Weekly Edition for January 8, 2009

The Grumpy Editor's guide to 2009

By Jonathan Corbet
January 7, 2009
Author Charles Stross recently lamented that times have gotten sufficiently interesting that the writing of near-future science fiction is currently impossible. Too much is changing, in too many interesting and unpredictable ways, for anybody to make projections of the future that don't look ridiculous long before that future arrives. Your editor can certainly understand that concern. But, then, your editor's predictions have always looked ridiculous in short order. So there's no reason not to continue with business as usual. Here's a set of wild guesses as to what we might see this year. Woe unto anybody who takes any of this seriously.


The net is full of guesses about what the currently-unfolding financial crisis will mean for free software; many of those are wildly optimistic. Your editor is a bit more guarded: the free software community will emerge from this mess stronger than ever, but it may well be a difficult ride. Much of the commercial Linux industry draws a fair amount of its income from the financial industry, and many players in that industry - there should still be one or two left - are likely to be looking to cut their expenses somewhat. So money for little things like critical infrastructure may be a little short until the bonus pool can be brought back to a satisfactory level. Other parts of the economy will be suffering similar pain. All told, economic trouble will make life harder for a number of free software companies - and the people they employ.

Still, the lower cost of free software, along with its flexibility, can only serve to make it more appealing to companies which are trying to develop a successful business strategy for difficult times. The commercial ecosystem around free software should continue to grow, but it may go through some interesting changes along the way.

One thing that will help is that open embedded systems will grow in appeal and become more successful. The iPhone showed what can be done with an interesting hardware platform; at the same time, it has spawned a steady industry devoted to opening up the device. Android-based platforms are quickly showing that it's possible to make an equally (or almost equally) nice device without locking it down in the same way. Awareness of the value of open gadgets will grow, and there will be more of them on the market by the end of 2009. These gadgets may not be as completely open as many LWN readers would like, but they will be a big step in the right direction.

As that happens, your editor thinks that Android will grow in popularity, perhaps to the point where it eclipses other Linux-based handset platforms. Android has no shortage of flaws, but it is a sufficiently well thought-out and developed system that it should be able to attract a real development community - especially if Google opens up its processes sufficiently. And if Google maintains an overly-firm hand on Android, we may well see forked versions aimed at the hardware devices which can run them.


The pace of GPL enforcement actions will drop as a result of two independent developments: more companies will figure out that free software licensing matters, and developers will decide that they do not want to be part of a high-profile lawsuit. That said, there will be some significant actions on this front in 2009. Meanwhile, the FSF's GPL-infringement lawsuit against Cisco will be settled in a flurry of "win-win" press releases.

GPLv3 migrations will slow, especially among projects that people have actually heard of.

A formerly friendly company may pull an SCO. The sad fact is that failing companies have a certain tendency to look toward their "IP portfolio" as a last-ditch source of revenue. 2009 is likely to see more than the usual number of failing companies; do not be surprised if one of them grasps at this particular straw.


Debian Lenny will be released. Now that the ritual firmware flame war and general resolution obligations have been satisfied, it looks like even Debian would be hard put to not get a release out this year. Debian will also make a serious attempt to avoid a repeat of the recent general resolution mess. There will be changes to how resolutions find their way to a vote, and the scripture-like authority of the "foundation documents" may be eroded somewhat.

We still won't know about Fedora's "infrastructure issues". But they'll promise to fill us in as soon as they possibly can. In the mean time, Fedora will crank out two more solid releases, one of which will eventually show up (somewhat transformed) as the next RHEL release.

openSUSE will make it easier for outside developers to maintain packages in an attempt to bolster its relevance in the development community.


The 2.6.33 kernel will be released. In other words, the kernel development cycle will continue at its fast pace, and the numbering scheme will not be changed.

The realtime patch set will be mostly merged by the end of the year. It really has to happen this time. What could possibly go wrong?

After many years of effort, 3D graphics will be a solved problem on Linux systems. We will no longer be second to other systems with regard to functionality or performance - at least, if you buy your video hardware from cooperative companies. Some of the code may still be working its way through the distribution system, but the work will be done.

It will be a make-or-break year for Perl. If the Perl developers cannot either bring new life to Perl 5 or turn Perl 6 into something real, this language will, by the end of the year, have moved well down the road to "legacy" status.

By the end of the year, KDE 4 will have stabilized, and most users will have forgotten what all of the flames were about. Meanwhile, the first pieces of GNOME 3 may be out, but they are likely to be received without great enthusiasm.

The distributed version control system debates will continue in full force through the year. A number of major projects will make the jump to a DVCS, and most of them will go to git. But Mercurial and Bzr (at least) will remain strong contenders.

As a result of declining contributions from Sun and frustration felt by outside developers, will be forked. The new project is likely to have some initial troubles - is a big program - but it will eventually become the focus of a much more dynamic, community-oriented system.


This article would not be complete without a prediction that free software will be stronger than ever at the end of 2009. Some predictions are easy to make; that has been the trend for many years, after all. Still, it is going to be interesting to see what we will be able to accomplish over the next twelve months. As always, it is going to be fun.

Finally, it will be a hard year for Linux-related media; we have already seen a foreshadowing of the situation with Groklaw's shift into maintenance mode and the recent demises of and It is a hard time to be in the media business in general, and the free software realm offers challenges of its own even in the best of times. That said, LWN appears to be holding steady so far, thanks to thousands of readers who feel that this enterprise is worth supporting. So your editor is able to confidently predict that we'll still be here for the traditional mocking of these predictions in December.


Debates on the future of Compiz

January 7, 2009

This article was contributed by Bruce Byfield

Is Compiz dying? Possibly not, but the consensus among developers of the compositing window manager seems to be that the project is in serious need of reorganization if it is going to survive.

Founded three years ago, Compiz quickly gained recognition as one of the first projects to deliver 3-D graphical effects on the desktop. Probably its best-known effect is the presentation of multiple workspaces on a rotating cube. The current state of the project dates from the merger of Compiz and Beryl, a fork of Compiz, at the end of March 2007.

Since then, development has been divided into two projects: Compiz, which includes the core functionality and basic plugins, and Compiz Fusion, which includes utilities and more plugins. In theory, the two projects were supposed to merge, but in practice, that has never happened. The projects still maintain separate web sites, mailing lists, and bug trackers, despite the fact that most developers of one project also work on the other.

The community appears to lack both organization and direction, with many developers working on their own branches of Compiz in secret rather than face endless discussion about their goals. Still other developers have drifted away from the project. Under these circumstances, the community has not only been unable to manage a 1.0 release, but, 18 months after the last stable release, is still struggling to complete version 0.8.

More recently, the community has been affected by the withdrawal of Compiz project leader David Reveman. Reveman's departure, apparently made without any official announcement, has led to a lack of leadership, since no experienced Compiz developer appears willing to assume the role of community organizer. Just as importantly, Reveman's refusal to respond to emails after his withdrawal has caused practical difficulties for other developers because much of the Compiz code base is undocumented.

The result is that Compiz, once seen as an exciting, leading-edge project, is now being openly denigrated in some circles. For instance, one commenter on a recent Compiz video on YouTube wrote:

Dramatically ugly, unusable, slow, badly animated and unconsistent. Open source development without a serious, expert maintainers can result in chaotic growth of the project and waste of human resources into pointless code. The Compiz-Fusion project is certainly the most representative example of all this.

The situation came to a head in late December when developer Dennis Kasprzyk announced the creation of a new compiz++ code branch. This new branch is written in C++ as opposed to the C programming language of the main branch, and would require numerous changes in the behavior of plugins. A few days later, Kasprzyk's announcement motivated Kristian Lyngstol, another developer, to begin a thread on the Compiz mailing list on "The Future of Compiz." This thread was echoed in an article called "Compiz is dying and we need to fix it" by Kevin Lange. Since then, discussions about the state of Compiz have emerged on numerous other mailing lists, especially those dedicated to specific distributions.

According to Lyngstol, "there has been the equivalent of no progress since the merger. We've basically been in maintenance mode. The reason for this, from my point of view, is a complete lack of direction and leadership."

Lyngstol sees several reasons for the current state of Compiz. To start with, he suggests that project members have been waiting too long for "something that will change everything," and the result has been too many code branches, many of which are incompatible with each other. "The reality is that all these branches are counter-productive, regardless of how fun or flashy they are," Lyngstol writes. He continues:

If we are to have a healthy development environment, and any hope of bringing Compiz out of a constant alpha-stage, we need to have clear development goals and a way to cooperate. Before somebody puts 6+ months of development into their work then present it as a final solution.

Next, Lyngstol notes that the community remains small, with less than 20 people contributing code, if the subscription list for Compiz-Fusion Planet is an indication. In fact, Lyngstol writes, "Unless I'm missing something obvious, we haven't seen a single new core developer that contributes significantly to [the main branch] since the merge. We have, however, lost a few."

Lyngstol goes on to suggest the reasons for the lack of developers. Because the project has no direction, he writes, "all development and design is done as a solo race. There's no way to know whether you can work on something without losing your work because some obscure branch gets merged."

Even worse, the merge of Compiz and Compiz-Fusion that was supposed to happen never has, resulting in a duplication of effort that Lyngstol describes as "messy." Much the same state of chaos exists in the code, which is both "undocumented" and "not particularly pretty." Moreover, when new code is added, its functions "do more than C functions should do." But the basic problem, according to Lyngstol, is that "Compiz is a research project," in a constant state of change and is not focused on producing a stable release.

To solve this situation, Lyngstol suggests a merger of the various code branches — or perhaps, an agreement that some or all are forks — and some serious attention paid to project management. "We should have clear goals for every major release," he writes, "and finding those goals should be the top priority after a stable release. For each point-release in a development series, we should also have a clear goal. This will make it easier to predict releases and for developers to help."

Perhaps the greatest indicator of the state of the Compiz community is not Lyngstol's critique, but the polite agreement with which it has been greeted so far. To date, those who have responded to Lyngstol's posting have quibbled over the details of some of his points while not seriously contesting his overall observations or his suggested solutions.

Another, more unfortunate indicator is that, while posters have agreed that leadership and direction are needed, so far none of them have come forward to offer it. Instead, Lyngstol and several other active developers have gone out of their way to state that, while they would support change, they were unwilling or unable to take on any leadership role.

So far, no one has suggested possible external reasons for the diminishment of Compiz. But it may be that, now that the novelty of 3-D special effects has worn off, few reasons exist to develop them; the few practical effects, such as zooms, are too slight to encourage the majority to move away from standard 2-D desktops.

Another possible factor is that 3-D video drivers that are both stable and released under a free license are taking longer to arrive than anyone anticipated, and their lack reduced users' interest in projects like Compiz that require them.

Still another suggestion was made in an anonymous comment on Lange's article: Perhaps Compiz has served its purpose by proving that the free desktop could surpass Windows or OS X in eye candy. However, not everyone would agree — developer Quinn Storm, for example, posted a comment to the Compiz mailing list in which she makes clear that she thinks that Compiz has that goal, but has yet to reach it.

Whatever the reasons and whatever happens, one consolation is that, in free and open source software, nothing is really lost. But, as things stand now, with no one willing to assume the leadership of the project, a very strong possibility exists that Compiz will continue to diminish, with its members aware of the situation but unable or unwilling to change it.


The Android Dev Phone 1

By Jonathan Corbet
December 29, 2008
Your editor's long-suffering spouse will attest that gadgets are never in short supply in the house. Many of them pass below her interest, but a new one has come in which has attracted attention throughout the household: an Android Dev Phone, otherwise known as the fully unlocked version of the G1 phone offered by T-Mobile. This phone is certainly a fun toy, but it has the potential to be a lot more than that.

The details of this device have been well publicized for a while now. It includes a nice touchscreen display, QWERTY keyboard, GPS receiver, accelerometer, 3.2 megapixel camera, and more. The whole thing is powered by Google's Linux-based Android platform. The Dev Phone is essentially the same device as that sold by T-Mobile, but with a crucially important difference: it is unlocked in all senses. This means not just that it can be used with any mobile carrier's SIM, but also that the base operating software has not been locked down. This is a phone for which the entire system can be rebuilt and replaced at will.

The Dev Phone thus joins the OpenMoko Neo Freerunner on the very short list of truly open mobile handsets. This device, though, has the advantage of being a bit more of a finished product with what appears to be a rather stronger software development team behind it. It also, for what it's worth, has some nice hardware capabilities that the Neo lacks: quad-band GSM, 3G (though not on the bands used by your editor's carrier, alas), keyboard, etc. Your editor believes that it will be a successful product.

Over the course of the next few months, your editor plans to dig into this device and report on what he finds. How open is the device really? What does it take to put a new kernel onto it? What might it take to put a different operating system onto it altogether? And, in general, how does this whole Android thing work? Assuming that he does not brick the device early on, your editor hopes to get a real sense for what can be done with this device, how close its software is to what we normally think of as Linux, and where it might go into the future. It should be a fun project.

First, though, one has to get through the stage of simply playing with the new toy. So the rest of this article will be a user-level review of sorts.

The hardware: it feels generally solid. The device is larger and heavier than handsets your editor has used in the past, but that is to be expected. The keyboard works better than one might think given its size; even your relatively fat-fingered editor is able to type with reasonable speed and accuracy. The vibrator lacks strength. The camera seems to take nice photos (for a phone camera), but it is exceedingly slow. As with most color-screen devices, the display is entirely unreadable when the backlight is off. A nice touch with this phone is an indicator LED which blinks when the phone has something to tell you - an unread text message, for example - but the use of the LED seems to be somewhat inconsistent.

Your editor has yet to get a sense for what the battery life would be in the absence of children playing with the device all day long. Complaints about battery life can be found on the net, but it appears that the phone should be able to get through two or three days of moderate usage where the GPS receiver is off most of the time. On the other hand, if you let your kids use it to mess around on video sites, the battery runs down relatively quickly.

On the software side, this phone gets off to a bit of a rough start. It first requires the user to configure the phone to access data service from the carrier, a process which must be done by hand if that carrier is not T-Mobile. Your editor's last new phone recognized the carrier from the SIM and handled this task automatically. More annoying, though, is that the phone requires the creation of a Gmail account as part of its setup process. The fact that one does not have - and does not want - such an account is not relevant. So now your editor has an entry in the Gmail account database which will never be used.

That, of course, ties in to why Google has gotten into this exercise in the first place. There are many features of the Android platform which are designed to tie the user in more closely to services provided by Google. Some features, such as the calendar, are really just an extension of the online offerings. The phone wants to sync the contacts list to...somewhere...and turning the feature off leads to unpleasant behavior. It is possible to use many of the features of the device without connecting back to the Google mother ship, but it's not the natural mode of operation.

Another example is email handling. There is a separate icon for Gmail which just works; that application offers the features (such as threading) provided by that service. One can run a different mail application to connect to a POP or IMAP account somewhere, but it's a separate setup process. Later, with luck, one discovers the improved K9 client, which must be installed separately and which requires one to go through the setup process again. Even with K9, the non-Gmail mail client is not what it should be. There is no threading of messages, many basic commands (refiling messages, for example) are missing, etc. Then there's little problems like refusing to connect to a server if it doesn't think it can trust the SSL certificate and failing to authenticate if the user's password contains special characters. One assumes that this client will improve, or that other clients will be ported to the platform, but, for now, it doesn't seem to be a priority for the Android developers.

More generally, though, the Android software is pretty slick. A fair amount of thought has been given to how interaction should work on this kind of device. Once one gets used to a few specific differences (holding a finger on an item on the screen for a few seconds often brings up otherwise hidden options, for example), navigating through applications comes fairly naturally. Only in some cases do inconsistencies pop up - some applications have different notions for how to zoom in and out than others is one that your editor has noticed. As a whole, the interface comes across as polished and attractive.

That said, use of the display could be improved. On a small display, there will always be a certain tension between getting enough information on-screen and avoiding the creation of headaches through severe eye strain. Different users will do better with small fonts than others. But if Android offers an option to configure default font sizes, your editor cannot find it. So it becomes necessary to manually zoom almost every web page, almost every email, etc. to get a sufficient amount of information onto the screen. That gets a little tiresome after a while.

The "Android Market" offers a wealth of applications, most of which are available as free software or, at least, in a free-beer mode. When browsing applications, one runs into the Android security model, which is oriented around a long set of capabilities which can be granted to applications. A program which needs to do things like access the net, obtain location data, change hardware settings, etc. must declare the capabilities it needs; these are then presented to the user at installation time. Most users will probably just say "yes," but it is worth taking a closer look. Your editor decided to decline the installation of a Mahjongg game after being unable to figure out why it was asking for full network access.

Beyond the inevitable games (including one of the worst Tetris implementations seen in a while), there is a wide variety of available applications. The "Locale" tool makes up for the (surprising) lack of the sort of "profile" feature found on almost every handset your editor has ever seen; it performs tricks like using the GPS receiver to automatically change profiles when the phone enters the office or a theater. The "bubble" application (shown on the left) turns the handset into a portable level. There's no shortage of "smart shopper" applications, most of which can read a barcode using the camera and look up prices for items. There is a "power manager" which attempts to configure the device for optimal power use in a number of situations; it provides a basic profile functionality as well, though the user should be prepared to spend some time configuring the options into a workable form. There's plenty of travel-oriented applications which will fetch weather reports, currency rates, or call a taxi.

One notable omission, with both the base phone and the available applications, is voice over IP functionality. This handset should be able to do VOIP beautifully, but almost no such functionality is available. There appears to be a tool for Skype users, but that's about it.

There are a couple of applications that are of particular interest to your editor. ConnectBot is an SSH client which works surprisingly well; the developers are clearly working toward the creation of a tool useful for people logging into Linux-like systems. And the terminal emulator provides that all-important feature: a shell prompt on the device. Even more fun, on the Dev Phone, a simple "su" with no password will yield a root shell.

Playing around on the device, your editor sees that the ARM processor provides a mighty 383 bogomips. It appears to have a little over 100MB of usable memory. It's running a 2.6.25 kernel (known to be heavily modified) with a single loadable module called "wlan." And so on. As useful as the keyboard is, trying to use it to type commands at a shell which lacks a history mechanism gets painful after a while. Time to go looking for an SSH server.

There are other useful applications, of course, such as the one which actually makes phone calls. Like the others, it lacks perfection, but one can only assume that, on a platform driven by free software, imperfect applications will be improved or replaced. How easy it is to do such things is part of what your editor intends to find out in the coming months. Stay tuned.


Page editor: Jonathan Corbet


Filesystem capabilities in Fedora 10

By Jake Edge
January 7, 2009

Linux capabilities have been around for a long time, but they are finally starting to get to the point where they can actually be used. There are still no mainstream distributions that make use of them, but Fedora 10 has all of the requisite functionality available, as Ulrich Drepper recently pointed out in a blog posting. There are now systems available for administrators to begin to try out capabilities to see what advantages they offer.

Note that this article concerns Linux/POSIX capabilities and not the other security approach of the same name.

The canonical test program for capabilities seems to be ping; that is what Drepper used, as did Chris Friedhoff in his capabilities documentation. Currently in Fedora 10, ping is a setuid-root program as it needs privileges that normal users do not have. Removing the setuid bit with

    chmod u-s /bin/ping

results in normal users getting the following error:

    ping: icmp open socket: Operation not permitted

But ping can run without the setuid bit if it is given the proper capabilities.

By using the setcap command, a root user can give the required capabilities to the ping program. These get stored as extended attributes (xattrs) in the filesystem and queried by the kernel when filesystem capabilities are enabled. It should be noted that not all filesystems support xattrs, but for those that do, setcap will add the "capability" attribute with a 20-byte value representing the capability information.

The capability required by ping is CAP_NET_RAW, so an administrator who wants to have a non-setuid-root ping must do:

    setcap cap_net_raw=ep /bin/ping

This sets the CAP_NET_RAW bit in both the "effective" (e) and "permitted" (p) capability sets. These two sets, along with the "inheritable" set, govern the capabilities that a process has or can set. Serge Hallyn's developerWorks article is a good reference for how those sets interact.

But, how does one find out what capabilities a particular program needs? In some ways similar to the audit2allow method sometimes used to determine SELinux policies, one can look for permission denied errors as Friedhoff describes:

    $ strace ping localhost 2>&1 | grep EPERM
    socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)

In this case, ping tried to open a raw socket which requires CAP_NET_RAW. Hallyn's article also has code for a capable_probe kernel module that can be used to see what capabilities are requested. As with the SELinux method, one must be careful that the capabilities requested are actually reasonable for the program's task before granting them.
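The 20-byte value that setcap stores can be decoded to check exactly what a binary has been granted and whether that matches what was intended. The following Python is an added example, not code from the article or from libcap; it assumes the kernel's revision-2 layout of the `security.capability` xattr (little-endian), and the function names and the sample byte strings are constructed for illustration.

```python
import errno
import os
import struct

XATTR_NAME = "security.capability"     # full name of the "capability" xattr
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001   # a single flag bit, not a third bitmask
# revision magic -> number of 32-bit words per capability set;
# revision 2 gives 4 + 2 * 8 = 20 bytes. Later revisions are rejected here.
WORDS_PER_REVISION = {0x01000000: 1, 0x02000000: 2}

CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()


def _names(mask):
    """Turn a capability bitmask into a list of cap_* names, lowest bit first."""
    return ["cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
            for b in range(mask.bit_length()) if mask >> b & 1]


def decode_file_caps(raw):
    """Decode a raw security.capability value into revision, flag and sets."""
    if len(raw) < 4:
        raise ValueError("xattr too short to hold the magic word")
    (magic,) = struct.unpack_from("<I", raw, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    words = WORDS_PER_REVISION.get(revision)
    if words is None:
        raise ValueError("unsupported revision 0x%08x" % revision)
    if len(raw) != 4 + 8 * words:
        raise ValueError("length %d does not match revision" % len(raw))
    permitted = inheritable = 0
    for i in range(words):
        # Each word pair is (permitted, inheritable) for capability bits 32*i..
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(permitted),
        "inheritable": _names(inheritable),
    }


def to_text(caps):
    """Render decoded capabilities in the form used as the setcap argument."""
    groups = {}
    for name in sorted(set(caps["permitted"]) | set(caps["inheritable"])):
        flags = (("e" if caps["effective"] else "")
                 + ("i" if name in caps["inheritable"] else "")
                 + ("p" if name in caps["permitted"] else ""))
        groups.setdefault(flags, []).append(name)
    return " ".join("%s=%s" % (",".join(names), flags)
                    for flags, names in sorted(groups.items()))


def unexpected_caps(raw, allowed):
    """Return capabilities granted by the xattr that are not in `allowed`."""
    caps = decode_file_caps(raw)
    granted = set(caps["permitted"]) | set(caps["inheritable"])
    return sorted(granted - set(allowed))


def read_file_caps(path):
    """Decode the capabilities of `path`; None if it carries none (Linux only)."""
    try:
        raw = os.getxattr(path, XATTR_NAME)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None   # no capability xattr, or filesystem without xattrs
        raise
    return decode_file_caps(raw)


# Constructed sample values: what "setcap cap_net_raw=ep" produces, and a
# value that additionally (and needlessly for ping) grants cap_sys_admin.
PING_XATTR = bytes.fromhex("0100000200200000000000000000000000000000")
OVERBROAD_XATTR = bytes.fromhex("0100000200202000000000000000000000000000")

if __name__ == "__main__":
    for label, raw in (("ping", PING_XATTR), ("overbroad", OVERBROAD_XATTR)):
        print(label, to_text(decode_file_caps(raw)),
              "unexpected:", unexpected_caps(raw, {"cap_net_raw"}))
```

Because the capabilities have to be set again after every package update, running `read_file_caps()` over the binaries that had their setuid bit removed shows which ones have lost their xattr (it returns None) and which carry more than was intended.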

Now that capabilities are available, folks have started to wonder when things like ping will have their setuid bit removed in standard distributions. Panu Matilainen asked on fedora-devel: "Are we ready to start considering moving away from SUID bits to capabilities, in Fedora 11 maybe?" The answer in the resulting thread seems to be "no", mostly because there is concern about folks building their own kernel without support for capabilities. It is a bit of a weak argument because Fedora depends on any number of kernel options. Drepper is characteristically blunt: "That's nonsense since there are many other options we rely on and which can be compiled out."

Other distributions may handle things differently, though, so we may see Linux-capability-based systems elsewhere. For now, administrators can turn off setuid and instead set capabilities on programs in Fedora 10, "unfortunately you have to do it every time the program is updated again," Drepper notes. Capabilities were originally added to Linux in the 2.1 kernel series, around ten years ago, so it is nice to see them finally getting to the point of usability for regular users and administrators. It will be interesting to see where things go from here.


Brief items

25C3: MD5 collisions crack CA certificate (heise online)

Researchers presenting at the 25th Chaos Communication Congress (25C3) have used MD5 collisions to generate bogus, but trusted, SSL certificates as reported by heise online. This would allow nefarious web sites to generate a certificate purporting to be from any other site—greatly increasing the reach of phishing and other scams. "Using a weakness in the MD5 cryptographic hash function, which allows different messages to generate the same MD5 hash – known as an MD5 'collision', the international team of Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molinar, Dag Arne Osvik and Benne De Weger, have used one attack scenario to create a certificate which will be trusted by all browsers because it appears to be signed by one of the root CAs that browsers trust by default. The certificate can also be used to sign other certificates, which could allow attackers to carry out 'practically undetectable phishing attacks'."


New vulnerabilities

OpenSSL: certificate verification flaw

Package(s): OpenSSL
CVE #(s): CVE-2008-5077
Created: January 7, 2009
Updated: July 27, 2011
Description: From the Red Hat advisory: the Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation.
SUSE SUSE-SU-2011:0847-1 compat-openssl097g 2011-07-27
openSUSE openSUSE-SU-2011:0845-1 compat-openssl097g 2011-07-27
Gentoo 200904-05 ntp 2009-04-05
Mandriva MDVSA-2009:271 libnasl 2009-10-12
Mandriva MDVSA-2009:037 bind 2008-02-16
Gentoo 200902-02 openssl 2009-02-12
Slackware SSA:2009-014-01 openssl 2009-01-15
Fedora FEDORA-2009-0419 tqsllib 2009-01-14
Fedora FEDORA-2009-0543 tqsllib 2009-01-14
SuSE SUSE-SA:2009:006 openssl 2009-01-23
rPath rPSA-2009-0008-1 openssl 2009-01-20
Slackware SSA:2009-014-03 ntp 2009-01-15
CentOS CESA-2009:0004 OpenSSL 2009-01-07
Debian DSA-1701-1 openssl 2009-01-12
Fedora FEDORA-2009-0331 openssl 2009-01-08
Red Hat RHSA-2009:0004-01 OpenSSL 2009-01-07
Fedora FEDORA-2009-0544 ntp 2009-01-14
Fedora FEDORA-2009-0547 ntp 2009-01-14
Slackware SSA:2009-014-02 bind 2009-01-15
Fedora FEDORA-2009-0325 openssl 2009-01-08
Ubuntu USN-704-1 openssl 2009-01-07

p7zip: unknown vulnerability

Package(s): p7zip
CVE #(s):
Created: January 7, 2009
Updated: January 7, 2009
Description: The p7zip file archiver suffers from "archives formats issues." Such information as is available can be found in this bugzilla entry.
Fedora FEDORA-2008-11868 p7zip 2008-12-30
Fedora FEDORA-2008-11891 p7zip 2008-12-30
Fedora FEDORA-2008-11843 p7zip 2008-12-30

php-xajax: cross-site scripting

Package(s): php-xajax
CVE #(s): CVE-2007-2739
Created: December 29, 2008
Updated: January 7, 2009

From the Debian advisory:

It was discovered that php-xajax, a library to develop Ajax applications, did not sufficiently sanitise URLs, which allows attackers to perform cross-site scripting attacks by using malicious URLs.

Debian DSA-1692-1 php-xajax 2008-12-27

samba: privilege escalation

Package(s): samba
CVE #(s): CVE-2009-0022
Created: January 6, 2009
Updated: October 5, 2009
Description: From the Ubuntu advisory: Gunter Höckel discovered that Samba with registry shares enabled did not properly validate share names. An authenticated user could gain access to the root filesystem by using an older version of smbclient and specifying an empty string as a share name. This is only an issue if registry shares are enabled on the server by setting "registry shares = yes", "include = registry", or "config backend = registry", which is not the default.
Fedora FEDORA-2009-10172 samba 2009-10-03
Mandriva MDVSA-2009:042 samba 2009-02-18
Fedora FEDORA-2009-0160 samba 2009-01-07
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
Fedora FEDORA-2009-0268 samba 2009-01-07
Slackware SSA:2009-005-01 samba 2009-01-06
Ubuntu USN-702-1 samba 2009-01-05
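
Whether a server is in the non-default configuration described above can be checked by scanning its smb.conf for the three settings the advisory names. The following is an added example, not code from Samba or from the advisory; the function name and sample configurations are constructed, and treating "true", "on" and "1" as synonyms for "yes" is an assumption about Samba's boolean parsing. It ignores backslash line continuations and does not follow include files.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One bit per setting the advisory names as enabling registry shares. */
#define REG_SHARES  1   /* registry shares = yes     */
#define REG_INCLUDE 2   /* include = registry        */
#define REG_BACKEND 4   /* config backend = registry */

/* Copy src to dst lower-cased and trimmed. Parameter names also lose their
 * inner blanks, so "Registry Shares" and "registryshares" compare equal. */
static void normalize(const char *src, size_t len, char *dst, size_t cap,
                      int drop_inner_blanks)
{
    size_t n = 0;

    while (len && isspace((unsigned char)*src)) { src++; len--; }
    while (len && isspace((unsigned char)src[len - 1])) len--;
    for (size_t i = 0; i < len && n + 1 < cap; i++) {
        unsigned char c = (unsigned char)src[i];
        if (drop_inner_blanks && isspace(c))
            continue;
        dst[n++] = (char)tolower(c);
    }
    dst[n] = '\0';
}

/* Assumption: these four spellings all mean "enabled". */
static int is_true(const char *v)
{
    return !strcmp(v, "yes") || !strcmp(v, "true") ||
           !strcmp(v, "on") || !strcmp(v, "1");
}

/* Scan smb.conf text and return the OR of the REG_* settings in effect.
 * A later assignment of the same parameter overrides an earlier one. */
int audit_registry_settings(const char *conf)
{
    int flags = 0;
    char key[64], val[128];

    while (*conf) {
        const char *eol = strchr(conf, '\n');
        size_t len = eol ? (size_t)(eol - conf) : strlen(conf);
        const char *p = conf;
        const char *eq;

        conf += len + (eol ? 1 : 0);
        while (len && isspace((unsigned char)*p)) { p++; len--; }
        if (!len || *p == '#' || *p == ';' || *p == '[')
            continue;               /* blank, comment or section header */
        eq = memchr(p, '=', len);
        if (!eq)
            continue;
        normalize(p, (size_t)(eq - p), key, sizeof key, 1);
        normalize(eq + 1, len - (size_t)(eq - p) - 1, val, sizeof val, 0);

        if (!strcmp(key, "registryshares"))
            flags = is_true(val) ? (flags | REG_SHARES) : (flags & ~REG_SHARES);
        else if (!strcmp(key, "configbackend"))
            flags = !strcmp(val, "registry") ? (flags | REG_BACKEND)
                                             : (flags & ~REG_BACKEND);
        else if (!strcmp(key, "include") && !strcmp(val, "registry"))
            flags |= REG_INCLUDE;
    }
    return flags;
}

/* Constructed samples, not taken from a real host. */
static const char SAMPLE_EXPOSED[] =
    "[global]\n"
    "   workgroup = EXAMPLE\n"
    "   Registry Shares = Yes\n"
    "   ; config backend = registry\n"
    "[public]\n"
    "   path = /srv/public\n";

static const char SAMPLE_DEFAULT[] =
    "[global]\n"
    "   workgroup = EXAMPLE\n"
    "   registry shares = no\n"
    "[docs]\n"
    "   include = /etc/samba/docs.conf\n";

int main(void)
{
    printf("exposed sample: flags=%d\n", audit_registry_settings(SAMPLE_EXPOSED));
    printf("default sample: flags=%d\n", audit_registry_settings(SAMPLE_DEFAULT));
    return 0;
}
```

A non-zero result means the server should be updated before registry shares stay enabled.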

xen: DOS and symlink vulnerabilities

Package(s): xen
CVE #(s): CVE-2008-4405 CVE-2008-4993
Created: January 7, 2009
Updated: September 15, 2009
Description: The Xen package, as shipped by Red Hat (at least), contains a pair of vulnerabilities. Unprivileged DomU domains are able to overwrite "xenstore values," enabling the killing of arbitrary processes. And the qemu-dm.debug script has a symbolic link vulnerability exploitable by a local attacker.
SuSE SUSE-SR:2009:015 OpenOffice_org, OpenOffice_org-math, dnsmasq, gnutls, ia32el, ib-bonding-kmp-rt/kernel-rt, libxml, opera, perl-IO-Socket-SSL, xen 2009-09-15
Mandriva MDVSA-2009:016 xen 2009-01-16
CentOS CESA-2009:0003 xen 2009-01-08
Red Hat RHSA-2009:0003-01 xen 2009-01-07

xterm: arbitrary code execution

Package(s): xterm
CVE #(s): CVE-2008-2383 CVE-2008-7236
Created: January 5, 2009
Updated: March 11, 2009

From the Debian advisory:

Paul Szabo discovered that xterm, a terminal emulator for the X Window System, places arbitrary characters into the input buffer when displaying certain crafted escape sequences.

Slackware SSA:2009-069-03 xterm 2009-03-11
Gentoo 200902-04 xterm 2009-02-12
Debian DSA-1694-1 xterm 2009-01-02
Fedora FEDORA-2009-0059 xterm 2009-01-07
Fedora FEDORA-2009-0154 xterm 2009-01-07
Fedora FEDORA-2009-0091 xterm 2009-01-07
CentOS CESA-2009:0018 xterm 2009-01-07
Mandriva MDVSA-2009:005 xterm 2009-01-11
Red Hat RHSA-2009:0019-01 hanterm-xf 2009-01-07
Red Hat RHSA-2009:0018-01 xterm 2009-01-07
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19
Ubuntu USN-703-1 xterm 2009-01-06
Debian DSA-1694-2 xterm 2009-01-06
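
Because the flaw is triggered by what the terminal is asked to display, a tool that prints untrusted bytes can rewrite them so that no escape sequence ever reaches the terminal. The following is an added example, not code from xterm or from the advisory; the function name and the sample input are constructed. It passes only printable ASCII, newline and tab, so UTF-8 text is shown as hex escapes too.

```c
#include <stdio.h>
#include <string.h>

/*
 * Rewrite untrusted bytes so that a terminal shows them as text instead of
 * interpreting them. Printable ASCII, newline and tab pass through. A
 * backslash is doubled so the output stays unambiguous. Every other byte
 * (ESC and the other C0 controls, DEL, and all bytes >= 0x80, which covers
 * the 8-bit C1 controls) is written as \xNN.
 * Returns the number of bytes written as \xNN, or -1 if out is too small.
 */
int neutralize_for_terminal(const unsigned char *in, size_t in_len,
                            char *out, size_t out_cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    int neutralized = 0;

    if (out_cap == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        int plain = (c >= 0x20 && c <= 0x7e && c != '\\') ||
                    c == '\n' || c == '\t';
        size_t need = plain ? 1 : (c == '\\' ? 2 : 4);

        if (o + need >= out_cap)    /* keep one byte for the terminator */
            return -1;
        if (plain) {
            out[o++] = (char)c;
        } else if (c == '\\') {
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            neutralized++;
        }
    }
    out[o] = '\0';
    return neutralized;
}

/* Constructed sample: a log excerpt carrying a 7-bit ESC sequence (clear
 * screen) and an 8-bit control byte. Not taken from any real log. */
static const unsigned char SAMPLE_LOG[] =
    "GET /index.html \x1b[2J 200\n"
    "agent=\x9b" "31mtest\ttab ok\n";

int main(void)
{
    char buf[256];
    int n = neutralize_for_terminal(SAMPLE_LOG, sizeof SAMPLE_LOG - 1,
                                    buf, sizeof buf);

    if (n < 0)
        return 1;
    printf("%s(%d control bytes neutralized)\n", buf, n);
    return 0;
}
```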

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The 2.6.29 merge window is open, so there is no development kernel release as of this writing. Quite a bit of work has been merged for 2.6.29; see the separate article below for details.

The current stable 2.6 kernel is 2.6.28, released by Linus on December 24. Highlights of this kernel include the addition of the GEM GPU memory manager, the removal of the "experimental" label from the ext4 filesystem, scalability improvements in memory management via the reworked vmap() and pageout scalability patches, the move of the -staging drivers into the mainline, and much more. See the excellent KernelNewbies summary for lots more details about 2.6.28. Says Linus: "In fact, even _if_ you have friends or family, leave them to their endless toil over that christmas ham or turkey, and during the night, when they're asleep, you can give them that magical present of a newly updated computer. When they wake up tomorrow morning, tell them how you saw Santa crawl down the chimney with his USB stick in hand, updating the OS of all good boys and girls."

Kernel development news

Quotes of the week

The software design moral: Everything is shit and will attempt to kill you when you're not looking.
-- Matthew Garrett

I don't believe "auto-destroy my music collection" is a sane default.
-- Alan Cox

BTW, the current influx of higher-complexity filesystems certainly worries me a little.
-- Christoph Hellwig

Can you post the patch, so that we can see if we can find some silly error that we can ridicule you over?
-- Linus Torvalds (Thanks to Jeff Schroeder)

There's a lot of stuff here, as can be seen by the final diffstat number:
779 files changed, 472695 insertions(+), 26479 deletions(-)
and yes, it's all crap :)
-- Greg Kroah-Hartman

I will just note wryly that it used to be that I could compile 0.9x kernels on a 40 MHz 386 machine in 10 minutes. Some 15 years later, it still takes roughly the same amount of time to compile a kernel, even though computers have gotten vastly faster since then. Something seems wrong with that....
-- Ted Ts'o

2.6.29 merge window, part 1

By Jonathan Corbet
January 7, 2009
As of this writing, some 6500 non-merge changesets have been accepted for the 2.6.29 development cycle. There is the usual set of new device drivers, combined with a number of important core kernel changes.

As of this writing, user-visible changes include:

  • New drivers for SH-2A FPU based SH7201 processors, Palm T|X, T5 and LifeDrive audio devices, Gumstix Overo audio devices, Marvell Zylonite audio devices, Wolfson Micro TWL4030, UDA134x, WM8350 AudioPlus, and WM8728 codecs, Texas Instruments SDP3430 audio devices, OMAP3 Pandora audio devices, Intel G45 integrated HDMI audio codecs, Broadcom BCM50610 network PHYs, LSI ET1011C PHYs, KS8695 Ethernet devices, SMSC LAN9420 PCI Ethernet adapters, SMSC LAN911x and LAN921x embedded Ethernet controllers, Solarflare 10Xpress SFT9001 network controllers, Atheros AR9285 chipsets, Solos ADSL2+ PCI Multiport cards, Nuvoton W90X900 CPUs, LG ATSC lgdt3304 video capture devices, Sharp s921 ISDB-T devices, ST Microelectronics STB6100 silicon tuners and STB0899 multistandard frontend devices, ST STV06XX-based cameras, TDA8261 8PSK/QPSK tuners, OmniVision ov772x cameras, Conexant CX24113/CX24128 tuners, Texas Instruments TVP514x video decoders, OMAP2 camera devices (as seen in Nokia Internet tablets), NXP TEA5764 I2C FM radio devices, Chelsio T3 ASIC based iSCSI adapters, Wolfson Microelectronics WM8350 power management units, Dialog DA9030 battery chargers, DaVinci DM355 EVM microcontrollers, Intel 5400 (Seaburg) memory controller chipsets, Walkera WK-0701 RC transmitters, Wacom W8001 penabled serial touchscreens, Dialog Semiconductor DA9034 touchscreens, TSC2007 based touchscreens, PXA930 trackball mice, and PXA930/PXA935 enhanced rotary controllers.

  • A number of new drivers have also entered the kernel via the staging tree; these include drivers for Sensoray 2250/2251 video capture devices, Airgo AGNX00 wireless chips, a wide variety of data acquisition devices via the Comedi framework, ASUS laptop OLED displays, Ralink 2860 and 2870 wireless interfaces ("This is the Ralink RT2860 driver from the company that does horrible things like reading a config file from /etc."), RealTek RTL8187SE Wireless LAN NICs, HD44780 or KS-0074 parallel port LCD panels, ServerEngines BladeEngine (EC 3210) network interfaces, Princeton Instruments USB cameras, Mimio Xi interactive whiteboards, the openPOWERLINK network stack, Frontier Tranzport and Alphatrack devices, and several families of Meilhaus data acquisition boards. Also added, seemingly without help from Google, is a set of drivers for the Android platform, including support for the /dev/binder IPC mechanism, timed GPIO operations, the RAM buffer console, a special "low memory killer" device, and the logger device.

    Remember that "staging" drivers are not considered to be up to normal kernel code quality standards; they are merged in the hope that developers will help to make them better. Quite a few improvements to these drivers were merged via the staging tree this time around, so this tree may be working as intended.

  • The long-deprecated eepro100 driver has finally been removed; the e100 driver should be used instead.

  • The SCSI layer has acquired support for Fibre Channel over Ethernet (FCoE) devices.

  • The GEM layer used for memory management in graphical processor unit (GPU) driver code has seen a number of improvements. The big news in this area, though, is that the kernel mode setting code has finally been merged. This change paves the way for the removal of a great deal of scary user-space code, better support for features like fast user switching, and the ability to run the X server without root privilege. Kernel mode setting is still in an early state, though, and most people will not want to enable it unless they are sure they have a properly-prepared user space.

  • Support for HP iPAQ h5000 systems, Samsung S3C64XX series based systems, and Pandora game consoles has been added to the ARM architecture code.

  • The SuperH architecture has gained support for the ftrace tracing framework.

  • There is a new no_file_caps= boot option which can be used to disable file capabilities on kernels which have that feature enabled. From the changelog: "This allows distributions to ship a kernel with file capabilities compiled in, without forcing users to use (and understand and trust) them."

  • The CIFS filesystem supports a new forcemand mount option; when present, it causes CIFS to use mandatory locks rather than POSIX-style advisory locks.

  • The CUBIC 2.3 TCP congestion control algorithm and the "backward congestion notification" feature are now supported in the networking layer.

  • The network code has support for the "deficit round robin" packet scheduling algorithm, said to produce highly fair scheduling with minimal cost.

  • A vast set of network namespace patches has been merged. The namespace hackers have, so far, refrained from saying that this feature is ready for general use, but it must be getting closer.

  • The devpts filesystem now supports the creation of multiple instances in different namespaces.

  • The wireless regulatory domain code has been extended to provide 802.11d support.

  • The Tree RCU patch set, which should provide improved scalability on systems with "more than a few hundred CPUs," has been merged.

  • Users of huge pages can now look in /proc/pid/smaps for a new KernelPageSize value giving the actual size of the pages in use. Among other things, this information can be used to verify that a process is actually using large pages where expected.

  • The eCryptfs filesystem now supports the encrypting of file names as well as their contents.

  • The FUSE user-space filesystem mechanism can now support ioctl() and poll() calls.

  • Support for unlabeled networks and hosts has been added to the SMACK security module.

Changes visible to kernel developers include:

  • There is a new synchronous hash interface called "shash." It simplifies the use of synchronous hash operations while allowing the same tfm to be used simultaneously in different threads. All in-tree users have been switched to the new API.

  • The massive task credentials patch set has been merged. This code reorganizes the handling of process credentials (user ID, capabilities, etc.). One of the immediate implications of this change is that direct references to credential-oriented fields in the task structure need to be changed; for example, current->user->uid becomes current_uid(). See Documentation/credentials.txt for a description of the new API.

  • The ftrace code has seen a lot of internal changes. The function tracing feature has seen a number of improvements, and the developers have added mechanisms to profile the behavior of if statements, provide function call graphs, obtain user-space stack traces, and follow CPU power-state transitions.

  • Most of the callback functions/methods associated with the net_device structure have been moved out of that structure and into the new struct net_device_ops. In-tree drivers have been converted to the new API.

  • The priv field has been removed from struct net_device; drivers should use netdev_priv() instead.

  • The generic PHY layer now has power management support. To that end, two new methods - suspend() and resume() - have been added to struct phy_driver.

  • The networking layer now supports large receive offload (or "generic receive offload") operation.

  • The NAPI API has been cleaned up somewhat; in particular, functions like netif_rx_schedule(), netif_rx_schedule_prep(), and netif_rx_complete() have lost the unneeded struct net_device parameter.

  • The hrtimer code has been simplified with the removal of variable modes for callback functions. All processing is now done in hardirq context.

  • A new set of LSM hooks has been added; these support pathname-based security operations. With the merging of these hooks, one major obstacle to the inclusion of security modules like AppArmor and TOMOYO has been removed.

  • The kernel will now refuse to build with GCC 4.1.0 or 4.1.1; those versions have unfortunate bugs which prevent the building of a working kernel. Versions 3.0 and 3.1 have also been deemed to be too old and will not be supported in 2.6.29.

  • Video4Linux drivers now use a separate v4l2_file_operations structure to hold their VFS-like callbacks. The prototypes of a number of these functions have been changed to remove the inode argument.

  • Video4Linux2 has also acquired a new "subdevice" concept, meant to reflect the fact that video "devices" tend to be, in reality, a set of cooperating devices. See the new document for a description of how this mechanism works.

  • Two new functions - stop_machine_create() and stop_machine_destroy() - allow the independent creation of the threads used by stop_machine(). That, in turn, lets those threads be created before trying to actually stop the machine, making that operation more resistant to failure.

  • The poll() file operation is now allowed to sleep; see this article for more information on this change.

  • The CPU mask mechanism, used to represent sets of processors in the system, is in the middle of being massively reworked. The problem is that CPU masks were often put on the stack, but, as the number of processors grows, the stack lacks room for the mask. The new API is designed to get these masks off the stack, and to guard against anybody ever trying to put one back. See this posting by Rusty Russell for details on this work.

The merge window opened on December 28; if the usual two-week pattern holds, changes should be accepted through January 11. Tune in next week for an update on the final patches merged for the 2.6.29 kernel.

The future for grsecurity

By Jake Edge
January 7, 2009

Using an out-of-tree kernel patch has several downsides but, as long as the patch is maintained and updated with the kernel, it is workable. If the developers lose interest—or funding—it suddenly becomes a much bigger problem for users. That scenario may be about to play out for users of the grsecurity tool as a recent release comes with a warning that it could be the last.

Users of grsecurity are, unsurprisingly, worried about the future of the security tool, but calls for its inclusion in the mainline are not likely to be successful. Over time, largely because of the efforts of others outside of the grsecurity project, various pieces of grsecurity (and the associated PaX project) have been added to the kernel. But, there are a number of reasons that the full grsecurity patch is not in the mainline; the most basic is that the developers seem unwilling or uninterested in following the normal path to inclusion.

The grsecurity patch implements a number of security features that are useful, particularly for web servers or servers that provide shell access to untrusted users. One of the major features is role-based access control (RBAC), which is an alternative to the traditional UNIX discretionary access control (DAC) or the more recent mandatory access control (MAC) provided by SELinux and Smack. The aim of RBAC is to create a "least privilege" system, where users and processes have only the minimum necessary privilege to accomplish their task. grsecurity also includes hardening of the chroot() system call, to eliminate privilege escalation and other vulnerabilities from within a "chroot jail". In addition, there are a number of other miscellaneous features like auditing and restricting /proc information, all of which are listed on the grsecurity features page.

Another major component of grsecurity is the PaX code, which restricts memory use so that various exploits, such as buffer overflows and other code execution vulnerabilities, are blunted or eliminated. It does this by making data pages non-executable using—or emulating—the "no execute" (or NX) bit. PaX restricts mprotect() to not allow pages that are both writable and executable to avoid code injection as well. PaX also adds much more aggressive address space layout randomization (ASLR) than is currently used by Linux. PaX is developed separately from grsecurity, by the anonymous "PaX Team", then incorporated into grsecurity by developer Brad Spengler.
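
Whether a running kernel lets a process hold a page that is both writable and executable can be observed from user space. The following is an added example, not code from PaX or grsecurity; all names in it are hypothetical. It requests such a page by three routes and, where /proc/self/maps is readable, confirms the permissions actually granted rather than trusting the return code alone.

```c
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS under strict -std modes */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { PROBE_ERROR = -1, DENIED = 0, ALLOWED = 1 };

struct wx_report {
    int direct;     /* mmap() asking for W+X in one call       */
    int add_exec;   /* mprotect() adding X to a writable page  */
    int add_write;  /* mprotect() adding W to an executable page */
};

/* 1 if the mapping holding addr is both writable and executable, 0 if it is
 * not, -1 if /proc/self/maps cannot be read or has no matching line. */
static int mapped_wx(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            a >= lo && a < hi) {
            result = (perms[1] == 'w' && perms[2] == 'x');
            break;
        }
    }
    fclose(f);
    return result;
}

/* Map one anonymous page with start_prot, then try to make it W+X. */
static int probe(int start_prot)
{
    const int wx = PROT_READ | PROT_WRITE | PROT_EXEC;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, start_prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int verdict;

    if (p == MAP_FAILED)
        return start_prot == wx ? DENIED : PROBE_ERROR;
    if (start_prot != wx && mprotect(p, pg, wx) != 0)
        verdict = DENIED;
    else    /* call succeeded: denied only if the kernel dropped W or X */
        verdict = mapped_wx(p) == 0 ? DENIED : ALLOWED;
    munmap(p, pg);
    return verdict;
}

struct wx_report run_wx_probes(void)
{
    struct wx_report r;

    r.direct    = probe(PROT_READ | PROT_WRITE | PROT_EXEC);
    r.add_exec  = probe(PROT_READ | PROT_WRITE);
    r.add_write = probe(PROT_READ | PROT_EXEC);
    return r;
}

/* Summarize a report: no route to W+X means the restriction is enforced. */
const char *wx_policy(const struct wx_report *r)
{
    int allowed;

    if (r->direct == PROBE_ERROR || r->add_exec == PROBE_ERROR ||
        r->add_write == PROBE_ERROR)
        return "inconclusive";
    allowed = r->direct + r->add_exec + r->add_write;
    if (allowed == 0)
        return "enforced";
    return allowed == 3 ? "not enforced" : "partial";
}

int main(void)
{
    struct wx_report r = run_wx_probes();

    printf("mmap W+X: %d, add X: %d, add W: %d -> W^X %s\n",
           r.direct, r.add_exec, r.add_write, wx_policy(&r));
    return 0;
}
```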

The project has been around for a long time; grsecurity started in 2001, while PaX began in 2000. There are numerous satisfied users and grsecurity has been used in distributions such as NetSecL and Hardened Gentoo, but it has never made it into the mainline. Gabor Micsko recently posted a request on linux-kernel for Linus Torvalds to reconsider grsecurity:

The common opinion of the developers of grsecurity, PaX and their users is that acceptance of the code into the kernel would be the best solution for saving the project, beside finding another long-term sponsor.

Torvalds replied that much of what was in grsecurity and PaX was "insane and very annoying and invasive code." He then went on to explain some of the history:

The apparent inability (and perhaps more importantly - total unwilling[n]ess) from the PaX team to be able to see what makes sense in a long-term general kernel and what does not, and split things up and try to push the sensible things up (and know which things are too ugly or too specialized to make sense), caused many PaX features to never be merged.

Much of it did get merged over the years (mostly because some people spent the time to separate things out), but no, we're not going to suddenly start merging code like that just because the project is in trouble. None of the basic issues have been solved.

A perfect example of the unwillingness to work with the kernel hackers is embodied in the decision not to implement RBAC as a Linux Security Module (LSM). For better or worse, LSM is the mechanism used to implement access control in the kernel. Conceptually, it is a good fit for the grsecurity RBAC code. It might require additional LSM hooks, but working on getting those hooks added is the right approach. There was some uncertainty about LSM at one time, but it clearly is the way forward today.

There may also be an issue with the PaX code, in that anonymous contributions to the kernel are not allowed. Presumably Spengler, or some other interested hacker, could sign off on that code, but it cannot be accepted directly from "PaX Team".

To the extent grsecurity and PaX have been proposed for inclusion, they have always been presented as a single monolithic patch. There has never been an attempt to break the patch up into logical chunks that can be accepted or rejected on their individual merits. So far, that has not occurred even after the project lost its sponsor. But waiting until the last minute is not going to work. As Robert Hancock puts it:

Saying to the kernel developers "here, throw this huge blob of code into your kernel because otherwise we're taking our ball and going home" is not how it works.

If there is value in the existing code, interested users and developers need to work within the kernel process to get it accepted. To do that, one must identify the useful pieces and proceed from there. Valdis Kletnieks suggests:

Probably the best way to proceed would be for the stakeholders to come to some agreement on which parts are the "sane stuff" (which could be an interesting food fight), split those parts out, and submit them for inclusion as standalone separate patches.

This is yet another example of the perils of out-of-tree code. By all accounts, there are satisfied grsecurity users who may well be left behind if the grsecurity project fails to find sponsors by the end of March. They can, of course, continue running the grsecurity-enhanced kernels they currently have, but may not be able to take advantage of upcoming kernel advances.

Perhaps the stakeholders will gather together and continue updating grsecurity for newer kernels, but that still leaves the underlying problem. They would be better served spending at least part of their time working with the kernel hackers to get as much of grsecurity and PaX as possible merged into the mainline.

Btrfs aims for the mainline

By Jonathan Corbet
January 7, 2009
The Btrfs filesystem has been under development for the last year or so; for much of that time, it has been widely regarded as the most likely "next generation filesystem" for Linux. But, before it can claim that title, Btrfs must stabilize and find its way into the mainline kernel. Btrfs developer Chris Mason has been saying for a while that he thinks the code will come together more quickly if it is merged relatively soon, even if it is not yet truly ready for production use. General experience with kernel development tends to support this position: in-tree code gets more review, testing, and fixes than out-of-tree code. So the development community as a whole has been reasonably supportive of a relatively early Btrfs merge.

In our last Btrfs episode, Andrew Morton suggested that a 2.6.29 merge be targeted. Chris would like that to happen; to that end, he has posted a version of Btrfs for consideration. Unsurprisingly, that posting has already increased the amount of attention being paid to this code, with the result that Chris quickly got a list of things to fix. Most of those have now been addressed, but there are a few remaining issues which could still impede the merging of Btrfs in this development cycle. This article will look at the potential roadblocks.

One of those is the user-space API. Btrfs brings with it a whole set of new ioctl() calls, none of which have been seriously reviewed or even documented. These calls perform functions like creating snapshots, initiating defragmentation, creating or resizing subvolumes, adding devices to the volume set, etc. Interestingly, there has been no real complaint about the volume-management features of Btrfs in general. But the interface to features like that needs close scrutiny; normally, user-space APIs cannot be broken once they are merged into the mainline. There has been some talk of making an exception for Btrfs, since there is little chance of systems becoming dependent on a specific interface before Btrfs is production-ready.

Still, once distributions start shipping Btrfs tools - to help testers if nothing else - an API change would cause pain. Any potential for this kind of pain would make API changes very hard to do. So Linux may well end up being stuck with the early Btrfs API. Given that at least one developer thinks that this API needs a serious rework, this issue could turn out to be a serious roadblock indeed.

Then, there is the issue of the special-purpose locking primitives used in Btrfs. To understand this discussion, it's worth looking at the locking function used within Btrfs:

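    int btrfs_tree_lock(struct extent_buffer *eb)
    {
        int i;

        /* Fast path: the mutex is free, take it without spinning. */
        if (mutex_trylock(&eb->mutex))
            return 0;
        /* Poll the mutex up to 512 times without sleeping. */
        for (i = 0; i < 512; i++) {
            if (mutex_trylock(&eb->mutex))
                return 0;
        }
        /* Still contended: give up and sleep until it is available. */
        mutex_lock_nested(&eb->mutex, BTRFS_MAX_LEVEL - btrfs_header_level(eb));
        return 0;
    }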

The lock in question is a mutex, but it is being acquired in an interesting way. If the lock is held by another process, this function will poll it up to 512 times, without sleeping, in the hope that it will become available quickly. Should that happen, the lock can be acquired without sleeping at all. After 512 unsuccessful attempts, the function will finally give up and go to sleep.

Chris justifies this behavior this way:

Btrfs is using mutexes to protect the btree blocks, and btree searching often hits hot nodes that are always in cache. For these nodes, the spinning is much faster, but btrfs also needs to be able to sleep with the locks held so it can read from the disk and do other complex operations.

For btrfs, dbench 50 performance doubles with the unconditional spin, mostly because that workload is almost all in ram. For 50 procs creating 4k files in parallel, the spin is 30-50% faster. This workload is a mixture of disk bound and CPU bound.

That kind of performance increase seems worth going for. In fact, it reflects a phenomenon which has been observed in other situations as well: even when sleeping locks are used, performance often improves if a processor spins for a while in the hope that a contended lock will become available. If the lock can be acquired without sleeping, then the overhead associated with putting the process to sleep and waking it up can be avoided. Beyond that, though, there is the fact that the process seeking to acquire the lock is probably well represented in the CPU's cache. Allowing that process to continue to run will, if the lock can be acquired quickly, almost certainly lead to better system performance.

For this reason, the adaptive realtime locks patch was developed last year, though it never found its way into the mainline. In response to the Btrfs discussion, Peter Zijlstra proposed a spinning mutex patch which is intended to provide the same benefits as the special Btrfs locking function, but for more general use and without the addition of magic constants. In Peter's patch, an attempt to acquire a contended lock will spin for as long as the process holding that lock is actually running on a CPU. If the lock holder goes to sleep, any process trying to acquire the lock also goes to sleep. The heuristic seems to make sense, though detailed benchmarks have not been posted. The patch was received reasonably well, though Linus has insisted that some changes be made.

So a more general spinning mutex may well find its way into the mainline. Whether it will go in for 2.6.29 is not clear, though. Developers tend to like their core locking primitives to be reasonably well tested; merging something which was developed toward the end of the merge window could be a hard sell. Until something like that happens, Chris is uninterested in removing his special locking function:

But, if anyone working on adaptive mutexes is looking for a coder, tester, use case, or benchmark for their locking scheme, my hand is up. Until then, this is my for loop, there are many like it, but this one is mine.

Finally, there is the question of the name. Some reviewers have suggested that the filesystem should be merged with a name which makes it clear that it's not meant for production use - "btrfsdev," for example. Chris is resistant to that idea, noting that, unlike existing filesystems, Btrfs is known to be new and has no reputation for stability. He has stated his willingness to make the change, though, if it is truly considered to be necessary. Bruce Fields pointed out that calling it "Btrfs" from the beginning could possibly burn future developers who boot an old kernel (with a non-production Btrfs) after switching to a newer, production-ready version of the filesystem.

All of this adds up to an uncertain fate for Btrfs in 2.6.29; there are a fair number of open issues and it's late in the merge window. Of course, Btrfs could be merged after 2.6.29-rc1; since it is a completely new subsystem, it won't cause regressions. But if Linus concludes that there are enough loose ends in the current Btrfs code, he may just decide to give it one more development cycle before bringing it into the mainline. So, while nobody seems to doubt that Btrfs will go in, the question of when remains open.

(With any luck, we hope to have an authoritative article on Btrfs for this page in the near future, once the author - you know who you are! - gets it written. Stay tuned.)

Patches and updates

Core kernel code

  • Casey Dahlin: waitfd. (January 7, 2009)

Device drivers

  • Dave Airlie: drm. (January 5, 2009)

Page editor: Jonathan Corbet


News and Editorials

Social networking and the Linux distribution

By Rebecca Sobol
January 7, 2009
Last August a friend of mine invited me to join Facebook, a social networking site. I was skeptical. After all, when you spend hours every day working on a computer, spending more hours networking with friends seems less than attractive.

Lately though, I've been seeing mention of various distributions on Facebook, so I thought I'd take a look for other Linux groups. The first I found in my search is the GNU Linux group, with over 24,000 members.

There are around 500 groups of various distribution fans. Any member can join a group, if the group is open. Look for the groups Debian GNU/Linux and Gentoo Linux Users (motto: if it moves compile it). Also SuSE Linux Users and openSUSE Linux. There's BackTrack Linux, an unofficial Ubuntu Linux group, Arch Linux, Pardus Linux Users, Mandriva Linux Users, Linux Mint, Fedora - Linux, and many more. I only looked at 40 of 500 groups.

There are many individuals with Linux in their names. As individuals you can only find out more about them if you become friends. Most seem to be fans of one distribution or another. There are many instances of Ubuntu Linux or Linux Ubuntu, Fedora Linux or Linux Fedora, plus fans of Linux Unbuntu, Linux Suse, Debian Gnu Linux, Redhat Linux, Linux Barrera, Mandriva Linux, Apollokk Arch-Linux, Linux Centos, Dell Linux, Linux Asianux, Mk Linux, Intel Linux, Comunidad Linux, Linux Latin America, Knoppix Linux, Maghreb Linux in Morocco, Sabayon Linux, Tito Linux in Egypt, Linux Galore in India, Zune Linux and Tux Linux. The spellings and capitalization are copied directly from Facebook. Other obvious fans include Unix Linux from Morocco, Linux Torvaldo, Linus Linux, and Linus Linux Torvalds from France.

You can find local user groups, Linux forums, Python fans, more distribution fan groups, and if you can't find what you are looking for you can start your own group, if you are a Facebook member of course. even has an unofficial fan site, so stop by for a visit.

All this research was done on Facebook. I have yet to join MySpace, Twitter or any of the growing number of other social networking sites.

Comments (1 posted)

New Releases

Fedora Unity F9 20081217 respins

The Fedora Unity Project has new respins of Fedora 9, with all errata as of December 17, 2008.

Full Story (comments: none)

FreeBSD 7.1-RELEASE Available

The FreeBSD Release Engineering Team has announced the availability of FreeBSD 7.1-RELEASE. This is the second release from the 7-STABLE branch which improves on the functionality of FreeBSD 7.0 and introduces some new features.

Full Story (comments: none)

GNUmed Live CD 0.3.8 released (LinuxMedNews)

LinuxMedNews announced the release of the GNUmed Live CD version 0.3.8. "With the help of this CD one can testdrive GNUmed without altering the currently running environment. No installation necessary. Just download the CD image and either burn it to a CD or set up the CD image as a virtual CD drive. GNUmed client 0.3.8 is included and configured to connect to. No setup needed!"

Comments (none posted)

Lunar Linux 1.6.4 (i686 & x86-64) ISO's released

The Lunar team has announced the final release of Lunar Linux 1.6.4 codename 'Lacus Autumni'. "After almost two years since the last stable release it's finally here, Lunar Linux 1.6.4. We've reached a new milestone, 1.6.4 is our most polished release to date. Our hope is that everyone will enjoy it as much as we've done making it. The effort of improving our installer and iso will of course continue. Stay tuned next year for some exciting new features that are in store for Lunar!"

Full Story (comments: none)

Tin Hat 20081229 released

Tin Hat Linux has released v20081229. "I'd like to make the list aware that there is a new release of Tin Hat out. For those unfamiliar, Tin Hat is a fully featured Linux desktop based on Hardened Gentoo which runs purely in RAM. It aims to be very secure, stable, and fast. Thanks to the dedicated Gentoo developers, our group continues to put together a tightly knit hardened desktop environment."

Full Story (comments: none)

Distribution News

Debian GNU/Linux

Debian votes to move forward with Lenny release

The results of the Lenny general resolution vote for Debian are in. The project has chosen to "Assume blobs comply with GPL unless proven otherwise" which will allow the Lenny (5.0) release to proceed. The basic problem recurs each time a release is imminent: kernel firmware does not meet the Debian Free Software Guidelines. We looked at this contentious vote a few weeks back; since that time project secretary Manoj Srivastava has resigned and Bdale Garbee has stepped in as acting secretary. It would appear that the outcome was decided shortly after the vote ended on December 27, but we somehow missed the announcement until now.

[ Update: The announcement email is now available: "Since the election concluded, several developers have asked for some statement from the DPL and/or Secretary as to what this result really means. Steve and I have discussed it, and we think it's pretty clear. This result means that the Debian Lenny release can proceed as the release team has intended, with the kernel packages currently in the archive." ]

Comments (4 posted)

Temporary suspension of testing security support after release of 5.0 (lenny)

When Debian 5.0 is released the testing repository will be known as squeeze (it's now lenny). Security support for squeeze will be suspended for a few weeks after the release. "due to the experiences we made after the last stable Debian release, the Testing Security Team believes that it will be impossible to provide proper security support for the new testing (Debian "squeeze") in the weeks following the release of Debian 5.0 (lenny). Therefore we will temporarily suspend security support for Debian testing after the release."

Full Story (comments: none)

Bits from the Debian CD team

The Debian CD team has implemented some late improvements of the CD and DVD images available for Lenny. Click below for a list to see what's new in the Debian 5.0/Lenny CDs and DVDs.

Full Story (comments: none)

Distribution Newsletters

Ubuntu Weekly Newsletter #123

The Ubuntu Weekly Newsletter for January 3, 2008 covers: Notification, indicators and alerts, Making LoCo Teams Rock, Planet Ubuntu and Corporate Blogs, Ubuntu live on TV, Ubuntu Berlin review of 2008, Tunisian Team Events in December, 12 days of Launchpad, Full Circle Magazine #20, Meeting Summaries, and much more.

Full Story (comments: none)

openSUSE Weekly News, Issue 52

The January 1st issue of the openSUSE Weekly News is out. "In this week's issue: openSUSE Education available SLE10 and 11.1, Zimbra Mail Server Training in Indonesia, Q&A with Joe Brockmeier, Forums: Getting VMware to run on openSUSE 11.1, Best of Newsletter 2008"

Comments (none posted)

OpenSUSE Weekly News, Issue 53

This issue of the OpenSUSE Weekly News covers: Masim Sugianto: First Hackfest for Indonesian openSUSE Community, How to Make openSUSE 11.1 LiveUSB, Joe Brockmeier: openSUSE - One of the 10 coolest of 2008, Marek Stopka: Fatrat - Nice download manager in OBS..., Howto-How to compile the new Kernel 2.6.28?

Comments (none posted)

The Mint Newsletter - issue 70

The Mint Newsletter published January 4, 2009 is out. "Merlwiz and Exploder are happy to release LinuxMint-6-XFCE as an RC. A few things have to be checked and/or added to the repositories and Merlwiz needs to write release notes but it's likely this release will be ready any time now. LinuxMint-6-x64 is ready for testing and will be released soon (at the end of the coming week we hope). After a lot of testing and talking we decided KDE 4.1 wasn't fit for usage and we couldn't release it this way. The decision was made to wait for KDE 4.2 stable (which is planned for the end of this month) and to then design a Mint 6 KDE CE based on Kubuntu 8.10 but with Amarok 2.0 and KDE 4.2. This means there won't be any KDE CE release this month."

Comments (1 posted)

Echo Monthly News

Fedora's Echo Monthly News covering November and December looks at Echo Perspective - Proposed Designs and Proposed Guideline Changes - Bitmap Post-processing in Echo Icons.

Comments (none posted)

DistroWatch Weekly, Issue 284

The DistroWatch Weekly for January 5, 2009 is out. "Perhaps a good way of starting the year is with a look at the 17-year old history of Linux and Linux distributions - from the modest first release of "it won't be as big as GNU" to today's dominance of the free operating system in server rooms, if not yet on the desktop. In the news section, Debian votes to clear the firmware issue prior to the release of "Lenny", Ubuntu proposes a new system-wide notification agent for the desktop, and openSUSE announces preliminary plans for the release of version 11.2. The end of 2008 gives us a good opportunity at taking a look at which were the most visited distribution pages during the past 12 months, while the beginning of the new year means a new donation - US$250 go to the LXDE project."

Comments (none posted)

Distribution meetings

Debian FOSDEM talks!

A third and final call for talks in the Debian DevRoom at FOSDEM is out. "So people, please, if you have something you think /might/ be interesting to talk about, let me know. Experience taught me that if you think it might be interesting, it usually is interesting enough to have a talk about. And if not, I prefer having an interesting talk on the schedule rather than having nothing but my thumbs to twiddle."

Full Story (comments: none)

Distribution reviews

Linux Mint Review

A review of Linux Mint version 6 "Felicia", based on Ubuntu, is available. "The number of Mint-specific additions in this release is impressive. It's good to see that the team isn't just focused on slapping on a different coat of paint and calling it a day. More offshoot distributions should follow this example. Don't just embrace, extend as well!"

Comments (none posted)

The Xubuntu Difference (Linuxlandit)

A blog called Linuxlandit & The Conqueror Worm takes a look at Xubuntu. "By focusing on quality, Xubuntu produces a robust and feature-rich computing environment that is suitable for use in both home, commercial, and educational environments. The project takes the time required to focus on finer details and is able to release a version featuring the latest and greatest of today's software once every 6 months. Xubuntu is available in flavours for the i386 (386/486/Pentium(II/III/IV) and Athlon/Duron/Sempron processors), AMD64 (Athlon64, Opteron, and new 64-bit Intel processors). A community-supported PowerPC (iBook/Powerbook, G4 and G5) architecture is also available."

Comments (none posted)

Page editor: Rebecca Sobol


BleachBit: Does GNU/Linux need the equivalent of a Windows registry cleaner?

January 6, 2009

This article was contributed by Bruce Byfield

On Windows, configuration options are stored in the registry, and are arcane enough that most people use a specialized editor, or cleaner, to remove unnecessary information. Recently, in a blog entry, Andrew Ziem argued that GNU/Linux needs the equivalent of a registry cleaner on Windows. He does so by pointing out examples of files and directories that remain in your home directory even after a package is deleted, and offers his new program BleachBit as a solution. However, while BleachBit -- currently at version 0.2.1 -- is easy enough to use, you have to wonder whether the minimal disk space saved or the privacy gained by running it is worth the effort -- especially when such advantages come with the risk of accidentally deleting information.

BleachBit is available as source code, or as packages for various recent versions of CentOS, Debian, Fedora, Mandriva, openSUSE, and Ubuntu, as well as SUSE Linux Enterprise and Red Hat Enterprise Linux. At 16 kilobytes, it downloads almost instantly. It is enough of a standalone program that, if necessary, you can install the different .DEB and .RPM packages on a wide variety of other distributions.

As an application, BleachBit is largely self-explanatory. You select an operation from the left hand pane, reading a brief description of it in the right hand pane if necessary, and click the Preview button to see what will be deleted, then the Delete button to actually remove files and directories. Operations complete in well under 20 seconds, even if you choose all of them.

The list of applications that BleachBit cleans is a long one, and grows with each release. In the current version, the supported applications include Bash, Beagle, Epiphany, Firefox, and KDE. BleachBit also supports proprietary applications, such as Flash and Opera, as well as desktop caches and recent document lists. Among those not supported are GNOME and Mozilla Thunderbird -- although, to be fair, BleachBit is in rapid development, and is only likely to increase its support in later releases.


The BleachBit interface is also in development. The descriptions of operations would be more visible with word wrapping, and, although a generic warning that deleted files cannot be recovered appears before anything is deleted, a confirmation specific to your choices -- and, perhaps, suggesting that you preview first -- might also be in order.

Even more importantly, you should be aware that BleachBit does not clear your choice of operations after they are complete, even when you close and restart the application. That means that, unless you check carefully, you could easily find yourself performing an unintended operation, all the more so because the list of operations requires scrolling to see every item, even when the BleachBit window is maximized. Similarly, you need to remember that selecting a top-level operation, such as Firefox, selects a number of other operations, not all of which you necessarily want.

Useful, redundant, or dangerous?

The real question about BleachBit is not so much how to use it, but whether it is needed or even advisable to use. Ziem himself admits in his blog entry that "there is no promise your system will run much faster" if you use BleachBit -- and that "much" seems a euphemism for "any," if the results on my test systems are any indication. After all, unlike an unneeded entry in the Windows registry, most unused configuration files on GNU/Linux are simply not accessed, and therefore have no effect on system performance.

True, running BleachBit can free up hard drive space. However, because many configuration files are plain text, in many cases the space freed is measurable in kilobytes. The largest savings is likely to be in browser caches, but the total freed space is unlikely to be more than a gigabyte or two, an amount barely noticeable on recent computers. So, unless you are temporarily in need of more storage space until you can get out and buy an external drive, are on a network where your available space is limited, or take an anal-retentive pleasure in cleaning your system, you may find the saving of hard drive space a less than compelling argument for BleachBit. If you don't miss the space occupied by unnecessary files, then you won't see much need to reclaim it.

Probably the best argument in favor of BleachBit is the ease with which it protects your privacy. Many programs, such as Firefox, have their own controls for clearing associated files, and, if nothing else, you can set a file manager to view hidden files, and cherrypick the ones you want to delete manually. Yet, whether you wish to hide your viewing habits or simply believe in privacy, the convenience and efficiency of cleaning everything in your home directory from a single window is undeniable. By using the Preview, you can even learn from BleachBit the location and name of configuration files, which is more than you can say for many desktop administration utilities.

However, as with any desktop utility, the danger of BleachBit lies in putting power in the hands of users who may not be fully aware of what they are doing. Fortunately, unlike cleaners of the Windows registry, BleachBit does not affect system configuration, so it is not going to leave you with an unusable system if you accidentally delete the wrong file. Still, a mistake made when running BleachBit could mean the loss of valuable information stored in configuration files. After all, the whole point of having a BASH history is so that you don't need to recall or retype a command you have recently used. Similarly, if you miss that Sign ons under Firefox in the operation pane includes bookmarks and recently visited URLs, you could easily lose information that you were counting on being preserved.

Moreover, such mistakes are all the easier to make because of BleachBit's interface deficiencies (see above). Personally, I would be much more assured about BleachBit if these deficiencies were corrected, and actions within the application were hedged with more warnings and reviews of what you are about to do. Some users might complain about such additions, but making an application idiot-proof is a basic requirement if you are going to offer desktop users the power to make sweeping changes. After all, no matter what our experience, we can all be idiots sometimes, especially if tired or rushed.


None of these concerns are necessarily reasons to avoid BleachBit. Personally, I end with mixed feelings about the application. Possibly, BleachBit is an example of how following the Windows analogy too closely can lead to programs of minimal use. Alternatively, perhaps it empowers users to do what is otherwise more difficult and time-consuming, and allows them to protect their privacy without having to learn about their systems. Possibly, both could be true at the same time.

But, perhaps in the long run, the value of an application like BleachBit lies less in any improvements in performance or privacy that it offers than in the discussion of desktop and system design it provokes. Packages should be removing all traces of themselves when they are removed, but, as Ziem observes, many are not. Perhaps what is needed is not a tool like BleachBit, but stricter policies by distributions about the scripts that packages run before they are removed.

Comments (21 posted)

System Applications

Audio Projects

Rivendell 1.2.1 released

Version 1.2.1 of Rivendell, a radio station automation system, has been announced. "This is a maintenance release of Rivendell. The following issues have been corrected: Several errors in handling metadata values in file imports have been corrected, and support for detecting Ogg metadata tags added. Fixed a bug in RDAirPlay that could cause a segfault when loading a log over an existing log."

Full Story (comments: none)

Database Software

Firebird Roadmap 2009

The Firebird DBMS project has published a roadmap for 2009. "The major Firebird version currently in development is v.2.5. Its feature set is being finalized at the moment in preparation for entering the Beta stage of development. The start of the Beta cycle will be accompanied by a "feature freeze" rule. The v.2.5 cycle has presented more challenges than usual in the areas of debugging and testing, due to more significant technological rework in the multi-threading part than we expected. The effect has been some degree of slippage from the original schedule. Once the v.2.5 Beta cycle is under way, we begin the development of the next major version - v.3.0."

Comments (none posted)

PostgreSQL Weekly News

The December 28, 2008 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

PostgreSQL Weekly News

The January 4, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

PyGreSQL 4.0 announced

Version 4.0 of PyGreSQL has been announced. "We are pleased to announce the release of PyGreSQL 4.0. [T]his is a major release and you should check it carefully before using in existing applications. There may be some incompatibilities. PyGreSQL is a Python module that interfaces to a PostgreSQL database. It embeds the PostgreSQL query library to allow easy use of the powerful PostgreSQL features from a Python script."

Full Story (comments: none)

Device Drivers

AMD Releases Open-Source R600/700 3D Code (Phoronix)

Phoronix has the details on AMD's release of 3D drivers for ATI R600 and R700 graphics processors. "Since earlier this year we have been waiting for AMD to release documentation and/or code on the ATI R600 series concerning 3D acceleration so that the open-source Linux drivers can begin to support the newer ATI graphics processors. It has taken longer than expected for AMD to complete and release this information, but it's now available. AMD has released the fundamental Linux code needed to begin fostering the development of an open-source R600 3D driver. Furthermore, this code also concerns the latest R700 series of graphics processors! The microcode for the newest GPUs has also been released."

Comments (27 posted)

Embedded Systems

BusyBox 1.13.2 and 1.12.4 released

Stable version 1.12.4 and unstable version 1.13.2 of BusyBox, a collection of command line utilities for embedded systems, have been announced. "Bug fix releases. 1.13.2 has fixes for crond, dc, init, ip, printf. 1.12.4 has fixes for ip and printf."

Comments (none posted)


Samba 3.2.7 is available

Version 3.2.7 of Samba has been announced. "This is a security release to address CVE-2009-0022. The original advisory is available online."

Comments (none posted)

Networking Tools

Hosts3D: 0.96 Released (SourceForge)

Version 0.96 of Hosts3D has been announced. "Hosts3D is a 3D real-time network monitor, displaying hosts & packet traffic. Features: multiple sensor support, gather hostnames & services, configurable subnetwork layout, record/replay packet traffic, filter packets by hosts, protocol or port."

Comments (none posted)

Twisted 8.2 released

Version 8.2 of Twisted, an event-driven networking engine, has been announced. "Twisted 8.2 is a major feature release, also including many important bug fixes:

* twistd now has a --umask option for specifying the umask
* Log observers can now be configured in .tac files
* ProcessProtocols can now implement processExited to get reliable notification of a process exiting
* FTPClient has many more convenience methods
* Twisted.words now has a standalone XMPP router
* Twisted.names now supports NAPTR records
* Twisted.web can now deal with multi-value headers and supports the Range header in requests for static files".

Full Story (comments: none)

Web Site Development

JW FLV Player: 4.2 (SourceForge)

Version 4.2 of JW FLV Player, a web-embeddable video application, has been announced. "It supports playback of any format the Adobe Flash Player can handle (FLV, MP4, MP3, AAC, JPG, PNG and GIF). It also supports RTMP, HTTP, live streaming, various playlists formats, a wide range of settings and an extensive javascript API. The skinning functionality allows you to completely customize its look and its plugin architecture allows you to easily extend the player with features such as sharing, recommendations, searching, analytics and ad serving."

Comments (1 posted)

Midgard 8.09.3RC3 released

Version 8.09.3RC3 of the Midgard web content management system has been announced. "The Midgard Project has released a third release candidate for the third maintenance release of Midgard 8.09 Ragnaroek LTS. Ragnaroek LTS is a Long Term Support version of the free software content management framework. The 8.09.3 release focuses on API and architecture cleanups in order to ease transition from Midgard 1.x series API to Midgard 2.x APIs."

Full Story (comments: none)

Desktop Applications

Data Visualization

matplotlib released

Version of matplotlib, a 2D plotting library, has been announced. The what's new document has not been updated yet.

Comments (none posted)

Desktop Environments

The GNOME DVCS survey

Elijah Newren has posted a lengthy analysis of the recently-concluded developer survey on distributed version control systems. "It looks like there's a strong preference in the community toward switching, and that git has a strong lead in preference among the community, followed by svn, then bzr, then mercurial."

Comments (22 posted)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at

Comments (none posted)

A pile of KDE Commit-Digests

The last nine issues of the KDE Commit-Digests for 2008 were published this week:

Comments (1 posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)


gEDA/gaf 1.4.3-20081231 announced

Stable version 1.4.3-20081231 of gEDA/gaf, a set of electronic CAD tools, has been announced. "I have released the last stable release of gEDA/gaf for this year today (1.4.3-20081231). I'm _really_ hoping that this is the last stable release in the v1.4.x series. The sooner we can get 1.5.2 and 1.6.0 out the door the better. 1.4.3 is a roll up release that picks up a bunch of bug fixes since 1.4.2. Many thanks to everybody who did the cherry picking work (PeterB and PeterC) for this release."

Comments (none posted)

LayoutEditor 20090105 announced

Version 20090105 of LayoutEditor, an integrated circuit design tool, has been announced. Open Collector has the release details: "New features: dialog to manage the layers, mapping layer/datatype on GDS/OASIS import/export possible, shortkey learning with CapsLock key, export of gerber format, barcode generator, add a crop cell function, add a crop sharp angles function, add a convert to mesh function, enhancement of the manual routing, add support of non square vias, editing of circle properties, add SVG+CVS+pixel file formats, ... and many smaller bug fixes."

Comments (none posted)

Financial Applications

SQL-Ledger 2.8.19 announced

Version 2.8.19 of SQL-Ledger, a web-based accounting package, has been announced. Changes include: "added missing localization strings for batch printing module, added query to unlock orders when invoice is removed, added option to generate detailed purchase orders from sales orders, cross-reference consolidated orders; recall original order, shipping address selection; select from previous addresses or enter a new address, added missing lineitem details on ship/receive screen and changed template parser to allow for multiple spaces and inline if statements."

Comments (none posted)


Lepton particle engine 0.7a released

Version 0.7a of Lepton particle engine has been announced. "I'm pleased to announce the 0.7 alpha release of Lepton, a high-performance, pluggable particle engine and API for Python. It is designed for creating graphical special effects for games or other visual applications. The engine is designed to be very flexible and does not rely on any other libraries directly. You can use it either with OpenGL (via pyglet, PyOpenGL, wxPython, etc), or with pygame by selecting the appropriate renderer. Examples are provided using pyglet and pygame. Although this is an alpha release, I think it is stable enough to be useful, and I encourage you to give it a try."

Full Story (comments: none)


Wine 1.1.12 announced

Version 1.1.12 of Wine has been announced. Changes include: "Some simple 64-bit apps should now run. Support for subpixel font rendering. 64-bit code generation in the IDL compiler. New version of the Gecko engine. Various bug fixes."

Comments (none posted)

Music Applications

alsaseq 0.3 announced

Version 0.3 of alsaseq has been announced. "The third version of alsaseq, bindings to the ALSA sequencer has been released. A Makefile with test and install options was added to simplify building and installation; some constants were updated according to recent versions of the ALSA library."

Full Story (comments: none)

Announcing LilyPond 2.12

Version 2.12 of LilyPond, a music typesetting system, has been announced. "Our joy is tinged with sadness, as long-time LilyPond contributor and friend Rune Zedeler passed away on the 2nd of July, 2008. This release is dedicated to him."

Full Story (comments: none)

Office Suites

OpenOffice.org Newsletter

The December, 2008 edition of the OpenOffice.org Newsletter is out with the latest OO.o office suite articles and events.

Full Story (comments: none)

Video Applications

IMDbPY 3.9 released

Version 3.9 of IMDbPY has been announced. "IMDbPY is a Python package useful to retrieve and manage the data of the IMDb movie database about movies, people, characters and companies. With this release, improved search for series episodes, support for dumping data in CSV files. Many bugs fixed and other minor improvements."

Full Story (comments: none)


BleachBit 0.2.0 released

Version 0.2.0 of BleachBit has been announced. "BleachBit is a registry, Internet history, privacy, and file cleaner for Linux and Python v2.4 - v2.6."

Full Story (comments: none)

TakeNote 0.4.5 announced

Version 0.4.5 of TakeNote has been announced; some new capabilities have been added. "TakeNote is a simple cross-platform note taking program implemented in Python. I have been using it for my research and class notes, but it should be applicable to many note taking situations."

Full Story (comments: none)

Release 0.71.5 of Task Coach

Version 0.71.5 of Task Coach has been announced; it adds one usability enhancement and some bug fixes. "Task Coach is a simple task manager that allows for hierarchical tasks, i.e. tasks in tasks. Task Coach is open source (GPL) and is developed using Python and wxPython."

Full Story (comments: none)

Languages and Tools

Assembly Language

The Linux binutils is released

Version of the Linux binutils has been announced. "This is the beta release of binutils for Linux, which is based on binutils 2009 0106 in CVS on plus various changes. It is purely for Linux. All relevant patches in patches have been applied to the source tree."

Full Story (comments: none)


GCC 4.4.0 Status Report

The January 6, 2009 edition of the GCC 4.4.0 Status Report has been published. "The trunk remains Stage 4, so only fixes for regressions (and changes to documentation) are allowed. As stated previously, the GCC 4.4 branch will be created when there are no open P1s and the total number of P1, P2, and P3 regressions is under 100. One issue that remains is removing the old register allocator."

Full Story (comments: none)


Caml Weekly News

The December 30, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

Caml Weekly News

The January 6, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)


itools 0.50.1 released

Version 0.50.1 of itools, a Python library meta-package, has been announced. "The 'frozendict' class has been added and the 'freeze' function has been finished. The 'is_datatype' function has been deprecated. Various fixes, including #483 and #484."

Full Story (comments: none)

PyYAML-3.08: Now with Python 3 support

Version 3.08 of PyYAML has been announced. "YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python. PyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML supports standard YAML tags and provides Python-specific tags that allow to represent an arbitrary Python object."

Full Story (comments: none)

Python-URL! - weekly Python news and links

The December 29, 2008 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Python-URL! - weekly Python news and links

The January 6, 2009 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)


Tcl-URL! - weekly Tcl news and links

The January 7, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)


RFIDIOt 01.v released

Version 01.v of RFIDIOt has been announced; it adds a new Java applet for the JCOP card. "RFIDIOt is an open source python library for exploring RFID devices."

Full Story (comments: none)


Valgrind 3.4.0 is available

Version 3.4.0 of Valgrind has been announced. "Valgrind is an open-source suite of simulation based debugging and profiling tools. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, which avoids hours of frustrating bug-hunting, and makes your code more stable. You can also perform detailed time and space profiling to help speed up and slim down your programs. 3.4.0 brings some significant tool improvements. Memcheck can now report the origin of uninitialised values, the thread checkers Helgrind and Drd are much improved, and we have a new experimental tool, exp-Ptrcheck, which is able to detect overruns of stack and global arrays."

Full Story (comments: none)

Version Control

Mercurial 1.1.2 released

Version 1.1.2 of the Mercurial source control management system has been announced. "This is a minor release including one security fix and two minor bug fixes."

Full Story (comments: none)

monotone 0.42 released

Version 0.42 of monotone has been announced. "Amongst the usual bug fixes, small improvements and speedups in several areas, the outstanding shiny new feature is that you can now handle merge conflicts asynchronously".

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Linux: this year's silver lining? (The Register)

Jim Zemlin, executive director of the Linux Foundation, thinks 2009 will be a good year for Linux. ""Even though 2008 was in recession, the Linux platform did well, and it is growing faster than other platforms," Zemlin told us during an interview. "Linux definitely has critical mass, and you use Linux ten times a day and you don't even know it. So in 2009, we expect to see a bit of growth. It is not going to be a boom year for anybody, but at the end of the day, Linux is positioned to do well.""

Comments (13 posted)

Felten's 2009 predictions

Here are Ed Felten's predictions for 2009. "(6) Questions over the enforceability of free / open source software licenses will move closer to resolution."

Comments (none posted)

A look back at the open source victories of 2008 (ars technica)

Ryan Paul reflects on the best of 2008. "The past year brought some exciting advancements for the Linux operating system and open source software. Open technology continues to become more pervasive and the Linux kernel is now widely used in a multitude of mainstream products ranging from set-top boxes to mobile phones. With 2008 coming to a close, we wanted to take a minute to look at some events of significance to the open source software community."

Comments (none posted)

Linux at Work

Palm needs Nova to shine (San Francisco Chronicle)

The San Francisco Chronicle looks at another entry into the Linux-based mobile phone space. Palm is expected to unveil "Nova" as a replacement for Palm OS on both phones and mobile internet devices. "Palm is poised to make what some analysts are calling its last stand at this week's Consumer Electronics Show, where it is expected to introduce its long-awaited Linux-based operating system. [...] Code-named Nova, it will power a new generation of smart phones and potentially other devices. The move is Palm's best chance to get back into the smart phone market, which it pioneered with its Treo handsets and later ceded to companies such as BlackBerry-maker Research in Motion and Apple with its iPhone."

Comments (8 posted)


Recording the Linux desktop -- the hard way (Computerworld)

Over at Computerworld, Steven J. Vaughan-Nichols tries to find a way to make screen videos in Linux. One of the main issues he ran into was creating videos in a format that Windows and OS X would handle. "After a number of attempts, I finally found my answer in Google Code: WinFF. Despite the name, this is actually an open-source front end to FFmpeg that works with both Linux and Windows. This program, by Matthew Weatherford, solved all my video conversion woes. It's straightforward, easy to use (once you have the appropriate video codec libraries installed) and does the job. Best of all, the program understands all the various flavors of AVI, so converting my OGVs into basic Microsoft-compatible AVIs was a breeze."

Comments (17 posted)

Linux Gazette #158 is out

The January edition of Linux Gazette is out. Articles include Gnuplot in Action, by Philipp K. Janert; Joey's Notes: Sendmail and Dovecot e-mail on RHEL 5, by Joey Prestia; Our monthly column of basic Linux advice and education; Using Hyperestraier to search your stuff, by Karl Vogel; Getting Started with the Exim Mail Server, by Neil Youngman; plus the usual features.

Comments (none posted)


The November Cornucopia: One Month In Linux Audio (Linux Journal)

Dave Phillips looks at audio software for Linux. "This week I'm your straight reporter bringing you news of updates, upgrades, and new releases in the world of Linux audio software. Development in this world is continuously productive, so I'll present only a selection of the Linux sound and music applications and utilities announced in the month of November in the year 2008."

Comments (none posted)

Social Semantic Sense for the Desktop (MIT Technology Review)

MIT Technology Review takes a look at the NEPOMUK Project. "People naturally group information by topic and remember relationships between important things, like a person and the company where she works. But enabling computers to grasp these same concepts has been the subject of long-standing research. Recently, this has focused on the Semantic Web, but a European endeavor called the Nepomuk Project will soon see the effort take new steps onto the PC in the form of a "semantic desktop."" (Found in KDE.News)

Comments (17 posted)

Everyone's free Linux: DeviceVM's Splashtop (ComputerWorld Blog)

Steven J. Vaughan-Nichols looks at Splashtop. "Splashtop is a mini-desktop Linux distribution that's based on the 2.6.20 Linux kernel. Currently, Splashtop comes pre-installed on pretty much all ASUS motherboards and on netbooks and laptops from ASUS, HP's high-end VoodooPC division and Lenovo. Rumor has it that Splashtop and similar baked-in desktop Linuxes, like Dell's "BlackTop," aka Latitude ON, will soon be appearing from other PC and motherboard vendors. I wouldn't be in the least bit surprised if DeviceVM makes some new partner announcements at this week's CES (Consumer Electronics Show)."

Comments (12 posted)

6 best personal finance apps for Linux (TechRadar)

TechRadar takes a look at personal finance applications for Linux. The article looks at five free applications (GnuCash, KMyMoney, Buddi, Grisbi, and JGnash) as well as the Moneydance 2008 proprietary solution. "This kind of software is all about the data; getting it in, getting it out and doing useful things with it. In terms of getting data into the package, there are three things we need. We want software that makes it easy to add items to the spending side because you'll be less likely to update your ledger if doing so proves annoyingly difficult. [...] We want filters that will import transaction data downloaded from our bank account and allow easy reconciliation between local and remote records. Finally, we want to be able to set up periodic transactions that can be added to the ledger at certain points each month to deal with things such as mortgage payments."

Comments (14 posted)


Android netbook is a possibility (Inquirer)

The Inquirer looks at Google's Android OS on the netbook. "Matthäus Krzykowski and Daniel Hartmann who run an outfit called Mobile-facts claim that it took them just four hours to compile Android so that it works on an Asus EEEPC 1000H."

Comments (49 posted)

Page editor: Forrest Cook


Non-Commercial announcements

DSS, Inc., announces open-source version of vxVistA EHR Framework (LinuxMedNews)

LinuxMedNews reports on a new open-source medical software release. "DSS, Inc. has announced that its vxVistA product a Veterans Affairs VistA distribution that is CCHIT certified will now be open source under the Eclipse Public License (clarification: the EPL'ed version will not be CCHIT certified although they will share much of the same code)".

Comments (none posted)

FSFE announces New Year's Resolution Fellowship campaign

The Free Software Foundation Europe has announced their New Year's Resolution Fellowship campaign. "We're asking people what they can do in 2009 to improve things for themselves and others in the sphere of software freedoms. The best way is to join the successful Fellowship membership strand of our organisation, through which Fellows work for software freedoms - and have fun doing it! The Fellowship will soon have representation on FSFE's General Assembly, enabling a motivated Fellow to make even more of a difference, and represent the views of Fellows worldwide."

Full Story (comments: none)

No preliminary injunction in the Jacobsen case

Last year, the Jacobsen/JMRI case produced an appeals court ruling to the effect that free software licenses are truly licenses; that result was seen as a big victory for the community. Now the Law & Life: Silicon Valley weblog reports that, back in District Court, a request for a preliminary injunction based on that ruling has been turned down. "The District Court drew on a very recent Supreme Court decision which required a higher standard of proof of damages for the grant of a preliminary injunction: Jacobsen must prove that he is 'likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor and that an injunction is in the public interest'. The Court then noted that Jacobsen had made no showing that he had actually suffered any of these potential harms and that Jacobsen had 'failed to proffer any evidence of any specific and actual harm suffered as a result of the alleged copyright infringement and he has failed to demonstrate that there is any continuing or ongoing conduct that indicates future harm is imminent.'"

Comments (11 posted)

Changes at OLPC

The front page of the OLPC wiki currently has a message from Nicholas Negroponte describing changes which are being made with the project. These include laying off half the staff, pushing development of the generation-2 machine, and "passing on the development of the Sugar Operating System to the community." OLPC is also dedicated to becoming the $0 laptop in developing countries, though how that will happen is not specified. (Thanks to Rahul Sundaram).

Comments (112 posted)

has shut down

Bruce Perens's news and comment site has shut down for the second time (it was off the air 2001-2004). A message was left at the site explaining the move: "When it became evident that Technocrat was un-viable as a business, I found that I did not wish to keep supporting the site as a hobby. Certain elements of the community that developed here, unfortunately, creep me out. At the end I faced the decision of asking for donations to keep the site running, or letting it die, and it became clear to me that I'd feel better if it would just die." (thanks to Rick Moen).

Comments (12 posted)

FOSS community mourns the loss of Thiemo Seufer

Longtime free and open source software developer Thiemo Seufer died in a car accident on December 26. Thiemo was involved with a number of different projects in our community including Debian, binutils, MIPS-Linux, and QEMU. An obituary written by Bdale Garbee, Steve McIntyre, Ralf Baechle, Daniel Jacobowitz, Aurelien Jarno, and Thomas Gleixner gives more information about Thiemo and his contributions. Click below for the obituary.

Full Story (comments: 6)


Openmoko: looking forward to 2009

Those who are interested in the Openmoko phone may want to read this lengthy look forward by founder Sean Moss-Pultz. "Nobody will doubt the value of openness for the mobile industry anymore. This seems like good news at first glance. But what openness are they talking about? Look around and you'll find it's pretty different than what we've been talking about. Yes, the very definition of openness is changing. This troubles me because we cannot influence markets with our words - only our products. And the quality of our products is not world class yet. The bar has been seriously raised. Time is running out. We need to find a way to lead again. I don't believe playing catch up will work. Something fundamental needs to change."

Full Story (comments: 26)

Contests and Awards

MSFXDC: Metasploit eXploits Development Contest

The Metasploit eXploits Development Contest has been announced. "MSFXDC (MetaSploit Framework eXploits Development Contest) is a challenge where the main goal is to code the largest number of new Metasploit Framework exploits modules. Your mission, if you choose to accept it, is to code new exploits modules for the Metasploit Framework (latest 3.x version). Exploits modules must be new regarding the current Metasploit Framework SVN repository content." Submissions are due by February 1; winners will receive a prize of 150 Euros and a VIP Ticket for the FRHACK conference.

Full Story (comments: none)

Education and Certification

OpenEMR HQ announces OpenEMR Certification Program (LinuxMedNews)

LinuxMedNews notes the availability of some new certification programs. "Earlier today, in a weekly conference call with customers and consultants, OpenEMR HQ CEO Anthony Papillion formally announced the launch of the company's OpenEMR Certified Consultant and OpenEMR Gold Certified certification programs for individuals and companies wishing to demonstrate their knowledge of the OpenEMR medical records software product and offer their customers a guaranteed level of service."

Comments (none posted)

UKUUG and O'Reilly Perl tutorials

UKUUG and O'Reilly have teamed up to provide a series of Perl tutorials on February 25-26 in the UK. Day 1 will feature an Introduction to Perl and day 2 will cover Advanced Perl Techniques.

Full Story (comments: none)

Open Technology Group, Inc. announces Python Training

The Open Technology Group has announced several Python Bootcamp courses; they will take place in Morrisville, NC on March 16-20, 2009 and May 11-15, 2009. "Designed for programmers looking to learn or migrate to the Python language, this Python course covers the fundamentals of the Python language in a mix of lecture, demonstration, and hands-on exercises."

Full Story (comments: none)

Python training in Colorado, January 27-30, 2009

A Python class will take place in Longmont, CO. "Python author and trainer Mark Lutz will be teaching a 4-day Python class on January 27-30, in Longmont, Colorado. This is a public training session open to individual enrollments, and covers the same topics and hands-on lab work as the onsite sessions that Mark teaches. The class provides an in-depth introduction to both Python and its common applications, and parallels the instructor's popular Python books."

Full Story (comments: none)

Calls for Presentations

Call for audio and software work

A call for audio and software work for an upcoming compilation effort has been announced. "Forwind invites musicians/software developers/artists who write custom audio software to submit both a piece of music created with the software and the software itself for inclusion in an audio and software compilation due to be released mid 2009. This compilation will strive to present both the software and audio on an equal footing. Design of the end package will be in the very capable hands of Paul Finn from Fitzroy & Finn. The intentions are for this to be a substantial physical release (Book, double CD etc - details have yet to be finalized.)" The submission deadline is March 31.

Full Story (comments: none)

GNOME Devroom at FOSDEM 2009

A call for papers has gone out for the GNOME Devroom at FOSDEM 2009. "As for the last few years, we'll have a GNOME devroom at FOSDEM (7/8 feb in Brussels), and as always, we want *YOU* to give a talk about the cool project you are hacking on in this devroom. This year, we'll have half a day dedicated to GNOME specific talks, and on Sunday, we'll share the devroom with people hacking on other desktop environments and have talks about crossdesktop topics or talks about some gnome specific topics, but which can be of interest to the other communities."

Full Story (comments: none)

LAC2009: Holiday time = Paper time

A call for papers has gone out for LAC2009. "The LAC (Linux Audio Conference) is an annual event where developers, users and composers from all around the world come together for 4 days to present current developments, new compositions and other news to the public, listen to concerts, and generally have a good time together. The LAC2009 is taking place at the Casa della Musica in Parma, Italy, from April 16th to 19th, 2009." Submissions are due by January 15.

Full Story (comments: none)

OpenSource World 2009 Call for Papers

A call for papers has gone out for the 2009 OpenSource World Conference & Expo, formerly called LinuxWorld. "The OpenSource World conference presents the latest Linux and open source ideas in a very technical context by industry experts and innovators. OpenSource World focuses on real-world solutions in real-world environments using open source, open standards and open architecture as part of an integrated IT infrastructure. Our key theme this year will be how open source software is helping companies do more with less; proposals with this perspective are especially interesting to us." The event takes place in San Francisco, CA on August 10-13, 2009. Submissions are due by February 20.

Full Story (comments: none)

Call for papers and trainers - SeacureIT 2009

A call for papers has gone out for SEaCURE.IT, an Italian technical security conference. "The 2009 edition will be held from May 19th to 22nd in the wonderful seaside resort Tanka Village, located in Villasimius, Sardinia, a large and beautiful island in the Mediterranean sea. Besides the main conference, featuring two tracks of top-notch presentations over two intense days, the programme will include two days of advanced trainings, and a set of unique social events (Italian style), in order to foster networking." Submissions are due by February 20.

Full Story (comments: none)

CFP: uCon Security Conference 2009

A call for papers has gone out for the uCon Security Conference 2009. "uCon will be a totally informal and non-profit conference taking place in Recife, Brazil, in 28th of February 2009 -- three days after the best street carnival ever (also known as the rehearsal of the end of the world). The conference aims to bring together academics, hackers and information security enthusiasts to share cutting-edge ideas and thoughts about their latest developments and techniques in the field." Submissions are due by January 25.

Full Story (comments: none)

Upcoming Events

Belgian Perl Workshop (use Perl)

The 2009 Belgian Perl Workshop has been announced; it will be held in Leuven, Belgium on February 28. "Among the invited speakers are Jonathan Worthington, Abigail and Matt Trout. The theme for this year's workshop is "Discovering Perl"."

Comments (none posted)

Invite to KDE for Free and Open Source Nigeria 2009 (KDE.News)

KDE.News has announced the Free and Open Source Nigeria 2009 conference. It will take place at Bayero University, Kano, Nigeria on March 6-9, 2009. "We want to invite KDE contributors and users including organisations and companies who want to come and give talks or workshops during the event. We are expecting more than 2000 participants from within and outwith the university. We will be glad to receive guests from all over the world, especially people with vast experiences in open source."

Comments (none posted)

announces miniconf schedule

The miniconf schedule has been announced. "The miniconf schedule includes 12 miniconfs: Open Source Databases, Linux Kernel, Systems Administration, MythTV, Linuxchix, Mobile Devices, The Business of open Source, Linux Security, Multimedia, Virtualisation and Management, Gaming and Free as in Freedom."

Full Story (comments: 1)

OOoCon 2009 - Call for Location

A call for location has gone out for OOoCon 2009. "The Community is now accepting proposals from Community teams for hosting its next annual international conference, OOoCon 2009. Hosting OOoCon is challenging, rewarding, exhilarating, exhausting ... and can provide a huge publicity boost for in your country. There is no fixed date for OOoCon, although past conferences have been held in the autumn. The deadline for submissions is midnight UTC on February 1st 2009."

Full Story (comments: none)

Events: January 15, 2009 to March 16, 2009

The following event listing is taken from the Calendar.

| Date(s) | Event | Location |
|---|---|---|
| January 15-16 | Foundations of Open Media Software 2009 | Hobart, Tasmania, Australia |
| January 17-23 | Camp KDE 2009 | Negril, Jamaica |
| January 19-24 | - penguins march south | Hobart, Australia |
| January 25-29 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
| January 25-28 | GCC Research Opportunities | Paphos, Cyprus |
| January 31 | Greater London Linux Users Group meeting | London, UK |
| January 31 - February 3 | Black Hat Briefings DC | Arlington, VA, USA |
| February 4-5 | DC BSDCon 2009 | Washington, D.C., USA |
| February 4-6 | Money:Tech 2009 | New York, NY, USA |
| February 5-9 | German Perl Workshop | Frankfurt, Germany |
| February 7 | Frozen Perl 2009 | Minneapolis, MN., USA |
| February 7-8 | FOSDEM 2009 | Brussels, Belgium |
| February 9-11 | O'Reilly Tools of Change for Publishing | New York, NY, USA |
| February 15 | Free Software Awards 2009 Deadline | Soissons, France |
| February 16-18 | Open Source Singapore Pacific-Asia Conference | Singapore, Singapore |
| February 16-19 | Black Hat DC Briefings 2009 | Washington, D.C., USA |
| February 20 | Demonstrating Open-Source Health Care Solutions | Los Angeles, CA, USA |
| February 20-22 | Southern California Linux Expo | Los Angeles, CA, USA |
| February 24-26 | VMworld Europe 2009 | Cannes, France |
| February 25-27 | German Perl Workshop | Frankfurt Main, Germany |
| February 27 | PHP UK Conference | London, UK |
| February 28 | Belgian Perl Workshop | Leuven, Belgium |
| February 28 | uCon Security Conference | Recife, Brazil |
| March 1-4 | Global Ignite week | Online |
| March 3-8 | CeBIT 2009 | Hanover, Germany |
| March 4-7 | DrupalCon DC 2009 | Washington D.C., USA |
| March 6 | Dutch Perl Workshop | Arnhem, The Netherlands |
| March 7 | Ukrainian Perl Workshop 2009 | Kiev, Ukraine |
| March 8-11 | Bossa Conference 2009 | Recife, Brazil |
| March 9-13 | Advanced Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
| March 9-12 | O'Reilly Emerging Technology Conference | San Jose, CA, USA |
| March 12-15 | Pingwinaria 2009 - Polish Linux User Group Conference | Spala, Poland |
| March 14 | OpenNMS User Conference (Europe) 2009 | Frankfurt Main, Germany |
| March 14-15 | Chemnitzer Linux Tage 2009 | Chemnitz, Germany |

If your event does not appear here, please tell us about it.

Page editor: Forrest Cook

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds