LWN.net Weekly Edition for February 12, 2009
FOSDEM09: "Aggressive" Linux power management
At FOSDEM 2009 (Free and Open Source Software Developers' European Meeting) in Brussels, there were a number of interesting talks about the state of power management in Linux. Matthew Garrett from Red Hat talked at length about aggressive power management for graphics hardware. People tend to forget that graphics hardware is more than a processor: it is not just the GPU that draws power, the graphics card's memory, outputs, and, of course, the displays themselves all draw power as well. Until now, most of the work on power management has focused on the GPU, but if you want really good power management, you have to attack the problem on all these fronts. And that's what Garrett is doing at Red Hat and shared in his FOSDEM presentation.
The power consumption of the GPU can be decreased by two techniques: clock gating or reclocking. Clock gating means that different bits of the chip are disconnected from the clock when not in use, and thus less power is drawn. However, this functionality has to be hardwired in the chip design and it must be supported in the graphics driver. And that's where Linux is still lagging behind, according to Garrett: "For a long time Linux graphics support has focused on getting a picture. We can go further now, but we just need the documentation to adapt the drivers." Clock gating has no negative effect whatsoever on the performance of the GPU.
Reclocking is another story: when the GPU is running at a frequency of 600 MHz and you reclock/underclock it to 100 MHz, this results in a massive reduction in power usage, but it also means that the performance is reduced accordingly. Garrett cited a difference of 5 W if clock gating and reclocking are combined on Radeon graphics hardware.
The second component that can be optimized is memory: each memory access draws power. So what can we do about power consumption of memory? Read less often (which is essentially reclocking) or read less memory. Reducing the memory clock can save you again around 5 W, but it introduces visual artifacts on the screen if reclocking happens while the screen is being scanned. The other interesting route (read less memory) comes down to compressing the framebuffer. Most recent Intel graphics chipsets implement this by a run length encoding (RLE) of the screen content on a line-by-line basis. Garrett notes that this means your desktop background can make a difference in battery life: vertical gradients compress very well using this scheme, but horizontal gradients do not.
Another interesting consequence of the memory component is that periodic screen updates are really bad for power consumption. According to Garrett, moving the mouse cursor around causes an instantaneous increase in power consumption of 15 W. A blinking cursor draws 2 W, and the display of seconds or a blinking colon in the system tray clock also draws unnecessary power. Garrett adds philosophically: "The whole point of a blinking cursor is attracting your attention. But when you're typing, your attention is already going to your text input, and when you're not typing, it doesn't need your attention. So is it really needed to blink the cursor?"
The third component where power management can make a difference is the outputs. Just powering off an unneeded output port saves around 0.5 W. If you know for sure that you don't need the external output on your laptop, you can safely turn it off and gain a bit of battery time. However, if you need to connect an external monitor or video projector afterward, you will first need to power on the output port explicitly. It all comes down to a tradeoff between functionality and power consumption.
The last (but not least) component of graphics hardware is the displays. This is another place where reclocking can save some watts. For example, the LVDS (Low-voltage differential signaling) link to a laptop's LCD screen uses power at each clock transition. Reducing the refresh rate reduces the power consumption. While CRT screens begin to flicker if the refresh rate is too low, TFTs don't have this problem. According to Garrett, most TFT screens can be driven at 30 Hz, but then they tend to display visual artifacts. Garrett only recommends this LVDS reclocking when the screen is idle, which saves around 0.5 W. If the screen becomes active again, the system should return to a normal refresh rate of 60 Hz. Another solution is DPMS (Display Power Management Signaling): just turn off the screen when it's idle. Even a screensaver drawing a black screen draws power, while DPMS really turns off the output.
So what's the current state of this "aggressive power management"? Dynamic clock gating is implemented in most recent graphics cards. Future developments will implement even more aggressive dynamic state management: graphics hardware will power on functionality when the system needs it and power it off when it's not used. Graphics drivers and the operating system should control this without irritating the user. Garrett stresses that power management has to be as invisible as possible, otherwise the user will not be happy and will stop caring about "green" computing. Garrett is now working on the Radeon code to get some prototype functionality. As it stands now, the combination of dynamic GPU and memory reclocking can save 10 to 15 W, and LVDS reclocking can save 0.5 W. For a laptop, this doesn't make a huge difference, but it is still a significant increase in battery life.
Power management in Nokia's next Maemo device
In the embedded track of FOSDEM, Peter De Schrijver of Nokia gave an insightful but very technical talk about advanced power management for OMAP3. This integrated chip platform made by Texas Instruments is based on an ARM Cortex A8 processor and has a GPU, DSP (digital signal processor) and ISP (image signal processor). Because the chip is targeted at mobile devices, some advanced power management functionality is built-in: the chip is divided into different voltage domains, and in each module the interface clock and functional clock can be turned off independently.
Nokia used an OMAP1 chip in the N770 internet tablet, and an OMAP2 chip in the N800 and N810 internet tablets. The devices use Nokia's Maemo platform, based on Debian GNU/Linux. Last year Nokia executive Ari Jaaksi revealed that their next Maemo device would use an OMAP3 chip. De Schrijver talked about the power management architecture of OMAP3, but also about the Linux support Nokia is developing for this functionality.
Power management on the OMAP3 can be subdivided into two types. On the one hand, there is active power management. It's essentially the same principle as reclocking in graphics hardware: with a lower clock frequency, the chip is running on a lower voltage, resulting in less power consumption. With dynamic voltage frequency scaling this can be handled automatically. In Linux, the frequency scaling of the CPU is implemented in the cpufreq driver, while for the core (the interconnects between different blocks of the chip and some peripherals) there is a new API call for drivers, named set_min_bus_tput(), which sets the minimum bus throughput needed by a device.
On the other hand, when the chip is idle, there are solutions such as clock control, which can be implemented in software (by a driver) or hardware (an auto idle function). Moreover, clocks of different modules of the chip can be turned off selectively: if the interface clock is off, the core can sleep; if the functional clock is off, the module can sleep. The implementation of clock control in the OMAP3 chip is done in the clock framework of the linux-omap kernel, and Nokia is adding the patches to linux-arm now.
The OMAP3 chip knows four power states per domain: "on", "inactive", "retention" and "off". In the "inactive" state, the chip works at normal voltage but the clocks are stopped, while in the "retention" state the chip works at a lower voltage. This means that the "inactive" state uses more power than the "retention" state, but has a lower wakeup latency. The shared resource framework (SRF) that determines the power state for each domain of the chip is implemented by Texas Instruments and is hidden from the driver programmer by an API. This API has to be implemented by the power management framework and has to be used by the drivers. The API documentation is not yet released, but De Schrijver said this will be added into the kernel Documentation directory soon.
The "off" mode has some challenges: while the power management framework can handle saving and restoring the state of the CPU, memory controller and other components, each driver has to handle its module. This means: reinitialize the module when the functional clock is enabled and save and restore the context and shadow registers in memory.
In his talk, De Schrijver also gave a status update of the work. The "retention" state works. Basic "off" mode works on most development boards; drivers are being adapted for "off" mode now and will be ready at the end of February. All this code is being merged in the linux-arm kernel tree, but eventually it will be merged in the mainline kernel. According to De Schrijver, all these power management techniques will be used in the next Nokia Maemo device: the long-awaited successor of the N810.
Python ponders release numbering
Release engineering for a large project is always a tricky task. Balancing the needs of new features, removing old cruft, and bug fixing while still producing releases in a timely fashion is difficult. Python is currently struggling with this as it is trying to determine which things go into a 3.0.1 release versus those that belong in 3.1.0. The discussion gives a glimpse into the thinking that must go on as projects decide how, what, and when to release.
It is very common to find bugs shortly after a release that would seem to necessitate a bug fix release. Ofttimes these are bugs that would have been considered show-stopping had they been found before the release. But what about features that were supposed to be dropped, after having been deprecated for several releases, but were mistakenly left in? That is one of the current dilemmas facing Python.
One of the changes made in Python 3.0 was a change to comparisons and, in particular, removing the cmp() function. That function takes two arguments, returning -1, 0, or 1 based on whether the first argument was less than, equal to, or greater than the second. Python 3.0 set out to clean up some of the "warts" of the language; cmp() could be handled in other, more efficient ways. The only problem is: cmp() didn't really get removed from the Python 3.0 release in December.
It was recognized quite quickly (the bug report shows it being reported three days after the release), but it wasn't exactly clear what to do about it. There may now exist "valid" Python 3.0 programs that use cmp() and function correctly. This led Guido van Rossum to say: "Bah. That means we'll have to start deprecating cmp() in 3.1, and won't be able to remove it until 3.2 or 3.3. :-)" He seems to have only been half-serious, as the smiley might indicate, eventually concluding: "OK, remove it in 3.0.1, provided that's released this year." Unfortunately, the "this year" he was referring to is 2008.
Because Python 3 was such a major shift in the language, the 2to3 tool was created to help fix old code to work with the new interpreter. But, 2to3 did not change calls to cmp(), so code created using that tool will run in Python 3.0. That makes for a bit of a tangle as van Rossum explains:
As of this writing, Python 3.0.1 is intended for release on February 13 with the removal of cmp(). There seem to be a number of reasons that the release slipped into 2009, not least the holiday season that tends to eat up a fair chunk of December. But it was also more complicated to remove cmp() than it at first appeared. There were several standard libraries and tests that were still using it, as well as Python internals that still referred to it. Inevitably, as those things were getting worked out, other problems cropped up.
There are some fairly serious performance problems with the new I/O library, with some experiencing read performance three orders of magnitude slower on Python 3.0. There are also problems with chunked HTTP responses when using urllib. Both of these require fairly extensive fixes, though, which also require lots of testing. It all adds up to a lot of work, so folks start to wonder if much or all of the work shouldn't get pushed into the 3.1 release which is targeted at an April or May time frame.
There are others who argue that the 3.0 series should be abandoned entirely in the near term. Rather than have a 3.0.1 with substantial changes from 3.0—including the incompatible removal of cmp()—3.1 should be released quickly so that it is the release targeted by developers. As Raymond Hettinger put it:
There are some fairly important new features—notably moving the new I/O to C for performance reasons—that will not make it for a release in February, though. Since a 3.2 release would be quite a ways off, those features would languish for too long. 3.1 release manager Benjamin Peterson would rather see an immediate 3.0.1 release:
There are also concerns that an immediate release called 3.1 might lead to confusion and unhappiness for users. Martin Löwis voiced those fears to general agreement:
Part of the problem is the "no new features" rule for bug fix releases—those that are typically numbered by bumping the third digit of the version number. Python established that rule in the 2.x series, to try to protect the "most conservative users" as van Rossum points out. Those users have not moved to Python 3 yet, so van Rossum argues that the rule can be suspended:
This argument seemed to help crystallize a consensus of sorts. There were some other discussions of exactly which "features" should make an appearance in 3.0.1, but the push for numbering the bug fix release as 3.1 seemed to fade. The 3.0.1 release is currently scheduled for February 13th, while other new features—undoubtedly along with additional fixes—will come with the 3.1 release in April or May.
Part of what was considered in the deliberations was the impact on users and what they will expect from how the releases are numbered. It is a difficult problem, as KDE found out a year ago. Users have certain expectations based on release numbering, which are largely outside of a project's control. But, some kinds of changes, especially those that are not backward compatible, necessitate a "large enough" numeric change to indicate that.
It is a fine line, which is why Python has struggled with it. One hopes that any development for Python 3—a large, incompatible language overhaul itself—avoided using cmp(), and will then be unaffected. If not, the relatively small window in time should keep the number of affected programs to a minimum.
KRunner and GNOME Do: the run command evolves
KRunner and GNOME's Do are both descendants of the Run tools that have been part of desktop environments for years. However, instead of allowing you to enter a single command, both Do and KRunner are rapidly evolving into full-scale application launchers that rival main menus as a tool from which to control the desktop. Both require practice to use well, but their compactness on the screen may appeal to intermediate to advanced users — especially those who prefer keyboard shortcuts to using the mouse.
A new version of KRunner has just been released along with KDE 4.2, and should be available soon in your distribution's repositories along with the rest of the new version, although some distributions may not include it in the default KDE installation.
By contrast, Do is less tightly integrated into its desktop's development cycles, but version 0.8.0 of Do was released in late January. You can find installation instructions on the Do project site. However, many of the distributions listed do not yet have the latest version in their repositories, so, in many cases, the best option is to compile the source code, after first installing Mono support.
Using KRunner
![[KRunner]](https://static.lwn.net/images/krunner_sm.png)
Like Do, KRunner opens in a small window. To use it, you press Alt+F2 to start the program, then start typing. In response, KRunner displays a list of programs that could complete your input, rather like tab completion in the BASH shell, except in visual form.
In the simplest cases, what you type can be a command. On this level, KRunner differs little from a Run command, aside from the fact that you can tab to a selection or click it with the mouse. However, two dozen plugins that are installed along with the basic program extend KRunner's capabilities far beyond those of a Run command. Provided that the calculator plugin is installed and enabled, you can enter basic calculations in KRunner, using an asterisk (*) for a multiplication sign and a forward slash (/) for division along with the plus and subtraction signs. Similarly, you can use KRunner to convert units of measurement, or to open a web site for currency conversion. Other plugins allow you to open a web search or to search bookmarks, contacts, recent documents or your web browser history.
The one catch with many plugins is that you need to learn a simple syntax in order to use them. For example, if you want to do a web search for "LWN" using Google, you would enter "gg:LWN". In much the same way, if you wanted to convert the average human body temperature from the Fahrenheit to the Celsius scale, you would enter "98.8 F. in C.". Fortunately, KRunner is well-documented, so you should have little trouble learning the syntax for your favorite commands.
A small complication is that KRunner includes task-oriented and command-oriented views. But apart from the positioning of suggestions, the difference is chiefly what sort of completions KRunner offers. The main advantage of the different views is that by carefully selecting them and enabling or disabling plugins, you can make the completions more likely to be the ones you want.
In addition to the two views, KRunner also offers a view of currently running processes that you can use to kill misbehaving applications. Short of a link to other system settings, KRunner could hardly be more of a command center for desktop activities.
Using Do
![[GNOME Do]](https://static.lwn.net/images/gnome-do_sm.png)
Do works in approximately the same way as KRunner, differing mostly in the details. To invoke Do one generally uses the "Super + Space" (typically Windows key along with space bar) combination. Like KRunner, Do works on the most basic level by suggesting completions for the shell command, binary, or task that you type. When the completion you want appears, a Run button opens in a right-hand pane that you can navigate to via the Tab key.
One of Do's main differences from KRunner is in some of the plugins you can use. As you would expect, Do uses GNOME applications like Evolution and Rhythmbox to handle requests, while KRunner uses KDE choices such as KMail or Amarok. Besides having thumbnail file previews, Do is also noticeably more web-oriented than KRunner, with plugins for blogging, RSS feeds, and Google Contacts. In fact, if you choose, you can even use Do to write a tweet or short email.
The latest version of Do also includes support for themes. One of the most useful of these themes is Docky, which converts Do into a launchpad with configurable application icons, making it more of a main menu replacement than ever.
Conclusion
Both KRunner and Do are convenient tools, and run almost as well under other desktops as they do on their native ones. Both, too, amount to a centralized control center that is often more convenient than hunting down the individual program in the sub-menus.
All the same, neither is a tool for a beginner. True, both support task completions, so that you can, for instance, write an email without having to remember what program is the default for emails on your desktop. However, I suspect that most users are oriented to programs more than tasks. Since neither of these programs offers a complete list of available programs, new users may find either KRunner or Do hard to use.
While a traditional menu can be cumbersome, it does have the advantage of displaying a complete list of possibilities. By comparison, in KRunner or Do, you need to already know the possibilities. Otherwise, you can hardly begin to enter one or search for it. And, to further complicate matters, some users may not remember the necessary syntax to use certain plugins unless they use the plugins constantly. This limitation affects both KRunner and Do, although Do has a simpler interface.
But for more experienced users, after a brief learning period, programs like KRunner or Do are probably more efficient than menus — not least because you can use them while keeping both hands on the keyboard rather than one straying to the mouse. You might compare the two programs to learning touch-typing: Although neither is immediately accessible, the way that a mouse and a menu are, once you are comfortable, both offer significantly enhanced ease of use and efficiency.
Public data for OpenStreetMap
In recent months, growing recognition for OpenStreetMap has led to an explosion in imports of public and private data. Mapping every street, lake, skiing piste and pizza takeaway in the world might sound like a fun hobby, but being able to pull in your government's basic street network makes the job a whole lot easier. This mix of "crowd sourced" map data from volunteer efforts, private and public donations of data, and commercial developments based on the results, is a classic open source story.
OpenStreetMap was founded by Steve Coast in 2004, born of a frustration with the prevailing preference for proprietary data in the UK. The Ordnance Survey, which can trace its roots back to 1747, is the part-government funded agency with some of the world's most detailed and best loved maps. Unfortunately they charge you an arm and a leg to get the underlying vector data. So out stepped Coast, equipped with a GPS, notepad and pen, followed by tens of thousands of volunteers all manually gathering the data to enter into OpenStreetMap's database. To get a feel for the explosion of data over the past year, look at this great video.
Thankfully, help for the crowd was at hand from the start. Coast quickly secured an import of GPS traces from a courier company for central London; the donation cost the courier company nothing but was very helpful for OpenStreetMap. Much more impressive imports began more recently, with the US census bureau's TIGER database bringing data for the entire street network for the United States of America in late 2007. The Netherlands appeared in even finer detail around the same time, thanks to a donation by Dutch company AND.
This process has now rapidly accelerated. You can get an idea of the scale of the import activity from these incomplete wiki pages on importing government data, the catalogue of major imports and the enormous list of potential data sources. These imports vary from quite comprehensive -- such as the Canadian Geobase -- to very specific datasets like NAPTAN (UK public transport access points) and UK oil wells. Importing vectors for buildings in addition to roads has been popular; examples include Boston in the USA and Naga City in the Philippines.
Of course, most of these imports have come from governments and public agencies who are empowered or required to release the data into the public domain. Any import needs to be carefully reviewed to ensure that copyrights - and database rights in Europe - aren't infringed. For those of us mapping in countries like the UK, this means more walking and cycling, with only occasional negotiations opening up niche data such as oil wells and bus stops. Politics still holds the project back -- or makes for more fun, depending on your perspective.
Politics was a driving force behind one of the most interesting recent collaborations between volunteers and public / non-governmental agencies. Whilst the world was watching the Israel-Palestine conflict on TV, long-time OpenStreetMap volunteer and geospatial activist Mikel Maron was attempting to produce high quality maps of the Gaza strip. Maron worked with UN and aid agencies to obtain data, gain the funds to buy aerial imagery that volunteers could trace, and locate Palestinian expatriates who could fill in details from memory.
With commercial uses for OpenStreetMap emerging, such as the recently unveiled CloudMade developer products, and free software projects like Marble integrating the maps into their interfaces, OpenStreetMap is gaining clout. In the country that started it all, a government-commissioned study found that there would be more economic benefits for the UK if map data was released into the public domain than under the current proprietary model. Under pressure from a growing campaign, and these compelling examples of the benefits of open collaboration, we might just see the terrain shifting from a few interesting imports to a major change in mainstream attitudes towards public data.
At the very least, you'll have a lot of high quality map data to play with at your leisure in the future.
(Interested in adding data to OpenStreetMap? Tom Chance will be returning in the near future with a look at how that process works.)
Security
Forcing updates
A recent thread on the desktop-architects mailing list touched on a subject that tends to generate strong feelings: automatic, silent updates for security issues. At first blush, it is an attractive idea that might help slow down or stop a fast-moving virus or other malware. It also would help protect users who might otherwise ignore or delay updating their system. On the other hand, there are lots of concerns about whose decision it is to have a "mandatory" update, what else might be contained in such an update, as well as how to ensure that the update doesn't break the user's machine.
Dan Kegel kicks off the discussion by asking:
This goes not just for distros; any ISV is on the hook for rapid security updates these days, I would think.
While there are attractions, one of the immediate downsides was noted by KDE hacker Aaron Seigo: "distro Q/A resources would have to _significantly_ increase for this to work reliably. too many updates still break too many systems on too regular a basis." The first time a silently applied "fix" breaks someone's system, there will be a serious outcry. Microsoft and others have broken people's systems before with security updates, but that doesn't seem a good example to follow.
But, even with additional QA, there are plenty of reasons that a user might not want to get an update. GNOME foundation member Dave Neary presents several scenarios:
A kernel reboot or even application restart are definitely problem areas. There are many reasons a user might need to continue using a buggy application or kernel, even if the bug exposes them to an exploit. Some users have enough information to make that kind of determination, but others most definitely do not. How does the distribution or software package determine that? Presumably there will have to be settings to govern the behavior, which then begs the question: what is the default setting?
An additional problem is that users are training themselves—or the desktops and distributions are training them—to ignore pop-ups of various sorts. So suggestions like the one made by Ritesh Raj Sarraf: "For updates with priority 'security', I think it should just pop-up more often" are met with skepticism. Kegel opines:
That provoked a rather boisterous response from Linus Torvalds. His argument is that you can't trust the developers of various projects to determine what fixes should be applied. He is concerned that projects might want to slip other things into a "security" release:
His point is that he, and by extension other sophisticated users, are never going to turn over their systems to the whims of outsiders. He is willing to let distributions or even some software packages make that kind of decision, but only if things are not done silently. "There are programs that I trust to do their auto-updates, and I'm perfectly happy having firefox check for extensions automatically, for example. But even in the case of firefox, I want to _know_ when it does so."
Any kind of automated, silent upgrade feature from either a particular package or a distribution would be an enormous target for those with a malicious intent. It would be a kind of dream exploit to be able to inject malware into millions of unsuspecting systems—silent and unnoticed. A break-in to a distribution server might lead to an incredible malware outbreak, though the same thing could be accomplished today; it would just take more time.
But, the problem remains that there are lots of systems that are not getting updated and are thus vulnerable to a wide variety of exploits. As part of its Collaboration Summit, the Linux Foundation would like to have a meeting to discuss the issue. It is certainly an area where more thought is needed.
Brief items
Rooting your own phone: android security
Kernel hacker Pavel Machek is looking for kernel security holes, but perhaps not for the reason one would expect. He wants to exploit such a flaw to gain root on his Android G1 phone. He has already tried a few exploits that affect the 2.6.25 kernel, but none has succeeded in getting root. He is looking for help from folks who may know of additional flaws to try. In his message, linked below, he also notes several security-relevant issues with Android.
How to write a Linux virus in 5 easy steps
Here's a weblog posting by "foobar" describing an attack vector for desktop Linux systems. "When you save an email attachment under Linux, the execute flag is normally NOT set and thus, the file can't be executed just by clicking on it. So, no luck? Not so fast. Modern desktop environments, such as Gnome and KDE, conveniently offer a nice 'workaround' called 'launchers'. Those are small files that describe how something should be started. Just a few lines that specify the name, the icon that should be displayed and the actual command to execute. Conveniently, the syntax of those launcher files is the same for Gnome and KDE. And those launchers don't have to have any execute permissions set on them!" Your editor can't resist pointing out that this problem was covered here back in 2006. (Thanks to David Skoll).
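The launcher behaviour described in the posting can be checked for on disk. The following is an added example, not code from the posting or from LWN: it walks a directory of saved attachments and reports launcher files that carry a command but have no execute bit set. The list of suspicious programs, the function names and the sample files are assumptions constructed for the illustration.

```python
import os
import shlex
import stat
import tempfile

# Assumption of this example (not from the posting): programs that a launcher
# arriving as an attachment has little reason to start.
SUSPICIOUS_PROGRAMS = {"sh", "bash", "dash", "python", "python3", "perl",
                       "wget", "curl"}
ANY_EXEC_BIT = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def parse_launcher(text):
    """Return the keys of the [Desktop Entry] group, or None if no Exec key."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry.setdefault(key.strip(), value.strip())
    return entry if "Exec" in entry else None


def assess(path):
    """Describe one file; None if it is unreadable or not a launcher."""
    try:
        mode = os.stat(path).st_mode
        if not stat.S_ISREG(mode):  # skip FIFOs, sockets and devices
            return None
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            entry = parse_launcher(fh.read(64 * 1024))
    except OSError:
        return None
    if entry is None:
        return None
    try:
        argv = shlex.split(entry["Exec"])
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = entry["Exec"].split()
    program = os.path.basename(argv[0]) if argv else ""
    reasons = []
    if not mode & ANY_EXEC_BIT:
        reasons.append("carries a command but has no execute bit")
    if program in SUSPICIOUS_PROGRAMS:
        reasons.append("Exec starts an interpreter or downloader: " + program)
    return {"path": path, "name": entry.get("Name", ""),
            "exec": entry["Exec"], "reasons": reasons}


def audit(directory):
    """Return findings for every flagged launcher below directory."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            result = assess(os.path.join(root, name))
            if result and result["reasons"]:
                findings.append(result)
    return findings


def build_sample_dir():
    """Create constructed sample files in a temporary directory."""
    samples = {
        # Saved attachment: mode 0644, harmless constructed command.
        "invoice.desktop": (0o644, "[Desktop Entry]\nType=Application\n"
                            "Name=Invoice\nIcon=text-x-generic\n"
                            'Exec=sh -c "echo constructed-sample"\n'),
        # Launcher the user has deliberately marked executable.
        "editor.desktop": (0o755, "[Desktop Entry]\nType=Application\n"
                           "Name=Editor\nExec=gedit %f\n"),
        # Plain text: an Exec line outside any [Desktop Entry] group.
        "notes.txt": (0o644, "Exec=looks like a key but has no group\n"),
    }
    directory = tempfile.mkdtemp(prefix="launcher-audit-")
    for name, (mode, body) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    for finding in audit(build_sample_dir()):
        print(finding["path"], "->", finding["exec"])
        for reason in finding["reasons"]:
            print("   ", reason)
```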
New vulnerabilities
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2008-5510 CVE-2009-0357
Created: February 11, 2009
Updated: February 16, 2009
Description: Firefox 1.5 (and later) suffers from a pair of vulnerabilities. CVE-2008-5510: escaped null characters are not properly handled, allowing script sanitizing processes to be bypassed. CVE-2009-0357: access to cookies is not properly restricted, creating an information disclosure vulnerability.
gnumeric: untrusted python modules search path
Package(s): gnumeric
CVE #(s): CVE-2009-5983 CVE-2009-0318
Created: February 5, 2009
Updated: April 3, 2009
Description: gnumeric has an arbitrary code execution vulnerability. From the CVE entry: Untrusted search path vulnerability in the GObject wrapper around Python interpreter allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
gpsdrive: multiple vulnerabilities
Package(s): gpsdrive
CVE #(s): CVE-2008-4959 CVE-2008-5380 CVE-2008-5703
Created: February 5, 2009
Updated: February 11, 2009
Description: gpsdrive has multiple vulnerabilities that involve insecure temporary file usage. From the Fedora alert: This update removes several helper scripts: geo-code, geo-nearest, and gpssmswatch, which have been removed upstream due to security issues.
Alerts: |
|
gstreamer-plugins: arbitrary code execution
Package(s): gstreamer-plugins
CVE #(s): CVE-2009-0398
Created: February 6, 2009
Updated: April 6, 2009
Description: An array indexing error was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
gstreamer-plugins: heap buffer overflow
Package(s): gstreamer-plugins
CVE #(s): CVE-2009-0397
Created: February 6, 2009
Updated: July 13, 2009
Description: A heap buffer overflow was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
gstreamer-plugins-good: heap buffer overflows
Package(s): gstreamer-plugins-good
CVE #(s): CVE-2009-0386 CVE-2009-0387
Created: February 6, 2009
Updated: December 22, 2016
Description: Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
java-1.6.0-openjdk: privilege escalation
Package(s): java-1.6.0-openjdk
CVE #(s):
Created: February 5, 2009
Updated: February 11, 2009
Description: openjdk has a privilege escalation vulnerability. From the Fedora alert: This fixes a default security policy, that allowed unsigned applets to access the gnome-java-bridge, allowing a privilege escalation.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2009-0031
Created: February 10, 2009
Updated: May 7, 2009
Description: From the Red Hat advisory: A memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service.
mod_auth_mysql: SQL injection
Package(s): mod_auth_mysql
CVE #(s): CVE-2008-2384
Created: February 11, 2009
Updated: February 11, 2011
Description: The mod_auth_mysql module has a flaw in how it escapes multi-byte-encoded strings, enabling SQL injection attacks.
nss: rogue CA vulnerability
Package(s): nss
CVE #(s): CVE-2004-2761
Created: February 5, 2009
Updated: March 18, 2009
Description: nss has a rogue CA vulnerability. From the Fedora alert: This update adds protection against rogue CA that was generated as a proof-of-concept of the MD5 collision attacks against X509 signatures.
roundcubemail: cross-site scripting vulnerability
Package(s): roundcubemail
CVE #(s): CVE-2009-0413
Created: February 5, 2009
Updated: February 11, 2009
Description: roundcubemail has a cross-site scripting vulnerability. From the CVE entry: Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message.
squid: denial of service
Package(s): squid
CVE #(s): CVE-2009-0478
Created: February 10, 2009
Updated: March 25, 2009
Description: From the Mandriva advisory: Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests. This problem allows any client to perform a denial of service attack on the Squid service.
wicd: privilege escalation
Package(s): wicd/wicd
CVE #(s): CVE-2009-0489
Created: February 10, 2009
Updated: April 10, 2009
Description: From the CVE entry: The DBus configuration file for Wicd before 1.5.9 allows arbitrary users to own org.wicd.daemon, which allows local users to receive messages that were intended for the Wicd daemon, possibly including credentials.
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel is 2.6.29-rc4, released on February 8. It contains a long list of fixes merged over the course of a week and a half. The short-form changelog is in the announcement, or see the full changelog for all the details.
The current stable 2.6 kernel is 2.6.28.4, released (along with 2.6.27.15) on February 6. Both updates contain a long list of fixes. The 2.6.28.5 and 2.6.27.16 updates - with yet another long list of fixes - are in the review process as of this writing; they will most likely be released on February 12.
Kernel development news
Quotes of the week
On the assumption that it has failed to coerce the spirits of our ancestors to land among us, I'll create a patch to remove it.
How patches get into the mainline
Once upon a time, the way to get a patch into the mainline kernel was to email it to Linus Torvalds. A hopeful developer would then wait for Linus to release a new kernel tree to see whether the patch had been included or not. In the latter case, the more persistent developers would resend the patch. Often, developers had to be persistent indeed if they wanted their code to be merged. The system was, in other words, lossy; we'll never know how much useful code was simply dropped.
The use of git (and BitKeeper before it) has brought an end to that era. Once a change gets into somebody's tree, it is relatively unlikely to be lost. It's a much better way of doing things for everybody involved; important fixes no longer get lost, and developers, rather than checking for their patches and resending them, can now devote themselves to the creation of new bugs to be fixed.
Beyond that, though, things have changed in that, for most developers, the way to get a patch into the kernel is no longer to send it to Linus. Instead, they will pass their work through a subsystem tree. This mechanism is reasonably well understood, but, to your editor's knowledge, nobody has taken a hard look at what the flow of patches into the mainline looks like now. With that in mind, your editor set out with the complementary goals of (1) charting the paths patches take on their way to Linus, and (2) figuring out how Graphviz works. A certain amount of success was achieved on both fronts.
Back in the BitKeeper days, your editor asked Larry McVoy if there was any way to track which repositories a specific changeset had passed through; unfortunately, that information was not preserved by BitKeeper. As it turns out, git does a better job of keeping that information around - though it is not a perfect record keeper either. When Linus pulls a tree from some other developer, git will (usually) add a "merge commit" to the repository which indicates where the other tree came from. This commit has (at least) two parent commits; one is whatever was at the tip of Linus's tree prior to the merge, while the other points to the tip of the stream of changesets which came from the pulled tree. Multiple trees can be merged at once; in this case, there will be more than two parent commits.
By following the links from each commit to its parent, one can determine
which tree each commit came from. Merges, too, are propagated up through
pull operations, so it is possible to follow this history back through an
arbitrary number of trees. The gitk tool does a nice job of displaying how
the various paths come together into a given repository; the resulting
graph can be quite complex. What your editor has done is to generate a
statistical view of this process; this view loses information about
specific patches, but provides, instead, an overall view of how patches get
into the mainline.
A piece of the resulting graph can be seen on the right; click on the thumbnail to see the whole thing, which is quite large. It is, arguably, a messy picture, but some interesting things jump out of it. At the top of the list is the fact that the graph is quite shallow: it shows 107 trees, almost all of which feed directly into the mainline. For the 2.6.29 development cycle, only a handful of trees are pulled into a separate subsystem tree before going to Linus, and exactly one tree feeds patches through two other layers. For the most part, subsystem maintainers are going straight to Linus without dealing with middle managers.
975 of 11,260 changesets went directly into the mainline without existing in any subsystem tree at all. Some of those are the merge changesets created by Linus as he pulls trees; many of the rest are the patches which go by way of Andrew Morton. Linus wrote a very small number of them himself. And, occasionally, Linus merges a patch sent directly from a developer, but that is a relatively uncommon occurrence.
When interpreting these numbers, there is one important thing which must be kept in mind: by default, git will not record merge information when it is doing a "fast forward" merge. If a developer pulls down the current mainline repository, adds some patches on top, then gets Linus to pull the patches before anything else changes in the mainline, those patches can be added directly to the mainline without the need for a merge commit to hold things together. Fast-forward merges into the mainline are (probably) fairly rare, but they may well happen more often at the subsystem level. So this kind of information, when generated from a git repository, will never be 100% complete; some merges (and the repositories they came from) will be invisible.
For 2.6.29, two networking trees maintained by David Miller were the biggest waypoint for changesets (1910 of them) headed into the mainline; of those, many came from John Linville's wireless tree. After that, the "linux-2.6-tip" tree (the tree maintained by Ingo Molnar and company for a few subsystems, including the x86 architecture and the scheduler) contributed 1270 changesets to this development cycle. Other large sources of changes were the btrfs tree (910 changesets - the entire btrfs development history), the Video4Linux tree, the sound tree, and the ARM architecture tree. At the other end of the scale, twelve trees were the source of five or fewer changes.
For the curious, the statistics are available in text form along with the full names of the relevant git repositories. The code which generated this information is available as part of the gitdm repository at git://git.lwn.net/gitdm.git. An obvious place for future improvement is to track information about branches within repositories; this would increase the resolution of the whole picture. But that's for another development cycle; stay tuned.
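The attribution described above (merge commits whose first parent is the receiving tree's old tip, and the fast-forward blind spot) can be sketched as follows. This is an added example, not the gitdm code; the sample log, the short commit ids and the example.invalid URLs are constructed, and the merge-subject pattern is an assumption about how pulls are recorded.

```python
import re
from collections import Counter

# Constructed sample shaped like: git log --pretty=format:'%H|%P|%s'
SAMPLE_LOG = """\
f2|f1|sched: constructed patch, fast-forwarded from a subsystem tree
f1|m1|sched: constructed patch, fast-forwarded from a subsystem tree
m1|d1 n3|Merge branch 'master' of git://example.invalid/net
d1|m0|mm: constructed patch applied directly to mainline
n3|n2|net: constructed patch
n2|n1 w2|Merge git://example.invalid/wireless
w2|w1|wireless: constructed patch
w1|n1|wireless: constructed patch
n1|m0|net: constructed patch
m0||constructed root commit
"""

# Assumption: the pulled tree's URL appears in the merge commit subject.
TREE_RE = re.compile(r"(?:\bof\s+|^Merge\s+)(\S+://\S+)")


def parse_log(text):
    """Map commit id -> (list of parent ids, subject line)."""
    history = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, parents, subject = line.split("|", 2)
        history[commit] = (parents.split(), subject)
    return history


def ancestors(history, start):
    """Every commit reachable from start, start included."""
    seen, stack = set(), [start]
    while stack:
        commit = stack.pop()
        if commit in seen or commit not in history:
            continue
        seen.add(commit)
        stack.extend(history[commit][0])
    return seen


def attribute(history, tip, path=("mainline",), stop=frozenset()):
    """Map each commit to the chain of trees it passed through.

    The first-parent chain belongs to the tree being walked. At a merge,
    whatever is reachable from the other parents but not from the first
    parent (the set `git log first..other` would list) came in via the pull.
    """
    owner = {}
    commit = tip
    while commit in history and commit not in stop:
        parents, subject = history[commit]
        owner[commit] = path
        if len(parents) > 1:
            match = TREE_RE.search(subject)
            source = match.group(1) if match else "unknown"
            already = set(stop) | ancestors(history, parents[0])
            for other in parents[1:]:
                pulled = attribute(history, other, path + (source,),
                                   frozenset(already))
                for pulled_commit, pulled_path in pulled.items():
                    owner.setdefault(pulled_commit, pulled_path)
                already |= ancestors(history, other)
        commit = parents[0] if parents else None
    return owner


def tally(owner):
    """Count changesets per path, e.g. 'mainline <- net <- wireless'."""
    return Counter(" <- ".join(path) for path in owner.values())


if __name__ == "__main__":
    for route, count in tally(attribute(parse_log(SAMPLE_LOG), "f2")).items():
        print(count, route)
```

The two fast-forwarded commits (f1, f2) are counted as direct mainline changesets because no merge commit records where they came from, which is the incompleteness the article warns about.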
Wakelocks and the embedded problem
The relationship between embedded system developers and the kernel community is known for being rough, at best. Kernel developers complain about low-quality work and a lack of contributions from the embedded side; the embedded developers, when they say anything at all, express frustrations that the kernel development process does not really keep their needs in mind. A current discussion involving developers from the Android project gives some insight into where this disconnect comes from.
Android, of course, is Google's platform for mobile telephones. The initial Android stack was developed behind closed doors; the code only made it out into the world when the first deployments were already in the works. The Android developers have done a lot of kernel work, but very little code has made the journey into the mainline. The code which has been merged all went into the staging tree without a whole lot of initiative from the Android side. Now, though, Android developer Arve Hjønnevåg is making an effort to merge a piece of that project's infrastructure through the normal process. It is not proving to be an easy ride.
The most controversial bit of code is a feature known as "wakelocks." In Android-speak, a "wakelock" is a mechanism which can prevent the system from going into a low-power state. In brief, kernel code can set up a wakelock with something like this:
    #include <linux/wakelock.h>

    void wake_lock_init(struct wake_lock *lock, int type, const char *name);
The type value describes what kind of wakelock this is; name gives it a name which can be seen in /proc/wakelocks. There are two possibilities for the type: WAKE_LOCK_SUSPEND prevents the system from suspending, while WAKE_LOCK_IDLE prevents going into a low-power idle state which may increase response times. The API for acquiring and releasing these locks is:
    void wake_lock(struct wake_lock *lock);
    void wake_lock_timeout(struct wake_lock *lock, long timeout);
    void wake_unlock(struct wake_lock *lock);
There is also a user-space interface. Writing a name to /sys/power/wake_lock establishes a lock with that name, which can then be written to /sys/power/wake_unlock to release the lock. The current patch set only allows suspend locks to be taken from user space.
This submission has not been received particularly well. It has, instead, drawn comments like this from Ben Herrenschmidt:
or this one from Pavel Machek:
There's no end of reasons to dislike this interface. Much of it duplicates the existing pm_qos (quality of service) API; it seems that pm_qos does not meet Android's needs, but it also seems that no effort was made to fix the problems. The scheme seems over-engineered when all that is really needed is a "do not suspend" flag - or, at most, a counter. The patches disable the existing /sys/power/state interface, which does not play well with wakelocks. There is no way to recover if a user-space process exits while holding a wakelock. The default behavior for the system is to suspend, even if a process is running; keeping a system awake may involve a chain of wakelocks obtained by various software components. And so on.
The end result is that this code will not make it into the mainline kernel. But it has been shipped on large numbers of G1 phones, with many more yet to go. So users of all those phones will be using out-of-tree code which will not be merged, at least not in anything like its current form. Any applications which depend on the wakelock sysfs interface will break if that interface is brought up to proper standards. It's a bit of a mess, but it is a very typical mess for the embedded systems community. Embedded developers operate under a set of constraints which makes proper kernel development hard. For example:
- One of the core rules of kernel development is "post early and often."
Code which is developed behind closed doors gets no feedback from the
development community, so it can easily follow a blind path for a long
time. But embedded system vendors rarely want to let the world know
about what they are doing before the product is ready to ship; they
hope, instead, to keep their competitors in the dark for as long as
possible. So posting early is rarely seen as an option.
- Another fundamental rule is "upstream first": code goes into the
mainline before being shipped to customers. Once again, even if an
embedded vendor wants to send code into the mainline, they rarely want
to begin that process before the product ships. So embedded kernels
are shipped containing out-of-tree code which almost certainly has a number of
problems, unsupportable APIs, and more.
- Kernel developers are expected to work with the goal of improving the kernel for everybody. Embedded developers, instead, are generally solving a highly-specific problem under tight time constraints. So they do not think about, for example, extending the existing quality-of-service API to meet their needs; instead, they bash out something which is quick, dirty, and not subject to upstream review.
One could argue that Google has the time, resources, and in-house kernel development knowledge to avoid all of these problems and do things right. Instead, we have been treated to a fairly classic example of how things can go wrong.
The good news is that Google developers are now engaging with the community and trying to get their code into the mainline. This process could well be long, and require a fair amount of adjustment on the Android side. Even if the idea of wakelocks as a way to prevent the system from suspending is accepted - which is far from certain - the interface will require significant changes. The associated "early suspend" API - essentially a notification mechanism for system state changes - will need to be generalized beyond the specific needs of the G1 phone. It could well be a lot of work.
But if that work gets done, the kernel will be much better placed to handle the power-management needs of handheld devices. That, in turn, can only benefit anybody else working on embedded Linux deployments. And, crucially, it will help the Android developers as they port their code to other devices with differing needs. As the number of Android-based phones grows, the cost of carrying out-of-tree code to support each of them will also grow. It would be far better to generalize that support and get it into the mainline, where it can be maintained and improved by the community.
Most embedded systems vendors, it seems, would be unwilling to do that work; they are too busy trying to put together their next product. So this sort of code tends to languish out of the mainline, and the quality of embedded Linux suffers accordingly. Perhaps this case will be different, though; maybe Google will put the resources into getting its specialized code into shape and merged into the mainline. That effort could help to establish Android as a solid, well-supported platform for mobile use, and that should be good for business. Your editor, ever the optimist, hopes that things will work out this way; it would be a good demonstration of how the embedded community can work better with the kernel community, getting a better kernel in return.
DazukoFS: a stackable filesystem for virus scanning
A longstanding out-of-tree kernel feature—used by half-a-dozen or more virus scanners—Dazuko has recently changed its modus operandi in an effort to be included into the mainline. Dazuko, and now DazukoFS, are mechanisms to control access to files, which are generally used to stop Windows viruses from propagating on Linux servers. The goal is similar in many ways to that of fsnotify/fanotify/TALPA, but the DazukoFS implementation as a stackable filesystem is a completely different approach.
The Dazuko project started almost exactly seven years ago as an effort to allow user-space programs—Windows-style anti-virus scanners mostly—to make file access decisions. One of the reasons to have the scanning in user space—aside from the zero probability of getting one added to the kernel—is to keep it vendor-neutral by not favoring any particular anti-virus engine. But the means to that end was system call hooking, which is a technique that is seriously frowned upon by kernel hackers. Dazuko made an abortive move to the LSM API, but ran into various problems, including the inability to stack multiple security modules. Eventually, the project started looking at a stackable filesystem as a solution that would be palatable for moving into the mainline.
Originally suggested for Dazuko by Christoph Hellwig in 2004, a stackable filesystem has a number of advantages over the other solutions. It is a self-contained solution that won't require core kernel code changes if anti-virus developers wish to add new features. It also would add another stackable filesystem to the kernel, which may help foster a more general stackable filesystem framework. But the main reason is that the project sees it as the most likely path into the mainline. Main developer John Ogness explains:
DazukoFS is mounted atop an already-mounted filesystem in order to handle file access decisions for files in the underlying filesystem. For example:
    mount -t dazukofs /opt /opt

sets up the /opt filesystem for checking by user-space processes that open a special /dev file. All of the scanning application interaction with DazukoFS is done through /dev files, all of which is documented in Documentation/filesystems/dazukofs.txt.
File access decisions are made by processes or threads which make up a "group". Groups act as a pool of available scanners to allow multiple outstanding file access decisions. Once the pool is fully occupied, file accesses will block until one becomes available. Groups are registered by writing "add=MyGroupName" to /dev/dazukofs.ctrl. A group id will then be assigned, which can be parsed from the output of reading the dazukofs.ctrl file. Group ids are then used to access the proper device for providing access decisions.
Based on the group id (N), a /dev/dazukofs.N file is created. Each process in the group registers itself by opening that device. It should then block in a read of the device waiting for a file access event. Each event has three pieces of information that are read from the device file: an event id, the process id of the accessing program, and the number of an open file descriptor that can be used to read the contents of the file. The scanning process should then perform whatever actions it requires to make the decision whether to allow or deny the access.
Because it gets passed an open file descriptor, the scanning process does not need any special privileges beyond those required to access the /dev/dazukofs* files. Once it has made the decision, the scanning process writes a string indicating the result to the device. It is then responsible for closing the file descriptor for the accessed file.
There are a few additional things that can be done via the user-space API: deleting groups, providing for some crash protection within groups, and handling accesses to protected files from within DazukoFS, all of which are described in the Documentation file.
There is also a major caveat that goes with this release of DazukoFS:
That is done, at least partially, to avoid race conditions where a malicious program overwrites the file contents between the scanning and the actual access. This is a general Achilles' heel for virus scanning mechanisms, but silently ignoring writes to mapped files is a rather extreme reaction to that problem. TALPA, which has subsequently become fanotify, defines this problem away as not being a part of the threat model it is handling. Perhaps DazukoFS should do something similar.
It would seem likely that only one of the two proposed solutions for user-space file scanning will end up in the mainline. Ogness mentions fanotify in his patch submission:
So far, there has been no comment on the v2 patch submission, but there were some suggestions to the first submission back in December. The kernel filesystem hackers are pretty busy folks in general, but right now there are numerous filesystems in various states of review: btrfs, POHMELFS, DST, FS-Cache, and others. Those may be using up all of the available review bandwidth. Ogness recently announced that he will be dropping support for the 2.x version of Dazuko—based on system call hooks—to focus on DazukoFS. In it he notes the lack of review:
From the announcement, it seems clear that Ogness has the patience necessary to shepherd DazukoFS through the kernel inclusion process. It would seem that spending some time working with Eric Paris to try to find some common ground between their two solutions might be time well spent as well.
Page editor: Jonathan Corbet
Distributions
News and Editorials
KNOPPIX 6.0
Forget everything you ever knew about KNOPPIX because 6.0 is different from anything you've ever seen before. KNOPPIX was once a complete desktop distribution featuring KDE, lots of applications, and superior hardware detection. It was even one of the first to be delivered as a bootable live CD/DVD. Back then it was one of the most popular distributions available, but with the ease of making live CDs came lots of competition and KNOPPIX lost many of its users to the likes of MEPIS, PCLinuxOS, or Ubuntu. However, KNOPPIX developers are innovating once again, this time with a lightweight distribution offering accommodations to those with visual impairments.
The accessibility goals are being met through ADRIANE, the compilation of programs designed to help those with visual challenges navigate a system by sound-directed keyboard input. With ADRIANE, individuals with diminished visual skills can surf the Internet, read and write emails, text message, listen to music or videos, read and construct office documents, and more.
The Accessibility Interface
The changes are apparent from the start of the CD. The default boot brings the user to a plain text menu with items such as WWW, Multimedia, File Manager, Graphical Programs, and Setup. ADRIANE reads these items in a robotic British voice to the user as the cursor is moved up and down. <Enter> opens various programs such as Links for Web navigation, Mutt for e-mail, or Midnight Commander for file management. Graphical Programs will bring a submenu for OpenOffice, Iceweasel, or start the full LXDE desktop environment.
The screen reader seems to do an admirable job of reading off menus, window titles, bash prompts, key inputs, web pages, documents, or just about anything that appears on screen. It did have some difficulty keeping up with fast typing and at times just cut out altogether. It can be customized for several preferences such as default language, function keys, Braille devices, and to start at login.
Using Iceweasel is an exercise in patience as the NoScript plugin output preempted anything on the web page. With today's CMS software, every web site has a ton of headers on every page which is kindly re-read with each click. The same holds true for multicolumn sites whose first column is static and chock-full of links. Due to this there may be only a very few sites that people with visual impairments might find enjoyable.
Menu navigation is confusing at first as well because the screen reader recites "Menu, Menu-Item, Sub-menu Item, Program, keyboard shortcut" for each move of the cursor or highlight. A certain amount of self training may be required before one can tune out the repetition.
The reader didn't seem to have much difficulty translating text to speech. Some words are pronounced unconventionally, with the accent on the wrong syllable or literal reading of some letter combinations, but very few words were skipped or botched completely. It actually did a very good job on a computer with lots of processing power and memory. It stopped speaking on a machine with lower resources much more often. It was also a bit unstable, especially on the slower machine. Iceweasel crashes and OpenOffice.org freezes were not uncommon and root applications were excluded altogether.
The Desktop and Applications

KNOPPIX is now shipping with the lightweight but capable LXDE. It strives to be a pretty, fast performing, customizable, and energy saving desktop. It is being seen in more and more distributions lately as an alternative GTK+ 2 interface due to its lower system requirements and dependencies.
KNOPPIX isn't just for the visually impaired. It can be used by anyone wanting a light desktop with a few popular applications. GMPlayer resides in the menu for audio and video playback, The GIMP manipulates your images, and GPicView provides basic image viewing. Iceweasel, Icedove, ELinks, and Pidgin network for you and the OpenOffice.org suite puts you back to work. There are several system accessories such as Leafpad, Xarchiver, and PCMan file manager. A few system configuration tools have made it into this release such as Network card configuration, Wavelan configuration, and Synaptic software manager. Multimedia codecs are present but Flash isn't. Ironically, KNOPPIX also ships with Compiz and Compiz Fusion plugins enabled by default on supporting hardware as well as several nice screensavers. Linux kernel 2.6.28 and Xorg X server 1.4.2 form the foundation and GCC 4.3 is installable.
Missing from this release is the KNOPPIX hard drive installer, although it does have a script for installing onto a USB memory stick. Many tools and utilities that didn't make it into this release are being planned for the next and hopefully the installer is on that list. Live CDs are nice, but without a hard drive installer KNOPPIX may not be feasible for daily use.
Hardware Support
Hardware support with this release is very good for devices known to work well with the standard Debian kernel. A basic DHCP network connection is available at boot with supported hardware. Graphics detection and configuration is good, even with an antique 13 inch monitor saved from the refuse pile. Without proprietary drivers, most NVIDIA and ATI/AMD graphic chips will not be able to utilize the Compiz screen effects.
The screen resolution was correctly configured on the 15.4 inch widescreen LCD of an HP Pavilion laptop. However, KNOPPIX doesn't ship with any proprietary drivers or Ndiswrapper, so some wireless network devices may not work such as the one on this laptop. The wired network card worked fine as did most of the other common devices.
Tests here showed that, despite a light desktop environment, the system requirements are a bit higher than one might think. The ADRIANE applications in combination with many of the graphical programs seem to require a recent processor and approximately a gigabyte of RAM. Although KNOPPIX did function on slower machines, more instability surfaced.
Closing Thoughts
This release of KNOPPIX 6.0 "ADRIANE" is an admirable first effort. Although ADRIANE has been in development since 2007 and was included in KNOPPIX 5.3.1, this is the first release to build completely around it. The underlying system has been rebuilt from scratch, so all in all it's shaping up nicely. The ADRIANE components aren't perfect and need a few bugs squashed, but overall it was quite amazing with its accuracy.
However, some of its quirks might keep someone with visual issues from just inserting the CD and working entirely on their own, at least until they have been trained. This would be especially true for someone new to requiring accommodations such as text-to-speech and screen readers. In tests here, our brave blindfolded guinea pig became lost and stuck within a matter of minutes in the graphical environment. On the other hand, everyone in our test lab with unobstructed sight was completely impressed with the ADRIANE technology and appreciated the work done by Klaus Knopper and his lovely wife Adriane.
Overall, it's a great first showing and subsequent releases are bound to be even more exciting. If you know someone with vision impairments, it might be worth their while to give them a copy of KNOPPIX ADRIANE and walk them through it.
New Releases
Jaunty Alpha 4 released
The fourth alpha release of Ubuntu's Jaunty Jackalope is available for testing. Jaunty will become 9.04 when it's ready. Downloads are available for Ubuntu, Ubuntu Education Edition, Kubuntu, Xubuntu, UbuntuStudio, Ubuntu Netbook Remix, and Ubuntu MID.
Ubuntu Customization Kit (UCK): 2.0.8 (SourceForge)
Ubuntu Customization Kit is a tool that helps you customize official Ubuntu Live CDs (including Kubuntu/Xubuntu and Edubuntu) to your needs. You can add any package to the live system, for example language packs, or applications. Version 2.0.8 has been released.
Distribution News
Debian GNU/Linux
Dedicating Lenny to Thiemo: Call for Signatures
Debian is dedicating the upcoming Lenny release (v5.0) to Thiemo Seufer. "The Debian Project has lost an active member of its community. Thiemo Seufer died on December 26th, 2008 in a tragic car accident. Thiemo was involved in Debian in many ways. He maintained several packages and was the main supporter of the Debian ports to the MIPS architecture. He was also a member of our kernel team, as well as a member of the Debian Installer team. His contributions reached far beyond the Debian project: he also worked on the MIPS port of the Linux kernel, the MIPS emulation of qemu, and far too many smaller projects to be named here."
Bits from the ftpteam regarding the release
Debian's ftpteam has some information regarding the Lenny (5.0) release, scheduled for February 14, 2009. Click below for more information.
Fedora
Fedora 11 alpha - and a new community liaison
The Fedora Project has announced the Fedora 11 alpha release, complete with the requisite doggerel poetry. It is definitely early-stage software, but the announcement helpfully notes that it "should boot on the majority of systems." This is a good chance for those who are interested in the upcoming Fedora release to help find bugs.
Fedora has also brought in Adam Williamson as a community liaison. "I am working for Red Hat as of this Monday. I have been hired into the Fedora QA team essentially to drive community involvement in the Fedora QA process. RH - and, to put a more personal touch on it, Jay Turner, who's responsible for Fedora QA - felt that Fedora could really benefit from more community involvement in the QA process, so my role is to try and help develop that." Adam previously did community work for Mandriva.
New Distributions
Jarro Negro
Jarro Negro (English version) hails from Mexico. Its goal is to produce servers of different architectures (including SPARC). Jarro Negro is a 'built from scratch' distribution which recently added support for RPM package management. 2.0.2 is the current version.
Distribution Newsletters
DistroWatch Weekly, Issue 289
The DistroWatch Weekly for February 9, 2009 is out. "The netbook market is not just limited to the Eee PC any more, now every major manufacturer has a netbook of some description. The software arena hasn't stood still either with many custom distributions having been created to accommodate these little machines. Intel sponsors the Moblin project which has just released a new alpha, and we take it for a test run. In the news section, the creator of Puppy Linux explains his new project called Woof, Mandriva finalises the structure for their new Assembly, things heat up in BSD land with new releases on the way, the unofficial Fedora FAQ provides updates to version 10, Fedora causes a stir after disabling the popular 'kill X' feature, and a new online Slackware package finder is made public. Also in this issue are links to two interviews - the first with a KDE developer and the second with the creator of Xfce."
Fedora Weekly News #162
The February 8, 2009 edition of the Fedora Weekly News is out. "This week we're happy to announce the return of several beats: Marketing reports on following Fedora activity via Twitter; Ambassadors tantalizes with some Fedora polo shirts and the news that "North American Ambassadors Take Reins of XO Program"; Infrastructure notes a possible "Public Calendaring System" for the community; SecurityWeek shares an xkcd comic in "Encryption Security". Announcements highlights the K12Linux Fedora 10 Live Server in "Technical Announcements", PlanetFedora rounds up a lot of must-read blogs, Developments clarifies that "Fedora 11 Will Support i586 Instruction Set", Translation links to the "L10n Infrastructure Roadmap Proposal", Artwork suggests some "Context Free Art", SecurityAdvisories lists packages you really, really want, Virtualization defies easy summary but one exciting tidbit is "Merging KVM and Qemu Packages", and finally we have another AskFedora concerning the possibility of a "Standardized Package Format"."
OpenSUSE Weekly News/58
This issue of the OpenSUSE Weekly News looks at Adrian Schröter: More efficient Factory Development, FOSDEM, Larry Finger: Getting Your Wireless to Work, Martin Schlander: Use Oxygen Icons In App Menu, Joe Brockmeier: More FOSS security scare-mongering and several other topics.
Ubuntu Weekly Newsletter #128
The Ubuntu Weekly Newsletter for February 7, 2009 covers: Ubuntu Jaunty Alpha 4 released, Rock the Docs: Ubuntu LoCo Docs Day, Hall of Fame Interview: Christophe Sauthier, Fridge Calendar has moved, Ubuntu HugDay, New Contributing Developer, Launchpod Episode #16, Launchpad performance weeks, Full Circle Magazine #21, Ubuntu podcast #19, Toshiba Netbook with Ubuntu Remix, First Ubuntu Event in Monastir Tunisia, Team Meeting Summaries, and much more.
Newsletters and articles of interest
From the archives: the best distros of 2000 (TuxRadar)
TuxRadar has an amusing walk down memory lane for anyone who has been using Linux since 2000 (or before). It is re-running an article from the first issue of Linux Format magazine that reviewed the top distributions of 2000. "Remember that nine years is a long time in the computing world -- and even more so for Linux. [...] Corel Linux is long dead, despite a high-profile entrance into the distro scene, while Caldera Linux occupied a healthy position (before the SCO shenanigans busted it up). SUSE, Mandrake, Red Hat and Mandriva are still alive in various flavours, while the British Definite distro bought the farm and WinLinux only made it to a 2003 release."
Page editor: Rebecca Sobol
Development
The EeePC as a low-power music player
For a long time, your author has been searching for a low power music playing computer for use in an off-grid solar and wind powered mountain cabin. The desire was to have a player with capabilities that were similar to the grid-powered system used at home. This consists of a library of over 5000 FLAC-encoded audio files that are either randomly or sequentially played by one of several Python scripts. The audio is fed from the computer's sound card to the auxiliary input of a stereo amplifier.
The current off-grid audio system uses a car stereo deck with a built-in CD player driving three stereo speaker sets, all running on 12V DC power. Power consumption is in the range of 5-10 Watts, depending on volume. The car stereo deck has an auxiliary audio input for connecting external sound sources, such as a computer. After one becomes used to a Linux-powered music system with unattended playback of a large music library, manually swapping individual CDs every 45 minutes seems like a lot of trouble.
Initially, a stripped-down desktop computer was considered for the job, but the power consumption was a bit too high for continuous off-grid use, especially when powering the machine through a DC to AC power inverter. A number of mini-ITX systems were considered for the job, but their prices were high, power consumption was still moderate, and an external monitor, with more power consumption, was required.
A laptop computer seemed like a better platform for building such a system. Taking the small system idea one step further, it was decided that a palmtop computer would be a good candidate for the task at hand. The ASUS Eee PC was chosen because it was inexpensive, common, tiny, self-contained and would run on low power. Also, another LWN editor had an Eee PC model 4G (701) that he was willing to part with. This machine uses a solid state flash drive for its primary filesystem.
![[Eee PC music player]](https://static.lwn.net/images/ns/EeePC-player-small.png)
One might ask, why not just get an iPod? In short, your author does not like the sound quality that comes from highly compressed audio formats, and the ability to create custom software was desired. Also, the price of large capacity hard drives has come down enough that high volume storage is no longer an issue.
The newly acquired Eee PC needed a fresh operating system installation. Ubuntu was a logical choice since it was already being used for the home-based music player. Easy Peasy 1.0 (Ubuntu 8.10) was the first Ubuntu-based distribution that was found for the Eee PC platform. The EEEBUNTU distribution also looks like a good candidate for running Ubuntu on the Eee PC. Installing the operating system on a machine that lacked a CDROM drive involved downloading the appropriate ISO image and installing it on a USB memory stick. Creation of a bootable USB memory stick is explained in this article.
The Easy Peasy installation worked the first time; the only annoyance involved the appearance of the Ubiquity system installation window upon logging in. The Easy Peasy forum had an article on Common issues and fixes that had the solution to that problem, and some additional post-installation suggestions. An article about optimizing Linux on a solid state drive suggested some additional tricks for improving the life of the solid state memory. The folks who put Easy Peasy together did a good job customizing Ubuntu for the Eee platform; all of the various Eee PC peripherals have worked with no problems.
A Seagate FreeAgent 320GB USB drive was chosen to hold the music collection; it is small, frugal with power and gets its operating power from the USB port. The drive required installation of an EXT3 filesystem. The entire music collection was copied over by installing the new drive on the home system and running an rsync command to populate the filesystem. As the master music archive grows, it will be simple to synchronize it with the USB drive using another rsync operation. The USB drive also provides an off-site backup for the main music collection.
A small amount of software had to be installed on the machine. The Ubuntu vorbis-tools package contains the ogg123 command line FLAC file player. Two custom Python scripts, RandFlacPlay.py and Playflacs.py (available here), use ogg123 to do the rest of the work. The music is organized in a hierarchy of directory trees categorized by genre, artist and recordings. The recordings of CDs, vinyl disks and tapes each get their own directory. RandFlacPlay.py is run with the primary music archive as an argument; it picks random selections and plays them. It can also be run on subsets of the entire collection or on directories full of symbolic links to specific groupings of recordings. Playflacs.py is used to play all of the songs in one particular directory. Both Python scripts can be invoked multiple times inside of a bash script for a wide variety of programmability.
Using the Kill-a-watt meter that was discussed in the aforementioned power consumption article, data was taken for various modes of Eee PC operation. With the USB hard drive connected and the screen on, the worst-case AC power usage was in the 17-21 Watt range while playing music. This is about four times better than the best power consumption achieved with the desktop machine, not counting the desktop video monitor. When the Eee PC screen is closed, power consumption drops by about 2 Watts. Removing the USB hard drive causes the power consumption to drop by around 4 Watts. Running from the AC charger, the Eee PC can play music using only 11-15 Watts. This number can likely be shaved by another 5 Watts or so if the machine is powered directly from 12V DC using a car cigar lighter adapter; the AC adapter generates a lot of heat.
In the above example, minimum power usage was achieved with the hard drive disconnected. However, a music player without music isn't of much use. A bit of software solved the problem. The RandFlacPlay.py script was modified so that instead of playing the random music selections, it copies the songs from the hard drive to a specified directory on the flash-based filesystem. Flash space on this system is in short supply, so an external 4GB USB memory stick (1 Watt) was added to the machine. The memory stick can be loaded with many hours of music and the system can play without the hard drive. Since this mode of operation involves no spinning drives, operating the system in a car becomes a practical option. A common iPod FM transmitter would allow the player to be used in an automotive setting where no auxiliary audio input is available.
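The copy mode described above can be sketched as follows. This is an added example, not the author's RandFlacPlay.py (which is not reproduced on this page); the function names `find_flacs`, `fill_stick` and `build_demo_tree`, the numbered destination file names and the dummy 100-byte "tracks" are all assumptions made for illustration.

```python
import os
import random
import shutil


def find_flacs(music_root):
    """Return every .flac file under music_root, following symlinked groupings.

    Directories are keyed by their real path so that a recording reached both
    directly and through a symlink is listed once, and a link cycle cannot
    make the walk run forever.
    """
    found, seen = [], set()
    for dirpath, dirnames, filenames in os.walk(music_root, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:
            dirnames[:] = []  # already visited by another route: do not descend
            continue
        seen.add(real)
        for name in filenames:
            if name.lower().endswith(".flac"):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def fill_stick(music_root, dest_dir, budget_bytes, rng=None):
    """Copy randomly chosen tracks into dest_dir without exceeding the budget.

    Returns (list of copied destination paths, bytes used).
    """
    rng = rng or random.Random()
    tracks = find_flacs(music_root)
    rng.shuffle(tracks)
    os.makedirs(dest_dir, exist_ok=True)
    # Never plan for more than the destination filesystem can actually hold.
    budget = min(budget_bytes, shutil.disk_usage(dest_dir).free)
    copied, used = [], 0
    for src in tracks:
        size = os.path.getsize(src)
        if used + size > budget:
            continue  # too large for the space left; a smaller track may still fit
        # A numeric prefix keeps the random order when the directory is played
        # sequentially and stops same-named tracks from different recordings
        # overwriting each other.
        name = "%04d-%s" % (len(copied) + 1, os.path.basename(src))
        dest = os.path.join(dest_dir, name)
        shutil.copyfile(src, dest)
        copied.append(dest)
        used += size
    return copied, used


def build_demo_tree(root, track_bytes=100):
    """Constructed sample library (genre/artist/recording) with dummy tracks."""
    albums = [("jazz", "artist_a", "live_1975"),
              ("folk", "artist_b", "studio_1982")]
    for parts in albums:
        album = os.path.join(root, *parts)
        os.makedirs(album)
        for n in (1, 2):
            with open(os.path.join(album, "%02d.flac" % n), "wb") as fh:
                fh.write(b"\0" * track_bytes)
        with open(os.path.join(album, "notes.txt"), "w") as fh:
            fh.write("not audio\n")
    # A grouping made of symbolic links, plus a link that loops back to the root.
    os.makedirs(os.path.join(root, "favorites"))
    os.symlink(os.path.join(root, "jazz", "artist_a", "live_1975"),
               os.path.join(root, "favorites", "live_1975"))
    os.symlink(root, os.path.join(root, "folk", "loop"))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        library = os.path.join(tmp, "music")
        build_demo_tree(library)
        files, used = fill_stick(library, os.path.join(tmp, "stick"), 250)
        print(len(files), "tracks copied,", used, "bytes used")
```

The numbered output directory can then be handed to a sequential player, which is how the hard drive can stay unplugged during playback.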
In all, this project went together rather easily; no major problems were encountered. Audio quality could likely be improved by adding an external USB sound card. A remote control device such as the Wii Remote (covered here) would be a nice addition. The Eee PC features a large amount of hardware capability in a tiny enclosure. It makes an excellent platform for a music player and is capable of much more.
System Applications
Audio Projects
JACK 0.116.2 + D-Bus
Version 0.116.2 of the JACK Audio Connection Kit with D-Bus support has been announced. "D-Bus modifications add optional autodetected support for the D-Bus based server control system. D-Bus is object model that provides IPC mechanism. D-Bus supports autoactivation of objects, thus making it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed."
Database Software
PostgreSQL 2009-02-06 Update Release is available
Update Release 2009-02-06 of several versions of the PostgreSQL DBMS has been announced. "The PostgreSQL Project today released updates to all active branches of the PostgreSQL object-relational database system, including versions 8.3.6, 8.2.12, 8.1.16, 8.0.20 and 7.4.24. These updates include two serious fixes, for autovacuum crashes in version 8.1 and GiST indexing data loss in 8.3, and those two versions should be updated as soon as possible. These update releases also include patches for several low-risk security holes, as well as up to 17 other minor fixes, depending on your major version of PostgreSQL."
PostgreSQL Weekly News
The February 8, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
web2py 1.56 is out
Version 1.56 of web2py, a cross-platform database driven web framework, has been announced. "web2py 1.56 is out, including a new web site with better documentation".
Embedded Systems
FreeRTOS: V5.1.2 released (SourceForge)
Version 5.1.2 of FreeRTOS has been announced, several new platforms are now supported, among other improvements. FreeRTOS is a: "Mini RTOS kernel for small embedded systems. Preconfigured demo programs are included for lots of microcontroller architectures - ARM7, ARM CORTEX M3, PIC32, PPC405, 8051, AVR (MegaAVR), x86, PIC18, PIC24, dsPIC, HCS12, H8S, RDC, ColdFire, Fujitsu, etc."
Package Management
RPM version 4.6.0 is out
Version 4.6.0 of RPM has been announced. "The primary focus on this release has been cleaning up the code-base to make it more maintainable and robust, and also more approachable to invite more community involvement. Code duplications, memory handling and various code pieces have been cleaned up. The local copies of system libraries like db4, lua, popt and libmagic were removed. New APIs have been established and dozens of old bugs have been fixed. A several obsolete features have been removed from the code base. There also have been a number of visible improvements."
Telecom
OpenSIPS: new PBX dialing module (SourceForge)
A new PBX dialing module is available for OpenSIPS. "OpenSIPS is an GPL implementation of a multi-functionality SIP Server that targets to deliver a high-level technical solution (performance, security and quality) to be used in professional SIP server platforms. A new module is available in OpenSIPS (called closeddial module). This module is intended to offer a functionality similar to Centrex to OpenSIPS, allowing to define groups of closed dialling, using abbreviated codes."
Desktop Applications
Audio Applications
Aqualung 0.9beta10 released
Version 0.9beta10 of Aqualung has been announced. "On behalf of the developer team, it is my pleasure to announce the latest release of Aqualung, an advanced cross-platform gapless music player. This release is the result of a year's work, much of which has been done by our newly joined developer Jeremy Evans."
Ecasound 2.6.0 released
Version 2.6.0 of Ecasound, a multi-track audio processing package, has been announced. "New interactive commands have been added to query and manage JACK port connections. More options are also now available for setting up ecasound's own JACK ports. Severe bugs in 'playat' and 'select' objects have been fixed. A refactored ECI C implementation fixes bugs and provides improved performance for ECI apps. Many minor bugs have been fixed."
Business Applications
OpenERP 5.0 released
Version 5.0 of OpenERP has been announced. "This new version comes with a full review of the web site giving access to more than 1500 pages of documentations on business management and a reorganization of the community sources build upon the Open Object framework. Free cycles of conferences are planned with the version 5.0 release of Open ERP."
Data Visualization
python-graph 1.4.0 released
Version 1.4.0 of python-graph has been announced. "python-graph is a library for working with graphs in Python. This software provides a suitable data structure for representing graphs and a whole set of important algorithms."
Desktop Environments
GNOME 2.25.90 beta released
Version 2.25.90 of the GNOME desktop has been announced. "This is the sixth development release, and the first beta, towards our 2.26 release that will happen in March 2009. By now most things are in place, and your mission is easy: Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it."
GNOME Software Announcements
The following new GNOME software has been announced this week:
- CrunchyFrog 0.3.3 (bug fixes)
- Evince 2.25.90 (bug fixes and translation work)
- GENIUS 1.0.4 (new features, bug fixes and translation work)
- GENIUS 1.0.5 (new features, bug fixes and translation work)
- Glade 3.5.7 (new features, bug fixes and translation work)
- GNOME Power Manager 2.25.91 (new features, bug fixes and translation work)
- GParted 0.4.2 (new features and bug fixes)
- libcroco 0.6.2 (bug fixes)
- Quick Lounge Applet 2.13.1 (new features, bug fixes and translation work)
- tracker 0.6.90 (new features, bug fixes and translation work)
Plasma Team Looks at the Future (KDEDot)
KDE.News reports from the Tokamak II gathering. "The purpose of Tokamak II was to design features and concepts to be worked on over the next year in Plasma and the KDE desktop. Topics covered included: animations and other new features in Qt 4.5, Social Desktop concepts, desktop search, email and calendaring integration, a new system tray implementation, Plasma for educational desktops, mediacenters and PlasMate, a content creation application."
KDE Software Announcements
The following new KDE software has been announced this week:
- cb2Bib 1.1.1 (new features)
- CrossVC XXL 2.1.3 (bug fixes)
- eXaro 1.60.0 (new features and license change)
- geolokate alpha 0.1 (initial release)
- kopcat 0.2.1 (new features and bug fixes)
- KRadio for KDE4.x 2009-02-08 (initial KDE4 port)
- luckyBackup 0.2.1 (bug fixes)
- MPlayerThumbs 1.2 (build fix)
- QTrans 0.2.1.2 (new feature)
- QTrans 0.2.1.3 (new feature)
- rekonq Web Browser 0.0.3 (new features and bug fixes)
- TorK 0.31 (new features, bug fixes and translation work)
- Wikipedia Dump Reader 0.2.9 (new features and bug fixes)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- libXext 1.0.5 (bug fixes and code cleanup)
- xcb-util 0.3.3 (code cleanup)
- xextproto 7.0.5 (bug fix and documentation work)
- xf86-video-ati 6.10.99.0 (new features, bug fixes and code cleanup)
Financial Applications
LedgerSMB::API 0.04a released
Version 0.04a of LedgerSMB::API has been announced. "In a collaboration initiated between Nigel Titley and Hugh Esco -- but open to others, operating under a SourceForge project as LedgerSMB-OSCommerce, but with an expanded focus of supporting developers seeking to integrate LedgerSMB generically with other applications which have a need to post transactions to or pull reports from an accounting database."
SQL-Ledger 2.8.21 released
Version 2.8.21 of SQL-Ledger, a web-based accounting system, has been announced. See the What's New document for release notes.
webERP: 3.10 released (SourceForge)
Version 3.10 of webERP has been announced. "Integrated accounting ERP system. Multi-language/currency/inventory locations. Full double entry. SO/AR/PO/AP/GL/Bank/Sales Analysis. BOMs/assemblies/kit-sets. Flexible pricing. Emailable pdf reports. Fast PHP created html for any browser. Many new features and bug fixes from the last release including geo mapping, new CRM functionality, significant improvements to the API, two new themes, and the inclusion of javascript to check the input on certain forms."
Games
WFMath 0.3.9 released
Version 0.3.9 of WFMath has been announced. "WFMath, or the WorldForge Math library's main focus is geometric objects, and it has classes for several shapes as well as the basic math objects, points, vectors, matrices and quaternions. It is required by all WorldForge components. This release is aimed at all developers. Changes in this version: * The headers have been cleaned up to include fewer system headers and dependencies, and keep the namespace a bit cleaner."
Geographical Software
Traveling Salesman: OSMbin v1.0 announced (SourceForge)
Version 1.0 of Traveling Salesman has been announced. "traveling-salesman is a GPS -route-planning and -navigation -system based on libosm and the OpenStreetMap. LibOSM of Traveling Salesman contains the reference-implementation of the OSMbin file-format. As our implementation now has advanced far enough I am happy to announce the final OSMbin file-format on the OpenStreetMap -dev and -osmosis -mailing lists."
GUI Packages
AnyScreen: Released AnyScreen v1.0 (SourceForge)
Version 1.0 of AnyScreen has been announced. "The goal of AnyScreen is to allow simple development of OpenGL applications running on a wide range of modern output devices. Currently, AnyScreen is capable of rendering on multiple displays settings and offers various stereoscopic rendering modes."
Instant Messaging
GOZERBOT 0.9 released
Version 0.9 of GOZERBOT, a Python IRC bot and Jabber bot, has been announced. "Finally gozerbot 0.9 has been released. This is a huge step forward to version 1.0 and contains a number of changes".
Multimedia
Elisa Media Center 0.5.27 released
Version 0.5.27 of Elisa Media Center has been announced; it includes some new features and bug fixes. "Elisa is an open source cross-platform media center connecting the Internet to an all-in-one media player. It is written in python using twisted, gstreamer and pigment among others, and runs on GNU/Linux and Microsoft Windows (XP and above)."
Music Applications
QJackMMC / JackCtlMMC version 3 released
Version 3 of QJackMMC / JackCtlMMC is out. "A new version of QJackMMC / JackCtlMMC has been released today, sporting the new ability to select a device ID, a new help system, and several bug fixes. If you have a MIDI device capable of sending Midi Machine Code commands, you can use QJackMMC / JackCtlMMC to control all your JACK-based programs with your external hardware, or even internal ALSA programs that emit MMC."
Office Applications
Resolver One 1.4 beta announced
Version 1.4 beta of Resolver One has been announced. "Version 1.4 of Resolver One, our Pythonic spreadsheet, uses our Ironclad project to provide (alpha-level) support for numpy in a IronPython application. You can put numpy matrices in spreadsheet cells and manipulate them like any other data".
Science
Stellarium: 0.10.1 released! (SourceForge)
Version 0.10.1 of Stellarium has been announced. "Stellarium renders 3D photo-realistic skies in real time with OpenGL. It displays stars, constellations, planets, nebulas and others things like ground, landscape, atmosphere, etc. This is the first stable version featuring the new Graphical User Interface. It contains all features introduced in 0.10.0 beta (with much less bugs!) as well as: a new script engine (in testing), new translations in Albanian and Bosnian, an improved grid rendering, the possibility to download extra star catalogs in 1 click, and various performance improvements."
Web Browsers
Mozilla Firefox 3.0.6 released (MozillaZine)
MozillaZine covers the release of Firefox 3.0.6. "The sixth minor update to Mozilla Firefox 3 has been released. Firefox 3.0.6 fixes security vulnerabilities, improves stability, improves the ability for scripted commands to work properly with plugins and resolves a handful of other small bugs."
Miscellaneous
BleachBit 0.3.1 released
Version 0.3.1 of BleachBit has been announced. "BleachBit is a Internet history, locale, registry, privacy, and temporary file cleaner for Linux on Python v2.4 - v2.6. Notable changes for 0.3.1: * Clean the cache and temporary files of Acrobat Reader, GIMP, Google Earth, Second Life Viewer, and winetricks. * Clean Firefox version 3's URL history without deleting the entire places.sqlite file (which also contains bookmarks). * Clean more localizations. * Vacuum the Firefox databases (which becomes fragmented). * Fixed bug that blocked cleaning of some localizations for some using Ubuntu 8.04. * Fixed bug that prevented starting BleachBit when the language was not set. * Fixed bug that prevented cleaning of the clipboard."
Virtaal 0.3.0 released (SourceForge)
Version 0.3.0 of Virtaal has been announced. "Tools for localization: Pootle, a web based translation management system. Virtaal, a powerful desktop CAT tool and Translate Toolkit, providing QA, format conversion and support (PO, Java .properties, OpenOffice, Mozilla, XLIFF, TMX, TBX, CSV, Qt .ts) There are far too many improvements to list, but some of the new features include..."
Languages and Tools
C
GCC 4.4.0 Status Report
The February 9, 2009 edition of the GCC 4.4.0 Status Report has been published. "Trunk remains in Stage 4 (regression and documentation fixes mode). GCC 4.4 will be branched when there are no open P1 regressions for 4.4 and the runtime library sources have been converted to GPLv3 with the new licensing exception; the number of P1, P2 and P3 regressions has been below 100 for some time. The licensing exception is waiting for the FSF to confirm to the SC exactly what wording should go in source files using the exception and whether any changes to the exception are to be made to address the possible issues discussed on this list."
Caml
Caml Weekly News
The February 10, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.
Java
GNU Classpath 0.98 released
Version 0.98 of GNU Classpath, the essential libraries for Java, has been announced. "The GNU Classpath developer snapshot releases are not directly aimed at the end user but are meant to be integrated into larger development platforms. For example the GCC (gcj) and Kaffe projects will use the developer snapshots as a base for future versions."
Python
cssutils 0.9.6a1 announced
Version 0.9.6a1 of cssutils has been announced, this release adds some new capabilities and improved documentation. cssutils is: "A Python package to parse and build CSS Cascading Style Sheets. (Not a renderer though!)"
HDF5 for Python 1.1 announced
Version 1.1 of HDF5 for Python has been announced, several new capabilities have been added. "HDF5 for Python (h5py) is a general-purpose Python interface to the Hierarchical Data Format library, version 5. HDF5 is a versatile, mature scientific software library designed for the fast, flexible storage of enormous amounts of data."
itools 0.50.3 released
Version 0.50.3 of itools has been announced, it includes several bug fixes. "itools is a Python library, it groups a number of packages into a single meta-package for easier development and deployment".
SciPy 0.7.0 released
Version 0.7.0 of SciPy has been announced. "SciPy is a package of tools for science and engineering for Python. It includes modules for statistics, optimization, integration, linear algebra, Fourier transforms, signal and image processing, ODE solvers, and more. This release comes sixteen months after the 0.6.0 release and contains many new features, numerous bug-fixes, improved test coverage, and better documentation."
Python-URL! - weekly Python news and links
The February 5, 2009 edition of the Python-URL! is online with a new collection of Python article links.
Cross Compilers
Arduino 0013 released
Version 0013 of Arduino, a development system for the Arduino board, has been announced. "Arduino is an open-source electronics prototyping platform based on flexible, easy-to-use hardware and software. It's intended for artists, designers, hobbyists, and anyone interested in creating interactive objects or environments. Arduino can sense the environment by receiving input from a variety of sensors and can affect its surroundings by controlling lights, motors, and other actuators." See the release notes for more information.
IDEs
eric 4.3.0 released
Version 4.3.0 of eric has been announced. "this is to inform all of you about the immediate availability of the long awaited 4.3.0 release. It includes enhancements in nearly every area. Please see for yourself by downloading it from http://eric-ide.python-projects.org/index.html eric4 is a Python (and Ruby) IDE written using PyQt4 and QScintilla2. It comes with batteries included and is extensible via a built-in plug-in system."
KDevelop 4 Beta 1 available (KDEDot)
Version 4 Beta 1 of KDevelop has been announced. "On behalf of the KDevelop team I am happy to announce that we have reached the next milestone on our way to a final release, KDevelop 4 Beta 1. We feel that KDevelop 4, although in no way feature complete, is now usable and stable enough to get first feedback from a somewhat wider audience. Being a beta there are of course still bugs and missing functionality, but we have excellent language support for C++, integration of the CMake buildsystem, subversion, git and even starts of Qt GUI designer integration."
Test Suites
Linux Desktop Testing Project 1.5.0 released
Version 1.5.0 of LDTP, the Linux Desktop Testing Project, has been announced. "This release features number of important breakthroughs in LDTP as well as in the field of Test Automation. This release note covers a brief introduction on LDTP followed by the list of new features and major bug fixes which makes this new version of LDTP the best of the breed. Useful references have been included at the end of this article for those who wish to hack / use LDTP."
TestLink: 1.8 RC4 released (SourceForge)
Version 1.8 RC4 of TestLink has been announced. "TestLink is leading open source Test management tool. The fourth 1.8 Release candidate improves stability and usability of TestLink. We solved 38 issues and requests within this build (especially installer and localization). New feature: User notification on testing assignment via e-mail."
Version Control
GIT 1.6.1.3 announced
Version 1.6.1.3 of the GIT distributed version control system has been announced, it includes new capabilities and bug fixes.
Miscellaneous
PLY 3.0 announced
Version 3.0 of PLY has been announced. "I'm pleased to announce a significant new update to PLY---a 100% Python implementation of the common parsing tools lex and yacc. PLY-3.0 adds compatibility for Python 2.6 and 3.0, provides some new customization options, and cleans up a lot of internal implementation details."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Reflections on the hardware industry
Harald Welte reflects on the issue of insufficient FOSS support from the hardware industry. "They all have some people inside their own organization, most often actual engineers or even engineering managers up to the very senior R&D managers who understand the FOSS model and the benefits that this would or at least could bring to their products and their organizations. They want to release the source, they want to push mainline, and they might even want to release the user manuals. But inside the industry, nobody listens to what their own R&D department or even some external entity - even the very representatives of the operating system they use (Linux). The chip makers will only listen to one thing: Demand from their tier-1 customers. Whatever is in the spec of those who buy their components in millions of units will get implemented. Only those maybe biggest five board-makers are considered 'customer'. Everybody else is not." (Thanks to Paul Wise).
Trade Shows and Conferences
Camp KDE Talks part two (KDEDot)
KDE.News presents part two of its coverage of the Camp KDE Talks. "Sunday again had talks about a large range of topics. The day started a bit late, but Guillermo Amaral really made up for it by providing us with a funny and interesting talk about the opportunities for the Business use of KDE in Mexico. He pointed out how important it is to handle cultural differences well, continuing the theme set by Pradeepto Adriaan and Till."
Camp KDE Continues And Finishes (KDEDot)
KDEDot covers Camp KDE. "Camp KDE, the KDE community event of North and South America, has finished. Similar to the European KDE meeting, Akademy, the first two days were based around a series of talks on various topics. After that we moved towards BOF sessions, local discussions and programming. We had a trip to the Appleton Estate, visited Rick's café and had a lot of fun. The following article details some of the things that kept us busy."
Companies
Behind the scenes in Microsoft's war against Linux (cnet)
Over at cnet, Matt Asay examines the patent deal between Brother and Microsoft. Given that Microsoft doesn't make printers or even printer drivers, the Brother deal is puzzling. "Slowly, behind the scenes, Microsoft continues to try to portray Linux as risky and Microsoft's patent coverage as insurance. Given that the company selling the insurance is also the one threatening a lawsuit, however, Microsoft needs to step very carefully to avoid the 'extortionist' label. I personally believe that it has already crossed the line and needs to get back to competition between products, not lawyers."
MySQL founder leaves Sun (heise online)
Heise online is reporting that MySQL founder Michael "Monty" Widenius is leaving Sun. It was rumored to be happening last September, but Widenius and Sun worked out an agreement for him to stay for three months at that time—which stretched to a few extra months. "Now, by agreement, and apparently on good terms, Sun and Widenius have parted. 'I still think that Sun was the best possible buyer for MySQL and I feel sad that things didn't work out together', he said, 'I will be available for Sun in helping them with their goals in the open source space'."
State of the Union at Red Hat (Red Hat Magazine)
Jim Whitehurst, President and CEO of Red Hat, provides a brief "State of the Union" for Red Hat. "I've been on the job at Red Hat since December 2007, and have had the opportunity to meet hundreds of Red Hat customers, partners, associates and industry leaders. In keeping with the U.S. presidential State of the Union address, I'd like to touch on plans for the upcoming year while also reflecting back to share a few observations from the past 13+ months." (Thanks to Rahul Sundaram)
Red Hat Expands Real Time Linux Cloud (internetnews.com)
internetnews.com reports on Red Hat's new MRG 1.1 platform. "Linux vendor Red Hat is out today with its newest Real Time Linux platform, MRG 1.1 boasting new performance, messaging and grid computing (cloud) capabilities. The new MRG 1.1 platform marks the debut of Red Hat's commercially-supported grid technology, which helps users create their own enterprise clouds as well as leverage the power of Amazon's EC2 service. Red Hat is also claiming significant performance gains with a new Real Time Linux kernel and improved messaging speeds in a bid to appeal to unique sectors such as government, military and financial services."
Vodafone signs Linux deal with U.S. firm Azingo (Reuters)
Reuters covers a partnership between Vodafone and Azingo. "Vodafone has picked U.S. software firm Azingo to develop Linux-based applications, the latest sign the world's largest wireless operator by sales is keeping Linux operating system LiMo as one of its key choices. Privately held Azingo unveiled the deal on Thursday. Vodafone, one of the founding members of mobile Linux foundation LiMo, has stressed the importance of cutting the number of different operating systems, raising some media speculation it could dump LiMo support."
Interviews
Xfce creator talks Linux, Moblin, netbooks and open-source (SlashGear)
SlashGear has an interview with Olivier Fourdan, creator of Xfce. "As Intel's investment into the Moblin OS gets increasing attention, and more non-technical users are introduced to Linux-based platforms in the shape of low-cost netbooks, 2009 will see open-source become more mainstream than ever before. Under the hood there's much that makes Linux safer, more efficient and secure than rival systems, but for most new users it's what they can see on-screen that counts. SlashGear caught up with Xfce creator Olivier Fourdan, whose desktop environment has not only been selected by Intel for Moblin but can be found on many existing Linux netbooks, and talked Intel, Moblin, the future for netbooks and what challenges he sees for open-source newcomer Android."
Fellowship interview with Colin Turner (FSFE)
The Free Software Foundation Europe has an interview with Colin Turner. "Colin Turner is a dedicated Free Software activist and Fellowship member, working as a scientist and teacher at the University of Ulster in Northern Ireland. He has been advocating Free Software in schools and universities for many years and generously shared some of his experiences with us in this fourth instal[l]ment of our Fellowship interview series."
Resources
Two articles on containers
The developerWorks site has posted two detailed articles on Linux container technology. This overview by Matt Helsey looks at the LXC toolkit, while this article by Serge Hallyn focuses on security issues. "A common response when someone first hears about containers is 'How do I create a secure container?' This article answers that question by showing you how to use Linux Security Modules (LSM) to improve the security of containers. In particular, it shows you how to specify a security goal and meet it with both the Smack and SELinux security modules."
FOSS Linux CRM Roundup (Linux Journal)
Doc Searls presents an updated list of Linux-compatible CRM systems on Linux Journal. "Back at the 2003 OSCON, r0ml Lefkowitz gave a talk called "Six Missing Open Source Projects". The next year he gave a talk titled "More Missing Open Source Projects". At the top of his first list was CRM, or Customer Relationship Management, systems."
Bruce Perens: Combining GPL and Proprietary Software (Datamation)
In an article at Datamation, Bruce Perens gives some advice on using both GPL and proprietary software, particularly in mobile phones. He looks at the reasons for keeping some parts closed (DRM or regulatory compliance for example), then offers suggestions on how to handle that safely. "Also, don't look for, and use loopholes in the Open Source licenses. Nothing makes your company look worse than taking unfair advantage of people who provided their work to you without charge, expecting in good faith that you'd honor their license. It also tends to make Open Source folks reluctant to cooperate with your company, the next time you need help with their software."
Reviews
HP releases custom Netbook version of Ubuntu Linux (ZDNet)
ZDNet covers HP's release of the Mini 1000 Mi netbook, which features a customized version of Ubuntu. "The operating system is based on Ubuntu 8.04 Hardy Heron, and can run pretty much any application that normally runs on Ubuntu, including OpenOffice.org, Firefox, Thunderbird, Pidgin and so forth with which the OS conveniently comes preloaded. (You'll have to install GIMP, though.) On the other hand, the GUI hardly resembles Ubuntu, according to DownloadSquad's Brad Linder."
Krita 2.0: a Host of New Features (KDE.News)
KDE.News takes a look at new features in Krita 2.0, the KDE painting and image editing application. "In KOffice 2.0, KParts have been replaced by Flake Shapes, as an end result Krita 2.0 has vector layers where you can add any combination of KOffice shapes. Examples of KOffice shapes are vector drawings, text objects or even musical notation objects. These shapes are then rendered at the image resolution and blended with your pixel layers. The same technique is used for vector selections."
Miro 2.0 gets serious about Web video, leaves us wanting (ars technica)
Ars technica reviews the Miro 2.0 release. "A major new version of the open source Internet TV and video podcast player brings support for a variety of Web services like Hulu, YouTube, and Legaltorrents.com, a separate video playing window, and a more polished UI. Most of Miro's key drawbacks, however, still remain."
Miscellaneous
Compiz Comes Together (Linux Journal)
Linux Journal takes a look at the new Compiz Council. "Compiz — the compositing window manager responsible for more than a few dropped-jaws — has a long history of ins and outs, not the least of which includes more forks than at a garden club lunch. It seems, however, that things always come back together, and such was the case on Tuesday, as the Compiz community announced the imminent re-merger of several well known forks."
If You Want to Change the World, You've Got to Buy Big (Linux Journal)
Linux Journal covers the demise of the One Laptop Per Child "Change the World" program. "The "Change the World" program, variously known as "Give a School" and "Give 100, Give 1000," offered individuals and groups the opportunity to donate one hundred or more laptops to children in the developing world, and designate where they should be deployed. Through the program, those with ties to particular areas — a sister organization in a developing nation, for example — were given the opportunity to have their donation directly affect children in that area. Morgan Collett, a developer at OLPC, was among the first to report the news, and wrote that several hundred XOs have already been deployed in South Africa through the program, with more in the works."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Ardour project loses funding
The Ardour multi-track audio recorder project has announced a loss of corporate sponsorship. "SAE announced today that they will no longer sponsor the development of Ardour. This puts me (Paul, Ardour's lead developer) in the position of being paid solely by the donations and subscriptions made by the Ardour community. This is obviously insufficient to support myself, let alone my family, so I am obviously looking for other opportunities to earn a living. Although I intend to try to improve the revenue that Ardour itself generates, this is unlikely to be sufficient for some time to come."
EFF calls on Federal Regulators to protect Consumers from DRM
The Electronic Frontier Foundation has called on the Federal Trade Commission to mitigate damage caused to consumers by Digital Rights Management. "In public comments submitted to the FTC today, EFF explained how DRM, backed by the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA), impedes innovation and thwarts consumers' rights to make full use of their digital music, movies, software, and videogames. EFF urged the commission to study DRM's effect on competition in the marketplace, investigate whether the effects of DRM are fully disclosed to consumers, and promote a set of "Best Practices" that, if followed, would help alleviate the burdens of DRM for consumers."
New GNOME desktop testing team announced
The GNOME Desktop Testing team has been launched. "We are proud to announce that a new GNOME team has been created, focused on desktop testing automation. If you have ever wondered how could you test your application writing scripts that mimic what a normal user would do, join us in this new effort. We have a mailing list, a wiki page with documentation and a SVN module with the initial work that we have done, but we need more people to get involved to make GNOME better and better."
New Books
Network Know-How--New from No Starch Press
No Starch Press has published the book Network Know-How by John Ross.
Resources
Python 2.6 Quick Reference available
A new Python 2.6 Quick Reference is available online. "The Python 2.6 Quick Reference is available in HTML and PDF formats at http://rgruet.free.fr/#QuickRef."
Meeting Minutes
Perl 6 Design Meeting Minutes (use Perl)
The minutes from the January 7, 2009 Perl 6 Design Meeting have been published. "The Perl 6 Design Team met by phone on 07 January 2009. Larry, Jerry, Allison, Patrick, Jesse, and chromatic attended."
Calls for Presentations
EuroDjangoCon '09 Venue and Keynotes
EuroDjangoCon '09 will take place in Prague, the Czech Republic on May 4-8. "We have also extended the conference by two days so that we can have sprints. The dates are now as follows: May 4th - 6th (Main conference), May 7th - 8th (Sprints). Call for participation ends on 1st March, so please ensure you have submitted your talk before then."
Upcoming Events
Announcing the Cloud Slam virtual conference
Cloud Slam 09 has been announced. "The world's leading experts and authorities in cloud computing to convene on April 20-24 at Cloud Slam 09 to analyze and uncover top trends and challenges."
Demonstrating Open-Source Healthcare Solutions 2009 Conference (LinuxMedNews)
The Demonstrating Open-Source Healthcare Solutions 2009 Conference has been announced. "Lend Your Voice to this Crucial Discussion as America Transitions to a New Era Arguably, the unique elements of the 2008/2009 recession combined with a change in administration and governing philosophy constitute a unique historical moment as demonstrated by ongoing events..." The event takes place on February 20 in Los Angeles, CA.
FSF announces LibrePlanet 2009 and annual meeting
The FSF annual meeting has been announced. "The Free Software Foundation has announced LibrePlanet 2009, an expansion of its traditional annual meeting to a two-day event. The event will be held in Cambridge, MA, on March 21st and March 22nd, 2009, and in addition to presentations from FSF staff and board members will include a full "unconference" day of work oriented toward progressing free network services and other areas important to the free software community as outlined on the FSF's High Priority Projects list."
PyCon 2009 takes Python to new places
PyCon 2009 registration is open; the event takes place in Chicago, IL on March 25 - April 2. "From hackathons in Africa to a neutrino detector at the South Pole; from massive multicore machines to tiny embedded wireless devices; and from mobile phones to distributed heterogeneous networks, talks at Pycon 2009 demonstrate how Python is being used in places and in ways that will startle even longtime Python users. Python continues to branch out across software platforms as well, with several talks covering the growing use of IronPython and Jython on the .NET and Java platforms."
SCALE Is almost here
The Southern California Linux Expo begins on February 20. "Free and Open Source software can save you money. Whether you're running a business or are a computer user, FOSS software is high-quality software that can be quite inexpensive. Smart organizations know that, and they come to SCALE, and sponsor SCALE. And because the FOSS community continues its vibrant growth unabated, there were more than enough organizations to fill the "dotORG" booths at this month's Expo: SCALE is full!"
SOA in Healthcare Conference (LinuxMedNews)
LinuxMedNews has announced the SOA in Healthcare conference. "OMG, Health Level Seven (HL7), and the SOA Consortium announce the SOA in Healthcare: Value in a Time of Change, conference held June 2-4, 2009 at the Hyatt Regency O'Hare in Chicago, IL. Registration details may be found online at http://www.omg.org/hc-std."
uCon Security Conference speakers announced
The speaker lineup for the uCon Security Conference has been announced. "The conference will take place three days after the most insane street carnival in the world in Recife, Brazil, on 28th February 2009 and will also feature training sessions on 26th and 27th. If you are outside Brazil and plan to attend uCon, please contact us if you need any assistance on your travel. Carnival and hacking in a row, rather unique. Don't miss the chance."
UKUUG - Google Bursaries for attendees at Spring 2009
Google has announced the availability of grants for the UKUUG conference. "Google, as part of Google's ongoing commitment to encouraging women to excel in computing and technology, we are pleased to announce the 2009 Google UKUUG Student/Developer Conference Grant to encourage more female computer scientists to attend and participate in the UKUUG 2009 Conference, 24-26 March, London."
Events: February 19, 2009 to April 20, 2009
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location |
---|---|---|
February 16 to February 19 | Black Hat DC Briefings 2009 | Washington, D.C., USA |
February 20 | Demonstrating Open-Source Health Care Solutions | Los Angeles, CA, USA |
February 20 to February 22 | Southern California Linux Expo | Los Angeles, CA, USA |
February 24 to February 26 | VMworld Europe 2009 | Cannes, France |
February 25 to February 27 | German Perl Workshop | Frankfurt Main, Germany |
February 27 | PHP UK Conference | London, UK |
February 28 | Belgian Perl Workshop | Leuven, Belgium |
February 28 | uCon Security Conference | Recife, Brazil |
March 1 to March 4 | Global Ignite week | Online |
March 3 to March 8 | CeBIT 2009 | Hanover, Germany |
March 4 to March 7 | DrupalCon DC 2009 | Washington D.C., USA |
March 6 | Dutch Perl Workshop | Arnhem, The Netherlands |
March 7 | Ukrainian Perl Workshop 2009 | Kiev, Ukraine |
March 8 to March 11 | Bossa Conference 2009 | Recife, Brazil |
March 9 to March 13 | Advanced Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
March 9 to March 12 | O'Reilly Emerging Technology Conference | San Jose, CA, USA |
March 12 to March 15 | Pingwinaria 2009 - Polish Linux User Group Conference | Spala, Poland |
March 14 | OpenNMS User Conference (Europe) 2009 | Frankfurt Main, Germany |
March 14 to March 15 | Chemnitzer Linux Tage 2009 | Chemnitz, Germany |
March 16 to March 20 | Android Bootcamp with Mark Murphy | Atlanta, USA |
March 16 to March 20 | CanSecWest Vancouver 2009 | Vancouver, BC, Canada |
March 18 | Linuxwochen Österreich - Klagenfurt | Klagenfurt, Austria |
March 21 to March 22 | Libre Planet 2009 | Cambridge, MA, USA |
March 23 to March 27 | iPhone Bootcamp | Atlanta, Georgia, USA |
March 23 to April 3 | Google Summer of Code '09 Student Application Period | online, USA |
March 23 to March 27 | ApacheCon Europe 2009 | Amsterdam, The Netherlands |
March 24 to March 26 | UKUUG Spring 2009 Conference | London, England |
March 25 to March 29 | PyCon 2009 | Chicago, IL, USA |
March 27 to March 29 | Free Software and Beyond The World of Peer Production | Manchester, UK |
March 28 | Open Knowledge Conference 2009 | London, UK |
March 31 to April 2 | Solutions Linux France | Paris, France |
March 31 to April 3 | Web 2.0 Expo San Francisco | San Francisco, CA, USA |
April 3 to April 5 | PostgreSQL Conference: East 09 | Philadelphia, PA, USA |
April 3 to April 4 | Flourish Conference | Chicago, IL, USA |
April 6 to April 8 | CELF Embedded Linux Conference | San Francisco, CA, USA |
April 6 to April 7 | Linux Storage and Filesystem Workshop | San Francisco, CA, USA |
April 8 to April 10 | Linux Foundation Collaboration Summit | San Francisco, CA, USA |
April 14 | OpenClinica European Summit | Brussels, Belgium |
April 15 | Linuxwochen Österreich - Krems | Krems, Austria |
April 16 to April 17 | Nordic Perl Workshop 2009 | Oslo, Norway |
April 16 to April 19 | Linux Audio Conference 2009 | Parma, Italy |
April 16 to April 18 | Linuxwochen Austria - Wien | Wien, Austria |
If your event does not appear here, please tell us about it.
Web sites
Announcing the OpenProofs Wiki
The OpenProofs Wiki site has been launched. "A new site, "http://www.openproofs.org/", has been set up to encourage the development of "open proofs". The site defines "open proofs" as "software or a system where all of the following are free-libre / open source software (FLOSS): * the entire implementation * automatically-verifiable proof(s) of at least one key property, and * required tools (for use and modification)"".
Page editor: Forrest Cook