are smart pointers, many using intrusive reference counting. The type for such objects is prefixed with "fh_" to indicate a ferris handle. The notion of files and directories is amalgamated into a single "Context" abstraction. To get a smart pointer to a filesystem path the Resolve() function is used. So without further ado, to get a file and its metadata with libferris:
    // Assumes "using namespace std;" and "using namespace Ferris;" are in effect.
    fh_context c = Resolve( "~/myfile" );
    { // let the scope close it for me
        // the stream is written to, so it needs a read/write handle
        fh_iostream ss = c->getIOStream( ios::trunc );
        ss << "Bah!" << endl;
    }

    // std::string getStrAttr( fh_context, eaname, default-value, ... )
    string filename = getStrAttr( c, "name", "" );
    string md5sum = getStrAttr( c, "md5", "" );
    cout << "the filename should be myfile:" << filename << endl;
    cout << "the md5 checksum is:" << md5sum << endl;

    // write an attribute, then read it back through its own stream
    setStrAttr( c, "foo", "bar" );
    fh_attribute a = c->getAttribute("foo");
    fh_istream ass = a->getIStream();
    cout << "Getting the metadata again:";
    copy( istreambuf_iterator<char>(ass), istreambuf_iterator<char>(),
          ostreambuf_iterator<char>(cout));
    cout << endl;
Libferris is steadily gaining commercial interest. Currently I provide things like custom builds of libferris, explicit support for new test cases in the core regression test suite that are important to clients and of course extensions to libferris to perform a specific task that might be desired.
There are packages available for both 32 and 64-bit Fedora 8, 9 and Ubuntu 7.10 Gutsy as well as 32-bit packages for openSUSE 10.3. Unfortunately there is currently a bug in building 64-bit stldb4 on openSUSE. Install the libferris-suite package to pull in all the dependencies.
Feel free to email the witme-ferris mailing list or add comments to this article suggesting any weird and wonderful (and obscure) filesystems you have experienced in the past. Though my libferris.TODO file always grows more than it shrinks, I'm always happy to add new and exciting suggestions near the top of it.
System Applications
Database Software
Firebird 2.0.5 Release Candidate 1 is out
Version 2.0.5 Release Candidate 1 of the Firebird DBMS has been announced. "This sub-release introduces some more bug fixes and vulnerability closures backported from V.2.1.2 development. It does not add any new functionality to the database engine. One fix of note is that DummyPacketInterval behaviour, broken since v.2.0, has been fixed."
PostgreSQL Weekly News
The November 16, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Device Drivers
DeviceKit 002 announced
Version 002 of DeviceKit has been announced. "DeviceKit is an abstraction for enumerating devices and listening to device events. Any application on the system can access the org.freedesktop.DeviceKit service via the system message bus. On GNU/Linux, DeviceKit can be considered a simple D-Bus frontend to udev(7)."
Filesystem Utilities
Clonezilla live: 1.2.1-17 (stable) released. (SourceForge)
Stable version 1.2.1-17 of Clonezilla, a live-disk partition management and disk cloning utility, has been announced. "This release is based on Debian Lenny with Kernel 2.6.26-8. A Simplified Chinese interface was added. An option to reboot or shutdown after clone is finished was added. Hardware and software info will be saved in a clonezilla image. An option to generate MD5 or SHA1 checksums after an image was saved was added. Running on serial console ttyS0 is supported. Some more info will be saved in image dir. Some bugs were fixed."
Networking Tools
Announcing Monkeysphere - a mechanism to use PGP keys with SSH
The Monkeysphere project has been launched. "The Monkeysphere enables you to use the OpenPGP web of trust to verify ssh connections. SSH key-based authentication is tried-and-true, but it lacks a true Public Key Infrastructure for key certification, revocation and expiration. Monkeysphere is a framework that uses the OpenPGP web of trust for these PKI functions. It can be used in both directions: for users to get validated host keys, and for hosts to authenticate users."
Security
Metasploit Framework 3.2 released
Version 3.2 of Metasploit Framework has been announced; it adds some new capabilities. "The Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a community-based development team."
Telecom
Patent hassles for OpenMoko
On November 12, the OpenMoko project announced that all of its system images had been removed from the download server. When users asked about what was going on, the answer that came back was: "The short story is that we are in a protracted battle with some patent trolls. Google for Sisvel. In order to get ourselves in a stronger position, we want to make sure no copies/instances/whatever of patent-infested technologies like MP2 and MP3 exist on our servers. Our phones never shipped with end-user MP3 playback features, but we want to use this opportunity to make sure it's not even in some remote place somewhere." The OpenMoko project did not need to run into this particular hassle.
Web Site Development
Django 1.0.1 released
Version 1.0.1 of the Django web development platform has been announced. "Following the previously-announced schedule, today the Django team has released Django 1.0.1. This is a bugfix-only release containing fixes and improvements to the Django 1.0 codebase, and is a recommended upgrade for anyone using or targeting Django 1.0."
Miscellaneous
Hatta 1.0.0 wiki engine released
Version 1.0.0 of Hatta has been announced. "Hatta is a small wiki engine designed to run locally or via WSGI inside a directory in a Mercurial repository. All the pages are normal text or binary (for images and such) files, also editable from outside of the wiki -- the page history is taken from the repository."
systemtap 0.8 release
Version 0.8 of systemtap has been announced; it includes new features and bug fixes. "SystemTap provides free software (GPL) infrastructure to simplify the gathering of information about the running Linux system. This assists diagnosis of a performance or functional problem. SystemTap eliminates the need for the developer to go through the tedious and disruptive instrument, recompile, install, and reboot sequence that may be otherwise required to collect data."
Zenoss: 2.3 Now Available (SourceForge)
Version 2.3 of Zenoss, an enterprise network and systems management application written in Python/Zope, has been announced. "Zenoss 2.3 includes improvements in Windows and Java application monitoring as well as native VMware management for Zenoss Enterprise Edition. We are also taking the opportunity to highlight over 30 new ZenPacks developed by the Zenoss community for expert monitoring of Asterisk PBX, Brocade Switches, Cisco Security Appliance, and many more."
Desktop Applications
Audio Applications
LV2 Revision 3 announced
Revision 3 of LV2 has been announced. "LV2 is a standard for plugins and matching host applications, mainly targeted at audio processing and generation. LV2 is a simple but extensible successor of LADSPA, intended to address the limitations of LADSPA which many applications have outgrown. This revision changes the data portion of the specification only (i.e. lv2.h is unchanged)."
SLV2 0.6.1 announced
Version 0.6.1 of SLV2 has been announced. "SLV2 is a library to make the use of LV2 plugins as simple as possible for applications. Changes this release: - I18N support, courtesy Lars Luthman - New functions: slv2_port_get_value, slv2_instance_get_extension_data - Fix slv2_plugin_get_supported_features - Fancy new build system - Some Mac portability stuff I think? Probably some other stuff too".
Business Applications
YaMA 1.5 released
Version 1.5 of Yet Another Meeting Assistant (YaMA) has been announced. "What's New in version 1.5 : 1. Evaluate suitability of Action Items for Export 2. Ability to specify custom meeting type 3. Ability to Parse Actions from previous Minutes 4. Display TimeZone"
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- GNOME Power Manager 2.24.2 (bug fixes and translation work)
- gnome-speech 0.4.22 (bug fix)
- gnoMint 0.6.0 (new features and bug fixes)
- GTask 0.1.2 (initial release)
KDE Commit-Digest (KDE.News)
The October 12, 2008 edition of the KDE Commit-Digest has been announced. The content summary says: "More improvements in KBruch as part of a Brazilian student projects initiative. Ability to search by "HD Catalog Number" in KStars. Initial Kross support in the Rocs educational tool. Multiple projection support in the Marble Plasmoid. Preliminary support for editors in Klotz (formerly KLDraw). Ability to change the alignment of the window title in the Oxygen window decoration..."
KDE Software Announcements
The following new KDE software has been announced this week:
- cpdu 0.3.3b (new feature and bug fixes)
- cpdu 0.3.31b (new feature and bug fixes)
- Hyper Video Converter 0.4.1 (mostly cosmetic changes)
- kdesvn 1.2.2 (kde4 port release)
- K Menu Gnome 0.8.1 (new features and translation work)
- KRadioRipper 0.4.5 (new features, bug fixes and code cleanup)
- ktikz 0.7 (new features and bug fixes)
- KTorrent 3.1.5 (bug fixes)
- KTorrent 3.2beta1 (new features and code cleanup)
- MadWin 0.04 SE (unspecified)
- Opeke 0.3 (new features and code cleanup)
- pacsermen 1.0 (initial release)
- Simple Root Actions Menu 1.4.1 (new feature and translation work)
- Simple Root Actions Menu 1.4.2 (bug fix and translation work)
- SMILE 0.8.8 (bug fix and translation work)
- SMPlayer 0.6.5 (new features)
- Soitin 1.0 (unspecified)
- Soitin 1.1 (new features and bug fixes)
- Soitin 1.1.1 (new features and bug fixes)
Xfce 4.6 Beta 2 released
Version 4.6 Beta 2 of Xfce, a lightweight desktop environment, has been announced. "The second Beta was delayed for 2 weeks, but it was worth it. every feature we made a freeze-exception for has made it into this release. This means a lot of bugs have been fixed this time as well".
X server 1.6 release schedule announced
The release schedule for X server version 1.6 has been announced by Keith Packard. "I volunteered to manage an X server 1.6 release, tentatively scheduled for the end of the year (yes, this year, 2008). This release will include DRI2 and RandR 1.3 support. I'd like to know how much of the new Xinput stuff will be ready in time."
Xorg Software Announcements
The following new Xorg software has been announced this week:
- libXi 1.1.4 (bug fixes and code cleanup)
- xf86-input-evdev 2.0.8 (bug fix)
- xf86-input-evdev 2.1.0 (bug fixes)
- xf86-input-synaptics 0.99.1 (new features, bug fixes and documentation work)
- xf86-input-vmmouse 12.6.2 (code cleanup)
- xf86-video-intel 2.4.3 (bug fixes and code cleanup)
- xf86-video-intel 2.5.1 (new features, bug fixes and code cleanup)
Desktop Publishing
LyX 1.5.7 is released
Version 1.5.7 of LyX, a GUI front-end to the TeX typesetter, has been announced. "This is the sixth maintenance release in the 1.5.x cycle and it is expected to be the final release in this series, since a new series of stable releases has just been introduced by our new major release, LyX 1.6.0. Besides the obligatory bug fixes, the main feature of this release is the ability to read files created by LyX 1.6.0 (this feature requires python 2.3.4 or newer). All users who intend to stick with the 1.5.x series for the time being are encouraged to upgrade to this version."
Financial Applications
Tryton ERP 1.0 released
Version 1.0 of Tryton ERP has been announced. "This is the first release of Tryton, a fork of OpenERP (formally known as TinyERP). This release is the result of 8 months of intensive work which consist of the rewrite of all modules (including contact, sale, purchase, invoice, analytic and general account and inventory management) and some parts of the core features. It is available in four languages (English, French, German and Spanish)."
Games
Shoot Out: Linux source demo released (SourceForge)
A demo release of Shoot Out has been announced. "Shoot out is a arcade shooter similar to galaga or space invaders using SDL. The demo for ShootOut is finally release. The download is the linux tarball at the moment."
WFMath 0.3.8 released
Version 0.3.8 of WFMath has been announced. "WFMath, or the WorldForge Math library's main focus is geometric objects, and it has classes for several shapes as well as the basic math objects, points, vectors, matrices and quaternions. It is required by all WorldForge components. This release is aimed at all developers. Changes in this version: * The source has been updated to build cleanly on modern compilers. * The build files have been updated to work better with modern tools."
Interoperability
odf-converter-integrator: version 0.2.0 released (SourceForge)
Version 0.2.0 of odf-converter-integrator has been announced. "odf-converter-integrator is an easy way to open Microsoft Office 2007 files (also called Office Open XML, .docx, .xlsx, and .pptx) with a high-quality conversion on any Linux or Windows system in any OpenOffice.org. The odf-converter-integrator releases 0.2.0. Highlights in this release are OdfConverter 2.0 which improves the performance and accuracy of file conversions. Also changes in the integration improve the compatibility with Linux distributions."
Mail Clients
Sylph-Searcher 1.1.0 released
Version 1.1.0 of Sylph-Searcher has been announced. "Sylph-Searcher is a program that enables fast full-text search of messages stored in mailboxes of Sylpheed, or normal MH folders."
Medical Applications
Open Source Ultrasound System from South of France (LinuxMedNews)
LinuxMedNews reports on an open-source ultrasound system. "As Vincent reported in his post "Medical GNOME", the French company Supersonic Imagine (founded in 2005) just announced its next-generation ultrasound system for breast lesion imaging that will come with mostly Open Source software components. The new system is called Aixplorer."
Multimedia
Elisa Media Center 0.5.18 released
Version 0.5.18 of Elisa Media Center has been announced. "The release cycle for this version was exceptionally two weeks instead of one to fit a lot of important changes (some of which are visible, some not but nonetheless important). This release brings its usual lot of bug fixes and exciting new features.."
Music Applications
Tapeutape 0.1.1 and Tranches 0.1.1 announced
Versions 0.1.1 of Tapeutape and Tranches have been announced. "I've released new versions of Tapeutape (virtual sampler) and Tranches (beatrepeat/redirect/rearrange). There are also tutorials for both of them."
Office Applications
pyspread 0.0.10 released
Version 0.0.10 of pyspread has been announced; it features a code rewrite and bug fixes. "Pyspread is a 3D spreadsheet application. Each cell accepts a Python expression and returns an accessible object. Python modules are usable from the spreadsheet table without external scripts."
Web Browsers
Firefox 3.0.4 and 2.0.0.18 now available for download
Versions 3.0.4 and 2.0.0.18 of the Firefox browser have been announced. "As part of Mozilla Corporation's ongoing stability and security update process, Firefox 3.0.4 and Firefox 2.0.0.18 are now available for Windows, Mac, and Linux as free downloads".
Languages and Tools
C
GCC 4.4.0 Status Report
The November 17, 2008 edition of the GCC 4.4.0 Status Report has been published. "We are now in regression and documentation fixes only mode. When the number of P1 bugs drops to zero and the number of P1, P2 and P3 bugs reaches 100, we'll branch 4.4.0 and open 4.5 stage 1."
pcc seeks contributions to reach 1.0 milestone
pcc, the portable C compiler, has teamed up with the BSD Fund to try to attract donations to fund the completion of a "usable" 1.0 release. The BSD folks have long been dissatisfied with GCC, but Linux developers have eyed pcc (and others) as well. LWN looked at pcc a little over a year ago. (Thanks to Brian Plummer).
Caml
Caml Weekly News
The November 18, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.
Java
OpenSwing: 1.8.3 released (SourceForge)
Version 1.8.3 of OpenSwing has been announced; it features a number of new capabilities. "OpenSwing is a component library that provides a rich set of advanced graphics components and a framework for developing java applications based on Swing front-end. It can be applied both to rich client applications and Rich Internet Applications."
OpenXava: 3.1beta3 released (SourceForge)
Version 3.1beta3 of OpenXava has been announced. "OpenXava is a framework to develop AJAX Java Enterprise/J2EE applications rapidly and easily. Allows you to define applications just with POJOs, JPA and Java 5 annotations. Feature rich and flexible since it's used for years to create business applications with Java. OpenXava 3.1beta3 has all functionality of 3.0.3 but it generates an AJAX application. Just update to OX3.1 and your OX (3.x, 2.x, or 1.x) application will be AJAX without touching a single line of code. In this new 3.1beta3 we have rounded the edges a lot, so it's near to a production ready version."
Perl
Parrot 0.8.1 released
Version 0.8.1 of Parrot, a virtual machine for running dynamic languages, has been announced.
This Week on perl5-porters (use Perl)
The October 27 - November 2, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.
PHP
TCPDF: 4.2.009 was released. (SourceForge)
Version 4.2.009 of TCPDF has been announced. "TCPDF is a Free Libre Open Source PHP class for generating PDF documents without requiring external extensions. TCPDF Supports UTF-8, Unicode, RTL languages and (x)HTML. TCPDF project was started in 2002 and now it is freely used all over the world by millions of people."
Python
Python-URL! - weekly Python news and links
The November 17, 2008 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The November 19, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Debuggers
gdb/python integration
Tom Tromey blogs about a gdb/python integration effort. "I'm hoping we can ship a Python-enabled gdb in F11. Hopefully that will boost adoption. I'm also planning to ship a suite of libstdc++ pretty-printers in F11, so even if you don't write any Python yourself, you can still benefit. (For those not following the progress, we have a feature that lets you write custom visualizers based on type; this makes printing a std::vector, or whatever, much simpler.)" (Thanks to Mark Wielaard).
Libraries
cairo release 1.8.4 now available
Version 1.8.4 of the Cairo graphics library has been announced. "This is the second update to cairo's stable 1.8 series and contains a small number of bug fixes, (in particular a few fixes for build failures of cairo 1.8.2 on various systems). This is being released just over two weeks after cairo 1.8.2."
PyTables 2.1rc2 is ready for testing
Version 2.1rc2 of PyTables has been announced. "PyTables is a library for managing hierarchical datasets and designed to efficiently cope with extremely large amounts of data with support for full 64-bit file addressing. PyTables runs on top of the HDF5 library and NumPy package for achieving maximum throughput and convenient use. This is the second release candidate for 2.1, and I have decided to release it because many bugs have been fixed and some enhancements have been added since 2.1rc1."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The Green Penguin - Where Does Your E-Waste Go? (Linux Journal)
Linux Journal takes a look at the E-Stewards certification program for electronic waste recyclers. "That old CRT monitor the size of a small fridge. The original Apple Newton that kicked the bucket and never woke up. The early-vintage musty VA Linux box - what happens to all of this e-junk after it, if ever, leaves your basement? Ideally e-junk lands at a reputable e-recycler with the equipment to safely recycle and/or dispose of these items that are very difficult to process. What happens frequently is that a less-than-reputable outfit will pack your e-junk onto a container and ship it off to a developing country with lax environmental and labor laws, where it will wreak havoc on the environment and poor people."
Companies
The Microsoft-Novell Linux deal: Two years later (InfoWorld)
InfoWorld takes a look at the Novell-Microsoft deal. "Whatever the implications for the greater Linux and open source worlds, Novell says the Microsoft deal has been good for its Suse Linux and for IT shops that use both Suse and Windows. Customers wanted a "bridge between Microsoft Windows and Linux," says Microsoft's Hauser. Customers also wanted peace of mind over potential intellectual property disputes, since those can take products off the market or result in additional licensing fees. About 100 customers are covered by the Novell-Microsoft agreement, she notes."
Resources
Authenticate Linux Clients with Active Directory (Technet)
Microsoft's Technet Magazine has a lengthy article on authenticating Linux clients with Active Directory. "Originally, Linux (and the GNU tools and libraries that run on it) was not built with a single authentication mechanism in mind. As a result of this, Linux application developers generally took to creating their own authentication scheme. They managed to accomplish this by either looking up names and password hashes in /etc/passwd (the traditional text file containing Linux user credentials) or providing an entirely different (and separate) mechanism."
An Introduction To OSC (Linux Journal)
Dave Phillips introduces OpenSound Control (OSC) in a Linux Journal article. "The history of OSC begins with the history of MIDI. When the major hardware synthesizer manufacturers adopted MIDI as a standard for interdevice communications it was widely and justly hailed as a breakthrough in music technology. Armed with a computer, the appropriate software, and a few synthesizers a single musician could write, record, and produce an entire piece with no other assistance. MIDI revolutionized the music industry, and its continued use is a good measure of the success of the standard. However, MIDI is far from perfect, and many musical purposes are not served well or at all by MIDI software and hardware. As a result, alternative protocols have been advanced."
Linux distros and Apple beat Microsoft's homepage uptime (Royal Pingdom)
The folks over at the Royal Pingdom blog have a comparison of uptimes and home page load times for the web sites of multiple Linux distributions along with Microsoft and Apple. Overall, the results of this month-long monitoring effort reflect quite well on Linux, but the authors are quick to caution that these numbers only reflect a particular point in time. Longer term monitoring is ongoing as well. "It is interesting to see that even with limited resources, many of the teams behind the various Linux distributions are managing a better homepage uptime and load time than Microsoft does, at least during this time period."
Reviews
Things that go Clang in the night: LLVM 2.4 released (ars technica)
Here's a look at the LLVM 2.4 release on ars technica. "One very significant part of the LLVM effort is the Clang project, which aims to build a completely new LLVM front-end - one that can be used in place of the current GCC-based front-ends - for C-like languages. Clang is progressing rapidly and is already capable of compiling some C applications. Clang offers a lot of really compelling advantages over GCC. Some early benchmarks show that it delivers insanely fast compilation and much lower memory overhead. In some real-world tests, Clang is 2.5 times faster than GCC and uses five times less memory. It also uses less disk space during the compilation process."
Miscellaneous
Linux on the iPhone
A blog series from user planetbeing describes an ongoing effort to put Linux on the iPhone. The Why iPhone Linux? posting explains: "Porting Linux to the iPhone is an arduous project. We will be trying to develop an entire suite of device drivers for undocumented hardware and then attempt to run a full-fledged operating system on it. This thread speculates "10 days" or "3 hours" as the amount of time it'd take to get Linux up and running on the iPhone. Perhaps this figure would be accurate on a x86 platform, or other platforms with hardware for which device drivers are already written or for which at least documentation is available, but we have no such luck on the iPhone." (Thanks to Mattias Mattsson).
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
EFF: Bogus IP Claims Quash Debate Over Future of NYC Landmark
The Electronic Frontier Foundation has sent out a press release concerning Bogus IP Claims. "The Electronic Frontier Foundation (EFF) is representing Savitri Durkee, an activist concerned with preserving the character of Union Square and Union Square Park. As one part of her education campaign, Durkee created a website parodying the official website of Union Square Partnership (USP), a group backing extensive redevelopment of the area. In response, USP sent Durkee's Internet service provider a notice pursuant to the Digital Millennium Copyright Act improperly asserting that her parody site infringed USP's copyright, leading to the shutdown of the site. USP then filed a copyright lawsuit against Durkee and later filed a claim with the World Intellectual Property Organization (WIPO) seeking to take control of the parody site's domain name."
GNU PDF is looking for hackers
The GNU PDF project has announced a call for help. "We need hackers with a good background in C for the development of GNU PDF. No previous knowledge in the PDF format is required." The project also needs help writing manuals and doing web design.
Give 1 Get 1 2008 Started in Europe and USA! (OLPC News)
The folks over at One Laptop Per Child News have information on this year's edition of the Give One Get One program. For $399, one can get an XO for some lucky child as well as donate one to a child in the developing world. This year, Amazon is handling the fulfillment which will hopefully alleviate many of the problems seen last year. Interested people should visit Amazon's XO site.
OpenLiberty.org releases ArisID
OpenLiberty.org has announced the release of its ArisID, open-source Liberty Identity Governance Framework (IGF) software. "The ArisID API provides enterprise developers and system architects with a library for building enterprise-grade identity-enabled applications using multiple identity protocols, and lays the groundwork for allowing enterprises to manage and audit the identity requirements of business applications based on declarative IGF policy specifications."
Commercial announcements
ActiveState announces ActivePython 2.6.0.0
ActiveState has released ActivePython 2.6.0.0. "ActivePython is ActiveState's binary distribution of Python. Builds for Windows, Mac OS X, Linux, HP-UX and AIX are made freely available. ActivePython includes the Python core and the many core extensions: zlib and bzip2 for data compression, the SQLite (sqlite3) database libraries, OpenSSL bindings for HTTPS support, the Tix GUI widgets for Tkinter, ElementTree for XML processing, ctypes (on supported platforms) for low-level library access, and others."
Adobe releases 64-bit Flash player alpha for Linux
Adobe has released an alpha version of a 64-bit Flash player 10 for Linux, ahead of either Windows or OS X versions. Users of 64-bit systems have had to deal with various workarounds for Flash support, so this is welcome news for some. More info can be found in the FAQ. (Thanks to Adam Gundy.)
Coverity announces new Coverity Architecture Analyzer tool
Coverity has announced the availability of the Coverity Architecture Analyzer tool. "Coverity, Inc., the leader in improving software quality and security automatically, today announced the availability of Coverity Architecture Analyzer. This new version of Coverity's architecture product incorporates the company's patented Software DNA Map analysis system to provide development teams with the ability to ensure the integrity of application architecture across development teams, analyse the complexity and dependencies of software systems, and identify errors that can create crash causing defects or security vulnerabilities."
Cray CX1 Taps Clustercorp's Rocks+ for Linux
Cray has announced the availability of the Cray CX1 deskside supercomputer preloaded with Rocks+ 5, the commercial version of the Rocks Cluster Distribution for Linux users. "Rocks+ is the commercial version of the Rocks Cluster Distribution -- an end-to-end HPCC software stack, which includes the operating system, cluster management middleware, libraries, and compilers; with enterprise class commercial support from Clustercorp, which was founded by the leaders in the Rocks community. Available Rocks+Rolls include the Intel(R) Roll, PGI(R) Roll, OFED Roll, TotalView(R) Roll and Moab(R) Roll (Rocks+MOAB). Clustercorp also supports open source Rolls including the Torque Roll and SGE (Sun Grid Engine) Roll."
eGenix announces mxODBC Connect 0.9.3 (beta)
eGenix has announced the release of their mxODBC Connect 0.9.3 (beta) Python Database Interface. "The mxODBC Connect Database Interface for Python allows users to easily connect Python applications to all major databases on the market today in a highly portable and convenient way. Unlike our mxODBC Python extension, mxODBC Connect is designed as client-server application, so you no longer need to find production quality ODBC drivers for all the platforms you target with your Python application."
Ingres Database 9.2 launched
Version 9.2 of Ingres Database has been announced. "Ingres Corporation, a leading provider of open source database software and support services, announced today the availability of Ingres Database 9.2, the leading open source database that helps organizations develop and manage business critical applications at an affordable cost. Ingres Database 9.2 is flexible, simple, secure, reliable, and scalable to cope with even the most complex, multi-language requirements including business intelligence, content management, data warehousing, enterprise resource planning (ERP), and logistics management."
Mandriva reports its 3rd Quarter results
Mandriva has reported its financial and operating results for the 3rd quarter 2008. "Turnover for the quarter is 0.83 million Euros, trading revenue is 1.04 million Euros, costs are 1.67 million Euros and the operating loss is 0.64 million Euros. Turnover and operating results, compared with the 3rd quarter 2007, were 29 per cent down, costs fell by 5 per cent."
New Books
Packt Publishes Apache OfBiz Development: The Beginner's Tutorial
Packt Publishing has published the book Apache OFBiz Development: The Beginner's Tutorial by Jonathon Wong and Rupert Howell.
Resources
Linux Foundation Newsletter
The November 2008 edition of the Linux Foundation Newsletter is online. "In this month's Linux Foundation newsletter: * Linux Foundation publishes guide to participating in Linux community * Linux valued at $10b by new Linux Foundation white paper * Linux Foundation holds successful first End User Summit * The flagship LSB portability tool Linux Application Checker is released * The Linux Foundation launches Linux Developer Network beta * CME Group, Nokia, and Canonical among many making membership moves * Linux Fast Boot Developments"
November 2008 Web Server Survey
Netcraft has published the November 2008 Web Server Survey. "The November 2008 survey shows worldwide monthly growth of nearly three million websites, with responses now being received from a total of 185,167,897 sites. Apache once again tops this month's growth, gaining 1.3 million sites to 93 million, but Microsoft-IIS follows closely gaining 1.1 million extra sites to reach 64 million. Google has grown by 509 thousand this month to approach the 11 million mark."
Contests and Awards
ACM selects Motama's software as Open Source competition winner
NMM software has won an ACM Multimedia conference award. "The ACM Multimedia is the premier annual multimedia conference, covering all aspects of multimedia computing. The program committee of ACM Multimedia selected Motama's key software technology - called Network-Integrated Multimedia Middleware (NMM) - to be presented at this year's Open Source competition. An international jury of experts in the field then chose NMM to be the final winner of the competition."
2008 October-November Linux kernel hacking challenge
Digital Armaments has announced a contest to exploit the Linux Kernel. "For the October-November Challenge, Digital Armaments will give a prize of 5000$ for each submission that results in a Exploitable Vulnerability or Working Exploit for Linux Kernel Local. This should include example and documentation. The submission must be sent during the October/November months and be received by midnight EST on November 30, 2008. The 5,000$ prize will be an extra added to the normal vulnerability payment."
TPF announces grant to David Mitchell (use Perl)
use Perl has announced a $5000 grant award for David Mitchell. "It is with considerable pleasure that TPF announces today a Perl development grant to David Mitchell for the release of Perl 5.10.1. David's work through this grant will be: * The vetting and application of 400+ outstanding patches to the Perl 5.10 codebase; * A rework of the "smart match" feature semantics to address known issues; * Packaging of a Perl 5.10.1 release distribution."
Calls for Presentations
Black Hat November News - calls for papers
The Black Hat November News report has been published. Topics include a Black Hat webcast on November 20 about Clickjacking, a call for papers for the February, 2009 Black Hat DC conference, a call for papers for the April, 2009 Black Hat Europe, and more.
Embedded Linux Conference 2009 - Call for sessions
The CE Linux Forum is sponsoring the Embedded Linux Conference to be held in San Francisco, April 6-8, 2009. The conference will be held in conjunction with the Linux Foundation Spring Collaboration Summit and is looking for interested folks to submit a presentation proposal. The deadline for submissions is January 16, 2009. More information including topic areas of interest can be found by clicking below.
O'Reilly Velocity 2009 Conference opens Call for Participation
A Call for Participation has gone out for the O'Reilly Velocity 2009 Conference. "Want to make your websites fast, scalable, efficient, and reliable? O'Reilly's Velocity, the Web Performance and Operations Conference on June 22-24, 2009, at the Fairmont in San Jose, CA, shows how to develop those traits. Dedicated to helping people build better infrastructures, Velocity offers developers and engineers the key for crossing over from cool Web 2.0 features to sustainable websites. Program chairs Jesse Robbins and Steve Souders have opened the call for participation and invite proposals for conference sessions, panels, and a newly added full day of tutorials at Velocity 2009." The submission deadline is January 5.
Upcoming Events
Events: November 27, 2008 to January 26, 2009
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location |
---|---|---|
November 25 to November 29 | FOSS.IN 2008 | Bangalore, India |
November 25 to November 30 | make art 2008 | Poitiers, France |
November 28 | Informazione geografica aperta e libera | Pontedera (PI), Italy |
November 28 to November 29 | WhyFLOSS La Plata - Argentina | La Plata, Argentina |
November 29 | LinuxDay in Vorarlberg (Deutschland, Schweiz, Liechtenstein und Österreich) | Dornbirn, Austria |
December 1 | First Nuxeo Developer Day | Paris, France |
December 1 to December 2 | Open World Forum | Paris, France |
December 2 to December 5 | Open Source Developers' Conference 2008 | Sydney, NSW, Australia |
December 4 to December 7 | PIKSEL08 - code dreams | Bergen, Norway |
December 5 to December 6 | FOSSCamp | Mountain View, CA, USA |
December 5 to December 13 | International Joint Conferences on Computer, Information, and Systems Sciences, and Engineering | Online |
December 7 to December 12 | Computer Measurement Group Conference 2008 | Las Vegas, NV, USA |
December 8 to December 12 | Ubuntu Developer Summit | Mountain View, CA, USA |
December 8 | Forum PHP Paris 2008 | Paris, France |
December 10 to December 11 | First Workshop on I/O Virtualization | San Diego, CA, USA |
December 13 | NLLGG meeting/BSD Community Day | Utrecht, The Netherlands |
December 27 to December 30 | Chaos Communication Congress | Berlin, Germany |
January 8 to January 11 | Consumer Electronics Show | Las Vegas, NV, USA |
January 9 to January 11 | Fedora User and Developer Conference | Boston, USA |
January 15 to January 16 | Foundations of Open Media Software 2009 | Hobart, Tasmania, Australia |
January 17 to January 23 | Camp KDE 2009 | Negril, Jamaica |
January 19 to January 24 | linux.conf.au - penguins march south | Hobart, Australia |
January 25 to January 29 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
January 25 to January 28 | GCC Research Opportunities | Paphos, Cyprus |
If your event does not appear here, please tell us about it.
Web sites
openDesktop.org Launches Job Board (KDE.News)
KDE.News reports on the launch of a new openDesktop.org Job Board. "Last week we launched a free job board on KDE-Look.org, KDE-Apps.org and the other websites of the openDesktop.org network. I know quite a few people who found a nice full time or freelance job by showing their work on our websites. I also know a few free software projects and companies who are looking for new projects, members or employees. So I had the idea to build a job board where companies, projects, developers and artist can get in contact. Specialised for open source and IT jobs."
Page editor: Forrest Cook