LWN.net Weekly Edition for December 11, 2008
Python 3 is out - now what?
For some years now, the Python development community has been talking about "Python 3000," the far-future release which would allow a complete rethinking of the language to fix the various annoyances which had built up over time. On December 3, that talk came to fruition with the Python 3.0 release. This release is the end result of a great deal of thought and development; it represents the vision Guido van Rossum and company have for the language into the indefinite future. Now that it's out, the Python community as a whole appears to have stopped for a "now what?" moment.
The wider Python development community appears to be split into three camps on Python 3.0; the situation amusingly resembles the classic folk tale "Goldilocks and the three bears." One set (the "too large" crowd) seems to think that an incompatible version of Python should never have been released, that languages should stay compatible forever. Another group ("too small") can handle the idea of an incompatible transition, but thinks that the Python community should have added more shiny features to the language while they were at it. And, of course, there's a "just right" crowd taking the position that the changes in Python 3 are just about as they should be. See this discussion by James Bennett for a well-argued description of the "just right" position.
Time will tell which position is closest to reality. If the "too large" group is right, Python 3 (or Python in general) will fade away as developers, unhappy with the break, move to a language they like better. If Python 3 is too small, there will be strong pressure for a Python 4 in the too-near future. Your editor, though, thinks that the Python community has come pretty close to getting it right. Things that truly needed to be fixed got fixed, but the Python developers resisted the temptation to try to do too much. They watched, from a safe distance, what happened with the Mozilla rewrite and Perl 6, and wisely concluded that their lives - and the lives of those who use Python - would be better if they avoided a similar experience. So they limited their goals and were able to get the job done in a reasonable amount of time.
Except, of course, that the job is not really done. To begin with, the presence of a few difficulties with the 3.0 release should not surprise anybody. The developers forgot to remove the deprecated cmp() function, with the result that newly-converted code may come to depend on it. There are some performance issues. A couple of other features are not working quite right. Getting Unicode truly straightened out may take a while yet - a problem which is certainly not unique to Python. The list seems to be quite short given that this is a major release of a complex programming language, but there are still things to fix. So there will almost certainly be a 3.0.1 release before the end of the year, and a 3.0.2 in (approximately) February.
Meanwhile, the Python hackers have made it clear that the 2.x version of the language will be supported for some years yet. Version 2.6, available now, includes a number of features aimed at making the eventual port to 3.0 easier. As the porting projects get serious, other ways to help that process will become clear; there will be an eventual 2.7 release which incorporates those lessons wherever possible. A 2.8 release further down the road has not been ruled out. The current plan seems to be to maintain Python 2.x for at least the next three years.
That is good because, for many Python developers, it is not yet really time to make the jump to 3.0. The core language appears to be in reasonably good shape, but a language like Python involves much more than the core. Most non-trivial code makes heavy use of the wide variety of Python libraries, and, at this point, many or most of those libraries do not support Python 3. So, now is a good time for library maintainers to be looking at moving to 3.0, but application developers who try to port their code now are likely to run into frustration. Porting smaller programs or subsystems as an exercise in learning the new language may make sense, but complex application porting probably cannot happen for a little while yet.
What distributors should be doing is another question. So far, it would appear that only Fedora is having a (public) discussion on how to handle the Python 3 transition - see this thread - and they don't really know what they are going to do yet. Fedora's maintainers, it seems, would prefer to stay with Python 2 for the indefinite future; the chances of Python 3 making an appearance in Fedora 11 are quite small. There is a strong wish to avoid maintaining both 2.x and 3.x on the same distribution release; they would rather make a clean switch.
Your editor suspects that the flag-day approach to the language transition is not going to work. There are a lot of packages which need to be ported, and many of the people doing the porting would appreciate support from their distributor. Red Hat dragged its feet for a long time on the transition to Python 2, with the result that many users had to build and install the newer version of the language themselves. For Fedora to do the same with Python 3 is a sure path toward user frustration.
That said, keeping both versions of the language around is not a task for the faint of heart. Installing a different version of Python itself is quite easy. Keeping a whole set of modules for multiple versions is distinctly less so. This will be especially true for Fedora; some other distributions (especially the Debian-derived ones) have better mechanisms for (and experience in) maintaining multiple versions of core system tools. The reluctance on the part of the Fedora developers to take on this work is thus unsurprising. Perhaps this would be a good opportunity for offers of help from the wider Fedora community.
It may well take a couple of years, but this transition will eventually be made and people will eventually wonder what all the fuss was about. And, when it's done, we'll have a cleaner, more maintainable, more Unicode-rational version of an important programming language to work with. That, one hopes, will be worth the short-term pain involved in getting there.
(For more information, see the Python3000 FAQ, currently under development).
A look at KOffice 2.0 Beta 3
The KDE office application suite, KOffice, is getting closer to its 2.0 release. Beta 3 was announced November 19, with another beta due any day. The final release is expected early next year, so it seems like a good time to take it for a spin.
The beta releases are available for Kubuntu Intrepid Ibex (8.10), making it relatively easy to try out. There are also openSUSE and Debian packages available as well as source code (of course). The author didn't look forward to trying to build KOffice on his normal Fedora 9 desktop, so borrowing an Intrepid laptop from the wife was in order; after that, enabling the "Unsupported Updates" and installing the koffice-kde4 package (which didn't seem to work through the GUI, but apt-get worked just fine) was all that it took.
The initial impression was a bit rocky as most of the small handful of ODF files that were opened caused KOffice to crash. It is a beta, though, so some of that is to be expected. Trying again with the imminent Beta 4 and filing bugs for failures should be high on the author's list. The one presentation file that successfully opened in KPresenter seemed to have lost much of the formatting that was present in the original, which was also disheartening.
It should be noted that the author is hardly an office suite "power user". Normally, OpenOffice.org is used for minimal business documents (invoices mainly), simple spreadsheets (expense reports, football pools), and boring, bullet-list slides for presentations (as anyone who has been to one will attest). By and large, these simple needs are met by OpenOffice, with the added bonus of being mostly able to open the various Microsoft-format documents that unfortunately cross the desktop. Any other office suite with similar capabilities would serve just as well.
KSpread provided the most reliable experience when opening existing documents, but there were still a number of problems. Formulas did not calculate automatically regardless of the auto-recalculate setting, but the data was there, unlike some of the other document types. KWord seemed to be unable to open any of the ODF documents tried, crashing in all cases. One "handy" .doc file opened, but the formatting and contents were mangled; OpenOffice can reproduce the formatting of that document pretty well. KWord also crashed on exit from that document. Perhaps betas are not the place to try opening existing files.
There clearly are many new features in KOffice 2.0, but the major ones, porting to KDE4/Qt4 and using the Flake object library throughout, are infrastructural in nature—they aren't obvious to users. Much like KDE 4.0, it would appear that KOffice 2.0 is a launching pad for subsequent releases.
There is an emphasis on a consistent user interface between the various applications which does stand out when using KOffice. For better or worse, the OpenOffice interface is fairly consistent between applications as well, but seems more cluttered, or more poorly organized somehow. Using Flake everywhere will be a boon to those who are power users as it treats everything as a "shape" that can be transformed (via scale, rotate, skew) and moved between any of the separate applications. Vector graphics can cohabitate with raster graphics and text easily.
Using KOffice 2.0 is fairly straightforward for simple tasks. It is noticeably slower than OpenOffice on the same hardware. Opening files, even empty documents, seems to take an inordinate amount of time. Even moving around within KSpread or KWord seemed sluggish. Presumably these are things that will be fixed; whether that will be in the next few months or for KOffice 2.1 remains to be seen. This beta gives the impression of great promise, but not yet a very usable tool.
Of course, there is more to KOffice than just the three applications mentioned. The database application Kexi is not yet part of the KOffice 2.0 release, nor is the Visio-like flowchart program Kivio. Two drawing applications, Karbon14 for vectors and Krita for raster graphics, have been released with the beta. Other than a quick startup to see if the interface was consistent with the rest of the suite—it was—the author didn't try them. The same goes for KPlato, the project management and planning application, though it has a rather different look—no toolboxes on the right hand side—likely because of its very different needs.
Perhaps unfairly, the author expected a bit more from this beta release. It would seem there is still a fair amount of work to do before the final 2.0 version, but there are still a few months left. For whatever reason, previous attempts to use KOffice had always caused the author to quickly switch back to OpenOffice. Even though there were so many problems, this KOffice—or more likely 2.1—somehow seems more plausible to switch to. Another look in a few more months is likely called for.
Interview: Vernor Vinge
Science fiction writer Vernor Vinge is best known for novels like A Fire Upon the Deep and Rainbows End, as well as the concept of The Singularity -- the idea that, in the next couple of decades, humans will become or create a super-human intelligence. What is less well-known is that Vinge has been a free software supporter since the earliest days of the Free Software Foundation (FSF). He has served several times on the jury for the FSF Awards and spoke at an FSF-sponsored event held last month in San Diego to coincide with the LISA conference. As someone who deals regularly with large scale speculations, Vinge places free software in a larger historical context. He even speculates that free software may be one of the factors that will shortly bring about the Singularity.
Part of Vinge's interest in free software is personal. A mathematician and computer scientist, he quickly found that the rise of proprietary software greatly increased the difficulties of teaching.
"When I looked at contracts and user-agreements," he recalls, "the legalese was extraordinarily intimidating, not just because it was complicated, but because it actually seemed to restrict things to the point where it was really difficult to imagine how a student could follow the agreement and still do a project. So the openness that was in the GNU General Public License (GPL) was really very, very welcome." Vinge soon got into the habit of giving students "a little spiel about the GPL" and encouraging them to license their projects under the GPL.
"If they did that," he says, "that would mean I would be able to use their stuff in later projects with other students. And a very large percentage of students in most classes thought it was a cool enough idea that they actually did use [the GPL] in their projects."
The historical trend to cooperative infrastructure
However, as important as free software may have been to Vinge in his teaching, what seems to interest him the most is placing free software in a broader historical context. Early on, Vinge came to view free software -- and, later on, the Internet and social networking applications that it was instrumental in creating -- as part of a historical trend towards creating an increasingly elaborate "infrastructure of trust and cooperation" that increases the rate of technological advance.
Vinge says: "There are business inventions of the last 2000 years like the widespread use of loans and credit, the use of insurance, the use of limited liability corporations, all of which involve at least at the beginning, a leap of trust." To Vinge, free software, the Internet and social networking are simply the latest extensions to the infrastructure created from such institutions. What these institutions all have in common is that they allow people to interact in more creative and productive ways.
More specifically, he sees free software as the natural and more logical extension of the insight that had produced the shareware culture a few years before the start of the GNU Project and the FSF. With the emergence of the personal computer, entrepreneurs were finding that "the barriers to entry were so low that you didn't need a lot of the overhead that was involved in commercial stuff, and you might just be able to get away with trusting people to pay you. There was much blind feeling around the concept of producing stuff in some sort of context that was different from cars."
According to Vinge, what the GPL and the software and institutions that have grown up around it have produced is "a platform for experimenting with social invention. In the 20th and 19th century, if you wanted to experiment with a new infrastructure for people to interact in, in most cases, like with the railroads, you needed enormous effort. And now -- we can actually do social experiments -- cooperative experiments -- much more cheaply, and you can design ways for people to interact based on just the software guiding what the interactions are like."
Vinge acknowledges that the consequences have not always been beneficial. "One thing the last ten years have proved is that we seem to be very bad at thinking how stuff can be abused," he says, no doubt thinking of such phenomena as crackers and online predators. "Any time you can make something a hundred or a thousand times cheaper than it was before, there are probably side-effects. But there's a tendency when something works really, really well to push it hard and deliberately avoid thinking about side-effects."
Still, the main change has been beneficial overall in Vinge's view. In particular, he says: "One nice thing is that the price of failure is a lot lower than what you might imagine in the 19th century. Say someone spent ten million 1850 dollars, to make steam-powered dirigibles. Now, it doesn't work, and you've just spent a lot of money, and you don't have anything except a lot of ruined effort. Now, there's still ruined effort if something doesn't work out, but you can retarget or repurpose much more easily, and you can justify taking much larger leaps of faith than you could in 1850." The result is that more experimentation, and more and quicker development becomes possible.
In this view, free software represents the currently most-advanced realization of the possibilities inherent in computer technology. "It's an interesting, science-fictiony, parallel-world story to imagine what would have happened if Richard Stallman hadn't come along with the GPL," says Vinge. "Without Richard Stallman's insight, I think we would have eventually got something like what we got with free software, but it would have been a very interesting muddle. [The process] could have gone for years, and it could easily have gone on so many years that it impacted the era in which really large stuff can be built in the free model. So, overall, I think we would have got something, but, even now, the low overhead involved and even the insight that comes from the GPL would not be with us."
In other words, the GPL and modern computer structures are all "in the tradition of the last few centuries. They're taking the traditions that we saw with the industrial revolution and adding several layers of magnitude to that flexibility."
Bringing on The Singularity
Although speculation is part of Vinge's stock in trade as an SF novelist, he is cautious about predicting the future. "I always rush to say, 'Terrible things could happen!'" he says. "A giant meteor could hit the earth, or a civil war could happen."
However, caution aside, Vinge does concede that "we have the tools to keep running along the same lines for some time. And, in the absence of disaster, it quickly runs to the point where you're talking about stuff that's of the same significance as the rise of the human race within the animal kingdom." In other words, the Singularity arrives.
Vinge does not offer a map of exactly how free software and its infrastructure will lead to the Singularity. But, given the probable inability of humans to understand super-human intelligence, he should not be expected to do so. "It's easy to imagine," he says, "but you run out of adjectives and high-sounding words that could mean anything to someone like us." All that can really be said is that, as the latest manifestation of the historical trend to increasingly complex cooperative infrastructures, free software plays a large role in creating a future in which the Singularity becomes increasingly inevitable.
"I think that's going to happen in the relatively near historical future," says Vinge. "And these sorts of trends are all consistent with that possibility."
Meanwhile, Vinge is personally content with the improvements that have come to free software in the last couple of years. He is particularly pleased that you can download and install a stable and easy to use operating system in an afternoon. "If you look back over the last ten years, you see how easy it's become to do things," he says. "It's silly to put a number to this, but it's ten or a hundred times easier now. I can remember spending days getting PPP to work. And now, you just plug this cable into that socket, and it works. I feel much more able to do what I have to do without having to worry very much, without having Catch-22s nibble me to death. Things have really come together in a coherent and useful way."
Security
Fedora and CAPP
Removing the ability for regular users to execute "system" programs has a certain appeal, but does it really provide any extra security? A thread on the fedora-devel mailing list explores that question in the context of usermod (and other, similar tools), which had their permissions changed more than two years ago in an effort to meet security certification requirements. Whether these changes, and at some level the certifications themselves, actually increase the security of the system is the open question.
Callum Lerwick noticed that running usermod no longer worked as a regular user. He has a habit of doing that to get a quick overview of the command syntax and options from the help page, but unless he uses sudo, that doesn't work. That was done on purpose as Steve Grubb describes:
LSPP and CAPP are two protection profiles that are used for Common Criteria security certifications (such as EAL3) that Red Hat Enterprise Linux (RHEL) has earned. Because these tools can modify trusted databases (e.g. /etc/shadow), attempts to run them by untrusted users must be added to the audit log in order to comply with the certifications. But adding audit events requires the CAP_AUDIT_WRITE capability bit; in today's systems that effectively means setuid(0). As Grubb puts it: "IOW, if we open the permissions, we need to make these become setuid root so that we send audit events saying they failed."
Leaving aside the idea that only processes with root permissions are allowed to generate auditable events—which seems a bit bizarre—there is still the question of how much protection is provided by changing the file permissions. Seth Vidal asks:
Allowing users to download binaries "takes the system out of the certified configuration", according to Grubb, "So, if you need to be in the CAPP certified configuration, don't let users do this." This fairly clearly demonstrates the dubious nature of the security afforded by the current certifications. For the most part, the protection profiles define away nearly all of the interesting threats that most systems face today.
To a large extent, CAPP/LSPP certifications are the kinds of things listed in marketing materials for "enterprise" operating systems rather than serious attempts to address the real security needs of the vast majority of network connected systems. Grubb provides an excellent overview of some of the requirements of CAPP, along with how they are implemented in Fedora as part of the discussion. The CAPP information page gives the full story, however:
But CAPP does require that all attempts to modify trusted databases like the shadow password file generate an audit trail, so there is a lower-level audit rule set up for that file. Any access to /etc/shadow, for example, is logged as Grubb describes in his overview. That, though, raises other questions as Lerwick points out:
The answer is that auditing execution of usermod by non-root users gains exactly one thing: CAPP compliance. It requires that binaries which modify trusted databases leave an audit trail. Even though any actual attempt to access the underlying file will be logged, just accessing the binary that could modify the file is also something that must be logged.
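The two audit requirements described above (attempts by non-root users to run a trusted-database tool, and any access to /etc/shadow) can be checked from the audit log itself. As an added example that is not from the Fedora thread or from any Fedora code, the following parses Linux audit records grouped by event serial and reports both kinds of event; the sample records are constructed, and the syscall-number table assumes x86 architectures.

```python
"""Detection over Linux audit records for the CAPP requirements discussed above.
Added example; the records in SAMPLE_LOG are constructed, not from a real host."""
import os
import re
from collections import defaultdict

# Tools that modify trusted databases (the usermod family from the thread).
TRUSTED_DB_TOOLS = {"usermod", "useradd", "userdel", "groupmod", "groupadd",
                    "groupdel", "passwd", "chpasswd", "chage", "gpasswd"}
TRUSTED_DB_FILES = {"/etc/shadow", "/etc/gshadow"}
# execve / execveat numbers keyed by the audit "arch" field (assumption: x86 only).
EXEC_SYSCALLS = {"c000003e": {"59", "322"},   # x86_64
                 "40000003": {"11", "358"}}   # i386
AUID_UNSET = "4294967295"                     # -1: daemons with no login uid

# type=SYSCALL msg=audit(SECONDS.MILLIS:SERIAL): key=value key="quoted" ...
_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record into (type, serial, {field: value}); None if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {}
    for key, value in _FIELD.findall(rest):
        if value.startswith('"'):
            value = value[1:-1]          # strip quotes (hex-encoded names stay raw)
        fields[key] = value
    return rtype, int(serial), fields


def group_events(lines):
    """Records sharing a serial number belong to one syscall event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec[1]].append(rec)
    return events


def analyse(lines):
    """Return findings (dicts) for exec-of-trusted-tool and trusted-file access."""
    findings = []
    for serial, records in sorted(group_events(lines).items()):
        by_type = {r[0]: r[2] for r in records}
        sysc = by_type.get("SYSCALL")
        if sysc is None:
            continue
        auid = sysc.get("auid", AUID_UNSET)
        base = {"serial": serial, "comm": sysc.get("comm", ""), "auid": auid,
                "success": sysc.get("success") == "yes"}
        paths = [r[2].get("name", "") for r in records if r[0] == "PATH"]
        is_exec = sysc.get("syscall") in EXEC_SYSCALLS.get(sysc.get("arch", ""), set())
        # Finding 1: execve of a trusted-database tool by a non-root login uid.
        # On a failed exec comm/exe still name the caller, so the target comes
        # from the PATH record; auid survives su/sudo, unlike uid/euid.
        if is_exec and auid not in ("0", AUID_UNSET):
            for name in paths:
                if os.path.basename(name) in TRUSTED_DB_TOOLS:
                    findings.append(dict(base, kind="exec", target=name))
                    break
        # Finding 2: any open of a trusted database, successful or denied,
        # which is what the file watch rule on /etc/shadow records.
        for name in paths:
            if name in TRUSTED_DB_FILES:
                findings.append(dict(base, kind="file", target=name))
    return findings


# Constructed sample: four events (serials 1001-1004) in audit.log format.
SAMPLE_LOG = [
    # uid 500 tries "usermod --help"; with the 0750 permissions the exec is denied
    'type=SYSCALL msg=audit(1228939200.101:1001): arch=c000003e syscall=59 success=no exit=-13 ppid=3110 pid=3125 auid=500 uid=500 gid=500 euid=500 comm="bash" exe="/bin/bash" key="priv-cmds"',
    'type=PATH msg=audit(1228939200.101:1001): item=0 name="/usr/sbin/usermod" inode=262711 dev=08:01 mode=0100750 ouid=0 ogid=0',
    # uid 500 became root via sudo and ran usermod, which opened /etc/shadow
    'type=SYSCALL msg=audit(1228939200.202:1002): arch=c000003e syscall=2 success=yes exit=4 ppid=3130 pid=3131 auid=500 uid=0 gid=0 euid=0 comm="usermod" exe="/usr/sbin/usermod" key="shadow"',
    'type=CWD msg=audit(1228939200.202:1002): cwd="/root"',
    'type=PATH msg=audit(1228939200.202:1002): item=0 name="/etc/shadow" inode=131337 dev=08:01 mode=0100000 ouid=0 ogid=0',
    # unprivileged read of /etc/shadow, refused by file permissions but still audited
    'type=SYSCALL msg=audit(1228939200.303:1003): arch=c000003e syscall=2 success=no exit=-13 ppid=3110 pid=3140 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="shadow"',
    'type=PATH msg=audit(1228939200.303:1003): item=0 name="/etc/shadow" inode=131337 dev=08:01 mode=0100000 ouid=0 ogid=0',
    # root login (auid=0) running chage: not a finding, root is a trusted user
    'type=SYSCALL msg=audit(1228939200.404:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=0 uid=0 gid=0 euid=0 comm="chage" exe="/usr/bin/chage" key="priv-cmds"',
    'type=PATH msg=audit(1228939200.404:1004): item=0 name="/usr/bin/chage" inode=262800 dev=08:01 mode=0100755 ouid=0 ogid=0',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        state = "ok" if f["success"] else "denied"
        print(f"{f['serial']} {f['kind']:4} auid={f['auid']:>10} {f['comm']:8} -> {f['target']} ({state})")
```

Note that event 1001 is only visible because the exec syscall itself was audited; nothing in the (never-started) usermod binary had a chance to write an audit event, which is the gap the setuid-root argument in the thread is about.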
Part of the dismay displayed in the thread comes from the fact that Fedora will probably never be certified with CAPP for any number of reasons. So taking away longstanding user abilities, though there are reasonable alternatives like man usermod, for a certification that won't be done, doesn't sit well with some in the Fedora community. Though, as Jef Spaleta notes, there might be a use for the certification in a Fedora spin:
There is always going to be tension between the security needs of an "enterprise" distribution like RHEL and a more user/desktop-oriented distribution like Fedora. While the specific reduced functionality in this case is fairly minimal, the discussion increased the visibility of the auditing required for certification as well as what that means for both distributions. The original decision was made back in the Fedora Core days when there was much less visibility and community input into the process. Discussions like this will only help continue the process of opening up Fedora while also exposing some of the inadequacies of security certifications.
Brief items
PHP 5.2.7 withdrawn
The PHP 5.2.7 release has been withdrawn because it introduced a security hole. PHP users are advised to drop back to version 5.2.6 until the developers can put together a 5.2.8 update. Update: PHP 5.2.8 is now available.
New vulnerabilities
Archive::Tar: directory traversal
| Package(s): | Archive-Tar | CVE #(s): | CVE-2007-4829 |
| Created: | December 10, 2008 | Updated: | July 22, 2010 |
| Description: | The Archive::Tar perl module, prior to version 1.40, suffers from a directory traversal vulnerability exploitable via a specially-crafted tar file. |
| Alerts: | |
awstats: fix incomplete fix for CVE-2008-3714
| Package(s): | awstats | CVE #(s): | CVE-2008-5080 |
| Created: | December 8, 2008 | Updated: | October 13, 2009 |
| Description: | From the Red Hat bugzilla entry: It was discovered that the upstream patch for cross-site scripting (XSS) issue in awstats known as CVE-2008-3714 does not completely resolve the problem and it still allows injection of quote characters. |
| Alerts: | |
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2008-5314 |
| Created: | December 4, 2008 | Updated: | December 24, 2008 |
| Description: | clamav has a denial of service vulnerability. From the Debian advisory: Ilja van Sprundel discovered that ClamAV contains a denial of service condition in its JPEG file processing because it does not limit the recursion depth when processing JPEG thumbnails (CVE-2008-5314). |
| Alerts: | |
compiz-plugins: illegal access to desktop
| Package(s): | compiz-plugins | CVE #(s): | |
| Created: | December 9, 2008 | Updated: | December 10, 2008 |
| Description: | From the Ubuntu advisory: It was discovered that the Expo plugin for Compiz did not correctly restrict the screensaver window from being moved with the mouse. A local attacker could use the mouse to move the screensaver off the screen and gain access to the locked desktop session underneath. Default installs of Ubuntu were not vulnerable as Expo does not come pre-configured with mouse bindings. |
| Alerts: | |
dbus: security bypass
| Package(s): | dbus | CVE #(s): | CVE-2008-4311 |
| Created: | December 8, 2008 | Updated: | April 21, 2009 |
| Description: | From the freedesktop.org advisory: Joachim Breitner discovered a mistake in the default configuration for the system bus (system.conf) which made the default policy for both sent and received messages effectively *allow*, and not deny as intended. |
| Alerts: | |
java: arbitrary code execution
| Package(s): | java | CVE #(s): | CVE-2008-2086 |
| Created: | December 4, 2008 | Updated: | November 18, 2009 |
| Description: | Java has an arbitrary code execution vulnerability. From the Red Hat alert: A vulnerability was found in Java Web Start. If a user visits a malicious website, an attacker could misuse this flaw to execute arbitrary code. (CVE-2008-2086) |
| Alerts: | |
java-1.6.0-openjdk: multiple vulnerabilities
| Package(s): | java-1.6.0-openjdk | CVE #(s): | CVE-2008-5350 CVE-2008-5349 CVE-2008-5347 CVE-2008-5348 CVE-2008-5360 CVE-2008-5359 CVE-2008-5351 CVE-2008-5356 CVE-2008-5352 CVE-2008-5358 CVE-2008-5353 CVE-2008-5354 CVE-2008-5357 |
| Created: | December 8, 2008 | Updated: | November 18, 2009 |
| Description: | From the Fedora advisory: [ 1 ] Bug #472201 - CVE-2008-5350 OpenJDK allows to list files within the user home directory (6484091) https://bugzilla.redhat.com/show_bug.cgi?id=472201 |
| Alerts: | |
kernel: buffer overflow
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5134 |
| Created: | December 5, 2008 | Updated: | February 4, 2009 |
| Description: | The kernel has a buffer overflow vulnerability. From the national vulnerability database entry: Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem in the Linux kernel before 2.6.27.5 allows remote attackers to have an unknown impact via an "invalid beacon/probe response." |
| Alerts: | |
kernel: denial of service
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5300 |
| Created: | December 5, 2008 | Updated: | November 4, 2009 |
| Description: | The kernel has a denial of service vulnerability. From the national vulnerability database entry: Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. |
| Alerts: | |
kernel: privilege escalation
| Package(s): | linux-2.6.24 | CVE #(s): | CVE-2008-5182 |
| Created: | December 5, 2008 | Updated: | February 25, 2009 |
| Description: | The kernel has a privilege escalation vulnerability. From the national vulnerability database entry: The inotify functionality in Linux kernel 2.6 before 2.6.28-rc5 might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2008-5079 |
| Created: | December 9, 2008 | Updated: | October 5, 2009 |
| Description: | From the CVE entry: net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8 and earlier allows local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. |
| Alerts: | |
lcms: buffer overflows
| Package(s): | lcms | CVE #(s): | CVE-2008-5316 CVE-2008-5317 |
| Created: | December 10, 2008 | Updated: | January 8, 2009 |
| Description: | The lcms color management utility suffers from a couple of buffer overflow vulnerabilities which could be exploited via a specially-crafted image file. |
| Alerts: | |
mgetty: insecure use of tmp file
| Package(s): | mgetty | CVE #(s): | CVE-2008-4936 |
| Created: | December 8, 2008 | Updated: | December 10, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported that the "spooldir" directory in fax/faxspool.in is created in an insecure manner. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running the application. |
| Alerts: | |
apache: multiple vulnerabilities
Package(s): apache    CVE #(s): CVE-2007-6420 CVE-2008-2364 CVE-2008-2939
Created: December 5, 2008    Updated: December 7, 2009
Description: The Apache web server has multiple vulnerabilities. From the Red Hat vulnerability report: A flaw was found in the mod_proxy module. An attacker who has control of a web server to which requests are being proxied could cause a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp module. Where Apache is configured to support ftp-over-httpd proxying, a remote attacker could perform a cross-site scripting attack. (CVE-2008-2939) A cross-site request forgery issue was found in the mod_proxy_balancer module. A remote attacker could cause a denial of service if mod_proxy_balancer is enabled and an authenticated user is targeted. (CVE-2007-6420)
ruby: denial of service
Package(s): ruby    CVE #(s): CVE-2008-4310
Created: December 5, 2008    Updated: December 10, 2008
Description: ruby has a denial of service vulnerability. From the Red Hat security advisory: Vincent Danen reported, that Red Hat Security Advisory RHSA-2008:0897 did not properly address a denial of service flaw in the WEBrick (Ruby HTTP server toolkit), known as CVE-2008-3656. This flaw allowed a remote attacker to send a specially-crafted HTTP request to a WEBrick server that would cause the server to use excessive CPU time. This update properly addresses this flaw. (CVE-2008-4310)
squirrelmail: cross-site scripting
Package(s): squirrelmail    CVE #(s): CVE-2008-2379
Created: December 8, 2008    Updated: May 13, 2009
Description: From the Debian advisory: Ivan Markovic discovered that SquirrelMail, a webmail application, did not sufficiently sanitise incoming HTML email, allowing an attacker to perform cross site scripting through sending a malicious HTML email.
syslog-ng: chroot jail escape
Package(s): syslog-ng    CVE #(s): CVE-2008-5110
Created: December 8, 2008    Updated: July 13, 2009
Description: From the Red Hat bugzilla entry: syslog-ng does not call chdir before it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present.
vim: information exposure
Package(s): vim    CVE #(s): CVE-2008-4677
Created: December 4, 2008    Updated: March 24, 2009
Description: The vim editor has an information exposure vulnerability. From the Mandriva alert: A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677).
vinagre: format string flaw
Package(s): vinagre    CVE #(s): (none listed)
Created: December 8, 2008    Updated: December 11, 2008
Description: From the Ubuntu advisory: Alfredo Ortega discovered a flaw in Vinagre's use of format strings. A remote attacker could exploit this vulnerability if they tricked a user into connecting to a malicious VNC server, or opening a specially crafted URI with Vinagre.
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel is 2.6.28-rc8, released on December 10. 2.6.28-rc8 contains another fairly long list of fixes, including some for fairly important regressions.
Linus also notes (in the 2.6.28-rc8 announcement) that he's trying to figure out whether to release 2.6.28 before or after the holidays. He asks for suggestions, of which, one assumes, he will get plenty.
The current stable 2.6 kernel is 2.6.27.8, released on December 5. This is a large update with fixes for a wide variety of problems.
Kernel development news
Quotes of the week - all about documentation
I wish it could work, but it doesn't across the board. So unless we have dedicated monkeys scouring over every single patch that goes into the tree and doing the necessary kerneldoc updates, kerneldoc will be chronically wrong somewhere.
That leads to confusion and lost developer time. Because if the kerneldoc bits are wrong, it's worthless.
Speakers needed for the linux.conf.au Kernel Miniconf
The Kernel Miniconf at linux.conf.au next January is looking for a speaker or two to fill out the schedule. "Presentations do not have to be limited to a slide deck. If you have an idea for a 50-minute session that follows a non-traditional format, it will be considered."
A new realtime tree
It has been just over four years, now, since the realtime discussion got serious and the realtime preemption patch set got its start. During that time, your editor has heard many predictions for when the bulk of the realtime work would be merged; generally, the guess has been "within about a year." While a lot of realtime work has been merged, some of the core components of the realtime tree remain outside of the mainline. Beyond that, the realtime developers have been relatively quiet over the last year - at least on the realtime front. Having taken on some little side tasks - unifying the x86 architecture and maintaining it going forward, for example - some of those developers have been just a little bit distracted recently.
The realtime patch set has not gone away, though. If nothing else, the fact that a number of distributors are shipping this code is enough to ensure continued interest in its development. So your editor noted with interest the recent announcement of a new -rt tree with an updated set of realtime patches. This tree will be of interest for anybody wanting to look at the realtime work in the context of the 2.6.28 kernel or beyond.
One of the core technologies in the realtime tree is a change to how spinlocks work. Spinlocks in the mainline will busy-wait until the required lock becomes available; they thus occupy the processor to no useful end when acquiring a contended lock. Holding a spinlock will also prevent a thread from being preempted. This behavior is generally best for system throughput; it also makes it easier to write correct code. But anything which prevents a CPU from immediately servicing the highest-priority process runs counter to the chief design goal of a realtime operating system: providing deterministic response times in all situations. So, for the realtime patches, classic spinlocks had to go.
The solution was to turn most spinlocks into a form of mutex with priority inheritance. A process which attempts to acquire a contended "spinlock" will no longer spin; instead, it goes to sleep and waits for the lock to become free, making the processor available to another thread. Code which holds one of these non-spinlocks is no longer immune to preemption; a higher-priority thread can always push it out of the way. By changing spinlocks in this way, the realtime hackers were able to eliminate one of the largest sources of latency in the mainline kernel. Much of that work found its way into the mainline some time ago in the form of the mutex API, but spinlocks themselves have not been changed in the mainline.
To minimize the pain of maintaining the realtime patches, the developers simply redefined the spinlock_t type to be the new mutex type instead. Except that, as it turns out, some spinlocks in low-level parts of the kernel really do need to be spinlocks still. So those were switched to a new raw_spinlock_t type - but without changing the various spin_lock() calls. Instead, some truly frightening macro trickery was introduced to cause the spinlock API to do the right thing when passed either of two entirely different mutual exclusion primitives. This bit of macro magic was always going to be an impediment to mainline inclusion, so the realtime developers never really expected to merge the lock code in that form.
The new realtime tree now shows how the realtime developers think this work might get into the mainline. It involves a more explicit separation of the two types of "spinlocks" - and a lot of code churn. In the realtime tree, most locks of type spinlock_t are changed to a new lock_t type. There is a new set of operations for this type:
#include <linux/lock.h>
lock_t lock;
acquire_lock(&lock);
release_lock(&lock);
For a normal, non-realtime kernel build, lock_t will be the same as spinlock_t, and things will work as they always have. On realtime kernels, instead, lock_t will be a mutex type. The other variants of the spinlock API will be represented in the new API (there is an acquire_lock_irqsave(), for example), but none of them will actually disable interrupts in a realtime kernel. Meanwhile, spinlock_t will remain a true spinlock type.
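To make the two approaches concrete, here is an added user-space illustration written for this article; it is not code from the -rt tree or from the mainline, and the macro and lock names are the example's own. The first half shows the macro trick: a single spin_lock() that resolves, from the static type of its argument, to either a spinning or a sleeping implementation, using the gcc/clang builtins __builtin_types_compatible_p and __builtin_choose_expr. The second half shows the explicit split: lock_t and acquire_lock() are a spinlock unless CONFIG_PREEMPT_RT is defined at build time (compile with -DCONFIG_PREEMPT_RT to flip it), while the raw type stays a real spinlock. The lock bodies, the KIND_* return values and the CONFIG_PREEMPT_RT macro name are assumptions made for the demonstration; a real -rt sleeping lock is a priority-inheriting mutex that blocks and hands the CPU away, whereas this one only counts.

```c
/* Added illustration (not -rt or mainline code): one lock API over two
 * unrelated lock types, modelled in user space and single-threaded. */
#include <stdio.h>

enum lock_kind { KIND_RAW = 1, KIND_SLEEPING = 2 };

/* Stand-in for raw_spinlock_t: a genuine busy-wait on an atomic flag. */
typedef struct { int locked; int acquired; } raw_spinlock_t;
/* Stand-in for the -rt sleeping "spinlock": the real one is a PI mutex;
 * this one only records that a contended caller would have slept. */
typedef struct { int locked; int acquired; int would_sleep; } sleeping_lock_t;

static int __raw_lock(raw_spinlock_t *l)
{
    while (__atomic_exchange_n(&l->locked, 1, __ATOMIC_ACQUIRE))
        ;   /* spin: the CPU does nothing useful until the lock frees */
    l->acquired++;
    return KIND_RAW;
}
static int __raw_unlock(raw_spinlock_t *l)
{
    __atomic_store_n(&l->locked, 0, __ATOMIC_RELEASE);
    return KIND_RAW;
}
static int __sleep_lock(sleeping_lock_t *l)
{
    if (l->locked)
        l->would_sleep++;   /* real code: block and hand the CPU to someone else */
    l->locked = 1;
    l->acquired++;
    return KIND_SLEEPING;
}
static int __sleep_unlock(sleeping_lock_t *l)
{
    l->locked = 0;
    return KIND_SLEEPING;
}

/* Deliberately never defined: only referenced in the branch that
 * __builtin_choose_expr discards, so an unknown lock type fails to link
 * instead of silently getting the wrong implementation. */
extern int __bad_lock_type(void);

/* Approach 1 (the macro trick): dispatch on the argument's static type. */
#define TYPE_EQUAL(lock, type) \
    __builtin_types_compatible_p(__typeof__(lock), type *)
#define PICK_OP(op, lock)                                            \
    __builtin_choose_expr(TYPE_EQUAL(lock, raw_spinlock_t),          \
        __raw_##op((raw_spinlock_t *)(lock)),                        \
    __builtin_choose_expr(TYPE_EQUAL(lock, sleeping_lock_t),         \
        __sleep_##op((sleeping_lock_t *)(lock)),                     \
        __bad_lock_type()))
#define spin_lock(l)   PICK_OP(lock, l)
#define spin_unlock(l) PICK_OP(unlock, l)

/* Approach 2 (the explicit split): lock_t and its operations are chosen
 * once, by build configuration; the raw type stays a real spinlock. */
#ifdef CONFIG_PREEMPT_RT
typedef sleeping_lock_t lock_t;
#define acquire_lock(l) __sleep_lock(l)
#define release_lock(l) __sleep_unlock(l)
#else
typedef raw_spinlock_t lock_t;
#define acquire_lock(l) __raw_lock(l)
#define release_lock(l) __raw_unlock(l)
#endif

static raw_spinlock_t raw;        /* zero-initialised, i.e. unlocked */
static sleeping_lock_t sleeping;
static lock_t configured;

/* Each returns the KIND_* of the implementation the macro resolved to. */
int exercise_raw(void)
{
    int k = spin_lock(&raw);
    spin_unlock(&raw);
    return k;
}
int exercise_sleeping(void)
{
    int k = spin_lock(&sleeping);
    spin_unlock(&sleeping);
    return k;
}
int exercise_configured(void)
{
    int k = acquire_lock(&configured);
    release_lock(&configured);
    return k;
}

int main(void)
{
    printf("spin_lock(&raw)      -> %s\n", exercise_raw() == KIND_RAW ? "spins" : "sleeps");
    printf("spin_lock(&sleeping) -> %s\n", exercise_sleeping() == KIND_RAW ? "spins" : "sleeps");
    printf("acquire_lock(lock_t) -> %s\n", exercise_configured() == KIND_RAW ? "spins" : "sleeps");
    return 0;
}
```

The cost the article describes is visible here: with approach 1 nothing at the call sites changes, but every spin_lock() expands to a compile-time type switch; with approach 2 the macro is trivial, but every declaration and call site that should sleep on -rt has to be renamed to lock_t and acquire_lock().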
This change gets rid of the tricky macros, but at the cost of changing the declarations of and operations on almost all spinlocks in the kernel. That is a lot of code changes: a quick grep turns up over 20,000 spin_lock*() calls in the upcoming 2.6.28 kernel. That will make for some pain if and when this change is merged. But in the meantime, it can only make for a lot of pain for the people who have to maintain this patch out of tree. To make their lives a little easier, the realtime developers have created a couple of scripts to do the bulk of the work. First, all spinlocks in a pristine kernel are converted to lock_t, then the few locks which truly must be spinlocks are switched back. This work is kept in a separate branch which is regenerated when needed; in this way, the realtime developers avoid the need to do nasty merges to keep up with current kernels.
Your editor has heard talk of another locking change which does not, yet, appear in this tree. One problem with the realtime patch set is that it requires distributors to create yet another kernel build - something they hate doing - if they want to support realtime operation. In an effort to make life easier for distributors, the realtime developers are working on a scheme whereby a kernel would determine at run time whether it should be running in a realtime mode. If so, spinlocks will be changed to sleeping locks by patching the kernel binary as it boots. Kernels built this way will be able to run efficiently in either mode.
The branches of the realtime tree provide a quick guide to the other parts of the realtime work which remain outside of the mainline. The threaded interrupt handler code is one example; that change could be proposed (again) for merging in the near future. The priority workqueue mechanism sits in another branch, as do patches aimed at Java support, filesystem changes, memory management changes, and more. Then, there's a branch for stuff which will never be merged; for example, there is this patch which gives Java programs direct access to physical memory - not something which strikes most kernel developers as a good idea. All told, there is a great deal of work sitting in the realtime patch set; this work is finally being organized into a proper git tree.
The "upstream first" policy says that vendors should merge their code upstream before shipping it to customers. The 2.6.x development model is built on the idea that no change is too fundamental to be accepted into a regular, 3-month development cycle. The realtime patches would appear to be an exception to both rules. It has taken over four years to get to a point where some of the fundamental realtime technologies are close to ready for the mainline, but distributors have been shipping it for at least three of those years. It has, in other words, been one of the biggest forks of the Linux kernel, ever. The plan has always been to join this fork back with the mainline, though; perhaps, finally, that goal is getting closer. With luck, it will happen within about a year.
Tracking down a "runaway loop"
The Linux boot process, at least as provided by distributions, depends on help from user space, with drivers being loaded as required from the initial filesystem (initramfs/initrd). Loading drivers requires using tools built into initramfs and if those tools break, the kernel won't boot. But when a working kernel configuration and initramfs are used with a new kernel, the result is expected to be a kernel that successfully boots. When that doesn't happen, bugs are filed regarding kernel regressions but, as a recent example shows, the actual problem may be elsewhere.
The original report was made in late October, but no progress was made until Evgeniy Polyakov saw it again in early December. The symptom was a kernel that hangs after printing:
request_module: runaway loop modprobe char-major-5-1
four times on the console. Since nothing in the user space (initramfs) or kernel configuration had changed, it seemed to clearly point to something in the kernel itself.
It turns out that the "runaway loop" message is meant to indicate that the request_module() function has been invoked recursively. So in an effort to load the driver for the character device with major/minor numbers 5/1—which corresponds to /dev/console—request_module() was invoked again. The code in kernel/kmod.c:
if (atomic_read(&kmod_concurrent) > max_modprobes) {
/* We may be blaming an innocent here, but unlikely */
if (kmod_loop_msg++ < 5)
printk(KERN_ERR
"request_module: runaway loop modprobe %s\n",
module_name);
atomic_dec(&kmod_concurrent);
return -ENOMEM;
}
only allows that message to be printed five times (the reporter saw four), but the invoker should recognize the ENOMEM and handle it appropriately.
The root cause was that something in the kernel was trying to access /dev/console before that device was registered in the kernel. This led the kernel to try to load a module to handle /dev/console, which will fail. Because of the failure, something in the user space modprobe then tries to access /dev/console, presumably to output an error message, which repeats the kernel module loading process. And so on. After that recurses enough to exceed the max_modprobes limit, request_module() will produce the runaway loop message and return ENOMEM, which should put a stop to the whole process.
In an acrimonious thread—and kernel bug report—Alan Cox, Kay Sievers, and Polyakov tried to determine where the problem came from and what to do about it. It didn't help matters that they were using different distributions' initramfs, so that they saw different behavior. Polyakov and Sievers were using Debian user space while Cox was using Fedora. Something in the Debian version was continuing to try to open /dev/console even after getting ENOMEM. This leads to an infinite loop, thus a kernel hang.
Sievers eventually tracked it to the kernel cryptographic API:
This modprobe process does try to log an error, accesses /dev/console, which is not initialized in the kernel at that time, and the kernel module loader tries the load a module to support dev_t 5:1, which again runs modprobe, and ...
Setting CONFIG_CRYPTO_MANAGER=y makes it disappear.
It turns out that the crypto layer attempts to load the cryptomgr module as part of its algorithm testing infrastructure. If cryptomgr fails to load, the algorithm registration code can continue without it. It is optional, but modprobe wants to put out a message when it fails to load it, which leads to the runaway loop. As Herbert Xu points out, though, the problem is not crypto-specific at all:
It is this potential pitfall that Sievers and Polyakov would like to see removed. In general, user-space programs are not required to be concerned with the availability of /dev/console—except when they are run from early kernel initialization. But Cox points out that user-space helpers must concern themselves with avoiding loops because there are multiple possible ways to cause that to happen. As an example, he notes that if UNIX-domain sockets (AF_UNIX) are in a module and syslog() is called before the module is loaded, a similar loop will occur.
In an effort to "step back" from the arguments that were going back and forth, Ted Ts'o offers his analysis of the problem along with a suggested course of action:
[...] So I would think the best thing to do is to figure out what Debian's initrd is doing that is evading the recursion detection. Fixing that is going to make things much more robust.
Clearly the recursion detector is working to some extent, or the runaway loop messages would not be seen, but on Debian, at least, that detection doesn't stop the problem. Ts'o's theory is that something outside of the directly invoked helper is actually the culprit: "I'm guessing why it isn't working given Debian's initrd setup is that whatever is ultimately opening /dev/console isn't being called until after the helper script has exited." That seems worth tracking down as Ts'o points out in a later message:
The exact cause of the problem and why Debian and Fedora behave differently is still not known. Digging into Debian's initrd to figure that out, as Ts'o suggests, is clearly the right starting point. That answer will likely lead to sensible fixes, either in user space or the kernel—possibly both. Bickering about where and how to fix the problem before it is fully understood seems counter-productive at best.
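As an added simulation, not kernel or distribution code, the following program models the guard in the kernel/kmod.c excerpt above and the two behaviours discussed in the thread. With a helper that logs (and so re-opens /dev/console) before it exits, every re-entry is nested inside the previous one, kmod_concurrent climbs, and the detector returns -ENOMEM once max_modprobes helpers are outstanding. With the console opened only after the helper has exited, as Ts'o suggests happens with Debian's initrd, each re-entry starts from a counter of zero and nothing ever trips the detector. The helper behaviour, the fixed max_modprobes of 50 (the kernel derives it from max_threads), the single-threaded plain-int counter (the kernel uses an atomic and separate helper processes) and the DEMO_CAP safety net that stands in for the real hang are all assumptions of the model.

```c
/* Added simulation (not kernel code) of the request_module() recursion
 * guard and of the case that evades it.  Single-threaded model. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODPROBES 50     /* kernel: min(max_threads/2, 50); fixed here */
#define DEMO_CAP      1000   /* demo-only bound; the real kernel just hangs */

struct result {
    int modprobe_runs;   /* how many times the helper was spawned */
    int runaway_msgs;    /* "runaway loop" lines that would have been printed */
    int top_ret;         /* what the original request_module() caller saw */
};

static int kmod_concurrent, kmod_loop_msg;
static struct result r;
static int console_registered;  /* 0: no driver bound to char 5:1 yet */
static int log_while_nested;    /* 1: helper opens /dev/console before exiting */
static int pending_late_log;    /* 1: the logging happens after the helper exits */

static int request_module(const char *name);

/* open("/dev/console") with nothing bound to 5:1 makes the kernel ask for
 * the "char-major-5-1" module, i.e. re-enter request_module(). */
static int open_dev_console(void)
{
    if (console_registered)
        return 0;
    return request_module("char-major-5-1");
}

/* The user-space helper.  Neither cryptomgr nor a char-major-5-1 alias is in
 * this modelled initramfs, so modprobe fails and wants to report that. */
static int run_modprobe(const char *name)
{
    (void)name;
    if (++r.modprobe_runs > DEMO_CAP)
        return -ELOOP;          /* model only: stop instead of hanging */
    if (log_while_nested)
        open_dev_console();     /* re-enters the kernel while still counted */
    else
        pending_late_log = 1;   /* something else logs once we have exited */
    return -ENOENT;
}

/* Mirrors the kernel/kmod.c check quoted in the article. */
static int request_module(const char *name)
{
    int ret;

    kmod_concurrent++;
    if (kmod_concurrent > MAX_MODPROBES) {
        if (kmod_loop_msg++ < 5)
            r.runaway_msgs++;   /* printk("request_module: runaway loop ...") */
        kmod_concurrent--;
        return -ENOMEM;
    }
    ret = run_modprobe(name);
    kmod_concurrent--;          /* helper gone: no longer "concurrent" */

    if (pending_late_log) {     /* Ts'o's theory: the console open arrives now, */
        pending_late_log = 0;   /* counted from zero, so the guard never fires */
        open_dev_console();
    }
    return ret;
}

/* nested = 1: helper logs (opens /dev/console) before it exits.
 * nested = 0: the console is opened only after the helper has exited. */
struct result simulate(int nested)
{
    memset(&r, 0, sizeof r);
    kmod_concurrent = kmod_loop_msg = pending_late_log = 0;
    console_registered = 0;
    log_while_nested = nested;
    r.top_ret = request_module("cryptomgr");   /* what the crypto layer asks for */
    return r;
}

int main(void)
{
    struct result a = simulate(1), b = simulate(0);
    printf("nested logging: %d modprobes, %d runaway msg(s), caller got %d\n",
           a.modprobe_runs, a.runaway_msgs, a.top_ret);
    printf("late logging:   %d modprobes, %d runaway msg(s), caller got %d\n",
           b.modprobe_runs, b.runaway_msgs, b.top_ret);
    return 0;
}
```

In the nested case the guard fires after exactly MAX_MODPROBES helpers and the original caller gets a plain -ENOENT, which is the recoverable failure the crypto layer expects. In the late-logging case the helper count climbs until the demo's cap, with no runaway message at all, because kmod_concurrent only measures helpers that are still running.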
Dueling performance monitors
Low-level optimization of performance-critical code can be a challenging task. At this point, one assumes, the potential for algorithmic improvements in the targeted code has been realized; what is left is trying to locate and address problems like cache misses, mis-predicted branches, and so on. Such problems can be impossible to find by just looking at the code; one needs support from the hardware. The good news is that contemporary hardware provides that support; most processors can collect a wide range of performance data for analysis. The bad news is that, despite the fact that processors have been able to collect that data for many years, there has never been support for this kind of performance monitoring in the mainline kernel. That situation may be about to change, but, first, the development community will have to make a choice between a venerable out-of-tree implementation and an unexpected competitor.
The "perfmon" patch set has been under development for some years, but, for a number of reasons, it has never found its way into the mainline kernel. The most recent version of the patch was posted for review by Stéphane Eranian in late November. The perfmon patches show the signs of all those years of development work and usage experience; they offer a wide set of features and extensive user-space support. The full perfmon patch adds twelve system calls to the kernel; the posted version, though, trims that count back to five in the hope that a narrower interface will have a better chance of getting into the mainline. The additional system calls, one assumes, will be proposed for inclusion sometime after the perfmon core is merged. The reduced interface is described in the patch set; briefly, an application hooks into the performance monitoring subsystem with a call to:
int pfm_create(int flags, pfarg_sinfo_t *regs);
This system call returns a file descriptor to identify the performance monitoring session. The regs parameter is used to return a list of performance monitoring registers available on the current system; flags is currently unused.
Specific performance counter registers can be manipulated with:
int pfm_write(int fd, int flags, int type, void *d, size_t sz);
int pfm_read(int fd, int flags, int type, void *d, size_t sz);
These system calls can be used to write values into registers (thus programming the performance monitoring hardware) and to read counter and configuration information from those registers.
Actually doing some performance monitoring requires a couple more calls:
int pfm_attach(int fd, int flags, int target);
int pfm_set_state(int fd, int flags, int state);
A call to pfm_attach() specifies which process is to be monitored; pfm_set_state() then turns monitoring on and off.
There are a couple of distinctive aspects to the perfmon interface. One is that it knows almost nothing about the specific performance monitoring registers; that information, instead, is expected to live in user space. As a result, the bare perfmon system call interface is probably not something that most monitoring applications would use; instead, those system calls are hidden behind a user-space library which knows how to program different types of processors for the desired results. Beyond that, perfmon uses the ptrace() mechanism to stop the monitored process while performance counters are being queried; as a result, the monitoring process must have the right to trace the target process.
On December 4, Thomas Gleixner and Ingo Molnar posted a surprise announcement of a new performance counter subsystem. The announcement states:
This is not the first time that these developers have shown up with an out-of-the-blue reimplementation of somebody else's subsystem; other examples include the CFS scheduler, high-resolution timers, dynamic tick, and realtime preemption. Most of the time, the new code quickly supplants the older version - an occurrence which is not always pleasing to the original developers - but the situation does not seem quite as straightforward this time.
The proposed interface is much simpler, adding a single system call:
int perf_counter_open(u32 hw_event_type, u32 hw_event_period,
u32 record_type, pid_t pid, int cpu);
This call will return a file descriptor corresponding to a single hardware counter. A call to read() will then return the current value of the counter. The hw_event_period can be used to block reads until the counter overflows the given value, allowing, for example, events to be queried in batches of 1000. The pid parameter can be used to target a specific process, and cpu can restrict monitoring to a specific processor.
There are a few advantages claimed for the new implementation. The simplicity of the system call interface is one of those; it is possible to write a very simple application to perform monitoring tasks, with no additional libraries required. The second version of the patch includes a simple "kerneltop" utility which can display a constantly-updated profile of anything the performance counting hardware can monitor. Another advantage is the avoidance of ptrace(); this reduces the amount of privilege needed by the monitoring process and avoids perturbing the monitored process by stopping and restarting it. The management of counters is said to be more flexible, with facilities for sharing counters between processes and reserving them for administrative access. The low-level hardware interface is said to be simpler as well.
Those claimed advantages notwithstanding, a number of complaints have been raised with regard to the new performance monitoring code. Two of those seem to be at the top of the list: the single counter per file descriptor API, and programming the hardware performance monitoring unit inside the kernel. On the API side, the biggest concern is that putting each counter behind its own file descriptor makes it very hard to correlate two or more counters. Reading two counters requires two independent read() system calls; as is always the case, just about anything could happen between those two calls. So it's hard to tell how two different counter values relate to each other. But that sort of correlation is exactly what developers doing performance optimization want to do. Paul Mackerras says:
In response, Ingo argues that the loss of precision caused by independent read() calls is small - much smaller than the muddying of the results caused by stopping the target process so that all of the counters can be read at the same time. That argument does not appear to have convinced the detractors, though.
The other complaint is that moving the counter programming task into the kernel requires that the kernel know about the complexities of every possible performance monitoring unit it may encounter. This hardware sits at the core of the most performance-critical CPU subsystems, so its design parameters value non-interference above features or a straightforward programming interface. So programming it can be a complex business, involving sizeable tables describing how various operations interact with each other. The perfmon code keeps those tables in a user-space library, but the alternative implementation won't allow that. Quoting Paul again:
Your API condemns us to adding all that bloat to the kernel, plus the code to use those tables.
Paul (and others) argue that this information - which can add up to hundreds of kilobytes - is better kept in user space.
There also seems to be a bit of concern over the fact that Stéphane had clearly never heard about this work before it was posted for review. It must, indeed, be a shock to work on a subsystem for years, then find a proposed replacement sitting in one's mailbox. As David Miller put it:
So, at this point, what will happen with performance monitoring is unclear at best. Perhaps, though, this discussion will have the effect of raising the profile of performance monitoring, which has been without proper kernel support for many years. The merging of either solution - or, perhaps, a combination of both - seems like it has to be an improvement over having no support at all.
Patches and updates
Kernel trees
Architecture-specific
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Security-related
Virtualization and containers
Benchmarks and bugs
Page editor: Jake Edge
Distributions
News and Editorials
Problems with Fedora 10
LWN has received several emails regarding bugs in Fedora. These are serious bugs that can prevent you from installing new updates, or new packages of any kind. Fedora users may want to be aware of the following and, perhaps, wait until things settle down a bit.
To start things off, bug #475068 was reported for Fedora 9 with x86_64. This bug is present in Fedora 10 and also affects x86 systems. There was a workaround for this bug, for Fedora 10 users, involving using yumdownloader to install an older version of dbus. Unfortunately the older packages won't show up on all mirrors. It is still possible to recover from this bug by manually editing /etc/dbus-1/system.conf and rebooting the system. Fedora 9 users will need this version of PackageKit. For Fedora 10 you'll want this version of PackageKit.
Bug #475069 covers a dbus access problem with bluez. If you are seeing the error message: "Agent registration failed: A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.bluez.Adapter" member "RegisterAgent" error name "(unset)" destination "org.bluez").", this may help. Fedora 9 users will want bluez-utils-3.36-3.fc9. Fedora 10 users should grab bluez-4.22-2.fc10. If you are still running Fedora 8 the proper package to get is bluez-utils-3.35-5.fc8.
Another bug that may be troubling you is bug #469434, in which subnetmask settings are not saved. For some people this has been fixed. That fix did not seem to work for everyone though. The system-config-network-1.5.94-2.fc10 update does seem to work.
If you run into the error "PackageKit failed to get a TID" you will want to see this forum thread which affected several people on December 7, 2008. So far, no fix seems to be forthcoming.
Bugs in PackageKit are especially troubling for some, since you can't install an update using the GUI tools. Your editor completed a fresh install of Fedora 10 last weekend on an aging Thinkpad laptop. After the usual update she could no longer find or update any packages. A manual yum update did not help. It would appear that bug #475656 addresses the error "failed to get a TID: A security policy in place prevents this sender from sending this message to this recipient...". No doubt an SELinux expert could edit the offending policy. The rest of us will have to wait for a fix.
Editor's note: as noted in the comment below, this is a DBus security problem and has nothing to do with SELinux. This last bug was reported December 9, and by December 10 a fix was already being tested.
New Releases
Omega 10 Preview Release
Omega is a Fedora remix suitable for desktop and laptop users. It is an installable Live CD for regular PC (i686 architecture) systems. It has all the features of Fedora 10 and a number of additional multimedia players and codecs by default. You can play any multimedia content (including MP3) or commercial DVDs out of the box. The preview release is available for download.
Ubuntu 8.10 Intrepid Optimized for XO Laptop
Ubuntu 8.10 (Intrepid Ibex) has been optimized for the XO laptop. This version uses the kernel from OLPC release 8.2.0. USB boot fix in ramdisk is the only change that was applied to OLPC-distributed files. There are many other optimizations to make Ubuntu work on this OLPC laptop.
Distribution News
Debian GNU/Linux
New ftpteam member
Debian has a new FTP team member, Frank Lichtenheld. That should help with that particular bottleneck. "Ok, now, stop hating us and go on, fix RC bugs and help Lenny please. :)"
Fedora
Fedora 11 release schedule set
The Fedora project has approved the Fedora 11 release schedule. It appears that the proposal to lengthen this development cycle was adopted in the end; Fedora 11 is currently scheduled for release on May 26, 2009. Work has begun on the proposed feature list, but that list can be expected to grow considerably over the next month or two.
Unofficial Fedora FAQ Updated for Fedora 10!
The Unofficial Fedora FAQ has been updated for Fedora 10. There are lots of new changes and additions. "With the combination of Fedora 10 and the new RPMFusion repository, there doesn't need to be a special fedorafaq.org yum configuration anymore! There are still instructions in the FAQ on how to configure yum to access rpmfusion, though."
Fedora Board appointment and voting information
Elections are underway for several seats in the Fedora Advisory Board, Fedora Ambassadors and the Fedora Engineering Steering Committee. The closing date for voting is December 20, 2008. "The two appointed seats on the Board are nominated by Red Hat and chosen by the FPL. One appointment is held back until after the elections so that the Board's composition can be balanced as needed. The balance of the appointments are announced before elections." Chris Aillon will return to the Board as an appointee. See this post for more voting information.
Gentoo Linux
Gentoo 2008 open seat election
Gentoo had an open seat on the council. Tiziano Müller (dev-zero) was chosen to join the current Gentoo Council for term 2008/2009.
SUSE Linux and openSUSE
openSUSE 11.1 status
It is now possible to pre-order the openSUSE 11.1 release, currently scheduled for December 18. But interested parties may also want to look at this status report posted to the mailing list. "The status of 11.1 is pretty short: it's cursed." It seems that the release managers have been running into some difficulties and will be scrambling to make that release date.
Wanted: Participants for usability tests of SUSE Studio
If you are in the Nuremberg (Nürnberg) area and interested in testing SUSE Studio click below for more information.
New Distributions
Ubuntu Privacy Remix
Ubuntu Privacy Remix (UPR) is a modified live CD based on Ubuntu 8.04 LTS. UPR is not designed for installation on a hard drive; instead it provides an environment where private data can be dealt with safely and securely. "The risk of theft of such private data arises not only from "conventional" criminals, trojans, rootkits, keyloggers etc. In many countries, measures are taken or being prepared aiming at spying and monitoring its citizens. Ubuntu Privacy Remix is a tool to protect your data against unsolicited access." UPR 8.04 r1 was released December 4, 2008. This is the first stable version and features a new kernel, minor bugfixes and the DTP program Scribus.
Distribution Newsletters
DistroWatch Weekly, Issue 281
The DistroWatch Weekly for December 8, 2008 is out. "This week's feature story takes a first look at VectorLinux 6.0 beta 2. Following up on last week's feature story about the impact of the global financial crisis on Linux distributions, Mandriva CEO Hervé Yahi responds to the community regarding the recent dismissals at the Paris-based distribution while Novell posts mixed sales results for SUSE Linux. In other news, Phoronix publishes the results of benchmark tests comparing the performance of the newly released OpenSolaris 2008.11 with the previous version, 2008.05, Ars Technica names Foresight Linux and openSUSE as its distributions of the year, and DragonFly BSD gets a closer look. Finally, we get progress updates on Linux Mint 6 and a preview release of Fedora-based Omega 10 Desktop."
Misc. Debian developer news (#11)
This issue of the Developer News includes CD/DVD images for Lenny, License AGPL v3.0 is suitable for main, Building CD/DVD images made easier, Mono 2.0 transition in progress, SOAP interface to the PTS, Tracking GCC 4.4 related build errors, and Mirror of git repositories on Alioth.
Fedora Weekly News #155
The Fedora Weekly News for December 7, 2008 is out. "FWN is pleased to announce the return of the Planet Fedora beat. Among other items Adam Batkin lists some "Howtos and Tips" gleaned from blogs. In Announcements the "Fedora 11" naming scheme is discussed. In Developments "The PATH to CAPP" exposes disquiet with some security infrastructure. Translation provides updates on the cancellation of FLSCo elections. Artwork is again bursting at the seams with a "T-Shirt Logo Design Tool" and "Improved Document Templates". SecurityAdvisories lists this week's essential updates. Finally Virtualization continues to race the shocking pace of developments including the "Release of libvirt 0.5.0 and 0.5.1" There's plenty more a mere mouse click away!"
Gentoo Monthly Newsletter
The November edition of the Gentoo Monthly Newsletter is out, with the latest Gentoo news.
openSUSE Weekly News, Issue 49
This issue of the openSUSE Weekly News covers: Andreas Jaeger: openSUSE 11.1 Goes RC2, Joe Brockmeier: Mounting remote directories using FUSE and sshfs on openSUSE, Henne Vogelsang: What's Working Well and What To Do With It, RedDwarf: Check your multimedia problem in ten steps, arstechnica.com: Distro(s) of the Year: OpenSUSE and Foresight, and several other topics. Click below for links to several translations.
Ubuntu Weekly Newsletter #120
The Ubuntu Weekly Newsletter for December 6, 2008 covers: Ubuntu Free Culture Showcase, Jono Bacon on UDS, MOTU, Tamil Team - Intrepid introduced at Udhagamandalam, Ubuntu Zimbabwe, Launchpod #13, Meet Henning Eggers, Launchpad hiring bug tracker, Ubuntu Podcast #14, Vibuntu 1.0, Lazy Linux: 10 essential tricks for admins., Ilumina TV runs on Ubuntu, George Wright responds to backstage questions(Video), and much more.
Distribution reviews
Protecting networks with SmoothWall Express (Linux.com)
Linux.com reviews Smoothwall Express. "SmoothWall Express 3.0, from August 2007, is an open source firewall distribution released under the GNU General Public License (GPL). It provides all the features commonly found in a modern system, but also a few that you might not expect. Stateful inspection, dynamic and static NAT, egress controls, demilitarized zone (DMZ) segmentation, and a Dynamic Host Configuration Protocol (DHCP) server are de rigueur in today's world. However, this package adds a selection of proxy servers for the Web (content filtering is available in the commercial editions), POP3 mail, Session Initiation Protocol (SIP), Domain Name System (DNS), and instant messaging. You can configure the proxies to further protect networks with antivirus scanning and forensic logging, and Snort intrusion-detection software is built in for logging suspicious events. However, real-time alerting via email or SMS text messages is not available on the Express version. SmoothWall also features a simple quality of service (QoS) management that business and home users alike should find valuable."
Page editor: Rebecca Sobol
Development
Create and Manage Gantt Charts with GanttProject
GanttProject is an open-source cross-platform Java application that can be used to generate Gantt charts for the management of projects. Different components of GanttProject have been released under the GPL and Apache licenses. The project is described:
The learn about document explains more of the project's features and some screen shots show some examples of what an older version of GanttProject looks like. Version 2.0.8 of GanttProject was recently announced:
Installation of GanttProject 2.0.8 on an Ubuntu 8.04 system was fairly straightforward. The software was downloaded and unzipped, and the prerequisite Sun Java Runtime Environment was downloaded and installed. Once the ganttproject.sh startup file was made executable and run, the application started up as expected.
GanttProject is easy to figure out. There are top-level tabs for creating charts and resources (people). Tasks can be added, assigned date ranges and a variety of other attributes. Tasks can be tied to predecessor tasks and assigned to people. It only took a few minutes of poking around the software to create a new project, produce a simple Gantt chart and output a PostScript file suitable for printing.
GanttProject is not alone in its ability to generate Gantt charts under Linux. Planner is a project management tool for the GNOME desktop environment and TaskJuggler is yet another project management tool. Both of these applications have a broader project management scope. If your needs only require generating Gantt charts, GanttProject is a straightforward application that can be used to easily produce professional looking results.
System Applications
Database Software
MySQL 6.0.8 Alpha has been released
Version 6.0.8 Alpha of the MySQL DBMS has been announced. "MySQL 6.0 includes two new storage engines: the transactional Falcon engine, and the crash-safe Maria engine."
PostgreSQL Weekly News
The December 7, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
SQLObject 0.9.9 announced
Version 0.9.9 of SQLObject, an object-relational mapper, has been announced. "I'm pleased to announce version 0.9.10, a minor bugfix release of 0.9 branch of SQLObject."
SQLObject 0.10.4 announced
Version 0.10.4 of SQLObject, an object-relational mapper, has been announced. "I'm pleased to announce version 0.10.4, a minor bugfix release of 0.10 branch of SQLObject."
Talk: Josh Berkus on MySQL and PostgreSQL
Fossbazaar has posted slides and audio (MP3) from a talk by Josh Berkus comparing MySQL and PostgreSQL. Josh, of course, is a PostgreSQL hacker, and that shows through, but it seems like a good talk regardless.
Interoperability
Samba 3.3.0rc1 is available
Version 3.3.0rc1 of Samba has been announced. "This is the first release candidate of Samba 3.3.0. This is *not* intended for production environments and is designed for testing purposes only."
Security
Nebula: 0.2.3 released (SourceForge)
Version 0.2.3 of Nebula has been announced. "Nebula automatically generates intrusion signatures from attack traces. It runs as a daemon accepting attack submissions from honeypots. This release of the nebula intrusion signature generator introduces several bugfixes and improvements."
Miscellaneous
Octopussy Perl/XML Logs: 0.9.8.8 released (SourceForge)
Version 0.9.8.8 of Octopussy has been announced. "Logs Analyzer, Alerter & Reporter with a Web Interface * Major bugfix on octo_dispatcher ! (Bug ID: 2343806) * Bugfix the apache2 restart bug (Bug ID: 2304276) * You can now limit the number of minutes to search for restricted users * Minor WebUI improvements".
Desktop Applications
Audio Applications
Amarok 2.0 released
Version 2.0 of the Amarok music manager has been released. "We thought about how to best design a program that would allow us to stay at the cutting edge of digital music management. We also sought to distinguish Amarok in an increasingly saturated market of music players. To achieve this we took the best ideas from the 1.x series, and brainstormed what else we could do to help our users 'rediscover music'. And then we started developing." There are a lot of new features and a completely redesigned user interface; see the announcement for details and screenshots.
Ardour 2.7.1 released
Version 2.7.1 of Ardour, a multi-track audio editor, has been announced. "It's been a busy two weeks since 2.7 was released. Not only has there finally been a working new release of JACK, but Ardour has also seen several major bug fixes, a useful collection of new features, and many smaller fixes that correct annoying behaviour."
JACK 0.116.1 + D-Bus announced
Version 0.116.1 of the JACK Audio Connection Kit patched with D-Bus support has been announced. "D-Bus modifications add optional autodetected support for the D-Bus based server control system. D-Bus is an object model that provides an IPC mechanism. D-Bus supports autoactivation of objects, thus making it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed."
QjackCtl 0.3.4 released
Version 0.3.4 of QjackCtl, a GUI control panel for the JACK Audio Connection Kit, has been announced. "At last, after years of retarded procrastination, the old infamous patchbay snapshot feature has been the subject of an almost complete rewrite and it does try to give a way better mapping of all actual and current running client/port connections, both JACK (audio, MIDI) and ALSA MIDI, of course ;)..."
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Chronojump 0.8 (new features, bug fixes and translation work)
- GNOME Scan 0.6.1 (new feature and bug fixes)
- gtk-engines 2.17.2 (bug fixes)
- Sysprof Linux Profiler 1.0.12 (bug fix)
- Task Coach 0.71.4 (new feature and bug fixes)
KDE Software Announcements
The following new KDE software has been announced this week:
- eric4 4.2.4 (bug fixes)
- eric4 4.2.4a (bug fixes)
- Firewall Builder 3.0.3 (new features and bug fixes)
- FlashQard 0.9.1 (unspecified)
- FlashQard 0.10.0 (new features, bug fixes and translation work)
- Fresh Memory 0.4-beta (unspecified)
- kopcat 0.1 (initial release)
- KsirK 4.1.82 (new features and bug fixes)
- Kvkbd 0.6 (KDE 4 release)
- luckyBackup 0.1.2 (unspecified)
- Minimum Profit 5.1.1 (unspecified)
- NoteFinder 0.4 (new features)
- sMovieDB beta0.20 (new feature)
- sMovieDB beta0.20-5 (bug fix)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- xf86-input-synaptics 0.99.2 (bug fixes)
- xorg-server 1.5.99.3 (new features and bug fixes)
Educational Software
TCExam: 7.0.007 was released (SourceForge)
Version 7.0.007 of TCExam has been announced. "TCExam is a CBA (Computer-Based Assessment) system (e-exam, CBT - Computer Based Testing) for universities, schools and companies, that enables educators and trainers to author, schedule, deliver, and report on surveys, quizzes, tests and exams."
Games
Ember 0.5.5 released (WorldForge)
The WorldForge game project has announced the availability of Ember 0.5.5. "Ember is a 3d client for the WorldForge project. It uses the Ogre 3d graphics library for presentation and CEGUI for its GUI system. This release introduces a new combined minimap and compass widget, many improvements to the entity creator and an upgrade to the cutting edge Ogre 1.6 3d library."
Interoperability
Wine 1.1.10 announced
Version 1.1.10 of Wine has been announced. "What's new in this release (see below for details): - Support for virtual memory write watches. - Workarounds for the WINAPI compiler bug on Mac OS. - Several fixes for the 64-bit build. - Some more GdiPlus functions. - Various bug fixes."
Mail Clients
SquirrelMail 1.4.17 released
Version 1.4.17 of SquirrelMail, a standards-based webmail package written in PHP, has been announced. "The SquirrelMail team is happy to announce the release of version 1.4.17. The most notable change is a security fix that prevents certain specially-crafted hyperlinks within messages from executing cross-site scripting attacks. For other details, see the ReleaseNotes file included in this release. We advise all users of SquirrelMail software to upgrade."
Multimedia
Elisa Media Center 0.5.21 released
Version 0.5.21 of Elisa Media Center has been announced. "New features include: - A new mechanism to update the media database so as to reflect gstreamer's improvements at media detection and typefinding - Ability to publish unstable plugins in the plugin repository and offer them for testing to advanced users As usual, a bunch of bugs were fixed".
GPAC: 0.4.5 is out (SourceForge)
Version 0.4.5 of GPAC has been announced. "Multimedia Framework for MPEG-4, VRML, X3D, SVG, LASeR ... New version of GPAC is out with many improvements and fixes - try it out!"
Music Applications
Strasheela 0.9.8 released
Version 0.9.8 of Strasheela has been announced, it features bug fixes and an improved tutorial. "Strasheela is a highly expressive constraint-based music composition system. Users declaratively state a music theory and the computer generates music which complies with this theory. A theory is formulated as a constraint satisfaction problem (CSP) by a set of rules (constraints) applied to a music representation in which some aspects are expressed by variables (unknowns)."
Office Suites
Group-Office groupware: 3.0 released (SourceForge)
Version 3.0 of Group-Office has been announced. "Take your office online with Group-Office groupware. Share projects, calendars, files and e-mail online with co-workers and clients. Easy to use and fully customizable, Group-Office takes online collaboration to the next level. After more than one and a half years of development time and testing it's finally there! We are proud to present Group-Office 3.0. Group-Office needed to be modernised. New web techniques have been developed and are ready to use in a professional platform such as Group-Office. We completely rewrote the interface of Group-Office. It feels much more like a desktop application now with drag and drop features, flexible information panels and much more!"
Web Browsers
Firefox 3.1 Beta 2 is now available
Version 3.1 Beta 2 of the Firefox web browser has been announced. "Firefox 3.1 Beta 2 is now available for download. This milestone is focused on testing the core functionality provided by many new features and changes to the platform scheduled for Firefox 3.1." See the MozillaZine announcement for more information.
Languages and Tools
C
GCC 4.4.0 Status Report
The November 27, 2008 edition of the GCC 4.4.0 Status Report has been published. "The trunk remains Stage 4, so only fixes for regressions (and changes to documentation) are allowed. As stated previously, the GCC 4.4 branch will be created when there are no open P1s and the total number of P1, P2, and P3 regressions is under 100. We're close -- there are 5 P1s, and 105 total regressions."
Caml
Caml Weekly News
The December 9, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.
Java
Project Jigsaw (Mark Reinhold's Blog)
Java developer Mark Reinhold blogs about the idea of modularizing the JDK and other Java components. "The JDK is big, and hence it ought to be modularized. Doing so would enable significant improvements to the key performance metrics of download size, startup time, and memory footprint. Java libraries and applications can also benefit from modularization. Truly modular Java components could leverage the performance-improvement techniques applicable to the JDK and also be easy to publish in the form of familiar native packages for many operating systems. Finally, in order to realize the full potential of a modularized JDK and of modularized applications the Java Platform itself should also be modularized." (Thanks to Nicolas Mailhot).
JSP
ZK: 3.5.2 released (SourceForge)
Version 3.5.2 of ZK has been announced. "ZK is Ajax Java framework without JavaScript. With direct RIA, 200+ Ajax components and markup languages, developing Ajax/RIA as simple as desktop apps and HTML/XUL pages. Support JSF/JSP/JavaEE/Hibernate/.., and Ajax script in Java/Ruby/Groovy/Python/.. Over 10 new features and 36 bugs fixed. It enables better integration between MVC pattern and data-binding, template page supported. Moreover, ZK Demo is much enhanced, more test cases, easier way of searching, and usability."
Perl
Perl 5.8.9 RC2 released (use Perl)
Version 5.8.9 RC2 of Perl has been announced. "This is a maintenance release for perl 5.8.x, providing bug fixes and integrating module updates from CPAN."
PHP
PHP 5.2.8 released
Version 5.2.8 of PHP has been announced. "The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini."
Python
Python 3.0 released
Python 3.0 is out. "Python 3.0 (a.k.a. 'Python 3000' or 'Py3k') represents a major milestone in Python's history, and was nearly three years in the making. This is a new version of the language that is incompatible with the 2.x line of releases, while remaining true to BDFL Guido van Rossum's vision." See Guido's what's new in 3.0 document for an overview of the major changes.
Let's talk about Python 3.0
For those who are questioning the value of Python 3.0: James Bennett has posted an interesting discussion on why it is worthwhile. "It's rare that any large/established software project manages to overcome this inertia and actually take stock, figure out whether 'the way we've always done it' is still a good way to do it, and then make changes in response. This week Python 3.0 was released, and it represents one of those rare instances: Python 3.0 was designed to clear up a lot of now-inertial legacy issues with the Python language and figure out good ways to do things now instead of unquestioningly sticking with what seemed like good ways (or, more often, the least painful ways) to do things five or ten years ago."
Python 2.6.1 released
Version 2.6.1 of Python has been announced. "Hot on the heels of Python 3.0 comes the Python 2.6.1 bug-fix release. This is the latest production-ready version in the Python 2.6 family. Dozens of issues have been fixed since Python 2.6 final was released in October."
Python-URL! - weekly Python news and links
The December 8, 2008 edition of the Python-URL! is online with a new collection of Python article links.
PyBindGen 0.10 released
Version 0.10 of PyBindGen has been announced, it adds new capabilities and bug fixes. "PyBindGen is a Python module that is geared to generating C/C++ code that binds a C/C++ library for Python. It does so without extensive use of either C++ templates or C pre-processor macros. It has modular handling of C/C++ types, and can be easily extended with Python plugins. The generated code is almost as clean as what a human programmer would write."
Shed Skin 0.0.30 announced
Version 0.0.30 of Shed Skin has been announced. "I have just released version 0.0.30 of Shed Skin, an experimental (restricted) Python-to-C++ compiler. Most importantly, this release adds (efficient) support for user-defined classes in generated extension modules, which should make it much easier to integrate compiled code within larger projects. More specifically, compiled classes can now be instantiated on the CPython side, and instances can be passed freely between CPython and Shed Skin without any conversion taking place."
Test Suites
STAF: V3.3.2 and STAX V3.3.5 are now available (SourceForge)
New versions of STAF and STAX have been announced. "The Software Testing Automation Framework (STAF) is a framework designed to improve the level of reuse and automation in test cases and test environments. The goal of STAF is to provide a complete end-to-end automation solution for testers."
Version Control
Bazaar 1.10 released
Version 1.10 of the Bazaar distributed version control system has been announced. "Bazaar 1.10 has several performance improvements for copying revisions (especially for small updates to large projects). There has also been a significant amount of effort in polishing stacked branches. The commands ``shelve`` and ``unshelve`` have become core commands, with an improved implementation."
GIT 1.6.0.5 released
Version 1.6.0.5 of the GIT distributed version control system has been announced. "Although we are into 1.6.1-rc cycle, we have accumulated enough fixes to warrant a new maintenance release, so here it is."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Villa: The Linux desktop's change problem
Luis Villa has put up a thoughtful post on the difficulties of innovating on the Linux desktop. "Discussion in this bug about the Sugar filesystem is fairly typical of what happens when you try to implement radical change- people used to the old system focus intensely on the transition costs (it doesn't work RIGHT NOW and my old system WORKS RIGHT NOW DAMMIT) and give varying levels of thought (usually little) to the potential upside of the change- maybe tagging and search really have vastly more potential than hierarchies now that our computers have more capabilities than they did in the time of Aristotle. Kudos to the Sugar folks for persisting despite that resistance."
Serious Error in Diebold Voting Software Caused Lost Ballots in California County (Wired)
This Wired article is about Diebold's proprietary vote-counting software, but it is an interesting example of how added visibility into a system can help to find fatal bugs. "Parke Bostrom, one of the Transparency Project volunteers, wrote in a blog post about the issue, 'This means the audit log is not truly a 'log' in the classical computer program sense, but is rather a 're-imagining' of what GEMS would like the audit log to be, based on whatever information GEMS happens to remember at the end of the vote counting process.'" Worth a read. (Via Felten).
Cycles and Simplicities (Linux Journal)
Doc Searls writes about the tendency for companies to become mired in the tracks of their own success. "It's strange to think of Google and Facebook as old, but Dave's right. They are. Search is old. Advertising is old. Online social communities in a big walled garden is old. You can look at it this way: Google fixed Lycos's problem. (And Infoseek's, and Hotbot's, and AltaVista's.) And then it fixed the yellow pages' and classified advertising's problems. And it used the proceeds from both to start fixing many other problems too."
Companies
Novell reports leap in Linux revenues (ZDNet)
ZDNet examines the latest financial report from Novell. "Novell's Linux business grew by 33 percent over the fourth quarter last year, according to the company's latest financial figures. Identity and access management revenues were up 11 percent compared to the same period last year, and systems and resource management revenues climbed 15 percent. The quarterly results, released on Friday, show that just two areas declined. Novell's Workgroup business fell by nine percent, while its services business plunged by 26 percent."
Linux at Work
The "Roboat": Solar and Linux-Powered Sailboat (CleanTechnica.com)
CleanTechnica.com has a quick look at an autonomous solar-powered sailboat that is controlled by Linux. Known as the "Roboat", it won the first World Robotic Sailing Championship. "The boat also features sensors that track position and speed over ground, speed through water, ultrasonic wind speed, and more. When a destination is set, the Roboat's chain-driven motors adjust the mainsail, jib, rudder, and boom."
Legal
A no-fly zone to protect Linux from patent trolls (Legal Pad)
Over at Legal Pad (a Fortune magazine sponsored weblog), Roger Parloff examines plans for Linux Defenders, an initiative aimed at protecting free software from software patents and patent trolls. The initiative, which is going to be announced on December 9, is being led by the Open Invention Network (OIN) and is co-sponsored by the Linux Foundation and Software Freedom Law Center. "Linux Defenders will then also see to it that the publication, duly attributing authorship of the invention to the developer who submitted it, is filed on the IP.com Web site, a database used by the U.S. Patent and Trademark Office and other patent examiners throughout the world when they are trying to determine whether a proposed patent is truly novel, as any patentable invention is supposed to be."
Interviews
Interview with Totem maintainer Bastien Nocera (GnomeDesktop)
GnomeDesktop has the second in its series of interviews about Linux multimedia, this time with Totem developer Bastien Nocera. Totem is the GNOME movie player. "I was already well chuffed years ago when distributions started adopting Totem as their default movie player. Even though I'm happy to see it mentioned next to such a venerable institution as the BBC, its selection really has more to do with Totem's position as the GNOME movie player, and all the work being done on that desktop (and the underlying frameworks) by all the contributors, rather than just being 'another movie player'."
Resources
Storing Files/Directories In Memory With tmpfs
HowtoForge takes a look at storing files in memory instead of on a hard drive. "You probably know that reading from RAM is a lot faster than reading files from the hard drive, and reduces your disk I/O. This article shows how you can store files and directories in memory instead of on the hard drive with the help of tmpfs (a file system for creating memory devices). This is ideal for file caches and other temporary data (such as PHP's session files if you are using session.save_handler = files) because the data is lost when you power down or reboot the system." Two caveats the article's use case invites: tmpfs pages can be swapped out, so "in memory" does not mean "never on disk" unless swap is encrypted or disabled, and a tmpfs mount without a size= cap can grow to the kernel default of half of RAM, so a runaway writer (a flood of session files, say) becomes a memory-exhaustion problem.
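The security-relevant part of a tmpfs setup is the mount options, not the mount itself: a world-writable RAM disk without nosuid, nodev and noexec is a convenient place for an attacker to stage set-uid binaries, device nodes or droppable executables, and one without size= has no ceiling. The following is an added example, not code from the HowtoForge article; it audits /proc/mounts-style lines (the ones here are constructed, not taken from a real host) for tmpfs mounts missing those options or a size cap, and builds a hardened fstab entry for a service-private cache directory such as a PHP session store. The mount points and sizes are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Mount options that stop a writable RAM disk from being used to plant
# set-uid binaries, device nodes or executables that run from it.
HARDENING = ("nosuid", "nodev", "noexec")

# Constructed /proc/mounts-style lines for this example, not from a real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime,size=524288k 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=102400k,mode=755 0 0
tmpfs /var/lib/php/sessions tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,mode=700 0 0
"""


@dataclass
class Finding:
    mountpoint: str
    missing: tuple          # hardening options absent from this mount
    no_size_limit: bool     # no size= option: tmpfs then defaults to half of RAM


def parse_mounts(text):
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        mounts.append((device, mountpoint, fstype, options.split(",")))
    return mounts


def audit_tmpfs(text):
    """Return a Finding for every tmpfs mount lacking a hardening option or a size cap."""
    findings = []
    for _device, mountpoint, fstype, opts in parse_mounts(text):
        if fstype != "tmpfs":
            continue
        missing = tuple(o for o in HARDENING if o not in opts)
        no_size_limit = not any(o.startswith("size=") for o in opts)
        if missing or no_size_limit:
            findings.append(Finding(mountpoint, missing, no_size_limit))
    return findings


# tmpfs accepts size= as bytes with an optional k/m/g suffix or as a percentage of RAM.
_SIZE_RE = re.compile(r"^\d+[kmg%]?$", re.IGNORECASE)


def fstab_line(mountpoint, size, mode="0700"):
    """Build a hardened /etc/fstab entry for a tmpfs cache directory.

    mode defaults to 0700 for a directory owned by one service; a shared
    /tmp-style mount would use 1777 (sticky, world-writable) instead."""
    if not _SIZE_RE.match(size):
        raise ValueError(f"bad tmpfs size {size!r}; use e.g. 64m, 1g or 10%")
    opts = ",".join(HARDENING + (f"size={size}", f"mode={mode}"))
    return f"tmpfs {mountpoint} tmpfs {opts} 0 0"


if __name__ == "__main__":
    for f in audit_tmpfs(SAMPLE_MOUNTS):
        print(f"{f.mountpoint}: missing={','.join(f.missing) or '-'} "
              f"no_size_limit={f.no_size_limit}")
    print(fstab_line("/var/lib/php/sessions", "64m"))
```

On the sample data the audit flags /dev/shm (no noexec, no size cap) and /tmp (no hardening options at all) and leaves /run and the session directory alone. Treat noexec as a judgment call for a shared /tmp: some package installers and build systems expect to execute from it, which is exactly why a separate, tightly scoped tmpfs for application data is easier to lock down than the system-wide one.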
Reviews
Safer than ActiveX: a look at Google's Native Client plugin (ars technica)
Here's a look at Google's Native Client plugin on ars technica. "Native Client provides a sandboxed web-embeddable runtime environment for portable x86 binaries. It also provides a bridge to facilitate communication between JavaScript and Native Client executables. This makes it possible for complex web applications to seamlessly leverage native code for processor-intensive computations." The code is BSD-licensed and available from the Native Client page on Google Code.
KDE 4.2 beta 1 on Gentoo
Kevin Bowling takes a look at KDE 4.2 on a Gentoo Linux box. KDE 4.2 is currently in beta, set for release on January 27. "Much needed features such as changing the panel height, auto-hide, and screen edge selection have been added. The task bar is highly configurable in typical KDE fashion, allowing you to define task grouping, sorting, filtering based on current desktop or screen or minimized windows only, as well as allowing manual grouping. The system tray also now allows hiding of unwanted tray icons."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
EFF: Jewelry company quest to expand trademark law could quash internet commerce
The Electronic Frontier Foundation discusses the legal implications of a case between Tiffany and eBay. "The Electronic Frontier Foundation (EFF) along with Public Citizen and Public Knowledge urged a U.S. court of appeals Wednesday to reject jewelry-maker Tiffany's attempt to rewrite trademark law and create new barriers for online commerce and communication. Tiffany sued the online marketplace eBay, claiming that eBay should be held liable for trademark infringement when sellers offer counterfeit Tiffany goods on the eBay site. The evidence in the case showed that eBay quickly takes down listings when Tiffany sends notice that it believes a specific item is not genuine. However, Tiffany wants eBay to police listings on its own and to be held responsible for any counterfeit items it missed."
Announcing the 2008 Perl Advent Calendar (use Perl)
The 2008 Perl Advent Calendar has been announced. "Did anybody yet mention that the Perl Advent Calendar 2008 is live? Take a look: one article introducing a module that is not as well known as it deserves, per day, until Christmas." Also, the Catalyst web framework Advent Calendar is online with daily tips.
Commercial announcements
Appcelerator brings Web Applications to the desktop with Titanium
Appcelerator, Inc. has announced the public preview release of their Appcelerator Titanium web technology platform. "Titanium allows developers to use standard Web technologies such as HTML, CSS and JavaScript to quickly and easily develop applications that can be deployed to multiple platforms, including the desktop, the browser or the mobile device. Unlike traditional Web applications, which are limited to operating within the browser, Titanium desktop applications are able to read and write local data on the desktop and interact with the operating system."
IBM's new Ubuntu-based desktop offering
IBM has announced the availability of a new desktop offering based on Ubuntu Linux. "This solution runs open standards-based email, word processing, spreadsheets, unified communication, social networking and other software to any laptop, browser, or mobile device from a virtual desktop login on a Linux-based server configuration." Only $49/user in quantities of 1,000.
Redpill Linpro releases thin client management tool source code
Redpill Linpro has announced the release of Multiframe version 5 under a GPL license. "Redpill Linpro, a leading Nordic vendor of Open Source products and services, have released the source code for its industry-leading thin client management tool - Multiframe. The availability of the source code for Multiframe version 5 encourages the Open Source community to build new features and applications to enhance the capabilities of the software package."
Renoise 2.0 - Release Candidate 1 announced
Release Candidate 1 of Renoise 2.0 is available. "Renoise has a different approach to making music compared to conventional sequencers, called Tracking. Tracking comes from the demoscene that pushes technical limits to show off coding skills, art, and music beyond what is thought possible." The software is not open-source, but the free demo is fun.
New Books
New Book: Programming in Python 3
Mark Summerfield has announced his new book Programming in Python 3.
Learning Rails--New from O'Reilly
O'Reilly has published the book Learning Rails by Simon St. Laurent and Edd Dumbill.
Wicked Cool Ruby Scripts--New from No Starch Press
No Starch Press has published the book Wicked Cool Ruby Scripts by Steve Pugh.
Announcing the Scribus Official Manual
An Official Manual for the Scribus desktop publishing system has been announced. "The long-awaited Scribus Official Manual is in its final stages of production, and we now have a site open for pre-publishing sales. For those who are not already aware, the manual began about one year ago as a collaborative effort. The lead authors, Gregory Pittman and Christoph Schäfer, worked with a number of other contributors on this important project. The manual represents the most comprehensive source of information about using Scribus, and includes other useful information about DTP, fonts, color management, and more."
Resources
FSFE Analysis on conflicts between patents and standards
The Free Software Foundation Europe analyzes the conflicts between patents and standards. "Following up on the European Commission's "IPR in ICT Standardisation" workshop two weeks ago in Brussels, FSFE president Georg Greve analysed the conflicts between patents and standards. The resulting paper is about the most harmful effects of patents on standards, the effectiveness of current remedies, and potential future remedies."
A guide to reporting and fixing license violations
The Free Software Foundation Europe's Freedom Task Force and GPL-Violations.org have teamed up to produce a guide to reporting and fixing license violations. The guide looks at steps to take as well as resources available for reporting a violation, handling a violation report, and avoiding violations to begin with. "Be careful when reporting a violation. Accusations and suspicions voiced on public mailing lists create uncertainty and do little to solve violations. By checking your facts you can help experts resolve violations quickly." Click below for the press release announcing the guide.
The Open World Forum FLOSS Roadmap
Open World Forum has announced the availability of the 2020 FLOSS Roadmap, a 78-page PDF file describing this group's vision of where free software is going. "This is a prospective Roadmap, and a projection of the influences that will affect FLOSS between now (2008) and 2020, with descriptions of all FLOSS-related trends as anticipated by OWF contributors over this period of time. It also highlights all sectors that will, potentially, be impacted by FLOSS, from the economy to the Information Society."
Calls for Presentations
SCALE registration opens, speaker positions are still available
Registration is open for SCALE 7x, the Southern California Linux Exposition. SCALE will be held on February 20-22, 2009 in Los Angeles, CA. "Due to the holidays the Calls For Proposals for SCALE 7x have been extended until December 10th, 2008. The Beginner and Developer tracks are almost full; there are still available spots in the three general audience speaker tracks. But if you're considering submitting a proposal, don't delay; the window of opportunity is closing! OSSIE, the Open Source Software in Education seminar and WIOS, the Women in Open Source seminar still have open speaker spots in their Friday tracks. Their Calls for Papers close December 31st."
Upcoming Events
Events: December 18, 2008 to February 16, 2009
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| December 27 - December 30 | Chaos Communication Congress | Berlin, Germany |
| January 8 - January 11 | Consumer Electronics Show | Las Vegas, NV, USA |
| January 9 - January 11 | Fedora User and Developer Conference | Boston, USA |
| January 15 - January 16 | Foundations of Open Media Software 2009 | Hobart, Tasmania, Australia |
| January 17 - January 23 | Camp KDE 2009 | Negril, Jamaica |
| January 19 - January 24 | linux.conf.au - penguins march south | Hobart, Australia |
| January 25 - January 29 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
| January 25 - January 28 | GCC Research Opportunities | Paphos, Cyprus |
| January 31 | Greater London Linux Users Group meeting | London, UK |
| January 31 - February 3 | Black Hat Briefings DC | Arlington, VA, USA |
| February 4 - February 5 | DC BSDCon 2009 | Washington, D.C., USA |
| February 4 - February 6 | Money:Tech 2009 | New York, NY, USA |
| February 5 - February 9 | German Perl Workshop | Frankfurt, Germany |
| February 7 | Frozen Perl 2009 | Minneapolis, MN, USA |
| February 7 - February 8 | FOSDEM 2009 | Brussels, Belgium |
| February 9 - February 11 | O'Reilly Tools of Change for Publishing | New York, NY, USA |
| February 15 | Free Software Awards 2009 Deadline | Soissons, France |
If your event does not appear here, please tell us about it.
Mailing Lists
Announcing a new python-porting mailing list
A new python-porting mailing list has been announced. "Hi all, to facilitate discussion about porting Python code between different versions (mainly of course from 2.x to 3.x), we've created a new mailing list python-porting@python.org It is a public mailing list open to everyone. We expect active participation of many people porting their libraries/programs, and hope that the list can be a help to all wanting to go this (not always smooth :-) way."
Page editor: Forrest Cook
