LWN.net Weekly Edition for December 18, 2008
Debian goes to the polls
It is general resolution season at the Debian Project. As was discussed here in October, Debian seeks to resolve two questions: one regarding types of developers in the project, and one being the perennial firmware debate. As of this writing, the first vote is done, while the second remains open. But it has become clear that, regardless of the outcome of the firmware vote, this issue has stressed the Debian community, perhaps to the breaking point.

Taking the easier subject first: Joerg Jaspert's proposal to create new classes of Debian developers was always going to be controversial. The real purpose of the associated general resolution was to put the brake on those changes. That purpose was fulfilled; the winning choice in that (low-turnout) vote was "Invite the DAM to further discuss until vote or consensus, leading to a new proposal." So the project will go back to doing one of the things it excels at: talking. What form the membership proposal will have when it re-emerges from discussion - if it ever does - is unclear.
The other vote - open until December 21 - is essentially about whether the upcoming "Lenny" release will be delayed until all known violations of the Debian Free Software Guidelines have been resolved - and whether firmware blobs in the kernel count as such violations. The question being asked is not so simple, though; in fact, Debian developers have no less than seven different options to vote upon. The nature of this ballot, how it was constructed, and how it will be decided has led to significant acrimony within the project.
It is worth looking at what the seven options are (with the actual ballot text in bold):
1. **Reaffirm the Social Contract.** The titling of this option is somewhat controversial - all Debian developers committed to supporting the Social Contract before gaining their status. What this option really means is "delay the Lenny release until all DFSG violations known on November 1, 2008 have been resolved."
2. **Allow Lenny to release with proprietary firmware.** This option allows the Lenny release to happen, as long as no new firmware blobs make their way into the distribution. The language here is quite similar to what has been found in the resolutions allowing the Sarge and Etch releases to happen despite ongoing firmware concerns. This option has been deemed by project secretary Manoj Srivastava to require a three-to-one supermajority vote to pass.
3. **Allow Lenny to release with DFSG violations.** This choice, also requiring a supermajority, has almost the same effect as option 2.
4. **Empower the release team to decide about allowing DFSG violations.** Here, the project (again, with a supermajority) would say that it trusts the release team to make the right decisions. The team is currently working toward a release which includes firmware, so, again, the end result would be about the same: allow the Lenny release process to go ahead.
5. **Assume blobs comply with GPL unless proven otherwise.** The actual text of this choice does not mention the GPL at all; in fact, it reads very much like options 2 and 3. However, this one was not deemed to require a supermajority vote.
6. **Exclude source requirements for firmware.** This option (which requires a supermajority) says that, for all practical purposes, firmware is not software and, thus, a corresponding source distribution is not required.
7. **Further discussion.** This outcome seems inevitable regardless of how the developers vote. If it were to win, though, then the outcome of this general resolution would be to decide nothing.
See this posting for the full text of all seven options.
So why are many Debian developers unhappy with this ballot? There would appear to be a few reasons, the first of which being the long list of options. Some developers would have rather seen a simple "can Lenny release or not?" vote, with related issues being handled in a separate resolution.
The titles given to some of the choices are seen by some as deceptive. "Reaffirm the Social Contract" really means "delay Lenny," and "Assume blobs comply with GPL" goes with a resolution that never mentions the GPL at all. Developers who are unhappy with a long, messy ballot are even less happy with option titles which seem confusing at best, or deceptive at worst.
Then, there is the matter of the supermajority requirements. Some developers wonder why option 2 requires a three-to-one vote, while an almost identical resolution for Etch did not require a supermajority in 2006. The decision on majority requirements is made entirely by the project secretary, who has the task of determining whether a given resolution "overrides a foundation document" or not. A few developers have made the claim that Manoj's decisions are based less on clear understanding of what really "overrides a foundation document" and more with the goal of ensuring that his own favored outcome wins.
That last is, needless to say, a strong charge. As it happens, Manoj is the proposer of the "assume blobs comply with GPL" option; he also seconded options 1 and 2. Two of the options he has publicly supported do not have the supermajority requirement attached to them, so, perhaps, one could argue that Manoj is, indeed, trying to rig the vote. On the other hand, those two options conflict with each other: one would delay Lenny indefinitely, the other would wave the firmware problem away. So if this is an attempt to steal an election, it is one with a highly uncertain outcome, even if it is successful. The more straightforward interpretation - that a long-serving project secretary is interpreting the project's constitution to the best of his understanding, ability, and good faith - would seem to be the more likely alternative.
Still, that has not prevented a discussion involving statements like this:
Other, more reasoned - but still unhappy - voices are pondering the replacement of the project secretary. It turns out that how to do that is not entirely clear, though. Some others have asked project leader Steve McIntyre - who has been conspicuously quiet in this whole discussion - to intervene. He finally responded this way:
What "following through" means remains unclear. The Debian project leader does not command vast powers which can be brought to bear on a problem like this. Debian is an exceptional project in that it operates in a democratic mode under a formal constitution. Unlike many other projects, Debian lacks a benevolent dictator or a backing corporation with the ability to force a decision. So we do not know what Steve will be able to do to resolve this issue.
What we do know is that quite a few developers are going to be unhappy with this vote regardless of how it comes out. Talk of "constitutional crisis" is almost certainly overblown; Debian has muddled its way through no end of strong disagreements in the past. But that still leaves a lot of room for public conflict which further diminishes Debian's reputation and further delays the Lenny release. What one can hope is that, somehow, the project will manage to muddle through to an understanding on firmware that can prevent all this from happening yet again when the next major release cycle comes near to completion.
Hv3 and the art of minimalist web-browsing
Even if you appreciate full-featured applications like OpenOffice.org, Firefox, or GNOME, minimalist replacements have a fascination all their own. Not only are minimalist applications a throwback to the original traditions of Unix-like operating systems, but their emphasis on efficiency at the expense of extra features can force you to re-evaluate your computing needs. A case in point is Hv3, a web browser written in Tcl/Tk. Although currently in alpha and paying more attention to developers' needs than those of end users, Hv3 is already highly suitable for basic web-browsing, with a design philosophy all its own -- and, quite possibly, the fastest performance of any free software browser.
Hv3 is available for both GNU/Linux and Windows. Packages of nightly builds are available for Puppy Linux, but the users of most distributions must fall back on statically-linked tarballs, following the instructions on the download page to obtain the latest build with wget, then decompress it and change the permissions. You can also download the source code, as well as Tkhtml3, the embeddable standards-compliant HTML/CSS rendering engine that Hv3 is built on.
When you start Hv3, you also have the option of installing hv3_polipo, a small web cache, in the same directory. You can run Hv3 without hv3_polipo -- at the expense of clicking through the same dialog each time you start the application -- but, if you are an end user, there is no reason not to install hv3_polipo. In fact, there is every reason to do so, since it increases Hv3's speed by at least 25%.
Using Hv3
Hv3 opens on a gun metal gray window with four top-level menus, a toolbar consisting of five basic navigation choices, and the URL entry field (as well as debugging tools that are, presumably, temporary). At the bottom is a status bar that gives instructions for toggling between modes, but apparently does nothing yet. Both bookmarks and downloads open in separate tabs, rather than in a menu or a floating window, which makes for a less cluttered appearance than in most browsers, but does result in each new tab opening by displaying bookmarks. This default occasionally comes in handy, but is more often an annoying preliminary step to what you really want to do.
Two unusual features in the Hv3 window are the ability to hide the menus and toolbar to maximize display space, and a tree view of the page's HTML source. Both are available from the right-click menu for a link. The tree view is especially welcome, since it is quicker to navigate than the plain text file of markup you get in most browsers. The difference, I suspect, is that Hv3 assumes that users are actively interested in looking through the markup and using it as efficiently as possible, so the view is not just an afterthought.
So far, at least, search capacity is minimal in Hv3, differing little from Firefox's except in the fact that searches of both the web and the current page are grouped together and given prominence by a top-level search menu. Again, the impression is that Hv3 developers are thinking of what might be convenient for those who make regular use of the feature.
You can configure Hv3 from the Options menu, choosing the icon set to use in the toolbar, and the size (but not the typeface) to use for the widgets and on web pages. For some reason, you have three choices for font size on web pages: The page zoom, the font scale (a percentage), and the font size table (a description). You also have the option of disabling the display of images for greater speed, and for turning off support for ECMAScript, which provides support for what is commonly referred to as JavaScript.
Bookmarks
As you explore Hv3, you will probably want to start by opening the Bookmark tab. For one thing, Hv3 seems to have paid most attention to bookmarks among the most common browser features. Because bookmarks in Hv3 open in a separate tab, they display a tree-view list on the left, and the actual page on the right, making them easy to learn.
More importantly, the default bookmarks include a short but adequate page explaining the features of Hv3. An especially noteworthy feature is the distinction between regular bookmarks, which open directly on the page, and snapshots, an archived version of a bookmark that can be used to work off-line. You can tell a regular bookmark because it is indicated in the tree view by having a cyan colored circle for an icon, while a snapshot has an icon resembling a page.
There is also a third type of bookmark that is a snapshot that retains a link to the original. You tell this type of icon by clicking on it and watching it toggle back and forth between the other two, a distinction that seems all too easy to miss.
Another reason for turning early to the Bookmarks tab is to use the Import Data button to import bookmarks from Firefox. The process lasts less than ten seconds, and is almost formidably efficient: Not only your personal bookmarks, but the default bookmarks for your distribution and Firefox's default bookmarks are added to the tree view -- regardless of whether they still appear on your personal toolbox in Firefox or not.
Speed vs. Geekiness
Many of Hv3's features suggest an effort to rethink functionality that you can easily take for granted in your daily browsing. However, what interests many people about minimalist web browsers is their speed. In this category, Hv3 is in a class by itself. Without hv3_polipo installed (see above), Hv3 loads pages roughly 50% faster than Firefox, and about the same speed as Dillo, perhaps the best known minimalist browser. However, with hv3_polipo installed, Hv3 loads pages nearly twice as quickly as Firefox, and about 50% faster than Dillo.
Moreover, Hv3 has the advantage over Dillo of supporting JavaScript, which means that it displays more pages correctly than Dillo does -- although, if you are watching, you will see any text-only alternative pages display before Hv3 renders a JavaScript page. If Hv3 would only include a Flash plugin, possibly using Gnash, the free Flash replacement, then its users would have few basic reasons to envy the users of heavyweight browsers like Firefox except the absence of an active extensions-building community.
In its current release, Hv3 pays little attention to usability. Not only are the debugging tools prominently displayed, but some of the options, such as "GUI fonts" or "Force CSS metrics" seem pitched at the understanding of developers more than that of everyday users. However, the interface names are not that hard to figure out, particularly since they are relatively few. Presumably, too, the Hv3 team is more concerned with performance right now than finishing details, and will get around to such concerns closer to the first full release.
For now, the lack of polish seems a small price to pay for the speed and simplicity of Hv3 -- to say nothing of the reminder that useful and thoughtful alternatives exist to well-known applications.
The FSF raises the stakes for Cisco
On December 11, the Free Software Foundation announced the filing of a GPL-infringement lawsuit against Cisco. This action represents another step in a long series of license-compliance issues involving Cisco and its subsidiaries. It may look like just another licensing lawsuit, but it represents an interesting step in the evolution of attitudes toward compliance with the GPL. The eventual outcome is fairly predictable, but the process is still worth watching.

Cisco does look like a serial offender with regard to the GPL. Most of its problems in this area were actually acquired with its purchase of Linksys; routers made by Linksys have been followed by GPL issues since at least 2003. Over those years, a fairly consistent pattern has developed: a new Linksys product is released which, upon inspection, is determined to be running GPL-licensed software. There is no corresponding source release, which is a clear violation of the GPL. After a series of contacts and negotiations, some of the copyright holders involved succeed in getting a source release - though that release is not always as complete as it should be. The problem appears to be solved - until the next product comes out.
The sad part is that there is almost certainly no real desire on the part of Cisco or Linksys to violate the GPL. The company is being set up for trouble by its suppliers - the firms based in the far east which actually make the hardware sold under the Linksys name. Those suppliers feel, perhaps with good reason, that they need not concern themselves with the details of license compliance. There is not, after all, much of a history of successful license enforcement in that part of the world. So they deliver an infringing product which Cisco then resells; it could well be that Cisco honestly has no idea that those products incorporate software in violation of its license. Of course, it could also be that Cisco does not really want to know about such problems.
Nameless original equipment manufacturers in China are a difficult target for those who would enforce the GPL; a high-profile American company is clearly easier game. Beyond that, though, Cisco is a legitimate target for a lawsuit: the company is distributing GPL-licensed software without making the source available. It is also an appealing target because Cisco is in a position to apply pressure on those nameless suppliers: if a company of that size refuses to resell equipment which does not come with fully-licensed software (whether free or proprietary), its suppliers will learn to pay attention. The FSF is arguing, in essence, that it is Cisco's responsibility to put a program in place to ensure that its suppliers are delivering properly-licensed software. It is Cisco which should be finding licensing problems in its products, not the owners of the code it is using.
The complaint [PDF] describes a long series of meetings with Cisco. Several times, the complaint says, "Defendant corresponded with Plaintiff repeatedly regarding the matter and Plaintiff believed in good faith that a satisfactory resolution of its concerns could be reached." But then more problems always turned up. So, after a few years, the FSF has given up:
The complaint alleges that Cisco is guilty of copyright infringement. The court is asked to provide injunctive relief - taking the offending products off the market. The FSF is also asking for damages, attorney's fees, and "all profits derived by Defendant from its unlawful acts".
All this would be a heavy price for Cisco to pay. And it could well be that a court would go along with most of these requests. The fact of the matter, though, is that things are unlikely to get that far. Unlike, say, SCO, Cisco has not made any statements about the validity of the GPL. It is an active contributor to GPL-licensed projects, including the Linux kernel. Cisco's behavior looks more like negligence than malice. This suit will probably get the attention of people in very high levels of management at Cisco; they, in turn, will almost certainly come to the table and find a way to make the FSF go away. There is no value for them in any other course of action.
So this episode will blow over, probably within a few months. But there are still a couple of interesting things to note here. One is that the Linux kernel is not involved in this suit at all, and neither is Busybox. Those two projects have been at the center of most GPL-enforcement actions thus far. The FSF, though, is focusing on projects that it owns: glibc, GCC, coreutils, binutils, gdb, and wget. That widens the scope somewhat, showing that GPL compliance is not just required for a small number of programs.
Incidentally, all of the code at issue in this suit is licensed under GPLv2; version 3 of the license is not part of this action.
This suit also marks a bit of a change for the FSF, which, traditionally, has strongly favored quiet resolution of GPL-compliance issues. It seems that even the FSF has a point where its patience runs out. It may also be that the influence of the Software Freedom Law Center, which appears to be rather more willing to go to court, is being felt at the FSF. In any case, it is reasonable to expect that the FSF might find itself involved in more legal actions in the future.
This lawsuit will doubtless be used by people to show how use of GPL-licensed software can create risks for companies. The truth is more straightforward, though. Use of any copyrighted material without an accompanying license is generally against the law; incorporating such material into products will always be a risky thing to do. There is nothing special about the GPL in that regard.
Security
"Vishing" advisory targets Asterisk
A light-on-details warning—issued late on a Friday no less—had users of the Asterisk telephony platform scrambling recently. It was issued by a US government group that includes the FBI, which tends to attract attention, and warned of unspecified vulnerabilities that would allow "vishing" attacks using subverted Asterisk systems. Vishing is a relatively new scam that uses phone calls in phishing expeditions (the name comes from combining 'voice' with 'phishing'), but typically using systems that are owned and run by the scammers.
Evidently, the FBI received word that Asterisk systems were being subverted by way of a vulnerability (AST-2008-003) reported last March. Systems were then used to make "thousands of vishing telephone calls [...] within one hour" trying to elicit personal information—generally credit card numbers—from victims. By using caller ID spoofing techniques those calls could appear to be coming from the credit card company itself. Typically, a pre-recorded message would give the user another number to call, where they would be prompted to enter the information via an interactive voice response (IVR) interface.
Asterisk is a multi-purpose free software suite that can act as a private branch exchange (PBX), handle VoIP traffic, do IVR, and more. Because it provides such a general purpose platform, it does make an attractive target. It is probably also enticing to control such a device that is being run by—and can be traced to—someone else. But the folks at Digium—original developers and primary maintainers of Asterisk—don't really think the problem is as bad as was indicated.
The original problem was fixed months ago, so it clearly irks the Digium folks that it has been fingered now. In addition, the original advisory didn't even point to the vulnerability so users and Digium were left to guess what exactly was being exploited. The advisory was updated to include information about AST-2008-003, but there is still some skepticism about the potential for exploitation. On Digium's blog, community manager John Todd thinks the problem was overstated:
While it may well be that this particular vulnerability is difficult to exploit, there will likely be others down the road that are less so. While some users may be getting a little more wary about phishing and email-based scams in general, phone calls have generally been considered more trustworthy. But it is no longer true that phone numbers are definitely traceable back to a physical location with a billed party known by the telephone company. Much of this information can be spoofed or re-routed in ways that make detection more difficult.
Phones have certainly been used in scams over the years, but the advent of caller ID has tended to put an undeserved stamp of authenticity on certain calls. If a pre-recorded message purports to come from GiantCompany and the caller ID entry has that name, it is easy to conclude that the call is genuine. Much of the same effort that has gone into educating the public about phishing will also need to be applied to vishing.
This is certainly not the first instance of PBX systems being abused either. Subverting PBXs for free long distance calls is a longstanding trick in the "phreaking" community. But Asterisk provides a much more capable platform, thus a much more useful tool, both for those that run them and those that subvert them. Asterisk users need to keep that in mind when security issues come to light.
Brief items
Google's Browser Security Handbook
Google has posted a Browser Security Handbook, written by Michal Zalewski. "This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities." It is thick and detailed enough to make it clear that no web application developer can ever hope to understand all of the relevant details.
New vulnerabilities
aview: insecure tmp file usage
| Package(s): | aview | CVE #(s): | CVE-2008-4935 |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported that aview uses the "/tmp/aview$$.pgm" file in an insecure manner when processing files. A local attacker could perform symlink attacks to overwrite arbitrary files on the system with the privileges of the user running the application. |
| Alerts: | |
dovecot: improper permissions
| Package(s): | dovecot | CVE #(s): | CVE-2008-4870 |
| Created: | December 15, 2008 | Updated: | January 20, 2009 |
| Description: | From the Gentoo advisory: The dovecot.conf is world-readable, providing improper protection for the ssl_key_password setting (CVE-2008-4870). |
| Alerts: | |
drupal: multiple vulnerabilities
| Package(s): | drupal | CVE #(s): | |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | What little information there is comes from the Drupal security announcement: Cross site request forgery: The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database. Cross site scripting: When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier. |
| Alerts: | |
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CVE-2008-5078 |
| Created: | December 15, 2008 | Updated: | March 2, 2009 |
| Description: | From the Red Hat advisory: Several buffer overflow flaws were found in GNU enscript. An attacker could craft an ASCII file in such a way that it could execute arbitrary commands if the file was opened with enscript with the "special escapes" option (-e or --escapes) enabled. (CVE-2008-3863, CVE-2008-4306, CVE-2008-5078) |
| Alerts: | |
firefox: multiple vulnerabilities
| Package(s): | firefox | CVE #(s): | CVE-2008-5505 CVE-2008-5510 |
| Created: | December 17, 2008 | Updated: | January 16, 2009 |
| Description: | From the Red Hat advisory: A flaw was found in the way Firefox stored attributes in XML User Interface Language (XUL) elements. A web site could use this flaw to track users across browser sessions, even if users did not allow the site to store cookies in the victim's browser. (CVE-2008-5505) A flaw was found in Firefox's CSS parser. A malicious web page could inject NULL characters into a CSS input string, possibly bypassing an application's script sanitization routines. (CVE-2008-5510) |
| Alerts: | |
freeradius: symlink attacks
| Package(s): | freeradius | CVE #(s): | CVE-2008-4474 |
| Created: | December 16, 2008 | Updated: | December 17, 2008 |
| Description: | From the SUSE advisory: freeradius-dialupadmin was prone to symlink attacks via temporary files. |
| Alerts: | |
honeyd: insecure tmp file usage
| Package(s): | honeyd | CVE #(s): | CVE-2008-3928 |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | From the Gentoo advisory: Dmitry E. Oboukhov reported an insecure temporary file usage within the "test.sh" script. A local attacker could perform symlink attacks and overwrite arbitrary files with the privileges of the user running the application. |
| Alerts: | |
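The aview, freeradius-dialupadmin and honeyd entries above all describe the same bug class: a temporary file created at a guessable name (such as "/tmp/aview$$.pgm") without an exclusive-create check. The following C program is an added example, not code from any of those packages or advisories; it contrasts that pattern with an O_EXCL open and with mkstemp() inside a private directory, using a constructed "victim" file and planted symlink so it can be run safely on any POSIX system.

```c
/* Added example: predictable temp-file creation vs. exclusive creation.
 * Directory, file names and the "victim" file are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (cf. "/tmp/aview$$.pgm"): the name depends only on the
 * PID, so it is guessable, and O_CREAT without O_EXCL follows whatever already
 * sits at that name, a planted symlink included, and truncates its target. */
int open_tmp_predictable(const char *dir, const char *prefix,
                         char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/%s%ld.pgm", dir, prefix, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Minimal fix when the name cannot change: with O_CREAT|O_EXCL, open() fails
 * with EEXIST if anything at all (symlink included) already exists there. */
int open_tmp_exclusive(const char *dir, const char *prefix,
                       char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/%s%ld.pgm", dir, prefix, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Proper fix: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL atomically, retrying until it gets a fresh file. */
int open_tmp_safe(const char *dir, const char *prefix,
                  char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/%s.XXXXXX", dir, prefix);
    return mkstemp(path);
}

/* Self-contained check in a private directory: a symlink pointing at a file we
 * own is planted at the guessable name, then the three variants are tried.
 * Returns a bitmask: 1 = predictable open truncated the victim through the
 * link, 2 = O_EXCL open refused with EEXIST, 4 = mkstemp produced a fresh
 * regular file under a different name.  All three observed -> 7; -1 on
 * setup failure. */
int demo_tmpfile_symlink(void)
{
    char dir[] = "/tmp/lwn-tmpdemo.XXXXXX";
    char target[512], planted[512], path[512];
    struct stat st;
    int fd, result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important data\n", 15) != 15)
        return -1;
    close(fd);

    /* The guessable name, pre-populated with a symlink to the victim file. */
    snprintf(planted, sizeof planted, "%s/aview%ld.pgm", dir, (long)getpid());
    if (symlink(target, planted) != 0)
        return -1;

    fd = open_tmp_predictable(dir, "aview", path, sizeof path);
    if (fd >= 0) {
        close(fd);
        if (stat(target, &st) == 0 && st.st_size == 0)
            result |= 1;            /* victim truncated through the link */
    }

    errno = 0;
    fd = open_tmp_exclusive(dir, "aview", path, sizeof path);
    if (fd < 0 && errno == EEXIST)
        result |= 2;                /* refused: the name was already taken */
    else if (fd >= 0)
        close(fd);

    fd = open_tmp_safe(dir, "aview", path, sizeof path);
    if (fd >= 0) {
        if (lstat(path, &st) == 0 && S_ISREG(st.st_mode)
            && strcmp(path, planted) != 0)
            result |= 4;            /* fresh regular file, not the planted one */
        close(fd);
        unlink(path);
    }

    unlink(planted);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_tmpfile_symlink();
    printf("result bitmask: %d (7 = all three behaviours observed)\n", r);
    return r == 7 ? 0 : 1;
}
```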
jasper: multiple vulnerabilities
| Package(s): | jasper netpbm ghostscript | CVE #(s): | CVE-2008-3520 CVE-2008-3522 |
| Created: | December 17, 2008 | Updated: | January 4, 2012 |
| Description: | From the Gentoo advisory: Marc Espie and Christian Weisgerber have discovered multiple vulnerabilities in JasPer: * Multiple integer overflows might allow for insufficient memory allocation, leading to heap-based buffer overflows (CVE-2008-3520). * The jas_stream_printf() function in libjasper/base/jas_stream.c uses vsprintf() to write user-provided data to a static buffer, leading to an overflow (CVE-2008-3522). Remote attackers could entice a user or automated system to process specially crafted jpeg2k files with an application using JasPer, possibly leading to the execution of arbitrary code. |
| Alerts: | |
no-ip: arbitrary code execution
| Package(s): | no-ip | CVE #(s): | CVE-2008-5297 |
| Created: | December 15, 2008 | Updated: | January 19, 2009 |
| Description: | From the Debian advisory: A buffer overflow has been discovered in the HTTP parser of the No-IP.com Dynamic DNS update client, which may result in the execution of arbitrary code. |
| Alerts: | |
phpMyAdmin: sql injection via cross-site request forgery
| Package(s): | phpMyAdmin | CVE #(s): | CVE-2007-0095 |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | Some information can be found in the phpMyAdmin security announcement: A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through the table parameter. |
| Alerts: | |
povray: arbitrary code execution
| Package(s): | povray | CVE #(s): | CVE-2008-3964 CVE-2004-0768 |
| Created: | December 15, 2008 | Updated: | March 6, 2009 |
| Description: | From the Gentoo advisory: POV-Ray uses a statically linked copy of libpng to view and output PNG files. The version shipped with POV-Ray is vulnerable to CVE-2008-3964, CVE-2008-1382, CVE-2006-3334, CVE-2006-0481, CVE-2004-0768. A bug in POV-Ray's build system caused it to load the old version when your installed copy of libpng was >=media-libs/libpng-1.2.10. An attacker could entice a user to load a specially crafted PNG file as a texture, resulting in the execution of arbitrary code with the permissions of the user running the application. |
| Alerts: | |
roundcubemail: code injection
| Package(s): | roundcubemail | CVE #(s): | |
| Created: | December 15, 2008 | Updated: | December 17, 2008 |
| Description: | From the Red Hat bugzilla entry: A remotely exploitable code injection vulnerability has been found in the RoundCube Webmail browser-based multilingual IMAP client due to insufficient sanitization of certain HTML tags. A remote attacker could use this flaw to potentially inject and execute arbitrary code via an HTML POST form request with specially-crafted HTML tags. |
| Alerts: | |
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey | CVE #(s): | CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5503 CVE-2008-5504 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 |
| Created: | December 17, 2008 | Updated: | January 16, 2009 |
| Description: | From the Red Hat advisory: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code as the user running SeaMonkey. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5504, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a SeaMonkey user into surrendering sensitive information. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) A flaw was found in the way malformed URLs were processed by SeaMonkey. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508) |
tshark, wireshark: denial of service
| Package(s): | tshark | CVE #(s): | CVE-2008-5285 |
| Created: | December 12, 2008 | Updated: | June 30, 2009 |
| Description: | From the CVE entry: Wireshark 1.0.4 and earlier allows remote attackers to cause a denial of service via a long SMTP request, which triggers an infinite loop. |
uw-imap: buffer overflows, null pointer dereference
| Package(s): | uw-imap | CVE #(s): | CVE-2008-5005 CVE-2008-5006 |
| Created: | December 12, 2008 | Updated: | December 29, 2009 |
| Description: | From the Debian advisory: It was discovered that several buffer overflows can be triggered via a long folder extension argument to the tmail or dmail program. This could lead to arbitrary code execution (CVE-2008-5005). It was discovered that a NULL pointer dereference could be triggered by a malicious response to the QUIT command leading to a denial of service (CVE-2008-5006). |
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel remains 2.6.28-rc8; no 2.6.28 prepatches have been released over the last week. The trickle of changes into the mainline git repository continues, with 46 changes (as of this writing) merged since -rc8.
The question of when the final 2.6.28 release will happen remains open. Linus seems to be leaning toward a pre-holiday release, mostly because he wants to get the merge window out of the way before the beginning of linux.conf.au in January. The regression list is quite short at this point, so it seems that a release at just about any time would be justified.
The current 2.6 stable kernel is 2.6.27.9, released with a long list of fixes on December 13. Meanwhile, the 2.6.27.10 stable release, containing another 22 patches, is in the review process as of this writing; it will likely be released on December 18.
Kernel development news
Quotes of the week
Once things have stabilised and it's usable and performs respectably, start thinking about features again.
Do NOT fall into the trap of adding more and more and more stuff to an out-of-tree project. It just makes it harder and harder to get it merged. There are many examples of this.
System calls and 64-bit architectures
Adding a system call to the kernel is never done lightly. It is important to get it right before it gets merged because, once that happens, it must be maintained as part of the kernel's binary interface forever. The proposal to add preadv() and pwritev() system calls provides an excellent example of the kinds of concerns that need to be addressed when adding to the kernel ABI.
The two system calls themselves are quite straightforward. Essentially, they combine the existing pread() and readv() calls (along with the write variants of course) into a way to do scatter/gather I/O at a particular offset in the file. Like pread(), the current file position is unaffected. The calls, which are available on various BSD systems, can be used to avoid races between an lseek() call and a read or write. Currently, applications must do some kind of locking to prevent multiple threads from stepping on each other when doing this kind of I/O.
The prototypes for the functions look much like readv/writev, simply adding the offset as the final parameter:
ssize_t preadv(int d, const struct iovec *iov, int iovcnt, off_t offset);
ssize_t pwritev(int d, const struct iovec *iov, int iovcnt, off_t offset);
But, because off_t is a 64-bit quantity, this causes problems on some architectures due to the way system call arguments are passed. After Gerd Hoffmann posted version 2 of the patchset, Matthew Wilcox was quick to point out a problem:
Several other architectures (ARM, PowerPC, s390, ...) have similar constraints. Because the offset is the fourth argument, it gets placed in the r3 and r4 32-bit registers, but some architectures need it in either r2/r3 or r4/r5. This led some to advocate reordering the parameters, putting the offset before iovcnt to avoid the problem. As long as that change doesn't bubble out to user space, Hoffmann is amenable to making the change: "I'd *really* hate it to have the same system call with different argument ordering on different systems though".
Most seemed to agree that the user-space interface as presented by glibc should match what the BSDs provide. It causes too many headaches for folks trying to write standards or portable code otherwise. To fix the alignment problem, the system call itself has the reordered version of the arguments. That led to Hoffmann's third version of the patchset, which still didn't solve the whole problem.
There are multiple architectures that have both 32 and 64-bit versions, and the 64-bit kernel must support system calls from 32-bit user-space programs. Those programs will put 64-bit arguments into two registers, but the 64-bit kernel will expect that argument in a single register. Because of this, Arnd Bergmann recommended splitting the offset into two arguments, one for the high 32 bits and one for the low: "This is the only way I can see that lets us use a shared compat_sys_preadv/pwritev across all 64 bit architectures".
When a 32-bit user-space program makes a system call on a 64-bit system, the compat_sys_* version is used to handle differences in the data sizes. If a pointer to a structure is passed to a system call, and that structure has a different representation in 32-bits than it does in 64-bits, the compat layer makes the translation. Because different 64-bit architectures do things differently in terms of calling conventions and alignment requirements, the only way to share compat code is to remove the 64-bit quantity from the system call interface entirely.
That just leaves one final problem to overcome: endian-ness. As Ralf Baechle notes, MIPS can be either little or big-endian, so the compat_sys_preadv/pwritev() needs to put the two 32-bit offset values together in the proper way. He recommended moving the MIPS-specific merge_64() macro into a common compat.h include file, which could then be used by the common compat routines. So far, version 4 of the patchset has not emerged, but one suspects that the offset argument splitting and use of merge_64() will be part of it.
The implementation of the operation of preadv() and pwritev() is very obvious, certainly in comparison to the intricacies of passing its arguments. The VFS implementations of readv()/writev() already take an offset argument, so it was simply a matter of calling those. It is interesting to note that as part of the review, Christoph Hellwig spotted a bug in the existing compat_sys_readv/writev() implementations which would lead to accounting information not being updated for those calls.
This is not the first time these system calls have been proposed; way back in 2005, we looked at some patches from Badari Pulavarty that added them. Other than a brief appearance in the -mm tree, they seem to have faded away. Even if this edition of preadv() and pwritev() does not make it into the mainline—so far there are no indications that it won't—the code review surrounding it was certainly useful. Getting a glimpse of the complexities around 64-bit quantities being passed to system calls was quite informative as well.
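As an added illustration (not code from the patchset, glibc or the kernel), the following C program shows the two points the review turned on: the 64-bit offset handed to the kernel as two 32-bit halves and merged back in a way that does not depend on host byte order, and the "file position untouched" semantics that remove the lseek()/read() race. The names split_offset(), merge_64() as written here and emulate_preadv() are hypothetical; emulate_preadv() is a user-space stand-in built on pread(), not the system call.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/uio.h>

/* What a 32-bit user-space wrapper would do before entering the kernel:
 * hand over the offset as two register-sized arguments (hypothetical). */
static inline void split_offset(uint64_t off, uint32_t *lo, uint32_t *hi)
{
    *lo = (uint32_t)off;
    *hi = (uint32_t)(off >> 32);
}

/* What a shared compat_sys_* handler would do on entry. Shift-and-OR rather
 * than a union or pointer cast, so the result is the same on little- and
 * big-endian hosts: which half is "high" is fixed by the ABI, not by the
 * byte order of the CPU (the MIPS concern raised in the discussion). */
static inline uint64_t merge_64(uint32_t hi, uint32_t lo)
{
    return ((uint64_t)hi << 32) | lo;
}

/* Returns 1 if splitting and merging `off` is lossless. */
int offset_roundtrip_ok(uint64_t off)
{
    uint32_t lo, hi;
    split_offset(off, &lo, &hi);
    return merge_64(hi, lo) == off;
}

/* User-space emulation of preadv(): scatter-read at `offset` without touching
 * the file position. The real system call does all of this in one kernel
 * entry; here each iovec is filled by pread(), which never moves the position. */
ssize_t emulate_preadv(int d, const struct iovec *iov, int iovcnt, off_t offset)
{
    ssize_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        size_t done = 0;
        while (done < iov[i].iov_len) {
            ssize_t n = pread(d, (char *)iov[i].iov_base + done,
                              iov[i].iov_len - done,
                              offset + total + (off_t)done);
            if (n < 0)
                return -1;
            if (n == 0)                        /* end of file: short read */
                return total + (ssize_t)done;
            done += (size_t)n;
        }
        total += (ssize_t)done;
    }
    return total;
}

/* Demonstration on a constructed temporary file. Returns 1 if both buffers
 * received the expected bytes and the file position was left where it was. */
int demo_position_unchanged(void)
{
    static const char data[] = "0123456789abcdef";  /* constructed input */
    char a[3] = { 0 }, b[3] = { 0 };
    struct iovec iov[2] = { { a, sizeof a }, { b, sizeof b } };
    FILE *fp = tmpfile();
    int d, ok;
    if (!fp)
        return 0;
    d = fileno(fp);
    if (pwrite(d, data, sizeof data - 1, 0) != (ssize_t)(sizeof data - 1)) {
        fclose(fp);
        return 0;
    }
    lseek(d, 2, SEEK_SET);                     /* position another thread relies on */
    ok = emulate_preadv(d, iov, 2, 10) == 6
         && memcmp(a, "abc", 3) == 0
         && memcmp(b, "def", 3) == 0
         && lseek(d, 0, SEEK_CUR) == 2;        /* still 2: no race with the reader */
    fclose(fp);
    return ok;
}

int main(void)
{
    printf("offset round trip: %s\n", offset_roundtrip_ok(0x123456789ULL) ? "ok" : "FAIL");
    printf("position unchanged: %s\n", demo_position_unchanged() ? "ok" : "FAIL");
    return 0;
}
```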
Followups: performance counters, ksplice, and fsnotify
There's been progress in a few areas which LWN has covered in the past. Here's a quick followup on where things stand now.
Performance monitors
In last week's episode, a new, out-of-the-blue performance monitoring patch had stirred up discussion and a certain amount of opposition. The simplicity of the new approach by Ingo Molnar and Thomas Gleixner had some appeal, but it is far from clear that this approach is sufficiently powerful to meet the needs of the wider performance monitoring community.
Since then, version 3 and version 4 of the patch have been posted. A look at the changelogs shows that work on this code is progressing quickly. A number of changes have been made, including:
- The addition of virtual performance counters for tracking clock time,
page faults, context switches, and CPU migrations.
- A new "performance counter group" functionality. This feature is
meant to address criticism that the original interface would not allow
multiple counters to be read simultaneously, making it hard to
correlate different counter values. Counters can now be associated
into multiple groups which allow them to be manipulated as a unit.
There's also a new mechanism allowing all counters to be turned on or
off with a single system call.
- The system call interface has been reworked; see the version 3
announcement for description of the new API.
- The kerneltop utility has been enhanced to work with performance
counter groups.
- "Performance counter inheritance" is now supported; essentially, this
allows a performance monitoring utility to follow a process through a
fork() and monitor the child process(es) as well.
- The new "timec" utility runs a process under performance monitoring, outputting a whole set of statistics on how the process ran.
There are still concerns about this new approach to performance monitoring, naturally. Developers worry that users may not be able to get the information they need, and it still seems like it may be necessary to put a huge amount of hardware-specific programming information into the kernel. But, to your editor's eye, this patch set also seems to be gaining a bit of the sense of inevitability which usually attaches itself to patches from Ingo and company. It will probably be some time, though, before a decision is made here.
Ksplice
In November, we looked at a new version of the Ksplice code, which allows patches to be put into a running kernel. The Ksplice developers would like to see their work go into the mainline, so they recently poked Andrew Morton to see what the status was. His response was:
I'd have _thought_ that distros and their high-end customers would be interested in it, but I haven't noticed anything from them. Not that this means much - our processes for gathering this sort of information are rudimentary at best.
The response on the list, such as it was, indicated that the distributors are, in fact, not greatly interested in this feature. Dave Jones commented:
If distros can't get security updates out in a reasonable time, fix the process instead of adding mechanism that does an end-run around it. Which just leaves the "we can't afford downtime" argument, which leads me to question how well reviewed runtime patches are. Having seen some of the non-ksplice runtime patches that appear in the wake of a new security hole, I can't say I have a lot of faith.
The Ksplice developers agree that the writing of custom code to fit patches into a running kernel is a scary proposition; that is why, they say, they've gone out of their way to make such code unnecessary most of the time.
This discussion leaves Ksplice in a bit of a difficult position; in the absence of clear demand, the kernel developers are unlikely to be willing to merge a patch of this nature. If this is a feature that users really want, they should probably be communicating that fact to their distributors, who can then consider supporting it and working to get it into the mainline.
fsnotify
The file scanning mechanism known as TALPA got off to a rough start with the kernel development community. Many developers have a dim view of the malware scanning industry in general, and they did not like the implementation that was posted. It is clear, though, that the desire for this kind of functionality is not going away. So developer Eric Paris has been working toward an implementation which will pass review.
His latest attempt can be seen in the form of the fsnotify patch set. This code does not, itself, support the malware scanning functionality, but, says Eric, "you better know it's coming." What it does, instead, is to create a new, low-level notification mechanism for filesystem events.
At a first look, that may seem like an even more problematic approach than was taken before. Linux already has two separate file event notifiers: dnotify and inotify. Kernel developers tend to express their dissatisfaction with those interfaces, but there has not been a whole lot of outcry for somebody to add a third alternative. So why would fsnotify make sense?
Eric's idea seems to be to make something that so clearly improves the kernel that people will lose the will to complain about the malware scanning functionality. So fsnotify has been written - employing a lot of input from filesystem developers - to be a better-thought-out, more supportable notification subsystem. Then the existing dnotify and inotify code is ripped out and reimplemented on top of fsnotify. The end result is that the impact on the rest of the VFS code is actually reduced; there is now only one set of notifier calls where, previously, there were two. And, despite that, the notification mechanism has become more general, being able to support functionality which was not there in the past.
And, to top it off, Eric has managed to make the in-core inode structure smaller. Given that there can be thousands of those structures in a running system, even a small reduction in their size can make a big difference. So, claims Eric, "That's right, my code is smaller and faster. Eat that."
What this code needs now is detailed review from the core VFS developers. Those developers tend to be a highly-contended resource, so it's not clear when they will be able to take a close look at fsnotify. But, sooner or later, it seems likely that this feature will find its way into the mainline.
SLQB - and then there were four
The Linux kernel does not lack for low-level memory managers. The venerable slab allocator has been the engine behind functions like kmalloc() and kmem_cache_alloc() for many years. More recently, SLOB was added as a pared-down allocator suitable for systems which do not have a whole lot of memory to manage in the first place. Even more recently, SLUB went in as a proposed replacement for slab which, while being designed with very large systems in mind, was meant to be applicable to smaller systems as well. The consensus for the last year or so has been that at least one of these allocators is surplus to requirements and should go. Typically, slab is seen as the odd allocator out, but nagging doubts about SLUB (and some performance regressions in specific situations) have kept slab in the game.
Given this situation, one would not necessarily think that the kernel needs yet another allocator. But Nick Piggin thinks that, despite the surfeit of low-level memory managers, there is always room for one more. To that end, he has developed the SLQB allocator which he hopes to eventually see merged into the mainline. According to Nick:
Like the other slab-like allocators, SLQB sits on top of the page allocator and provides for allocation of fixed-sized objects. It has been designed with an eye toward scalability on high-end systems; it also makes a real effort to avoid the allocation of compound pages whenever possible. Avoidance of higher-order (compound page) allocations can improve reliability significantly when memory gets tight.
While there is a fair amount of tricky code in SLQB, the core algorithms are not that hard to understand. Like the other slab-like allocators, it implements the abstraction of a "slab cache" - a lookaside cache from which memory objects of a fixed size can be allocated. Slab caches are used directly when memory is allocated with kmem_cache_alloc(), or indirectly through functions like kmalloc(). In SLQB, a slab cache is represented by a data structure which looks very approximately like the following:
(Note that, to simplify the diagram, a number of things have been glossed over).
The main kmem_cache structure contains the expected global parameters - the size of the objects being allocated, the order of page allocations, the name of the cache, etc. But scalability means separating processors from each other, so the bulk of the kmem_cache data structure is stored in per-CPU form. In particular, there is one kmem_cache_cpu structure for each processor on the system.
Within that per-CPU structure one will find a number of lists of objects. One of those (freelist) contains a list of available objects; when a request is made to allocate an object, the free list will be consulted first. When objects are freed, they are returned to this list. Since this list is part of a per-CPU data structure, objects normally remain on the same processor, minimizing cache line bouncing. More importantly, the allocation decisions are all done per-CPU, with no bad cache behavior and no locking required beyond the disabling of interrupts. The free list is managed as a stack, so allocation requests will return the most recently freed objects; again, this approach is taken in an attempt to optimize memory cache behavior.
SLQB gets its memory in the form of full pages from the page allocator. When an allocation request is made and the free list is empty, SLQB will allocate a new page and return an object from that page. The remaining space on the page is organized into a per-page free list (assuming the objects are small enough to pack more than one onto a page, of course), and the page is added to the partial list. The other objects on the page will be handed out in response to allocation requests, but only when the free list is empty. When the final object on a page is allocated, SLQB will forget about the page - temporarily, at least.
Objects are, when freed, added to freelist. It is easy to foresee that this list could grow to be quite large after a burst of system activity. Allowing freelist to grow without bound would risk tying up a lot of system memory doing nothing while it is possibly needed elsewhere. So, once the size of the free list passes a watermark (or when the page allocator starts asking for help freeing memory), objects in the free list will be flushed back to their containing pages. Any partial pages which are completely filled with freed objects will then be returned back to the page allocator for use elsewhere.
There is an interesting situation which arises here, though: remember that SLQB is fundamentally a per-CPU allocator. But there is nothing that requires objects to be freed on the same CPU which allocated them. Indeed, for suitably long-lived objects on a system with many processors, it becomes probable that objects will be freed on a different CPU. That processor does not know anything about the partial pages those objects were allocated from, and, thus, cannot free them. So a different approach has to be taken.
That approach involves the maintenance of two more object lists, called rlist and remote_free. When the allocator tries to flush a "remote" object (one allocated on a different CPU) from its local freelist, it will simply move that object over to rlist. Occasionally, the allocator will reach across CPUs to take the objects from its local rlist and put them on remote_free list of the CPU which initially allocated those objects. That CPU can then choose to reuse the objects or free them back to their containing pages.
The cross-CPU list operation clearly requires locking, so a spinlock protects remote_free. Working with the remote_free lists too often would thus risk cache line bouncing and lock contention, both of which are not helpful when scalability is a goal. That is why processors accumulate a group of objects in their local rlist before adding the entire list, in a single operation, to the appropriate remote_free list. On top of that, the allocator does not often check for objects in its local remote_free list. Instead, objects are allowed to accumulate there until a watermark is exceeded, at which point whichever processor added the final objects will set the remote_free_check flag. The processor owning the remote_free list will only check that list when this flag is set, with the result that the management of the remote_free list can be done with little in the way of lock or cache line contention.
The SLQB code is relatively new, and is likely to need a considerable amount of work before it may find its way into the mainline. Nick claims benchmark results which are roughly comparable with those obtained using the other allocators. But "roughly comparable" will not, by itself, be enough to motivate the addition of yet another memory allocator. So pushing SLQB beyond comparable and toward "clearly better" is likely to be Nick's next task.
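As an added, constructed model of the lists described above (not the SLQB code itself): a per-CPU freelist managed as a stack, the rlist that batches objects owned by other CPUs, the spinlock-protected remote_free list, and the remote_free_check flag that keeps the owner from touching the lock needlessly. It is single-threaded, pages are reduced to heap objects tagged with their owning CPU, and lock traffic is represented by a counter; slqb_alloc(), slqb_free() and the WATERMARK value are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define NCPUS     2
#define WATERMARK 3   /* constructed flush threshold for freelist and rlist */

struct obj {
    struct obj *next;
    int owner;                   /* CPU whose page the object was carved from */
};

struct kmem_cache_cpu {
    struct obj *freelist;    int nr_free;    /* local LIFO free list, no lock needed */
    struct obj *rlist;       int nr_rlist;   /* remote objects waiting for a batched hand-back */
    struct obj *remote_free; int nr_remote;  /* objects other CPUs handed to us; spinlock-protected */
    bool remote_free_check;                  /* raised by whoever pushes remote_free past WATERMARK */
    int nr_lock_ops;                         /* times the remote_free lock was taken (contention model) */
    int nr_returned;                         /* objects given back to their pages */
};

struct kmem_cache_cpu cpus[NCPUS];

static void push(struct obj **l, int *nr, struct obj *o) { o->next = *l; *l = o; (*nr)++; }
static struct obj *pop(struct obj **l, int *nr)
{
    struct obj *o = *l;
    if (o) { *l = o->next; (*nr)--; }
    return o;
}

/* The owner looks at remote_free only when the flag is set, so the lock is taken rarely. */
static void drain_remote_free(int cpu)
{
    struct kmem_cache_cpu *c = &cpus[cpu];
    struct obj *o;
    if (!c->remote_free_check) return;
    c->nr_lock_ops++;                        /* spin_lock(&c->remote_free_lock) */
    while ((o = pop(&c->remote_free, &c->nr_remote)))
        push(&c->freelist, &c->nr_free, o);
    c->remote_free_check = false;            /* spin_unlock(&c->remote_free_lock) */
}

struct obj *slqb_alloc(int cpu)
{
    struct kmem_cache_cpu *c = &cpus[cpu];
    struct obj *o;
    drain_remote_free(cpu);
    o = pop(&c->freelist, &c->nr_free);      /* stack order: most recently freed first */
    if (!o) {                                /* model: carve an object from a fresh page */
        o = calloc(1, sizeof *o);
        if (!o) abort();
        o->owner = cpu;
    }
    return o;
}

/* Hand the whole rlist over in one locked operation per owning CPU, not one per object. */
static void hand_back_rlist(int cpu)
{
    struct kmem_cache_cpu *c = &cpus[cpu];
    bool locked[NCPUS] = { false };
    struct obj *o;
    while ((o = pop(&c->rlist, &c->nr_rlist))) {
        struct kmem_cache_cpu *t = &cpus[o->owner];
        if (!locked[o->owner]) { t->nr_lock_ops++; locked[o->owner] = true; }
        push(&t->remote_free, &t->nr_remote, o);
        if (t->nr_remote > WATERMARK)
            t->remote_free_check = true;     /* the pusher, not the owner, raises the flag */
    }
}

/* Flush an over-full freelist: local objects go back to their pages (free() here),
 * objects carved from other CPUs' pages are parked on rlist. */
static void flush_freelist(int cpu)
{
    struct kmem_cache_cpu *c = &cpus[cpu];
    struct obj *o;
    while ((o = pop(&c->freelist, &c->nr_free))) {
        if (o->owner == cpu) { c->nr_returned++; free(o); }
        else push(&c->rlist, &c->nr_rlist, o);
    }
    if (c->nr_rlist > WATERMARK)
        hand_back_rlist(cpu);
}

void slqb_free(int cpu, struct obj *o)
{
    struct kmem_cache_cpu *c = &cpus[cpu];
    push(&c->freelist, &c->nr_free, o);      /* per-CPU data: interrupts off, no lock */
    if (c->nr_free > WATERMARK)
        flush_freelist(cpu);
}

/* Scenario: CPU 0 allocates six objects, CPU 1 frees them all, then CPU 0 allocates
 * and frees once more. Returns how often CPU 0's remote_free lock was taken:
 * once for the batched hand-back from CPU 1 and once for CPU 0's own drain. */
int scenario_remote_free(void)
{
    struct obj *objs[6], *o;
    int i;
    for (i = 0; i < NCPUS; i++) { struct kmem_cache_cpu zero = { 0 }; cpus[i] = zero; }
    for (i = 0; i < 6; i++) objs[i] = slqb_alloc(0);
    for (i = 0; i < 6; i++) slqb_free(1, objs[i]);
    o = slqb_alloc(0);                       /* drains remote_free before popping */
    slqb_free(0, o);                         /* local object: returned to its page on flush */
    return cpus[0].nr_lock_ops;
}
```

With WATERMARK at 3, CPU 1's fourth free triggers the flush, the four remote objects travel to CPU 0 under a single lock operation, and CPU 0 takes the lock once more to drain them; two objects remain on CPU 1's freelist below the watermark.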
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
Localization under a government umbrella
In an era of wider governmental adoption of free software, the Serbian authorities decided to take a different approach toward the affirmation of GNU/Linux and free software in the business sector and the general public. Instead of direct adoption of free software and open standards, Serbian authorities decided to fund several localization projects with the goal of helping to improve the competitiveness of free software on the Serbian IT market.
The first information about the government's plans to help the localization of Free Software appeared in December 2007, when several of the Serbian media reported about the issue. Shortly after the news was revealed, the official press release (Google cached page, since the site was changed with no resources in English at the moment) from the Serbian Ministry of Telecommunications and Information Society was published, giving all the details that were available to the public at the moment.
In short, February was set as a deadline for the first results, which meant localized versions of Ubuntu, Fedora, Mozilla Firefox, Thunderbird and OpenOffice.org. The projects were funded by the ministry and delegated to the several Serbian computer science faculties for organization and implementation. All of them, except the Ubuntu localization team, showed their first results in March at a presentation organized by the ministry. Ubuntu was late since the localized version was planned for the LTS (Long term support) release which came out in April. Shortly after Ubuntu 8.04 was released localized Ubuntu ISOs appeared on project servers.
Ubuntu was known as a distribution which didn't have a localized installer or characteristic Ubuntu software translated into Serbian. In order to provide better localization, people from the Faculty of Electrical Engineering in Belgrade forked Ubuntu and named the new distribution cp6Linux. Cp6Linux was recognized as a symbolic way to write "SerbLinux", since cp6 can be read as "Serb" in something that might be considered Cyrillic "leetspeak". The development team never confirmed this, though. "Linux for human beings who speak (only) Serbian" is packaged in three flavors: Home, School and Business. Beside this way of packaging, the cp6 development team customized the visual identity and adapted the user interface to make it more friendly for users coming from Windows.
The most important task and the purpose of cp6's existence is not entirely completed, but the situation compared to a vanilla Ubuntu installation is a lot better. The live disk bootstrap interface and the live system installer are translated into Serbian. System tools and package managers are also localized, but translations of package descriptions and configuration messages are missing. The graphical configuration tools shipped with Ubuntu, like restricted-manager, are translated too, so it seems that cp6 2008 (which is the first and so far the only version) is basically targeting localization of the GUI applications and tools. The cp6 team produced a 52-page Creative Commons licensed User manual (CC-NC-SA), covering the most important features in using and installing cp6Linux 2008.
The Fedora localization team (Google translation) took a different strategy and decided to produce localized flavors of Fedora, with no forks or branding. The Serbian Fedora localization community was quite well organized and productive before, so the first thing that people from the Faculty of Organization Sciences in Belgrade did was get in touch with translators who already worked on Fedora. According to them, 19416 of 32480 strings in total were localized already, and they've localized 98% of the 19500 unlocalized strings, which leads to a total score of 99% localized strings.
Almost 100% of localization strings in real life mean localized configuration tools, package management GUIs and installation interface. YUM and package descriptions, similar to cp6Linux, remain untranslated. Most of the work was done on Fedora 8, which is available for download from project servers, with Serbian localization and settings out of the box. There is no information about ISOs or localization details for Fedora 9 or 10 on the project website.
Mozilla products were localized by the people from Electronic Faculty in Niš. As in the case of Fedora, project organizations continued existing efforts. The final result, for GNU/Linux and Windows, are Cyrillic and Latin versions available for download from the project website (Firefox 2.0.0.12 and Thunderbird 2.0.0.9).
Back in Belgrade, localization of OpenOffice.org was delegated to The Faculty of Mathematics. Again, the project continued existing efforts and took over the coordination of the official Serbian translation team. The first steps toward a localized OpenOffice.org dated back to 2001 when a group of Serbian free software users got together for a big translation marathon organized by ICT Tower, a local OSS oriented software company. Sadly, without any external support, they failed to keep interest in the project and translations were never updated. The second big push was in the summer of 2005 when Novell gave some money to the "prevod.org" group for improving Serbian localization in SUSE. Following the OpenOffice release 2 "prevod.org" members returned to keeping up with GNOME translations, and once again the OpenOffice.org translation was left unmaintained.
"In December 2008 the Ministry of telecommunications and information society Republic of Serbia started four projects for free software localization," explains Goran Rakic, Serbian OpenOffice.org native language project lead. According to Rakic, the biggest achievements of the project are localized releases of 2.4, 2.4.1 and 3.0 with continuity. "We did large QA and localization quality is better than ever", he states. Project statistics show distribution of more than 30,000 localized installations via the project site and more than 3000 in just one week after the 3.0 release. Rakic reveals that localized OOo is used inside government too, with some large deployments and many more to go. Rakic looks into the future saying that the "Ministry and Faculty of Mathematics in Belgrade signed contract for three years with option to extend and we are just one year in it. I can say that future looks bright for all current and new OpenOffice.org users in Serbia."
It is very hard to give a general conclusion about the implementation and impact of these projects. First of all, the public was never informed of any study related to the use of localized versions of any software in Serbia. So it's impossible to predict how many users might directly benefit from those activities. The only numbers that we can use for any sort of analysis are download statistics, which don't necessarily reflect the real amount of acceptance or everyday use of localized programs and distributions.
Contributions and translations from the Faculty of Organization Sciences have gone upstream, and cooperation with the Fedora translation team seems to be established and functioning according to the information on the Serbian team page. On the contrary, it seems that the Cp6Linux translations didn't go upstream, since there are no noted contributions on Launchpad. As in the case of Fedora, communication and cooperation is managed on the Serbian Mozilla localization team wiki. OpenOffice is the only project that actually took over coordination of the localization team, at least officially. Speaking of distributions, in both cases GNOME is being used as the default desktop environment, which has a strong and devoted localization community whose work was packaged in cp6Linux and Fedora in Serbian. GNOME translation is not a part of government funded activities, though.
In the meantime, the Faculty of Technical Sciences from Novi Sad started to work on Alfresco localization, and the results are available on the Alfresco Forge page.
This atypical approach to free software by the government was motivated by the expectation that localization would become another argument for free software adoption in Serbia, according to Mr. Nebojša Vasiljevic, assistant to the Minister of Telecommunications and Information Society for the information society, in his interview for GNUzilla magazine (issue 36). He also said that those projects are not part of any strategy for switching to free software in governmental institutions.
New Releases
Slackware 12.2 has been announced
Version 12.2 of Slackware has been announced. "Among the many program updates and distribution enhancements, you'll find two of the most advanced desktop environments available today: Xfce 4.4.3, a fast and lightweight but visually appealing and easy to use desktop environment, and KDE 3.5.10, the final 3.x version of the award-winning K Desktop Environment. We have added to Slackware support for HAL (the Hardware Abstraction Layer) which allows the system administrator to add users to the cdrom and plugdev groups." (Thanks to Alan Hicks).
Linux Mint 6 "Felicia" released
The Linux Mint team has announced the release of v6 "Felicia". "Congratulations and thanks to all the people who contributed to this release, to all the translators, to the upstream developers and projects which made this possible and above all to the development team for their continuous support." Linux Mint is a fork of Ubuntu.
Announcing Omega 10
Omega 10 is a Fedora Remix in an installable live CD format. "It is an installable Live CD for regular PC (i686 architecture) systems. It has all the features of Fedora 10 and a number of additional multimedia players and codecs. You can play any multimedia including MP3 music or commercial DVD's out of the box."
Distribution News
Debian GNU/Linux
Release Update: d-i RC2 and deep freeze; handling of remaining RC bugs; *-reports and release notes
The Debian release team has an update on Debian 5.0 lenny. A second release candidate for the lenny installer is available for testing. "Currently, the only extra piece we need to declare the Lenny puzzle ready is a final version of the installer. The -boot people are about to deliver a second release candidate, which will be final unless something critical pops up."
Official results for Project membership procedures
The Debian project had a vote recently looking at a change in membership procedures. The project voted for further discussion. Click below for the bloody details of the vote.
Fedora
Instructions from Fedora on fixing the dbus problem
Some Fedora 10 users have come to understand very well the problems that resulted from the recent, ill-advised dbus update. For those who are trying to repair their systems, the project has published a recipe for getting around the problem - it comes down to running "yum update" in a terminal window. "Using our open mailing lists, the community is currently discussing ways to improve Fedora's update processes, to minimize the chances of this sort of situation recurring."
Fedora Outage Notification: Koji, Wiki, Smolt, Transifex
Fedora has an unplanned outage which began at 2008-12-16 08:10 UTC. There is currently no ETA for resolving the issues which are disk related. Services affected are Koji, Wiki, Smolt and Transifex.
SUSE Linux and openSUSE
Sneak Peeks at openSUSE 11.1: Improved Installation, Easier Administration
openSUSE 11.1 is due to be released December 18th. Here are sneak peeks at openSUSE 11.1. "openSUSE's installation has long been regarded as one of the best in the Linux world. Never before has that compliment been more accurate than in openSUSE 11.1. We started by building on the great base built in openSUSE 11.0 this past summer: a sleek new look, and a simpler installation process."
Sneak Peeks at openSUSE 11.1: The Latest GNOME Desktop
The continuing series of Sneak Peeks at openSUSE 11.1 adds this introduction to the newest version of the GNOME desktop in openSUSE. "openSUSE 11.1 will contain the latest version of the GNOME desktop, GNOME 2.24. Not only does this new version bring with it great new features, but as always the GNOME developers in the openSUSE Project have added our own unique polish to make a truly unique, polished desktop experience."
openSUSE 10.2 has reached End of Life
openSUSE 10.2 has reached its End of Life with a squirrelmail update. openSUSE 10.2 was released on December 7, 2006.
Discussing openSUSE 11.2 schedule
With the release of openSUSE 11.1, it's time to discuss the schedule for openSUSE 11.2. "One of the things that we want to do as a project is to have more community involvement in major decisions, like the release schedule. Right now, we're discussing the proposed 11.2 release schedule on the openSUSE-Project mailing list. Yes, 11.1 is not out the door yet, and we're already talking about the 11.2 release."
New Distributions
cp6Linux
As mentioned in today's feature article, cp6Linux or SerbLinux is a fork of Ubuntu localized into Serbian. "Linux for human beings who speak (only) Serbian" is packaged in three flavors: Home, School and Business. cp6 has been added to the Country-specific: Serbia section of the list.
Hackable:1 - a new distribution for mobile devices
The second version of Hackable:1, a distribution for the OpenMoko Neo and other mobile devices, has been released. "The important part is that hackable:1 is not only open to community contributions but we are actively encouraging them and we do the full development in public on IRC channels and mailing lists - no decisions behind closed doors, no sudden changes of directions. We want to produce a stable, linearly evoluting platform."
TurnKey Linux for software appliances
TurnKey Linux provides a variety of software appliances, integrated systems built on an Ubuntu 8.04.1 base and currently distributed as ISO images. "TurnKey Linux, a new opensource project that develops a family of lightweight installable live CDs optimized for various server-type tasks including LAMP, Ruby on Rails, Django, Joomla, Drupal, MediaWiki, and others." TurnKey PostgreSQL was recently released as an installable live CD that can run on real hardware or most types of virtual machines.
Distribution Newsletters
Ubuntu Weekly Newsletter #121
The Ubuntu Weekly Newsletter for December 13, 2008 covers: 4,000 people attend Ubuntu-fr Release Party, Ubuntu Developer Summit: Jaunty, Hall of Fame: Albero Milone, Interview with (huats), Leader of the Ubuntu-fr Team, MOTU, New York team Asterisk demonstration, Software Freedom Day Nicaragua, Launchpad Drupal modules, Launchpad in twitter and identi.ca, Launchpad off-line Dec. 17th, OpenSolaris tackles Ubuntu dominance, and much more.
The Mint Newsletter - issue 69
This issue of The Mint Newsletter looks at the final release of Felicia and several other topics.
openSUSE Weekly News, Issue 50
This issue of the openSUSE Weekly News contains: Pre-order openSUSE 11.1, Wanted: Tester from SUSE Studio, Password Protect for GRUB, KDE4-Repository changes, and SELinux in openSUSE 11.1. Click below for links to several translations.
Fedora Weekly News # 156
The December 15th issue of the Fedora Weekly News is out. "This week's issue features an exciting discount for Fedora community members in Australia and New Zealand on Red Hat certification training and exams. Coverage of Fedora Planet includes event reports from a FOSS event in India and a Parisian Fedora install fest, along with a nifty XO Exchange Registry. Another flamewar eruption is covered on the Developments beat, along with updates on the D-Bus in Fedora and discussion on making 'updates-testing' more useful. Fedora websites are now available in Russian and Bulgarian, as reported in this issue's Translations beat. The Artwork beat reports on the Fedora Art Team's re-envisioning discussion as well as using the Fedora branding in the OLPC Sugar interface. The security advisory beat updates us on Fedora 9 and 10 updates, along with reminders of Fedora 8 end of life, January 7, 2009. In virtualization news, details of the latest libvirt in RHEL and CentOS 5.2. All this and more in this week's FWN!"
DistroWatch Weekly, Issue 282
The DistroWatch Weekly for December 15, 2008 is out. "This week's feature article shows keen Linux users how to make the most of their computer by performing a custom install for a leaner and faster system - in this case we build a custom Ubuntu 8.10. In the news section, openSUSE prepares for the imminent release of version 11.1, Debian announces the upcoming second and final release candidate of the Debian installer, the Unofficial Fedora FAQ updates its HOWTOs for the recently released Fedora 10, the University of Glasgow settles on Slackware Linux for its log-in server, Spain's Trisquel is added to GNU's free distribution list, and Chile's Educalibre gets Tuquito Linux running on Intel Classmate netbooks. We also have links to two interesting interviews - one with Timothy Cramer from OpenSolaris and the other with Warren Woodford of MEPIS Linux. Finally, if you are still searching for that elusive minimalist Linux system that would run smoothly on any old computer, take a look at Tiny Core Linux - a desktop distro in 11 MB. Happy reading!"
Distribution meetings
Second call for talks for the Debian Developers' room at FOSDEM 2009
There is a call for talks in the Debian Developers' room at FOSDEM 2009. "If you're interested in holding a talk, but are not sure yet whether you can make it interesting, or don't yet know whether you'll be able to make it to FOSDEM, it would still be interesting if you'd let me know sooner rather than later, so that I know what might be coming."
Newsletters and articles of interest
Screencast: How to Build a Fedora 10 Remix (Montana Linux)
Scott Dowdle has a two-part screencast over at Montana Linux that shows how to build a remix of Fedora 10, along with reasons why you might want to. "The Fedora folks usually fill up a single CD but how about a LiveDVD with additional desktop environments, a slew of window managers, a ton of application software, and multimedia apps that Fedora won't include in the distro? That's what I make during the screencast... a custom LiveDVD with all of the updates applied and all of the additional software I want in a LiveDVD with a painless, quick install-to-hard-drive if desired." The videos are available in both Flash and Ogg Theora formats.
Page editor: Rebecca Sobol
Development
Profiling the Power Usage of a Desktop PC
Reducing the power usage of a desktop computer can bring about a number of benefits. Whether your goal is to save money on your power bill, reduce your carbon footprint, or eliminate unwanted heat and noise from your office, a bit of effort can produce a more power-efficient computer. Effort spent reducing power has an even larger effect on servers and other machines that run 24 hours a day than on machines that are only on during work hours. This work was done on a nearly ten-year-old PC, but the process still applies to more modern hardware.
The test setup consisted of an opened-up desktop PC, a P3 International Kill-a-watt meter and a collection of peripheral cards and disk drives. The Kill-a-watt has a 1W resolution; if a reading alternated between two values such as 8 and 9 Watts, the estimated value was called 8.5 Watts. Some of the measurements were small enough that they were "in the noise". Other variables included devices with inconsistent power usage and inconsistent line voltage. The resulting measurements were the actual power used by the power supply; this may differ from the DC power used by the tested components. Lastly, the Kill-a-watt meter also shows power factor; a fairly consistent value of 0.67 was read.
The tests were performed with the machine in a number of different software states. Many of the tests were done at the BIOS prompt; disk drive and network adapter tests were done while the machine was running Linux (Ubuntu 8.10). Power consumed by external devices such as the LCD video monitor and amplified speakers was not taken into account. When a peripheral such as a disk drive was removed for a test, the drive was disconnected from power and the interface cable was removed, to eliminate possible power consumption by bus termination resistors.
The tested computer used a fairly old, but still adequate, Asus A7V333 motherboard with an AMD Athlon 1700 processor clocked at 1466 MHz. The RAID option was not present on the motherboard. A pair of 256MB PC2700 DIMMs were used for the memory. The power supply was a 300W Antec PP-303X. Initially, the machine was loaded down with two hard drives, both CDR and DVD-RW drives, a floppy drive, an AGP video card with an ATI Radeon 8500 GPU, and both wired and 802.11 wireless networking cards.
The machine was shut down, all of the PCI and AGP cards were removed and the disks were disconnected. The first power test involved the PC2700 memory DIMMs. With no memory, power consumption was 72 Watts. Adding one DIMM caused the power to drop to 67 Watts; your author guesses that with no memory, the CPU runs in some kind of power-consuming loop. Interestingly, the two DIMMs had significantly different power usage. The Kensington Value Ram with Hynix chips caused the machine to use 73 Watts, versus 67 Watts with the generic Chinese RAM with unbranded chips. With both DIMMs installed, power consumption was 75 Watts. We can deduce that the Kensington RAM used 8 Watts while the Chinese RAM used 2 Watts. Sufficient RAM is critical for good system performance, but the brand seems to matter for power usage. Tests with additional brands of memory seem to be in order.
Fans consume a fair amount of power. Briefly unplugging the noisy CPU fan caused the power to go from 75 Watts to 72 Watts; the CPU would melt down without this 3 Watt component, so it was left in place. It may be possible to find a more efficient CPU fan. The case had a front-mounted "push fan", which consumed around 2 Watts of power. The power supply's built-in fan provides plenty of air circulation, so the front fan was disconnected. This also made the machine a bit quieter.
The floppy drive is virtually useless now that 4GB USB memory sticks can be purchased for under $10. The floppy drive consumes about half a Watt of power, so the savings are small. But big savings can come from many small cuts, so the device was left unplugged. The Asus CD-S500/A CDR drive consumed about 1 Watt of power; the Sony CRX320E DVD-RW drive consumed about 2 Watts. Most people can get by with a single removable media drive, or none at all; the DVD-RW drive would be the obvious choice for a single-drive system. If one can put up with the occasional inconvenience of rebooting, it should be possible to put a DPDT power switch on the back of the machine to allow shutting off the +5V and +12V lines to the removable media drive. All together, the floppy and two optical drives consumed around 3.5W when idle.
The Radeon 8200 video card was something of a power hog; it consumed around 8 Watts of power despite having no built-in fan. A lower-performance ATI-S3 AGP video card consumed 4 Watts. If high-performance video (running Google Earth, for example) is not critical, the S3 card should be sufficient. As with sufficient memory, this sacrifice may not be worth the power savings.
The next part of the power test involved the fixed disk drives. The main boot device was a Western Digital WD600 60GB PATA disk. It consumed about 7 Watts of power at the BIOS prompt; power went up by about 5 Watts when the system was running Linux and the drive was active. Some of this power is likely consumed by the CPU and memory, and some is used to power the disk's head actuator motor. An auxiliary Western Digital WD2500 250GB SATA drive and its associated SATA PCI adapter card consumed around 9 Watts of power when idle and also about 5 Watts more when active. Interestingly, as the machine was more heavily loaded with drives and peripherals, system usage became less of a variable in overall power consumption. Hard drives are among the more power-hungry devices in a system; putting all of your data on a single drive is a good way to save power.
A generic-brand 10/100 Ethernet controller with an Intel chip consumed about 1 Watt of power at the BIOS level. Running Linux and moving a lot of data across the card caused the power consumption to jump by about 8 Watts; as with the disk drive test, a lot of that increase is likely caused by CPU and memory use. A Hawking Technology HWP54G 802.11 wireless Ethernet card also consumed about 1 Watt when idle and a few Watts more when busy.
The fully loaded system with 512MB of RAM, two hard drives, two optical drives, two network adapters, the Radeon video card, the floppy disk drive and the front fan consumed about 108 Watts of power when idle and a similar amount when busy. When the machine was stripped down to one hard drive, no optical or floppy drives, the lower-performance S3 video card and no front fan, its power dropped to 80 Watts idle and 88 Watts when busy, or between 74 and 81 percent of the original power consumption. This is enough of a reduction in power usage to justify the effort of testing.
Don't forget that even when it is completely powered down, the computer may still act as a phantom load; this system consumed a full 3 Watts when it was off. An easy remedy for that problem is to route the power plugs for the CPU, video monitor and speakers through a switched power strip.
System Applications
Audio Projects
Rivendell 1.2.0 released
Version 1.2.0 of Rivendell has been announced. "Rivendell is a full-featured radio automation system targeted for use in professional broadcast environments. It is available under the GNU General Public License."
Database Software
PostgreSQL Weekly News
The December 14, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Interoperability
Fuse: 0.10.0.1 released (SourceForge)
Version 0.10.0.1 of Fuse has been announced. "The Free Unix Spectrum Emulator (Fuse): an emulator of the 1980s home computer and various clones for Unix, Mac OS X and Windows. Fuse 0.10.0.1 has been released. This is a bug-fix release for 0.10.0, which fixes some critical issues: * Fuse: overwriting a file would lead to a corrupt file if the new file were shorter than the old file (thanks, Matthew Westcott) * Fuse and fuse-utils: ensure all necessary header files are distributed."
Samba 3.2.6 and 3.3.0rc2 released
The Samba project has announced the release of Samba 3.2.6, a stable bug fix release, and Samba 3.3.0 rc2, a new release candidate of Samba 3.3.0.
Mail Software
DavMail: 2.0.0 released with Calendar and Directory support (SourceForge)
Version 2.0.0 of DavMail has been announced. "Ever wanted to get rid of Outlook ? DavMail is a POP/SMTP/Caldav/LDAP gateway allowing users to use any mail/calendar client with Exchange, even from the internet through Outlook Web Access on any platform: java based, tested on Linux and Windows. This is a major release with exciting new features".
Networking Tools
libnetfilter_conntrack 0.0.99 released
Version 0.0.99 of libnetfilter_conntrack has been announced. "libnetfilter_conntrack is a userspace library providing a programming interface (API) to the in-kernel connection tracking state table. This library requires a linux kernel >= 2.6.18. This release includes a couple of minor fixes."
multi-resolver: 21 Released (SourceForge)
Version 21 of multi-resolver has been announced. "multi-resolver is a parallel DNS resolver utilizing the POE framework. It is a single PERL script, which reads query tuples from <STDIN> and prints RDF triplets to <STDOUT>. This is a second iteration of this solution. It used to be a self-contained recursive script. Now it implements a data-flow architecture, where an external program implements the program recursion logic."
Printing
CUPS 1.4b2 released
Version 1.4b2 of CUPS, the Common Unix Printing System, has been announced. "The second beta release of CUPS 1.4 fixes several localization, scheduler, and utility issues, improves the performance of several key CUPS APIs, and adds a Spanish localization." There was also a call for translators for CUPS 1.4.
Virtualization Software
VirtualBox 2.1.0 released
VirtualBox 2.1.0 - a major release - is out. VirtualBox is a virtualizer for x86 hardware. Changes include improved 64-bit support, experimental 3D acceleration support, full support for various virtual hard disk formats, better networking, and more. See the changelog for details.
Web Site Development
Apache 2.2.11 released
Version 2.2.11 of the Apache web server has been announced. "This version of Apache is principally a bug fix release. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade."
Midgard 8.09.3RC released
Version 8.09.3RC of the Midgard web development platform has been announced. "The Midgard Project has released a release candidate for the third maintenance release of Midgard 8.09 Ragnaroek LTS. Ragnaroek LTS is a Long Term Support version of the free software content management framework. The 8.09.3 release focuses on API and architecture cleanups in order to ease transition from Midgard 1.x series API to Midgard 2.x APIs."
Plone 3.2rc1 released
Version 3.2rc1 of the Plone web development platform has been announced. "We are closing in on the first all egg-based Plone release: Plone 3.2rc1 was tagged and uploaded to pypi today. At this point we only have a source release. Windows, OSX and universal installers will be available from plone.org soon. Unless critical bugs are found we will release Plone 3.2 without further changes in two weeks."
XPanel: Version 2.0.0 has been released. (SourceForge)
Version 2.0.0 of XPanel has been announced. "XPanel is a web hosting control panel that allows you to give your visitors a free web site on your server. XPanel is currently in use by many free web hosting providers (which allow users to create websites on their servers in exchange for advertising space). Available for Fedora 9 and 10".
Desktop Applications
Audio Applications
Ardour 2.X enters feature-freeze
The 2.X series of Ardour, a multi-track audio recording system, has entered feature-freeze. "Ardour 2.X has now entered feature-freeze. No new features will be added to this version of Ardour (a few exceptions are noted below), and all development activity will shift to version 3.0. The release of 3.0 (which supports MIDI recording, playback and editing) has been delayed for a long time due to efforts to continue to improve 2.X and in particular to get the OS X native version into reasonable shape. It is now time for Ardour developers (and soon our alpha-testers) to focus on 3.0."
dssi-vst 0.8 available
Version 0.8 of dssi-vst has been announced. "dssi-vst is an adapter that allows users of Linux audio software to take VST and VSTi audio effects and instrument plugins compiled for Windows, and load them into native LADSPA or DSSI plugin hosts. dssi-vst can also be used to run 32-bit Windows VST plugins in a 64-bit Linux host."
Sonic Annotator - a batch utility for audio feature extraction
The initial release of Sonic Annotator is available. "Sonic Annotator is a utility program for batch feature extraction from audio files. It runs Vamp audio analysis plugins on audio files and can write the result features in a selection of formats, in particular as RDF using the Audio Features and Event ontologies."
Sonic Visualiser v1.4 now available
Version 1.4 of Sonic Visualiser has been announced. "This is a feature release, containing several new features and a number of bug fixes over the previous 1.3 release."
Vamp plugin SDK v2.0 now available
Version 2.0 of Vamp plugin SDK has been announced. "Vamp is a plugin API for audio analysis and feature extraction plugins written in C or C++. Its SDK features an easy-to-use set of C++ classes for plugin and host developers, a reference host implementation, example plugins, and documentation. It is supported across Linux, OS/X and Windows."
Data Visualization
rrdtool 1.3.5 released
Version 1.3.5 of rrdtool, a data logging and graphing system for time series data, has been announced. "Features: - a second axis can now be displayed in rrd_graph. look for documentation on second-axis. feature was sponsored by VoltWerk." Some bug fixes are included as well.
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- cairo 1.8.6 (bug and build fixes)
- Cheese 2.25.3 (bug fixes and translation work)
- Deskbar-Applet 2.25.3 (new feature)
- Empathy 2.25.3 (new features, bug fixes and translation work)
- Eye of GNOME 2.25.3 (new features, bug fixes and translation work)
- GCalctool 5.25.3 (bug fixes)
- GDM 2.20.9 (bug fixes, documentation and translation work)
- Glade 3.5.3 (new features and bug fixes)
- Glade 3.5.4 (new features and bug fixes)
- GLib 2.19.3 (bug fixes and translation work)
- glibmm 2.19.1 (bug fix)
- Glom 1.8.4 (new features and bug fixes)
- GNOME DVB daemon 0.1.1 (new features and translation work)
- gnome-games 2.25.3 (new features, bug fixes and translation work)
- gnome-keyring 2.25.2 (new features, bug fixes and translation work)
- GNOME Nettool 2.25.3 (bug fixes and translation work)
- gnoMint 0.9.0 (new features)
- GnuCash 2.2.8 (bug fixes)
- GTK+ 2.14.6 (bug fixes)
- Orca 2.25.3 (bug fixes and translation work)
- Paperbox 0.4.1 (bug fix and translation work)
- PiTiVi 0.11.3 (new features and bug fixes)
- Vala 0.5.3 (new features and bug fixes)
KDE Software Announcements
The following new KDE software has been announced this week:
- digiKam 0.9.5-beta2 (new features and bug fixes)
- digiKam and kipi-plugins release for KDE3 (bug fixes and translation work)
- KBandwidthNG 1.0 (unspecified)
- KCheckGMail 0.5.7.7 (bug fixes and translation work)
- Kipi-Plugins 0.2.0-beta5 (new features and bug fixes)
- kopcat 0.1.1 (bug fixes)
- modmaker 0.1 (initial release)
- 'Q' DVD-Author 1.6.1 (new feature and bug fixes)
- Service Menu Manager 0.1 (initial release)
- sMovieDB beta0.30 (new features, bug fixes and translation work)
- sMovieDB beta0.32 (bug fix)
- Twittco 1.0 (unspecified)
- VariCAD 2008 3.04 (new features)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- libxcb 1.1.93 (new features and bug fixes)
- libXrandr 1.2.99.3 (new features)
- radeonhd 1.2.4 (new features and bug fixes)
- randrproto 1.2.99.3 (new features)
- xcb-proto 1.3 (new features and bug fixes)
- xcb-util 0.3.2 (bug fixes)
- xf86-input-synaptics 0.99.3 (bug fixes)
- xf86-video-geode 2.11.0 (new features and bug fixes)
- xf86-video-intel 2.5.99.1 (new features and bug fixes)
- xrandr 1.2.99.3 (new features and bug fixes)
- util-macros 1.2.1 (bug fixes and documentation work)
Desktop Publishing
LyX 1.6.1 released
Version 1.6.1 of LyX, a graphical front-end to the TeX typesetter, has been announced. "This is the first maintenance release in the brand-new 1.6.x series, and as such, it mainly focuses on bug fixes. We have ironed out some major problems that slipped into the application in the wake of the new features. All users of LyX 1.6.0 are encouraged to upgrade to this version."
Electronics
The gEDA Project partners with Linux Fund to boost gEDA/PCB usability
The gEDA Project has announced a partnership with the Linux Fund. "The gEDA Project is pleased to announce that it has partnered with Linux Fund in a fundraising effort targeted to expedite development of gEDA's flagship PCB layout program "PCB". Within this partnership, expert gEDA/PCB developer DJ Delorie has agreed to implement a set of enhancements designed to upgrade PCB's usability and utility for electronics designers, making it an attractive open source alternative to commercial PCB design tools. With this project, gEDA/PCB joins the VectorSection DWG interpreter project as part of Linux Fund's growing open engineering and hardware initiative."
Geographical Software
GpsMid: Release 0.4.51 (SourceForge)
Version 0.4.51 of GpsMid has been announced. GpsMid is a "java Midlet to use OpenStreetMap Data on a J2ME ready Mobile. Display a moving map using a BT SIRF GPS binary, NMEA or jsr179 decoder, show the street name on which you are. Navigation exists in a first experimental version."
Graphics
Irrlicht: 1.5 released (SourceForge)
Version 1.5 of Irrlicht has been announced. "The Irrlicht Engine is an open source, high performance, realtime, cross-platform 3D engine written and usable in C++. The Irrlicht dev team is happy to announce the release of the next major version of the 3d engine, Irrlicht version 1.5. Among many bugfixes, we also provide lots of new exciting features".
pycairo release 1.8.0 is available
Version 1.8.0 of pycairo, the Python bindings for the cairo 2D graphics library, has been announced. Changes include new methods, new constants, API changes, bug fixes and documentation work.
Multimedia
Elisa Media Center 0.5.22 released
Version 0.5.22 of Elisa Media Center has been announced. "The main new feature is a set of generic RSS models and a controller that allow plugin developers to very easily integrate media RSS feeds in their plugins. Expect new cool plugins that make use of this very soon!"
Office Suites
KOffice 2.0 Beta 4 released
Version 2.0 Beta 4 of KOffice has been announced. "This fourth beta brings significant bug fixes, improved stability, improved usability following the discussions that have happened at the Berlin KOffice Sprint. The goal of this beta is to allow testers and users to stay up-to-date with the work of the developers and keep providing useful bug reports. KOffice is in beta because the development team wants to receive feedback and bugreports from actual users. Since the last beta release a significant set of improvements and speedups have been integrated for all applications and this release shows the continuous focus on bug fixes until 2.0 is released."
Science
ETS 3.1.0 released
Version 3.1.0 of ETS has been announced. "The Enthought Tool Suite (ETS) is a collection of projects developed by members of the OSS community, including Enthought employees, which we use every day to construct custom scientific applications. It includes a wide variety of components, including: * an extensible application framework * application building blocks * 2-D and 3-D graphics libraries * scientific and math libraries * developer tools The cornerstone on which these tools rest is the Traits project, which provides explicit type declarations in Python".
Video Applications
WebcamStudio v0.37 is out (SourceForge)
Version 0.37 of WebcamStudio has been announced; several new features have been added. "WebcamStudio helps you create a virtual webcam that can show: - Your webcam that won't work with Flash site - Your desktop with your webcam in overlay - Your desktop/webcam with several video effects - You in all your glory! Compatible with Flash sites!"
Web Browsers
Firefox 3.0.5 and 2.0.0.19 released
The Firefox 3.0.5 and 2.0.0.19 updates are out. They fix the usual array of scary security problems, and, for 3.0.5, add some new translations and improve accessibility. Also noted in the release notes: "Replaced the End-User License Agreement with a new 'Know Your Rights' info bar on initial install."
This appears to be the last 2.x update. The "phishing protection" feature is also being shut down for Firefox 2; clearly, the folks at Mozilla think it is time for the remaining users to upgrade to Firefox 3.
Miscellaneous
AsciiDoc 8.3.1 released
Version 8.3.1 of AsciiDoc has been announced. "This release fixes a couple of regression bugs in the initial version 8.3 release along with some minor additions. AsciiDoc is an uncomplicated text document format for writing articles, short documents, books and UNIX man pages."
Languages and Tools
Caml
Caml Weekly News
The December 16, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.
Java
OpenSwing: 1.8.7 released (SourceForge)
Version 1.8.7 of OpenSwing has been announced; it adds some new capabilities and bug fixes. "OpenSwing is a component library that provides a rich set of advanced graphics components and a framework for developing Java applications based on a Swing front-end. It can be applied both to rich client applications and Rich Internet Applications."
Perl
Parrot 0.8.2 released
Version 0.8.2 of Parrot has been announced; it includes many new capabilities and bug fixes. "On behalf of the Parrot team, I'm proud to announce Parrot 0.8.2 "Feliz Loro." Parrot (http://parrotcode.org/) is a virtual machine aimed at running all dynamic languages."
Perl 5.8.9 released
The Perl 5.8.9 release is now available; it consists mostly of bug fixes and optimization work. "We have only limited volunteer labour, and the maintenance burden is getting increasingly complex. Hence this will be the last significant release of the 5.8.x series. Any future releases of 5.8.x will likely only be to deal with security issues, and platform build failures. Therefore you should look to migrating to 5.10.x, if you have not started already."
Python
decorator 3.0 released
Version 3.0 of decorator has been announced. "The decorator module goal is to simplify your life with decorators. Version 3 is available on PyPI and you can install it with $ easy_install decorator".
Hypy 0.8.1 released
The initial public release of Hypy, version 0.8.1, is out. "Hypy is a fulltext search interface for Python applications. Use it to index and search your documents from Python code. Hypy is based on the estraiernative bindings by Yusuke Yoshida."
Sphinx 0.5.1 released
Version 0.5.1 of Sphinx is out with bug fixes. "Sphinx is a tool that makes it easy to create intelligent and beautiful documentation for Python projects (or other documents consisting of multiple reStructuredText source files)."
Python-URL! - weekly Python news and links
The December 16, 2008 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The December 11, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Tcl-URL! - weekly Tcl news and links
The December 16, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Libraries
MPFR 2.4.0 release candidate announced
A release candidate of MPFR 2.4.0, a multi-precision floating point library, has been announced. "The release of MPFR 2.4.0 ("andouillette sauce moutarde") is imminent. Please help to make this release as good as possible by downloading and testing this release candidate".
The Universal Library Project: 0.2.1 is out (SourceForge)
Version 0.2.1 of the Universal Library Project has been announced. "libul collects LGPLed highly reusable platform-independent functions besides ANSI C/POSIX/XPG standard, including: common data structure, math library/string handling/IO function extension, etc. We encourage you to adopt/donate code segments from/to us."
Version Control
Hatta wiki engine version 1.2.0 released
Version 1.2.0 of Hatta wiki engine has been announced. "Hatta is a wiki engine that lives in your Mercurial repository. It can run both locally and hosted, and lets you work on the documentation of your project. All pages are stored as text files and you can pull/push, clone, merge and edit with any editor. This version has internationalization support, together with a few translations: Arabic, Danish and Polish. The indexed search can now properly index Japanese words."
Miscellaneous
dfu-programmer: 0.5.1 Released (SourceForge)
Version 0.5.1 of dfu-programmer has been announced. The software is: "A Linux-based command-line programmer for Atmel (8051 & AVR) chips with a USB bootloader supporting ISP. This is a mostly Device Firmware Update (DFU) 1.0 compliant user-space application. Release 0.5.1 follows release 0.5.0. A command line option was added to support the AVR32 trampoline (so dfu-programmer ignores any code that might exist in the bootloader code space)."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Can Open Source Help the Economy? (PCWorld)
There have been a number of reports about the current economic downturn (meltdown, depression, what have you ...) with respect to free software. Over at PCWorld, former New York Stock Exchange CTO Roger Burkhardt looks at the issue relative to the last downturn in 2001-2002 and sees good things for those turning to free software, and not just from a cost perspective. "During the last economic downturn in 2001-2002, open-source usage and adoption was on an upward curve. Red Hat, for example, began winning large customer accounts that are now the backbone of their customer base. CIOs and CTOs were on the lookout for innovative ways to save costs both from a technology and people perspective, and open source was a great solution. Just like it is today."
Small is beautiful (The Economist)
Interesting to see advice on choosing a netbook in a mainstream publication like The Economist. Perhaps even more interesting is their advice to stick with the Linux shipped on the device rather than try to run Windows. "Much advice on offer online suggests souping up the specification of a netbook so it can run Microsoft's Windows XP operating system, rather than the free, open-source Linux system that is offered as standard on many netbooks. [...] Yet increasing the specification only makes sense for people who want to run (and to pay for) Windows and specific Windows-based applications. The extra hardware and software costs start to push the price of a netbook towards that of a standard laptop, which will invariably be better because it has a bigger processor and superior graphics. For many users, the basic, free software shipped with a netbook will be quite enough."
Companies
HP puts Linux on business PCs (The Register)
The Register reports that HP has started selling Linux-based PCs. "With the economies of the globe heading south - and Linux getting its first real crack at newbie end users not familiar with open source thanks to the burgeoning netbook market, maybe now is the time to start rethinking the use of Linux on commercial desktops. That could be what Hewlett-Packard was thinking as it began shipping its Compaq dx2390 desktop PC with Novell's SUSE Linux Enterprise Desktop 10 operating system preinstalled on the box."
Jaspersoft Gets $12.5 Million, Red Hat An Investor (InformationWeek)
InformationWeek reports that Red Hat has joined the Chicago venture capital firm Adams Street Partners recently to invest in Jaspersoft, a company that produces reporting and business intelligence software. "In June Red Hat announced it was embedding Jaspersoft's Business Intelligence Suite into its Red Hat Network, which manages a business' Linux distributions, automatically provisioning end users, updating them or applying subscription renewals. The Jaspersoft suite will be used in the Satellite version of Red Hat Network, the one that's installed on premises and behind the firewall of a company using Red Hat Enterprise Linux."
Interviews
"Ubuntu has the strongest chance to take Linux mainstream" (TechRadar)
TechRadar has an interview with Samba hacker Jeremy Allison covering a few different topics, including some strong opinions about Ubuntu. While that opinion gets the headline, others, such as his take on Samba development, are also interesting. "We couldn't have done this if we'd tried to do it in a proprietary way — it simply wouldn't be what it is. You watch people who've tried to do stuff like Samba in a proprietary way, and all those products failed. Had we not invented Samba, somebody else would've invented it and they would've put us out of business."
Interview with Sjoerd Simons of Empathy (GnomeDesktop)
GnomeDesktop presents the third interview in a series of interviews about open source multimedia. This interview is with Sjoerd Simons, who works on the Empathy client. "For those not familiar with Empathy, what type of application is it and what are its features? Empathy is an instant messaging client built on top of Telepathy. Currently it supports presence, chatting (both p2p and chatrooms), voice and video calling for a variety of protocols, including but not limited to XMPP, link-local XMPP, MSN, SIP, Yahoo, ICQ etc."
An interview with Warren Woodford
The "How Software Is Built" site has posted a lengthy interview with Warren Woodford, the founder of the Mepis distribution. "Some people call me a whiner about the GPL, while from my point of view they are the whiners. The GPL deserves to be scrutinized closely and to be debated, as does any legal document that restricts people's rights. Calling a person a whiner because they care enough to challenge, question, or state positions about something is itself whining."
Reviews
The LTSP adds thin-client support to a Linux server (Heise)
Heise has a detailed look at the Linux Terminal Server Project. "Since 2005 the LTSP team has been working closely with the Ubuntu community, and is using Ubuntu as a basis for its future versions. The code has been completely rewritten so that LTSP can be simply integrated into any distribution. So far, there are implementations for Debian, Ubuntu, Fedora, OpenSuse and Gentoo. The motivation behind the redesign is to create a framework that allows simple and cost-effective thin client functions to be installed in every existing distribution, without interfering with its structures."
Review: Shuttle X27D dual-core Atom desktop PC (The Register)
The Register reviews the small and quiet Shuttle X27D desktop PC. "With the launch of Atom 330, we've got our hands on a Shuttle X27D - D for 'dual core' - which is very similar to the Intel D945GCLF motherboard that we originally reviewed. The only significant difference is the move from the one-core Atom 320 to the two-core 330 and yes, we are aware that Atom uses Hyper Threading to double up the number of virtual cores. Shuttle has finished production of the X27 and has switched over to the X27D without changing the price from £199 for a barebones - which we think is jolly civil of it."
Miscellaneous
Two articles from Dag Wieers
Dag Wieers finds problems in bug tracking systems. Dag was looking for bug reports in Launchpad for tools he had written. What he found were a few bug reports for new issues about which he had not been informed. "Not only is this a lost opportunity, it is a bad service to both upstream and the user itself. Without a bugtracking system, users would directly contact upstream. Now with Launchpad users report their bugs and nothing is done with them. Not by the maintainer and not by (unaware) upstream. And they are not being sent to Debian (their upstream) either. And this is not specific to Launchpad per se, I have similar remarks for Fedora's bugzilla or OpenSUSE." In a followup article he proposes a Google index for Red Hat bugzilla.
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Free Software Foundation files suit against Cisco for GPL violations
The Free Software Foundation has announced the filing of a copyright infringement lawsuit against Cisco. "The FSF's complaint alleges that in the course of distributing various products under the Linksys brand Cisco has violated the licenses of many programs on which the FSF holds copyright, including GCC, binutils, and the GNU C Library. In doing so, Cisco has denied its users their right to share and modify the software."
FSFE adds Fellowship representation to General Assembly
The Free Software Foundation Europe has announced the addition of two Fellowship seats to the FSFE's General Assembly. "Today FSFE is announcing its revised constitution, adding two Fellowship Seats to its General Assembly. This will give Fellows of FSFE a direct representation in FSFE's strategic decision making body. The Fellowship is FSFE's larger community. Launched in 2005, it provides a meeting place with regular online and offline activities, a framework for activity and cooperation, a migration path into the organisation, and one of the most important ways of supporting FSFE's work in all areas, providing both resources and political support. Now the Fellowship also provides a path into the General Assembly."
Changes to the GNOME board
Jeff Waugh is leaving the GNOME board. "The GNOME Foundation Board regretfully announces that Jeff Waugh will be stepping down from the board in order to focus on work and other projects. The board thanks Jeff for his years of service to the board and the community, and wishes him success in his future work both inside and outside of GNOME. Jeff leaves big shoes to fill. Diego Escalante Urrelo will be joining the board as a new member for the remainder of this term."
Linux Fund partners with the gEDA and Gnash projects
The Linux Fund has announced support for the Gnash flash player project and the gEDA electronics design project. "Linux Fund is pleased to announce that it has begun fundraising to enable Gnash project developer Sandro Santilli to bring Real Time Messaging Protocol support to this open source Flash player. This project will enable users to enjoy streaming video from a number of popular web sites and the open source Red5, Cygnal and Dimdim servers. The Gnash/RTMP project joins the LiVES video editing project as part of Linux Fund's growing open media initiative."
Booking.com donates $50,000 to TPF (use Perl)
use Perl has announced a donation of $50K from Booking.com to The Perl Foundation. "Booking.com has donated $50,000 to The Perl Foundation, to aid in the further development and maintenance of the Perl programming language in general, and Perl 5.10 in particular. Booking.com is also donating hardware and sysadmin time to provide the servers for the new git master for Perl 5, which will go live in the next few days."
Upcoming X.org annual election
The X.org annual election has been announced. "The X.Org Foundation annual elections will begin in January 2009. We have chosen to schedule the election at the beginning of the calendar year to avoid some conflicts that resulted with the end-of-the-year elections held previously."
Commercial announcements
WIN Enterprises announces Intel Core 2 Duo Mini ITX motherboard
WIN Enterprises has announced a new Intel Core 2 Duo Mini ITX motherboard. "An Intel® Socket 479 Core™ 2 Duo processor is supported by the Intel 965GME and ICH8M express chipsets. The Intel® 965GME mobile chipset (GMA X3100) supports dual independent displays such as CRT + LVDS, CRT+DVI. Through an Intel® 82573L Ethernet controller, the board supports two GbE LAN ports and the IEEE 802.3u standard for network connectivity. The onboard ICH8M chipset supports HD audio with mic in, line in and line out."
Wing IDE 3.1.6 released
Version 3.1.6 of Wing IDE, a cross-platform commercial Python IDE, has been announced. "Wingware has released version 3.1.6 of Wing IDE, a bugfix release for all three product levels of Wing IDE."
New Books
Advanced Software Testing, Vol. 2--New from Rocky Nook
Rocky Nook has published the book Advanced Software Testing, Vol. 2 by Rex Black.
CMMI--New from Rocky Nook
Rocky Nook has published the book CMMI: Improving Software and Systems Development Processes Using Capability Maturity Model Integration by Ralf Kneuper.
Using Drupal - New from O'Reilly
O'Reilly has published the book Using Drupal by Angela Byron, Addison Berry, Nathan Haug, Jeff Eaton, James Walker, and Jeff Robbins.
Designing Gestural Interfaces - New from O'Reilly
O'Reilly has published the book Designing Gestural Interfaces by Dan Saffer.
Real World Haskell - New from O'Reilly
O'Reilly has published the book Real World Haskell by Bryan O'Sullivan, John Goerzen, and Don Stewart.
Universal Design for Web Applications - New from O'Reilly
O'Reilly has published the book Universal Design for Web Applications by Wendy Chisholm and Matt May.
Resources
Linux Foundation Newsletter
The December, 2008 edition of the Linux Foundation Newsletter has been published. "In this month's Linux Foundation newsletter: * IPv6 Workgroup Certifies Major Distros Compliant with DoD Mandates * Technical Advisory Board Elects New Members * Linux Foundation, Open Invention Network Co-Sponsor 'Linux Defenders' Program * Linux Foundation in the News * 2009 Linux Foundation Calendar of Events * Linux Foundation Sponsors FreedomHEC * Linux Foundation Holds Japan Symposium".
Education and Certification
OpenLogic launches training services for open-source software
OpenLogic has announced the launch of new open-source software training services. "OpenLogic, Inc., a provider of enterprise open source software solutions encompassing hundreds of open source packages, is launching a new series of open source training services that will help enterprises accelerate migration projects and new development using lower cost open source technologies. OpenLogic's customized, on-site classes provide expert training and advice based on proven industry best practices and years of experience working in mid sized and global 2000 companies."
Meeting Minutes
Perl 6 Design Meeting Minutes (use Perl)
The minutes from the December 3, 2008 Perl 6 Design Meeting have been published. "The Perl 6 design team met by phone on 03 December 2008. Allison, Patrick, Jerry, Jesse, and chromatic attended."
Calls for Presentations
EuroPython 2009 Call for Participation
A call for participation has gone out for EuroPython 2009. "On behalf of the EuroPython 2009 organisation it is my privilege and honour to announce the 'Call for Participation' for EuroPython 2009! EuroPython is the conference for the communities around Python, including the Django, Zope and Plone communities. This year's conference will be held in Birmingham, UK from Monday 29th June to Saturday 4th July 2009." The submission deadline is April 5.
O'Reilly OSCON Opens Call for Participation
A call for participation has gone out for the 2009 O'Reilly OSCON. "New times demand new ideas, and OSCON, the O'Reilly Open Source Convention, has opened its call for innovation. O'Reilly Media and program chairs Allison Randal and Edd Dumbill invite proposals for tutorials, sessions, and panels for OSCON, happening July 20 - 24, 2009, in San Jose, CA." Submissions are due by February 3.
Upcoming Events
FSFE announces 4 weeks of translation sprint
The Free Software Foundation Europe has announced a translation sprint from December 15 through January 11. "The aim of this sprint is to provide information about Free Software and FSFE's work in as many languages as possible. As one of its most important means of communication with the public, FSFE hosts a web site at http://www.fsfeurope.org/. Translating the texts and making them available for people with different native languages has always been important, and thanks to the untiring work of dozens of volunteers all around Europe, the pages are available in up to 26 different languages."
O'Reilly Money:Tech speaker schedule announced
The speaker schedule for the 2009 O'Reilly Money:Tech Conference has been announced. The event takes place on February 4-6, 2009 in New York City.
Save-the-Date: VMworld 2009
VMware has announced VMworld 2009. The event will take place in San Francisco, CA on September 1-4, 2009.
Events: December 25, 2008 to February 23, 2009
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| December 27 - December 30 | Chaos Communication Congress | Berlin, Germany |
| January 8 - January 11 | Consumer Electronics Show | Las Vegas, NV, USA |
| January 9 - January 11 | Fedora User and Developer Conference | Boston, USA |
| January 15 - January 16 | Foundations of Open Media Software 2009 | Hobart, Tasmania, Australia |
| January 17 - January 23 | Camp KDE 2009 | Negril, Jamaica |
| January 19 - January 24 | linux.conf.au - penguins march south | Hobart, Australia |
| January 25 - January 29 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
| January 25 - January 28 | GCC Research Opportunities | Paphos, Cyprus |
| January 31 | Greater London Linux Users Group meeting | London, UK |
| January 31 - February 3 | Black Hat Briefings DC | Arlington, VA, USA |
| February 4 - February 5 | DC BSDCon 2009 | Washington, D.C., USA |
| February 4 - February 6 | Money:Tech 2009 | New York, NY, USA |
| February 5 - February 9 | German Perl Workshop | Frankfurt, Germany |
| February 7 | Frozen Perl 2009 | Minneapolis, MN, USA |
| February 7 - February 8 | FOSDEM 2009 | Brussels, Belgium |
| February 9 - February 11 | O'Reilly Tools of Change for Publishing | New York, NY, USA |
| February 15 | Free Software Awards 2009 Deadline | Soissons, France |
| February 16 - February 18 | Open Source Singapore Pacific-Asia Conference | Singapore, Singapore |
| February 16 - February 19 | Black Hat DC Briefings 2009 | Washington, D.C., USA |
| February 20 | Demonstrating Open-Source Health Care Solutions | Los Angeles, CA, USA |
| February 20 - February 22 | Southern California Linux Expo | Los Angeles, CA, USA |
If your event does not appear here, please tell us about it.
Page editor: Forrest Cook
