LWN.net Weekly Edition for March 5, 2009
How (not) to run a developer program
The Android developer phone (ADP1) is a nice piece of hardware which allows freedoms that the T-Mobile standard-issue G1 does not allow. As the name might imply, it is targeted at developers so that they can more easily develop applications for the Android Market, but also so that they can hack on the Android platform itself. So far, though, the Android development community has been less-than-satisfied with the development support provided by Google. In fact, the recent decision to disallow access to copy-protected applications in the Android Market has a lot of ADP1 purchasers up in arms. But that isn't the only thing that has annoyed—or worse—Android hackers.
The idea behind a developer program is, or should be, that developers get early access to the code that customers will soon be running, so that they can test their applications—finding and fixing bugs before the general public ever sees them. For whatever reason—manpower is the oft-stated problem—Google has turned this on its head. Customers who purchase the consumer version (i.e. G1), will get the RC33 version (in the US, European version numbering is different) of the firmware. The G1 phones ship with an earlier version, but an over-the-air upgrade will eventually bring them up to that version. For developers who purchased an ADP1, however, there is no equivalent upgrade, at least officially.
There has been a fair amount of complaining about the lack of an ADP1 upgrade on the android-developers mailing list. Jean-Baptiste Queru, who seems to be the Android engineer who was selected or volunteered to answer questions on the list, is unhappy about the delay—and lack of information—as well:
[...] You're not the only one frustrated about this. I am too.
The 1.1 firmware release for the ADP1 is supposed to have more-or-less equivalent functionality to the RC33 release for the G1. But what, exactly, that release will contain is still a closely-held secret. That seems to be one of the biggest complaints about how Google is treating Android developers: lack of information. The problem with copy-protected applications for the ADP1 is just another example.
Android offers application developers two restrictions that they can apply to their programs in the Android Market: for-sale and copy-protection. It is believed that most for-sale applications will also carry the copy-protection restriction, but that is not required. Gratis applications can also be copy-protected if the developer wishes to do so.
The ADP 1.0
code does not allow access to either kind of application in the Market.
ADP 1.1 is believed to relax that restriction to only those that specify
copy-protection, though that may not be much different in practice. The
reasoning, according to Queru, is that
"copy-protected apps aren't offered on devices where the
copy-protection is known to be ineffective.
" Because the ADP1
phones are unlocked, there are various ways that the copy protection
could be overridden.
The fear seems to be that developers might pay for an application, then squirrel it away and apply for a refund. Developers could restore the deleted application after receiving the refund or copy it to other phones. While that is a possibility, it leaves some feeling like developers are being singled out as pirates. One of the problems is that folks who have gotten root access on their G1 phones can access copy-protected applications. In the end, folks who want to pirate applications—be they developers or consumers—will find a way to do it.
It is a time-honored tradition amongst software developers to check out the competition. Many of the hobbyist developers hoping to strike it rich with Android Market applications purchased the ADP1 in the belief that it would have the same functionality that the consumer version does. Now they have found out that they can't purchase competitor's applications (at least in the likely case that they are copy-protected), on top of the realization that they can't get a blessed version of the latest code. Other ADP1 purchasers were looking to get around the geographic and/or cellular carrier restrictions of the G1, but now have a phone with fewer capabilities.
There are alternative firmware loads for the ADP1, but it doesn't sit well that Google has yet to provide one. A somewhat popular alternative is to use the so-called "holiday" version—the version that shipped on the ADP1s that Google gave its employees as a holiday bonus. Interestingly, that code does not allow accessing copy-protected Market applications either, which makes it likely that the restriction is simply an attempt to be consistent about copy protection, as Queru stated, rather than a real belief that developers are more likely to be pirates.
Google could have avoided much of the outcry by being more transparent—something the company seems to have a general problem with—and by paying more attention to its developer program. The official developers blog does not seem to cover many of the areas that are of concern to the community. One must wander through the mailing list or third-party sites to find information about the restriction on copy-protected applications, for example.
There are alternative mechanisms for handling copy protection, of course. Several were bandied about on the mailing list as the "forward locking" scheme—essentially signing the application in such a way that it won't run on other phones—is seen as suboptimal. The alternatives are other forms of DRM, however, as Queru points out:
Developers just want a phone that can do what they need it to, so some are starting to feel like they made a bad decision by purchasing the ADP1. That has led to suggestions that folks should just sell their ADP1 and use the emulator or a G1 phone to do their development. That may be a bit of an extreme reaction, but there are probably some who have done that or are considering it. A bigger worry for Google might be that they decide to ditch the Android platform entirely for something more developer-friendly.
Some have portrayed Android as the future of the Linux desktop—on phones and netbooks at least—but the problems that are currently being experienced on phones could well spill over. DRM and locking devices to particular vendors are not "features" that people normally associate with Linux and free software, but they are being demanded by some vendors. Those kinds of restrictions are really meant to keep consumers from reaping the benefits of freedom. While folks may be used to that treatment from mobile phones, one hopes they don't have to get used to it from their computers as well.
Third time is the charm?
Almost two years ago, your editor sat on an Open Source Business Conference panel with Microsoft's Sam Ramji, who made the point that Microsoft had only launched patent infringement lawsuits twice in its existence. Given that, worries about the Microsoft/Novell patent deal were, in his opinion, misplaced. Last week, it was revealed that the count has gone up to three: Microsoft has filed a lawsuit against TomTom, a maker of Linux-based navigation devices. There is much speculation and uncertainty on the net as to just what this action means. Your editor means to add to it by saying that Microsoft's intentions would appear to be relatively clear.The patents which TomTom is alleged to be infringing are:
- 6,175,789
(Vehicle computer system with open platform). This patent, filed in
1999, covers the innovative concept of mounting a computer in a
vehicle dashboard. Literally, that is all there is to it.
- 6,202,008
(Vehicle computer system with wireless internet, 1999). This one
extends the previous patent by adding an Internet connection to the
dashboard-mounted computer.
- 7,054,745
(Method and system for generating driving directions, 2003), appears
to cover the basic turn-by-turn instructions provided by just about
any navigation unit on the market.
- 6,704,032
(Methods and Arrangements for Interacting with Controllable Objects
within a Graphical User Interface Environment Using Various Input
Mechanisms, 2000). This patent is relatively impenetrable, but
appears to cover a framework for binding responses to user interface
events.
- 7,117,286
(Portable computing device-integrated appliance, 2005). The deep
concept here appears to be recognizing a docking station and causing
the user interface to configure itself accordingly.
- 5,579,517
(Common name space for long and short filenames, 1995) and 5,758,352
(Common name space for long and short filenames, 1996). These are the
infamous patents on the long filename hacks embedded in the VFAT filesystem.
- 6,256,642 (Method and System for File System Management Using a Flash-Erasable, Programmable, Read-only Memory, 1992). This one covers a fairly straightforward mechanism for managing flash memory by dividing large erase blocks into filesystem-sized blocks and allocating them independently.
The first two patents in this list appear to be laughable indeed; it is hard to see how they can pass the obviousness test. This is especially true in light of the KSR v. Teleflex ruling, wherein it was decided (also in the automotive setting) that the idea of connecting a floor pedal to an electronic throttle control was too obvious to patent. The navigation patent would appear to be infringed by anybody who sits in the passenger seat and helps the driver find a destination. The docking station and GUI patents seem less clear, but it doesn't seem like it should be all that hard to find suitable prior art.
That leaves the final three patents, all of which are relevant to the Linux platform. Like almost every other system on the planet, Linux supports the VFAT filesystem, and, thus, could be argued to infringe upon the relevant patents. The flash patent looks much like the technique used by any system which manages flash memory in anything but the stupidest of ways. It would appear that Microsoft has finally decided to follow through on its longstanding patent threats against Linux.
Of course, not all agree. The 451 Group posted this fairly impressive apology for Microsoft, claiming:
For those looking for signs that Microsoft has changed, I would hope this might serve as the proverbial coffee to wake up and smell. Microsoft is acknowledging the contributions and IP value of open source software and is going out of its way to make sure people don't think it is making patent infringement claims over the actual Linux kernel.
Your editor wishes to politely dismiss this talk as dangerous nonsense. There is nothing special about TomTom's kernel with regard to these patents. One would think that it would make little sense for TomTom to go into the kernel source and create its own special version of VFAT which infringes on Microsoft's patents. Of course, embedded systems developers have been known to do some very strange things, so one cannot take TomTom's good sense for granted in this situation. So, for the definitive word, we will refer to Harald Welte's take on TomTom's kernel:
If TomTom is infringing Microsoft's patents, then everybody who is running Linux is infringing those patents. This is an attack against Linux; TomTom has just been given the honor of being the first defendant.
Microsoft's motivation would seem to be clear. The company has tried for years to sell versions of Windows into the embedded systems market, with success best described as "modest." Linux is hard to compete against in these systems; it is highly portable, can be customized to an arbitrary degree, offers support from multiple vendors, and can be shipped with no royalty charges. Microsoft would like to take away some of those advantages by imposing a patent tax on embedded Linux deployments. Embedded systems vendors cannot miss this message: they can pay licensing fees, or they can pay legal fees.
The obvious question at this point is: what now? The VFAT patents may appear to fail the obviousness test; they could also run into difficulties stemming from the Bilski decision. These patents are problematic, though: the Public Patent Foundation tried hard to invalidate these patents in 2004, only to have them reinstated by the US patent office in 2006. As a result, there will be a certain presumption of validity which could prove hard to overcome in court. It has often been said that attempts to invalidate patents carry risks; what doesn't kill a patent may well make it stronger.
Your editor would certainly not advise anybody to give up on efforts to defeat these patents, but the possibility that they could stand must be considered. The loss of the VFAT filesystem would be painful. It is a poor filesystem, but it has become a sort of de facto interchange format for storage-oriented devices. Without VFAT, Linux users would encounter difficulties working with their digital cameras, cellular telephones, and music players. Sharing storage devices with Windows systems would become harder. VFAT would become a technology like MP3: unavailable on many Linux systems until installed from some third-party repository on the net.
Avoiding this outcome seems desirable. One way would be to defeat these patents in court. To that end, one can only hope that TomTom will stand up to this attack and defend its rights. The rest of the industry would be well advised to consider helping TomTom in this fight. This case, if fought to its conclusion, will certainly be expensive. But the cost of not fighting it seems certain to be much higher.
Another way to deal with the VFAT patents would be to start a serious look for workarounds - a technique which the free software community does not, yet, make enough use of. Patents tend to be tightly written, meaning that workarounds are often possible with relatively small changes. It may well be possible to make changes to the VFAT filesystem which pass the patent-lawyer test while maintaining interoperability with other systems.
Indeed, a suitably clever lawyer might be able to argue that Linux already operates outside the patent; the claims require that the long filename include "more than the maximum number of characters that is permissible by the operating system," something which is clearly not the case on Linux. Your editor, however, is neither a lawyer nor suitably clever; this kind of determination will need to be made by others.
At the upcoming Linux Foundation Collaboration Summit, your editor will be running a panel on kernel development. Sam Ramji, alas, will be in the other room at that time, sitting on a panel entitled "Why Can't We All Just Get Along: Linux, Microsoft & Sun." One can imagine the course this discussion is going to take; Sun is likely to get off easy. Parts of Microsoft (especially those represented by Mr. Ramji) have been making friendly noises toward open source for some time. But actions speak louder than friendly noises, and this particular action speaks loudly indeed. Parts of Microsoft are almost certainly sincere about wanting to get along with the Linux community, but the stronger forces within the company, it seems, are not.
Ubuntu debates usability changes
Ever since last July, when Mark Shuttleworth called on Ubuntu to surpass Mac OS X in desktop design within two years, Ubuntu mailing lists and blogs have become one of the main places to go for detailed discussions about GNU/Linux usability. However, the discussions can become convoluted and acrimonious, as developers argue the logic of design principles. A case in point is the discussion of Ubuntu's new notification guidelines on the ubuntu-devel list over the past two weeks, which quickly turned into a discussion of whether notifications should be used at all.
The discussion centers around the new guidelines for notification messages, which typically appear by the notification tray in GNOME. These guidelines were announced in Mark Shuttleworth's blog entry for February 21. Both the blog and the guidelines include screen shots to illustrate what they are describing.
The problem is that the now-standard notification bubbles (so-called for
their shape) are easily missed because they disappear after a few seconds,
and they often point to icons in the system tray, which users may find hard to
![[Bubble notification]](https://static.lwn.net/images/ns/ubuntu-notification.png)
click. For these reasons, the guidelines call for a reduction in their use,
although acknowledging the possibility that they might still be useful in
unspecified circumstances.
Whenever possible, notification bubbles will, in the next Ubuntu release, be replaced with a notification in an existing window; for instance, when a web browser has blocked up a popup, the notification could display in a dialog above the web page, using the browser's built-in notification system. More radically, when a notification needs user input, but doesn't need an immediate response — for instance, when a printer is detected, but the necessary driver is missing — it will be displayed in an alert box that opens beside the system tray without taking the focus away from the user's current window.
In cases such as a low battery reading, when a quick response is needed, the window or alert box will display the basic message, followed by, when the user clicks it, a dialog, possibly with a different color background. The guidelines refer to this arrangement as "morphing," and suggest that it will help prevent the accidental selection of a button when the cursor moves to the dialog. Why accidental selection is perceived as a problem, though, is unspecified.
The advantages of the proposed alert boxes is that, unlike notification bubbles, they remain on the desktop, and provide dialogs that are easier to click than a system tray icon.
Discussion of these new guidelines quickly followed Shuttleworth's blog
entry, wandering across several threads in ubuntu-devel in February and
March. Some of the discussion called for citations to support a usability
assertion, as when Jordan Mantha told
Mat Tomaszewski of the Canonical design team, the group responsible for the
guidelines, that "'trust us, we have our reasons' is not going to
very convincing to many people.
"
As discussion continued, it soon became apparent that at least some Ubuntu designers outside Canonical distrust those employed by the company. For instance, Scott Kitterman remarked:
Similarly, Martin Owens complained
that "It's as if the people at Canonical had taken a politics course
and decided to deliberately alienate those people who are not inside of
Canonical.
"
To such comments, Mat Tomaszewski replied several times, with patience and
enthusiasm for the tasks at hand, while Matthew Paul Thomas, another
Canonical employee, explained in a similar tone that usability efforts were
just getting started, and were expensive enough that "much of the
time we will have to rely on common sense
".
At one point, the language became so heated that Mark Shuttleworth intervened
to call one developer's comments "not constructive
" — a
rare occurrence on Ubuntu lists compared to those of some projects, due to
the
code
of conduct by which developers agree to abide.
However, for the most part, discussion remained civil. Matthew Paul Thomas defended the new guidelines, pointing out that:
Thomas also summarized potential problems with notice bubbles: either they disappear after a few seconds and can disappear before users notice them, or else they persist and distract users. In addition, alerts and windows are easier to use than small, often indistinguishable icons.
By contrast, Lars Wirzenius presented a case against all notifications, saying flatly that:
All
Wirzenius wanted was essential notifications, suggesting that "All
applications should, in my opinion, strive to interrupt the user as little
as possible, especially by default.
"
Wirzenius' position was soon challenged by other developers in ways that
show some of the considerations necessary in usability design. Chow Loong
Jin questioned
Wirzenius' assertion that default settings should be designed for those who
use their computer as a "tool
" rather than a
"toy,
" arguing that the tool users would know how to change
the defaults while the toy users would not.
Similarly, Ted Gould contended that, since toy users are probably a majority, the defaults should be settings that they want. In the same post, he also suggests that:
However, Tomaszewski indicated
that some ability to change levels of notifications would be available via
a "Do not disturb
" mode that would block at least some
standard notifications.
What made this discussion especially interesting was how it brought out both the general and specific issues that arise in usability. For instance, Mathew Paul Thomas responded to the suggestion that using an application at full-screen size should disable notifications by pointing out that:
Thomas also warned that:
In much the same way, Tomaszewski stated:
Yet another post, this time by Bruce Cowan, summarized the problems with any sort of dialog. The sudden appearance of windows and alerts, Cowan suggested, is confusing, and could make users worry that a piece of malware has started an application. In addition, too many dialogs could frustrate users, to the point that some disable them altogether, so that over-use of the system could defeat the entire purpose of providing timely warnings. As for the changes in the new guidelines, Cowan suggested that they may annoy experienced users who see little wrong with notification bubbles.
Whether these discussions will have any effect on the Ubuntu Design or Desktop Experience Team seems uncertain, since the guidelines are already being used in alpha versions of the upcoming Jaunty release. All the same, they are the sort of discussions that Ubuntu developers are likely to be having for the next eighteen months as they try to realize Shuttleworth's goal of increased usability, especially in the absence of hard data to show what designs are most usable. They are likely, too, to have them again, as they attempt to have their changes accepted upstream by projects like GNOME. However, for others, they show the punctilious but necessary considerations that usability generally involve — considerations that many free and open source software projects are only just starting to face.
Security
Reviving Python restricted mode
A sandbox (or restricted execution) environment for a programming language can be a useful feature to allow untrusted users access to much of the language while restricting the "dangerous" operations. Some languages, notably Java, were designed to support sandboxes from the outset. Others, like Python, have a variety of possible sandbox solutions, but the core language doesn't support that functionality. A movement is afoot to change that for Python by reviving "restricted mode".
Guido van Rossum raised the subject on the python-dev mailing list, which started a conversation about the requirements for such a mode. It turns out that the interested party, who goes by the name "Tav", would like to be able to run untrusted code within applications in Google's App Engine. In particular, he would like to be able to allow untrusted code to access additional functionality by way of closures. But, because of the introspection features of Python, a closure object could be used to circumvent any access restrictions.
The example Tav uses in his App Engine feature request is instructive:
def _get_blog_posts(db, current_user):
def get_blog_posts():
"""Return Blog posts by the current user."""
return db.get('BlogPost').filter('user =', current_user)
return get_blog_posts
__builtins__['get_blog_posts'] = _get_blog_posts(db, 'tav@espians.com')
This would allow untrusted code to access the database in a constrained
manner, in this case only returning data for one particular user. But, by
peering inside of the get_blog_posts object, a malicious user could
access the db object. That would allow access to any data that is
stored in the database.
So, at some level, Tav, van Rossum, and others are trying to create a restricted mode that limits the introspection so that untrusted code cannot access attributes that "leak" information from the trusted code. This is a fairly limited definition of a sandbox, as it relies on App Engine (or other, such as PyPy sandbox) safeguards to prevent things like system call access or problems caused by interpreter segmentation faults. For this exercise, those problems are explicitly defined away.
The real goal, as outlined in Tav's blog, is to be able to provide more expressive templating for users of App Engine applications:
Imagine instead if you could let your users use a templating language like Genshi. Users could have the full expresivity of the Python language to generate the output they want.
The problem with letting users do that today is that they would be able to use it to get at the rest of your application and start doing evil things to your database.
In order to test his ideas about how to approach this problem, Tav issued a challenge to Python developers to break his restricted FileReader object such that one could write a file to the filesystem. It was only a few hours before a simple crack was posted, but, unlike other challenges of this sort, Tav seemed delighted, rather than defeated, by what was found. His environment essentially removed access to certain attributes that are normally associated with an object. In essence, the challenge was to find more attributes which needed to be added to his list.
A second version of the challenge was posted to his blog, along with a running tally of exploits that had been found and fixed. It is an interesting exercise that Python developers seem to be having fun with. The problem with the approach is that it relies on blacklists, as Victor Stinner, who also found the first exploit, points out. A whitelist approach is likely to be better; choosing which attributes are safe to use, rather than removing those that are found to be unsafe.
Tav has posted a patch to the Python
core that implements his method into the language proper as suggested by
van Rossum. Given that van Rossum, as Python lead and Google employee, is
uniquely positioned to effect these changes, his promise
to "give it serious consideration,
both for inclusion in core Python and for App Engine
" would seem to
carry a lot of weight.
While it is not a complete solution to the sandboxing problem, Tav's work will help Python applications that already run in somewhat restricted environments. After all, from App Engine's perspective, all of the code that it gets is untrusted, so it must provide the safeguards against exploits of the underlying operating system by way of crashes or system calls. Tav's code would then allow App Engine user applications to run their own untrusted code.
This could be a solution for other programs that want to run untrusted Python code as well. The Battle for Wesnoth has support for AIs written in Python, but there have been some security concerns about users grabbing random, perhaps malicious, AI code. This change to the Python core, perhaps coupled with a PyPy sandbox might be enough to change Eric Raymond's recent pronouncement that Lua is the way forward instead of Python.
Brief items
Support for Red Hat Enterprise Linux 2.1 ends on May 31
Red Hat has sent out a reminder that support for RHEL 2.1 will end on May 31, 2009. "In accordance with the Red Hat Enterprise Linux Errata Support Policy, the 7 years life-cycle of Red Hat Enterprise Linux 2.1 will end on May 31 2009. [...] After that date, Red Hat will discontinue the technical support services, bugfix, enhancement and security errata updates." Click below for the full announcement.
New vulnerabilities
audacity: buffer overflow
| Package(s): | audacity | CVE #(s): | CVE-2009-0490 | ||||||||
| Created: | February 26, 2009 | Updated: | March 9, 2009 | ||||||||
| Description: | Audacity has a buffer overflow vulnerability. From the Mandriva alert: Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string. | ||||||||||
| Alerts: |
| ||||||||||
curl: information disclosure
| Package(s): | curl | CVE #(s): | CVE-2009-0037 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2009 | Updated: | March 19, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The curl utility does not enforce any restrictions when following HTTP redirects. A malicious server could thus create a redirect which would provide access to arbitrary files on the local system. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
dkim-milter: denial of service, possible arbitrary code execution
| Package(s): | dkim-milter | CVE #(s): | |||||||||
| Created: | March 2, 2009 | Updated: | March 5, 2009 | ||||||||
| Description: | From the Debian advisory: It was discovered that dkim-milter, an implementation of the DomainKeys Identified Mail protocol, may crash during DKIM verification if it encounters a specially-crafted or revoked public key record in DNS. | ||||||||||
| Alerts: |
| ||||||||||
eID-belgium: improper certificate check
| Package(s): | dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good | CVE #(s): | CVE-2009-0049 | ||||||||
| Created: | March 2, 2009 | Updated: | December 7, 2009 | ||||||||
| Description: | From the SUSE advisory: eID-belgium didn't properly check the return value of the openssl function EVP_VerifyFinal (CVE-2009-0049). | ||||||||||
| Alerts: |
| ||||||||||
eog: arbitrary code execution
| Package(s): | eog | CVE #(s): | CVE-2008-5987 | ||||||||
| Created: | March 3, 2009 | Updated: | April 7, 2009 | ||||||||
| Description: | From the Mandriva alert: Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current eog working directory. | ||||||||||
| Alerts: |
| ||||||||||
flash-plugin: multiple vulnerabilities
| Package(s): | flash-plugin | CVE #(s): | CVE-2009-0519 CVE-2009-0520 CVE-2009-0521 | ||||||||||||
| Created: | February 26, 2009 | Updated: | March 4, 2009 | ||||||||||||
| Description: | flash-plugin has multiple vulnerabilities. From the Red Hat alert:
Multiple input validation flaws were found in the way Flash Player displayed certain SWF (Shockwave Flash) content. An attacker could use these flaws to create a specially-crafted SWF file that could cause flash-plugin to crash, or, possibly, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2009-0520, CVE-2009-0519) It was discovered that Adobe Flash Player had an insecure RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user with write access to the directory pointed to by RPATH could use this flaw to execute arbitrary code with the privileges of the user running Adobe Flash Player. (CVE-2009-0521) | ||||||||||||||
| Alerts: |
| ||||||||||||||
kdepim: execution of arbitrary code
| Package(s): | kdepim kmail | CVE #(s): | |||||
| Created: | February 27, 2009 | Updated: | March 4, 2009 | ||||
| Description: | From the Ubuntu advisory: It was discovered that Kmail did not adequately prevent execution of arbitrary code when a user clicked on a URL to an executable within an HTML mail. If a user clicked on a malicious URL and chose to execute the file, a remote attacker could execute arbitrary code with user privileges. This update changes KMail's behavior to instead launch a helper program to view the file if the user chooses to execute such a link. | ||||||
| Alerts: |
| ||||||
kernel: signal handling vulnerability
| Package(s): | kernel | CVE #(s): | CVE-2009-0028 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2009 | Updated: | July 2, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the SUSE alert: A minor signal handling vulnerability was fixed, where a child could send his parent a arbitrary signal. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-0269 | ||||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2009 | Updated: | June 9, 2009 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the SUSE alert: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-0322 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2009 | Updated: | June 9, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the SUSE alert: drivers/firmware/dell_rbu.c in the Linux kernel allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mediawiki: cross-site scripting
| Package(s): | mediawiki | CVE #(s): | CVE-2009-0737 | ||||||||||||
| Created: | March 2, 2009 | Updated: | October 5, 2009 | ||||||||||||
| Description: | From the Red Hat bugzilla entry: Multiple cross-site scripting (XSS) vulnerabilities in the web-based installer (config/index.php) in MediaWiki 1.6 before 1.6.12, 1.12 before 1.12.4, and 1.13 before 1.13.4, when the installer is in active use, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mldonkey: information disclosure
| Package(s): | mldonkey | CVE #(s): | |||||||||
| Created: | March 4, 2009 | Updated: | March 4, 2009 | ||||||||
| Description: | MLDonkey up to version 2.9.7 contains a vulnerability which allows a remote attacker to access any file readable by the user. | ||||||||||
| Alerts: |
| ||||||||||
NetworkManager: information disclosure
| Package(s): | network-manager | CVE #(s): | CVE-2009-0365 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2009 | Updated: | December 16, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | NetworkManager does not enforce permissions when responding to DBus requests, allowing a local user to view network connection authentication information. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
network-manager-applet: privilege escalation
| Package(s): | network-manager-applet | CVE #(s): | CVE-2009-0578 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 4, 2009 | Updated: | April 21, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Network-manager-applet does not properly check permissions when responding to DBus "modify" and "delete" requests, allowing a local user to modify network connections belonging to other users. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
optipng: user-after-free
| Package(s): | optipng | CVE #(s): | CVE-2009-0749 | ||||||||||||||||||||
| Created: | March 4, 2009 | Updated: | July 3, 2009 | ||||||||||||||||||||
| Description: | OptiPNG 0.6.2 and earlier contains a user-after-free bug in the GIF file reader, allowing "context-dependent attackers" to crash the application. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
proftpd-dfsg: SQL injection vulnerability
| Package(s): | proftpd-dfsg | CVE #(s): | CVE-2009-0542 CVE-2009-0543 | ||||||||||||||||||||
| Created: | February 26, 2009 | Updated: | September 24, 2009 | ||||||||||||||||||||
| Description: | proftpd-dfsg has two SQL injection vulnerabilities.
From the Debian alert:
CVE-2009-0542 Shino discovered that proftpd is prone to an SQL injection vulnerability via the use of certain characters in the username. CVE-2009-0543 TJ Saunders discovered that proftpd is prone to an SQL injection vulnerability due to insufficient escaping mechanisms, when multybite character encodings are used. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
psi: denial of service
| Package(s): | psi | CVE #(s): | CVE-2008-6393 | ||||||||||||||||
| Created: | March 4, 2009 | Updated: | March 16, 2009 | ||||||||||||||||
| Description: | The psi instant messaging application suffers from a remotely exploitable integer overflow which can cause a crash, and, possibly, enable remote code execution. More information in this Red Hat bugzilla entry. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
rubygem-actionpack: HTTP response splitting
| Package(s): | rubygem-actionpack | CVE #(s): | CVE-2008-5189 | ||||||||||||||||
| Created: | March 2, 2009 | Updated: | December 10, 2009 | ||||||||||||||||
| Description: | From the Red Hat bugzilla entry: CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2009-0599 CVE-2009-0600 CVE-2009-0601 | ||||||||||||||||||||||||||||||||
| Created: | February 27, 2009 | Updated: | June 30, 2009 | ||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory:
Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed NetScreen snoop file. (CVE-2009-0599) Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted Tektronix K12 text capture file, as demonstrated by a file with exactly one frame. (CVE-2009-0600) Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. (CVE-2009-0601) Wireshark 1.0.6 is not vulnerable to these issues. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
xchat: arbitrary code execution
| Package(s): | xchat | CVE #(s): | CVE-2009-0315 | ||||||||
| Created: | March 2, 2009 | Updated: | December 9, 2009 | ||||||||
| Description: | From the Mandriva advisory: Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current X-Chat working directory (CVE-2009-0315). | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel is 2.6.29-rc7, released on March 3. It contains a long list of fixes, new drivers for Atheros L1C gigabit Ethernet adapters and FireDTV IEEE1394 adapters, and some out-of-space handling improvements for the btrfs filesystem. See the long-format changelog for the details.There have been no stable 2.6 updates released over the last week.
Kernel development news
Quotes of the week
Oh, did I just say that out loud?
+ /* + * The pifutex has an owner, make sure it's us, if not complain + * to userspace. + * FIXME_LATER: handle this gracefully + */ + pid = curval & FUTEX_TID_MASK; + if (pid && pid != task_pid_vnr(current)) + return -EMORON;
There's no easy fix for this - you need to be aware of what is right and what is wrong, but you cannot look at existing code to determine this.
Making NetworkManager work with suspend/resume
Anybody who travels with a suspended laptop has likely run into the irritating problem of NetworkManager trying to reconnect to the old network - the one which was left behind before getting onto the airplane. It seems that Dan Williams has figured out the problem and queued a set of patches to fix it. "See, drivers timestamp wifi networks they know about. That way you can figure out if the network was last seen a second ago, 7 seconds ago, or so long ago that its dead to me. But they all use an kernel counter called jiffies to do that. And jiffies doesnt increment across suspend/resume. See where Im going with this?" Your editor plans to buy Dan a beer at the next opportunity.
Interrupts, threads, and lockdep
Felipe Balbi recently posted a driver called twl4030-pwrbutton, which generates input events when somebody hits a power button connected through a twl4030 i2c controller. It is, in many ways, a standard driver; Felipe certainly did not expect to see a long and acrimonious discussion result from its posting. But that's what ensued. Over the course of this discussion, the participants were able to outline some problems with how interrupts are handled on Linux systems, along with a potential solution.Things started when Andrew Morton questioned the following bit of code, found in the driver's interrupt handler:
#ifdef CONFIG_LOCKDEP
/* WORKAROUND for lockdep forcing IRQF_DISABLED on us, which
* we don't want and can't tolerate. Although it might be
* friendlier not to borrow this thread context...
*/
local_irq_enable();
#endif
Workarounds of this variety do tend to catch the attention of diligent reviewers. Understanding this one requires just a bit of background.
Back in the Good Old Days, the Linux kernel had "fast" and "slow" interrupt handlers; the main difference between the two is that "fast" handlers ran with further interrupts disabled, while "slow" handlers were run with interrupts enabled. Over time, the distinction between the two types has faded; faster, smarter hardware and greater use of software interrupts and tasklets have made the execution time of most well-written interrupt handlers essentially irrelevant. So most driver authors do not even think much about whether they are writing a "fast" or a "slow" handler, even though the distinction still exists. Unless a driver passes the IRQF_DISABLED flag when requesting its interrupt line, its interrupt handler will be called with interrupts enabled.
"Lockdep" is the kernel lock validator, which, when enabled, creates a detailed model of how locks are used in the kernel. This model can be used to find potential deadlocks and other problems. According to Ingo Molnar, lockdep has been quite effective:
It turns out, though, that the lockdep developers made one significant, simplifying assumption: all interrupt handlers were to be invoked with interrupts disabled. When lockdep is enabled, in fact, the generic interrupt handling layer forces this condition, regardless of whether any specific handler was registered with the IRQF_DISABLED flag. Lockdep has worked this way for some time, and complaints have been scarce. But, as can be seen from the patch cited above, "scarce" is not the same as "nonexistent."
Drivers for i2c-connected devices operate under a number of interesting constraints, mostly forced by the fact that the i2c "bus" is, in reality, a slow, two-wire serial interface. So even "fast" operations like reading a device register are, in fact, slow on i2c devices; they are slow enough that the process involved should sleep while waiting for the result. That is a bit of a problem for i2c interrupt handlers, since they need to access device registers, but they cannot sleep.
The result is that a number of i2c drivers have implemented what is, in effect, a threaded interrupt handler mechanism. The "real" interrupt handler simply masks the interrupt and wakes up the thread, which then does the real work of talking to the device. In the case of the twl4030 driver, this threaded implementation has been done in a relatively formal manner in which the device interrupt handlers are invoked - from within a special-purpose kernel thread - by way of the generic IRQ layer itself. These threaded handlers do not expect to run with interrupts disabled - indeed, they cannot run that way - but the generic IRQ code will, when lockdep is enabled, turn off interrupts anyway. That is why this patch takes pains to turn them back on when lockdep is being used.
Peter Zijlstra's response to this discussion was to post a patch forcing IRQF_DISABLED for all drivers. His position is that no interrupt handlers should be run with interrupts enabled. Doing so invites kernel stack overruns if too many nested interrupts come in; it also, he says, encourages the notion that it's OK for interrupt handlers to be slow. Additionally, he says, drivers must already be able to run their handlers with interrupts disabled, since another driver may disable interrupts on a shared interrupt line. So, he says, it makes no sense to "fix" lockdep for handlers which want interrupts to be enabled; instead, the always-disabled assumption built into lockdep should be made part of the system as a whole.
The response to this patch was somewhat sympathetic, at least in a general sense. Making IRQF_DISABLED be the default situation makes sense for most devices. But there really are drivers which need their interrupt handlers to run with interrupts enabled; IDE drivers using programmed I/O are one example. If those interrupt handlers are given exclusive control over the system, other devices will see unacceptable latencies and start to fail operations or drop data. So any change of this nature must be done carefully, and it must remain possible to run some handlers with interrupts enabled.
And, of course, forcing IRQF_DISABLED does nothing to fix the twl4030 problem.
The real solution is to have general support for threaded interrupt handlers. The realtime preemption tree has supported threaded handlers for quite some time; more recently, a variant of the threaded handlers patch was posted for mainline consideration. There are a lot of advantages to threaded handlers beyond their applicability to the problems discussed here; threaded handlers can improve latencies, allow interrupt handlers to be prioritized, and, someday, perhaps allow the removal of software interrupts altogether. So it seems like there would be value in getting this code merged.
To that end, Thomas Gleixner has come back with a new version of the threaded handlers patch. The API looks much like it did in the previous posting, though it could change in response to some review comments made this time around. In essence, this infrastructure allows a driver to register a "quick handler" to acknowledge (and mask) an interrupt; there would also be a regular handler which could be called in either hard interrupt or process context, depending on the quick handler's return value. The API allows drivers to continue to work unmodified, or they can be converted over to threaded handlers.
David Brownell, the leading critic of lockdep's behavior and the idea of disabling interrupts for all handlers, seems to agree that the threaded interrupt handler infrastructure should be able to solve the i2c problem. All threaded handlers will, by necessity, run with interrupts enabled, so the primary difficulty goes away. David would like to see some changes made to better support the chaining of handlers that is typically needed in such situations, but it's not clear how many changes are really needed.
In summary, threaded interrupt handlers seem likely to be the next technology to be merged from the realtime preemption tree. Just when that might happen remains to be seen, though. The request for some API changes may well slow things down a bit; there were also requests for example implementations of threaded handlers with more types of drivers. Satisfying those requests quickly enough to allow the code to be reviewed before the 2.6.30 merge window opens could be a bit of a challenge. So this code might just have to wait for one more development cycle; it would be surprising if it were to take longer than that, though.
Xen: finishing the job
Once upon a time, Xen was the hot virtualization story. The Xen developers had a working solution for Linux - using free software - well ahead of anybody else, and Xen looked like the future of virtualization on Linux. Much venture capital chased after that story, and distributors raced to be the first to offer Xen-based virtualization. But, along the way, Xen seemed to get lost. The XenSource developers often showed little interest in getting their code into the mainline, and attempts by others to get that job done ran into no end of obstacles. So Xen stayed out of the mainline for years; the first public Xen release happened in 2003, but the core Xen code was only merged for 2.6.23 in October, 2007.In the mean time, KVM showed up and grabbed much of the attention. Its path into the mainline was almost blindingly fast, and many kernel developers were less than shy about expressing their preference for the KVM approach. More recently, Red Hat has made things more formal with its announcement of a "virtualization agenda" based on KVM. Meanwhile, lguest showed up as an easy introduction for those who want to play with virtualization code.
The Xen story is a classic example of the reasons behind the "upstream first" policy, which states that code should be merged into the mainline before being shipped to customers. Distributors rushed to ship Xen, then found themselves supporting out-of-tree code which, often, was not well supported by its creators. In particular, published releases of Xen often only supported relatively old kernels, creating lots of work for distributors wanting to ship something more current. Now at least some of those distributors are moving on to other solutions, and high-level kernel developers are questioning whether, at this point, it's worth merging the remaining Xen code at all.
All told, Xen looks to be on its last legs. Or, perhaps, the rumors of Xen's demise have been slightly exaggerated.
The code in the mainline implements the Xen "DomU" concept - an unprivileged domain with no access to the hardware. A full Xen implementation requires more than that, though; there is the user-space hypervisor (which is GPL-licensed) and the kernel-based "Dom0" code. Dom0 is the first domain started by the hypervisor; it is typically run with more privileges than any other Xen guest. The purpose of Dom0 is to carefully hand out privileges to other Xen domains, providing access to hardware, network interfaces, etc. as set by administrative policy. Actual implementations of Xen must include the Dom0 code - currently a large body of out-of-tree kernel code.
Jeremy Fitzhardinge would like to change that situation. So he has posted a core Xen Dom0 patch set with the goal of getting it merged into the 2.6.30 release. Among the review comments was this question from Andrew Morton:
In three years time, will we regret having merged this?
The questions asked by Andrew were, essentially, (1) what code (beyond
the current posting) is required to finish the job, and (2) is there
really any reason to do that? The answer
to the first question was "another 2-3 similarly sized series to get
everything so that you can boot dom0 out of the box
". Then there are
various other bits which may not ever make it into the mainline. But, says
Jeremy, getting the core into the mainline would shrink the out-of-tree
patches carried by distributors and generally make life easier for
everybody. For the second question, Jeremy responds:
Beyond that, Jeremy is arguing that Xen still has a reason to exist. Its design differs significantly from that of KVM in a number of ways; see this message for an excellent description of those differences. As a result, Xen is useful in different situations.
Some of the advantages claimed by Jeremy include:
- Xen's approach to page tables eliminates the need for shadow page
tables or page table nesting in the guests; that, in turn, allows for
significantly better performance for many workloads.
- The Xen hypervisor is lightweight, and can be run standalone; the KVM
hypervisor is, instead, the Linux kernel. It seems that some vendors
(HP and Dell are named) are shipping a Xen hypervisor in the firmware
of many of their systems; that's the code behind the "instant on"
feature, among other things.
- Xen's paravirtualization support allows it to work with hardware which
does not support full virtualization. KVM, instead, needs hardware
support.
- The separation between the hypervisor, Dom0, and DomU makes security validation easier. The separation between domains also allows for wild configurations with each device being driven by a separate domain; one might think of this kind of thing as a sort of heavyweight microkernel architecture.
KVM's advantages, instead, take the form of relative simplicity, ease of use, full access to contemporary kernel features, etc. By Jeremy's reasoning, there is a place for both systems in Linux.
The relative silence at the end of the discussion suggests that Jeremy has made his case fairly well. Mistakes may have been made in Xen's history, but it is a project which remains alive, and which has clear reasons to exist. Your editor predicts that the Dom0 code will find little opposition at the opening of the 2.6.30 merge window.
Speeding up ftrace printing
A kernel patch that reduces memory, while providing a performance increase of roughly a factor of three, is generally seen as a good thing. But, when there is another, more-or-less equivalent—but much faster—way to perform that action, it may appear to be an unnecessary optimization. A recent patch to the ftrace_printk() function has those characteristics, but the ability to get such a speed increase, even in something that is just convenient—rather than required—may well trump the concerns about the necessity.
Lai Jiangshan proposed adding a binary version of ftrace_printk() last December; Frederic Weisbecker has picked up the patches and submitted them for inclusion into ftrace. The basic idea is that rather than converting the arguments to strings—as specified in a printk()-style format string—ftrace_bprintk() would defer the actual conversion until the trace output is read by user space. Instead it would put the binary values into the ring buffer, along with a pointer to the format string. When the trace data is read from debugfs, the format string and binary data are used to construct the output.
Ingo Molnar liked the idea, but was unhappy
with the implementation that duplicated much of the code in
vsnprintf() into two new functions. He suggested that it should
be possible to pull out the common code: "We should try _much_ harder
at unifying these functions before
giving up and duplicating them.
" Weisbecker agreed, which
eventually resulted in a patch that breaks
out the format string decoding as a separate function.
Molnar also asked for some performance numbers, which Weisbecker provided as part of his patch. He reported the memory and time difference when adding:
ftrace_printk("This is the timer interrupt: %llu", jiffies_64);
to the timer interrupt. The memory used was less than half (16 versus 39
bytes per entry), and the time savings was also significant:
After some time running on low load (no X, no really active processes):
ftrace_printk: duration average: 2044 ns, avg of bytes stored per entry: 39
ftrace_bprintk: duration average: 1426 ns, avg of bytes stored per entry: 16
Higher load (started X and launched a cat running on an X console looping on traces printing):
ftrace_printk: duration average: 8812 ns
ftrace_bprintk: duration average: 2611 ns
Andrew Morton was a bit puzzled by the
intent of the patch: "Trying to make something which is inherently
slow run slightly faster seems...odd.
" But Molnar explained why it makes sense:
That does not remove the ease of use of ad-hoc printk-alike tracepoints though, and speeding them up 3-fold is a [worthwhile] goal.
Breaking out the format string handling into its own format_decode() function was mostly met with approval, except that the argument list is rather ugly:
int format_decode(const char *fmt, enum format_type *type,
int *flags, int *field_width, int *base,
int *precision, int *qualifier)
Linus Torvalds suggested using a struct
printf_spec
to contain the various values decoded from the format specifier, passing
a pointer to that into the function.
Weisbecker agreed, and added that into his patches, but he didn't quite go
far enough.
Torvalds also thought that the various helper functions to handle specific
formats
(i.e. number(), pointer(), string(), etc.)
should get passed a struct printf_spec pointer as well. As
he points out: "When
cleaning up, let's just do it properly.
" Once again, Weisbecker was
quick to agree; he plans to respin the patches addressing these and other
comments in the near future.
In addition, because ftrace_bprintk() is a drop-in replacement for ftrace_printk(), Weisbecker proposes eliminating the current code in favor of the faster version. Molnar, at least, advocates that outcome:
While it is a minor upgrade to a relatively minor kernel subsystem, it does provide some impressive performance gains. As a bonus, the review process has resulted in some clean-up that was probably overdue. While there is validity to the argument that it is not really required, it is not very intrusive, nor very large. In the end, that is likely to be enough to see it eventually end up in the mainline.
A summary of 2.6.29 internal API changes
As the 2.6.29 kernel development cycle draws toward its eventual close, it is appropriate to look back at the internal API changes which have been made. The following list cannot possibly be exhaustive, but, hopefully, it captures the major points.
- The massive task credentials
patch set has been merged. This code reorganizes the handling of
process credentials (user ID, capabilities, etc.). One of the
immediate implications of this change is direct references to
credential-oriented fields in the task structure need to be changed;
for example, current->user->uid becomes
current_uid(). See Documentation/credentials.txt for a
description of the new API.
- The ftrace code has seen a lot of internal changes. The function
tracing feature has seen a number of improvements, and the developers
have added
mechanisms to profile the behavior of if statements,
provide function call graphs,
obtain user-space stack traces, and
follow CPU power-state transitions.
- Most of the callback functions/methods associated with the
net_device structure have been moved out of that structure
and into the new struct net_device_ops. In-tree drivers
have been converted to the new API.
- The priv field has been removed from struct
net_device; drivers should use netdev_priv() instead.
- The generic PHY layer now has power management support. To that end,
two new methods - suspend() and resume() - have been
added to struct phy_driver.
- The networking layer now supports large receive offload (or
"generic receive offload") operation.
- The NAPI API has been cleaned up somewhat; in particular, functions
like netif_rx_schedule(), netif_rx_schedule_prep(),
and netif_rx_complete() have lost the unneeded struct
net_device parameter.
- The poll() file operation is now allowed to sleep; see this article for more
information on this change.
- The CPU mask mechanism, used to represent sets of processors in the
system, is in the middle of being massively reworked. The problem is
that CPU masks were often put on the stack, but, as the number of
processors grows, the stack lacks room for the mask. The new API is designed to
get these masks off the stack, and to guard against anybody ever
trying to put one back. See this
posting by Rusty Russell for details on this work.
- An infrastructure for
asynchronous function calls has been merged. This code is still a
work in progress, though, and, for 2.6.29, it will not be activated in
the absence of the fastboot command-line parameter.
- The exclusive I/O memory
allocation functions have been merged.
- There is a new synchronous hash interface called "shash." It
simplifies the use of synchronous hash operations while allowing the
same tfm to be used simultaneously in different threads. All in-tree
users have been switched to the new API.
- The hrtimer code has been simplified with the removal of variable
modes for callback functions. All processing is now done in hardirq
context.
- A new set of LSM hooks has been added; these support pathname-based
security operations. With the merging of these hooks, one major
obstacle to the inclusion of security modules like AppArmor and TOMOYO
has been removed.
- The kernel will now refuse to build with GCC 4.1.0 or 4.1.1; those
versions have unfortunate bugs which prevent the building of a working
kernel. Versions 3.0 and 3.1 have also been deemed to be too old and
will not be supported in 2.6.29.
- Video4Linux drivers now use a separate v4l2_file_operations
structure to hold their VFS-like callbacks. The prototypes of a
number of these functions have been changed to remove the
inode argument.
- Video4Linux2 has also acquired a new "subdevice" concept, meant to
reflect the fact that video "devices" tend to be, in reality, a set of
cooperating devices. See the new
document for a description of how this mechanism works.
- Two new functions - stop_machine_create() and
stop_machine_destroy() - allow the independent creation of
the threads used by stop_machine(). That, in turn, lets
those threads be created before trying to actually stop the machine,
making that operation more resistant to failure.
- The exports for a number of SUNRPC functions have been changed to
GPL-only.
- The internal MTD (memory technology device) API has seen significant changes aimed at supporting larger devices (those requiring 64-bit sizes).
Developers interested in the history of kernel API changes can look at the LWN 2.6 API changes page. After a period of unfortunate neglect, this page has been made current once again; your editor promises to be a bit more diligent about maintaining this page in the future.
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Janitorial
Memory management
Networking
Security-related
Virtualization and containers
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
CrunchBang Linux 8.10
CrunchBang Linux (#!) is a lightweight Ubuntu-based distribution featuring the OpenBox window manager and Conky system monitor. The distribution is essentially a minimal Ubuntu install with a custom set of installed packages, and it has been designed to offer a balance between speed and functionality. The light system requirements suggest that CrunchBang Linux is a perfect match for an outdated computer or a netbook. With this in mind, your author tested CrunchBang Linux 8.10.02 on an Acer Aspire One with a 8 GB SSD and 512 MB RAM. Since the RAM is on the low end, this puts to the test how lightweight CrunchBang Linux really is.
Installing CrunchBang Linux
CrunchBang Linux comes in three editions: Standard Desktop Edition, Lite Edition, and CrunchEee Eee PC Edition. Your author opted for the Standard Desktop Edition. CrunchBang Linux, like its parent distribution, is available as a live cd image. Of course, the best performance is achieved when installing the distribution on the SSD or hard disk. Your author used Unetbootin to write the iso image to a USB pen drive and booted the live distribution. The installer (started by right-clicking on the desktop and choosing "Install") looks familiar: it is the well-known seven-step installer of Ubuntu's live cd.
After the installation, the light system requirements immediately shine. CrunchBang Linux boots significantly faster than Ubuntu Intrepid on the Acer Aspire One and it feels much more responsive. The memory requirements are significantly less: while Ubuntu is eating almost all the available RAM right after booting, CrunchBang Linux needs only around 150 MB. Even after opening Firefox and some other applications, the memory usage of 250 MB is rather modest.
Minimalistic desktop
![[CrunchBang Screenshot]](https://static.lwn.net/images/crunchbang_sm.png)
The first thing that one sees is the minimalistic interface. Instead of Ubuntu's brownish colors, CrunchBang Linux presents a stylish black background without icons, and showing some system information like CPU, RAM and disk usage. This is done by the Conky system monitor, which also shows some shortcut keys for opening a web browser, terminal, editor, etc. This is helpful for the novice user not yet acquainted with the shortcut keys. Conky is completely customizable: for example, it is possible to show weather reports on your desktop, email notifications, battery life, and more. The CrunchBang Linux forum hosts plenty of examples of the conkyrc configuration file.
The OpenBox window manager is a program in the same minimalistic style. It has no menu bar, but right-clicking on a random position on the desktop presents a menu with applications, preferences and system settings. One caveat: when your author installed an application, it was not automatically added to the applications menu: he had to edit the OpenBox menu file manually. The bottom panel shows the virtual desktop pager, a window list, system tray, digital clock, wireless network, battery status and clipboard manager. Additional plugins are available if you need more information on your panel.
Member of the Ubuntu family
Although CrunchBang Linux is an unofficial branch of Ubuntu, it stays close to the upstream distribution: it uses the official Ubuntu repositories and the same update manager and package management tools. It even uses the stock Ubuntu kernel. Hence, when you are facing problems, most of the information in Ubuntu wikis and forums still applies. CrunchBang Linux has also its own places for help (a wiki, forum, blog and planet aggregator) and an active and helpful IRC channel (#crunchbang on freenode).
The standard set of installed applications differs a bit from Ubuntu's set. For example, CrunchBang Linux doesn't install OpenOffice.org, but the much lighter Abiword and Gnumeric. CrunchBang Linux is also a good fit for web-centric users: Firefox 3 is installed with out-of-the-box Flash support. Other installed internet applications are Skype and Gwibber (for Twitter users). CrunchBang Linux also has MP3 support and encrypted DVD playback out-of-the-box. If you use the Lite Edition, the difference mainly lies in the number of installed applications: the Lite Edition is even more minimal.
The support for the Acer Aspire One is good: Your author successfully applied all the suggestions and tips from the Ubuntu community documentation for the machine right away in CrunchBang Linux. Using wired internet, he installed the linux-backports-modules-intrepid package for the ath5k wireless driver, and after a reboot wireless networking was fully functional. The tweaks for better SSD performance in the Ubuntu community documentation also work in CrunchBang Linux.
Conclusion
If you are looking for an easy-to-use and lightweight Linux distribution, CrunchBang Linux should definitely be considered. The combination of the OpenBox window manager and Conky system monitor with an Ubuntu base and a carefully chosen set of lightweight applications makes it unique. With CrunchBang Linux, you can revive an updated computer or let your netbook shine. Moreover, the huge set of available Ubuntu documentation also applies for this distribution. This makes it easy for Ubuntu users to migrate to CrunchBang Linux, while still having the advantages of the huge Ubuntu community.
New Releases
Ubuntu Jaunty Alpha 5 released
Ubuntu's Jaunty Jackalope Alpha 5 has been released for testing. CD images are available for Ubuntu, Ubuntu Education Edition, Kubuntu, Xubuntu, UbuntuStudio, Mythbuntu, Ubuntu Netbook Remix, Ubuntu MID and Ubuntu ARM.
Distribution News
Debian GNU/Linux
Debian Project Leader Elections 2009: Call for nominations
A call for nominations for the next Debian project leader has been announced. The new DPL will start their term on April 17, 2009, so nominations are due by March 7, with the vote taking place from March 29 through April 11. Campaigning amongst the nominees will be happening after the nominations and before the election. Click below for the full announcement with more information about the election process.Google Summer of Code 2009 at Debian needs you
The Debian Project is seeking proposals for the 2009 Summer of Code. "The important part of the 2009 edition of the Google Summer of Code is going to start next week with the Organizations application period (March 9th). By that time, we should have listed a reasonable number of ideas on the dedicated wiki page."
Fedora
Fedora 10 Stats + FUDCon Berlin
The Fedora Community will host the Fedora Users and Developers Conference in Berlin this summer, June 26 - 28, 2009. "FUDCon Berlin is being organized in conjunction with LinuxTag, where Fedora has had a strong presence for several years. The FUDCon event will leverage the large audience at LinuxTag to ensure that Fedora can reach both users and developers equally well. The conference will run from Friday through Sunday, and will include speeches in English and German that are both user and developer focused, as well as a self-organizing BarCamp and multiple hackfests. Discussion topics include Fedora 11, open source education, packaging RPMs, and open source infrastructure tools for provisioning and managing systems."
Fedora Board Meeting Recap 2009-03-03
This recap of the Fedora Advisory Board meeting covers fedoraforever Trademark Approval, Creative Commons Repo, ph.fedoracommunity.org Trademark Approval, and some questions & answers.Unofficial Fedora FAQ Update
The Unofficial Fedora FAQ has been updated. The latest round, completed February 24, 2009, adds information, fixes typos and minor issues. Click below for more information.
Gentoo Linux
Gentoo Council Meeting summary for 26 February 2009
This meeting of the Gentoo Council covers an open Council spot, technical issues, and more.
SUSE Linux and openSUSE
openSUSE Trademark Guidelines Released
The openSUSE Project has announced the release of the openSUSE Trademark Guidelines (PDF). These guidelines should clarify the use of openSUSE marks and make it easier to redistribute openSUSE-based projects.Addressing the layoffs
Joe "Zonker" Brockmeier talks about the recent layoffs at Novell. "Novell has recently laid off less than 100 employees. Some of the reports have greatly exaggerated the numbers, but again — the number of people laid off is less than 100. So, how does this impact the openSUSE Project? Obviously, there will be an impact, but Novell remains committed to openSUSE. We will work on opening the project further and improving the infrastructure to allow all contributors to participate as fully as possible in openSUSE."
OpenSUSE RT Kernel
Real Time Kernels are available for OpenSUSE 11.1 and Factory. Click below to see the versions and how to get ahold of one.
Ubuntu family
Ubuntu now offering mainline kernel builds
The Ubuntu kernel team is making packages of mainline kernels available to facilitate testing. The kernel source for each stable release (and -stable updates) as well as Linus's releases (including each -rc) will be built into .deb packages for easy installation. "This will allow users to run the unmodified upstream vanilla kernel. This can be useful for verifying fixes upstream, testing for regressions introduced by Ubuntu specific changes, or confirming bugs exist upstream and subsequently help to report bugs upstream." Click below for the full announcement.
Karmic Release Schedule
The release schedule for the Karmic Koala is now available. The first Karmic milestone is in mid-May and the Karmic Ubuntu Developer Summit will be happening May 25 - 29, 2009.
New Distributions
Qimo 4 Kids
Qimo is a desktop operating system designed for kids. Based on the Ubuntu Linux desktop, Qimo comes pre-installed with educational games for children aged 3 and up. Qimo's interface has been designed to be intuitive and easy to use, providing large icons for all installed games, so that even the youngest users have no trouble selecting the activity they want.
Distribution Newsletters
Miscellaneous Debian developer news (#14)
This issue of developer news looks at debhelper third-party command option parsing transition, initramfs-tools new Lenny features, bts-link supporting more bugtrackers, Debian Data Export, and a list of bugs blocking transitions.DistroWatch Weekly, Issue 292
The DistroWatch Weekly for March 2, 2009 is out. "Last week saw the release of SimplyMEPIS 8.0, a Debian-based desktop Linux distribution designed for both personal and business purposes. We take the live CD for a spin to see what it has to offer. In the news this past week, openSUSE develops Debian-like distribution upgrade functionality to their package manager, Red Hat looks set for a comeback to the desktop arena as it announces virtualisation plans that will centre around KVM technology, and Novell signs a virtualisation agreement with VMware over support for their products. Also in the news, the Linux Starter Kit from Linux Format magazine has been released for free and we link to interviews with lead developers of Linux Mint and Kongoni. Finally, we are pleased to announce that the DistroWatch.com February 2009 donation goes to Wolvix GNU/Linux, a Slackware-based desktop distribution and live CD. Happy reading!"
Fedora Weekly News #165
The Fedora Weekly News for March 1, 2009 is out. "In this week's issue, in announcements we're reminded about this month's Fedora Board meeting and updates on the Fedora 11 feature freeze and updates on upcoming Fedora events. News from the Fedora Planet includes summer internship opportunities at Red Hat, an interview with Matt Domsch in Red Hat Magazine, and reports from Fedora events in Egypt and India. In Ambassador news, many reports from the recent Southern California Linux Expo (SCaLE) meeting, and another update from a Fedora install fest in Texas. In the QA beat, updates from Fedora 11 testing and weekly planning, as well as helping new contributors with the BugZapper team. Art work brings more updates on the Echo icon theme and Fedora 11." And several other topics.
Fedora's Echo Monthly News Issue 6
The Echo team presents the Echo Monthly News. In this issue: new icons for the Echo theme in Fedora.The Mint Newsletter - issue 77
The Mint Newsletter for March 4 covers the release of Mint 6 Community Editons Fluxbox RC1 and KDE RC1, an interview with Mint founder Clem and other minty fresh news.openSUSE Weekly News
This issue of the openSUSE Weekly News covers Joe Brockmeier: Addressing the layoffs, Andrew Wafaa: Open Support, Masim Sugianto: Apache Web Server & Virtual Host on openSUSE : Part 1, pablo2525: opensuse 11.1 - kupdateapplet, {lizards,news,zonker}.opensuse.org updated to Wordpress 2.7.1 and more.Ubuntu Weekly Newsletter #131
The Ubuntu Weekly Newsletter for February 28, 2009 is out. "In this issue we cover: Jaunty Alpha 5 Released, Needed: Countdown to Jaunty Banners, Ubuntu Global Bug Jam Success, Voting for New MOTU Council seats, Ubuntu Server: Call for testing, Next Ubuntu Hug Day, Developer News: Issue #2, LoCo Team Meeting, Philadelphia Bug Jam, Chicago Bug Jam, Arizona team has new website, Launchpad Performance Week Roundup, Launchpad 2.2.2 released, Meet the Devs, Ubuntu podcast #20, Full Circle Magazine #22, UK government backs open source, Random Ubuntu Sightings, February Team Meeting Summaries, Team of the Week(Ubuntu New Mexico), and much much more!"
Distribution reviews
Debian 5.0 Continues Strong Linux Tradition (eWeek)
eWeek has a review of Debian 5.0 (Lenny). "Unlike the Debian 4 release that I last reviewed, which impressed me with its disk encryption leadership among rival Linux distributions, Lenny doesn't significantly advance the state of Debian or of Linux in general. Beyond its slate of software package refreshes, the best reason for existing Debian users to upgrade to the new version is that, as per the project's security policy, version 4 will fall out of security fix coverage one year after Lenny's Valentine's Day release date."
Page editor: Rebecca Sobol
Development
Using Parasite to delve into GTK+ applications
Trying to debug your own GUI applications can be a pain if you are not extremely familiar with the toolkit used to make the user interface. When the code you are working on is also unfamiliar, the whole experience quickly becomes less than desirable. The GTK+ Parasite tool helps you to work out the structure of the widgets that comprise a GUI, inspect and change properties of those widgets, and perform more in-depth analysis using an embedded Python shell.
The GTK+ toolkit provides an object-oriented framework for making user interfaces in C. GTK+ gives you facilities to inspect and change the properties of objects and supports introspection so you don't need to know about classes at compile time in order to make use of them at runtime. The GTK+ Parasite attaches itself to a GTK+ application and takes advantage of these dynamic features to let you inspect and change the interface of an application as it runs.
GTK+ Parasite doesn't have any official releases yet, but the source
can easily be pulled from its Git repository, compiled and installed
using the standard ./autogen.sh && make autotools
dance. You'll want
to make sure that you have the development packages for PyGtk
installed first in order to get the embedded Python shell
functionality.
To use GTK+ Parasite, add its name to the GTK_MODULES environment variable and run your GTK+ application as you normally would. For example:
GTK_MODULES=gtkparasite gedit
Along with your application, you should see and additional Parasite window with a Widget Tree and Action List tab and a small area in the lower part of the window with a Python prompt.
![[GTK+ Parasite screenshot]](https://static.lwn.net/images/ns/gtk-parasite-sm.png)
To find out the hierarchy of widgets in your GTK+ application, click
on the Inspect button in the Parasite window and then any part of the
GUI of your GTK+ application. Along with each widget in a tree view
you should see if that widget is realized, mapped and visible, along
with the address of both the X Window of the widget and the GTK+
widget itself. The latter address is very handy because you can right
click on it and "Send Widget to Shell" to obtain a reference to the
widget from the embedded Python interpreter.
The list in the far right of the Widget Tree tab in the Parasite window lists the properties and their value for the current widget. Holding the left button down over a property pops up a list of possible values for you to change it too. On the other hand, if the range of values for a property is too large, like for an integer property, no menu is presented and you can enter the value directly.
The Action List tab in Parasite shows you all the GTKAction objects in the application. For those unfamiliar with the GTK+ toolkit, a GtkAction object represents a piece of functionality that can be connected to a menu or toolbar, for example, opening a Save as dialog or starting a search within the current document. As an example, running Parasite on the text editor gedit, finding the FileOpen action in the list and selecting "Send Object to Shell" from the menu, you can perform the GtkAction by calling the activate method on the object. You should see the file dialog appear. The embedded Python shell command should look something like:
>>> parasite.gobj(0xa78980).activate()
where everything up to the .activate() was added automatically by Parasite when I told it to send the object to the shell.
If you are writing a custom GTK widget, the "Show Graphic Updates" button causes any redraws that the application performs to briefly flash red first. This makes it fairly simple to see if you are drawing more than you think in order for your widget to update itself. For example, in gedit, only a rectangle covering the current line is updated when you type text into the active document, but when you hit return the current line and everything below it flashes red.
There are a few rough edges to the GUI of GTK+ Parasite, which is to be expected from such a young application. For example, in the "Action List" tab, one might expect to be able to simply double-click on an action to execute it. In addition, left-clicking on a property lets you either edit the value directly inline in the cell or if there is a limited number of acceptable values a popup menu appears allowing you to select a value. While this provides a consistent user interface for editing though left clicking, it does mean that you have to click on a property row before editing its value. One might at first expect a context menu to be available offering such editing functionality, with the added bonus that you could directly right click on a property to edit it rather than having to select it with a left click first.
For such a young application GTK+ Parasite is already very useful and a great tool for ironing out the kinks in an application's GTK+ interface. If you are a Python fan, the embedded Python interpreter lets you tinker with the GTK+ interface even if the program itself is written in C.
Parasite is developed by Christian Hammond and David Trowbridge. Activity on the mailing list is currently on the slow side, but it should pick up as developers discover this tool.
System Applications
Database Software
buzhug 1.5 released
Version 1.5 of buzhug has been announced. "buzhug is the fastest pure-Python database engine, with a clear and intuitive syntax (no SQL) The new release 1.5 brings the following improvements : - introduce a thread-safe version - introduce a new syntax for record selection : record = db(key1=value2[,key2=value2...]) - allow an iterable of records for update db.update(list_of_records,key1=value1...)"
Golconde 0.4 released
Version 0.4 of Golconde has been announced. "I am pleased to announce the first beta release of Golconde, 0.4. Golconde is a queue based replication solution for PostgreSQL written in Python 2.6. It is designed to be loosely coupled and rely upon existing enterprise messaging systems that have STOMP protocol support. Designed to scale easily and with multi-data center implementations in mind, the application and message queues for distribution live outside of the database."
pgpool-II 2.2 and pgpoolAdmin 2.2 are released
Version 2.2 of pgpool-II and pgpoolAdmin have been announced. "pgpool-II is a synchronous replication middle ware for PostgreSQL 7.3 or later. Also pgpoolAdmin 2.2, a GUI tool for pgpool-II 2.2 is available now."
phpMyAdmin: 3.1.3 is released (SourceForge)
Version 3.1.3 of phpMyAdmin has been announced. "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields. Welcome to phpMyAdmin 3.1.3, a bugfix-only release with updates to 5 languages."
PostgreSQL Weekly News
The March 1, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.pysqlite 2.5.2 is out
Version 2.5.2 of pysqlite has been announced. "Release focus: minor bugfixes, minor new features. pysqlite is a DB-API 2.0-compliant database interface for SQLite. SQLite is a in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine."
Device Drivers
Tour the Linux generic SCSI driver (IBM devloperWorks)
IBM developerWorks has an introduction to the Linux generic SCSI driver. "Linux provides a generic driver for SCSI devices and an application programming interface so users can build applications to send SCSI commands directly to SCSI devices. In this article, the author introduces some of the SCSI commands and methods of executing SCSI commands when using SCSI API in Linux. He also provides background on the SCSI client/server model and the storage SCSI command."
Networking Tools
Zenoss: 2.3.3 is now available (SourceForge)
Version 2.3.3 of Zenoss Core has been announced. "Zenoss Core is an enterprise network and systems management application written in Python/Zope. Zenoss provides an integrated product for monitoring availability, performance, events and configuration across layers and across platforms. We are proud to announce the Zenoss 2.3.3 maintenance release which fixes over 80 defects."
Security
announcing ClamAV 0.95rc1
Version 0.95rc1 of ClamAV, a virus scanner, has been announced. "ClamAV 0.95rc1 introduces many bugfixes, improvements and additions."
Virtualization Software
Open Letter: Leaving TightVNC, Founding TigerVNC
Peter Åstrand has announced the launch of the TigerVNC project. "For the last six years, I have worked with the VNC community in general and the TightVNC project in particular, encouraging cooperation and unity. We have made great progress. When the TurboVNC developer and Fedora VNC maintainer joined forces almost a year ago, we believed we could take this technology to another level of success, and accelerate development. Recently, however, it has became clear that the TightVNC project cannot support this development. This is why we are now announcing the TigerVNC project."
Web Site Development
spawn-fcgi 1.6.0 released
Version 1.6.0 of spawn-fcgi has been announced on the lighttpd web site. "As mentioned before, we planned to extract spawn-fcgi into its own project and remove it from lighttpd. Now the first standalone release has been published, starting at version 1.6.0."
Miscellaneous
DeviceKit 003 released
Version 003 of DeviceKit has been announced. "DeviceKit is an abstraction for enumerating devices and listening to device events. Any application on the system can access the org.freedesktop.DeviceKit service via the system message bus. On GNU/Linux, DeviceKit can be considered a simple D-Bus frontend to udev." This is supposed to be the final release of the project: "
The functionality of DeviceKit is going to be merged into the udev-extras with the only changes being the D-Bus name as well as the prefix for the GObject library and the command line tool."
Microlog: V1.1.0 released (SourceForge)
Version 1.1.0 of Microlog has been announced. "Microlog is a small logging library for Java ME (J2ME) like Log4j. It has support for logging to console, file, RecordStore, Canvas, Form, Bluetooth, a serial port (Bluetooth, IR, USB), Socket(incl SSL), UDP, Syslog, MMS, SMS, e-mail or to Amazon S3. The long awaited Microlog V1.1.0 release is here. Please download and try it out."
Desktop Applications
Audio Applications
Invada Studio Plugins 0.3.0 announced
Version 0.3.0 of Invada Studio Plugins has been announced. "I've released a new version of the Invada Studio plugins which are a bit cleaner and fix an issue with gains at maximum not working as expected. The source now includes the necessary files to allow for deb packages to be built."
Business Applications
Gnumeric 1.9.4 announced
Version 1.9.4 of the Gnumeric spreadsheet has been announced. "This release is a development release with lots and lots of bug fixes. Also, this version is considerably faster than previous versions in three ways: (1) when dealing with spreadsheets containing large farms of VLOOKUP, HLOOKUP, or MATCH calls over the same database, we now pre-process the database range once and the actual lookups are very fast; (2) we now only calculate the relevant branch of IF calls, unless implicit iteration is in effect; (3) large spreadsheets containing many similar ranges like, for example, A$10:A10, A$10:A11, ..., A$10:A9999 used to hit a degenerate case in our dependency tracking."
Collaboration Software
Agilefant: 1.5.4 released (SourceForge)
Version 1.4 of Agilefant has been announced. "Agilefant is a tool for managing agile software development activities, such as: projects, products, releases, iterations and backlogs. It brings together the perspectives of long-term product and release planning and project portfolio management. Usability and user interface improvements were done to this release. Agilefant's performance is also greatly improved! Also a handful of minor improvements and bug fixes are included."
gumnut: 0.2.7 released (SourceForge)
Version 0.2.7 of gumnut has been announced. "Gumnut is a moderated, distributed, discussion forum that may be used by groups of people to find an agreed positive direction for any decisions that affect that group. Each group may be of any size and associated by geography, common interest, or both."
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:- Anjuta 2.25.903.0 (bug fixes and documentation work)
- at-spi 1.25.92 (bug fixes and translation work)
- Brasero 2.25.92 (code cleanup, bug fixes and translation work)
- Cheese 2.25.92 (bug fixes and translation work)
- Deskbar-Applet 2.25.92 (bug fixes and translation work)
- Ekiga 3.1.2 (new features, bug fixes and translation work)
- Empathy 2.25.92 (new features, bug fixes and translation work)
- Evince 2.25.92 (bug fixes and translation work)
- Eye of GNOME 2.25.92 (bug fixes, code cleanup and translation work)
- GCalctool 5.25.92 (bug fixes, documentation and translation work)
- Gdl 2.25.92 (bug fixes)
- GLib 2.19.10 (new features, bug fixes and translation work)
- gnome-applets 2.25.92 (bug fixes and translation work)
- GNOME DVB Daemon 0.1.5 (new features and bug fixes)
- gnome-games 2.25.92 (new features, bug fixes and translation work)
- gnome-keyring 2.25.92 (new features, bug fixes and translation work)
- gnome-mud 0.11.2 (bug fixes and translation work)
- GNOME Scan 0.6.2 (new features and bug fixes)
- gnome-settings-daemon 2.25.92 (bug fixes and translation work)
- GTK+ 2.15.5 (new features, bug fixes and translation work)
- gtk-engines 2.17.4 (new features and translation work)
- Libgda 3.99.12 (new features, bug fixes and translation work)
- mousetweaks 2.25.92 (bug fix and translation work)
- Nemiver 0.6.5 (new features, bug fixes and translation work)
- Orca 2.25.92 (bug fixes and translation work)
- seahorse 2.25.92 (new features, bug fixes and translation work)
- seahorse-plugins 2.25.92 (bug fixes, code cleanup and translation work)
KDE Software Announcements
The following new KDE software has been announced this week:- 2ManDVD 0.5.1 (new features, bug fixes and translation work)
- blackscreen 0.0.1 (initial release)
- blackscreen 0.0.2 (new feature)
- cb2Bib 1.2.0 (new features)
- first4 1.4.0 (bug fixes and translation work)
- Frescobaldi 0.7.7 (new features, bug fixes and translation work)
- fsrunner for KRunner 0.1 (initial release)
- KAlarm 2.1.5 (new features and bug fixes)
- KBlogger 1.0-alpha3 (new features and bug fixes)
- KdeSudo 3.3.2/2.6 (bug fixes and translation work)
- kgbmencoder 0.1.1 (new feature and bug fix)
- K Menu Gnome 0.9.1 (new features and code cleanup)
- KRadio4 for KDE4.x snapshot-r694 (new features, bug fixes and KDE4 support)
- K-Yamo v0.40a4-2 (new features and bug fixes)
- PeaZip 2.5.1 (new features and translation work)
- QNapi 0.1.6-rc2 (unspecified)
- QTrans 0.2.1.5 (new feature)
- Qwit 0.8 (new features and bug fixes)
- Radio Italiane 0.2 (new stations)
- Veusz 1.3 (new features and bug fixes)
- Wally 2.0.1 (bug fixes)
- yape 2.0 (new features)
Xfce 4.6 released
The announcement has gone out for the Xfce 4.6 release. "Xfce 4.6 features a new configuration backend, a new settings manager, a brand new session manager and sound mixer as well as several huge improvements of its core components." An extensive list of changes can be found in the changelog.
Xorg Software Announcements
The following new Xorg software has been announced this week:- libXi 1.2.1 (new features and bug fixes)
- xf86-input-evdev 2.1.99.1 (new features, bug fixes and code cleanup)
- xf86-input-hyperpen 1.3.0 (build fixes and code cleanup)
- xf86-input-synaptics 1.0.99.1 (new features and code cleanup)
- xf86-input-synaptics 1.0.99.2 (build fixes)
- xf86-input-synaptics 1.0.99.3 (bug fixes and code cleanup)
- xf86-video-intel 2.6.3 (bug fixes)
- xorg-server 1.6.0 (bug fixes, code cleanup and documentation work)
- xproto 7.0.15 (new features and code cleanup)
Electronics
zParts: 0.93 Released (SourceForge)
Version 0.93 of zParts has been announced. "zParts is an electronic parts inventory system. It is an alternative to using spreadsheet software and has a very high degree of customization. It was created with the electronic hobbyist in mind and even has support for part datasheets and images! Version 0.93 comes with some big bug fixes that should help things run smoother for all. I'm working towards a system to help first time users get acquainted with zParts and use it well."
Encryption Software
GnuPG 2.0.11 released
Version 2.0.11 of GnuPG, a GNU tool for secure communication and data storage, has been announced. Changes include: "* Fixed a problem in SCDAEMON which caused unexpected card resets. * SCDAEMON is now aware of the Geldkarte. * The SCDAEMON option --allow-admin is now used by default. * GPGCONF now restarts SCdaemon if necessary. * The default cipher algorithm in GPGSM is now again 3DES. This is due to interoperability problems with Outlook 2003 which still can't cope with AES."
Games
Doomsday Engine: 1.9.0-beta6 released (SourceForge)
Version 1.9.0-beta6 of Doomsday Engine has been announced. "A Windows/Unix/Mac OS X game engine for 2.5d first person shooters such as DOOM, Heretic and Hexen. Lets you enjoy the original games using modern technology e.g. OpenGL, 3D models, unlimited framerate, high-resolution graphics, simulated radiosity."
ScummVM: 0.13.0 'More Guests' enter(s) the house (SourceForge)
Version 0.13.0 of ScummVM has been announced. "ScummVM is a cross-platform interpreter for several point-and-click adventure engines. This includes all SCUMM-based adventures by LucasArts, Simon the Sorcerer 1&2 by AdventureSoft, Beneath a Steel Sky and Broken Sword 1&2 by Revolution, and many more. As we turned to a 6 months release cycle, our newest and best ScummVM version is ready for you! A couple of new engines were added, and besides 2 Humongous Entertainment titles, we now support The 7th Guest and Bud Tucker in Double Trouble."
GUI Packages
Qt 4.5 released
Version 4.5 of the Qt toolkit has been announced. "Qt 4.5 includes several new features, but sees the greatest improvement via a concerted effort to increase performance across the entire framework. Significant performance enhancements were made to the graphics system, data handling, and the web engine. These improvements result in an appreciable performance increase in Qt-based applications." The Qt Creator 1.0 release is also available.
Interoperability
Wine 1.1.16 announced
Version 1.1.16 of Wine has been announced. Changes include: "Improved SANE scanner support. Support for digital CD audio playback. Improved cookies management in Wininet. Support for building stand-alone 16-bit modules. Many fixes to the regression tests on Windows. Various bug fixes."
Medical Applications
GNUmed 0.4.0 released (LinuxMedNews)
Version 0.4.0 of the GNUmed medical record system has been announced. "This release provides nice and stable new features: * can show log file from client on demand * can merge two patients into one * can edit existing progress note on any encounter * can access text expansion macros by startof-keyword (will show a list for selection) * has new hook "after_new_doc_created" * has minimum HIPAA compliance * has waiting list * has random access to plugins * has screenshots on Linux include window decoration * has local "installer" for tarball * has a large part of the user interface translated to Brazilian Portuguese".
Multimedia
Elisa Media Center 0.5.30 Release
Version 0.5.30 of Elisa Media Center has been announced. "This release is a "light weight" release, meaning it is pushed through our automatic plugin update system. That is why there is no new Elisa windows installer nor any new packages: use the existing ones for 0.5.27; with the default configuration, they should upgrade automatically to 0.5.30."
Music Applications
mingus 0.4 released
Version 0.4 of mingus has been announced. "Mingus is an advanced, cross-platform music theory and notation package for Python with MIDI file and playback support. It can be used to play around with music theory, to build editors, educational tools and other applications that need to process and/or play music. It can also be used to create sheet music with LilyPond."
Digital Photography
hugin: 0.8.0 beta1 testers release (SourceForge)
Version 0.8.0 beta1 of hugin has been announced. The project description states: "Panorama stitching and more. A powerful software package for creation and processing of panoramic images. Similar to the windows programs PTGui and PTAssembler."
Video Applications
Gnash 0.8.5 released
Version 0.8.5 (also know as "the fourth beta release") of the Gnash flash player has been released. There's lots of new features, including improved performance, support for saving media files to disk, new codecs, and more; see the announcement for details.
Web Browsers
Browsing in GNOME
Should GNOME adopt a web browser component? If so, which one? Benjamin Otte takes on this question with a detailed look at Webkit and Mozilla but comes to no clear conclusion. "Regardless of which project were to be chosen, my expectation would be that if we were to start now, it would take 5 experienced GNOME developers roughly a year to get this work to a point were it would hold up against today's requirements of the web. For Webkit, this would mostly require writing source code. For Mozilla, both writing code and evangelizing inside their community would be necessary." (Thanks to Paul Wise).
Languages and Tools
C
LLVM 2.5 released
Version 2.5 of the LLVM compiler is out. "LLVM 2.5 includes an amazing collection of bug fixes, performance improvements (both in the compiler itself and in the generated code) and new features. Some highlights include a new XCore backend, significantly improved llvm-gcc GFortran support, code generator support for arbitrary sized integers (e.g. i71), support for acting on overflow of integer operations, an amazing new 'Writing an LLVM Compiler Backend' document, and many many other things." See the release notes for details.
Caml
Caml Weekly News
The March 3, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.
Java
IcedTea6 1.4.1 released
Version 1.4.1 of IcedTea6 has been announced, it includes bug fixes and some rewritten code. "The IcedTea6 project provides a harness to build the source code from OpenJDK6 (http://openjdk.java.net) using Free Software build tools."
Perl
Rakudo Perl development release #14 (use Perl)
Development release #14 of Rakudo Perl, an implementation of Perl 6 on the Parrot Virtual Machine, has been announced. "This is the fourteenth development release of Rakudo Perl, but it's the first release independent from Parrot releases. We will continue to follow a monthly release cycle, with each release to be code named after a Perl Mongers group."
PHP
PHP 5.2.9 released
Version 5.2.9 of PHP has been announced. "This release focuses on improving the stability of the PHP 5.2.x branch with over 50 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release."
Python
Python-URL! - weekly Python news and links
The February 26, 2009 edition of the Python-URL! is online with a new collection of Python article links.Python-URL! - weekly Python news and links
The March 3, 2009 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The February 25, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Cross Compilers
SDCC 2.9.0 RC1 released
Version 2.9.0 RC1 of SDCC has been announced. "SDCC is a retargettable, optimizing ANSI - C compiler that targets the Intel 8051, Maxim 80DS390, Zilog Z80 and the Motorola 68HC08 based MCUs. Work is in progress on supporting the Microchip PIC16 and PIC18 series."
Editors
Emacs 23.0.91 pretest
A pretest release of Emacs 23.0.91 has been announced "This is the second pretest for what will be the Emacs 23.1 release. Pretesters: please send an email to me reporting success or failure on your build platform."
Profilers
Valgrind 3.4.1 is available
Version 3.4.1 of Valgrind has been announced. "Valgrind is an open-source suite of simulation based debugging and profiling tools. 3.4.1 fixes some regressions and assertion failures in debug info reading in 3.4.0, most notably incorrect stack traces on amd64-linux on older (glibc-2.3 based) systems. A number of other bugs, including some in the new exp-ptrcheck tool, have also been fixed."
Test Suites
The Linux Test Project: February 2009 release (SourceForge)
The February, 2009 release of the The Linux Test Project has been announced. "The Linux Test Project is a group aimed at testing and improving Linux. The goal of the LTP is to deliver a suite of automated testing tools for Linux as well as publishing the results of tests we run. LTP invites community to contribute in new horizons. The Linux Test Project test suite has been released for the month of FEBRUARY 2009. Please see ltp/INSTALL file carefully, as, there has been multiple changes for building/installing the test suite."
Version Control
GIT 1.6.2 released
Version 1.6.2 of the GIT distributed version control system has been announced. "With the next major release, "git push" into a branch that is currently checked out will be refused by default. You can choose what should happen upon such a push by setting the configuration variable receive.denyCurrentBranch in the receiving repository. To ease the transition plan, the receiving repository of such a push running this release will issue a big warning when the configuration variable is missing."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
451 Group: Microsoft suing TomTom, not Linux, not open source
The 451 Group says not to worry about Microsoft's suit against TomTom. "The key phrase, which is repeated, is the suit involves 'the Linux kernel as implemented by TomTom,' which is very different from 'the Linux kernel' when we're talking software code and patent infringement suits. While some usual suspicions are being raised, there are also some who generally agree this is not the first shot in a supposed war against Linux and open source." This strikes your editor as a bit of wishful thinking, but others may disagree.
LinuxDNA Supercharges Linux with the Intel C/C++ Compiler (Linux Journal)
Linux Journal has some news from the Linux DNA project. "Exciting news from the LinuxDNA project, which earlier this month successfully compiled a recent Linux kernel with the Intel C/C++ compiler (ICC). This is not just a compile without errors, this is — for the most part — a fully bootable, compatible Linux kernel that can boot into a full Linux system. The full system is based on Gentoo Linux, and utilizes kernel version 2.6.22."
Companies
Novell puts Linux on sale as earnings disappoint (cnet)
cnet takes a look at Novell's disappointing first quarter earnings. "Novell now plans to cut prices aggressively to increase its market share, according to [CEO Ron] Hovsepian. Part of the problem, however, is that Novell isn't really an open-source company, and it doesn't pretend to be one. Most of its revenue comes from proprietary software, and that software didn't deliver in the first quarter."
VMware, Novell hatch virtual appliance scheme (the Register)
the Register covers a partnership between VMware and Novell. "Virtualization specialist VMware has teamed up with commercial Linux distributor Novell to create software appliances based on Novell's SUSE Linux Enterprise Server (SLES) wrapped up in VMware's ESX Server virtual machines. The deal was inked at the VMworld festivities in Cannes this week."
Linux Adoption
UK government backs open source (BBC)
The BBC reports that the UK government is planning a shift towards open-source software. "The UK government has said it will accelerate the use of open source software in public services. Tom Watson MP, minister for digital engagement, said open source software would be on a level playing field with proprietary software such as Windows. Open source software will be adopted "when it delivers best value for money", the government said. It added that public services should where possible avoid being "locked into proprietary software"." (Thanks to Pavel Roskin).
Legal
Judge orders defendant to decrypt PGP-protected laptop (CNet)
CNet reports that a US Federal judge has ordered a defendant to decrypt a laptop drive to allow the government to view its contents; this runs counter to an earlier ruling that compelling decryption would violate the defendant's self-incrimination rights. "Boucher's attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period."
Red Hat's JBoss Software Draws Patent Suit (InformationWeek)
InformationWeek reports that Red Hat is being sued for patent infringement by a company called Software Tree. The patent involved appears to be one of many covering the idea of an impedance-matching layer between an object-oriented system and a relational database. "Red Hat acquired open source developer JBoss in 2006 for $420 million. Software Tree contends that certain of Red Hat's JBoss products, including the JBoss Enterprise Application Platform, which includes JBoss Hibernate, step on its patent. 'The infringing products have no substantial noninfringing uses,' Software Tree says in court papers. The lawsuit also names Dell, Hewlett-Packard, and Genuitec as defendants because the companies sell JBoss-based software or include it on their products."
Interviews
Video: Ted Ts'o on Ext4, BtrFS and first steps with Linux (Linux Magazine)
Linux Magazine presents a video interview with Ted Ts'o. "Ted talks about the improved acceleration of ext4 and the difference between ext4 and BtrFS. He explains who actually pays him, and why he's on assignment from IBM. Subsequently, Ted reminisces about what he did with Linux when he first discovered it in the 1990's."
Resources
Web Content Filtering with OpenDNS (Linux Journal)
Linux Journal takes a look at OpenDNS for content filtering. "OpenDNS is a free service that enables you to block content you deem inappropriate at the DNS level. There's no need for any proxy configuration on either the client or the server. All you have to do is arrange for your servers and clients to use the OpenDNS DNS servers instead of the DNS servers provided by your Internet provider. Once that is done, if users try to access a Web site that provides inappropriate content, they are redirected to an OpenDNS Web site that tells them the site has been blocked and why."
Reviews
Touch Book: Linux based touch screen device announced (The H)
An interesting twist on Linux-based netbooks is the subject of an article over at The H. "The Touch Book sports a number of unique features in a small device. The keyboard is detachable, allowing the device to used as just a tablet, and the back of the tablet is magnetic, letting a user stick the device to a fridge or other metallic surface. The device weighs less than two pounds, but offers a ten to fifteen hour battery life. However, there is a catch; the two parts of the Touch Book, the tablet and the keyboard, have their own separate batteries. The tablet alone has 3 to 5 hours battery life, with the keyboard battery extending that to the ten to fifteen hours."
Miscellaneous
Is Microsoft Targeting Linux Through Tom Tom? Oh Please... (ITBusinessEdge)
Every now and then, it can be educational to look at Rob Enderle's remarks just to see how strange some people's view of the world is. Here's his take on the TomTom suit. "Linux leaders have a problem. Ever since Microsoft adopted the 'let's get along' strategy of licensing and interoperating, it has been hard to get people to volunteer their time for the platform, and interest seems to be waning."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
FSFE engages in the EU browser case
Free Software Foundation Europe has announced that it will support the European Commission's antitrust investigation against Microsoft and to this effect it has formally requested to be admitted as an interested third party. "The investigation began on the 16th of January when the European Commission DG Competition reported that it had issued a statement of objections regarding Microsoft's abuse of web standards and the tying of Internet Explorer (IE) to the Windows Operating System product family. It is based on a complaint submitted by Opera, a European company involved in web browser development, which FSFE publicly supported in 2007."
The Linux Foundation acquires Linux.com
What became of Linux.com has finally been announced: it has been sold to the Linux Foundation. "The new Linux.com site will transform in the months ahead from solely being a news source to a collaborative site that will be 'for the community, by the community.' Much like Linux itself, Linux.com will rely on the community to create and drive the content and conversation. While the Linux Foundation will host the collaboration forum, the site will feature the real Linux experts - users and developers - and give them the tools needed to connect with each other and with Linux."
Draft OpenStreetMap license and implementation plan
Back in October, LWN looked at the licensing discussion happening within the OpenStreetMap project. That project has now, finally, posted a draft version of the Open Database License Agreement which would cover access to OpenStreetMap data in the future. There is also an implementation plan which calls for comments through March, followed by a vote by OpenStreetMap contributors. See the announcement (click below) for details and links.
Commercial announcements
MontaVista introduces Meld embedded Linux community
MontaVista has announced the launch of the Meld embedded Linux community. "Meld provides a forum for developers of all skill levels to connect and share information, ideas, and software around embedded Linux designs, accelerating their development efforts and delivery of commercial products."
wxDesigner 2.19 is available
Version 2.19 of wxDesigner, a commercial dialog editor and RAD tool for wxWidgets, is out: "New release wxDesigner 2.19, based on the upcoming wxWidgets 3.0".
New Books
Scott Meyers New C++ eBook Collection
Three new electronic books on C++ have been released by Addison-Wesley. "The eBook versions of best-selling books by Scott Meyers include Effective C++, More Effective C++, and Effective STL. The books have been immensely helpful to hundreds of thousands of C++ programmers. All three are finally available as PDF eBooks."
Resources
EFF Releases How-To Guide to Fight Government Spying
The Electronic Frontier Foundation has released an online How-To Guide to Fight Government Spying. "EFF created the Surveillance Self-Defense site to educate Americans about the law and technology of communications surveillance and computer searches and seizures, and to provide the information and tools necessary to keep their private data out of the government's hands. The guide includes tips on assessing the security risks to your personal computer files and communications, strategies for interacting with law enforcement, and articles on specific defensive technologies such as encryption that can help protect the privacy of your data."
Linux Gazette #160
Issue #160 of the Linux Gazette has been announced. Contents include: "* Mailbag * Talkback * 2-Cent Tips * News Bytes, by Deividson Luiz Okopnik and Howard Dyckoff * Away Mission - 2008 in Review - part 2, by Howard Dyckoff * The Unbearable Lightness of Desktops: IceWM and idesk, by Ben Okopnik * Joey's Notes: Bash shell basics, by Joey Prestia Our monthly column of basic Linux advice and education * SCaLE 7 Speed-through, by Kat Tanaka Okopnik A brief con report for the Southern California Linux Expo (SCaLE) * Development Builds Layered on Top of a Stable System by Means of Unionfs, by Dirk Wallenstein * XKCD, by Randall Munroe * The Linux Launderette"
Contests and Awards
Announcing the first programming competition for Openmoko phones
An Openmoko programming contest has been launched. "We're announcing the first programming competition for Openmoko phones. You're all invited to participate in the competition to code an audiobook / podcast player."
Education and Certification
Linux Foundation announces training program
The Linux Foundation (LF) has announced new training courses for Linux developers. The courses will be offered at LF events, starting with the Collaboration Summit in early April, as well as in various cities in the US. "While the Linux server market is predicted to reach $50 billion dollars in three years, and the embedded and mobile Linux markets continue to explode, the picture is less rosy in other corners of the IT market. Developers are being laid off, and many are looking to careers in the Linux and open source sector. The freelance marketplace Odesk (www.odesk.org) recently reported that the number of Linux-related jobs posted on its boards has increased more than 1400% since 2006. The Linux Foundations Training Program will help meet this demand for industry, and provide the tools for a new generation of programmers."
LPI launches Enterprise-level "Security" exam
The Linux Professional Institute has announced a new enterprise-level Security Exam. "The Linux Professional Institute (LPI), the world's premier Linux certification organization, launched their new "Security" exam elective for their LPIC-3 certification program effective March 1, 2009. The LPI-303 "Security" exam is the second elective available in the organization's enterprise-level LPIC-3 certification program for Linux professionals."
Calls for Presentations
FRHACK 2nd Call For Papers
The second call for papers has been posted for FRHACK. "FRHACK is the First International IT Security Conference, by hackers - for hackers, in France! FRHACK is not commercial - but - highly technical. Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall Administrators, Teachers, Academic Researchers and Software Developers." The event takes place on September 7-8, 2009, submissions are due by June 1.
Liwoli 2009 - Call for projects
A call for projects has gone out for Liwoli 2009. The event takes place in Linz, Austria on April 23-27, submissions are due by March 25. "Liwoli 2009 is a three day long Hacklab and an open invitation to everyone who would like to participate in an active process of learning, producing and sharing ideas around the areas of Free/Libre Open Source Software (FLOSS) and DIY practices in digital art and culture. FLOSS developers, software artists such as the collective GOTO10, activists from HAIP (Hack Act Interact Progress) and many others form the basis for the event and will share their knowledge in the form of workshops, presentations, installations and performances."
OSPERT 2009 call for papers
A call for papers has gone out for OSPERT 2009, the Fifth International Workshop on Operating Systems Platforms for Embedded Real-Time Applications. The event takes place on July 2-4, 2009 in Dublin, Ireland, submissions are due by April 4. "This workshop is intended as a forum for researchers and practitioners of RTOS to discuss the recent advances in RTOS technology and the challenges that lie ahead."
Pycon Tre Italy Call For Presentations
A call for presentations has gone out for Pycon Tre Italy, submissions are due by March 15. "For the third year Florence will host the Italian edition of PyCon starting from May 8th till May 10th."
Upcoming Events
Registration open for ELC 2009 - Program announced
Registration is now open for the Embedded Linux Conference 2009, which will be held April 6-8, 2009 in San Francisco, CA. This year's edition will be co-located with the Linux Foundation's Collaboration Summit and attendees are invited to that event as well. There will be three days of presentations, tutorials, and the like, along with keynotes from Dirk Hohndel and David Woodhouse. Click below for the full announcement.EuroPython 2009 registration opens
Registration has opened for EuroPython 2009, an early bird rate is available until March 14. "EuroPython is the conference for the communities around Python, including the Django, Zope and Plone communities. This year's conference will be held in Birmingham, UK from Monday 30th June to Monday 2nd July 2009. Preceding the conference, on Saturday 28th June and Sunday 29th June, are the tutorial days, which can be attended separately."
Announcing the International Techno Security Conference
The International Techno Security Conference has been announced. "Please plan to join us for our 2009 Techno Security Conference in beautiful Myrtle Beach, SC. May 31 - June 3 at the Marriott Grande Dunes Resort. Our Eleventh Annual International Techno Security Conference, promises to be THE international meeting place for IT Security professionals from around the world. We also have some great pre-conference and post-conference training from some of leading companies in training."
Libre Graphics Meeting 2009 launches community fund raising campaign
The Libre Graphics Meeting 2009 is holding a community fund raising campaign. "The Libre Graphics Meeting (LGM) is an annual workshop for developers and users of free software graphics applications to collaborate and advance the cause of high-quality free graphics software. From now until April 22, you can help support this event by making a donation to the LGM 2009 community pledge drive. LGM is free to attend, so your support is critical to making this important event a success. The fourth annual LGM will be held May 6 - 9, 2009 in Montreal, Canada at Ecole Polytechnique."
The OpenOffice.org annual Conference 2009 goes to Italy
The 2009 OpenOffice.org conference location has been chosen. "Members of the OpenOffice.org Community have selected Orvieto, Italy as the venue for their Annual Conference (OOoCon), to be held between November 3rd and November 5th 2009 (provisional dates)."
Announcing php|tek 2009
The php|tek 2009 conference has been announced. "We are happy to invite you to this year's php|tek conference, to be held May 19-22, 2009 in Chicago, Illinois, and hosted (as always) by the folks at php|architect. Join us to hear talks and tutorials on a variety of PHP subjects from PHP experts such as Ed Finkler, Sara Golemon, Chris Shiflett, Sebastian Bergmann, Derick Rethans, Stefan Priebsch, Christian Wenz and our mid-conference keynote by Andrei Zmievski on PHP6."
Events: March 12, 2009 to May 11, 2009
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| March 9 March 13 |
Advanced Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA |
| March 9 March 12 |
O'Reilly Emerging Technology Conference | San Jose, CA, USA |
| March 12 March 15 |
Pingwinaria 2009 - Polish Linux User Group Conference | Spala, Poland |
| March 14 | OpenNMS User Conference (Europe) 2009 | Frankfurt Main, Germany |
| March 14 March 15 |
Chemnitzer Linux Tage 2009 | Chemnitz, Germany |
| March 16 March 20 |
Android Bootcamp with Mark Murphy | Atlanta, USA |
| March 16 March 20 |
CanSecWest Vancouver 2009 | Vancouver, BC, Canada |
| March 18 | Linuxwochen Österreich - Klagenfurt | Klagenfurt, Austria |
| March 21 March 22 |
Libre Planet 2009 | Cambridge, MA, USA |
| March 23 March 27 |
iPhone Bootcamp | Atlanta, Georgia, USA |
| March 23 April 3 |
Google Summer of Code '09 Student Application Period | online, USA |
| March 23 March 27 |
ApacheCon Europe 2009 | Amsterdam, The Netherlands |
| March 24 March 26 |
UKUUG Spring 2009 Conference | London, England |
| March 25 March 29 |
PyCon 2009 | Chicago, IL, USA |
| March 27 March 29 |
Free Software and Beyond The World of Peer Production | Manchester, UK |
| March 28 | Open Knowledge Conference 2009 | London, UK |
| March 31 April 2 |
Solutions Linux France | Paris, France |
| March 31 April 3 |
Web 2.0 Expo San Francisco | San Francisco, CA, USA |
| April 3 April 5 |
PostgreSQL Conference: East 09 | Philadelphia, PA, USA |
| April 3 April 4 |
Flourish Conference | Chicago, IL, USA |
| April 6 April 8 |
CELF Embedded Linux Conference | San Francisco, CA, USA |
| April 6 April 7 |
Linux Storage and Filesystem Workshop | San Francisco, CA, USA |
| April 8 April 10 |
Linux Foundation Collaboration Summit | San Francisco, CA, USA |
| April 14 | OpenClinica European Summit | Brussels, Belgium |
| April 15 | Linuxwochen Österreich - Krems | Krems, Austria |
| April 16 April 17 |
Nordic Perl Workshop 2009 | Oslo, Norway |
| April 16 April 19 |
Linux Audio Conference 2009 | Parma, Italy |
| April 16 April 18 |
Linuxwochen Austria - Wien | Wien, Austria |
| April 20 April 24 |
samba eXPerience 2009 | Göttingen, Germany |
| April 20 April 23 |
MySQL Conference and Expo | Santa Clara, CA, USA |
| April 20 April 24 |
Perl Bootcamp at the Big Nerd Ranch | Atlanta, GA, USA |
| April 20 April 24 |
Cloud Slam '09 | Online, Online |
| April 22 April 25 |
ACCU 2009 | Oxford, United Kingdom |
| April 23 April 26 |
Liwoli 2009 | Linz, Austria |
| April 23 | Linuxwochen Austria - Linz | Linz, Austria |
| April 23 April 24 |
European Licensing and Legal Workshop for Free Software | Amsterdam, The Netherlands |
| April 25 May 1 |
Ruby & Ruby on Rails Bootcamp | Atlanta, Georgia, USA |
| April 25 April 26 |
LinuxFest Northwest 2009 10th Anniversary | Bellingham, Washington, USA |
| April 25 | Linuxwochen Austria - Graz | Graz, Austria |
| April 25 | Festival Latinoamericano instalación de Software libre | All Latin America, All Latin America |
| April 25 | Grazer Linux Tage 2009 | Graz, Austria |
| April 27 | OSDM 2009 | Bangkok, Thailand |
| May 4 May 8 |
JavaScript/Ajax Bootcamp at the Big Nerd Ranch | Atlanta, Georgia, USA |
| May 4 May 7 |
RailsConf 2009 | Las Vegas, NV, USA |
| May 4 May 6 |
EuroDjangoCon 2009 | Prague, Czech Republic |
| May 4 May 6 |
SYSTOR 2009---The Israeli Experimental Systems Conference | Haifa, Israel |
| May 5 | Linuxwochen Austria - Salzburg | Salzburg, Austria |
| May 6 May 9 |
Libre Graphics Meeting 2009 | Montreal, Quebec, Canada |
| May 6 May 8 |
Embedded Linux training | Maynard, USA |
| May 7 | NLUUG spring conference | Ede, The Netherlands |
| May 8 May 10 |
PyCon Italy 2009 | Florence, Italy |
| May 8 May 9 |
Linuxwochen Austria - Eisenstadt | Eisenstadt, Austria |
| May 8 May 9 |
Erlanger Firebird Conference 2009 | Erlangen-Nürnberg, Germany |
If your event does not appear here, please tell us about it.
Event Reports
OSBF demos platform for secure cloud computing at CeBIT
OSBF demonstrated a platform for secure cloud computing at the CeBIT conference. "The Interoperability project group of Open Source Business Foundation e.V., the European business network for the open source sector, presented at CeBIT on March 3, 2009, a jointly developed platform for secure cloud computing. The Internet Service Bus (ISB) demonstrates how different applications can be combined to form platform-neutral services and be used securely."
Page editor: Forrest Cook